Rules Applicable to an Exchange

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 1A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 w;s úfYI wxl 2271$10 - 2022 ud¾;= ui 15 jeks w`.yrejdod - 2022'03'15 No. 2271/10 - tuesday, march 15, 2022 EXTRAORDINARY The Gazette of the Democratic Socialist Republic of Sri Lanka (Published by Authority) PART I : SECTION (I) — GENERAL Y%S ,xld m%cd;dka;%sl iudcjd§ ckrcfha .eiÜ m;%h This Gazette Extraordinary can be downloaded from www.documents.gov.lk rules applicable to an exchange The Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 1A- PG 5785—15 (03/2022) Government Notifications RULES made by the Securities and Exchange Commission of Sri Lanka, in terms of Section 183 of the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021. Viraj Dayaratne PC Chairman Securities and Exchange Commission of Sri Lanka. Colombo 15th March, 2022

2A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Rules These Rules may be cited as the Rules applicable to an Exchange. General interpretation 1. The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall unless the context so requires have the same meaning assigned to it in the said Act: “Commission” means the Securities and Exchange Commission of Sri Lanka established in terms of the SEC Act; “Exchange” shall have the same meaning as defined in Section 188 of the SECAct; “Key Management Person” means directors (executive or otherwise) and shall include alternate directors, a chief executive officer, compliance officer and persons having authority and responsibility for planning, directing and controlling the activities of a company/entity either directly or indirectly; “Liquid Assets” means unencumbered cash or investments which can be readily converted to cash such as bank/call deposits, re-purchase agreements with maturity of less than three (3) months, commercial papers which are endorsed or guaranteed by a licensed commercial bank or licensed specialized bank with a term to maturity of less than three (3) months and government issued securities with a term to maturity of one (1) year or less or any other form of instruments as determined by the Commission; “SEC Act” means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021; “Shareholders’ Funds” means the amount of equity of the company, which belongs to the shareholders of the company; “Stock Broker” shall have the same meaning as defined in Section 188 of the SEC Act; “Stock Dealer” shall have the same meaning as defined in Section 188 of the SEC Act; “Trading Participant” shall have the same meaning as defined in Section 188 of the SEC Act. Applicability 2. The Rules set out herein shall apply to an Exchange licensed under the SEC Act. 3. Every Exchange shall comply with: (a) the Rules set out herein and any amendments thereto; (b) provisions of the SEC Act; (c) directives issued from time to time by the Commission; and (d) Rules issued by the Commission relating to Fitness and Propriety of a Key Management Person of a Market Institution.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 3A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Requirement for a licence 5. No entity shall engage in the function of an Exchange without having first obtained a licence from the Commission. Procedure to obtain a licence 6. The grant of a licence shall be a two (2) stage process. An applicant may in the first instance apply for in-principle approval upon satisfying the requirements as set out in (a) hereof and after having obtained in-principle approval may thereafter apply for final approval upon satisfying the requirements as set out in (b) hereof: (a) in order to obtain in-principle approval an applicant shall submit to the Commission: (i) a duly completed application form according to the specimen provided on the website of the Commission; (ii) documents to establish the source of funding to establish the Exchange; (iii) documents outlining the business model to carry on the functions of the Exchange including financial feasibility; (iv) documents outlining the structures, systems and controls in place which will enable it to differentiate and segregate its commercial interests from its regulatory responsibilities; (v) documents outlining the governance structure of the Exchange; (vi) documents outlining the procedure in relation to the admission of Trading Participants to the Exchange; (vii) a declaration by the applicant as per Schedule I of these Rules; (viii) a copy of the draft Rules of the applicant in conformity with the requirements set out in Section 26 of the SEC Act; (ix) a copy of the internal compliance manual as set out in Schedule IV of these Rules; (x) documentation in support of measures taken to acquire information systems as stated in Rule 15 of these Rules; (xi) documentation in support of steps taken to recruit adequate human resources as stated in Rule 33 of these Rules to effectively discharge the obligations in keeping with the identified organizational structure of the applicant; (xii) any other requirements and/or information that the Commission may require considering particular circumstances; and (xiii) the processing fee specified by way of regulations made by the Minister from time to time. (b) within six (6) months of obtaining in-principle approval, the applicant shall fulfill the following requirements and submit the following documents as proof thereof in order to obtain final approval:

4A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (i) confirmation from chief executive officer and a director of the Exchange that the applicant has met the requirements as spelt out in Rule 9 (a) and (b) of these Rules; (ii) a confirmation from the chief executive officer and a director of the Exchange of compliance with the requirement on the minimum number of Trading Participants as stipulated in Rule 25 of these Rules; (iii) declarations by Key Management Persons relating to their fitness and propriety in terms of the Fitness and Propriety of a Key Management Person of a Market Institution as contained in Schedule II of these Rules. Such declaration shall be in the form of an affidavit prepared in accordance with the specimen provided in Schedule III of these Rules; (iv) a confirmation from the chief executive officer and a director of the Exchange of the implementation of information systems as stated in Rule 15 of these Rules; (v) a confirmation from the chief executive officer and a director of the Exchange of the recruitment of adequate human resources, particularly the officersstated in Rule 33 of these rules along with their names and designations; and (vi) the annual licence fee specified by way of regulations by the Minister from time to time.

• However, in the event the Colombo Stock Exchange is desirous of obtaining a licence to continue its functions upon the expiration of its present licence granted by the Commission, the two-stage process mentioned above may be waived by the Commission provided that the Colombo Stock Exchange satisfies all the requirements set out in (a) and (b) above at the same time.

7. As stipulated in Section 69 of the SEC Act, it shall be the duty of the Exchange to obtain the prior approval of the Commission of any change in particulars specified in an application to be licensed as an Exchange. Licensing fee 8. An Exchange shall pay such licensing fee as prescribed by way of regulations made by the Minister from time to time. Minimum financial requirements and submission of reports
8. An Exchange shall: (a) at all times maintain minimum Shareholders’ Funds as determined by the Commission from time to time; (b) at all times maintain minimum Liquid Assets as determined by the Commission from time to time; (c) inform the Commission immediately if Shareholders’ Funds and/or Liquid Assets fall below the requirement as stipulated in Rule 9 (a) and (b) above.
9. An Exchange shall provide the information as set out below to the Commission: (a) financial statements prepared quarterly in conformity with the Sri Lanka Accounting Standardssigned by the chief executive officer and a director within forty five (45) days from the end of each quarter;

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 5A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (b) a copy of the annual report in conformity with Section 73 of the SEC Act within a period of five (5) months from the close of each financial year; and (c) a copy of the compliance report as stated in Rule 47 hereof. 11. An Exchange shall, within three (3) months from the date of the auditor’s report, take steps to rectify the deficiencies if any, made out in the auditor’s report. Change in shareholding 12. Achange in the shareholding of five per centum (5%) or more of the totalshareholding of an Exchange shall be made only upon obtaining prior approval of the Commission. Duties of an Exchange 13. An Exchange shall at all times ensure that it complies with duties stipulated under Section 27 of the SEC Act. Maintenance of deposits of Trading Participants 14. Any deposit maintained by the Exchange on behalf of Trading Participants shall be accounted separately and shall be disclosed in the financial statements. Infrastructure and related requirements 15. An Exchange shall have all the capabilities to operate and conduct the functions of an Exchange and shall ensure the availability of the following infrastructure and related features in its systems at a minimum: (a) automated trading system; (b) market surveillance system; (c) operational procedures pertaining to Management Information Systems (MIS); (d) information dissemination and delivery channels (eg: website, mobile applications); (e) infrastructure requirements for internal business operations: (i) internal network; (ii) accounting system; (iii) documents archiving and retention system; (iv) an electronic communication mechanism; (v) data center (hosted on-site and off-site) and a separate disaster recovery facility at a suitable location to be maintained on a real time basis. 16. An Exchange shall ensure that its business applications minimize manual intervention in information inputs and outputs at all times and prevent unauthorized changes to its databases. 17. Information systems of an Exchange shall be subjected to control reviews at least once in every two (2) years and the control gaps identified shall be rectified following a time plan. The scope of testing shall cover business logic, system function, security controls and system performance at a minimum. 18. An Exchange shall have a documented Disaster Recovery (DR) Plan. 19. A DR test shall be conducted annually in line with the DR plan of the Exchange.

6A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 20. An Exchange shall ensure that its hosted servers are subjected to vulnerability assessments and penetration tests annually. The issues arising from such tests shall be rectified according to a time bound plan. 21. The reports pertaining to reviews and tests specified in Rules 17, 19 and 20 shall be retained for reference for a minimum period of six (6) years. 22. An Exchange shall maintain a duly updated Systems and Procedures Manual covering the following areas at a minimum, to ensure compliance with these Rules: (a) the organizational structure of the Exchange identifying key functions and persons, and their reporting structure; (b) operational procedures pertaining to an Exchange covering the following areas at a minimum: (i) operational procedures pertaining to MIS; (ii) procedures on staff trades by employees of an Exchange; and (iii) a procedure to handle client complaints. (c) policies, standards and procedures: (i) sound and prudent policies, standards and procedures for managing technology risks; and (ii) review and update policies, standards and procedures regularly, taking into consideration the evolving technology and cyber threat landscape. (d) management of third party services: (i) an Exchange shall assess and manage its exposure to technology risk that may affect confidentiality, integrity and availability of information technology systems and data before entering into a contractual agreement or partnership with third parties; and (ii) a comprehensive information technology security awareness training program shall be established to maintain a high level of awareness among all staff of an Exchange. (e) data and infrastructure security: develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorized access, modification, copying or transmission of its confidential data. (f) user access management: establish a user access management process covering provisions relating to change and the revocation of access rights.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 7A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (g) network security: deploy effective security mechanismsto protect information assets(eg: firewall), network access controls. (h) cyber security: establish a security operations center or acquire managed security services (the processes, roles and responsibilities for security operations should be defined). (i) system backup and recovery: establish a system and data backup and recovery strategy and develop a plan to perform regular backups. (j) investor education and communication: measures to raise awareness among investors on the security best practices and terms and conditions that investors should adhere to when using online services. (k) incident management: establish an incident management framework with the objective of restoring an affected information technology service or system to a secure and stable state as quickly as possible to minimize the impact to the business and the investors. 23. An Exchange shall have sufficient and appropriate processes to ensure the functions of legal and enforcement, compliance, market surveillance, supervision of Trading Participants, information technology, finance and administration, internal audit and risk management are carried out. Rules of an Exchange 24. An Exchange shall in addition to the requirements stipulated in section 26 of the SEC Act, make provision for the following in its Rules: (a) the conditions on which listing of a particular security may be revoked; (b) the conditions governing dealings in securities by Trading Participants; (c) the timely and accurate disclosure of all material information required for investors to make informed investment decisions; (d) the protection of investors in securities from misrepresentation, misleading information, fraud, deceit and other adverse practices in the issue and trading of securities and from the abuse by certain persons holding privileged information not yet made available to the general public; (e) the prohibition of securities market misconduct of any form, including false trading, excessive trading, front running, market rigging etc.; (f) the conduct of securities trading of Stock Brokers and Stock Dealers and the manner in which information relating to transactions be maintained; and (g) ensuring that customers’ funds and securities are segregated from the other businesses of the Stock Brokers’ or Stock Dealers’.

8A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Trading Participants of an Exchange 25. Every Exchange shall ensure the availability of a minimum of five (5) Trading Participants. 26. In admitting Trading Participants, an Exchange shall ensure at a minimum that such Trading Participants: (a) are body corporates; (b) have high business integrity; (c) meet the minimum financial requirements stipulated in the Rules of the Exchange; and (d) meet the minimum standards stipulated in relevant rules of the Exchange. 27. An Exchange shall execute a detailed written agreement between the Exchange and the Trading Participants inclusive of rights and obligations of each party and dispute resolution mechanism. 28. Every Exchange shall ensure that its Trading Participants: (a) comply with Rules applicable to Trading Participants; and (b) initiate timely disciplinary action and take suitable action for any contravention or failure to comply with the provisions of the SEC Act. Appointment of directors of the Exchange 29. The appointment of directors of an Exchange shall be in conformity with Section 68 of the SEC Act. Governance of an Exchange 30. An Exchange shall have a board charter that inter alia includes a code of conduct for the board of directors and demarcate the responsibilities between its board of directors and the management. 31. An Exchange shall have, at a minimum the following sub-committees of the board of directors: (a) a risk and audit committee; (b) a remuneration committee; (c) a nomination committee; and (d) a rules committee. Human resources of an Exchange 32. An Exchange shall have an organizationalstructure with clearly defined responsibilities and authority for each category of employees. 33. An Exchange shall have suitably qualified persons for the following positions: (a) Chief Executive Officer (CEO); (b) Chief Regulatory Officer (CRO); (c) Head of Compliance; (d) Head of Legal; (e) Head of Finance; and (f) Head of Information Technology.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 9A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Commission approval to engage in other businesses 34. An Exchange shall disclose to the Commission all other business activities it is engaged in at the time of applying for its licence and inform the Commission in writing prior to engaging in any other business activity after obtaining a licence from the Commission. 35. An Exchange shall not engage in any other business which in the view of the Commission creates a conflict of interest unless prior written approval of the Commission is obtained. 36. In the conduct of any such other business activity, an Exchange shall ensure that proper processes are in place to have a clear demarcation of the different functions pertaining to such businesses. Maintenance of records 37. An Exchange shall maintain the following records: (a) Correspondence with Trading Participants; (b) comprehensive written records pertaining to disciplinary actions initiated against Trading Participants; (c) a comprehensive written record of all complaints received/disputes and action taken thereon by the Exchange; and (d) any other record the Commission requires the Exchange to maintain from time to time. 38. All of the above records shall be retained by the Exchange for a period of six (6) years. 39. An Exchange shall ensure confidentiality of all information relating to the Trading Participants unless such disclosure is required by law. Keeping of books and furnishing of returns 40. An Exchange shall: (a) maintain or cause to be maintained, such accounting records and other books as will truly reflect the transactions and financial position of its business and enable the preparation of a true and fair income statement and a statement of financial position in keeping with the Sri Lanka Accounting Standards adopted by the Institute of Chartered Accountants of Sri Lanka; (b) maintain or cause to be maintained such accounting records and other books in such manner as will enable them to be accurately audited; and (c) retain such accounting records or other books for a period of not less than six (6) years.

10A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Duty to furnish information and co-operate with auditors appointed by the Commission 41. Where the Commission having considered that it is in the interest of the Exchange or those of its Trading Participants, appoints an independent auditor or such other person or a body of persons to examine, audit and report either generally or in relation to any particular matter, it shall be the duty of such Exchange: (a) to produce any books, accounts and records of any assets held by the Exchange relating to its business; (b) to produce any records of any systems, processes or procedures adopted by the Exchange relating to its business; (c) to provide all information within its knowledge or which it is capable of obtaining; and (d) to ensure that all the information which is furnished to the auditor or independent auditor as the case may be is not false or misleading in any material particulars. 42. An Exchange shall not destroy, conceal or alter any records, property or books relating to the business of the Exchange which are in its possession or under its control with the intention of defeating, preventing, delaying or obstructing the carrying out of any examination. Submission of information to the Commission 43. An Exchange shall furnish such returns and provide such information relating to its business as the Commission may require from time to time. 44. The Commission may determine that any information required herein shall be submitted within such period at such intervals in such manner or in such form as the Commission may specify and the Exchange shall comply with such requirements. Compliance manual 45. An Exchange shall have an internal compliance manual applicable to its directors and employees which shall include amongst others adequate compliance procedures and practices as set out in Schedule IV of these Rules. Trading by employees 46. In the event of trading by employees of an Exchange, order instructions pertaining to such trades shall not be forwarded to a Stock Broker unless the order is authorized in writing by the chief executive officer or the compliance officer of the Exchange. Regulatory compliance and internal controls 47. The compliance officer on behalf of the Exchange shall make a quarterly compliance report which shall include amongst others the contents specified in Schedule V of these Rules approved by the board of directors and signed by the chief executive officer and a director confirming compliance with the provisions of the SECAct, the criteria set out herein, any other rules or directives issued by the Commission from time to time and the Financial Transaction Reporting Act, No. 06 of 2006 where applicable and forward the same to the Commission, before the twentieth (20th) day of the following month.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 11A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 However, in the event any non-compliance or breach is detected, the compliance officer shall immediately report such matter to the board of directors for rectification and inform the Commission within a period of twenty-eight (28) days from the date on which the board of directors were informed together with the steps that have been taken by the board of directors to rectify such non-compliance. 48. An Exchange shall have a fair and transparent complaint handling procedure to ensure the best interest of the Trading Participants and the public and shall maintain procedures to ensure that complaints received in relation to the conduct of Trading Participants are handled in a timely and effective manner. 49. An Exchange shall adhere to the Know Your Client (KYC) and due diligence procedures specified by the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka from time to time. Notification on the happening of certain events 50. Without prejudice to the generality of the duties imposed under the SEC Act, in the event any one or more of the following events occur, an Exchange shall forthwith provide written notice to the Commission: (a) the Exchange is in the course of being wound up or otherwise dissolved whether within or outside Sri Lanka or where a receiver, liquidator or an equivalent person has been appointed in respect of any property of the Exchange; (b) the Exchange is unable to carry its functions of an Exchange; (c) the Exchange has failed to comply with the provisions of the SEC Act, Rules relating to Fitness and Propriety of a Key Management Person of a Market Institution and the Rules specified herein or any other directive issued by the Commission from time to time; (d) any information or document furnished to the Commission is false or misleading or there is any change in any information contained in a document furnished to the Commission; (e) any execution against the Exchange in respect of a judgment debt has been returned unsatisfied in whole or in part; (f) the Exchange whether within or outside Sri Lanka has entered into a compromise or scheme of arrangement with its creditors being a compromise or scheme of arrangement; (g) a Key Management Person has been convicted of any offence involving fraud or dishonesty or a violation of securities law within or outside of Sri Lanka; and/or (h) a Key Management Person of the Exchange becomes an undischarged bankrupt. Cancellation of a licence 51. The cancellation of a licence granted to an Exchange shall be governed by the provisions contained in Sections 28 and 29 of the SEC Act.

12A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Closure of an Exchange 52. The closure of an Exchange by the Commission in an emergency shall be as stipulated in Section 30 of the SEC Act. Commencement of operations 53. In the event an Exchange fails to commence the business within six (6) months after the issue of the licence, then the licence will cease to be valid. L i c e n c e o f a n Exchange deemed to be revoked 54. A licence of an Exchange shall be deemed to be revoked if the company to whom a licence has been granted is wound up or otherwise dissolved. SCHEDULE I Declaration by the Applicant To: Chairman Securities and Exchange Commission of Sri Lanka Level 28 & 29, East Tower World Trade Centre Echelon Square, Colombo 01, Sri Lanka In consideration of being licensed to operate as (type of market institution), we (name of the applicant entity) being duly incorporated and having our registered office/principal place of business at….................(address)…............. hereby undertake and agree:

1. to be licensed at the sole discretion of the Commission and for such period as may be determined by the Commission; and
2. to be bound by the applicable laws, rules, regulations and directives of the Commission as amended or replaced from time to time. We further declare that no finding has been made against the applicant entity by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence or any other act which involves fraud, deceit, dishonesty, misrepresentation, breach of contract or breach of fiduciary duty and that the statements made and information provided with the application are true and accurate to the best of our knowledge. Given under the common seal of the entity on this….........day of.........….in the presence of …………………. (Name) Director ……………………….. (Name) Director/Secretary or, Signed by the duly authorized signatories of the entity on this…...........day of….......... ………………………… (Name) Authorized Signatory Note: Please attach a certified true copy of the board resolution/Power of Attorney in proof of such authority.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 13A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE II Fitness and Propriety of a Key Management Person of a Market Institution General interpretation 1. The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall unless the context so requires have the same meaning assigned to them in the said Act. “Commission” means the Securities and Exchange Commission of Sri Lanka established in terms of the SEC Act; “Key Management Person” means directors (executive or otherwise) and shall include alternate directors, a chief executive officer, compliance officer and persons having authority and responsibility for planning, directing and controlling the activities of a company/entity either directly or indirectly; “Market Institution” shall have the same meaning as defined in Section 188 of the SEC Act; “SEC Act” means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021. Submission of an affidavit to the Commission 2. No individual shall be appointed, elected, nominated or continue to serve as a Key Management Person of a Market Institution unless that individual is a fit and proper person to hold such office in such entity as morefully described in these Rules. 3. An individual proposed to be appointed, elected or nominated or who intends to continue to serve in the capacity of a Key Management Person, shallsubmit an affidavit to the Commission affirming thatsuch person is not subject to any of the infirmities morefully described in these Rules prior to such individual being appointed and at the time a Market Institution seeks a licence. 4. The information contained in the affidavit shall not be misleading or vague and shall contain a statement that the contents are true and accurate. 5. Adherence to these Rules shall be a continuous requirement and the compliance officer of a Market Institution shall immediately inform the board of directors of any matter that may disqualify the appointment or the continuation in office of a Key Management Person and the board of directors shall immediately notify the Commission the decision made in respect of such matter.

14A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Honesty, integrity and reputation 6. The Key Management Person shall not: (a) be a person who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence; (b) be a person who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of a capital market offence or against whom an offence has been compounded in terms of the SEC Act during a period of three (3) years immediately preceding the date of the application; (c) have been a Key Management Person of a body corporate who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence or capital market offence having proved to have been committed with the knowledge or involvement or negligence attributable to such person; (d) be a person who has been subject to an administrative sanction by the Commission during a period of three (3) years immediately preceding the date of the application; (e) be a Key Management Person of a company, partnership or other organization whose licence has been suspended or cancelled by the Commission for violating any provision of the SEC Act or any Rules or regulations made thereunder; (f) be a person who has been censured, disciplined, suspended or refused membership or registration by the Commission and any other regulatory authority in Sri Lanka or elsewhere during a period of three (3) years immediately preceding the date of the application; (g) be a person against whom a finding has been made by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad that such individual has committed any act which involves fraud, deceit or dishonesty; (h) be a person who has been disqualified from acting as a director of a company, or has been dismissed or requested to resign from any position or office due to mismanagement of funds or the commission of financial fraud by the Commission, any other regulatory body or professional body; (i) be a person against whom an inquiry and/or investigation by the Commission and/or any other regulatory/professional body in Sri Lanka or elsewhere is presently pending for the commission of suspected capital market offences or any matter that involves fraud, deceit or dishonesty; and/or (j) be a person who has contravened any written law enacted for the protection of the members of the public against financial loss due to dishonesty or malpractice of such person.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 15A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Financial soundness 7. The Key Management Person shall not: (a) have proceedings instituted to be declared bankrupt or have been declared as bankrupt and/or had assets sequestered; (b) have been subject to any judgment debt or award in Sri Lanka or abroad that remains unpaid in whole or in part; and/or (c) have been a person of a company in a position that exercisessignificant influence in a company that: (i) has been subject to any judgment debt or award in Sri Lanka or abroad that remains unpaid in whole or in part; or (ii) has in Sri Lanka or abroad, made any arrangements in composition with its creditors, filed for bankruptcy, been declared bankrupt, had assets sequestered, involved in winding-up proceedings ordered by a court of law or been involved in proceedings relating to any of the foregoing. Competence and capability 8. The Key Management Person shall: (a) not have been declared by a court of competent jurisdiction in Sri Lanka or abroad to be of unsound mind; (b) possess the qualifications required to provide the services for which a licence has been sought/obtained from the Commission; (c) have satisfied the relevant training and competence requirements in relation to the regulated function the person performs or intends to perform; (d) demonstrate by experience that the chief executive officer, the chief regulatory officer and the compliance officer are suitable or will be suitable if approved to perform the regulated functions; (e) possess adequate time to perform the regulated function and meet the responsibilities associated with that function; and/or (f) have not contravened any written law enacted for the protection of the members of the public against financial loss due to incompetence of such person.

16A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE III Specimen of an Affidavit for Fitness and Propriety of a Key Management Person of a Market Institution I, ___________________________________________________ [Full name] holder of NIC No./Passport No. (In the case of a foreign national) ___________of __________________________ [Address], being a [Buddhist/Hindu/Muslim do hereby solemnly, sincerely and truly declare and affirm] / [Christian/ Catholic make oath and swear as follows]:

1. I am the [affirmant/deponent] above named.
2. I affirm/state that I am a ____________ [Designation] of _________________________________ [Name of the applicant entity].
3. I affirm/state that I possess the following academic and/or professional qualification(s) to perform the prescribed duties which I am engaged in: ………………………………………… ………………………………………… …………………………………………
4. I affirm/state that I have not been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence.
5. I affirm/state that I have not been a Key Management Person of a body corporate which has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence, proved to have been committed with the knowledge or involvement or negligence attributable to me.
6. I affirm/state that I am not a person against whom an offence has been compounded in terms of the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 (SEC Act) nor an administrative sanction has been imposed by the Commission during a period of three (3) years immediately preceding the date of this affidavit.
7. I affirm/state that I have not been a Key Management Person of a company, partnership or other organization whose licence has been suspended or cancelled by the Commission for violating any provision of the SEC Act, any rules or regulations made thereunder.
8. I affirm/state that I have not been a person who has been censured, disciplined, suspended or refused membership or registration by the Commission or any other regulatory authority in Sri Lanka or abroad during a period of three (3) years immediately preceding the date of this affidavit.
9. I affirm/state that I have not been a person who has been disqualified by the Commission or any other regulatory body or professional body from serving as a director of a company, or has been dismissed or requested to resign from any position or office due to mismanagement of funds or the commission of a financial fraud.
10. I affirm/state that I am not a person against whom an inquiry and/or an investigation by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad is presently pending, for the commission of suspected capital market offences or any act which involves fraud, deceit or dishonesty or that a finding has been made by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad that I have committed any act which involves fraud, deceit or dishonesty.
11. I affirm/state that I have not contravened any written law enacted for the protection of the members of the public against financial loss by dishonesty, incompetence or malpractice.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 17A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 12. I affirm/state that no proceedings have been instituted in a court of law in Sri Lanka or abroad requesting that I be declared bankrupt or that I have not been declared bankrupt and that my assets have not been sequestered. 13. I affirm/state that I have not been subject to any judgment debt or award in Sri Lanka or abroad that remains unpaid in whole or in part. 14. I affirm/state that I am not a person/a director of a company or a shareholder in a position that exercises significant influence in a company that: (a) has been subject to any judgment debt or award in Sri Lanka or abroad, that remains unpaid in whole or in part; or (b) has in Sri Lanka or abroad made any arrangements in composition with its creditors, filed for bankruptcy, been declared bankrupt, had assets sequestered, involved in winding-up proceedings ordered by a court of law or been involved in proceedings relating to any of the foregoing. 15. I affirm/state that I have not been declared as a person of unsound mind by a court of competent jurisdiction in Sri Lanka or abroad. 16. I affirm/state that I have the relevant training, competence and expertise in the nature of the business being conducted by the entity. 17. I affirm/state that I have the suitable experience to perform the regulated function. 18. I affirm/state that I have adequate time to perform the regulated functions and meet the responsibilities associated with such function of the entity. 19. I affirm/state that I have the technical knowledge and ability to perform the prescribed duties which I am engaged in, especially recognised professional qualifications and membership of relevant professional institutions. 20. I affirm/state that I have not contravened any written law enacted for the protection of the members of the public against financial loss due to my incompetence. 21. I affirm/state that all of the above are true and accurate to the best of my knowledge. The averments contained herein were read over to the [affirmant/deponent] who having understood the contents hereof and having accepted same as true, [affirmed/swore] to and placed his/her signature at …………. on this …………… day of ………………… Affix stamps as applicable Before me Justice of the Peace/Commissioner for Oaths.

18A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE IV Minimum Requirements of an Internal Compliance Manual

1. Conflicts of Interest: (a) mechanism to monitor and identify conflicts of interest situations and steps to address such situations in a timely manner; (b) procedures to prevent or control the exchange of information between persons engaged in activities that give rise to a risk of a conflict of interest; (c) procedures for the prevention or limitation of any person from exercising undue influence over the manner in which a relevant person carries out services or activities; (d) measures to ensure that it does not carry out any activities, which could cause a conflict of interest with its Exchange functions; (e) a transparent and non-discriminatory criteria for the admission of Trading Participants; (f) a procedure to ensure that the Exchange does not engage in transactions with related parties in a manner that would grant such parties more favorable treatment than that accorded to third parties in the ordinary course of business; (g) procedures to prevent trading by the employees of the Exchange during such period the Exchange holds material non-public information pertaining to listed public companies; and (h) measures ensuring that the entity acts in the best interest of the public.
2. Corporate Governance: (a) composition of the board of directors, availability of its subcommittees in accordance with these Rules; (b) a code of conduct and ethics, good business practices and the requirement to follow just and fair principles in the conduct of its business; (c) requirement to comply with the SEC Act, applicable rules and regulations introduced by the Commission in respect of Exchanges; (d) requirement to implement sound financial and business reporting structure; (e) requirement to segregate assets of the Trading Participants from those of the Exchange; and (f) requirement to ensure compliance with Fitness and Proprietary of a Key Management Person of a Market Institution issued by the Commission from time to time.
3. Internal controls and Risk Management: (a) the availability of sound internal controls and risk management policies and processes; (b) the availability of internal audit systems; (c) regular review of the adequacy and effectiveness of financial, operational and compliance controls; and (d) regular review of the adequacy and effectiveness of risk management policies and procedures.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 19A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE V Minimum Matters to be Disclosed in a Compliance Report

1. Confirmation that the business has been conducted in conformity with the: (a) Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021; (b) Rules issued by the Commission; (c) Rules of an Exchange pertaining to an Exchange; and (d) Rules and regulations of the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka including rules and regulations pertaining to Anti Money Laundering.
2. If not: (a) provide information as to the nature of the non-compliance or breach; (b) action taken to prevent or mitigate the non-compliance or breach; and (c) the outcome.
3. Whether any Suspicious Transaction Reports (STRs) have been generated. If so: (a) the number generated and submitted to the FIU; and (b) outcomes if any.
4. Monitoring of network availability and performance with: (a) details pertaining to instances in which systems failure/malfunctions were detected in relation to the Automated Trading System during the quarter; and (b) details pertaining to the security threats to the network operating systems identified during the quarter. Any instances as referred to in items 4. (a) and (b) above and the remedial action taken shall be immediately brought to the attention of the Commission. EOG 03-0882/1

20A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 rules applicable to a clearing house The Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 RULES made by the Securities and Exchange Commission of Sri Lanka, in terms of Section 183 of the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021. Viraj Dayaratne PC Chairman Securities and Exchange Commission of Sri Lanka. Colombo 15th March, 2022. Rules These Rules may be cited as the Rules applicable to an Exchange. General interpretation 1. The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall unless the context so requires have the same meaning assigned to it in the said Act: “Central Counterparty” shall have the same meaning as defined in Section 32 of the SEC Act; “Clearing House” shall have the same meaning as defined in Section 188 of the SEC Act; “Clearing Member” shall have the same meaning as defined in Section 188 of the SEC Act; “Commission” means the Securities and Exchange Commission of Sri Lanka established in terms of the SEC Act; “Key Management Person” means the directors (executive or otherwise) and shall include alternate directors, a chief executive officer, compliance officer and persons having authority and responsibility for planning, directing and controlling the activities of a company/entity either directly or indirectly; “Liquid Assets” means unencumbered cash or investments which can be readily converted to cash such as bank/call deposits, re-purchase agreements with maturity of less than three (3) months, commercial papers which are endorsed or guaranteed by a licensed commercial bank or licensed specialized bank with a term to maturity of less than three (3) months and government issued securities with a term to maturity of one (1) year or less or any other form of instruments as determined by the Commission; “Market Charge” shall have the same meaning as defined in Section 32 of the SEC Act; “Market Contract” shall have the same meaning as defined in Section 32 of the SEC Act;

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 21A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 “SEC Act” means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021; “Shareholders’ Funds” means the amount of equity of the Company which belongs to the shareholders of the Company. 2. The Rules set out herein shall apply to a Clearing House licensed under the SEC Act. 3. Every Clearing House shall comply with: (a) the Rules set out herein and any amendments thereto; (b) provisions of the SEC Act; (c) directives issued from time to time by the Commission; and (d) Rules issued by the Commission relating to Fitness and Propriety of a Key Management Person of a Market Institution. Requirement for a licence 4. No entity shall engage in the function of a Clearing House without having first obtained a licence from the Commission. Procedure to obtain a licence 5. The grant of a licence shall be a two (2) stage process. An applicant may in the first instance apply for in-principle approval upon satisfying the requirements as set out in (a) hereof and after having obtained in-principle approval may thereafter apply for final approval upon satisfying the requirements as set out in (b) hereof: (a) In order to obtain in-principle approval an applicant shall submit to the Commission: (i) a duly completed application form according to the specimen provided on the website of the Commission; (ii) documents to establish the source of funding to establish the Clearing House; (iii) documents outlining the business model to carry on the functions of the Clearing House including financial feasibility; (iv) documents outlining the governance structure of the Clearing House; (v) documents outlining the procedure in relation to the admission of Clearing Members to the Clearing House; (vi) documents outlining the details of settlement guarantee fund of the Clearing House; (vii) a declaration by the applicant as per Schedule I of these Rules; (viii) a copy of the internal compliance manual as set out in Schedule IV of these Rules ; (ix) a copy of the draft Rules of the applicant in conformity with the requirements set out in Section 36 of the SEC Act; Applicability

22A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (x) documentation in support of measures taken to acquire infrastructure and meet related requirements as specified in Rule 16; (xi) documentation in support of steps taken to recruit adequate human resources as stated in Rule 34 to effectively discharge the obligations in keeping with the identified organizational structure of the applicant; (xii) any other requirements and/or information that the Commission may require considering particular circumstances; and (xiii) the processing fee specified by way of regulations made by the Minister from time to time. (b) Within six (6) months of obtaining in-principle approval, the applicant shall fulfill the following requirements and submit the following documents as proof thereof in order to obtain final approval: (i) a confirmation from the chief executive officer and a director of the Clearing House that the applicant has met the requirements as spelt out in Rule 8 (a) and (b) of these Rules; (ii) a confirmation from the chief executive officer and a director of the Clearing House of compliance with the requirement on the minimum number of Clearing Members as stipulated in Rule 26 of these Rules; (iii) declarations by Key Management Persons relating to their fitness and propriety in terms of the Fitness and Propriety of a Key Management Person of a Market Institution as contained in Schedule II of these Rules. Such declaration shall be in the form of an affidavit prepared in accordance with the specimen provided in Schedule III of these Rules; (iv) a confirmation from the chief executive officer and a director of the Clearing House of the implementation of an information system as stated in Rule 16 in these Rules; (v) a confirmation from the chief executive officer and a director of the Clearing House of the recruitment of adequate human resources, particularly the officers stated in Rule 34 along with their names and designations; and (vi) the annual licence fee specified by way of regulations made by the Minister from time to time.

• However, in the event the Central Depository Systems (Pvt) Limited is desirous of obtaining a licence to continue its function as a Clearing House upon expiration of its present licence granted by the Commission, the two￾stage process mentioned above may be waived by the Commission provided that the Central Depository Systems (Pvt) Limited satisfies all requirements set out in (a) and (b) above at the same time.

6. As stipulated in Section 69 of the SEC Act, it shall be the duty of the Clearing House to obtain the prior approval of the Commission of any change in particulars specified in an application to be licensed as a Clearing House. Licensing fee 7. A Clearing House shall pay such licensing fee as prescribed by way of regulations made by the Minister from time to time under the SEC Act.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 23A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Minimum financial requirements and submission of reports 8. A Clearing House shall: (a) at all times maintain minimum Shareholders’ Funds as determined by the Commission from time to time; (b) at all times maintain minimum Liquid Assets as determined by the Commission from time to time; (c) inform the Commission immediately if Shareholders’ Funds and/or Liquid Assets fall below the requirement as stipulated in Rule 8 (a) and (b) above. 9. A Clearing House shall provide the information as set out below to the Commission: (a) financial statements prepared quarterly in conformity with the Sri Lanka Accounting Standards signed by the chief executive officer and a director within forty five (45) days from the end of each quarter; (b) a copy of the annual report in conformity with Section 73 of the SEC Act within a period of five (5) months from the close of each financial year; and (c) a copy of the compliance report as stated in Rule 47 hereof. 10. A Clearing House shall, within three (3) months from the date of the auditor’s report, take stepsto rectify the deficienciesif any, made out in the auditor’sreport, in so far as they relate to the activity of clearing functions. Change in shareholding 11. A change in the shareholding of five per centum (5%) or more of the total shareholding of a Clearing House shall be made only upon obtaining prior approval of the Commission. Duties of a Clearing House 12. A Clearing House shall at all times ensure that it complies with the duties stipulated under Section 37 of the SEC Act. Maintenance of guarantees and assets of Clearing Members 13. A Clearing House shall segregate the guarantees and the assets of Clearing Members from the assets of the licensed Clearing House. 14. A Clearing House shall not use the guarantees or assets taken from its Clearing Members for purposes other than those for which they were deposited. 15. Any deposit maintained by the Clearing House on behalf of Clearing Members shall be accounted separately and shall be disclosed in the financial statements. Infrastructure and related requirements 16. A Clearing House shall have all the capabilities to operate and conduct the functions of a Clearing House and shall ensure the availability of the following infrastructure and related features in its systems at a minimum: (a) clearing system; (b) settlement gateway connected to the depository system; (c) infrastructure requirements for internal business operations: (i) internal network; (ii) accounting system; (iii) document archiving and retention system; (iv) an electronic communication mechanism; (v) data center (hosted on-site or off-site) and a separate disaster recovery facility at a suitable location.

24A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 17. A Clearing House shall ensure that its business applications minimize manual intervention in information inputs and outputs where possible and prevent unauthorized changes to its databases. 18. Information systems of a Clearing House shall be subjected to control reviews at least once in every two (2) years and the control gaps identified shall be rectified following a time plan. The scope of testing should cover business logic, system function, security controls and system performance at a minimum. 19. A Clearing House shall have a documented Disaster Recovery (DR) Plan. 20. A DR test shall be conducted annually in line with the DR plan of the Clearing House. 21. A Clearing House shall ensure that its hosted servers are subjected to vulnerability assessments and penetration tests annually. The issues arising from such tests shall be rectified according to a time bound plan. 22. The reports pertaining to reviews and tests specified in Rules 18, 20 and 21 shall be retained for reference for a minimum period of six (6) years. 23. A Clearing House shall maintain a duly updated Systems and Procedures Manual covering the following areas, to ensure compliance with these Rules: (a) the organizational structure of the Clearing House identifying key functions and persons and their reporting structure; (b) operational procedures pertaining to a Clearing House covering the following areas at a minimum: (i) operational procedures pertaining to Management Information Systems (MIS); (ii) procedures on staff trades by employees of the Clearing House; and (iii) a procedure to handle complaints. (c) policies, standards and procedures: (i) sound and prudent policies, standards and procedures for managing technology risks; and (ii) review and update policies, standards and procedures regularly, taking into consideration the evolving technology and cyber threat landscape. (d) management of third-party services: (i) a Clearing House should asses and manage its exposure to technology risk that may affect confidentiality, integrity and availability of information technology systems and data before entering into a contractual agreement or partnership with third parties; and

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 25A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (ii) a comprehensive information technology security awareness training program should be established to maintain a high level of awareness among all staff of the Clearing House. (e) data and infrastructure security: develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorized access, modification, copying or transmission of its confidential data. (f) user access management: establish a user access management process covering provisions relating to change and the revocation of access rights of information assets. (g) network security: deploy effective security mechanisms to protect information assets (eg: firewall), network access controls. (h) cyber security: establish a security operations center or acquire managed security services (the processes, roles and responsibilities for security operations should be defined). (i) system backup and recovery: establish a system and data backup and recovery strategy and develop a plan to perform regular backups. (j) investor education and communication: measures to raise awareness among investors on the security best practices and terms and conditions that investors should adhere to when using online services. (k) incident management: establish an incident management framework with the objective of restoring an affected information technology service or system to a secure and stable state as quickly as possible to minimize the impact to the business and investors. 24. A Clearing House shall have sufficient and appropriate processes to ensure that the functions of legal and enforcement, compliance, surveillance, supervision of Clearing Members, information technology, finance and administration, internal audit and risk management are carried out. Rules of a Clearing House 25. A Clearing House shall, in addition to the requirements stipulated under Section 36 of the SEC Act, make provisions for the following in preparing its Rules: (a) rules on the application of collateral subject to a Market Charge in conformity with Section 50 of the SEC Act; (b) rules on the transfer of securities in settlement in conformity with Section 51 of the SEC Act; and (c) rules on the purchase and sale of securities in conformity with Section 52 of the SEC Act.

26A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Clearing Members of a Clearing House 26. Every Clearing House shall ensure the availability of a minimum of three (3) Clearing Members. 27. In admitting Clearing Members, a Clearing House shall ensure at a minimum that such members: (a) are body corporates; (b) have high business integrity; (c) meet the minimum financial requirements stipulated in the relevant rules of the Clearing House; and (d) meet the minimum standards stipulated in the relevant rules of the Clearing House. 28. A Clearing House shall execute a detailed written agreement executed between the Clearing House and the Clearing Members inclusive of rights and obligations of each party and a dispute resolution mechanism. 29. Every Clearing House shall ensure that its Clearing Members: (a) comply with the Rules applicable to Clearing Members; (b) initiate timely disciplinary action and take suitable action for any contravention or failure to comply with the provisions of the SEC Act. Appointment of directors of the Clearing House 30. The appointment of directors of a Clearing House shall be in conformity with Section 68 of the SEC Act. Governance of a Clearing House 31. A Clearing House shall have a board charter that inter alia includes a code of conduct for the board of directors and demarcate the responsibilities between its board of directors and management. 32. A Clearing House shall have, at a minimum the following sub-committees of the board of directors: (a) a risk and audit committee; (b) a remuneration committee; (c) a nomination committee; (d) a rules committee; and (e) a dispute resolution committee. Human resources of a Clearing House 33. A Clearing House shall have an organizational structure with clearly defined responsibilities and authority for each category of employees. 34. AClearing House shall have suitably qualified personsfor the following positions: (a) Chief Executive Officer (CEO); (b) Chief Regulatory Officer (CRO); (c) Head of Compliance; (d) Head of Legal; (e) Head of Finance; and (f) Head of Information Technology.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 27A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Commission approval to engage in other businesses 35. A Clearing House shall disclose to the Commission all other business activities it is engaged in at the time of applying for its licence and inform the Commission in writing prior to engaging in any other business activity after obtaining a licence from the Commission. 36. A Clearing House shall not engage in any other business which in the view of the Commission creates a conflict of interest unless prior written approval of the Commission is obtained. 37. In the conduct of any such other business activity, a Clearing House shall ensure that proper processes are in place to have a clear demarcation of the different functions pertaining to such businesses. Maintenance of records 38. A Clearing House shall maintain the following records: (a) correspondence with Clearing Members; (b) comprehensive written records pertaining to disciplinary actions initiated against Clearing Members; (c) a comprehensive written record of all complaints received/disputes and action taken thereon by the Clearing House; and (d) any other record the Commission requires the Clearing House to maintain from time to time. 39. All of the above records shall be retained by the Clearing House for a period of six (6) years. 40. A Clearing House shall ensure confidentiality of all information relating to the Clearing Members unless such disclosure is required by law. Keeping of books and furnishing of returns 41. A Clearing House shall: (a) maintain or cause to be maintained, such accounting records and other books as will truly reflect the transactions and financial position of its business and enable the preparation of a true and fair income statement and a statement of financial position in keeping with the Sri Lanka Accounting Standards adopted by the Institute of Chartered Accountants of Sri Lanka; (b) maintain or cause to be maintained such accounting records and other books in such manner as will enable them to be accurately audited; and (c) retain such accounting records or other books for a period of not less than six (6) years.

28A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Duty to furnish information and co-orporate with auditors appointed by the Commission 42. Where the Commission having considered that it is in the interest of the Clearing House or those of its Clearing Members, appoints an independent auditor or such other person or a body of persons to examine, audit and report either generally or in relation to any particular matter, it shall be the duty of such Clearing House: (a) to produce any books, accounts and records of any assets held by the Clearing House relating to its business; (b) to produce any records of any systems, processes or procedures adopted by the Clearing House relating to its business; (c) to provide all information within its knowledge or which it is capable of obtaining; and (d) to ensure that all the information which is furnished to the auditor or independent auditor as the case may be is not false or misleading in any material particulars. 43. A Clearing House shall not destroy, conceal or alter any records, property or books relating to the business of the Clearing House which are in its possession or under its control with the intention of defeating, preventing, delaying or obstructing the carrying out of any examination. Submission of information to the Commission 44. A Clearing House shall furnish such returns and provide such information relating to its business as the Commission may require from time to time. 45. The Commission may determine that any information required herein shall be submitted within such period at such intervals in such manner or in such form as the Commission may specify and the Clearing House shall comply with such requirements. Compliance manual 46. A Clearing House shall have an internal compliance manual applicable to its directors and employees which shall include amongst others adequate compliance procedures and practices as set out in Schedule IV of these Rules. Regulatory compliance and internal controls 47. The compliance officer on behalf of the Clearing House shall make a quarterly compliance report which shall include amongst others the contents specified in Schedule V of these Rules approved by the board of directors and signed by the chief executive officer and a director confirming compliance with the provisions of the SEC Act, the criteria set out herein, any other rules or directives issued by the Commission from time to time and the Financial Transactions Reporting Act, No. 06 of 2006 where applicable and forward the same to the Commission, before the twentieth (20th) day of the following month. However, in the event any non-compliance or breach is detected, the compliance officershall immediately reportsuch matterto the board of directorsforrectification and inform the Commission within a period of twenty-eight (28) days from the date on which the board of directors were informed together with the steps that have been taken by the board of directors to rectify such non-compliance. 48. A Clearing House shall have a fair and transparent complaint handling procedure to ensure the best interest of the Clearing Members and the public and shall maintain procedures to ensure that complaints received in relation to the conduct of Clearing Members are handled in a timely and effective manner.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 29A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 49. A Clearing House shall adhere to the Know Your Client (KYC) and due diligence procedures specified by the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka from time to time. Trading by employees 50. In the event of trading by employees of a Clearing House, order instructions pertaining to such trades shall not be forwarded to a Stock Broker unless the order is authorised in writing by the chief executive officer or the compliance officer of a Clearing House. Notification on the happening of certain events 51. Without prejudice to the generality of the duties imposed under the SEC Act, in the event any one or more of the following events occur, a Clearing House shall forthwith provide written notice to the Commission: (a) the Clearing House is in the course of being wound up or otherwise dissolved whether within or outside Sri Lanka or where a receiver, liquidator or an equivalent person has been appointed in respect of any property of the Clearing House; (b) the Clearing House is unable to carry on its functions as a Clearing House; (c) the Clearing House has failed to comply with the provisions of the SEC Act, Rules relating to Fitness and Propriety of a Key Management Person of a Market Institution and the Rules specified herein or any other directive issued by the Commission from time to time; (d) any information or document furnished to the Commisison is false or misleading or there is any change in any information contained in a document furnished to the Commission; (e) any execution against the Clearing House in respect of a judgment debt has been returned unsatisfied in whole or in part; (f) the Clearing House whether within or outside Sri Lanka has entered into a compromise or scheme of arrangement with its creditors being a compromise or scheme of arrangement; (g) a Key Management Person has been convicted of any offence involving fraud or dishonesty or a violation of securities law within or outside of Sri Lanka; and/or (h) a Key Management Person of the Clearing House becomes an undischarged bankrupt. Cancellation of a licence 52. The cancellation of a licence granted to a Clearing House shall be governed by the provisions contained in Section 39 of the SEC Act. Commencement of operations 53. In the event a Clearing House fails to commence the business within six (6) months after the issue of the licence, then the licence will cease to be valid. Licence of a Clearing House deemed to be revoked 54. A licence of a Clearing House shall be deemed to be revoked if the company to whom a licence has been granted is wound up or otherwise dissolved.

30A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE I Declaration by the Applicant To: Chairman Securities and Exchange Commission of Sri Lanka Level 28 & 29, East Tower World Trade Center Echelon Square, Colombo 01, Sri Lanka. In consideration of being licensed to operate as (type of market institution), we (name of the applicant entity) being duly incorporated and having our registered office/principal place of business at.............…(address)…...........hereby undertake and agree:

1. to be licensed at the sole discretion of the Commission and for such period as may be determined by the Commission; and
2. to be bound by the applicable laws, rules, regulations and directives of the Commission as amended or replaced from time to time. We further declare that no finding has been made against the applicant entity by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence or any other act which involves fraud, deceit, dishonesty, misrepresentation, breach of contract or breach of fiduciary duty and that the statements made and information provided along with the application are true and accurate to the best of our knowledge. Given under the common seal of the entity on this…............day of…..........in the presence of ………………………. (Name) Director ……………………….. (Name) Director/Secretary or, Signed by the duly authorized signatories of the entity on this….............day of…........... ………………………… (Name) Authorized Signatory Note: Please attach a certified true copy of the board resolution/Power of Attorney in proof of such authority.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 31A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE II Fitness and Propriety of a Key Management Person of a Market Institution General interpretation 1. The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall unless the context so requires have the same meaning assigned to them in the said Act. “Commission” means the Securities and Exchange Commission of Sri Lanka established in terms of the SEC Act; “Key Management Person” means directors (executive or otherwise) and shall include alternate directors, a chief executive officer, compliance officer and persons having authority and responsibility for planning, directing and controlling the activities of a company/entity either directly or indirectly; “Market Institution” shall have the same meaning as defined in Section 188 of the SEC Act; “SEC Act” means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021. Submission of an affidavit to the Commission 2. No individual shall be appointed, elected, nominated or continue to serve as a Key Management Person of a Market Institution unlessthat individual is a fit and proper person to hold such office in such entity as morefully described in these Rules. 3. An individual proposed to be appointed, elected or nominated or who intends to continue to serve in the capacity of a Key Management Person, shall submit an affidavit to the Commission affirming that such person is not subject to any of the infirmities morefully described in these Rules prior to such individual being appointed and at the time a Market Institution seeks a licence. 4. The information contained in the affidavit shall not be misleading or vague and shall contain a statement that the contents are true and accurate. 5. Adherence to these Rules shall be a continuous requirement and the compliance officer of a Market Institution shall immediately inform the board of directors of any matter that may disqualify the appointment or the continuation in office of a Key Management Person and the board of directors shall immediately notify the Commission the decision made in respect of such matter.

32A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Honesty, integrity and reputation 6. The Key Management Person shall not: (a) be a person who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence; (b) be a person who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of a capital market offence or against whom an offence has been compounded in terms of the SEC Act during a period of three (3) years immediately preceding the date of the application; (c) have been a Key Management Person of a body corporate who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence or capital market offence having proved to have been committed with the knowledge or involvement or negligence attributable to such person; (d) be a person who has been subject to an administrative sanction by the Commission during a period of three (3) years immediately preceding the date of the application; (e) be a Key Management Person of a company, partnership or other organization whose licence has been suspended or cancelled by the Commission for violating any provision of the SEC Act or any rules or regulations made thereunder; (f) be a person who has been censured, disciplined, suspended or refused membership or registration by the Commission and any other regulatory authority in Sri Lanka or elsewhere during a period of three (3) years immediately preceding the date of the application; (g) be a person against whom a finding has been made by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad that such individual has committed any act which involves fraud, deceit or dishonesty; (h) be a person who has been disqualified from acting as a director of a company, or has been dismissed or requested to resign from any position or office due to mismanagement of funds or the commission of financial fraud by the Commission, any other regulatory body or professional body; (i) be a person against whom an inquiry and/or investigation by the Commission and/or any other regulatory/professional body in Sri Lanka or elsewhere is presently pending for the commission of suspected capital market offences or any matter that involves fraud, deceit or dishonesty; and/or (j) be a person who has contravened any written law enacted for the protection of the members of the public against financial loss due to dishonesty or malpractice of such person.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 33A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Financial soundness 7. The Key Management Person shall not: (a) have proceedings instituted to be declared bankrupt or have been declared bankrupt and/or had assets sequestered; (b) have been subject to any judgement debt or award in Sri Lanka or abroad that remains unpaid in whole or in part; (c) have been a person of a company in a position that exercises significant influence in a company that: i. has been subject to any judgement debt or award in Sri Lanka or abroad that remains unpaid in whole or in part; or ii. has in Sri Lanka or abroad, made any arrangements in composition with its creditors, filed for bankruptcy, been declared bankrupt, had assets sequestered, involved in winding￾up proceedings ordered by a court of law or been involved in proceedings relating to any of the foregoing. Competence and capability 8. The Key Management Person shall: (a) not have been declared by a court of competent jurisdiction in Sri Lanka or abroad to be of unsound mind; (b) possess the qualifications required to provide the services for which a licence has been sought/obtained from the Commission; (c) have satisfied the relevant training and competence requirements in relation to the regulated function the person performs or intends to perform; (d) demonstrate by experience that the chief executive officer, the chief regulatory officer and the compliance officer are suitable or will be suitable if approved to perform the regulated functions; (e) possess adequate time to perform the regulated function and meet the responsibilities associated with that function; and/or (f) have not contravened any written law enacted for the protection of the members of the public against financial loss due to incompetence of such person.

34A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE III Specimen of an Affidavit for Fitness and Propriety of a Key Management Person of a Market Institution I, ___________________________________________________ [Full name] holder of NIC No. /Passport No. (In the case of a foreign national) ___________of __________________________ [Address], being a [Buddhist/Hindu/Muslim do hereby solemnly, sincerely and truly declare and affirm]/[Christian/ Catholic make oath and swear as follows]:

1. I am the [affirmant/deponent] above named.
2. I affirm/state that I am a ____________ [Designation] of _________________________________ [Name of the applicant entity].
3. I affirm/state that I possessthe following academic and/or professional qualification(s) to perform the prescribed duties which I am engaged in.

---

---

---

4. I affirm/state that I have not been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence.
5. I affirm/state that I have not been a Key Management Person of a body corporate which has been found guilty/ held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence, proved to have been committed with the knowledge or involvement or negligence attributable to me.
6. I affirm/state that I am not a person against whom an offence has been compounded in terms of the Securities and Exchange Commission of Sri Lanka Act, No.19 of 2021 (SEC Act) nor an administrative sanction has been imposed by the Commission during a period of three (3) years immediately preceding the date of this affidavit.
7. I affirm/state that I have not been a Key Management Person of a company, partnership or other organization whose licence has been suspended or cancelled by the Commission for violating any provision of the SEC Act, any rules or regulations made thereunder.
8. I affirm/state that I have not been a person who has been censured, disciplined,suspended or refused membership or registration by the Commission and/or any other regulatory authority in Sri Lanka or abroad during a period of three (3) years immediately preceding the date of this affidavit.
9. I affirm/state that I have not been a person who has been disqualified by the Commission and/or any other regulatory body or professional body from serving as a director of a company, or has been dismissed or requested to resign from any position or office due to mismanagement of funds or the commission of a financial fraud.
10. I affirm/state that I am not a person against whom an inquiry and/or investigation by the Commission/and or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad is presently pending, for the commission of suspected capital market offences or any act which involves fraud, deceit or dishonesty or that a finding has been made by the Commission/and or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad that I have committed any act which involves fraud, deceit or dishonesty.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 35A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 11. I affirm/state that I have not contravened any written law enacted for the protection of the members of the public against financial loss by dishonesty, incompetence or malpractice. 12. I affirm/state that no proceedings have been instituted in a court of law in Sri Lanka or abroad requesting that I be declared bankrupt or that I have not been declared bankrupt and that my assets have not been sequestered. 13. I affirm/state that I have not been subject to any judgement debt or award in Sri Lanka or abroad that remains unpaid in whole or in part. 14. I affirm/state that I am not a person/a director of a company or a shareholder in a position that exercises significant influence in a company that: (a) has been subject to any judgment debt or award in Sri Lanka or abroad, that remains unpaid in whole or in part; or (b) has in Sri Lanka or abroad made any arrangements in composition with its creditors, filed for bankruptcy, been declared bankrupt, had assets sequestered, involved in winding-up proceedings ordered by a court of law or been involved in proceedings relating to any of the foregoing. 15. I affirm/state that I have not been declared as a person of unsound mind by a court of competent jurisdiction in Sri Lanka or abroad. 16. I affirm/state that I have the relevant training, competence and expertise in the nature of the business being conducted by the entity. 17. I affirm/state that I have the suitable experience to perform the regulated function. 18. I affirm/state that I have adequate time to perform the regulated functions and meet the responsibilities associated with such function of the entity. 19. I affirm/state that I have the technical knowledge and ability to perform the prescribed duties which I am engaged in, especially recognised professional qualifications and membership of relevant professional institutions. 20. I affirm/state that I have not contravened any written law enacted for the protection of the members of the public against financial loss due to my incompetence. 21. I affirm/state that all of the above are true and accurate to the best of my knowledge. The averments contained herein were read over to the [affirmant/deponent] who having understood the contents hereof and having accepted same as true, [affirmed/swore] to and placed his/her signature at …………. on this …………… day of ………………… Affix stamps as applicable Before me Justice of the Peace/Commissioner for Oaths.

36A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE IV Minimum Requirements of an Internal Compliance Manual

1. Conflicts of Interest: (a) a mechanism to monitor and identify conflict of interestsituations and stepsto addresssuch situations in a timely manner; (b) procedures to prevent or control the exchange of information between persons engaged in activities that give rise to a risk of a conflict of interest; (c) procedures for the prevention or limitation of any person from exercising undue influence over the manner in which a relevant person carries out services or activities; (d) ensure that it does not carry out any activities, which could cause a conflict of interest with its Clearing House functions; (e) a transparent and non-discriminatory criteria for the admission of Clearing Members; (f) a procedure to ensure that the Clearing House does not engage in transactions with related parties in a manner that would grant such parties more favorable treatment than that accorded to third parties in the ordinary course of business; and (g) measures ensuring that entity acts in the best interest of the public.
2. Corporate Governance: (a) composition of the board of directors, availability of its subcommittees in accordance with these Rules; (b) a code of conduct and ethics, good business practices and the requirement to follow just and fair principles in the conduct of its business; (c) requirement to comply with the SEC Act, applicable rules and regulations introduced by the Commission in respect of Clearing Houses; (d) requirement to implement a sound financial and business reporting structure; (e) requirement to segregate assets of the Clearing Members from those of the Clearing House; and (f) requirement to ensure compliance with fitness and proprietary Rules issued by the Commission from time to time.
3. Internal controls and Risk Management: (a) the availability of sound internal controls and risk management policies and processes; (b) the availability of internal audit systems; (c) regular review of the adequacy and effectiveness of financial, operational and compliance controls; and (d) regular review of the adequacy and effectiveness of risk management policies and procedures.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 37A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE V Minimum Matters to be Disclosed in a Compliance Report

1. Confirmation that the business has been conducted in conformity with the: (a) Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021; (b) Rules issued by the Commission; (c) Rules of an Exchange pertaining to a Clearing House; and (d) Rules and Regulations of the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka including rules and regulations pertaining to Anti Money Laundering.
2. If not: (a) provide information as to the nature of the non-compliance or breach; (b) action taken to prevent or mitigate the non-compliance or breach; and (c) the outcome.
3. Monitoring of network availability and performance with: (a) details pertaining to instances in which systems failure/malfunctions were detected in relation to the clearing system during the quarter; and (b) details pertaining to the security threats to the network operating systems identified during the quarter. Any instances as referred to items 3 (a) and (b) above and the remedial action taken shall be immediately brought to the attention of the Commission.
4. A list of complaints received by the Clearing House for the quarter and the current status of such complaints.
5. A list of instances in which settlement failures by the Clearing Members have been identified during the quarter.
6. A list of instances in which the Clearing Members have failed to meet margin and collateral requirements stipulated in the Rules of a Clearing House.
7. Findings on stress testing conducted quarterly in relation to the adequacy of components of default waterfall.
8. Whether any Suspicious Transaction Reports (STRs) have been generated. If so: (a) the number generated and submitted to the FIU; and (b) outcomes if any. EOG 03-0882/2

38A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 rules applicable to a central Depository The Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 RULES made by the Securities and Exchange Commission of Sri Lanka, in terms of Section 183 of the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021. Viraj Dayaratne PC Chairman Securities and Exchange Commission of Sri Lanka. Colombo 15th March, 2022. These Rules may be cited as the Rules applicable to a Central Depository. General interpretation

1. The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall unless the context so requires have the same meaning assigned to it in the said Act: “Central Depository” shall have the same meaning as defined in Section 188 of the SEC Act; “Commission” means the Securities and Exchange Commission of Sri Lanka established in terms of the SEC Act; “Depository Participant” shall have the same meaning as defined in Section 188 of the SEC Act; “Exchange” shall have the same meaning as defined in Section 188 of the SEC Act; “Key Management Person” means directors (executive or otherwise) and shall include alternate directors, a chief executive officer, compliance officer and persons having authority and responsibility for planning, directing and controlling the activities of a company/entity either directly or indirectly; “Liquid Assets” means unencumbered cash or investments which can be readily converted to cash such as bank/call deposits, re-purchase agreements with maturity of less than three (3) months, commercial papers which are endorsed or guaranteed by a licensed commercial bank or licensed specialized bank with a term to maturity of less than three (3) months and government issued securities with a term to maturity of one (1) year or less or any other form of instruments as determined by the Commission; “Market Contract” shall have the same meaning as defined in Section 32 of the SECAct; “Securities” shall have the same meaning as defined in Section 188 of the SEC Act; “Securities Account ” means an account opened in a Central Depository; “Securities Account Holder” means a person in whose name a Securities Account has been opened in a Central Depository; “SEC Act” means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021;

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 39A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 “Shareholders’ Funds” mean the amount of equity of the company, which belongs to the shareholders of the company. Applicability 2. The Rules set out herein shall apply to a Central Depository licensed under the SEC Act. 3. Every Central Depository shall comply with: (a) the Rules set out herein and any amendments made thereto; (b) provisions of the SEC Act; (c) directives issued from time to time by the Commission; and (d) Rules issued by the Commission relating to Fitness and Propriety of a Key Management Person of a Market Institution. Requirement for a licence 4. No entity shall engage in the function of a Central Depository without having first obtained a licence from the Commission. Procedure to obtain a licence 5. The grant of a licence shall be a two (2) stage process. An applicant may in the first instance apply for in-principle approval upon satisfying the requirements as set out in (a) hereof and after having obtained in-principle approval may thereafter apply for final approval upon satisfying the requirements as set out in (b) hereof: (a) In order to obtain in-principle approval an applicant shall submit to the Commission: (i) a duly completed application form according to the specimen provided on the website of the Commission; (ii) documents to establish the source of funding to establish the Central Depository; (iii) documents outlining the business model to carry on the functions of the Central Depository including financial feasibility; (iv) documents outlining the structures, systems and controls in place which will enable it to differentiate and segregate its commercial interests from its regulatory responsibilities; (v) documents outlining the governance structure of the Central Depository; (vi) documents outlining the procedure in relation to the admission of Depository Participants to the Central Depository; (vii) a declaration by the applicant as per Schedule I of these Rules; (viii) a copy of the internal compliance manual as specified in Schedule IV of these Rules; (ix) a copy of the draft Rules of the applicant in conformity with the requirements set out in Section 55 of the SEC Act; (x) documentation in support of measures taken to acquire infrastructure and meet related requirements as specified in Rule 20;

40A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (xi) documentation in support of steps taken to recruit adequate human resources as stated in Rule 37 to effectively discharge the obligations in keeping with the identified organizational structure of the applicant; (xii) any other requirements and/or information that the Commission may require considering particular circumstances; (xiii) the processing fee specified by way of regulations made by the Minister from time to time. (b) Within six (6) months of obtaining in-principle approval, the applicantshall fulfill the following requirements and submit the following documents as proof thereof in order to obtain final approval: (i) confirmation from the chief executive officer and a director that the applicant has met the requirements as spelt out in Rule 8 (a) and (b) of these Rules; (ii) declarations by Key Management Persons relating to their fitness and propriety in terms of the Fitness and Propriety of a Key Management Person of a Market Institution as stipulated in Schedule II of these Rules. Such declaration shall be in the form of an affidavit prepared in accordance with the specimen provided in Schedule III of these Rules; (iii) confirmation from the chief executive officer and a director of the establishment of a system that will enable the maintenance of securities in a scrip-less form and the ability to maintain data entries electronically as stated in Rule 20; (iv) confirmation from the chief executive officer and a director of the recruitment of adequate human resources, particularly the officersstated in Rule 37 along with their names and designations; and (v) the annual licence fee specified by way of regulations made by the Minister from time to time.

• However, in the event Central Depository Systems (Pvt.) Ltd. is desirous of obtaining a licence to continue its functions as a Central Depository upon expiration of its present licence granted by the Commission, the two stage process mentioned above may be waived by the Commission provided that the Central Depository Systems (Pvt.) Ltd. satisfies all requirements set out in (a) and (b) above at the same time.

6. As stipulated in Section 69 of the SEC Act, it shall be the duty of a Central Depository to obtain the prior approval of the Commission of any change in particulars specified in an application to be licensed as a Central Depository. Licensing fee 7. A Central Depository shall pay such licensing fee as prescribed by way of regulations made by the Minister from time to time.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 41A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Minimum financial requirements and submission of reports 8. A Central Depository shall: (a) at all times maintain minimum Shareholders’ Funds as determined by the Commission from time to time; (b) at all times maintain minimum Liquid Assets determined by the Commission from time to time; and (c) inform the Commission immediately if Shareholders’ Funds and/or Liquid Assets fall below the requirement as stipulated in Rule 8 (a) and (b) above. 9. A Central Depository shall provide the information as set out below to the Commission: (a) financial statements prepared quarterly in conformity with the Sri Lanka Accounting Standardssigned by the chief executive officer and a director within forty five (45) days from the end of each quarter; (b) a copy of the annual report in conformity with Section 73 of the SEC Act within a period of five (5) months from the close of each financial year; and (c) a copy of the compliance report as stated in Rule 51 hereof. 10. A Central Depository shall, within three (3) months from the date of the auditor’s report, take steps to rectify the deficiencies if any, made out in the auditor’s report. Change of shareholding 11. Achange in the shareholding of five per centum (5%) or more of the totalshareholding of a Central Depository shall be made only upon obtaining the prior approval of the Commission. Duties of a Central Depository 12. A Central Depository shall at all times ensure that it complies with the duties stipulated under Section 56 of the SEC Act. Segregation of Securities 13. A Central Depository shall ensure the segregation of Securities belonging to investors from those of Depository Participants. Operations of a Central Depository 14. All Securities Accounts opened with the Central Depository shall be in the name of the beneficial owner of the deposited securities or in the name of a nominee. 15. A Central Depository shall not process the opening of any Securities Accounts where the application is not in conformity with these Rules, Rules of a Central Depository and the Central Depository’s operational guidelines. 16. All dealings of Securities held in a Central Depository shall be made by way of book entries in the accounts of a Central Depository. 17. A Central Depository shall ensure that all instructions relating to a Securities Account are properly and accurately carried out and a proper log of such instructions is maintained. 18. A Central Depository shall ensure that the Securities Accounts of account holders are updated in relation to Market Contracts in a timely manner on the settlement date. 19. A Central Depository shall have a board approved procedure in relation to transfer of Securities of Securities Accounts, in the event of suspension/termination of a Depository Participant.

42A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Infrastructure and related requirements 20. A Central Depository shall have all the capabilities to operate and conduct the functions of a Central Depository and shall ensure the availability of the following infrastructure and related features in its systems at a minimum: (a) an automated depository system with the ability to maintain data entries electronically; (b) settlement gateway connected to the depository system; (c) infrastructure requirement for internal business operations: (i) internal network; (ii) accounting system; (iii) document archiving and retention system; (iv) an electronic communication mechanism; and (v) data centre hosted (on-site or off-site) and a separate disaster recovery facility at a suitable location. 21. A Central Depository shall ensure that its business applications minimize manual intervention in information inputs and outputs where possible and prevent unauthorized changes to its databases. 22. Information systems of a Central Depository shall be subjected to control reviews at least once in every two (2) years and the control gaps identified shall be rectified following a time plan. The scope of testing should cover business logic, system function, security controls and system performance at a minimum. 23. A Central Depository shall have a documented Disaster Recovery (DR) Plan. 24. A DR test should be conducted annually in line with the DR plan of the Central Depository. 25. A Central Depository shall ensure that its hosted servers are subjected to vulnerability assessments and penetration tests annually. The issues arising from such tests shall be rectified according to a time bound plan. 26. The reports pertaining to reviews and tests specified in Rules 22, 24 and 25 shall be retained for reference for a minimum period of six (6) years. 27. A Central Depository shall maintain a duly updated Systems and Procedures Manual covering the following areas, to ensure compliance with these Rules: (a) the organizational structure of the Central Depository identifying key functions and persons and their reporting structure: (b) operational procedures pertaining to a Central Depository covering the following areas at a minimum: (i) operational procedures pertaining to Central Depository systems/ functions;

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 43A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (ii) availability of any procedures on staff trades by Central Depository employees; and (iii) a procedure to handle complaints. (c) policies, standards and procedures : (i) sound and prudent policies, standards and procedures for managing technology risks; and (ii) review and update policies, standards and procedures regularly, taking into consideration the evolving technology and cyber threat landscape. (c) management of third party services : (i) a Central Depository shall asses and manage its exposure to technology risk that may affect confidentiality, integrity and availability of the information technology systems and data before entering into a contractual agreement or partnership with third parties; and (ii) a comprehensive information technology security awareness training program shall be established to maintain a high level of awareness among all staff of the Central Depository. (d) data and infrastructure security : develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorized access, modification, copying or transmission of its confidential data. (e) user access management : establish a user access management process covering provisions relating to change and the revocation of access rights. (f) network security : deploy effective security mechanisms to protect information assets (eg: firewall), network access controls. (g) cyber security : establish a security operations center or acquire managed security services (the processes, roles and responsibilities for security operations should be defined). (h) system backup and recovery : establish a system backup and recovery strategy and develop a plan to perform regular backups.

44A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (i) investor education and communication : measures to raise awareness among investors on the security best practices and terms and conditions that investors should adhere to when using online services. (j) incident management : establish an incident management framework with the objective of restoring an affected information technology service or system to a secure and stable state as quickly as possible to minimize the impact to the business and the investors. 28. A Central Depository shall have sufficient and appropriate processes to ensure the functions of legal and enforcement, compliance, surveillance, supervision of Depository Participants, information technology, finance and administration, internal audit and risk management are carried out. Rules of a Central Depository 29. A Central Depository in addition to the requirements stipulated in Section 55 of the SEC Act, shall make provision for the following in preparing its rules: (a) eligibility of an entity to become a Depository Participant; (b) correspondence between the Central Depository and the Depository Participants; (c) opening/suspending/closing of Securities Accounts; (d) transfer of Securities held in Securities Accounts; (e) forwarding account statement to Securities Account Holders; (f) risk management requirements for Depository Participants; and (g) enforcement and disciplinary procedures for Depository Participants. Depository Participants of a Central Depository 30. In admitting Depository Participants, a Central Depository shall ensure at a minimum that such Depository Participants: (a) are body corporates; (b) have high business integrity; (c) are of good financial standing; (d) meet the minimum financial requirements stipulated in the Rules of a Central Depository; and (e) meet the minimum standards stipulated in the Rules of a Central Depository. 31. A Central Depository shall execute a detailed written agreement between the Central Depository and the Depository Participant inclusive of rights and obligation of each party and dispute resolution mechanism. 32. Every Central Depository shall ensure that its Depository Participants:

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 45A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 (a) comply with rules applicable to Depository Participants; and (b) initiate timely disciplinary action and take suitable action for any contravention or failure to comply with the provisions of the SEC Act. Appointment of directors of the Central Depository 33. The appointment of directors of a Central Depository shall be in conformity with Section 68 of the SEC Act. Governance of a Central Depository 34. A Central Depository shall have a board charter that inter alia includes a code of conduct for the board of directors and demarcate the responsibilities between its board of directors and the management. 35. A Central Depository shall have, at a minimum the following sub-committees of the board of directors: (a) a risk and audit committee; (b) a remuneration committee; and (c) a nomination committee. Human resources of a Central Depository 36. A Central Depository shall have an organizational structure with clearly defined responsibilities and authority for each category of employees. 37. ACentral Depository shall have suitably qualified personsfor the following positions: (a) Chief Executive Officer (CEO); (b) Chief Regulatory Officer (CRO); (c) Head of Compliance; (d) Head of Legal; (e) Head of Finance; and (f) Head of Information Technology. Commission approval to engage in other businesses 38. A Central Depository shall disclose to the Commission all other business activities it is engaged in at the time of applying for its licence and inform the Commission in writing prior to engaging in any other business activity after obtaining a licence from the Commission. 39. A Central Depository shall not engage in any other business which in the view of the Commission creates a conflict of interest unless prior written approval of the Commission is obtained. 40. In the conduct of any such other business activity, a Central Depository shall ensure that proper processes are in place to have a clear demarcation of the different functions pertaining to such businesses. Maintenance of records 41. A Central Depository shall maintain the following records: (a) records pertaining to transaction history of each Securities Accounts of Securities Account Holders; (b) correspondence with Depository Participants; (c) comprehensive written records pertaining to disciplinary actions initiated against Depository Participants; (d) a comprehensive written record of all complaints received/disputes and action taken thereon by the Central Depository; and (e) any other record the Commission requires the Central Depository to maintain from time to time.

46A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 42. All of the above records shall be retained by the Central Depository for a period of six (6) years. 43. ACentral Depository shall ensure confidentiality of all information relating to Securities Account Holders unless such disclosure is required by law. Keeping of books and furnishing of returns 44. A Central Depository shall: (a) maintain or cause to be maintained, such accounting records and other books as will truly reflect the transactions and financial position of its business and enable the preparation of a true and fair income statement and a statement of financial position in keeping with the Sri Lanka Accounting Standards adopted by the Institute of Chartered Accountants of Sri Lanka; (b) maintain or cause to be maintained such accounting records and other books in such manner as will enable them to be accurately audited; and (c) retain such accounting records or other books for a period of not less than six (6) years. Duty to furnish information and co-operate with auditors appointed by the Commission 45. Where the Commission having considered that it is in the interest of the Central Depository or those of its Depository Participants, appoints an independent auditor or such other person or a body of persons to examine, audit and report either generally or in relation to any particular matter, it shall be the duty of such Central Depository: (a) to produce any books, accounts and records of any assets held by the Central Depository relating to its business; (b) to produce any records of any systems, processes or procedures adopted by the Central Depository relating to its business; (c) to provide all information within its knowledge or which it is capable of obtaining; and (d) to ensure that all the information which is furnished to the auditor or independent auditor as the case may be is not false or misleading in any material particulars. 46. A Central Depository shall not destroy, conceal or alter any records, property or books relating to the business of the Central Depository which are in its possession or under its control with the intention of defeating, preventing, delaying or obstructing the carrying out of any examination. Submission of information to the Commission 47. A Central Depository shall furnish such returns and provide such information relating to its business as the Commission may require from time to time. 48. The Commission may determine that any information required herein shall be submitted within such period at such intervals in such manner or in such form as the Commission may specify and the Central Depository shall comply with such requirements. Trading by employees 49. In the event of trading by employees of a Central Depository, order instructions pertaining to such trades shall not be forwarded to a Stock Broker unless the order is authorized in writing by the chief executive officer or the compliance officer of the Central Depository.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 47A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Compliance manual 50. A Central Depository shall have an internal compliance manual applicable to its directors and employees which shall include amongst others adequate compliance procedures and practices as set out in Schedule IV of these Rules. Regulatory compliance and internal controls 51. The compliance officer on behalf of the Central Depository shall make a quarterly compliance report which shall include amongst others the contents specified in Schedule V of these Rules approved by the board of directors and signed by the chief executive officer and a director confirming compliance with the provisions of the SEC Act, the criteria set out herein, any other rules or directives issued by the Commission from time to time and the Financial Transactions Reporting Act, No. 06 of 2006 where applicable and forward the same to the Commission, before the twentieth (20th) day of the following month. However, in the event any non-compliance or breach is detected, the compliance officer shall immediately report such matter to the board of directors for rectification, and inform the Commission within a period of twenty-eight (28) days from the date on which the board of directors were informed as to the steps that have been taken by the board of directors to rectify such non-compliance. 52. A Central Depository shall have a fair and transparent complaint handling procedure to ensure the best interest of the Depository Participants and the public and shall maintain procedures to ensure that complaints received in relation to the conduct of Depository Participants are handled in a timely and effective manner. 53. A Central Depository shall adhere to the Know Your Client (KYC) and due diligence procedures specified by the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka from time to time. Notification on the happening of certain events 54. Without prejudice to the generality of the duties imposed under the SEC Act, in the event of any one or more of the following events occur, a Central Depository shall forthwith provide written notice to the Commission: (a) the Central Depository is in the course of being wound up or otherwise dissolved whether within or outside Sri Lanka or where a receiver, liquidator or an equivalent person has been appointed in respect of any property of the Central Depository; (b) the Central Depository is unable to carry its functions of a Central Depository; (c) the Central Depository has failed to comply with the provisions of the SEC Act, Rules relating to Fitness and Propriety of a Key Management Person of a Market Institution and the Rules specified herein or any other directive issued by the Commission from time to time; (d) any information or document furnished to the Commission is false or misleading or there is any change in any information contained in a document furnished to the Commission; (e) any execution against the Central Depository in respect of a judgment debt has been returned unsatisfied in whole or in part; (f) the Central Depository whether within or outside Sri Lanka has entered into a compromise or scheme of arrangement with its creditors being a compromise or scheme of arrangement; (g) a Key Management Person has been convicted of any offence involving fraud or dishonesty or a violation of securities law within or outside of Sri Lanka; and/or (h) a Key Management Person of the Central Depository becomes an undischarged bankrupt.

48A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Cancellation of a licence 55. The cancellation of a licence granted to a Central Depository shall be governed by the provisions contained in Sections 57 and 58 of the SEC Act. Licence of a Central Depository deemed to be revoked 56. A licence of a Central Depository shall be deemed to be revoked if the company to whom a licence has been granted is wound up or otherwise dissolved. SCHEDULE I Declaration by the Applicant To: Chairman Securities and Exchange Commission of Sri Lanka Level 28 & 29, East Tower World Trade Center Echelon Square, Colombo 01, Sri Lanka. In consideration of being licensed to operate as (type of market institution), we (name of the applicant entity) being duly incorporated and having our registered office/principal place of business at….................(address)........…..hereby undertake and agree:

1. to be licensed at the sole discretion of the Commission and for such period as may be determined by the Com￾mission; and
2. to be bound by the applicable laws, rules, regulations and directives of the Commission as amended or replaced from time to time. We further declare that no finding has been made against the applicant entity by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence or any other act which involves fraud, deceit, dis￾honesty, misrepresentation, breach of contract or breach of fiduciary duty and that the statements made and information provided along with the application are true and accurate to the best of our knowledge. Given under the common seal of the entity on this….................day of.............….in the presence of ……………………… (Name) Director ……………………….. (Name) Director/Secretary or, Signed by the duly authorized signatories of the entity on this................….day of….............. ………………… (Name) Authorized Signatory Note: Please attach a certified true copy of the board resolution/Power of Attorney in proof of such authority.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 49A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE II Fitness and Propriety of a Key Management Person of a Market Institution General interpretation 1. The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall unless the context so requires have the same meaning assigned to them in the said Act: “Commission” means the Securities and Exchange Commission of Sri Lanka established in terms of the SEC Act; “Key Management Person” means directors (executive or otherwise) and shall include alternate directors, a chief executive officer, compliance officer and persons having authority and responsibility for planning, directing and controlling the activities of a company/entity either directly or indirectly; “Market Institution” shall have the same meaning as defined in Section 188 of the SEC Act; “SEC Act” means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021. Submission of an affidavit to the Commission 2. No individual shall be appointed, elected, nominated or continue to serve as a Key Management Person of a Market Institution unless that individual is a fit and proper person to hold such office in such entity as morefully described in these Rules. 3. An individual proposed to be appointed, elected or nominated or who intends to continue to serve in the capacity of a Key Management Person, shall submit an affidavit to the Commission affirming that such person is not subject to any of the infirmities morefully described in these Rules prior to such individual being appointed and at the time a Market Institution seeks a licence. 4. The information contained in the affidavit shall not be misleading or vague and shall contain a statement that the contents are true and accurate. 5. Adherence to these Rules shall be a continuous requirement and the compliance officer of a Market Institution shall immediately inform the board of directors of any matter that may disqualify the appointment or the continuation in office of a Key Management Person and the board of directors shall immediately notify the Commission the decision made in respect of such matter.

50A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Honesty, integrity and reputation 6. The Key Management Person shall not: (a) be a person who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence; (b) be a person who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of a capital market offence or against whom an offence has been compounded in terms of the SEC Act during a period of three (3) years immediately preceding the date of the application; (c) have been a Key Management Person of a body corporate who has been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence or capital market offence having proved to have been committed with the knowledge or involvement or negligence attributable to such person; (d) be a person who has been subject to an administrative sanction by the Commission during a period of three (3) years immediately preceding the date of the application; (e) be a Key Management Person of a company, partnership or other organization whose licence has been suspended or cancelled by the Commission for violating any provision of the SEC Act or any rules or regulations made thereunder; (f) be a person who has been censured, disciplined, suspended or refused membership or registration by the Commission and any other regulatory authority in Sri Lanka or elsewhere during a period of three (3) years immediately preceding the date of the application; (g) be a person against whom a finding has been made by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad that such individual has committed any act which involves fraud, deceit or dishonesty; (h) be a person who has been disqualified from acting as a director of a company, or has been dismissed or requested to resign from any position or office due to mismanagement of funds or the commission of financial fraud by the Commission, any other regulatory body or professional body; (i) be a person against whom an inquiry and/or investigation by the Commission and/or any other regulatory/professional body in Sri Lanka or elsewhere is presently pending for the commission of suspected capital market offences or any matter that involves fraud, deceit or dishonesty; and/or (j) be a person who has contravened any written law enacted for the protection of the members of the public against financial loss due to dishonesty or malpractice of such person.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 51A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 Financial soundness 7. The Key Management Person shall not: (a) have proceedings instituted to be declared bankrupt or have been declared bankrupt and/or had assets sequestered; (b) have been subject to any judgment debt or award in Sri Lanka or abroad that remains unpaid in whole or in part; and/or (c) have been a person of a company in a position that exercises significant influence in a company that: (i) has been subject to any judgment debt or award in Sri Lanka or abroad that remains unpaid in whole or in part; or (ii) has in Sri Lanka or abroad, made any arrangements in composition with its creditors, filed for bankruptcy, been declared bankrupt, had assets sequestered, involved in winding-up proceedings ordered by a court of law or been involved in proceedings relating to any of the foregoing. Competence and capability 8. The Key Management Person shall: (a) not have been declared by a court of competent jurisdiction in Sri Lanka or abroad to be of unsound mind; (b) possessthe qualificationsrequired to provide the servicesfor which a licence has been sought/obtained from the Commission; (c) have satisfied the relevant training and competence requirements in relation to the regulated function the person performs or intends to perform; (d) demonstrate by experience that the chief executive officer, the chiefregulatory officer and the compliance officer are suitable or will be suitable if approved to perform the regulated functions; (e) possess adequate time to perform the regulated function and meet the responsibilities associated with that function;and/or (f) have not contravened any written law enacted for the protection of the members of the public against financial loss due to incompetence of such person.

52A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE III Specimen of an Affidavit for Fitness and Propriety of a Key Management Person of a Market Institution I, ___________________________________________________ [Full name] holder of NIC No./Passport No. (In the case of a foreign national) ___________of __________________________ [Address], being a [Buddhist/ Hindu/Muslim do hereby solemnly, sincerely and truly declare and affirm]/[Christian/Catholic make oath and swear as follows]:

1. I am the [affirmant/deponent] above named.
2. I affirm/state that I am a ____________ [Designation] of _________________________________ [Name of the applicant entity].
3. I affirm/state that I possesssuitable academic and/or professional qualification(s) to perform the prescribed duties which I am engaged in.
4. I affirm/state that I have not been found guilty/held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence.
5. I affirm/state that I have not been a Key Management Person of a body corporate which has been found guilty/ held responsible by a court of law in Sri Lanka or abroad for the commission of any criminal offence/capital market offence, proved to have been committed with the knowledge or involvement or negligence attributable to me.
6. I affirm/state that I am not a person against whom an offence has been compounded in terms of the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 (SEC Act) nor an administrative sanction has been imposed by the Commission during a period of three (3) years immediately preceding the date of this affidavit.
7. I affirm/state that I have not been a Key Management Person of a company, partnership or other organization whose licence has been suspended or cancelled by the Commission for violating any provision of the SEC Act, any rules or regulations made thereunder.
8. I affirm/state that I have not been a person who has been censured, disciplined,suspended or refused membership or registration by the Commission or any other regulatory authority in Sri Lanka or abroad during a period of three (3) years immediately preceding the date of this affidavit.
9. I affirm/state that I have not been a person who has been disqualified by the Commission or any other regulatory body or professional body from serving as a director of a company, or has been dismissed or requested to resign from any position or office due to mismanagement of funds or the commission of a financial fraud.
10. I affirm/state that I am not a person against whom an inquiry and/or an investigation by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad is presently pending, for the commission of suspected capital market offences or any act which involves fraud, deceit or dishonesty or that a finding has been made by the Commission or any other regulatory/supervisory authority/professional body in Sri Lanka or abroad that I have committed any act which involves fraud, deceit or dishonesty.
11. I affirm/state that I have not contravened any written law enacted for the protection of the members of the public against financial loss by dishonesty, incompetence or malpractice.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 53A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 The averments contained herein were read over to the [affirmant/deponent] who having understood the contents hereof and having accepted same as true, [affirmed/swore] to and placed his/her signature at …………. on this …………… day of ………………… Affix stamps as applicable Before me Justice of the Peace/Commissioner for Oaths. 12. I affirm/state that no proceedings have been instituted in a court of law in Sri Lanka or abroad requesting that I be declared bankrupt or that I have not been declared bankrupt and that my assets have not been sequestered. 13. I affirm/state that I have not been subject to any judgment debt or award in Sri Lanka or abroad that remains unpaid in whole or in part. 14. I affirm/state that I am not a person/a director of a company or a shareholder in a position that exercises significant influence in a company that: (a) has been subject to any judgment debt or award in Sri Lanka or abroad, that remains unpaid in whole or in part; or (b) has in Sri Lanka or abroad made any arrangements in composition with its creditors, filed for bankruptcy, been declared bankrupt, had assets sequestered, involved in winding-up proceedings ordered by a court of law or been involved in proceedings relating to any of the foregoing. 15. I affirm/state that I have not been declared as a person of unsound mind by a court of competent jurisdiction in Sri Lanka or abroad. 16. I affirm/state that I have the relevant training, competence and expertise in the nature of the business being conducted by the entity. 17. I affirm/state that I have the suitable experience to perform the regulated function. 18. I affirm/state that I have adequate time to perform the regulated functions and meet the responsibilities associated with such function of the entity. 19. I affirm/state thatI have the technical knowledge and ability to perform the prescribed duties which I am engaged in, especially recognised professional qualifications and membership of relevant professional institutions. 20. I affirm/state that I have not contravened any written law enacted for the protection of the members of the public against financial loss due to my incompetence. 21. I affirm/state that all of the above are true and accurate to the best of my knowledge.

54A I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE IV Minimum Requirements of an Internal Compliance Manual

1. Conflicts of Interest: (a) a mechanism to monitor and identify conflicts of interestsituations and stepsto addresssuch situations in a timely manner; (b) procedures to prevent or control the exchange of information between persons engaged in activities that give rise to a risk of a conflict of interest; (c) procedures for the prevention or limitation of any person from exercising undue influence over the manner in which a relevant person carries out services or activities; (d) ensure that it does not carry out any activities, which could cause a conflict of interest with its Central Depository functions; (e) a transparent and non-discriminatory criteria for the admission of Depository Participants; (f) a procedure to ensure that the Central Depository does not engage in transactions with related parties in a manner that would grant such parties more favorable treatment than that accorded to third parties in the ordinary course of business; and (g) measures ensuring that the entity acts in the best interest of the public.
2. Corporate Governance: (a) composition of the board of directors, availability of its subcommittees in accordance with these Rules; (b) a code of conduct and ethics, good business practices and the requirement to follow just and fair principles in the conduct of its business; (c) requirement to comply with the SEC Act, applicable rules and regulations introduced by the Commission in respect of Central Depositories; (d) requirement to implement sound financial and business reporting structure; (e) requirement to segregate assets of the Depository Participants from those of the Central Depository; (f) requirement to segregate securities of the Securities Account Holders from those of the Depository Participants; and (g) requirement to ensure compliance with Fitness and Proprietary of a Key Management Person of a Market Institution issued by the Commission from time to time.
3. Internal controls and Risk Management: (a) the availability of sound internal controls and risk management policies and processes; (b) the availability of internal audit systems; (c) regular review of the adequacy and effectiveness of financial, operational and compliance controls; and (d) regular review of the adequacy and effectiveness of risk management policies and procedures.

I fldgi ( ^I& fPoh - YS% ,xld m%cd;dka;s%l iudcjd§ ckrcfha w;s úfYI .eiÜ m;%h - 2022'03'15 55A Part I : Sec. (I) - GAZETTE EXTRAORDINARY OF THE DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA - 15.03.2022 SCHEDULE V Minimum Matters to be Disclosed in a Compliance Report

1. Confirmation that the business has been conducted in conformity with the: (a) Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021; (b) Rules issued by the Commission; (c) Rules of a Central Depository pertaining to a Central Depository; and (d) Rules and Regulations of the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka including rules and regulations pertaining to Anti Money Laundering.
2. If not: (a) provide information as to the nature of the non-compliance or breach; (b) action taken to prevent or mitigate the non-compliance or breach; and (c) the outcome.
3. Whether any Suspicious Transaction Reports (STRs) have been generated. If so: (a) the number generated and submitted to the FIU; and (b) outcomes if any. PRINTED AT THE DEPARTMENT OF GOVERNMENT PRINTING, SRI LANKA. EOG 03-0882/3