2025-01-01 | JPRF-S-2025-0152

The Financial Policy and Regulation Board of Ecuador issued Resolution JPRF-S-2025-0152 to formally incorporate Chapter XVIII, establishing a regulatory framework for Insurance Technology Service Entities within the Private Insurance System. This resolution defines these entities, outlines their required qualifications and operational guidelines, and mandates the implementation of risk management systems aligned with international best practices. The regulation aims to ensure financial stability, digital security, and transparency while integrating fintech innovations into the supervised insurance market.

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Red Block, 8th floor | Postal Code: 170507 | Quito - Ecuador

Resolution No. JPRF-S-2025-0152

THE FINANCIAL POLICY AND REGULATION BOARD

CONSIDERING:

That, Article 82 of the Constitution of the Republic of Ecuador prescribes that the right to legal security is based on respect for the Constitution and the existence of prior, clear, public, and applied legal norms by competent authorities;

That, Article 84 of the Supreme Norm prescribes that every body with regulatory power shall have the obligation to formally and materially adapt laws and other legal norms to the rights provided for in the Constitution;

That, number 6 of Article 132 of the Magna Carta grants public regulatory bodies the authority to issue general norms in matters within their competence, without altering or innovating legal provisions;

That, Article 213 of the aforementioned norm defines superintendencies as technical bodies for surveillance, auditing, intervention, and control of economic activities and services provided by public and private entities, with the purpose that these activities and services comply with the legal framework and attend to the general interest. Superintendencies shall act ex officio or upon citizen request. The specific powers of the superintendencies and the areas requiring control, auditing, and surveillance of each shall be determined according to law;

That, Article 226 ibidem provides that State institutions, their bodies, dependencies, public servants, and persons acting by virtue of a state power shall exercise only the competencies and powers attributed to them in the Constitution and the law, having the duty to coordinate necessary actions for the effective fulfillment of rights recognized in the Constitution;

That, Article 227 ibidem determines that public administration constitutes a service to the community governed by the principles of effectiveness, efficiency, quality, hierarchy, decentralization, coordination, participation, planning, transparency, and evaluation;

That, Article 308 ibidem indicates that financial activities are a matter of public order and may be exercised, with prior authorization from the State, in accordance with the law;

That, the article enumerated following Article 6, which incorporates international best practices, of the Organic Code of Monetary and Financial Affairs, Book I, prescribes that bodies with regulatory, normative, or control capacity shall seek to adopt as a reference framework international technical standards related to the scope of their competence for the issuance of regulations and the exercise of their functions, strictly adhering to the normative hierarchy established in the Constitution of the Republic of Ecuador;

That, Article 13 of the Organic Code of Monetary and Financial Affairs, Book I, created the Financial Policy and Regulation Board, part of the Executive Function, as a public law legal entity, with administrative, financial, and operational autonomy, responsible for formulating credit, financial, securities, insurance, and prepaid comprehensive health care service policy and regulation;

That, Article 14 ibidem, in numbers 1, 2, and 3, provides that it corresponds to the Financial Policy and Regulation Board within its scope of competence to formulate insurance policies; issue regulations that allow maintaining the integrity, solidity, sustainability, and stability of the insurance system; and, also, issue micro-prudential regulations for the insurance sector;

That, Article 14.1 numbers 1, 7, 9, 14 letter b, 15 letters a and b, 17, 25, and 27 of the aforementioned Organic Code of Monetary and Financial Affairs, Book I, establish that it corresponds to the Financial Policy and Regulation Board, among other powers, the following: i) regulate the creation, constitution, organization, activities, operation, and liquidation of insurance entities; ii) issue the prudential regulatory framework to which insurance entities must adhere; iii) issue the non-prudential regulatory framework for all insurance entities, which will include, among others, transparency and information disclosure norms; iv) authorize insurance entities for new activities or operations that, while not prohibited, are necessary for the fulfillment of insurance policy objectives in accordance with the regulations issued for this effect; v) establish within the framework of its competencies any measure that helps prevent and eradicate fraudulent and prohibited practices, including money laundering and the financing of crimes such as terrorism, considering current and applicable international standards and protecting the privacy of individuals regarding the dissemination of their personal information, as well as information; vi) issue norms regulating insurance and reinsurance; vii) apply the provisions of said organic code and resolve cases not foreseen in it, within its scope of competence; and, viii) exercise the other functions, duties, and powers assigned to it by the Organic Code of Monetary and Financial Affairs and the law;

That, number 1 of Article 25.1 ibidem prescribes, as one of the functions of the Technical Secretariat of the Financial Policy and Regulation Board, the elaboration of technical and legal reports that support the regulation proposals to be issued by the Financial Policy and Regulation Board;

That, General Provision Twenty-Ninth of the Organic Code of Monetary and Financial Affairs, Book I, prescribes: “In existing legislation where reference is made to the 'Monetary and Financial Policy and Regulation Board', replace with 'Financial Policy and Regulation Board.'”;

That, Transitory Provision Fifty-Fourth of the aforementioned code determines the transitional regime of resolutions of the Codification of the Monetary and Financial Policy and Regulation Board, establishing that: “(...) Resolutions contained in the Codification of Monetary, Financial, Securities, and Insurance Resolutions of the Monetary and Financial Policy and Regulation Board and norms issued by control bodies will remain in effect until the Monetary Policy and Regulation Board and the Financial Policy and Regulation Board resolve what corresponds, within their scope of competencies.”;

That, the Organic Law for the Development, Regulation, and Control of Technological Financial Services (Fintech Law), published in the Official Register Supplement No. 215 of December 22, 2022, states in its Article 1 that its object is to regulate Fintech Activities related to all financial activities, including the insurance market; it also indicates in its Article 5 that Fintech Activities imply the development, provision, use, or offer of insurance technology services, among others;

That, Article 8 of the Fintech Law stipulates that fintech companies will be regulated by the Financial Policy and Regulation Board;

That, the aforementioned organic law incorporates into the Organic Code of Monetary and Financial Affairs, Book III “General Insurance Law” a series of articles that determine duties and attributions to the Financial Policy and Regulation Board;

That, Article 2 of the Organic Code of Monetary and Financial Affairs, Book III “General Insurance Law” details the members of the private insurance system, among which are insurance technology service entities;

That, Article 8.1 of the aforementioned norm establishes that insurance technology service entities are companies that develop technology-centered activities for the referred market, detailing that they are the following:

“1. Alternative transaction systems: Virtual platforms for the promotion and commercialization of insurance;

2. Infrastructure for the insurance market. Customer and risk profile evaluation, fraud prevention, identity verification, big data analytics, business intelligence, cybersecurity, and electronic contracting.

3. Blockchain. Developers of blockchain-based solutions for the insurance market.

4. Others that may be determined by the Financial Policy and Regulation Board.”;

That, Article 8.5 of the cited organic code states that the Financial Policy and Regulation Board shall be the body responsible for establishing the definition and actions comprising the operations carried out by insurance technology service entities;

That, through Letter No. JPRF-JPRF-2024-0358-O of December 10, 2024, this Board formally requested from the Financial and Economic Analysis Unit the report regarding money laundering related to the proposed norm for insurance technology service entities;

That, through Letter No. UAFE-UAFE-2025-0028-O of February 12, 2025, the Financial and Economic Analysis Unit presented the “Non-Binding Technical Report on the Project of the Norm Regulating Insurance Technology Service Entities Issued by the Financial Policy and Regulation Board”; this technical contribution concluded that "the money laundering risk is considered low since they function mainly as intermediaries between the client and insurance companies"; fulfilling what is prescribed in Article 7 of the Regulation to the Organic Law for the Development, Regulation, and Control of Technological Financial Services (Fintech Law) which indicates that the Financial Policy and Regulation Board must have the technical contribution of the Financial and Economic Analysis Unit for the issuance of corresponding regulations with the object of preventing money laundering and the financing of crimes;

That, Article 15 of the Organic Administrative Code, with reference to the principle of responsibility, provides that the State shall respond for damages as a consequence of the lack or deficiency in the provision of public services or the actions or omissions of its public servants or subjects of private rights acting in the exercise of a public power delegated by the State and its dependents, controlled or contractors, with the State making effective the responsibility of the public servant for intentional or negligent acts or omissions, stating that no public servant is exempt from responsibility;

That, the Technical Secretary of the Financial Policy and Regulation Board, through Memorandum No. JPRF-ST-2025-0031-M of April 25, 2025, sends to the President of the Board the Technical Report No. JPRF-CTVS-2025-004 of April 25, 2025, issued by the Technical Coordination of Policy and Regulation of the Securities and Insurance System; as well as the Legal Report No. JPRF-CJF-2025-017 of April 25, 2025, issued by the Legal Coordination of Financial Policy and Norms of this Board, as well as the respective resolution project;

That, the Financial Policy and Regulation Board, in an ordinary session held by technological means, convened on April 25, 2025, and carried out via video conference on April 30, 2025, reviewed the Memorandum No. JPRF-ST-2025-0031-M of April 25, 2025, issued by the Technical Secretary of the Board; as well as the aforementioned Technical Report No. JPRF-CTVS-2025-004 and Legal Report No. JPRF-CJF-2025-017, in addition to the corresponding resolution project;

That, the Financial Policy and Regulation Board, in an ordinary session held by technological means, convened on April 25, 2025, and carried out via video conference on April 30, 2025, reviewed and approved the following Resolution; and,

In exercise of its functions,

RESOLVES:

ARTICLE FIRST.- Incorporate Chapter XVIII “Norm that regulates insurance technology service entities”, Title II “On the Constitution, Organization, Activities and Functioning”, Book III “Private Insurance System” of the Codification of Monetary, Financial, Securities, and Insurance Resolutions, in the following terms:

“CHAPTER XVIII: NORM THAT REGULATES INSURANCE TECHNOLOGY SERVICE ENTITIES

SECTION I: OBJECT, SCOPE OF APPLICATION, DEFINITIONS AND PRINCIPLES

Art. 1.- Object.- This norm aims to establish a regulatory framework for activities inherent to insurance technology service entities defined in the Organic Law for the Development, Regulation, and Control of Technological Financial Services “Fintech Law”, which entail financial risk, determining their operations, guidelines for their adequate deployment; as well as establishing guidelines for the mitigation of associated risks.

Art. 2.- Scope.- This norm shall apply to insurance technology service entities, whose activities and operations entail financial risk.

Art. 3.- Definitions.- For the purposes of this norm, the following definitions are established:

Corporate governance code: It is a set of guiding principles and guidelines for the organizational structure, roles, and responsibilities within an entity, based on management best practices, promoting transparency, accountability, and equity in decision-making to protect the interests of shareholders, directors, employees, and other stakeholders.

Fundamental processes: It is an ordered sequence of key activities necessary for an insurance company to operate and fulfill the purpose of its business scope.

Sensitive processes: They represent those activities crucial for the operation of an insurance company whose failure could jeopardize financial sustainability and efficient operational capacity.

Infrastructure: Set of technological and/or physical resources that guarantee a secure, efficient, and effective operation composed, at least, of hardware, software, networks, connectivity, and necessary security measures for information management and protection; and, if applicable, the facilities and essential equipment for the physical and operational support of activities.

Probability: It is the possibility that a risk event occurs in a given period of time.

Product manager: It is the leader of the comprehensive development of new products and services, whose role is to safeguard the adequate functionality and quality of services provided by insurance technology service entities, ensuring that technological solutions meet market expectations, offer an excellent user experience, and comply with current regulations.

Inherent risk: It is the level of risk inherent to the activity, without taking into account the effect of implemented controls.

Residual risk: It is the resulting level of risk after applying controls.

Severity: It is the magnitude or impact that a risk would have if it were to occur.

Financial sustainability: It refers to the capacity of an insurance company to maintain sufficient assets to meet its obligations to policyholders and other stakeholders, also guaranteeing an adequate level of equity, liquidity, and profitability that allows continuous operation and sustainable growth.

Emerging technologies: Those innovations that are on the verge of becoming predominant and have the potential to have a great impact on society.

Advanced technologies: Represent technologies that have already reached a high level of development and sophistication, are widely adopted and used in various industries due to their proven effectiveness and efficiency.

Art. 4.- Principles.- Insurance technology service entities shall be governed by the following principles:

a) Transparency: Provide information on products and services, in a clear, complete, and understandable manner;

b) Digital Security: Protect networks, systems, and data against unauthorized access and digital threats, guaranteeing their confidentiality, integrity, and availability;

c) Continuous Innovation: Foster continuous improvement and the adoption of new technologies to offer efficient and effective solutions in the insurance sector;

d) Proportionality: Implement control and risk mitigation measures that are appropriate to their operations and activities; and,

e) Service Quality: Provide technology services supported by robust, efficient, and secure systems.

SECTION II: QUALIFICATION, AUTHORIZATION, AND OPERATIONS OF INSURANCE TECHNOLOGY SERVICE ENTITIES

Art. 5.- Qualification and authorization for operation.- Insurance technology service entities must be constituted and formed in accordance with what is established in the Fintech Law. Once constituted, they must be qualified by the Superintendence of Companies, Securities, and Insurance (SCVS); the requirements, as well as technical and financial parameters necessary for qualification, must be duly established by the SCVS, and consider, at least, the following aspects:

a) That its corporate object is clearly defined and corresponds to one of the activities determined for insurance technology service entities in the Fintech Law;

b) That they have the capital and infrastructure necessary to deploy the operations they intend to carry out;

c) That they have a corporate governance code; and,

d) That the organizational structure includes the roles of product manager and risk management.

Once compliance with requirements, as well as technical and financial parameters established by the SCVS, is verified, the same shall proceed to authorize their operation; the control norm that the SCVS must issue for these purposes will include the pertinent items regarding the suspension or revocation of the operation authorization and the corresponding sanctioning framework.

Art. 6.- Financial risk technology services.- Those services provided by insurance technology service entities whose operations are framed within what is established in this norm, and focus directly on sensitive and fundamental processes, with potential capacity to impact the flow and financial sustainability of insurance companies, shall be considered.

Art. 7.- Guidelines for the operations of insurance technology service entities.- Insurance Technology Service Entities, in their operations, must align with the following criteria:

a) Services related to the functions of: i) prospecting, marketing, and commercialization; ii) underwriting; iii) actuarial; and/or, iv) claims and indemnification; and,

b) Use of advanced and/or emerging technologies that promote continuous improvement, add value to both clients and insurance companies, and are oriented towards: i) the creation of new business models, ii) the improvement of customer experience, iii) the personalization of services, or iv) the optimization of processes and functionalities related to the insurance business scope, within the framework of activities established in Article 8.1 of the Fintech Law.

Art. 8.- Operations of insurance technology service entities.- Operations must adhere to what is established in this norm, particularly regarding financial risk technology services, as well as the guidelines for the operations of insurance technology service entities. The contemplated operations include, without being limited solely to them, the following:

8.1. Sale of insurance;

8.2. Tariff optimization;

8.3. Evaluation and selection of risk profiles;

8.4. Product design and development;

8.5. Prevention of losses associated with the business scope; and,

8.6. Claims management.

SECTION III: ON RISK MANAGEMENT

Art. 9.- Risk management.- Insurance technology service entities must implement a risk management system consistent with their activities and aligned with international best practices; the risk management system must consider the stages of identification, measurement, control, and monitoring, as well as adhere to the principle of proportionality.

a) Identification.- It is a continuous and systematic process, whose purpose is to analyze the internal and external context of the entity to identify the most relevant risk exposures. This process must focus on recognizing, analyzing, and understanding the specific risks of the business scope, as well as the risks associated with the intensive use of technology by insurance technology service entities. Entities that develop technological activities for the insurance system must adopt an integral and proactive vision of the risks to which they are exposed. Risk identification must include, at a minimum, the following aspects:

i. Analysis of the Internal and External Environment;

ii. Survey, mapping, and documentation of processes;

iii. Determination of threats and vulnerabilities;

iv. Classification and categorization of risks;

v. Prioritization and documentation of risks; and,

vi. Continuous risk updating.

b) Measurement.- Once risks are identified, they must be evaluated by establishing the probability and severity of each. The methodology and measurement tools used must be of recognized technical value and be adequate to the complexity of the operations and the risk levels assumed by the insurance technology service entity. The entity must periodically verify the effectiveness of these tools to determine if they require updates or improvements.