Circular No. 1198: Regulatory Framework for Merchant Payment Acceptance Activities

.. BANGKO SENTRAL NG PILIPINAS '..*?**' OFFICE OF THE Go\IEPNOP Subject: Regulatory Framework for Merchant Payment ACce tance Act' 't' The Monetary Board, in its Resolution No. 806 dated 11 Jul 2024, ;^ d the following framework governing merchant payment acce tance activit' (NIPAA). Section I. The terms defined under Republic Act No. 11/27 or th N t' I Payment Systems Act INPSAl, the National Retail Payment System (NRPS) Framework, the Payment System Oversight Framewoi'k, and other rel t issuances of the Bangko Sentral shall be complemented b the f 11 definitions, which shall be included in the Manual of Peguletiois f P Systems (MopPS): ' OFFICE OF THE Go\IEPNOP CIRCULAR No. 1198 Series of 2024 GLOSSARY OF TERMS Merchant - for Section 503 of The MopPS, refei's to an end-user that avails of merchant payment acceptance activities. Merchant account - refers to a transaction account where funds from merchant payment acceptance activities are received by merchant. c. Merchant payment acceptance activities (MPAAl - refers to the set of services provided to a merchant to receive payment for sale of o0ds and/or services. In general, services include me I'chant acq uisition; providing the means to accept various payment instruments and collect, secure, transmit and process payment information; and providing support sei'vices related to the payment. Merchant acquisition - refers to the service of accepting and rocessin payment transactions on behalf of a merchant under an agreement, resulting in a transfer of funds to the merchant. e. Merchant fee - refers to the fee paid by the merchant to an o erator f a payment system for merchant acquisition services. Tl\is me be composed of merchant discount rate, scheme fees. rental and maintenance charges for terminals, among others a b d ...,..,. Page I of :2

Section 2. The following Sections shall be created in then/lopPS 503 Ops THAT ENGAGE IN MERCHANT PAYMENT ACCEPTANCE ACTIVITIES 503.1 Policy Statement. The Bangko Sentral reco nizes that e bl' merchants to accept different forms of payments for the sale of o0ds and/or services in a safe and efficient manner is vital in facilitatin the smooth flow of funds in the economy and contributin to the wide adoption of digital paymentsin the country. For digital pa merits to th ' , minimum standards and good practices must be established to: (i) safeguard the funds received from customers of merchants; and (Ii) protect the rights and interests of end-users (i. e. , mercha nts) that deal with operators of payment systems (Ops) that engage in merchant payment acceptance activities (MPAA). Pursuent to Republic Act No. 11/27, or the National Payment S stems A t (NPSA), the National Retail Payment System (NRPS) Framework, and the Payment System Oversight Framework, the Regulatory Framework f NIPAA ensures that Ops that engage in MPAA ado t coin governance structures and appropriate measures to effectiveIy inaria e risks attendant to their business model, includin risks r I t d t settlement, operations, information technology 11T), a nti-mone laundering a rid cou ritering terrorism and proliferation fine nc' (AMI. /'GTPF), and end-user protection. 503.2 Scope and Applicability. This policy covers any Ops en d ' intending to engage in NIPAA in the Philippines (Ops-NIPAA). For avoidance of doubt, NIPAA includes merchant acquisition services. As Ops, all Ops￾NIPAA shall comply with the pertinent provisions of this Section, and I , rules, and regulations applicable to Ops. ' ' An Ops is considered engaged in NIPAA in the Philippines if the Ops, merchant, or both are located in the Philippines. For Banks and Electronic Moneylssuers-Non-Bank Financial Inst't t' (EMI-NBFl), An Ops engaged in orintending to engage in NIPAAthat has a concurrent banking or EMI-NBFl license is expected to adhere to the more stringent requirements between the guidelines in this pollc and the applicable provisions of the Manual of Regulations for Banks (MopB) and the Manual of Regulations for Non-Bank Financial Institutions IMORNBFlj, as applicable, to satisfy the overall regulatory expectations of the Bangko Sentral. PART FIVE LICENSING AND REGISTRATION XXX xXx Page 2 of 12

Banks and EMI-NBFls engaged in NIPAA shall comply with the provisions on payments to merchants, pricing mecha nism, and reportorial requirements in this framework. ' For Ops-MPAA under the Regulotory Jurisdiction of Other Local o Foreign Authorities or Overseers of Payment Systems. An Ops-NIPAA that is under the regulatory jurisdiction of other local or forei n authorities or overseers of payment systems shall coin ply with the requirements of this framework, particularly the provisions on payments to merchants, pricin mechanism, and reportorial requirements. For the requirements in this Section that are also imposed b other local or foreign authorities or overseers of payment systems, the Ops-NIPAA in a submit to the Bangko Sentral proofs of compliance with the SImil requirements by said authorities. The Bangko Sentral may consider the documents submitted by the Ops-NIPAA in evaluating coin lience with requirements in this Section and direct the Ops~MPAA to submit additional docu merits to su bstantiate the proof of coin PIiance, as necessar . 503.3 Governance and Risk Management Measures A Iicable to Ops￾MPAA. Ops-NIPAA shall observe governance and risk mane eme t measures coinmensurate to the activities they perform, sub'ect to compliance with the requirements under Section 401 for Governance, Section 903.1 on Outsourcing, Section 903.2 on Information Technolo Risk Management 11TRM), Section 1003 on AML!'CTPF and Section 1103 on End- User Protection of the Manual. 503.4 Authority to Engage in Merchant Acquisition. An a uthorit from th Bangko Sentral must be obtained priorto engaging in merchant ac uisition in the Philippines. Regardless of the status of its coin lience with the registration requirement under Section 502 of this Manual, an Ops that intends to engage in merchant acquisition shall secure a Merchant Acquisition License (MAL) with the appropriate supervising department of the Bangko Sentral. An Ops granted with IvlAL by the Bangko Sentral, herein referred to as Ops￾IvlAL, is not required to register as Ops and is considered coin lient with the rules and regulations on the registration of Ops under Section 502 of this Alla n ual, The guidelines on application for I/IAL are set out in Appendix 503-I of this Manual. The appropriate supervising department of the Bangko Sentra! may request submission of additional documents and information durin the evaluation of the application for MAL. The application for rinAL shall be processed only upon receipt of the complete documents. Applyin for a I/IAL authorizes the Bangko Sentral to conduct onsite verification of the documents and/or representations stated in the application filed in connection with the license or authority applied for. Any misrepresentation in the documents submitted may be used as ground for denial of the IvlAL application. Banks and EMI-NBFls that intend to engage in merchant ac uisition as art of their normal or allowed business oper^tions need not apply for a se erate Page 3 of 12

license from the Bangko Sentral. Prior notification (Appendix 503-5) to the appropriate supervising department of the Bangko Sentral shall suffice. 503.5 Registration for Engagement in Other MPAA. An Ops en d ' intending to engage in MPAA other than merchant acquisition shall re 1ster with the Bangko Sentralin accordance with Section 502 of this Manual. 503.6 Capital Requirement. The minimum required ca ital for Ops-IvlAL shall be based on the following MAL categories: Category In case of application for license, the category shall be based on th expected average monthly value of collected funds to be transferred to merchants while engaged in merchant acquisition in the first twelve (12) months of operation by the Ops. The capital requirement shall be coin lied with on the date of application. A Average monthly value of collected funds transferred to merchants in the applicable period B When the average monthly value of collected funds transferred to merchants for two (2) consecutive calendar yea rs while operating as an Ops￾Iv!AL warrants a change in category, the corresponding minimum re uired capital shall apply. In case there is a need to increase the minimum re uir d capital PUTSuant to a change in category, the Ops-IvlAL shall coin I with the revised capital requirement within sixty (60) business days after the start of the calendar year. The minimum required capital shall be computed as paid-in ca itel sto k plus additional paid-in capital, deposit for stock subscription, retained earnings, and undivided profits, less intangible assets. For Ops-AllALthat are banks and EMI-NBFis, the minimum re u'r d 't I shall be the highest among: (a) the required minimum capitalization for banks depending on bank category, (b) the required minimum capitalization based on EMI category, or (c) the minimum capitalization under the categories in this Subsection, as applicable. 503.7 Governance for Merchant Acquisition Services. For Ops-IVIAL, th following provisions shall govern merchant acquisition services: a. Merchant Management. An Ops-MAL shall have prudent mercha t payment acceptance criteria and procedures for inaria in its relationship with merchants approved by its board of directors' Less than PIOO million PIOO million and above Minim urn Required Capital P5 million PIO million (1) Merchant Due Diligence (Moo). A risk-based approach shall be undertaken depending on the type of merchant, business relationshi or nature of transaction or activity and risk profile. An Ops-MAL shall formulate a risk-based and tiered MDD that involves reduced MDD for potentially low-risk merchants and enhanced MDD merchants, which shall include for higher-risk Page 4 o. 2

(a) Merchant Identification. An Ops-MAL shall establish and record the true identity of their merchants based on official documents. They shall maintain a proportionate system of verifying the true identity of their merchants and, in the case of corporate clients, require a system of verifying their legal existence and organizational structure, as well as the authority and identification of all persons purporting to act on their behalf. Merchant risk assessment. An Ops-MAL shall understand, evaluate, analyze, and periodically assess the overall potential risk of a merchant, such as risks related to its financial capecit , legitimacy, operations, money laundering/terrorism financing/proliferation financing, cybersecurity, and consumer protection, among others, using reliable documents, information, or any other appropriate measures to undertake the background verification. When applicable, additional controls may be instituted to manage the potential risk of a merchant. Ib) IC) Merchant monitoring. An Ops-tviAL shall ensure periodic monitoring of its merchants in terms of adherence to their agreement and the merchant's business activities and shall kee records of these monitoring activities. In an existence of a valid ground based on the suspension or termination clause in the governing agreement, an Ops-IvlAL shall immediately suspend or terminate any merchant payment acceptance relationship with a merchant. (2) Governing agreement. A written agreement between merchant and the Ops-IvlAL shall be executed to overn relationship, which, at the minimum, shall cover the followin : (a) Account maintenance, such as information on: in business ownership and/or management, (11) business office and/or store address, and (inI nature of business; Ib) Timing and manner of the transfer to the merchant of the funds collected by the Ops-MAL, including the designation by the merchant of the means of receiv!rig payment and merchant account where the funds will be transferred, as applicable; (c) Disclosures and stipulations on the sharing of risks associated with merchant acquisition; Id) Roles and responsibilities of each party, procedures and timelines On: in Liability management in case of negligence/security breaches/ fraud, among others; (11) Reconciliation process; (Iii) Safeguards against unauthorized disclosure of customer data and other protected information, data loss, fraud, and cyber threats; as well as to facilitate the secure and efficient sharing of data among authorized entities; (Iv) Handling and resolving complaints, refund/failed transactions, or customer returns; and Suspension and termination clauses, where the grounds include the following: (1) for suspension, breach of the agreement or a merchant is (e) the the Page 5 of 12

suspected to be involved in fraudulent or illegal activity based on information obtained from a reliable source, a complaint from an aggrieved party or a finding under its own systems, and Iii) for termination, merchant's involvement in fraudulent or illegal activity substantiated by adequate and appropriate evidence after the investigation or assessment of the Ops- $11AL or conviction with finality by a court of law. (3) Dispute resolutibn. An Ops-MAL shall have in place a dispute resolution framework to ensure prompt and effective resolution of cases with its merchants and cases with its third-party service providers. It shall contain details, such as the transaction life c cle, a detailed explanation of types of disputes, the process of dealing with them, the responsibilities of all parties, the procedure for addressin the grievance, and the turnaround time for each stage. Payment to Merchants. The Ops-IvlAL shall maintain desi nated account/s with a Bangko Sentral Supervised Financial Institution IBSFlj where funds received or collected on behalf of merchants are held separate from the Ops-rillAL's own funds and shall be ro erl accounted for. The funds in the designated deposit account/s shall only be used for settlement purposes with the merchants and/or transfers related to merchant acquisition, such as chargebacks to a merit instrument issuers or the charging of merchant fees. In case there is a need to shift the designated account from one BSFl to another, the said change shall be effected in a time-bound manner without jin actin the payment cycle for the merchants. b Ops-MAL shall ensure timely and complete funds settlement with merchants. The settlement period shall be agreed upon by the Ops-IvlAL and the merchant, but shall not be longer than two (2) business days from the day the funds are received by the Ops-IvlAL for transfer to a merchant. In the event that the payment cycle stated in the merchant agreement is more than the agreed maximum number of days as stated above, an Ops-IvlAL shall submit justification, including su ortin documentation, to the appropriate supervising depa rtment, subject to prior approval of the Bangko Sentral. Without such approval, the Ops~ IvlAL shall undertake safeguarding measures, which in a include placing the outstanding funds in a trust account or securing a bank guarantee against it in a BSFl or any other measures acceptable to the Bangko Sentral. Ops-FAAL shall be liable to provide the collected funds to merchants in the event the issuer of payment instruments or any other parties involved in the handling of such funds fail to fulfill their settlement obligations, regardless of dispute with other parties. Pricing Mechanism. Notwithsta riding the consu mer pricing rules under the NRPS Framework and subsequent relevant issuances, Ops-IviAL shall adopt a pricing mechanism whereby merchant fees may be charged to merchants availing of merchant payment acce tance C Page 5 of 12

activities. Such pricing mechanisms shall be reasonable, trans arent, market-based, and proportional to the cost of the services offered in order to sustain the business operations of the parties involved 503.8 Commencement of Merchant Acquisition Service. An Ops-MPAA granted a MAL shall commence actual engagement in merchant acquisition within six (6) months from the date of issuance of the license, unless alonger period has been approved by the Bangko Sentral. Failure to commence actual merchant acquisition within the six (6) month period shall render the license automatically revoked. Within five (5) business days from the actual start of merchant acquisition service, the Ops-FAAL shall notify in writing the appropriate supervising department of the Bangko Sentral of the actual start date. Such notificati shall be duly acknowledged by the appropriate supervising department of the Bangko Sentral. 503.9 Ops Without the Appropriate License from the Ban ko Sentr I. When an Ops required to be licensed under this Section is found t b engaging in merchant acquisition without a prior license, the Monetar Board shall issue a directive to such Ops to coin I with the tic requirements under this Section. If, after notice to the concerned Ops, the Ops continues to engage in said activities without the requisite license, the Monetary Board shall issue an order to such Ops to cease en a in in said activities and to take immediate action to apply for a license. The Ban ko Sentral may coordinate with other regulators and concerned over riment agencies to inform them that the said Ops do not have the required license from the Bangko Sentral to engage in such activities. This procedure is without prejudice to the enforcement actions that may be de 10 ed b the Bangko Sentral, as may be applicable, under existing laws, rules, and regulations. 503.10 Continuing Compliance. Ops-rillAL shall continuousl coin I 'tti the operational standards and requirements set out in this Section and other relevant sections of this Manual, Any deviation or non-coin lience after securing a license shall be a basis for the imposition of appro riate enforcement actions. Bangko Sentral authorized personnel shall have the authority to conduct an assessment, examination, and/or systems and operational review pursuent to Section 101 of this Manual. 503.1 Voluntary Termination of Merchant Acquisition Service. An Ops￾MAL that wish to cease engaging in merchant acquisition shall secure rior approval of the Bangko Sentral on the termination and ensure coin fiance with the following procedures: At least three (3) months prior to intended date of termination, submit to the appropriate supervising department of the Bangko Sentral a request for approval, signed by the president or officer of equivalent rank, stating the details andjustification for the voluntary termination, and submitting the Board or stockholders' approval of the same; Upon receipt of the notice of the Bangko Sentral approval: (1) send written notice of termination to merchants by personal service, or registered mail/other mall couriers wherein proof of receipt of notice by the merchants shall be kept on file and made available upon re uest of a. b. Page 7 of 12

the Bangko Sentral; and Iii) publish notice in a newspaper of general circulation and post the same in the official website of the Ops-MAL, if applicable; and Submit to the appropriate supervising department of the Bangko Sentral within five (5) business days from date of termination, a certification signed by the president or officer of equivalent rank, stetin that the: to termination was implemented, (ii) notification requirement under Item "b" above has been complied with, and (11i) the Ops-illAL has no remaining obligations to its merchants. C. 503.12 Reportorial Requirements. The guidelines on reportin under Section 103 of this Manual shall apply to Ops-NIPAA. As such, Ops-NIPAA shall comply with the reportorial requirements for Ops. In addition, Ops￾NIPA, . shell submit the following secondary report to the a ro riate supervising department of the Bangko Sentral: Annual audited financial statement Report Title In addition to above, an Ops~IvlAL shall submit the following secondar reports to the appropriate supervising department of the Bangko Sentral: Statistics related to NIPAA (Appendix 503-2) Notice to the Bangko Sentral of 519 nificaint changes (Appendix 503-3) Report Title Frequency Annually Notice to the Bangko Sentral of change in average monthly value of collected fu rids to be transferred to merchants that would change license category IAPpendix 503-4) 120 business days after end of reference year Frequency Submission Deadline Quarterly For this purpose, significant changes include: a. Changes in ownership, directors, and/or key officers or representatives authorized to officially communicate to the Bangko Sentral; and Any proposed changes to merchant payment acceptance model of the Ops-MPAA that are significant or change the risk profile of the business model, which includes but is not limited to any chan es in target market, mode of payment acceptance, as well as payment and settlement flow. The guidelines for the preparation and electronic submission of the re orts required in this Section will be covered by a separate issuance. Statistics related to NIPAA shall apply to Ops-IViAL that are not re uired to submit the monthly report on Electronic Payments and Financial Services As needed As needed 15 business days after end of reference q uarter Submission Deadline b 30 business days prior to effective date of proposed change 60 business DCcu rrence days after Page B of 12

pursuant to Section 501.6 of this Manual, Failure to comply with the provisions of this Subsection shall cause the concerned Ops-NIPAA to applicable sanctions for Erroneous, Delayed, Erroneous and delayed, or Unsubmitted Reports, as prescribed under Subsection103.5 of this Manual. ' 503.3 Enforcement Actions. Failure to comply with the requirements of this Section shall subject the Ops-NIPAA to the appropriate enforcem t action provided under Part Fifteen of this Manual. 903 SPECIAL RULES FOR MERCHANT PAYMENT ACCEPTANCE ACTIVITIES 903.1 Outsourcing. Ops engaged in or intending to engage in merchant payment acceptance activities IMPAA) in the Philippines (Ops-NIPAA) shall remain responsible and accountable for the services outsourced to third￾party service providers. As applicable, it shall be the responsibility of the O PS-rill PAA to: Conduct appropriate due diligence review of the third party to assess the legitimacy and capability of the third party in performing the service to be outsourced prior to entering into an outsourcing arrangement; Ensure that the relationship/arrangement is supported by a written contract that should contain, at a minimum, business continuit and disaster recovery arrangements of the third party to ensure continuit of operations; Ensure that the third party employs a high degree of professional care in performing the outsourced activities as if these were conducted b the Ops-MPA, * itself. This would include, among others, makin use of monitoring and control procedures to ensure compliance at all times with applicable Bangko Sentral rules and regulations; Ensure that the third party adheres to international standards on information technology 11T) governance, information security, and business continuity in the performance of its outsourced activities and complies with all laws and Bangko Sentral rules and regulations covering the activities outsourced, especially on compliance with AM L/'GTPF requirements; Undertake operational review of the third party at least on an annual basis as part of risk management. This review should be documented as part of the Ops-MPAA's monitoring and control process; Identify, delineate and document the responsibilities and accountabilities of each party as regards the outsourcing arra rigement, including PIa rining for contingencies. Notwithstanding any contractual agreement between the Ops-MPAA. and third part on the sharing of responsibility, the Ops-NIPAA shall be responsible to Page 9 of 12 PART NINE OPERATIONAL RISK XXX a. b xxX C d. e f

its merchants; without prejudice to further recourse, if an , b the Ops￾MPAA to the third party; Review a rid monitor the security practices and control processes of the third party on a regular basis, including commissioning or obtainin periodic expert reports on adequacy of security to maintain the confidentiality and integrity of data, and coin 11ance with internationally recognized standards in respect to the operations of the third party. Considering that the third party may service more than Ops-MPAA, the Ops-!VIPAA should ensure that records ertai t its transactions are segregated from those of other Ops-MPAA; and Maintain necessary documentation to show that outsou rcin arrangements are properly reviewed, and the appropriate due diligence has been undertaken prior to implementation. The Ops￾NIPAA shall keep in its file these documents and the same shall be made available to authorized representatives of the Bangko Sentralf inspection. g h. 903.21nformation Technology Risk Management 11TRM). Ops-NIPAA shall design and implement an ITPM that is risk-based, coinmensurate with th size, naru re, types of products and services, and complexity of its inform t' technology (In operations. There shall be a robust and effective information technology and security risk management framework and rocess , including corresponding governance structures and controls, to en u financial stability, operational resilience, and end-user protection, whi F1, t a minimum, shall include the following: a. Organizational structure that has well-defined role d responsibilities for information, business processes, applications, IT infrastructu re, and fraud prevention; Policies and procedu res on the identification, measurement, monitoring and controlling of data security and IT risks on a eriodic basis; b C. Appropriate IT and security infrastructure and systems for reventi and detection of cybersecurity and fraud, including processes d procedures on prevention, detection and monitoring to initi ate cybersecurity and fraud risk; Mechanism for monitoring, handling and reporting incidents and breaches related to data security, IT and fraud; Effective business continuity plan and disaster recovery plan for, t minimum, all critical business functions; Independent assessment of risk management process and controls; Sufficient resources to hire and train employees to ensure that the have the necessary capacity and expertise to meet the requirements for IT and the business lines it supports; Baseline tech nology-related recoin mendations, latest encr tion standards, transport channel security, among others, based on international standards and recognized principles of international practice for ITF^NII and Measures to ensure compliance with applicable data stora e and privacy requirements, such as not storing the customer card credentials within their database or the server accessed by the merchant d. e. f. g h Page To of 12

PART TEN ANTI-MONEY LAUNDERING I COUNTERING TERRORISM AND PROLIFERATION FINANCING (AML/'CTPF) 1003 SPECIAL RULES FOR MERCHANT ACTIVITIES Ops engaged in or intending to engage in merchant payment acce to c activities (MPAA. I in the Philippines (Ops-NIPAA) shall adhere to the applicable provisions under the Anti-Money Laundering Act, as amended, The Terrorism Financing Prevention and Suppression Act of 2012, a d targeted financial sanctions (TFS)-related laws and their respective Implementing Rules and Regulations (IPR). XXX XXx 1103 SPECIAL RULES ACTIVITIES Ops engaged in or intending to engage in merchant pa merit acce t activities IMPAA) in the Philippines (Ops-MPAA) shall be considered a Bangko Sentral Supervised Institution (BSI) for the purposes of this Section and shall have mechanisms in place that ensure the safety of end-users (i. e. , merchants) availing of its service. Such mechanisms shall comply with existing financial consumer protection laws under the Financial Products and Services Consumer Protection Act (F?A No. 11765) and related implementing rules a rid reg ulations. PAYMENT ACCEPTANCE PART ELEVEN END~USER PROTECTION XXX FOR MERCHANT PAYMENT ACCEPTANCE Section 3. The Appendices of the MopPS and the prescribed re rt I templates in relation to merchant payment acceptance activities are attached Annex A of this Circular. Section 4. Transitory Provision. All Ops already enga ed in NIPAA t th time of the effectivity of this Circular shall comply with the re uir t prescribed under this Circular notlaterthan twelve (12) months from its effectivit . Within six (6) months from effectivity of this Circular, Ops-NIPAA shall submit the following requirements to the appropriate supervising department of the Ban ko Sentral: a. A certification, signed by the president or officer with equivalent rank and function, of the applicable requirements of this Circular that the Xxx xXx Page 11 of 12

Ops-MPAA is already in compliance with (Annex B); and A duly accomplished gap assessment template (Annex C) specifying the plan of actions the Ops-NIPAA will undertake, with the corresponding timelines not exceeding twelve (12) months from the effectivity of this Circular, to conform to the provisions it has yet to full comply with. In addition, to comply with the licensing requirements prescribed under this framework, an Ops already engaged in merchant acquisition shall subm't, not later than six (6) months from effectivity of this Circular, to the appropriate supervising department of the Bangko Sentral the documentary re uirements under the guidelines on the application for AllAL (Appendix 503-1 of the MopPS). The actual average monthly value of collected funds transferred to merchants in the 12-month period prior to the date of application, augmented b ex t d average value if the entity is operating for less than twelve (12) months, shall be used as basis for category of license. The capital requirement shall be coin lied with on the date of application. For registered Ops already engaged in merchant acquisition, the amount paid as registration fee, as applicable, shall be deducted from the license fee u on approval. Upon submission of the above documentary requirements and a merit of applicable filing fees, if any, the Ops-NIPAA may continue to operate its busine unless otherwise informed by the appropriate supervising department of the Bangko Sentral. The imposition of the appropriate enforcement action under thi Section shall apply for failure to submit within the prescribed deadline the re ui d information or documents. Banks and EMI-NBFls shall submit to the appropriate su ervi I department of the Bangko Sentral not later than six (6) months from the effectivit of this Circula r: A notice of their engagement in merchant acquisition signed b the president, chief executive officer, or senior officer holding an equivalent and , position and supporting documentary requirements IAPpendix 503-5); b a b. A duly accomplished gap assessment template (Annex C) for the provisions on payment to merchants, pricing mechanism, and reportorial requirements, specifying the plan of actions the Ops-NIPAA. will undertake, with the corresponding timelines not exceeding twelve (12) months from the effectivity of this Circular, to conform to the provisions it has yet to fully comply with Section 5. Effectivity. This Circular shall take effect fifteen (15) calendar days following its publication either in the Official Gazette or in a news a f general circulation. IQ 3 uly 2024 "';^,,,"'RYB, ,,, Officer-i Charge Page 12 of 12

Appendix 503.1 Guidelines on Application for Merchant Acquisition License An Ops~NIPAA. intending to engage in merchant acquisition shall coin I 'th th following requirements: a. Docu meritary requirements I. Application for Registration as Operator of Payment System (Ops) (Appendix 502-2) signed by the president, chief executive officer, or a senior officer holding an equivalent position; Proof of financial capacity I. For New Entity: Treasurer's Affidavit supported by proof of payment of subscribed capital (for partnershijos, corporations, and cooperatives) or Bank Certification fror sole proprietorship) 11. For Existing Entity: Latest Audited Financial Statement and Latest Interim Balance Sheet signed by the OwnedManaging Partner/President Copy of Certificate of registration from the Department of Trade and Industry IDTl), Securities and EXchange Commission (SEC) or Cooperative Development Authority (CDA), as applicable; Copy of the business registration/permit indicating the line of business of the Ops, from the city or municipality that has territorial jurisdiction over the place of establishment and operation of the Ops for the current period; 5. Documentary requirements in compliance with the Governance Policy for Ops as stated in Section 401 of the MORPS; 6. Organizational structure; 7. Business plan, including but not limited to a description of business model, ta rget me rkets, payment services/products offered to merchants, payment settlement process/ proced ures with corresponding process flow/s; Risk management policies and procedures covering but not limited to the following critical areas: Information Technolo , Information Security, Business Continuity and Operational Risk Management; 9. Merchant management policies and procedures, includin due diligence and approval criteria, on boarding and monitoring; 10. Document/information on merchant protection, particula rly redress mechanism; 11. Expected average monthly value of collected funds to be transferred to merchants in the applicable period; 12 Tern plates of agreements/contracts with merchants, settlement banks, third party providers and other entities that are necessar in the provision of merchant acquisition service, as applicable; List of settlement banks, third party providers and other entities that are necessary in the provision of merchant acquisition service, as applicable; and 14. Schedule of fees and/or charges 2. 3 4 AN N Ex A 8 13 Pagel of 2

An Ops-NIPAA already registered with the Bangko Sentral as Ops need not submit items am-(5) above if the information from previously submitted documents during registration remain the same. Applications with incomplete documentation will be returned without prejudice to re~submission of a complete application and collection of a PPIica ble fees. The Bangko Sentral may request information and/or documents aside from the minimum documentary requirements prescribed above to arrive at an informed decision. It may also conduct limited inspection or validation, when warranted. The Bangko Sentral may approve any application of an eligible applicant after evaluating the application and considering relevant factors. Likewise, the Bangko Sentral may deny applications if (a) significant supervisory or compliance concerns exist, or (b) the applicants fail to provide material information necessary to make an informed decision. Application fees. An applicant, depending on its classification, shall be assessed the following fees per application: i. Filing fee - shall be charged upon filing of an application and is non￾refundable. In case of re-submission of application that is returned for and , incomplete documentation, another filing fee shall be charged anew; 11. License fee - shall be charged to certain application upon ap roval Assessed fees shall be paid to the Bangko Sentral as follows b Type of Fee Filing License C. Post Decision. Unless otherwise prescribed by the Bangko Sentral, an applicant may file a new application for a denied and/or withdrawn application after the lapse of six (6) months from the date of denial/ withd rawal: Provided, That any weaknesses, deficiencies and/or non~ compliance with any laws, rules, regulations and/or directives that made the applicants in eligible have already been satisfactoril add ressed. PIO, 000.00 A P25,000.00 Category I*20,000.00 B P60,000.00 Page 2 of 2

Name of Ops-MPAA: Date: <End-Month Year> Transaction/Payment Instrument A. Via electronic .hannnl lintone'. mobil". POS. inPa. . ATM. CAM/Pa entkiask Statistics Related to Merchant Payment Acceptance Activities (MPAA) I. Ca, h-INd, sit Ii. Cash, UVwi. hd, awal ill. Domestic fund t, .h, ,.,/, chantsnce .v. Cross-border transfers a. Unward v. Bills a merit b. Outward vl. Pa morit, o merchants vii. Pa vin Other E= menu Re av. ,"men, a. Via UV. ", h. -count. r i. cash-IrJde o31t ii. Cn, h, UVwj, hdraw, I 11i. Domestic fund tnn. for/,. miltanc. Iv. Cross. border transfers Cash Volume a. Inward v. Bills " men, h. OURward ui. P. merit to Inc. ch. nt= vi, . Pa Vll, . ORher s: innntto DVD, ninent value ch"ck ,_!I v@Iu me Value D, bit Card Ibnnk or .' money, Valumu PaymenR Cards ,. o Pre-paid Card Val tic 0.00 Valu me o it, o Value Appendix 503-2 Credit card 1.1j, , 0.00 Velu in" o Payment Instructions I. .g. ER. QR Endoj .t * 0.00 o Value ,, Oco 0.00 .1:10 v@Iu me o It Itt, . 0.00 a , Valu. U 00 Other, o. 00 O O* o VOIU inc . 0.00 It tit o Vnju" U Total ona 0.00 000 o VCIu me o o 0.00 hill
o o Value o O 00 o 0.00 Oco o , o 0.00 o 0.00 0.00 0.0 o o 0.00 o 0.00 o 0.00 0.00 o * o o00 o o. 00 0.00 rino 0.00 o 0.00 o o 0.00 o ,, o 000 0.00 U 0.00 Oco o 0.00 o 0.00 o 0.00 o o 0.00 D 0.00 Oco o 0.00 o 0.00 o. 00 o 0.00 o 0.00 0.00 Page I of 4

Tatfil . . A. User Profile i. Numbeiof users/accounts it Number of active users iii. Number or tie-ups with international scheme iv. Number of users/accounts tied to international scheme B. Number of terminals i. POS Ii. in POS 111. ATM iv. CAM v. Payment Kiosk vi. Others: C. Number of agents ,: i. Direct a ents ii. A Grits b virtue of artnershi with other Ops D. Number of billers/merchants i. Direct billets/merchants ,, , * ii. Biller/Merchants byvirLue of partnership with other Ops o 0.00 o I. Settlement happensin less than 30 days No. of Billers ,i. Settlement hap ens between 31 to 60 da 0.00 iii. Settlement happens between 61 to 90 days iv. Settlement happens between 91toT80 days v. Settlement hap ens after 180 days Q 0.00 o . . 0.00 o S 0.00 o a Government o b Non- over ninent 0.00 a Government b Non-government o 0.00 o Page 2 of 4

F, Availability i. System Availability ii. Network Availability iii. Termina! Availability IAvera e! G. Complaints Handling - No. of complaints received for the reference period i. No. of coin plaints. beginning balance funresolved from previous reference periodj ii. No. of complaints resolved within TAT iii. No. of complaints, esolved outside TAT iv. No. of unresolved complaints as of end of reporting period H. Fraud Management i. No. of Fraud Incidents ii. No. of Accounts/Customers Affected Minimum Fee i. Number of incidentsjlo, the reference periodj 11. Number of incidents resolved Ifor she reference period) iii. Total downtime due to the incidents iv. Top 31ncidents {for the reference periodj - Nature of Incident Maximum Fee I. Number o11ncidentsjlor the, elerence periodj it Number of incidents resolved Ifor the reference periodj iii. Total downtime due to the incidents iv. Top 31ncidents Ifor the reference periodj - Nature of Incident Percentage 2 3 2 Date of Occurrence 3 Root Cause Date of Occurrence Resolution Root Cause Impact Resolution Impact Page 3 of 4

List of Delisted Merchants No. 2 3 4 5 6 Name of Merchant 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Reason for Delisting Note: Template of this report will be provided in Excel format Delisting Date Page 4 of 4

Pursuant to the requirement under Section 503 of the Manual f Peg ulations for Payment Systems (MORPS), I, <Name of Officer>, <President or Officer of Equivalent Rank>, on behalf of the <Name of Ops-MAL>, 'th Office> notifies the head/principal office address at <coin lete address of Head Prin'ci o1 Appendix 503-3 Notice to the Bangko Sentral of Significant Changes merchant payment acceptance activities as evidenced by the attached su pporting document/s: <description of significant change/s> I also certify that all relevant documentsin support of this representation are readily available for verification by the Bangko Sentral durin on it verification/examination or when a written request is made to determine corn PIiance. Signed: Name of President/Officer of Equivalent Rank President/Equivalent Rank Date

Appendix 503-4 Notice of Change in the Average Monthly Value of Collected Funds Transferred to Merchants Resulting to a Change in Categor of Licens Pursuant to the requirement under Section 503 of the Manual of Re ulations for Payment Systems (MopPS), I, <Name of Officer> <President or Equivalent Rank>, on behalf of the <Name of Ops-MAL>, with head/princi al office address at <coin lete oddress of Head Princi o1 Office>, notifie th Bangko Sentral of the change belowin the average monthly value of collect d funds transferred to merchantsin two (2) calendaryears resulting to a chan e in the category of license. Period of prior category Reference Period (Start and End Date) Calendar Year I Calendar Year 2 I also certify that all relevant documents in support of this representation are readily available for verification by the Bangko Sentral durin on it verification/examination or when a written request is made to determine compliance. Average Monthly Value of Collected Funds Transferred to Merchants ^. I^. P, Signed: Name of President/Officer of Equivalent Rank President/Equivalent Rank Date

Appendix 503-5 Notice to the Bangko Sentral of Engagement in Merchant AC uisition I, EN^t^^!:;^, <President or Officer of Equivalent ladnk>, on behalf of the <Name of BSP-Supervised Financial Institution jBSFl)>, with head/principal office address at <coin fete address of Head Princi o1 Office>, notifies the Bangko Sentral of our enga ement in mer h t acquisition as defined in Section 503 of the Manual of Regulations for Pa t Systems (NIORPS) beginning ^date of commencement^ as evidenced b the attached supporting document/s: Business plan, including but not limited to a description of business model, target me rkets, payment services/prod ucts offered to merchants, payment settlement process/ procedures with corresponding process Howls; (2) Merchant management policies and procedures, including due diligence and approval criteria, criboarding and monitoring; (3) Document/information on merchant protection, particularly redress mechanism; (4) Average monthly value of collected funds to be transferred to merchants in a twelve (12)-month period, augmented by expected average value if the BSFl is operating for less than twelve (12) months; (5) Templates of agreements/contracts with merchants, settlement banks, third party providers and other entities that are necessar in th engagement In merchant acquisition, as applicable; (6) List of settlement banks, third party providers and other entities that are and ,, necessary in the engagement in merchant acquisition, as applicable; (7) Schedule of fees and/or charges. I also certify that all relevant documents in support of this representation are readily available for verification by examiners of the Bangko Sentral durin onsite verification/examination or when a written request is made to determine coin plie rice. Signed: (1) Name of President/Officer of Equivalent Rank President/Equivalent Rank Date:

CERTIFICATION OF COMPLIANCE WITH THE REGULATORY FRAMEWORK ON MERCHANT PAYMENT ACCEPTANCE ACTIVITIES behalf of the <Name of Ops-MPAA>, with head/principal office address at <coin lete address of Head Princi o10ffice>, hereby certi that <Name of I, <Name of Officer> <President or -MPAA> coin lies wit t ' [Month] 2024 except for those indicated in the Gap Assessment tattached), which shall be complied with by the target date for compliance indicated in the same document. I certify further that to the best of my knowledge, all the information contained in the attached documents supporting the institution's coin 11ance are hereby true and correct. I also certify that all relevant documents in support of the merchant payment acceptance activities and operations are kept on file and are readil available for verification by the Bangko Sentral durin onsite verification/examination or when a written request is made to determine coin pile rice. This certification is being submitted in compliance with the requirements provided in the Circular No. dated [Month] 2024 AN NEX B Sig med Name of President/Officer of Equivalent Rank President/Equivalent Rank Date

tName of Operator of Payment System - Merchant Payment Acceptance Activities (Ops - MPAA)l Gap Assessment under Circular No. dated IMOnthl 2024 BSP Regulatory Provisions ey provisions/requirements under Circular No dated 2024 Level of Compliance Governance and risk management measures applicable to Ops-MPAA a. Governance Isection 4011 Indicate level of coinplibnce lie. , Coinpfied, Partially Complied, or Not Coinpl!^d, Not Appficoble) b. Outsourcing Isection 903.1j Existing Controls Provide brief statement on the BSFlls existing policies and processes. c. Information Technology Risk Ma nagement (ITRM) Isection 903.2) ANN Ex c Gap/s d. Anti-Money Laundering I Countering Terrorism and Proliferation Financing (AM L/CT P F) (Section 1003) Identify specific gap/s vis-d￾vis the regulatory requirement, ,' Action Plan/s Inchcate action plan/:s and the committed timefine S e. End-User Protection Isection 1103) 2 Authority to engage in merchant acquisition a Capital requirements b. Governance Merchant Management 11. 3. 111. Payment to Merchants Reportorial Requirements Pricing Mechanism