Technical Standards for Comprehensive Risk Management and Information Transparency of Investment Banks

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 1 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025

THE COMMITTEE OF STANDARDS OF THE CENTRAL RESERVE BANK OF EL SALVADOR, CONSIDERING: I. That article 3, paragraph 3 of the Investment Banks Law establishes that, in accordance with the Law on Supervision and Regulation of the Financial System, Investment Banks constituted in accordance with the Investment Banks Law shall have the status of members of the Financial System. II. That article 38 of the Investment Banks Law establishes that Investment Banks may use any digital means available to perfect their contracts with their clients and suppliers, using technological means such as electronic signature or any other that facilitates remote contracting. III. That articles 41, paragraphs 4 and 5 of the Investment Banks Law establish that Investment Banks may contract with third parties any service inherent, necessary, or complementary to the carrying out of the operations described in said article. Any service contracted with a third party shall be subject to the same regulation and supervision, where applicable, as the Investment Bank, with the latter being ultimately responsible for the integrity, availability, and confidentiality of the service provided and for providing any information that the Superintendence may request. Likewise, it is established that Investment Banks, as responsible parties towards their clients, must carry out an extended "know your provider" procedure, ensuring the legal existence and technical capacity of the provider, as well as complying with applicable regulations. IV. That article 45 of the Investment Banks Law contemplates that Investment Banks will freely establish interest rates, commissions, and surcharges. The interest rates, commissions, and other surcharges that Investment Banks apply to their operations must be made known to the public monthly or when they are modified. Under no circumstances may an Investment Bank increase them in active operations without having previously made them known to the public. V. That article 2 of the Law on Supervision and Regulation of the Financial System establishes that the Financial Supervision and Regulation System aims to ensure the efficiency and transparency of the financial system, as well as the adoption of the highest standards of conduct in the development of their businesses. VI. That in accordance with article 3, letter c) of the Law on Supervision and Regulation of the Financial System, it is the responsibility of the Financial System Superintendence to proactively monitor the risks of the members of the financial system and the way in which they manage them, ensuring the prudent maintenance of their solvency and liquidity.

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 2 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025 VII. That article 32 of the Law on Supervision and Regulation of the Financial System establishes that the Superintendence may require supervised entities direct access to all data, reports, or documents regarding their operations through the means and form it defines. VIII. That in accordance with article 35, letter d) of the Law on Supervision and Regulation of the Financial System, it is stipulated that directors, managers, and other officials holding management or administrative positions in members of the financial system must conduct their business, acts, and operations complying with the highest ethical standards of conduct, acting with the diligence of a good merchant in their own business, being obligated to comply with and ensure that the institution they direct or work for adopts and updates policies and mechanisms for risk management, including among other actions, identifying, evaluating, mitigating, and disclosing them in accordance with international best practices. IX. That article 99, letter a) of the Law on Supervision and Regulation of the Financial System stipulates that it shall be the responsibility of the Standards Committee to approve technical standards, instructions, and provisions that the laws regulating the supervised entities establish must be issued to facilitate their application, including aspects inherent to risk management by the supervised entities.

THEREFORE, in virtue of the regulatory powers conferred by article 99 of the Law on Supervision and Regulation of the Financial System,

AGREES to issue the following: TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS

CHAPTER I OBJECT, SUBJECTS, AND TERMS

Object Art. 1.- These Standards aim to establish the minimum provisions that Investment Banks must comply with regarding comprehensive risk management and information transparency, in accordance with applicable laws and international standards, consistent with the nature, size, types of products, services, clients, and scale of their activities. These Standards complement the general regulatory framework in force, of which the "Technical Standards on Corporate Governance" (NRP-17), approved by the Central Bank through its Standards Committee, is also a part.

Subjects Art. 2.- The subjects obligated to comply with the provisions established in these Standards are Investment Banks.

Terms Art. 3.- For the purposes of these Standards, the terms indicated below have the following meaning: a) Digital Asset: In accordance with article 3 of the Digital Asset Issuance Law, it is a digital representation that can be stored and transferred electronically, using a Distributed Ledger Technology system, or similar or analogous technology, in which records are linked and encrypted to protect the security and privacy of transactions, which are characterized by being ownable, exchangeable, transferable, negotiable, and promotable by natural and legal persons; b) Easily Liquidated Assets: In accordance with article 4 of the Investment Banks Law, these are goods or resources owned by a natural or legal person that can be used immediately without legal or contractual restrictions, understanding that these assets are free of liens and any restriction that limits their use or alienation, such as: Bitcoin, Stablecoins, Treasury Bonds, Tokenized Treasury Bonds, Gold, Tokenized Gold, among others; c) Senior Management: The President, Executive President, Executive Director, General Manager, or their substitute, and the executive positions that report to them; d) Risk Appetite: The level and types of risks that an entity is willing to assume in relation to its activities, to achieve its strategic objectives and business plans; e) Central Bank: Central Reserve Bank of El Salvador; f) Commission: Amount of money charged by Investment Banks to the sophisticated investor for the provision of an operation or an additional service effectively provided, identified and described in the contract, and which is not inherent to the contracted product or service; g) Conflict of Interest: Any situation in which a personal benefit or interest of a third party may be perceived to influence the judgment or professional decision of an entity member regarding the fulfillment of their obligations; h) Comprehensive Risk Management Culture: Norms, attitudes, knowledge, and behavior of an entity related to risk and decisions on how to manage and control them;

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 3 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025 i) Disclosure: Publications in newspapers, websites, any other medium or electronic device, as well as exhibitions in physical or electronic billboards of Investment Banks; j) Risk Factors: Represent those variables that entities must consider for adequate identification and mitigation of the risks to which they are exposed; k) Sophisticated Investor: In accordance with article 4 of the Investment Banks Law, these are natural or legal persons, national or foreign, to whom Investment Banks are authorized to offer their services, which must meet the criteria established in said article; l) Board of Directors: A collegiate body or equivalent body in charge of the administration of the entity, with functions of supervision, direction, and control; m) Law: Investment Banks Law; n) Multi-signature: A security mechanism characterized by requiring several keys for the authorization of operations; o) Digital Platforms: In accordance with article 5 of the Digital Asset Issuance Law, these are digital infrastructures that allow two or more acquirers to interact and exchange digital assets for other digital assets or for fiat money; p) Stress Tests: Scenarios used to evaluate and measure the resistance, vulnerability, and stability of an entity or financial system against the occurrence of possible adverse extreme events, and their impact on equity and/or the financial results of an entity; q) Superintendence: Financial System Superintendence; r) Risk Tolerance: Acceptable levels of risk-taking to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and is generally aligned with risk categories, such as strategy, finance, people, or reputation; s) Interest Rate: The price paid or received for the use of money, which is established as a percentage of the capital based on the days the debtor or depositor has or makes it available from the date of disbursement or deposit; t) Nominal Interest Rate: Annualized active or passive interest rate freely established by the Investment Bank and accepted by the sophisticated investor; u) Effective Interest Rate or EIR: Annualized interest rate that allows equalizing the present value of all installments and other payments to be made by the sophisticated investor with the amount they will effectively receive as a loan; and v) Reference Rate: A single rate that will serve as the basis for contracting active operations with adjustable interest rates and will be established by the Investment Bank.

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 4 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025 CHAPTER II ON COMPREHENSIVE RISK MANAGEMENT

Comprehensive Risk Management Art. 4.- Investment Banks must establish a comprehensive risk management system, which shall be understood as a strategic process carried out by the entire Investment Bank, through which they identify, measure, control, mitigate, monitor, and communicate the different types of risks to which they are exposed and the interrelationships that arise between them, to achieve their objectives. This management must be in accordance with their nature, risk profile, volume, and complexity of their activities, business lines, own and third-party resources, so as to promote the implementation of measures consistent with best practices for the transparent, efficient, and orderly functioning of the market. The integral process for risk management must be duly documented and periodically reviewed based on changes that occur in the Investment Bank's risk profile and in the market. The policies, procedures, and manuals issued by Investment Banks must be in Spanish.

Stages of the comprehensive risk management process Art. 5.- Investment Banks must have a continuous documented process for the comprehensive management of their risks, which must contain at least the following stages: a) Identification: This is the stage in which existing risks in each operation, product, service, process, and business line developed by the Investment Bank and those that may arise in new business lines are recognized and understood. In this stage, risk factors that can generate changes in the Investment Bank's equity are identified based on the activities or operations own to it and those carried out with sophisticated investors in accordance with the Law; b) Measurement: This is the stage in which risks must be quantified in order to determine compliance or adequacy of policies, fixed limits, and measure the possible economic impact on the financial results of the Investment Bank. The methodologies and tools to measure each type of risk must be in accordance with the size, nature of their operations, and the levels of risks assumed by the Investment Bank; c) Control and mitigation: This is the stage that seeks to ensure that the policies, limits, and procedures established for the treatment and mitigation of risks are appropriately taken and executed; and d) Monitoring and communication: This is the stage that provides systematic and permanent follow-up to risk exposures and the results of adopted actions. These information systems must ensure a periodic and objective review of risk positions and the generation of sufficient information to support decision-making processes and allow communicating the results of risk management in a timely manner.

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 5 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025 Types of Risks Art. 6.- For the purposes of these Standards, Investment Banks must manage, according to their structures, size, businesses, and resources, at least the following risks: a) Credit Risk: The possibility of loss due to the non-compliance of contractual obligations assumed by a counterparty, understood as a borrower or a debt issuer, according to the Technical Standards issued by the Central Bank through its Standards Committee; b) Market Risk: The possibility of loss, resulting from movements in market prices that generate a deterioration in value in positions within and outside the balance sheet or in the financial results of the Investment Bank; Likewise, they must consider fluctuations in the price of a digital asset, pledged or held in custody; c) Liquidity Risk: The possibility of incurring losses due to not having sufficient resources to meet assumed obligations, incurring excessive costs, and being unable to develop the business under the planned conditions; d) Operational Risk: The possibility of incurring losses due to failures in processes, people, information systems, and due to external events; it includes legal risk, fraud risk, technological or cybersecurity risk, strategic risk, custody risk, etc., according to the Technical Standards issued by the Central Bank through its Standards Committee; and e) Reputational Risk: The possibility of incurring losses, resulting from the deterioration of the Investment Bank's image, due to non-compliance with laws, internal norms, corporate governance codes, codes of conduct, money laundering, among others. With reference to the management of money laundering and asset risks, terrorism financing, and the financing of the proliferation of weapons of mass destruction, Investment Banks must apply what is established in the "Technical Standards for the Management of Money Laundering and Asset Risks, Terrorism Financing, and the Financing of the Proliferation of Weapons of Mass Destruction" (NRP-36), approved by the Central Bank through its Standards Committee.

CHAPTER III ENVIRONMENT FOR COMPREHENSIVE RISK MANAGEMENT

Organizational System Art. 7.- Investment Banks must establish an organizational structure that allows for adequate comprehensive risk management, with the appropriate segregation of functions and hierarchical levels of operational support, business, and control areas that participate in the process, as well as levels of dependency, in accordance with the risk profile, size, and nature of their operations. Investment Banks will establish and apply the methodologies they consider appropriate for the risk management model, without prejudice to the norms and minimum requirements established by the Central Bank through its Standards Committee.

Functions of the Board of Directors Art. 8.- The Board of Directors is responsible for ensuring adequate comprehensive risk management, having among its functions at least the following: a) Define and approve the Investment Bank's risk appetite and tolerance, as well as the exposure limits of each particular risk according to its profile; likewise, it must establish the respective controls for exceptions and deviations to said limits; b) Approve the internal organizational or functional structure according to its business model, with their respective organization manuals and segregation of functions, assigning the necessary resources to implement and maintain adequate risk management, effectively and efficiently; c) Approve the policies and manuals for the management of risks assumed by the Investment Bank, ensuring that they are implemented; d) Create the Risk Committee, as established in the "Technical Standards on Corporate Governance" (NRP-17) approved by the Central Bank through its Standards Committee, approving the appointment and removal of its members, when applicable, and ensuring their independence; e) Create the Risk Unit and appoint the person in charge of it, ensuring its independence from the business and operational areas of the Investment Bank to avoid conflicts of interest, as well as the separation of functions and corresponding responsibilities, and providing it with the resources, tools, materials, and adequate technical training; f) Know and understand all risks inherent to the businesses developed by the Investment Bank and to which it is exposed, their evolution, and their effects, especially at the equity levels; as well as the methodologies and tools for risk management; g) Approve the Investment Bank's involvement in new products, services, business lines, and operations, and ensure that they adhere to the business strategies of the same and to the policies for risk management; h) Ensure that an organizational culture of risk management is implemented within the Investment Bank; and i) Ensure that Internal Audit verifies the existence and compliance of the Investment Bank's comprehensive risk management scheme. The policies and manuals for risk management approved by the Board of Directors

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 6 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025 must be sent to the Superintendence for its knowledge, within the first ten business days following their approval or respective modification. The period between reviews and/or updates on policies or manuals must not exceed two years.

Functions of the Risk Committee Art. 9.- The functions of the Risk Committee will include, at a minimum, the following activities: a) Approve the following: i. The methodologies to manage the different types of risks to which the Investment Bank is exposed, as well as their eventual modifications, ensuring that the same considers the relevant risks of the activities it carries out; and ii. The corrective actions proposed by the Risk Unit and the involved areas, as well as the mechanisms for their implementation, in the case of deviation with respect to the assumed exposure levels or limits. b) Require and follow up on corrective plans to normalize non-compliance with exposure limits or reported deficiencies; c) Evaluate, endorse, and propose for Board of Directors approval, at least, the following: i. The strategies, policies, and manuals for comprehensive risk management, as well as the eventual modifications made to them; ii. The tolerance limits for exposure to the different types of risks identified by the Investment Bank, consistent with its risk appetite; and iii. The cases or special circumstances in which exposure limits may be exceeded, as well as the special controls over said circumstances. d) Inform the Board of Directors about the risks assumed by the Investment Bank, their evolution, their effects, especially at the equity levels, and additional mitigation needs, as well as their corrective actions; e) Inform the Board of Directors about the exposures, deviations, and exceptions of the risks that are managed in the Investment Bank; and f

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 7 of 41 CNBCR-09/2025 NRP-93 TECHNICAL STANDARDS FOR COMPREHENSIVE RISK MANAGEMENT AND TRANSPARENCY OF INFORMATION OF INVESTMENT BANKS Approval: 10/11/2025 Validity: 25/11/2025 [Text ends abruptly in source document]