Regulation on the Organization and Implementation of Activities by Payment and Electronic Money Institutions

Central Bank of the Republic of Azerbaijan Decision № 01/2 10 January 2024 Regulation on the organization and implementation of activities by payment and electronic money institutions

1. General provisions 1.1. This Regulation has been developed according to Articles 3.2.9, 4.2, 5.1.1, 5.1.2, 7.1.1, 10.1, 49.2.11, 49.3, 59.2.3, 62.3.1, and 62.4 of the Law of the Republic of Azerbaijan ‘on Payment Services and Payment Systems’ (hereinafter – the Law). 1.2. This Regulation specifies requirements for the minimum initial capital and minimum amount of own funds for payment institutions (PIs) and electronic money institutions (EMIs), outlines a procedure for the calculation, structure and composition of own funds, the implementation of currency exchange activities and issuance of loans to payment service users, low-risk liquid assets where the funds received by EMIs can be invested, instances and procedures for informing about operational or security incidents, and requirements on handling sensitive payment data. This Regulation also establishes the requirements for the activity program and business plan of a PI and an EMI; their internal control and risk management systems; security measures for the provision of payment services; business continuity and recovery plans in emergency situations; the minimum amount of civil liability insurance (guarantee) for a PI intending exclusively to provide account information services; information security requirements; as well as the form, content, and procedure for submission of reports on the activities of PIs and EMIs. 1.2-1. Requirements relating to procedures for handling sensitive payment data in the institution, information security, as well as the business continuity and recovery plan in emergency situations, are regulated by the ‘Information security requirements for supervised entities in financial markets,’ approved by Decision No. 14/2 of the Management Board of the Central Bank dated 28 March 2024 (hereinafter – the ‘Requirements’). 1.3. According to Article 3.2.9 of this Law, when the maximum amount of a single payment transaction provided by a mobile network operator for the purchase of digital content and voice-based services exceeds AZN50 (fifty), and the amount of such payment transactions for one subscriber over a month surpasses AZN250 (two hundred and fifty), as well as if total amount of charitable activities within a month exceeds AZN500 (five hundred) for this type of payment transactions conducted on one subscriber, such relevant payment transactions are considered a payment service for the purposes of the Law. 1.4. The ‘institution’ in this Regulation is defined as a PI and an EMI. 1.5. The institution maintains cash operations, cash storage and transportation in accordance with the ‘Regulation on cash operations, storage and transportation of cash and other valuables in credit, payment, and electronic money institutions’ approved by Resolution No 24/1 of the Management Board of the Central Bank of the Republic of Azerbaijan (hereinafter – the Central Bank) dated 14 September 2021.

1.6. The institution maintains electronic transfer of funds in accordance with the ‘Regulation on customer due diligence during wire transfers’ approved by Resolution 09/1 of the Management Board of the Central Bank dated 22 February 2023. 1.7. The institution maintains opening, maintaining and closing of payment accounts in accordance with the ‘Regulations on opening, maintaining, and closing bank accounts’ approved by Resolution 04/2 of the Management Board of the Central Bank dated 4 February 2022 in consideration of the requirements of the Law. 2. Definitions 2.1. The definitions used in this Regulation bear the following meanings: 2.1.1. liquidity risk – the risk of inability to meet planned and unexpected liabilities in a timely and effective manner. 2.1.2. operational risk – risks arising from errors and mistakes made by institution's employees, problems and deficiencies in the information system and technologies, as well as risks arising from events outside the institution. 2.1.3. credit risk – the risk arising from non-timely or incomplete performance of the payment service user's liability payable related to the loan obtained from the institution. 2.1.4. compliance risk – the risk of enforcement measures and sanctions, financial losses, or loss of reputation that the institution may face as a result of non-compliance with the legislation and legal acts regulating financial markets. 2.1.5. average outstanding electronic money balance – average amount calculated on the basis of balances of funds attracted from payment service users to issue electronic money over the last 6 (six) months, as at the end of the last business day of each month. 2.1.6. counterparty risk – the risk that one of the parties fails to fulfill its contractual obligations. 2.1.7. risk appetite – the level of risk that an institution is willing to accept, within its risk-taking capacity, in order to achieve its strategic objectives. 2.1.8. risk limit – the maximum level of risk accepted by the institution for each type of activity. 2.1.9. risk matrix – a tool for determining the level of risk based on the relationship between the probability of occurrence and the projected loss. 2.2. The terms ‘resident’ and ‘non-resident’ used in this Regulation have the meanings specified in the Law of the Republic of Azerbaijan ‘on Currency Regulation,’ while other terms have the meanings defined in the Law. 3. Initial capital of the institution 3.1. The minimum amount of the initial capital of the PI (funds allocated to the local branch of the foreign PI) is set as follows depending on the payment service it provides: 3.1.1. AZN500 (five hundred) thousand when the payment services specified in Articles 3.1.1, 3.1.2, 3.1.3 of the Law are provided together or any of them. 3.1.2. AZN100 (one hundred) thousand, when the payment service specified in Article 3.1.4 of the Law is provided. 3.1.3. AZN100 (one hundred) thousand, when the payment service specified in Article 3.1.5 of the Law is provided. 3.1.4. the highest amount set in the relevant items, when all or some of the payment services specified in sub-items 3.1.1, 3.1.2, 3.1.3 of this Regulation are provided. 3.2. The minimum amount of the initial capital of the EMI (funds allocated to the local branch of the foreign EMI) is established in the amount of AZN750 (seven hundred and fifty) thousand.

3.3. No charter capital is required from a PI that exclusively provides the payment service stipulated in Article 3.1.7 of the Law. Such an institution should insure its civil liability in an amount of not less than AZN50,000 (fifty thousand) with an insurer that is not a related party and does not belong to the same financial group, for up to every 100,000 (one hundred thousand) payment service users, or obtain a guarantee in amount of not less than AZN 50,000 (fifty thousand) from a credit institution or an insurer that is not a related party and does not belong to the same financial group. The amount of the civil liability insurance or guarantee is recalculated twice a year, based on the average number of users over each six (six)-month period, based on the number of payment service users as of the last business day of June and December, and is updated within 10 (ten) business days if required. Such institution submits to the Central Bank a report on the calculation of the minimum amount of civil liability insurance or the guarantee obtained, in accordance with Annex No. 1 to this Regulation, no later than within the first 7 (seven) business days of July and January of each year. 4. Own funds of the institution 4.1. The institution should have minimum own funds, except for the cases of exceptionally engaging in payment services outlined in Articles 3.1.6 and 3.1.7 of the Law. The main objective of own funds is to support the business strategy of the institution, ensure its financial stability during unfavorable changes in internal and external environments. 4.2. The minimum amount of own funds of the institution should not fall below the minimum amount of the initial capital determined by this Regulation and the amount calculated in the following manner: 4.2.1. The average monthly payment value (PV) is calculated as equal to 1/12 (one twelfth) of the amount of payment transactions executed by the institution over the last 12 (twelve) months (excluding expenses and intra-institutional payment transactions), and the coefficients specified in the table below are applied to the PV: * (With respect to existing supervised entities, sections 8–14 shall apply upon the expiration of twelve (12) months from the date the Decision enters into force) PV Calculated amount up to AZN10 million 4 percent AZN10 million and over, but up to AZN20 million AZN400 thousand + AZN10 million and over, but 2.5 percent of up to AZN20 million AZN20 million and over, but up to AZN200 million AZN400 thousand + AZN250 thousand + AZN20 million and over, but 1 percent of up to AZN200 million AZN200 million and over, but up to AZN500 million AZN400 thousand + AZN250 thousand + AZN1.8 million + AZN200 million and over, but 0.5 percent of up to AZN500 million AZN500 million and over AZN400 thousand + AZN250 thousand + AZN1.8 million + AZN1.5 million + 0.25 percent of AZN500 million and over 4.2.2. coefficients provided for in sub-item 4.2.3 of this Regulation apply in addition to the total amount calculated in accordance with sub-item 4.2.1 of this Regulation.

4.2.3. when the institution provides the payment services outlined in Articles 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.1.5 of the Law together or any of them (except for Article 3.1.4 of the Law) the coefficient is equal to 1, and the coefficient is equal to 0.5 when exceptionally providing the payment service outlined in Article 3.1.4 of the Law.* 4.3. The minimum amount of own funds of an EMI should equal to the sum of the amount calculated in accordance with Item 4.2 herein and an amount equal to at least 2 (two) percent of the average outstanding balance of the electronic money it has issued, provided that it is not less than the minimum initial capital established by this Regulation.* 4.4. Own funds of the institution are calculated 4 (four) times a year - on the last working day of each quarter. Indicators in foreign currency are reflected in manat equivalent at an official exchange rate of the Central Bank as of the calculation date. 4.5. The structure of institution’s own funds includes the following components: 4.5.1. initial capital paid in cash (in the case of a joint-stock company, issued and fully paid ordinary shares, excluding ordinary shares and participatory interests repurchased by the organization). * 4.5.2. capital surplus – difference between the selling price and the nominal value of stocks (shares). 4.5.3. net retained earnings (losses): * 4.5.3.1. net retained earnings (losses) of previous years. 4.5.3.2. capital reserves, i.e., funds formed from retained earnings of previous years. 4.5.3.3. profit of the current year, if audited by an external auditor. 4.6. As part of the objectives of Article 7.1.2 of the Law, assets that secure guarantees are not included to the calculation of own funds of the institution. 4.7. The below indicators are deducted prior to the calculation of institution’s own funds: 4.7.1. net value of intangible assets (after depreciation) not included to initial capital.* 4.7.2. amount of deferred tax assets specified with the IFRS. 4.7.3. investments in institution’s subsidiaries, as well as in capital of other legal entities. 4.8. The institution submits to the Central Bank a report on own funds components quarterly according to Annexes 2 and 3 to this Regulation no later than the first 10 (ten) working days of the next quarter, and another report on its activity monthly according to Annex 11 of this Regulation on the first 5 days of the next month no later than the first 10 (ten) working days of the next month.* 5. An activity program and a business plan on providing payment services 5.1. The activity program on providing payment services addresses at least the following: 5.1.1. a detailed explanation of the type of payment services and the methods of providing them, an explanatory description of the payment services (diagram and disclosure of transaction flow and movement of funds, parties involved in the transaction chain and their functions, as well as clearly indicating the settlement procedure). 5.1.2. a detailed description of the types of activities to be provided according to Article 5.1 of the Law along with the provision of payment services. 5.1.3. disclosure of the measures to be introduced to ensure the security of payment service users' funds (in case of selecting the method determined under Article 7.1.2 of the Law, the procedure for calculating the insurance and guarantee amount is specified separately). 5.1.4. procedure for opening payment accounts, description of the structure of the unique identifier applied. 5.1.5. if payment services are to be provided through branches, payment agents, and payment terminals, information about them.

5.1.6. when using the services of third-party providers, detailed information about those providers and the services they provide, as well as their duties and responsibilities. 5.1.7. a detailed description of the integration model and the payment service delivery method when cooperation with local and foreign payment service providers is envisaged during the provision of payment services. 5.1.8. Information about the address(es) where the institution will carry out its activities, including photos clearly showing the interior and exterior of the relevant address(es). 5.1.9. Information on the availability of necessary information systems and technological infrastructure for the provision of services by an external auditor in accordance with Item 3.7 of the Requirements, and on the assessment of information security. 5.1.10. Information on the institution’s possession of necessary resources (human resources, software, communication means, etc.) for receiving, recording, investigating, and responding to complaints related to its activities. 5.2. The business plan prepared by the institution for the first 3 (three) years includes at least the following information: 5.2.1. A marketing strategy reflecting the institution’s channels for providing payment services. 5.2.2. Information on the start date of operations for all services planned by the institution. 5.2.3. An analysis document covering the institution’s weaknesses and strengths, as well as opportunities and threats in the payment services market. 5.2.4. Analysis of the target audience for the payment services provided by the institution and its competitive position in the payment services market for the services offered. 5.2.5. Financial forecasts for the first 3 (three) years reflecting that the institution has necessary systems, resources, and procedures to ensure stable operations. 5.2.6. Forecasted income statement, balance sheet, cash flow statement, and, if applicable, statement of changes in capital. 5.2.7. Estimated transaction volume and number, number of payment service users, and applicable service fees. 5.2.8. Audited financial statements for the previous financial year (if the institution existed in the previous financial year). 5.2.9. Information on the institution’s projected own funds. 6. Internal control and risk management systems 6.1. To ensure reliable and safe provision of payment services, the institution should have an appropriate organizational structure, risk management and internal control systems covering all areas of its activity. 6.1-1. In the organizational structure submitted by the institution in accordance with Article 49.2.7 of the Law, there should be separate structural units for internal control, risk management, internal audit, and information security, and the performance of these functions should not be outsourced to third-party providers. The composition of this organizational structure should be established no later than 3 (three) months from the date the license is obtained. 6.1-2. The head of the internal audit service should comply with the requirements of the Law of the Republic of Azerbaijan ‘on Internal Audit,’ while heads of other structural units specified in Item 6.1-1 herein should have a minimum of 1 (one) year of work experience in the relevant field. 6.2. There should be regulatory documents (statutes, rules, procedures, etc.) that define functions, powers, subordination and reporting rules of institution's structural units and are approved by the institution's authorized management body. 6.3. The institution's internal control system should ensure at least the following: 6.3.1. clear segregation of authorities in decision-making within the institution.

6.3.2. complete, accurate and timely preparation and delivery of information required for activities of management bodies. 6.3.3. compliance of the institution’s activities with the legislation, legal acts regulating financial markets and internal regulatory documents. 6.3.4. real-time recording of transactions conducted in branches in the institution's automated operating system. 6.3.5. lack of conflicts of interest between structural units, availability of appropriate procedures for timely identification and prevention of instances and areas where a conflict of interest may occur. 6.3.6. recording of payment transactions in institution's accounting and financial reporting. 6.3.7. reliable, sustainable, and safe management of institution's information systems under internal regulatory documents. 6.3.8. maintenance of information confidentiality and integrity in the institution. 6.3.9. conduction of internal audit and effective risk management. 6.3.10. timely informing governing bodies of the institution about violations and deficiencies identified in institution’s activities and internal control system as a result of external or internal audits, as well as violations and deficiencies identified by the Central Bank as part of supervisory measures and monitoring of the measures implemented to eliminate such violations and deficiencies. 6.3.11. timely, complete, and correct preparation and presentation of information and reports under the requirements of the legislation and legal acts regulating financial markets. 6.3.12. considering the requirements of Article 11 of the Law, availability of internal regulatory documents on handling appeals of payment service users. 6.3.13. when the institution uses services of third-party providers, their compliance with relevant requirements set by the Law and this Regulation, as well as taking security measures for the storage and transmission of information. 6.3.14. except for the provision of payment services specified in Articles 3.1.6 and/or 3.1.7 of the Law exceptionally, availability of internal AML/CFT internal control program according to the Law of the Republic of Azerbaijan ‘on Prevention of the legalization of criminally obtained property and the financing of terrorism’ (the AML/CFT Law). 6.3.15. availability of internal rules and procedures related to the implementation of control over compliance with the legislation in the field of payment services by involved payment agents, as well as the requirements of the AML/CFT Law. 6.3-1. Persons performing the internal control function may not simultaneously perform other executive (operational) duties within the institution. 6.3-2. The organization should take continuous measures to enhance the knowledge and skills of employees of structural units performing the internal control function. 6.4. The institution should comply with the following internal audit requirements: 6.4.1. the authorized management body of the institution should approve annual internal audit plans developed by the head of the internal audit service, create necessary conditions for audit activities and take appropriate measures to eliminate violations and deficiencies detected by the internal audit service. 6.4.2. the institution’s internal audit service should be separate from day-to-day operational and control functions. 6.4.3. The internal audit service of the institution should, at least once a year, submit a report to authorized governing bodies of the institution, which includes at least the following:

6.4.3.1. the status of implementation of the annual audit plan of the internal audit service (including activities carried out by the internal audit service that were not specified in the annual audit plan, as well as planned but not implemented activities and the reasons for their non-implementation). 6.4.3.2. violations and deficiencies identified during the audit review. 6.4.3.3. recommendations issued and their implementation status, as well as the reasons for non￾implementation of the recommendations. 6.4.3.4. the results of the assessment of the adequacy and effectiveness of the internal control system and the risk management system. 6.4.4. The internal audit service of the institution should be subordinate and accountable to the general meeting or the supervisory (board of directors) board (while the internal audit service of a local branch of a foreign PI or EMI should be subordinate and accountable to the executive body). 6.5. All areas of institution's activities (including activities performed through outsourcing) are included in the scope of the internal audit function. 6.6. During the organization and implementation of internal audit in the institution, the requirements of the Law of the Republic of Azerbaijan ‘on Internal Audit’ should be adhered. 6.7. The institution should have an effective risk management system adequate to the type, amount, nature of payment services, and the risks it faces. 6.8. The risk management system should include at least the following rules and procedures: 6.8.1. the procedure for risk management, including the identification, assessment, management, monitoring and control of all existing and potential risks of the institution, including liquidity, operational, compliance, credit, counterparty, and other risks. 6.8.2. the procedure for managing the risks that may arise where payment services are provided through payment agents. 6.8.3. the procedure for monitoring and managing the risks that may arise in connection with the use of the services of third-party providers. 6.8.4. the allocation of risk-related responsibilities among the structural units of the institution, the interaction in risk management, the description of information exchange, and the procedure for informing the executive body of identified risks. 6.8.5. risk management reporting system. 6.8.6. risk appetite, risk limits and risk matrix. 6.9. Internal risk management rules and procedures are reviewed at least once a year and appropriate changes are made and duly formalized if necessary. 6.10. The internal rules and procedures for risk management are reviewed and, where necessary, amended and duly formalized when the institution introduces new payment services or new products, makes material changes to existing payment services, as well as to information systems and technologies, commences the provision of payment services through payment agents or branches, and when operational or security incidents occur that affect the secure provision of payment services 6.11. When introducing new payment services and/or launching new products, the institution should assess and duly document its possession of necessary financial and human resources, as well as infrastructure (technological equipment, information systems, etc.). 6.12. Where the institution uses services of third-party service providers, it should ensure that such providers are financially sound and reliable, possess the competence, resources, and experience necessary to provide relevant services, and that such services are not provided by another person on the basis of a subcontracting arrangement.

7. Security measures for the provision of payment services 7.1. The institution should have a security policy against fraud, which should include at least: 7.1.1. measures and tools used for the detection and prevention of fraud. 7.1.2. information on the responsible employees or structural unit in charge of handling fraud￾related complaints. 7.1.3. a procedure for notifying relevant structural units in the event of a fraud. 7.1.4. contact channels (an email address, contact telephone number, etc.) enabling payment service users to submit relevant requests 24/7/365. 7.1.5. a system for monitoring suspicious transactions. 7.2. The handling and protection of personal data by the institution shall additionally be carried out in compliance with the requirements of the Law of the Republic of Azerbaijan ‘on Personal Data.’ 7.3. To conduct transactions of payment service users, an EMI should hold accounts with a bank operating in the Republic of Azerbaijan or with a local branch of a foreign bank, as specified in sub-item 2.6.8 and 2.6.9 of the ‘Regulations on opening, maintaining, and closing bank accounts’, approved by Decision No. 04/2 of the Management Board of the Central Bank dated 4 February 2022, while a PI should hold the accounts specified in sub-item 2.6.9 of those Regulations. The institution submits to the Central Bank, on a monthly basis and no later than the first seven (7) business days of the following month, information on the bank accounts in which the funds of payment service users are held, as well as on other payment accounts and the movement of funds in such accounts, in accordance with Annexes Nos. 4, 4-1, 4-2 and 4-3 herein. 7.4. To ensure the security of payment service users’ funds, an EMI and a PI should maintain records of the funds held in bank accounts in a manner that allows the identification of the users to whom such funds belong. The automated information system used for recording transactions should contain, at a minimum, the transaction type, the unique transaction identification number, transaction amount and currency, the transaction date and time, and information identifying the payment service user. 7.5. The institution should, on each business day, reconcile its accounting records with the bank statement of its bank account for the previous operational day, record all discrepancies identified as a result of such reconciliation, including discrepancies arising between the institution’s internal records due to the absence of the possibility to transmit data to the bank’s operational system and/or credit funds to bank accounts outside business hours, investigate causes of such discrepancies, and take necessary measures to eliminate them. 7.6. Where fees or other payments for payment services and related services are received in the bank accounts referred to in Item 7.3 herein, in addition to payment service users’ funds, the institution should transfer such funds to its payment account where its own funds are held no later than five (5) business days. 7.7. In the cases referred to in Article 7.1.1 of the Law, an EMI may invest funds received for the execution of payment transactions in the currency of such funds in the following low-risk liquid assets: 7.7.1. Government securities. 7.7.2. Securities issued by governments or central banks of countries with a minimum sovereign credit rating of ‘AA’ (or an equivalent rating). 7.7.3. Securities issued by multilateral development banks with a credit rating of ‘AAA’ (or an equivalent rating) assigned by international rating agencies. 7.8. Within seven (7) business days after commencing operations, the EMI submits to the Central Bank copies of documents confirming the methods used to ensure the security of payment service users’ funds. 7.9. The institution should notify the Central Bank and submit copies of supporting documents within seven (7) business days after changing the bank in which payment service users’ funds are held,

implementing other methods used to ensure the security of such funds, or opening a new account for conducting payment service users’ transactions. 8. Business continuity and recovery plan in emergencies 8.1. The institution’s business continuity and recovery plan in emergencies should include at least: 8.1.1. classification of emergencies by the criticality level. 8.1.2. a list and authorities of persons responsible for recovery of activities in emergencies. 8.1.3. a list of critical information systems and technologies used in facilitating information sharing during emergency situations, along with logical and physical topological diagrams illustrating connections between them. 8.1.4. classification of business processes determined by their level of criticality within the framework of business impact analysis. 8.1.5. an acceptable time indicator of irrecoverable data loss in the information system as a result of an emergency. 8.1.6. the time required to restore the information system supporting the business process following an emergency. 8.1.7. measures to prevent risks that may arise during emergency stoppages under possible scenarios. 8.1.8. communication measures in emergencies. 8.1.9. measures to ensure business continuity in case of using services of third-party service providers for the maintenance of information systems and/or resources. 8.2. To ensure business continuity in emergencies, the institution should ensure reliable, safe and continuous operation of its information system and/or resources from the backup center. The backup center should be outside the location of the institution 8.3. The business continuity and recovery plan should be tested at least 2 (two) times a year under different scenarios and results documented. If the test result is unsuccessful, the institution should conduct the test again through the backup center within the next 2 (two) months. 8.4. In accordance with Item 8.3 of this Regulation, the institution should inform the Central Bank about it 5 (five) working days prior to the test, and submit the report specified in Annex 5 to this Regulation within 7 (seven) working days after the end of the test. 8.5. To ensure business continuity in emergencies, the institution should appoint and instruct employees (main and substitute persons) responsible for responding to requests and maintaining information sharing and send written information on these employees to the Central Bank no later than February 25 of each year (first, last, middle names, position and contact information). When responsible employees change, written information on newly appointed persons is submitted to the Central Bank within 5 (five) working days. 9. Pre-financing for payment operations 9.1. For the execution of payment operations (credit transfer, direct debit, payment card, or similar payment instruments), the payment service provider may grant a loan to each payment service user of up to AZN50. Such a loan is granted in accordance with the requirements of the Civil Code of the Republic of Azerbaijan, subject to the following requirements: 9.1.1. a loan is granted only in the national currency for up to two (2) months. 9.1.2. the outstanding principal amount of a loan for a single payment service user may not exceed AZN50 (fifty).

9.1.3. the granting of a loan is suspended if institution’s own funds fall below the requirements set out in this Regulation. 9.1.4. total amount of granted loans (loans that have not yet matured and those classified as loss assets) may not exceed 10% of institution’s own funds. 9.1.5. A loan is classified as a loss asset if it is not repaid within two (2) months from the date of granting. The institution suspends the granting of further loans if total amount of such loans, including loss assets written off in the last twelve (12) months, exceeds 1% of institution’s own funds. 9.2. Loans granted to payment service users within the requirements defined in Item 9.1 of this Regulation are financed only from institution's own funds. The institution may noy issue loans from the funds received from payment service users. 9.3. The institution submits a report on granted loans to the Central Bank monthly no later than first 10 (ten) business days of the following month under Annex 6 of this Regulation. 10. Currency exchange and currency operations 10.1. The institution (except for PIs exceptionally engaged in payment services specified in Articles 3.1.6 and/or 3.1.7 of this Law) may carry out currency exchange activities for the execution of payment orders. In this case, the currency exchange transaction should be conducted simultaneously with the execution of the payment order and should not exceed the payment order amount. 10.2. Currency exchange operations may not be performed by the institution for domestic payment transactions of payment service users. 10.3. Requirements of the Law of the Republic of Azerbaijan ‘on Currency Regulation’ and normative acts adopted in accordance with it should be adhered when conducting currency exchange and currency transactions. 10.4. The institution submits a report on currency exchange transactions to the Central Bank monthly no later than the first 7 (seven) working days of the following month in accordance with Annex 7 of this Regulation. 11. Notification of operational or security incidents 11.1. The institution should notify the Central Bank of any ‘information security incident’ as provided for in sub-item 2.1.20 of the Requirements. 12. Reporting The reports specified by this Regulation are approved by the enhanced electronic signature of the head of the executive body of the institution or the official person(s) authorized by him/her and are submitted through the electronic information system of the Central Bank.

Annex 1 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’ Report on calculation of insurance and guarantee amounts 1 Number of payment service users as of the last business day of the reporting period 2 Amount of the civil liability insurance / guarantee (thousand manats) 3 Date of calculation of the insurance/guarantee amount 4 Validity of insurance / guarantee from to Annex 2 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’ Report on own funds of the electronic money institution Name of the electronic money institution: Reporting period: (thousand manats)

1. Services provided by the electronic money institution 1 Payment volume (PV) 1.1. Incoming electronic money transactions (excluding intra￾institution transfers) 1.1 in national currency 1.1a in foreign currency (in manat equivalent) 1.1b 1.2.Outgoing electronic money transactions (excluding intra￾institution transfers) 1.2 in national currency 1.2a in foreign currency (in manat equivalent) 1.2b 1.3. Transactions relating to the provision of other payment services not connected with the issuance of electronic money or the execution of electronic money payment transactions 1.3 in national currency 1.3a in foreign currency (in manat equivalent) 1.3b
2. Own funds calculation (electronic money issuance and electronic money transactions only) 2 2.1. Initial capital 2.1 2.2. End-of-period residual electronic money balance (quarterly, last business day) 2.2

2.3. Average balance of electronic money 2.3 January 2.3a February 2.3b March 2.3c April 2.3ç May 2.3d June 2.3e July 2.3ə August 2.3f September 2.3g October 2.3h November 2.3x December 2.3i 2.4. Own funds based on the average electronic money balance (2% of row 2.3) 2.4 3. Calculation of own funds where payment services include electronic money issuance and electronic money transactions and other payment services 3 3.1. Total value of payment transactions executed in the past 12 months (rows 1.1 + 1.3) 3.1 3.2. Average monthly payment volume over the past 12 months (row 3.1 ÷ 12) 3.2 3.3. Amount calculated as per sub-item 4.2.1 of the Regulation 3.3 up to AZN10 million (4%) 3.3a AZN10 million and over, but up to AZN20 million (2.5%) 3.3b AZN20 million and over, but up to AZN200 million (1%) 3.3c AZN200 million and over, but up to AZN500 million (0.5%) 3.3ç AZN500 million and over (0.25%) 3.3d 3.4. Amount calculated in accordance with sub-item 4.2.3 (row 3.3 × 1) 3.4 3.5. Own funds required (row 2.4 + row 3.4) 3.5 4. Components of own funds of the EMI 4 4.1. Cash-paid initial capital (fully paid ordinary shares issued, less shares repurchased by the institution) 4.1 4.2. Share premium (difference between the issue price and nominal value of shares) (capital surplus) 4.2 4.3. Retained net earnings (losses): 4.3 4.3.1. net retained earnings (losses) of previous years 4.3.1 4.3.2. capital reserves 4.3.2

4.3.3. current year profit (loss), subject to external audit 4.3.3 4.4. Total of components (row 4.1 + row 4.2) 4.4 5. Deductions from own funds 5 5.1. Net value of intangible assets not included in initial capital (after depreciation) 5.1 5.2. Deferred tax assets 5.2 5.3. Investments by the EMI in subsidiaries and other legal entities 5.3 5.4. Total deductions (Row 5.1 + row 5.2 + row 5.3) 5.4

6. Own funds 6 6.1. Own funds based on balance sheet (row 4.4 – row 5.4) 6.1 Annex 3 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’ Payment institution name: Reporting period: Report on payment institution’s own funds (in thousand manats)
7. Payment services provided by the PI 1 Payment volume (PV) 1.1. Other payment services transactions (not relating to electronic money issuance and electronic money payment execution) 1.1 in national currency 1.1a in foreign currency 1.1b
8. Calculation of own funds 2 2.1. Total value of payment transactions executed over the past 12 months (row 1.1) 2.1 2.2. Average monthly payment value over the past 12 months (row 2.1 ÷ 12) 2.2 2.3. Amount per sub-item 4.2.1 of this Regulation 2.3 up to AZN10 million (4%) 2.3a AZN10 million and over, but up to AZN20 million (2.5%) 2.3b AZN20 million and over, but up to AZN200 million (1%) 2.3c AZN200 million and over, but up to AZN500 million (0.5%) 2.3ç AZN500 million and over (0.25%) 2.3d

2.4. Amount per sub-item 4.2.3 of this Regulation (row 2.3 × 1) 2.4 3. Components of PI’s own funds 3 3.1. Cash-paid initial capital (fully paid ordinary shares issued less shares repurchased by the institution) 3.1 3.2. Share premium (difference between issue price and nominal value of shares)/capital surplus 3.2 3.3. Net retained earnings (losses): 3.3 3.3.1. net retained earnings (losses) of previous years 3.3.1 3.3.2. current year profit (loss), subject to external audit 3.3.2 3.3.3. capital reserves 3.3.3 3.4. Total of components (row 3.1 + row 3.2 + row 3.3) 3.4 4. Deductions from own fund 4 4.1. Net value of intangible assets not included in initial capital (after depreciation) 4.1 4.2. Deferred tax assets 4.2 4.3. Investments by the PI in subsidiaries and other legal entities 4.3 4.4. Total deductions (row 4.1 + row 4.2 + row 4.3) 4.4 5. Own funds 5 5.1. Own funds based on balance sheet (row 3.4 – row 4.4) 5.1 Information on the institution’s domestic bank accounts No Bank name Account No Account type Account currency Balance as of the reporting date (in thousand manats) Annex 4 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’

Annex 4-1 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’ Institution name Reporting period Report on accounts held outside the Republic of Azerbaijan and transactions conducted through those accounts 1 Account country 2 Account-holding payment service provider 3 Account number (in IBAN format) 4 Account’s 4.1 purpose 4.2 opening date (dd.mm.yy) 4.3 type 4.4 currency 5 Account balance on the last calendar day of the month (in thousand manats) 5.1 (in foreign currency) 5.2 (in manat equivalent) 6 Account turnover for the reporting month (in thousand manats) 6.1 (in foreign currency) 6.2 (in manat equivalent) 7 Total value of incoming transactions (in thousand manats) 7.1 (in foreign currency) 7.2 (in manat equivalent) 8 Total value of outgoing transactions (in thousand manats) 8.1 (in foreign currency) 8.2 (in manat equivalent)

Annex 4-2 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’ Institution name Reporting period Report on funds received from abroad into the institution’s bank accounts for safeguarding payment service users’ funds 1 Sender of funds 1.1 Country 1.2 Account-servicing foreign financial institution 2 Incoming transaction number, thousand transactions value, thousand manats 2.1 Credit transactions to individuals number, thousand transactions value, thousand manats 2.1.1 out of which, resident number, thousand transactions value, thousand manats 2.1.2 out of which, non-resident number, thousand transactions value, thousand manats 2.2 Credit transactions to taxpayers number, thousand transactions value, thousand manats 2.2.1 out of which by private entrepreneurs number, thousand transactions value, thousand manats 2.2.1.1 resident number, thousand transactions value, thousand manats 2.2.1.2 non-resident number, thousand transactions value, thousand manats 2.2.2 out of which by legal entities number, thousand transactions value, thousand manats 2.2.2.1 out of which resident number, thousand transactions value, thousand manats 2.2.2.2 out of which non-resident number, thousand transactions value, thousand manats

Annex 4-3 to the ‘Regulation on the organization and implementation of activities by payment and electronic money institutions’ Institution name Reporting period Report on foreign currency funds transferred abroad from the accounts opened with the bank, in order to ensure the security of payment service users’ funds of the institution 1 Name of the country 1.1 funds were transferred to 1.2 Name of the financial institution 2 Transfer transactions number, thousand transactions value, thousand manats 2.1 By individuals number, thousand transactions value, thousand manats 2.1.1 resident number, thousand transactions value, thousand manats 2.1.2 non-resident number, thousand transactions value, thousand manats 2.2 By taxpayers number, thousand transactions value, thousand manats 2.2.1 by private entrepreneurs number, thousand transactions value, thousand manats 2.2.1.1 resident number, thousand transactions value, thousand manats 2.2.1.2 non-resident number, thousand transactions value, thousand manats 2.2.2 by legal entities number, thousand transactions value, thousand manats 2.2.2.1 resident number, thousand transactions value, thousand manats 2.2.2.2 non-resident number, thousand transactions value, thousand manats

‘Annex 5 to the Regulation on the organization and implementation of activities by payment institutions and electronic money institutions Report on the organization of activities of payment and electronic money institutions from a back-up center General information Institution name Back-up center switching scenario Date and hour of switching Switching period Covered areas (services) Areas (services) not covered Result of switching Persons responsible for switching to the back-up center First, last, middle names Structural unit Position Signature Annex 6 to the Regulation on the organization and implementation of activities by payment institutions and electronic money institutions Institution name Reporting period Report on loans granted Loans Number of loans Amount of loans (in thousand manats) Weight (%)

1. Loans issued 1.1. Unmatured 1.2. Loss
2. Loans repaid
3. Loss assets written off

3.1. loss assets written off in the last 12 (twelve) months 4. Own funds 5. Share of the total amount of loans granted in own funds (%) 6. Share of loans recognized as loss and loss loans written off over the last 12 (twelve) months (the total of items 1.2 and 3.1 of this table) in own funds (%) Annex 7 to the Regulation on the organization and implementation of activities by payment institutions and electronic money institutions Institution name: Reporting period: Report on currency exchange operations No Indicator Amount (in thousand manats) Number 1 Currency exchange operations within a month 2 Average monthly amount of currency exchange transactions per operating day 3 Types of currencies involved in currency exchange transactions conducted during the month: USD EUR RUB Other Annex 8 to the Regulation on the organization and implementation of activities by payment and electronic money institutions Incident risk level Criterion Low risk High risk

Effect on payment operations If it affects more than 10% of the average number of transactions conducted during a day (based on the average daily indicator of the previous month) or if total amount of these transactions exceeds 100 (one hundred) thousand manats If it affects more than 25% of the average number of transactions conducted during a day (based on the average daily indicator of the previous month) or if total amount of these transactions exceeds 1 (one) million manats Effect on payment service users If it affects more than 10% of payment service users, or more than 5 (five) thousand payment service users If it affects more than 25% or more than 50 (fifty) thousand payment service users Effect on service accessibility If the payment service is unavailable within 1 (one) - 2 (two) hours If the payment service is unavailable for more than 2 (two) hours Economic impact (financial losses) If the institution suffers a loss of more than 1 (one) million manats or 1% of its own funds Effect on other payment service providers or related payment service infrastructure If it affects other payment service providers or related payment service infrastructure Reputation impact If it affects the reputation of the institution Annex 9 to the Regulation on the organization and implementation of activities by payment institutions and electronic money institutions Preliminary report on operating or security incident Reporting date (day/month/year, hour/minute) Incident number Incident time (day/month/year, hour/minute) (if known) Incident detection time (day/month/year, hour/minute) General information Institution name

Information on the person responsible for the incident (first, last, middle names, position, including contact information (e-mail address, GSM number)) Type of incident □ Operating □ Security Incident impact criterion □ Effect on payment service users □ Effect on service accessibility □ Economic effect (financial losses) □ Reputation impact □ Effect on payment operations □ Effect on other payment service providers or related payment service infrastructure Brief and general explanation of the incident Has relevant information been delivered/ Will relevant information be delivered to related public authorities? (If the answer is ‘yes’, please specify the public authority) Annex 10 to the Regulation on the organization and implementation of activities by payment institutions and electronic money institutions Final report on operational or security incident Reporting date (day/month/year, hour/minute) Incident number (refer to the preliminary report)

1. General information Updated information (in addition to the preliminary report) Information about the incident Changes made to the preliminary report Other important information

Additional information about the incident When the incident started (day/month/year, hour/minute) How did the incident start? How did the incident proceed? Are payment service users informed about the incident? (If the answer is ‘yes’, please specify) Is it related to previous incidents? (If the answer is ‘yes’, please specify) Were other institutions/third parties exposed to this incident? (If the answer is ‘yes’, please specify) When was the incident resolved (day/month/year, hour/minute) 2. Incident classification Effect on payment operations Number of transactions affected Weight of transactions affected (compared to the average daily indicator of the previous month) Size of transactions affected (in thousand manats) Incident period Notes Effect on payment service users Number of users affected Users affected (in percentage) Economic impact (financial losses) Amount of loss (in thousand manats) Effect on other institutions or related payment service infrastructure (Yes/No) (if the answer is ‘Yes’, please describe the effect)

Reputation impact (Yes/No) (if the answer is ‘Yes’, please describe the effect) 3. Description of the incident Type of incident □ Operational □ Security Reason of the incident (if the answer is ‘other’, please specify) □ Under investigation □ Harmful activity □ Processing error □ System error □ Human factor □ External factor □ Other 4. Effect of the incident Overall effect □ Integrity □ Confidentiality □ Accessibility Service channels affected □ Branches □ E-commerce □ Mobile application □ Website □ ATMs □ Agent network □ Other Payment service affected □ Cash inflow and/or outflow on the payment account □ Execution of payment operations with credit transfer, direct debiting, payment cards or other similar payment instruments □ Issuance of payment instruments and/or acquiring of payment operations □ Money remittance □ E-money issuance and execution of e￾money payment operations □ Intermediary payment services □ Account information service

5. The reason and analysis of the incident The reason of incident (several reasons can be specified) Harmful activity □ Harmful virus □ Intrusion □ System overloading □ External damage □ Fraud □ Other Processing error □ Monitoring and control error □ Communication error □ Recovery problems □ Other System error □ Technical error □ Network error □ Database error □ Software error □ Physical damage □ Other Human factor □ Unexpected error □ Inaction □ Resource shortfall □ Other External factor □ Technical service provider □ Force-majeure case □ Other Other Additional information related to the reason of the incident Actions taken (to be taken) to prevent reiteration of the incident
6. Additional information Are other institutions informed on the incident? (If yes, please specify) Are legal actions taken against the institution regarding the incident? (If yes, please specify)

Annex 11 to the Regulation on the organization and implementation of activities by payment institutions and electronic money institutions Institution name Reporting period Report on institution’s main financial indicators Information on institution’s main financial indicators (in thousand manats) 1 Cash funds cash held in cash desks cash held in payment terminals cash in transit 2 Institution’s funds held in payment accounts opened with the institution’s payment service providers 3 Funds held in payment accounts where users’ funds related to payment services are kept balances in electronic money accounts balances related to other payment services 4 Outstanding loans granted to users (not yet matured) 5 Accounts receivable (excluding loans granted to users) from payment agents from other payment service providers other receivables 6 Recoverable taxes 7 Other short-term assets 8 Short-term assets (total of rows 1–7) 9 Fixed assets (less amortization) 10 Intangible assets (net of amortization) including those included in initial capital including those not included in initial capital 11 Deferred tax assets (over 1 year) 12 Other long-term assets 13 Long-term assets (total of rows 9-12) 14 Total assets (row 8 + row 13) 15 Funds borrowed from credit institutions (up to one year) 16 Funds borrowed from other persons (up to one year) 17 Amounts payable to payment agents 18 Amounts due to payment service users electronic money holders other payment service users 19 Accounts payable

20 Tax liabilities 21 Other short-term liabilities 22 Short-term liabilities (total of rows 15-21) 23 Funds borrowed from credit institutions (over one year) 24 Funds borrowed from other persons (over one year) 25 Deferred tax liabilities (over one year) 26 Other long-term liabilities 27 Long-term liabilities (total of rows 24-26) 28 Total liabilities (row 22 + row 27) 29 Initial capital 30 Retained net earnings (losses) retained net earnings (losses) of previous years current year profit (loss) capital reserves 31 General reserves 32 Total equity (total of rows 29-31) 33 Total liabilities and equity (row 28 + row 32) 34. Total income 34.1. income related to payment services 34.2. interest income from loans 34.3. income from currency exchange transactions 34.4. other income 35. Total expenses 35.1 expenses related to payment services 35.2 payroll expenses 35.3 depreciation expense 35.4 interest expense 35.5 expenses arising from currency exchange transactions 35.6 tax expenses 35.7 deferred tax expense 35.8 other expenses 36. Net gains (losses) (difference between rows 34 and 35)