Norm Reforming Article 10 of the General Standard on Imposition of Fines

Page 1 of 10 RESOLUTION NO. CD-SIBOIF-1269-1-SEP10-2021 Dated September 10, 2021 NORM REFORMING ARTICLE 10 OF THE GENERAL STANDARD ON IMPOSITION OF FINES

The Board of Directors of the Superintendence of Banks and Other Financial Institutions,

CONSIDERING

I That through Resolution No. CD-SIBOIF-410-1-MAR14-2006, dated March 14, 2006, the "General Standard on Imposition of Fines" was approved, published in La Gaceta, Official Gazette No. 80 of April 25, 2006.

II That Article 164, second paragraph, of Law No. 561, "General Law of Banks, Non-Bank Financial Institutions and Financial Groups," published in La Gaceta, Official Gazette No. 232, of November 30, 2005, amended by Law No. 1078, "Law Reforming Law No. 561, 'General Law of Banks, Non-Bank Financial Institutions and Financial Groups,'" published in La Gaceta, Official Gazette No. 160, of August 26, 2021; establishes that: "The Board of Directors of the Superintendence shall issue the general standards that financial institutions regulated by this Law, which are Obligated Subjects in accordance with the legislation regulating the matter against Money Laundering/Counter-Terrorism Financing/Counter-Proliferation Financing (ML/TF/CPF); as well as the necessary standards that establish infractions and administrative sanctions, when, in increase of their legal, operational, or reputational risks, they incur deficiencies or non-compliance with legal, regulatory, or normative provisions issued by the competent authority, as well as resolutions, guidelines, or instructions from the Superintendent to prevent ML/TF/CPF, which will be sanctioned for each infraction according to their gravity...", within the ranges provided in the aforementioned article.

III That it is appropriate to modify Article 10 of the aforementioned "General Standard on Imposition of Fines," in order to update the ranges and classify infractions according to their gravity, as established in Article 164 of Law No. 561.

IV That in accordance with the considerations stated above and based on the faculty established in Articles 3, items 2), 12), and 13), and 10, items 1), 2), and 5) of Law No. 316, "Law of the Superintendence of Banks and Other Financial Institutions" and its reforms.

HAS ISSUED

Page 2 of 10 The following, CD-SIBOIF-1269-1-SEP10-2021 NORM REFORMING ARTICLE 10 OF THE GENERAL STANDARD ON IMPOSITION OF FINES

FIRST: Article 10 of the "General Standard on Imposition of Fines," contained in Resolution No. CD-SIBOIF-410-1-MAR14-2006, of March 14, 2006, published in La Gaceta, Official Gazette No. 80, of April 25, 2006, and its reforms, is hereby amended, which shall read as follows:

"Art. 10.- Imposition of fines for infractions to the provisions and/or guidelines for the Prevention of Money or Asset Laundering, Terrorism Financing, and Financing of the Proliferation of Weapons of Mass Destruction.- As indicated in Article 164 of the General Banks Law, regarding the prevention of money or asset laundering, terrorism financing, and financing of the proliferation of weapons of mass destruction, supervised financial institutions shall be sanctioned by the Superintendent in accordance with the following:

a. Range:

1. Banks: i. Minor infractions: 20,000 up to 50,000 fine units or 0.015% of equity; in the latter case, the higher amount. ii. Serious infractions: 50,001 up to 250,000 fine units or 0.065% of equity; in the latter case, the higher amount. iii. Very serious infractions: 250,001 up to 500,000 fine units or 0.150% of equity; in the latter case, the higher amount.
2. Financial Societies: i. Minor infractions: fines of 3,000 up to 8,000 fine units or 0.015% of equity; in the latter case, the higher amount. ii. Serious infractions: fines of 8,001 up to 15,000 fine units or 0.065% of equity; in the latter case, the higher amount. iii. Very serious infractions: fines of 15,001 up to 30,000 fine units or 0.150% of equity; in the latter case, the higher amount.

Page 3 of 10 3. Special Regime Financial Companies: i. Minor infractions: fines of 2,000 up to 6,000 fine units or 0.015% of equity; in the latter case, the higher amount. ii. Serious infractions: fines of 6,001 up to 10,000 fine units or 0.065% of equity; in the latter case, the higher amount. iii. Very serious infractions: fines of 10,001 up to 25,000 fine units or 0.150% of equity; in the latter case, the higher amount. 4. Representation Offices of Foreign Banks and Financial Institutions: i. Minor infractions: fines of 5,000 up to 20,000 fine units or 0.015% of the credit portfolio amount; in the latter case, the higher amount. ii. Serious infractions: fines of 20,001 up to 40,000 fine units or 0.065% of the credit portfolio; in the latter case, the higher amount. iii. Very serious infractions: fines of 40,001 up to 60,000 fine units or 0.150% of the credit portfolio; in the latter case, the higher amount. The percentage shall be calculated on the equity registered in the financial statements corresponding to the month of December of the year prior to the application of the fine, reported by the infringing financial institution to the Superintendence and published by it on its website. For the case of representation offices of foreign banks and financial institutions, the percentage shall be applied to the average balance of the portfolio reported in the twelve months preceding the month of the application of the fine. Financial institutions that have been in operation for less than twelve months shall be imposed the sanctions corresponding to the minimum and maximum amounts of fine units, referred to above, according to the gravity of the infractions.

b. Infractions according to gravity.

1. Minor infractions: i. When the institution, despite having an Annual Operational Plan for the Prevention of Money Laundering, Terrorism Financing, and Financing of the Proliferation of Weapons of Mass Destruction (ML/TF/CPF) authorized by its Board of Directors; this plan is deficient in its programming and/or execution. ii. When the ML/TF/CPF training program is deficient, inadequate, or incongruent in relation to the complexity, size, or risk profile of the institution; or said program is executed deficiently. iii. When the Code of Conduct exists, but it is inadequate or insufficient regarding the policies adopted by the Board of Directors of the institution for the ML/TF/CPF Program. iv. When the institution notifies changes in its ML/TF/CPF Administrator or substitute late, or notifies them failing to meet the information requirements that must be submitted. v. Sending outside the established deadline or incomplete or inaccurate information that institutions must submit to the Superintendence, occasionally or periodically, in accordance with the law, standards, or instructions of the Superintendent. vi. Sending outside the established deadline the monthly Cash Transaction Reports (CTR) that must be submitted in accordance with the laws and regulations of the matter issued by the competent authority.

Page 4 of 10 2. Serious infractions: i. Sending outside the established deadline or incomplete or inaccurate statistical information that institutions must submit to the Superintendence, occasionally or periodically, in accordance with the law, standards, or instructions of the Superintendent. ii. When the institution does not have or does not evidence having an Annual Operational Plan for ML/TF/CPF authorized by its Board of Directors; which must comply and adhere, insofar as applicable, to the legal framework. iii. When it does not have or does not evidence having an annual and institutional training program on ML/TF/CPF with its budget allocation for its execution, authorized by its Board of Directors. iv. When it does not have a Code of Conduct that meets the policies adopted by the Board of Directors of the institution for the ML/TF/CPF Program. v. When the institution has not updated its individual ML/TF/CPF risk assessment in accordance with applicable legal and normative provisions; or has not established in its policies the methodology or frequency to prepare or update the aforementioned assessment, increasing the institution's risk profile. vi. When the ML/TF/CPF Program presents deficiencies, both in its content and in its execution, the respective sanction shall be applied as these deficiencies are determined, among which are mentioned: A. When it does not adjust to the nature or complexity of its products or services or to the size of its activity or to the provisions in accordance with the laws or regulations of the matter. B. When it has not carried out the differentiation of the intensity of policies, procedures, internal controls, tasks, and measures according to the ML/TF/CPF risk levels classified as high, medium, or low of all areas of its businesses and activities, to its clients, and to the size of the institution. C. When its implementation or execution is deficient, increasing the institution's risk profile. D. When it has not carried out or updated in its ML/TF/CPF Manual the policies, procedures, internal controls, weights, criteria, and variables for the determination of ML/TF/CPF risk levels and in its classification matrix of each of these risks or the results of their application are not documented. E. When the ML/TF/CPF Manual is not updated in accordance with the standard and law of the matter, approved by the Board of Directors of the institution. F. When the ML/TF/CPF Manual exists, but it is inadequate or incongruent regarding the complexity of its financial products and services, service and business technology, or the risk profile of the institution or the market in which it operates. G. When the ML/TF/CPF Manual exists, but it does not contain specific policies and procedures for: G1. The administration, backing, safeguarding, custody, conservation, maintenance, and access controls of records, files, archives, and other data, whether physical or electronic, that in accordance with the law and regulations for the prevention of ML/TF/CPF are subject to conservation for the legal term, or that, if these procedures exist, they are inadequate or deficient, or are being applied deficiently. G2. The prevention and monitoring of ML/TF/CPF risks through transactions via electronic funds transfers or through the purchase or sale of foreign currency or instruments of consignment or remittances or deposits or withdrawals of funds or credit operations or other transactions or products and services for which the institution is authorized by law, or that, if these procedures exist, they are inadequate or deficient, or are being applied deficiently.

Page 5 of 10 G3. The early detection, investigation, analysis, scrutiny, escalation, documentation, and decision to report or not report suspicious activities of ML or TF or CPF to the competent authority or that, if these procedures exist, they are inadequate or are being applied deficiently or the tools used for the monitoring of accounts or products or services or transactions are not in accordance with the complexity and volume of operations of the entity or are ineffective for the early detection of suspicious activities. G4. Reevaluate existing ML/TF/CPF risks in the redesign, modification, or innovations of operations, products, services, channels, or payment methods or existing business lines, through the use and application of new technologies or the appropriate measures to manage and mitigate identified risks or does not include them in its ML/TF/CPF Manual. G5. The classification of the ML/TF/CPF risk level in new or sophisticated financial products or services that facilitate anonymity or those used for their monitoring and early detection of unusual or suspicious ML/TF/CPF operations or the systems or tools for their monitoring are not in correspondence with the technology that the institution is using in the provision of the same. G6. When the due diligence measures included therein do not adjust to the risks identified in the national ML/TF/CPF risk assessment or the sectoral assessment or its own institutional assessment of these risks. H. When the physical or electronic documentation in the files is not in accordance with the ML/TF/CPF risk level regarding the identification, verification measures, and knowledge of the client or its ultimate beneficiary or regarding the ordering parties or the beneficiaries of funds transfers or remittances is incomplete or inappropriate in accordance with the minimum requirements of the law or regulations of the matter or regarding the "Know Your Customer" policies of the institution itself, which denote an inadequate or deficient application of Due Diligence. I. Sending incomplete or inaccurate the monthly CTRs that must be submitted in accordance with the laws and regulations of the matter issued by the competent authority. J. When the Superintendent determines that the ML/TF/CPF Administrator does not meet one, several, or all of the following conditions:

Page 6 of 10 J1. Is not formally and in practice invested with the due authority and autonomy, organizational, administrative, and functional; J2. Does not have the training, education, and experience that this function requires in the matter and industry in which the institution operates; J3. Is not assigned or does not have the adequate personnel and/or the training and education that this function requires; J4. Does not fulfill or fulfills deficiently the functions corresponding to it in accordance with the law and regulations of the matter. J5. The institution cannot evidence that the ML/TF/CPF Administrator or its Substitute, when substituting the holder in their functions, have an administrative treatment comparable in all aspects to that granted to other first-level managerial positions in the administrative structure of the same. K. When the financial, human, technological, and material resources assigned by the Board of Directors of the institution to carry out the execution of the ML/TF/CPF Program, are not in accordance with the volume, complexity of its financial products and services, service and business technology, or risk profile of the institution or the market in which it operates. L. When the internal audit function is insufficient or deficient in the permanent review of the ML/TF/CPF Program in accordance with the law or regulations of the matter or regarding the institution's own audit program. M. For the late contracting or execution of the external audit exceeding the deadlines established by the regulations governing the matter of external audit, for the verification of the efficacy and quality of the ML/TF/CPF Program, in accordance with the law and regulations of the matter. N. For other circumstances, in which due to the deficient implementation of the ML/TF/CPF Program or due to non-compliance with other legal or normative provisions or instructions of the Superintendent on the matter, the profile and exposure of the institution to these risks is increased. vii. When it does not deliver the information requirements that the Superintendent makes to the institution, either for the realization of its on-site, remote, or off-site supervision activities or for the monitoring of compliance with periodic obligations or those that are particularly requested of them, or does not provide delegated supervisors with the minimum conditions required for the development of their inspection tasks.

Page 7 of 10 viii. Not complying with the resolutions ordered by the Superintendent to the institution to implement actions and remedy the deficiencies determined and formulated in the inspection report or that, having established the actions, does not fulfill or execute them in accordance with the deadlines of the activities communicated to the Superintendent by the institution in its respective Action Plan.

3. Very serious infractions: i. When the institution does not have an ML/TF/CPF Administrator and its respective substitute, appointed by its Board of Directors or equivalent body, to whom it must report administratively, organizationally, and functionally, dedicated exclusively to the implementation, training, and follow-up of the ML/TF/CPF Program. ii. When the ML/TF/CPF Administrator does not inform the Superintendent or conceals information about facts that prevent the adequate performance of their supervision work, once they have not been resolved by the entity's management despite requiring immediate attention, without prejudice to their dismissal according to the gravity of the concealed fact at the technical criterion of the Superintendent and other legal consequences derived therefrom. iii. When the obligation to inform the competent authority, according to the law of the matter, the CTRs, is not fulfilled, in accordance with the information required by the law and applicable regulations for said report or, in its case, for not sending the negative communication of non-existence of reportable cash transactions for the month. iv. For the non-performance of the external audit for the verification of the efficacy and quality of the ML/TF/CPF Program, in accordance with the law and regulations of the matter. v. When the institution has not carried out its individual ML/TF/CPF risk assessment in accordance with applicable legal and normative provisions or, having carried it out, does not evidence having considered for its realization, insofar as applicable, the threats, vulnerabilities, and risks identified in the National ML/TF/CPF Risk Assessment or Sectoral Assessments of these risks that have been communicated to it. vi. When it does not evidence that the results of its Individual ML/TF/CPF Risk Assessment were communicated and approved by the Board of Directors or equivalent body, or that it does not evidence having established an institutional strategy to address the identified major and minor risks, with its respective Institutional Action Plan to address them.

Page 8 of 10 vii. When it does not evidence that the measures established in its ML/TF/CPF Program are designed based on the results of its Individual ML/TF/CPF Risk Assessment. viii. When there is no Manual of Policies and Procedures for the Prevention of ML/TF/CPF risks or ML/TF/CPF Manual. ix. When Internal Audit does not evidence having audited at least once a year, the components of the Integrated System for the Prevention and Management of ML/TF/CPF Risks (SIPAR ML/TF/CPF) or the entity's Prevention Program determined according to its ML/TF/CPF risk matrix, evaluating the minimum aspects established in the regulations governing the matter of ML/TF/CPF; or that, having carried it out, does not pronounce in its respective report on the quality, sufficiency, and effectiveness of the same. x. When the institution does not have an ML/TF/CPF Program in accordance with the laws and regulations of the matter. xi. When the person holding any of the following categories: legal representative, director, manager, official, or ML/TF/CPF Administrator, as responsible for the application of the laws and regulations of the matter, does not fulfill their functions or responsibilities assigned by legislation or those assigned by the internal policies and provisions of the institution itself. xii. When the institution's ML/TF/CPF Program does not contemplate carrying out the individual ML/TF/CPF risk assessment for clients, countries or geographic areas, products, services, operations or transactions, distribution and sending channels, use of new technologies for service provision, both new and existing, and other risk factors that they consider pertinent, in accordance with the legal and/or normative requirements applicable. xiii. When the institution does not fulfill the obligation to report or present the respective Report of Suspicious Operations (SAR) of ML/TF/CPF to the competent authority, according to the law and regulations of the matter. xiv. The person holding any of the following categories: director, representative, manager, senior executive, official, ML/TF/CPF Administrator, internal auditor, or any other employee of the institution who discloses or informs the client that their transaction is being analyzed or considered for a possible Report of Suspicious Operation of ML or TF or CPF or who informs them that such a report will be or has been filed. Fine amount: between four and eight monthly salaries of the person involved in the infraction according to the categories cited above. In the case of directors, the fine will be between ten and fifty thousand fine units.

Page 9 of 10 xv. The director, representative, manager, senior executive, official, administrator of the prevention of ML/TF/CPF risks, internal auditor, or any other employee of the institution, who alter or distort data or antecedents in balance sheets, books, statements, accounts, correspondence, or any other document or who conceal or prevent them from being known or destroy these elements, with the aim of hindering, diverting, or evading the oversight, supervision, or inspection that corresponds to be exercised by the Superintendence in accordance with the Law, shall be sanctioned without prejudice to the corresponding criminal sanctions, with a fine equivalent to a minimum of two times their monthly salary up to six times their monthly salary. For the case of directors, the sanction will be a minimum of ten thousand up to fifty thousand fine units, according to the gravity of the offense.

In accordance with the faculty granted by Article 164 of the General Banks Law, the Superintendent, separately or jointly with the monetary sanctions for the infractions committed against the legal and normative framework against ML/TF/CPF, may apply one or more of the following range of sanctions: temporary suspension of certain or all operations affected by the deficiencies of the ML/TF/CPF prevention program, up to the cancellation of the authorization granted, action plans for the period determined by the Superintendent, reprimands, temporary separation of officials and employees, including members of the board of directors, representatives, executive president, general manager, or principal executive director, the ML/TF/CPF prevention administrator or their substitute, or the internal auditor.

In the case of very serious infractions or recidivism, the Superintendent may additionally order the permanent removal from office of the infractor."

SECOND: This standard shall enter into force upon its notification, without prejudice to its subsequent publication in La Gaceta, Official Gazette. (F) legible