2021-12-09

Agreement No. 005-2021 Modifying Article 15 of Agreement No. 6-2011 on Electronic Banking

The Banking Superintendence of Panama issued Agreement No. 005-2021 to amend Article 15 of Agreement No. 6-2011, mandating enhanced security protocols for internet and mobile banking channels. The regulation requires banks to implement specific bank and client authentication measures, including a minimum eight-character alphanumeric password, mandatory two-factor authentication for third-party transactions, and dynamic validation or soft/hard tokens for sensitive account changes. Financial institutions must achieve full compliance with these risk management and client protection standards by February 28, 2022, while assuming full liability for unauthorized transactions resulting from non-compliant authentication activations during the interim period.


Panama

Superintendencia de Bancos de Panama


Republic of Panama
Banking Superintendence

AGREEMENT No. 005-2021
(November 23, 2021)

“By which Article 15 of Agreement No. 6-2011 is modified”

THE BOARD OF DIRECTORS

In exercise of its legal powers, and

CONSIDERING:

That following the issuance of Decree-Law 2 of February 22, 2008, the Executive Branch prepared a systematic compilation in the form of a Single Text of Decree-Law 9 of 1998 and all its modifications, which was approved by Executive Decree 52 of April 30, 2008, hereinafter the Banking Law;

That in accordance with paragraphs 1 and 2 of Article 5 of the Banking Law, the objectives of the Banking Superintendence are to ensure the maintenance of the solidity and efficiency of the banking system, as well as to strengthen and foster the conditions conducive to the development of the Republic of Panama as an international financial center;

That in accordance with paragraphs 3 and 4 of Article 5 of the Banking Law, the objectives of the Banking Superintendence are to promote public confidence in the banking system, and to ensure the legal balance between the banking system and its clients;

That in accordance with Article 11, paragraph 5 of the Banking Law, it is the responsibility of the Board of Directors to establish, in the administrative sphere, the interpretation and scope of legal or regulatory provisions in banking matters;

That through Agreement No. 6-2011, modified by Agreement No. 9-2014, guidelines on electronic banking and the management of related risks are established;

That in light of the increasing electronic fraud at the national and international levels that constantly tests the vulnerabilities of the electronic channels of the banking sector, this Superintendence has considered it important to strengthen the guidelines on electronic banking, so that the services offered to clients are managed in a more secure, reliable, and efficient manner in the banks operating in the country;

That taking into account the constant technological changes, it is vital for this Superintendence to ensure that banking entities carry out adequate management of the risks related to the use of electronic channels that provide services to their clients, in order to ensure adequate protection of the banking client and, consequently, that the transactions they carry out through electronic channels are conducted in a more secure and reliable manner;

That in working sessions of this Board of Directors, the need and convenience of updating Article 15 of Agreement No. 6-2011 has been highlighted, with the aim of strengthening certain guidelines in the risk management of operations carried out by banks, when operations conducted by their clients through their electronic banking channels are exposed, given the increase in electronic fraud.

AGREES:

ARTICLE 1. Paragraph 2 of Article 15 of Agreement No. 6-2011 shall read as follows:

“ …

2. Internet Banking and Mobile Banking

At the level of internet and mobile banking, every bank must ensure the implementation, at a minimum, of the following security measures:

a. Bank Authentication. For the client to recognize the bank, it will be necessary to have at least the following measures:

a.1. A digital method that allows the client to identify that it is the bank to which they correspond, such as digital certificates, client-preselected images or equivalents, before entering their password.

a.2. Immediately after login, the client's full name and their last login date to the service must be displayed for verification by the client themselves.

b. Client Authentication. For access to this service, the following authentication measures will be necessary:

b.1. Category 1 authentication factor, which must meet the following parameters: it must be initially set by the bank and subsequently modifiable by the client themselves, and contain a minimum of eight (8) alphanumeric characters.

b.2. Category 2 authentication factor, which must meet the following parameters: implementation of a “dynamic validation” layer or similar technology and processes that offer at least the same level of security. This factor will be applicable when the client conducts transactions to a third party, either within the same banking entity or in another banking entity. In the case of dynamic validation, the bank must have an automated PIN generation system with a minimum of six (6) digits in their generation. The Category 2 authentication factor may be carried out by both hardware devices and portable software solutions on mobile devices. This factor will be mandatory for conducting banking transactions, and optional for inquiries made by a client through these channels.

PARAGRAPH 1. For the purposes of what is established in letter b.2., subsection b., paragraph 2 of Article 15 of this Agreement, banking entities must ensure that for the activation process of the security component (soft token), a secure client authentication process is carried out, for which the bank must ensure the use of the most secure authentication mechanisms, such as, for example, the hard token (category 2 factor), or category 3 factor and its derivatives with the highest level of certainty, or liveness tests or others that may emerge. Likewise, for active internet and mobile banking clients, the bank must ensure that any change related to client information, such as changes to phone number, email address, address, or other sensitive data, incorporates into its process the category 2 or category 3 authentication factor. Banking entities will have a deadline until February 28, 2022 to comply with the provisions established in this paragraph.

PARAGRAPH 2. The bank that, from the entry into force of this Agreement, requests authorization for the implementation of new electronic channels or for the addition of new services to a previously authorized channel, in compliance with what is provided in Article 3 of this Agreement, must comply with the requirements established in paragraph 1 of this paragraph, as part of good management of the risks of electronic channels.

Notwithstanding the foregoing, until February 28, 2022, the Superintendence may approve the use of a channel or the addition of new services to a previously authorized channel; however, in these cases, the bank must assume the risks and costs for transactions not recognized by its clients, as a consequence of the activation of the two-factor authentication without the security measures provided in paragraph 1 of this paragraph.

…”

ARTICLE 2. EFFECTIVE DATE. This Agreement shall take effect from its promulgation.

Given in the city of Panama, on the twenty-third (23) day of the month of November of two thousand twenty-one (2021).

LET IT BE COMMUNICATED, PUBLISHED, AND COMPLIED WITH.

THE PRESIDENT,
Luis Alberto La Rocca

THE SECRETARY,
Rafael Guardia Pérez