Circular SINAP 1-234 Retail Payment Systems - Fraud Mitigation Measures

"Year of the Reconstruction of the Argentine Nation" COMMUNICATION “A” 8298 07/08/2025 TO FINANCIAL INSTITUTIONS, TO PAYMENT SERVICE PROVIDERS OFFERING PAYMENT ACCOUNTS, TO ADMINISTRATORS OF ELECTRONIC FUNDS TRANSFER PAYMENT SCHEMES: Ref.: Circular SINAP 1-234: Retail Payment Systems - Fraud Mitigation Measures.

---

We address you to inform you that this Institution has adopted the following resolution:

1. Approve the text attached in the Annex detailing the provisions adopted to mitigate fraud.
2. Establish that the low-value electronic clearing chamber (CEC-BV) shall have a period of 10 (ten) business days from the issuance of this communication to make available to the Central Bank of the Argentine Republic and to the obligated parties subject to this measure the information specified in point 2.1. of the Annex and 60 (sixty) calendar days for that referred to in point 2.2. of the Annex. The application of the totalizers in risk assessment processes set forth in point 3. of the Annex shall be implemented within 60 (sixty) calendar days after making available the information from the aforementioned points 2.1. and 2.2., respectively. We remain, respectfully yours. CENTRAL BANK OF THE ARGENTINE REPUBLIC Alejandra I. Sanguinetti Roberto A. Boccardo Signature 2 Deputy General Manager of Payment Instruments Deputy General Manager of Systems and Organization

ANEXO

-1-

1. Obligated Parties 1.1. Financial Institutions (FIs). 1.2. Payment service providers offering payment accounts (PSPPAs). 1.3. Administrators of electronic funds transfer payment schemes.

2. CBU/CVU Totalizers 2.1. The low-value electronic clearing chamber (CEC-BV) shall maintain a permanently updated record containing the total number of CBU and CVU for each CUIL/CUIT, corresponding to natural persons holding peso-denominated current accounts as stated in the consolidated text of Savings Deposits, Salary Accounts and Special Accounts provided by FIs (Except for the special account for asset regularization – Law 27.743) and payment accounts provided by PSPPAs. 2.2. Additionally, the CEC-BV shall maintain a daily historical record for each CUIT/CUIL, containing the number of CBU and CVU additions and deletions for the last twelve (12) months (rolling). 2.3. The CEC-BV shall make available to the obligated parties free of charge, the information contained in the record indicated in points 2.1. and 2.2., through 2 (two) mechanisms: 2.3.1. A daily file containing the entirety of the record. 2.3.2. An automated programming interface (API) to query the information contained in the record.

3. Application of Totalizers in Risk Assessment Processes Based on the consolidated information provided by the CEC-BV, and according to the risk appetite adopted by each entity, FIs and PSPPAs shall define and implement procedures to: 3.1. Identify and conduct enhanced risk analysis among their natural person customer base presenting higher potential risk, due to holding a total number of accounts in FIs and PSPPAs that -a priori- would not be justified by their transaction history and/or declared activity and/or other evidentiary elements defined in their policies and procedures or applicable client due diligence regulations. The result of the analysis shall be used in transactional monitoring of accounts, and the entity may, based on this result, proceed with operational discontinuation of the customer, including account closure, under applicable regulations. -2- 3.2. Apply in the new customer onboarding process the analysis required in point 3.1., with the entity able to reject the application based on the result of the analysis performed. 3.3. Periodically establish review protocols and, if necessary, update identification and customer management policies and procedures for customers holding a total number of accounts in FIs and PSPPAs -or another characteristic indicated by the BCRA- that a priori lack justification according to the criteria established in point 3.1., which must be aligned with best practices and emerging fraud threats. These reviews shall allow adjusting existing controls or designing new controls to mitigate this type of risk. 3.4. Provide continuous training to personnel involved in the fraud management process to identify and manage the situations mentioned in points 3.1., 3.2. and 3.3., ensuring they are prepared to effectively apply the established procedures and controls, keeping records of the developed activity, which must be available to the Superintendence of Financial and Foreign Exchange Entities (SEFyC).

The decisions adopted by FIs and PSPPAs under these provisions shall be based on objective criteria generally applicable to the entire customer base. Administrators of electronic funds transfer payment schemes shall, where applicable, use the available information for alert scoring in transactions within the administered scheme. The policies and procedures established regarding the preceding points shall be adequately formalized with the involvement of top management and made available to SEFyC upon request. Internal audits of FIs and/or equivalent control bodies of PSPPAs shall include in their planning, at least annually, procedures aimed at validating the effectiveness of the aforementioned policies and procedures. This frequency shall be increased considering the complexity and characteristics of the entities and/or the result of the evaluations performed.

4. Final Provisions The CEC-BV shall make available to the Central Bank of the Argentine Republic the record indicated in points 2.1. and 2.2., through the same mechanisms indicated in point 2.3.

5. Non-Compliance The obligated party and those found responsible are subject to the application of sanctions as provided in articles 41 and 42 of the Financial Entities Law and corresponding provisions for non-compliance with these regulations.