Agreement No. 3-2026: Establishing Criteria for Imposing and Grading Administrative Sanctions on Banks for Violations of the Prevention Regime

Republic of Panama Banking Superintendence of Panama AGREEMENT No. 3-2026 (May 29, 2026) "Establishing the criteria for the imposition and grading of administrative sanctions applicable to banks for violation of the prevention regime"

THE BOARD OF DIRECTORS, In exercise of its legal powers, and CONSIDERING:

That as a result of the issuance of Decree-Law No. 2 of February 22, 2008, the Executive Branch elaborated a systematic ordering in the form of a Single Text of Decree-Law No. 9 of February 28, 1998, and all its modifications, which was approved through Executive Decree No. 52 of April 30, 2008, hereinafter the Banking Law;

That in accordance with paragraphs 1 and 2 of Article 5 of the Banking Law, it is the objective of the Banking Superintendence to ensure the solidity and efficiency of the banking system; as well as to strengthen and foster the favorable conditions for the development of the Republic of Panama as an International Financial Center;

That in accordance with paragraph 5 of Article 11 of the Banking Law, it corresponds to the Board of Directors to fix, within the administrative scope, the interpretation and scope of legal or regulatory provisions in banking matters;

That Article 112 of the Banking Law establishes that banks and other supervised entities by the Banking Superintendence shall have the obligation to establish policies, procedures, and internal control structures to prevent their services from being used improperly for the crime of money laundering, terrorist financing, and other related or similar nature crimes;

That Article 114 of the Banking Law establishes that banks and other supervised entities by the Banking Superintendence shall adopt policies, practices, and procedures that allow them to know and identify their clients and employees with the greatest certainty possible, as part of the prevention process established in the Banking Law and the norms that develop it;

That Article 184 of the Banking Law provides that the Superintendent shall impose the administrative sanctions that correspond to the violation of this law, other laws, and Agreements that regulate or modify it, taking into consideration the gravity of the offense, recidivism, and the magnitude of the damage and harm caused to third parties; as well as that the Banking Superintendence shall establish the grading of sanctions and the sanctioning procedure in compliance with what is established in the Banking Law and special laws;

That by means of Law No. 23 of April 27, 2015, and its modifications, measures are adopted to prevent money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction;

That in accordance with what is established in paragraphs 1 and 5 of Article 20 of Law No. 23 of 2015, it is the attribute of the supervisory bodies to supervise that the obligated financial subjects have policies, mechanisms, and internal control procedures for each of the natural or legal persons subject to their supervision, in order to verify the due compliance with the provisions established in this Law and its regulations; as well as to impose the corresponding sanctions for non-compliance with the referred Law;

That Article 22 of Law No. 23 of 2015 modified by Article 123 of Law No. 21 of May 10, 2017, details the obligated financial subjects that will be subject to supervision by the Banking Superintendence of Panama, among them banks;

Agreement No. 3-2026 Page 2 of 11

That Article 59 of Law No. 23 of 2015 stipulates the criteria that the supervisory bodies shall take into consideration for the imposition of administrative sanctions that correspond to the violation of the provisions of this Law and its regulations, pointing out among them the gravity of the offense, recidivism, the magnitude of the damage, and harm caused to third parties. Likewise, it establishes that the supervisory bodies shall establish the grading of sanctions, a progression of disciplinary and financial sanctions;

That Law No. 254 of November 11, 2021, introduces adjustments to the legislation in matters of international fiscal transparency and the prevention of money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction;

That through Article 12 of Law No. 254 of 2021, Article 60 of Law No. 23 of 2015 is modified, establishing that the amount of sanctions that the supervisory bodies shall impose for non-compliance with the provisions of the prevention regime, when there is no specific sanction, shall be from five thousand balboas (B/.5,000.00) up to five million balboas (B/.5,000,000.00), taking into consideration the gravity of the offense, the degree of recidivism, the magnitude of the damage, and the size of the obligated subject;

That Article 61 of Law No. 23 of 2015 modified by Law No. 254 of 2021 states that sanctions for non-compliance with the prevention regime shall be applied not only to the obligated subjects but also to those who allow or authorize the non-compliance with said provisions;

That Executive Decree No. 35 of September 6, 2022, regulates Law No. 23 of 2015, which adopts measures to prevent money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction, and other provisions are issued;

That Articles 28, 29, and 32 of Executive Decree No. 35 of 2022 establish the minimum criteria for the imposition of sanctions and the classification of the gravity of infractions that the supervisory bodies shall apply to the obligated subjects for non-compliance with Law No. 23 of 2015, without prejudice to the specific criteria that each supervisory body may establish according to its regulatory sector;

That the Banking Superintendence of Panama has issued various agreements in matters of prevention, among them: Agreement No. 4-2015 on the registry of custodians of bearer shares; Agreement No. 7-2015 on the catalog of alert signals for the detection of suspicious transactions; Agreement No. 10-2015 on the prevention of the improper use of banking and fiduciary services; Agreement No. 6-2016 on risk management in matters of money laundering; Agreement No. 7-2016 on cross-border banking correspondentship; Agreement No. 1-2019 on the catalog of alert signals for the detection of transactions related to terrorist financing; and Agreement No. 1-2026 on the prevention of the improper use of banking and fiduciary services, which will begin to take effect within a period of six (6) months counted from its promulgation and repeals Agreement No. 10-2015, which together with their respective modifications complement the provisions of the prevention regime applied to the banks supervised by this Superintendence;

That Agreement No. 9-2015 of July 27, 2015, establishes the administrative sanctioning procedure applied to the banks supervised by this Superintendence for possible infractions to the provisions in matters of Prevention of Money Laundering, Terrorist Financing, and Financing of the Proliferation of Weapons of Mass Destruction applicable to financial obligated subjects;

That in working sessions of this Superintendence, the need and convenience of establishing the criteria for the imposition and grading of administrative sanctions applicable to banks for violation of the prevention regime of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction has been highlighted.

Agreement No. 3-2026 Page 3 of 11

AGREES:

ARTICLE 1. OBJECT AND SCOPE. This Agreement aims to establish the criteria upon which the application of sanctions to banks will be imposed and graded by the Banking Superintendence of Panama as a consequence of non-compliance with the provisions related to the prevention regime of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction.

For the purposes of this Agreement, the prevention regime shall be understood as the compilation of norms, in matters of prevention of Money Laundering, Terrorist Financing, and Financing of the Proliferation of Weapons of Mass Destruction, which are collected in Law No. 23 of 2015 and its modifications, Executive Decree No. 35 of 2022, and other related laws; as well as the banking regulations issued on the matter.

ARTICLE 2. SCOPE OF APPLICATION. The provisions of this Agreement are applicable to all banking entities that incur in conduct that, by action or omission, implies an infraction to the provisions of the prevention regime identified or incurred from the entry into force of this Agreement.

For the imposition of the sanctions established in this Agreement, the administrative sanctioning procedure provided for in Agreement No. 9-2015 shall be applied.

For those findings resulting from infractions of minor gravity, the terms established in Agreement No. 9-2015 may be reduced by half.

In those cases resulting from findings of minor, medium, and maximum gravity indicated by the supervisor, which are accepted by the bank at the time of presenting the defenses for the identified findings, the terms established in Agreement No. 9-2015 may likewise be reduced by half.

ARTICLE 3. TYPES OF SANCTIONS. By virtue of the powers contained in Law No. 23 of 2015 and Executive Decree 35 of 2022, the Banking Superintendence may impose administrative disciplinary and/or financial sanctions for non-compliance with the provisions established by the prevention regime.

1. Disciplinary Sanctions Disciplinary sanctions may include the cancellation, withdrawal, restriction, suspension, removal of banking license, and others contemplated by the Banking Regime and prevention regime.

2. Financial Sanctions Financial sanctions comprise fines of five thousand balboas (B/. 5,000.00) up to five million balboas (B/. 5,000,000.00), which shall be imposed according to the criteria contemplated in this Agreement.

ARTICLE 4. CRITERIA FOR THE IMPOSITION OF SANCTIONS. In accordance with what is provided by Articles 28 and 32 of Executive Decree No. 35 of 2022, for the imposition of the sanctions described in this Agreement for non-compliance with the prevention regime, the Banking Superintendence shall take into consideration, as a minimum, the following valuation criteria:

1. The gravity of the offense: Comprises the set of infringing conduct of the prevention regime in which the bank has incurred, and which may be classified into categories of minor gravity, medium gravity, and maximum gravity. For the determination of the component of the gravity of the offense, the following circumstances shall be taken into consideration:

a. The relative importance and risk; b. The duration of the non-compliance; c. The proof of intent or negligence;

Agreement No. 3-2026 Page 4 of 11

d. Any other circumstance that allows dimensioning the degree of intentionality by action or omission.

2. The Degree of Recidivism: It shall be considered when the bank has been previously sanctioned for the same violating conduct to the prevention regime, provided that the sanction was imposed within the five (5) years prior to said indication, counted from the date on which the resolution imposing the sanction became final. For the determination of the component of the degree of recidivism, the following circumstances shall be taken into consideration:

a. The compliance history of the obligated subject; b. Previous sanctions imposed by the supervisory bodies on the bank; c. Corrective measures adopted by the bank to remedy the non-compliance.

For the purposes of this Agreement, the reiterative conduct of the bank, incurring in findings indicated in previous inspections that have been the subject of an action plan and were subject to a compliance schedule, within the five years following the inspection that gives rise to the sanctioning process, shall also be considered as recidivism.

3. The Magnitude of the Damage: Comprises the reputational and economic damage that the banking entity may suffer due to the relevance of the detected findings, among them negative news or publications that impact the bank, questioning by banking correspondents, decrease in deposits, reputational and economic damage or harm to the Banking Superintendence and the Banking Center. For the determination of the component of the magnitude of the damage, the following circumstances shall be taken into consideration:

a. The amount of profits or benefits obtained or expected losses by the bank, the client, the ultimate beneficiary, and/or the natural persons who have allowed or authorized the non-compliance; b. Any possible systemic consequence of the infraction, including reputational damage to the sector and/or country.

4. The Size of the Bank: For the determination of the component of the size of the bank, the paid or assigned capital, as appropriate, as of December 31 of each year shall be taken into consideration.

5. The Criticality of the Infraction: The component of criticality of the infraction shall be understood as the valuation of the affectation that the entity may present regarding the risk it represents, whether high, medium, or low risk.

The Banking Superintendence may determine other criteria for the imposition of sanctions.

ARTICLE 5. CATEGORIES OF THE GRAVITY OF THE INFRACTION. In accordance with what is provided by Articles 29 and 32 of Executive Decree No. 35 of 2022, administrative sanctions for non-compliance with the prevention regime shall be classified according to the following non-limiting categories of gravity of the infraction, committed by action or omission by the banking entities.

1. Maximum Gravity: Comprises the non-compliance with a criterion, procedure, or obligation of such magnitude that puts at risk the effectiveness and integrity of the internal prevention regime, whose deficiency generates a cascade effect, invalidating the efficacy of subsequent controls. These non-compliances seriously and permanently compromise the security, operational continuity, or integrity of the entity, requiring immediate corrective actions. Maximum gravity shall be considered when the infraction, by action or omission, is not remediable or curable, is the result of negligence or intent, in any of the following cases that correspond:

a. Altering or manipulating information requested by the Banking Superintendence, the Financial Analysis Unit for the prevention of money laundering and terrorist financing crimes, or other competent authorities in matters of prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction crimes;

Agreement No. 3-2026 Page 5 of 11

b. The reluctance or obstruction to provide information that has been requested from the bank by the Banking Superintendence, the Financial Analysis Unit for the Prevention of Money Laundering and Terrorist Financing Crimes, or other competent authorities in matters of prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction crimes; c. The reluctance to provide information that is required in the course of an inspection; d. Non-compliance with the preventive freezing duty established in Law No. 23 of 2015; e. Non-compliance with the duty to report to the Financial Analysis Unit for the prevention of money laundering and terrorist financing crimes what is established in Articles 53 and 54 of Law No. 23 of 2015, when the responsible person, employee, or any executive of the bank had internally manifested the existence of indications or certainty that a fact or operation was related to the crime of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction; f. Starting or maintaining the contractual, professional, or business relationship with any client who does not facilitate the application of enhanced or reinforced due diligence measures; g. Recidivism in the non-compliance with any criterion of medium gravity; h. If during the five (5) years prior, a sanction had been imposed on the financial obligated subject for the same type of infraction and the sanctioning resolution is final; i. Non-compliance with the obligation to adopt corrective measures, or measures to remedy weaknesses, indicated by the Banking Superintendence, as provided in the money laundering prevention regime; j. Non-compliance with the duty to apply due diligence to all clients, which includes updating the information and documentation of existing clients at the time of the entry into force of Law No. 23 of 2015; k. Non-compliance with the application of enhanced or reinforced due diligence measures for clients or services considered high risk; l. Non-compliance with the duty to adequately identify the ultimate beneficiary; m. Non-compliance with the duty to identify the source of income; n. Non-compliance with the duty to evidence the origin and destination of funds; o. Non-compliance with the duty to keep its client database updated; p. Non-compliance with the duty to carry out an effective verification process of risk lists against its client database; q. Non-compliance with the duties of confidentiality and reserve of information; r. Non-compliance with the obligation to have an effective and efficient monitoring tool, so that they can have a tracking and monitoring system to generate alerts on movements or changes that occur in the commercial relationship with the client, including those that deviate from their expected behavior and others that allow identifying different typologies; s. Non-compliance with the obligation to adequately classify individuals who fall under the category of politically exposed person (PEP) national or foreign, whether client or ultimate beneficiary, according to what the prevention regime establishes; t. Any other infraction that, accumulated, determines that the Banking Superintendence constitutes maximum gravity;

2. Medium Gravity: Comprises the non-compliance with a criterion, procedure, or obligation of such magnitude that could put at risk the effectiveness of the internal prevention regime. Medium gravity shall be considered when the infraction, by action or omission, is caused by negligence or fault, in any of the following cases that correspond:

a. Not complying with the design and implementation of appropriate risk mitigators to their risk assessment in their money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction prevention manual; b. Non-compliance with the application of the "Know Your Employee" policy in the selection, profile creation, and training; c. Recidivism in the non-compliance with any criterion of minor gravity; d. Not giving continuous follow-up to the business relationship with clients and not carrying out the update of their files;

Agreement No. 3-2026 Page 6 of 11

e. Non-compliance with the duty to examine any fact, operation, or transaction that is considered unusual, regardless of its amount, as established by the prevention regime; f. Non-compliance with the duty to ensure that the information of electronic transfers, both of the originator and the beneficiary, includes the data established in Article 46 of Law No. 23 of 2015 and Agreement No. 2-2017. g. Non-compliance with the duty to ensure that the information accompanying electronic transfers remains throughout the entire payment chain and is available to competent authorities; h. Repeated non-compliance with the non-delivery of cash and quasi-cash reports to the Financial Analysis Unit. It shall be understood that the report has not been delivered when, upon reaching the thirtieth (30) day of the month in which the cash and quasi-cash report was to be delivered, it is not carried out according to what was instructed by the Financial Analysis Unit; i. Any other infraction that determines that the Banking Superintendence constitutes medium gravity;

3. Minor Gravity: Comprises the non-compliance with a criterion, procedure, or obligation in a way that does not put at risk the effectiveness of the internal prevention regime. Minor gravity shall be considered when the infraction by action or omission has been committed by negligence or imprudence of the offender. The following cases, which are illustrative but not limiting, constitute minor gravity infractions:

a. Late compliance in the sending of information or documentation requested by the Banking Superintendence, the Financial Analysis Unit for the Prevention of Money Laundering and Terrorist Financing Crimes, and competent authorities in matters of prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction crimes; b. Acts or omissions to duties or conduct that violate some provision of Law No. 23 of 2015 and that are not typified as an infraction of medium gravity or maximum gravity according to the previous articles; c. Delay in the presentation of information that banks must remit to the Superintendence by mandate of Law No. 23 of 2015 and its regulation or by requirement contemplated in banking agreements issued on the matter. d. Any other infraction that, even being minor, when reiterated or accumulated, the Banking Superintendence determines is of minor gravity.

ARTICLE 6. CRITICALITY OF THE INFRACTION. Comprises the component that allows evaluating with greater judgment the levels of affectation that the risk of non-compliance incurred by the bank may present or cause, according to the criteria detailed below:

1. Critical: When the offense occurs due to a lack or non-compliance with any of the following obligations:

a. Not having a compliance officer, or that the same does not perform the functions established in the applicable norms or that there is no evidence that it performs its functions in accordance with what is established in the applicable regulation or when the Compliance Officer does not have the necessary independence to achieve its function. b. That the compliance officer does not have the necessary resources for its adequate performance based on the risks that the supervised subject has with the products it offers to the market, the geographies in which it operates, the type of clients it attends, the channels it uses for operation;

Agreement No. 3-2026 Page 7 of 11

c. That the compliance officer does not have the necessary training or specialization to perform its functions, or that the compliance function is not integrated into the organizational structure with the appropriate hierarchy and autonomy; d. That the compliance function is not carried out by a person with sufficient seniority, experience, and authority within the organization; e. That the compliance function does not have direct access to the highest levels of management of the bank; f. That the compliance function does not have the ability to communicate directly with the Board of Directors or the highest executive body of the bank; g. That the compliance function does not have the authority to request information from any area of the bank; h. That the compliance function does not have the authority to implement corrective measures or recommend sanctions; i. That the compliance function does not have the authority to suspend or restrict operations when necessary to prevent risks; j. That the compliance function does not have the authority to report directly to the supervisory body when necessary; k. That the compliance function does not have the authority to conduct internal audits or reviews; l. That the compliance function does not have the authority to train employees on prevention matters; m. That the compliance function does not have the authority to update policies and procedures; n. That the compliance function does not have the authority to monitor transactions; o. That the compliance function does not have the authority to file suspicious activity reports; p. That the compliance function does not have the authority to maintain records; q. That the compliance function does not have the authority to cooperate with external authorities; r. That the compliance function does not have the authority to manage the prevention program; s. That the compliance function does not have the authority to assess risks; t. Any other infraction that, accumulated, determines that the Banking Superintendence constitutes critical criticality;

2. High: When the offense occurs due to a lack or non-compliance with any of the following obligations:

a. Not having a risk assessment methodology; b. Not updating the risk assessment methodology; c. Not applying the risk assessment methodology; d. Not documenting the risk assessment methodology; e. Not reviewing the risk assessment methodology; f. Not approving the risk assessment methodology; g. Not implementing the risk assessment methodology; h. Not monitoring the risk assessment methodology; i. Not reporting on the risk assessment methodology; j. Not training on the risk assessment methodology; k. Not communicating the risk assessment methodology; l. Not integrating the risk assessment methodology; m. Not aligning the risk assessment methodology; n. Not validating the risk assessment methodology; o. Not testing the risk assessment methodology; p. Not auditing the risk assessment methodology; q. Not certifying the risk assessment methodology; r. Not registering the risk assessment methodology; s. Not archiving the risk assessment methodology; t. Any other infraction that, accumulated, determines that the Banking Superintendence constitutes high criticality;

3. Medium: When the offense occurs due to a lack or non-compliance with any of the following obligations:

a. Not having a compliance program; b. Not updating the compliance program; c. Not applying the compliance program; d. Not documenting the compliance program; e. Not reviewing the compliance program; f. Not approving the compliance program; g. Not implementing the compliance program; h. Not monitoring the compliance program; i. Not reporting on the compliance program; j. Not training on the compliance program; k. Not communicating the compliance program; l. Not integrating the compliance program; m. Not aligning the compliance program; n. Not validating the compliance program; o. Not testing the compliance program; p. Not auditing the compliance program; q. Not certifying the compliance program; r. Not registering the compliance program; s. Not archiving the compliance program; t. Any other infraction that, accumulated, determines that the Banking Superintendence constitutes medium criticality;

4. Low: When the offense occurs due to a lack or non-compliance with any of the following obligations:

a. Not having a prevention manual; b. Not updating the prevention manual; c. Not applying the prevention manual; d. Not documenting the prevention manual; e. Not reviewing the prevention manual; f. Not approving the prevention manual; g. Not implementing the prevention manual; h. Not monitoring the prevention manual; i. Not reporting on the prevention manual; j. Not training on the prevention manual; k. Not communicating the prevention manual; l. Not integrating the prevention manual; m. Not aligning the prevention manual; n. Not validating the prevention manual; o. Not testing the prevention manual; p. Not auditing the prevention manual; q. Not certifying the prevention manual; r. Not registering the prevention manual; s. Not archiving the prevention manual; t. Any other infraction that, accumulated, determines that the Banking Superintendence constitutes low criticality;

ARTICLE 7. GRADING OF SANCTIONS. The Banking Superintendence shall grade the sanctions according to the following scale:

1. Maximum Gravity: The sanction shall be imposed at the maximum level, which may include the revocation of the banking license and/or a fine of five million balboas (B/.5,000,000.00).

2. Medium Gravity: The sanction shall be imposed at the medium level, which may include a fine of between one million and five million balboas (B/.1,000,000.00 to B/.5,000,000.00).

3. Minor Gravity: The sanction shall be imposed at the minor level, which may include a fine of between five thousand and one million balboas (B/.5,000.00 to B/.1,000,000.00).

The Banking Superintendence may adjust the sanction within the established range based on the criteria established in Article 4.

ARTICLE 8. TRANSITORY PROVISIONS. This Agreement shall enter into force on the day following its publication in the Official Gazette.

The Banking Superintendence shall issue the necessary resolutions to implement this Agreement.

All previous agreements that contradict this Agreement are hereby repealed.

Given in the City of Panama, on May 29, 2026.

[Signatures of the Board of Directors]

Banking Superintendence of Panama