2025-09-01 | A 8315
The Central Bank of the Argentine Republic issued Communication “A” 8315 to update and replace pages in the ordered text governing risk management guidelines for financial entities, specifically incorporating changes from Communications A 8249 and A 8204. The regulation mandates that financial institutions implement a proportional, integral operational risk management framework encompassing defined loss event categories, a three-line defense model, and clear responsibilities for the Board, Senior Management, and dedicated risk units. It further requires systematic identification, assessment, and monitoring of operational risks through standardized tools, periodic reporting, and stress testing to ensure capital sufficiency, risk appetite alignment, and operational resilience.
“Year of the Reconstruction of the Argentine Nation”
COMMUNICATION “A” 8315
01/09/2025
TO FINANCIAL ENTITIES:
Ref.: Circular LISOL 1-1116, RUNOR 1-1918: Guidelines for Risk Management in Financial Entities. Results Distribution. Update of Ordered Texts.
We address you to deliver the attached pages, which replace those previously provided and must be incorporated into the ordered text on Guidelines for Risk Management in Financial Entities, pursuant to the Resolution published via Communication A 8249.
Likewise, point 3.4 of the ordered text on Results Distribution is updated as a result of what is provided in Communication A 8204.
We remind you that on this Institution’s website www.bcra.gob.ar, by accessing “Financial System – LEGAL AND REGULATORY FRAMEWORK – Ordering and Summaries – Ordered Texts of General Regulation”, you will find the modifications made with texts highlighted in special characters (strikethrough and bold).
Yours sincerely.
CENTRAL BANK OF THE ARGENTINE REPUBLIC
Ana M. Dentone Darío C. Stefanelli Deputy General Manager of Regulations Technical - Prudential Main Manager of Issuance and Regulatory Applications
ANNEX
-Index-
Section 6. Operational Risk Management.
6.1. Concepts.
6.2. Responsibilities.
6.3. Operational risk management process.
6.4. Technology and information security risk management.
6.5. Transparency.
Section 7. Securitization Risk Management.
7.1. General considerations.
7.2. Securitization risk management process.
7.3. Operations related to securitizations.
7.4. Residual risks.
7.5. Transparency.
Section 8. Concentration Risk Management.
8.1. Concepts.
8.2. Situations that may originate risk concentrations.
8.3. Framework for concentration risk management.
8.4. Concentration risk management process.
8.5. Stress tests. Responsibilities.
8.6. Transparency.
Section 9. Reputational Risk Management.
9.1. Concepts.
9.2. Reputational risk management process.
9.3. Transparency.
Section 10. Strategic Risk Management.
10.1. Concept.
10.2. Strategic risk management process.
10.3. Responsibilities.
10.4. Transparency.
Section 11. Conducting stress tests.
11.1. Concepts.
11.2. Guidelines.
B.C.R.A. ORDERED TEXT ON GUIDELINES FOR RISK MANAGEMENT IN FINANCIAL ENTITIES Version: 4th. COMMUNICATION “A” 8315 Validity: 01/09/2025 Page 2
Section 12. Operational Resilience.
12.1. Concepts.
12.2. Responsibilities.
12.3. Operational risk management.
12.4. Business continuity planning and testing.
12.5. Mapping interconnections and interdependencies.
12.6. Third-party dependency management (outsourcing).
12.7. Incident management.
12.8. Technology and information security.
Correlation table
Financial entities must implement a framework to manage operational risk as an integral and separate discipline from other risks, which must be proportional to the entity’s size and operational complexity and adequate to its risk profile.
6.1. Concepts.
6.1.1. Operational Risk.
Operational risk is understood –a concept that includes legal risk and excludes strategic and reputational risks– as the risk of losses resulting from inadequate or faulty internal processes, personnel actions, or systems, or those arising from external events.
The legal risk, which may occur endogenously or exogenously to the financial entity, includes, among other aspects, exposure to sanctions, penalties, or other economic and non-economic consequences due to non-compliance with regulations and contractual obligations.
Strategic risk is understood as that arising from an inadequate business strategy or adverse changes in forecasts, parameters, objectives, and other functions supporting that strategy.
Each entity may adopt a broader definition of operational risk at its discretion, adapting it to its reality and needs, provided that, at a minimum, the concepts previously outlined are included.
6.1.2. Operational Risk Management.
Operational risk management is understood as the identification, assessment, monitoring, control, and mitigation of this risk.
Financial entities must evaluate their vulnerability to events, thereby better understanding their operational risk profile and, where applicable, adopting corrective measures regarding relevant policies.
The framework for operational risk management comprises the policies, practices, procedures, and structures that the financial entity possesses for its adequate management, and must additionally allow it to assess capital sufficiency.
The framework must cover the entity’s operational risk appetite and tolerance –which must be established in its risk management policies–, including the extent and manner in which this risk is transferred outside the entity.
6.1.3. Loss Events.
The exhaustive list of categories –for the purposes of these provisions– for classifying loss events derived from operational risk is indicated below, including some examples of the concepts that would integrate each category:
6.1.3.1. Internal fraud: false information on positions –own or clients’–, thefts by employees, use of the financial entity’s confidential information for the employee’s benefit, etc.
6.1.3.2. External fraud: theft, forgery, damages from intrusion into information systems, etc.
6.1.3.3. Labor relations and workplace safety: employee claims for compensation, infringements of labor health and safety regulations, discrimination laws, general liabilities, etc.
6.1.3.4. Customer practices, products and businesses: abuse of confidential customer information, fraudulent trading in the financial entity’s accounts, money laundering, sale of unauthorized products, etc.
6.1.3.5. Physical asset damage arising from: acts of terrorism and vandalism, earthquakes, fires, floods, etc.
6.1.3.6. Activity disruptions and technological failures: hardware or software failures, telecommunications problems, interruption in public service provision, etc.
6.1.3.7. Execution, management and compliance with process deadlines: data entry errors, guarantee administration failures, incomplete legal documentation, unauthorized access to clients’ accounts, litigation with suppliers, etc.
The same loss event cannot be registered in more than one of the aforementioned categories.
6.1.4. Lines of Defense.
Financial entities generally rely on 3 lines of defense, whose degree of implementation must be proportional to the nature and size of the entity and the complexity of its operations, and adequate to its risk profile.
i) First line: management within business units –such as finance, human resources, technology– whose responsibilities include, among others, identifying and evaluating significant operational risks inherent to their respective business units, establishing appropriate controls to mitigate them, and evaluating the design and effectiveness of these controls using management tools.
ii) Second line: independent operational risk management, which develops an independent view of business units regarding identified significant operational risks, the design and effectiveness of key controls, and risk tolerance. Additionally, among other responsibilities, it reviews the relevance and consistency of business units’ implementation of operational risk management tools, measurement activities, and reporting systems.
iii) Third line: independent review ensuring that the operational risk management framework is adequate. Generally, this falls to internal and/or external audit. Among other responsibilities, it must review the design and implementation of operational risk management systems and associated governance processes in the first and second lines of defense, as well as validation processes to guarantee independence and consistent implementation aligned with the entity’s policies.
If business units contain first and second lines of defense functions, entities must document and delineate the responsibilities of each function, emphasizing the independence of the second line.
6.2. Responsibilities.
Each entity is responsible for implementing efficient operational risk management, considering the guidelines outlined below and taking into account the entity’s size and operational complexity.
The Board of Directors, Senior Management, and the unit or person responsible for operational risk management must demonstrate a high degree of commitment to maintaining a solid culture of operational risk management, in which activities related to this risk form part of the entity’s daily processes.
6.2.1. Board of Directors.
The Board is responsible for the entity having an adequate strategy for operational risk management, for the operational risk assumed by the entity, and for how that risk is managed. To this end, it must:
6.2.1.1. Approve the framework to be used for operational risk management, to be reviewed at least annually or whenever, in the entity’s judgment, relevant events or situations related to this risk occur, which must be reported to the Superintendence of Financial and Exchange Entities;
6.2.1.2. Maintain clear knowledge of the procedures developed to manage operational risk and their degree of compliance. To this end, it must receive at least semi-annually sufficient information to analyze the entity’s general operational risk profile and verify strategic and substantial implications for its activity;
6.2.1.3. Ensure that the operational risk management framework is subject to an internal audit process –an area not responsible for its management– that provides adequate coverage and depth of reviews, along with timely adoption of corrective measures by audited areas;
6.2.1.4. Approve policies for disseminating the operational risk management framework and training, directed to all areas and officials of the financial entity;
6.2.1.5. Establish policies for managing operational risks derived from outsourced activities, delegated activities in accordance with Section 9 of the Ordered Text on Expansion of Financial Entities, and services provided by suppliers;
6.2.1.6. Approve a policy for disseminating information to third parties regarding the operational risk management framework. The content and characteristics of this information must be proportional to the volume, complexity, and risk profile of the financial entity’s operations;
6.2.1.7. Guarantee that the entity has technically qualified personnel, as well as necessary resources for operational risk management;
6.2.1.8. Verify that those in charge of this management –operational risk unit or responsible person, according to point 6.2.4– do not perform other tasks in areas that may generate conflicts of interest with their function;
6.2.1.9. Approve and periodically review the definition of operational risk appetite and tolerance in line with the nature, types, and levels of operational risk that the financial entity is willing to assume.
The definition of the entity’s operational risk appetite and tolerance must be linked to its short- and long-term strategic and financial plans.
Considering both the interests of clients and shareholders as well as regulatory requirements, an effective definition of risk appetite and tolerance must:
i) be easy to communicate and understand for all stakeholders;
ii) include background and assumptions that consider the entity’s business plans;
iii) include reasons for assuming or avoiding certain types of risks, and limits or indicators (which may be quantitative or non-quantitative) to allow monitoring of these risks;
iv) ensure that the strategy and risk limits of business units, other entities forming the entity’s economic group, and contracted third parties (outsourced), as applicable, align with the risk appetite established by the financial entity; and
v) be prospective and, if possible, subject to scenarios and stress tests ensuring the entity understands which events could lead it to exceed its risk appetite and tolerance.
In reviewing the adequacy of limits and the general definition of risk appetite and tolerance, the Board must consider: current and expected changes in the external environment –including the regulatory framework across all jurisdictions where the financial entity provides services–; current or future significant increases in business volumes or activities; control environment quality; effectiveness of risk management or mitigation strategies; loss experiences; and the frequency, volume, or nature of deviations from established limits.
The Board must monitor compliance with the definition of risk appetite and tolerance and ensure timely detection and correction of deviations.
6.2.1.10. Regularly supervise the effectiveness of technology and information security risk management to ensure data and systems confidentiality, integrity, and availability.
6.2.2. Senior Management.
6.2.2.1. Responsible for implementing, reporting, and controlling processes and procedures to put into practice and operate the framework approved by the entity’s Board. This framework will be applied consistently throughout the financial entity, with all organizational levels understanding their responsibilities regarding the administration of this risk.
6.2.2.2. Responsible for ensuring that there are processes and procedures applicable to each business unit, aimed at managing the operational risk of the entity’s products, activities, processes, and systems.
6.2.2.3. Must establish clear lines of authority, responsibility, and communication with different management levels to foster and maintain the assumption of responsibilities.
6.2.2.4. Ensures sufficient resources exist for effective operational risk management.
6.2.2.5. Must evaluate whether the managerial monitoring process adapts to risks inherent in each business unit’s policies.
6.2.2.6. Receives reports from the operational risk unit or responsible person, and where applicable, from the functional level with decision-making capacity in risk management upon which that unit or person depends, related to execution results of processes and procedures, detection of possible deficiencies in operational risk management policies, processes, and procedures, and pertinent proposals for their correction. The financial entity will establish the periodicity of these reports according to its size, nature and complexity of products and processes, and magnitude of operations.
6.2.2.7. Reports to the Board at least semi-annually on main aspects related to operational risk management.
6.2.2.8. Regularly evaluates the design, implementation, and effectiveness of technology and information security risk management.
6.2.2.9. Ensures that the change management process in the entity is integral, has adequate resources, and is appropriately articulated between relevant lines of defense.
6.2.3. Management/Departments.
Management is responsible for applying, in different business units –according to their scope of competence– concrete processes and procedures according to the framework defined for operational risk management, ensuring that both procedures and controls are adequate and effective within their applied scope.
Likewise, they will report to the operational risk unit or responsible person regarding execution results of processes and procedures, with the periodicity established by the financial entity according to its size, nature and complexity of products and processes, and magnitude of operations.
6.2.4. Operational Risk Unit or Responsible Person.
The structure of the unit responsible for operational risk management will contemplate the following characteristics:
6.2.4.1. Adapts to the entity’s size, nature and complexity of products and processes, and magnitude of operations;
6.2.4.2. Must functionally depend on the General Management –or equivalent authority– or a functional level with decision-making capacity in risk management reporting to that Management;
6.2.4.3. Cannot be under internal audit, an area that –notwithstanding this– may contribute its expertise to developing the operational risk management framework and to constantly improving its administration;
6.2.4.4. May involve personnel from other areas provided assigned responsibilities do not imply conflicts of interest based on respective competencies;
6.2.4.5. There must be independence between the unit or person responsible for operational risk management and involved business units, as well as clear delineation of functions, responsibilities, and job profiles at all levels;
6.2.4.6. Must articulate the main processes the financial entity needs to manage operational risk, adopting mechanisms that allow effective communication, interaction, and coordination with responsible parties for other risks –which the entity possesses according to its definitions and requirements of the Central Bank of the Argentine Republic– and responsible parties for contracting external services;
6.2.4.7. Receives reports from Management with execution results of processes and procedures, with the periodicity established by the financial entity according to its size, nature and complexity of products and processes, and magnitude of operations;
6.2.4.8. Reports to General Management or, where applicable, to the functional level with decision-making capacity in risk management upon which it depends, the detection of possible deficiencies arising from applying operational risk management policies, processes, and procedures, and pertinent proposals for their correction, with the periodicity established by the financial entity according to its size, nature and complexity of products and processes, and magnitude of operations.
6.3. Operational Risk Management Process.
Effective management of this risk will contribute to preventing future losses derived from operational events. Consequently, financial entities must manage the inherent operational risk of their relevant products, activities, processes, and systems; additionally, prior to launching or presenting new products, starting activities, or implementing processes or systems, they must also verify that their inherent operational risk is adequately evaluated.
The operational risk management process will comprise the stages described below.
6.3.1. Identification and Assessment.
6.3.1.1. General Considerations.
For operational risk identification, internal factors –such as the financial entity’s structure and nature of activities– and external factors –such as sector changes and technological advances– that could affect process development and negatively influence projections made according to business strategies defined by the financial entity will be considered.
Financial entities must use internal data, establishing a process to systematically record and report the frequency, severity, categories, and other relevant aspects of loss events due to operational risk. Recording these events will contribute to reducing incidents and losses and to improving service and product quality.
The data collection process must be accompanied by an incentive policy that encourages recording, thereby promoting an organizational culture for reporting such data, and by controls that contribute to verifying consistency and integrity.
6.3.1.2. Tools.
Among the tools entities must use to identify and evaluate their operational risks, the following stand out:
i) Self-assessment of operational risks. Consists of evaluating inherent risk –before implementing controls and mitigation measures–, control environment effectiveness, and