Agreement No. 13 (2018) Modifying Agreement No. 10-2015 on Prevention of Misuse of Banking and Fiduciary Services

Republic of Panama Superintendence of Banks AGREEMENT No. 010-2015 (issued on July 27, 2015) "Prevention of the Misuse of Banking and Fiduciary Services"

THE BOARD OF DIRECTORS in the exercise of its legal powers, and

CONSIDERING:

That as a result of the issuance of Decree-Law No. 2 of February 22, 2008, the Executive Branch elaborated a systematic ordering in the form of a Single Text of Decree-Law No. 9 of February 26, 1998, and all its modifications, which was approved through Executive Decree No. 52 of April 30, 2008, hereinafter referred to as the Banking Law;

That Article 36 of Law No. 1 of January 5, 1984 establishes that the Superintendence of Banks will supervise and ensure the proper functioning of the trust business;

That in accordance with numeral 1 of Article 5 of the Banking Law, it is an objective of the Superintendence of Banks to ensure the solidity and efficiency of the banking system;

That in accordance with numeral 2 of Article 5 of the Banking Law, it is an objective of the Superintendence of Banks to strengthen and foster favorable conditions for the development of the Republic of Panama as an International Financial Center;

That Article 112 of the Banking Law establishes that banks and other supervised entities have the obligation to establish policies, procedures, and internal control structures to prevent their services from being used improperly for the crime of money laundering, terrorist financing, and other related or similar crimes;

That the Banking Law establishes in its Article 113 that banks and other supervised entities by the Superintendence will supply the information required by laws, decrees, and other regulations for the prevention of money laundering, terrorist financing, and other related or similar crimes or of similar nature or origin, currently in force in the Republic of Panama. It also indicates that they will be obligated to supply such information to the Superintendence when it so requires;

That in accordance with what is established in Article 114 of the Banking Law, banks and other supervised entities by the Superintendence will adopt policies, practices, and procedures that allow them to know and identify their clients and employees with the greatest certainty possible, with the Superintendence retaining the faculty to develop pertinent norms that adjust to the policies and norms currently in force in the country;

That Agreement No. 12-2005 of December 14, 2005 establishes measures to prevent the misuse of banking and fiduciary services;

That through Law No. 41 of October 2, 2000, modified by Law No. 1 of January 5, 2004, a Chapter titled "On Money Laundering" is added to Title XII of the Penal Code, in whose Article 1 the crime of money laundering is typified;

That through Law No. 50 of July 2, 2003, acts of terrorism and their financing are typified as an autonomous crime in the Penal Code and the respective sanctions are established;

Agreement No. 010-2015 Page 2 of 17

That through Law No. 23 of April 27, 2015, measures are adopted to prevent money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction;

That Article 19 of Law No. 23 of 2015 establishes as a supervisory organism, among others, the Superintendence of Banks;

That Article 20 numeral 7 of Law No. 23 of 2015 establishes among the attributions of supervisory organisms, to issue guidelines and feedback norms to obligated financial subjects, non-financial obligated subjects, and activities performed by supervised professionals for their application, as well as procedures for the identification of beneficial owners, of legal persons and other legal structures;

That in accordance with Article 22 of Law No. 23 of 2015, it corresponds to the Superintendence of Banks to supervise in matters of prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction; banks; trust companies and any other activity they perform; financial companies, financial leasing companies; factoring companies, issuers or processors of debit, credit, and prepaid cards, whether natural or legal persons, and entities issuing payment means and electronic money;

That as established in Law No. 23 of 2015 on the prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction, the Superintendence of Banks will correspond to supervise and regulate in matters of prevention of money laundering, other obligated subjects, in addition to banks and trust companies that were already under its supervision; and

That in working sessions of this Board of Directors, the need and convenience of updating the prevention measures of the misuse of banking and fiduciary services contemplated in Agreement No. 12-2005 has been manifested, in order to contemplate the new guidelines established in Law No. 23 of 2015 which adopts measures to prevent money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction.

AGREES:

ARTICLE 1. SCOPE OF APPLICATION. The provisions of this Agreement will apply to the following obligated subjects:

1. Banks.
2. Trust companies.
3. Banking Groups as established in Article 38.

ARTICLE 2. PREVENTION OF MONEY LAUNDERING, TERRORIST FINANCING, AND FINANCING OF THE PROLIFERATION OF WEAPONS OF MASS DESTRUCTION. Banks and trust companies must take the necessary measures to prevent their operations and/or transactions from being carried out with funds or on funds originating from activities related to the crimes of money laundering, terrorist financing, or financing of the proliferation of weapons of mass destruction, hereinafter "Prevention of Money Laundering." For this purpose, they have the obligation to comply with the terms in this Agreement and with the legal provisions related to this matter.

ARTICLE 3. MANUAL FOR THE PREVENTION OF MONEY LAUNDERING. Banks and trust companies must have a Manual for the Prevention of Money Laundering duly approved by the board of directors, which will contain the policies, mechanisms, and procedures established by the bank or trust company to prevent their operations from being carried out with funds originating from these activities. The policies adopted through this Manual must allow the effective and timely functioning of the money laundering prevention system of the bank or trust company and translate into rules of conduct and procedures that guide the action of the entity and its shareholders, which will be mandatory to comply with.

The Manual must be disseminated among all personnel of the banking or trust entity, and its update must be carried out continuously.

The updates made to the Manual must be brought to the knowledge of the Money Laundering Prevention Committee, who will carry out a preliminary approval, which will be ratified and approved by the Board of Directors, at least once (1) a year.

ARTICLE 4. CONSTITUTION OF THE MONEY LAUNDERING PREVENTION COMMITTEE IN BANKING ENTITIES. Banking entities must constitute a Money Laundering Prevention Committee, which will report directly to the bank's board of directors and which must be integrated at minimum by two (2) members of the board of directors, the general manager, the main executives of the areas of risk, compliance, business, operations, and internal audit. This Committee will have among its functions, the approval of the planning and coordination of money laundering prevention activities and, in addition, must have knowledge of the work developed and operations analyzed by the compliance officer, such as the implementation, progress, and control of its compliance program, among others.

The Committee will elaborate its internal work regulations, duly approved by the board of directors, which will contain the policies and procedures for the fulfillment of its functions, as well as the periodicity in which they will carry out their meetings, which must be at least every two (2) months. The decisions adopted in the Committee meetings must be recorded in minutes, which will be available to the Superintendence of Banks.

ARTICLE 5. CONCEPT OF CLIENT. For the purposes of this Agreement, a client will be understood as any natural or legal person, who establishes, maintains, or has maintained, habitually or occasionally, a contractual or business relationship with a Bank, or who receives fiduciary services from a trust company.

ARTICLE 6. BENEFICIAL OWNER. For the purposes of this Agreement, beneficial owner will be understood as the natural person(s) who owns, controls, or exercises significant influence over the account relationship, contractual or business relationship, or the natural person in whose name or benefit a transaction is carried out, which also includes natural persons who exercise final control over a legal person, trusts, and other legal structures.

ARTICLE 7. INTERBANK OPERATIONS. Any operation or transaction that arises as a result of an interbank relationship that the bank provides to foreign banks, will be subject to due diligence measures, which must be in accordance with the level of risk it represents.

Banks are prohibited from establishing or maintaining any type of interbank or correspondent relationship with banks that, whether they themselves or their head office, lack physical presence in their jurisdiction of origin or are not affiliated with a financial group subject to consolidated supervision.

Banks must ensure that they maintain special attention with banking entities located in jurisdictions that have weak norms for the prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction, according to lists issued by international organizations such as the Financial Action Task Force (FATF), among others.

ARTICLE 8. DUE DILIGENCE MEASURES FOR INTERBANK OPERATIONS. For the purposes of Article 7 of this Agreement, the due diligence process must include, among others, the following:

1. Ensure the existence and physical presence of the bank or its head office, and gather sufficient information on: a. The banking institution receiving the contracted service. b. Management. c. Its main commercial activities. d. The nature of the business of said entity. e. Determine, together with publicly available information, the reputation of the institution.
2. Confirm that the banking institution receiving the service has measures and controls for the prevention and detection of money laundering, in accordance with international standards.
3. Pay special attention when maintaining relationships with banks located in jurisdictions that have less demanding Know Your Customer norms than those established by this Superintendence.
4. Clearly establish and document, if necessary, the respective responsibilities of each bank on the due diligence processes regarding underlying clients in correspondent business.
5. Obtain the approval of senior management before establishing new correspondent relationships.

ARTICLE 9. CLIENT DUE DILIGENCE. Obligated subjects must maintain in their operations risk-based due diligence with their individual clients and with their resources that are the object of the contractual relationship, whether habitual or occasional, regardless of the amount of the operation, as well as keep it updated during its course. In addition, taking into consideration the category and risk profile of the client, they must pay special attention when carrying out transactions exceeding ten thousand balboas (B/.10,000.00), when unusual operations are detected, when there is suspicion of money laundering, as well as when the entity has doubts about the veracity or suitability of the information obtained on the identification of the client and/or ultimate beneficiary.

Obligated subjects must identify and verify the client and/or beneficial owner, requesting and consulting documents, data, or reliable information from independent sources, such as systems or tools that consolidate local and international information related to the prevention of money laundering (For example, OFAC list, United Nations list, among others).

The mechanisms for client and ultimate beneficiary identification, as well as verification and documentation, will depend on the risk profile of the obligated subjects, considering the types of clients, products, and services offered, the distribution or marketing channels used, and the geographical location of their facilities, their clients, and beneficial owners. In this sense, the following types of due diligence may be carried out:

1. Due diligence: set of norms, policies, processes, and actions that allow a reasonable knowledge of the qualitative and quantitative aspects of the client and the beneficial owner, with special attention to the client's financial and transactional profile, the origin of their wealth, and the continuous monitoring of their transactions or operations.
2. Enhanced or reinforced due diligence: set of norms, policies, processes, and actions more demanding and reasonably designed so that the knowledge of the client is intensified based on the results of the identification, evaluation, and diagnosis of the risks applied by the entity. This process must allow greater knowledge of the qualitative and quantitative aspects of the client and the beneficial owner, with special attention to the financial and transactional profile and the origin of their wealth, as well as a more demanding continuous monitoring in their transactions or operations so that the knowledge of the client is intensified based on the results of identification, evaluation, and diagnosis of the risks applied by the entity.
3. Simplified due diligence: set of basic or elementary norms, policies, processes, and actions, which based on the results of identification, evaluation, and risk diagnosis, the entity will apply to prevent money laundering crimes. Among the simplified due diligence measures, banks and trust companies may reduce the documentary review process, reduce the frequency of client identification updates, reduce the monitoring of the business relationship, or abstain from gathering information on the professional or business activity of the client.

The possible existing variables can increase or decrease the potential risk they represent, thus impacting the level of due diligence measures. In case there is a higher risk, stricter measures must be taken, and in case the risk is lower, simplified due diligence measures may be adopted, provided there is an adequate risk analysis.

PARAGRAPH 1. The Superintendence of Banks may, in attention to the risk profile of each obligated subject, establish different amounts on which special attention must be paid when carrying out due diligence.

PARAGRAPH 2. Banks must keep their database updated and available to the supervisors of the Superintendence of Banks.

ARTICLE 10. MINIMUM REQUIREMENTS OF DUE DILIGENCE. Due diligence on clients and their resources, whether natural or legal persons, consists at minimum, in doing the following:

1. Elaborate a client profile.
2. Maintain documentation and monitoring of the financial transactions of their clients.
3. Give particular follow-up to those clients who carry out operations for amounts of ten thousand balboas (B/. 10,000.00) or more, taking into consideration the category and risk profile of the client.
4. Review at least every six (6) months the operations of their clients, carried out habitually and in cash for amounts exceeding ten thousand balboas (B/. 10,000.00), with the purpose of determining if the criteria of habitualness established by the entity are maintained.
5. Pay special attention and take pertinent measures for high-risk clients, including those clients identified as Politically Exposed Persons (PEPs).

Banking entities belonging to a banking group may rely on the banking group's compliance structure to carry out due diligence.

ARTICLE 11. METHOD FOR THE RISK CLASSIFICATION OF CLIENTS. Each obligated subject must design and adopt a methodology for the risk classification of clients, which must contain the following elements at minimum:

1. General concept.
2. Minimum criteria or variables for the analysis of the client's risk profile.
3. Description of the classification and risk categories of clients.
4. Definition of models for the establishment of the client's risk profile.
5. Design and description of risk matrices.

The client risk classification method and its updates must be approved by the Money Laundering Prevention Committee and sent annually to the Superintendence of Banks for verification.

The Superintendence of Banks will carry out the actions to verify that the client classification methodology is reasonable according to the volume and nature of the operations carried out by the obligated subject, as well as with the client profile it attends.

In cases where it is determined that the classification methodology is insufficient or inadequate, the Superintendence may require the obligated subject to take the measures corresponding to its correction or clarification within the timeframe it establishes.

ARTICLE 12. CLIENT RISK CATEGORIES. The obligated subject must assign a risk category to each client, which will be based on the description of an individual risk profile, for which the obligated subject must design and implement a client risk classification methodology. The obligated subject must take this classification into consideration to establish the type of due diligence and monitoring programs that will be applied.

For the establishment of the categorization and risk profile of clients, the following aspects will be considered, at minimum:

1. Differentiation of relationships with clients by risk categories, depending on whether high, medium, or low risk categories are used.
2. The criteria to establish the risk categories.
3. The additional documentary requirements to comply with the "know your client and/or beneficial owner" policy for each risk category established by the obligated subject.

ARTICLE 13. MINIMUM CRITERIA OR VARIABLES FOR THE ANALYSIS AND DESCRIPTION OF THE CLIENT'S RISK PROFILE. For the analysis and description of the risk profile of each client, obligated subjects will select from the following criteria or variables, without being limited to these:

1. Nationality.
2. Country of birth or country of incorporation.
3. Country of domicile.
4. Profession or trade.
5. Geographical zone of the client's business activities.
6. Economic and financial activity of the client.
7. Type of legal structure used, where applicable.
8. Type, amount, and frequency of transactions (sent and received, national and international).
9. Origin of resources (national and international).
10. Politically Exposed Persons (PEPs).
11. Products, services, and channels used by the client.

The criteria or variables used for the analysis and description of the client's risk profile must be described in the methodology for the risk classification of clients that the bank uses.

ARTICLE 14. CLIENT PROFILE FOR NATURAL PERSONS. When dealing with natural persons, banks and trust companies must elaborate a client profile which will include a form designed by the entity that will contain written information, as well as the documents that support said information. The client profile must count, at minimum, with the following information and documentation, which must be obtained before initiating the commercial relationship with the client:

1. Identification and verification of the client: full name, age, sex, employment or labor situation, marital status, profession or occupation, nationality, residence, and suitable identity document of the client.

For the purposes of the suitable identity document, when it is a person of Panamanian nationality, it will be the personal identity card, or the official form of application for the identity card while said document is in process.

It will also be acceptable the passport when it is a person of Panamanian nationality residing abroad.

When it is a foreigner, the suitable identity document will be the passport.

To satisfy this requirement, it will only be necessary to keep a copy of the page(s) where the photograph, signature, and general information of the client appear and the page where the entry stamp to the country is stamped. In the case of clients who have been captured by the bank through visits abroad or when the capture is carried out by agents of entities affiliated with the group, or when the linkage is carried out by banks with an international license, the requirement of a copy of the passport page where the entry stamp to the country is stamped will not apply. These clients

Agreement No. 010-2015 Page 7 of 17

may also be identified through the official identification document of their country of origin in which their photograph, general information, and signature appear.

Foreigners who have obtained residency in Panama may also be identified through the personal identity card issued by the Electoral Tribunal of Panama.

Persons who are in our country under migratory status of permanent resident in condition of refugee or asylum seeker, may be identified through the refugee card issued by the National Migration Service.

In any case, the document must be valid at the time of its presentation for the account opening procedure.

For purposes of update in the respe