Securities Industry (Regulatory Sandbox Licensing) Guidelines 2026

Page 1 of 42 ‘Ensuring Investor Protection’ SECURITIES AND EXCHANGE COMMISSION, GHANA SECURITIES INDUSTRY (REGULATORY SANDBOX LICENSING) GUIDELINES 2026 SEC/GUI/001/03/2026

Page 2 of 42 SECURITIES INDUSTRY (REGULATORY SANDBOX LICENSING) GUIDELINES 2026 ARRANGEMENT OF GUIDELINES

1. INTRODUCTION
2. OBJECTIVES OF THE GUIDELINES
3. ELIGIBILITY
4. APPLICATION PROCESSES
5. DOCUMENTS REQUIRED
6. APPROVAL PROCESSES
7. SELECTION CRITERIA
8. REJECTION OF AN APPLICATION
9. SAFEGUARDS, TERMS AND CONDITIONS
10. EXTENDING OR EXITING THE SANDBOX
11. TERMINATION OF THE REGULATORY SANDBOX LICENCE
12. EXITING AND TERMINATION OBLIGATIONS
13. REPORTING OBLIGATIONS
14. POWER OF THE SEC TO ISSUE DIRECTIONS
15. FEES AND COSTS
16. APPEALS OR REVIEW MECHANISM
17. MISCELLANEOUS
18. SUPERVISORY OBLIGATION
19. DEFINITION OF TERMS
20. ANNEXES – APPLICATION FORM

Page 3 of 42 SECURITIES INDUSTRY (REGULATORY SANDBOX) LICENSING GUIDELINES 2026 In the exercise of the powers conferred on the Securities and Exchange Commission (hereinafter referred to as the “SEC”) by sections 3 and 209 of the Securities Industry Act, 2016 (Act 929), as amended by the Securities Industry (Amendment) Act, 2021 (Act 1062), and pursuant to section 71 of the Virtual Asset Providers Act, 2025 (Act 1154), these Guidelines are issued this 9th day of March 2026.

1. INTRODUCTION (1) The SEC, pursuant to its mandate to regulate and promote the development of an efficient, fair and transparent market, seeks to encourage responsible innovation by permitting capital market activities, products, services and business models to be tested in a controlled environment, with the potential for wider adoption in Ghana and beyond, while ensuring investor protection, market integrity and financial stability. (2) These Guidelines shall establish a controlled, live testing environment under the Regulatory Sandbox, subject to defined eligibility criteria, parameters, safeguards, reporting obligations, and supervisory oversight as determined by the SEC. Participation in the Regulatory Sandbox shall be subject to such terms, conditions and restrictions as the SEC may impose. (3) The Regulatory Sandbox shall operate in a risk-based, proportionate and technology-neutral manner, having regard to the nature, scale, complexity and risks of the innovation, and the need to ensure investor protection, market integrity and financial stability. (4) For the avoidance of doubt, these Guidelines shall apply to any innovation, arrangement, activity, entity, system, platform, infrastructure or related function that falls within or relates to the regulatory mandate of the SEC, whether technology-enabled or otherwise, including activities conducted wholly or partly within Ghana or having an impact on the Ghanaian capital market or investors. (5) The SEC shall determine the applicability of these Guidelines and may, where necessary, issue notices, directives, supplementary guidance or impose additional requirements, conditions, or safeguards for their effective implementation and supervision. (6) These Guidelines supersede and replace any previous guidelines or requirements on Regulatory Sandbox in the capital market including Securities Industry (Regulatory Sandbox

Page 4 of 42 Licensing) Guidelines 2020 with number SEC/GUI/006/10/2020 issued on 8th day of October 2020. 2. OBJECTIVES OF THE GUIDELINES (1) These Guidelines shall provide a framework for the issuance of Regulatory Sandbox Licences to facilitate the testing of innovative capital market activities, products, services, business models, market infrastructure, or related services for which existing legal or regulatory provisions may be absent, inadequate or evolving. (2) The objectives of the Regulatory Sandbox include, without limitation, to: (a) facilitate responsible innovation that delivers demonstrable value to investors and the capital market; (b) ensure appropriate safeguards for investor protection, market integrity and financial stability; (c) enable controlled and time-bound testing of innovative capital market solutions, including those involving virtual or digital assets and other emerging technologies, within a risk-based, proportionate and technology-neutral regulatory framework; (d) enable the SEC to assess risks, operational models, and regulatory implications of emerging technologies, business models, and capital market arrangements; and (e) support the development of appropriate regulatory frameworks, supervisory approaches, and policy responses based on evidence obtained from Sandbox testing. 3. ELIGIBILITY (1) A person shall not be eligible for the grant of a Regulatory Sandbox Licence by the SEC unless the Applicant has fully complied with applicable laws of incorporation and has the legal capacity, authority, operational capability and financial resources commensurate with the nature, scale and risks of the proposed Sandbox activity, to conduct the proposed Sandbox activity in a safe, secure and orderly manner (2) An Applicant shall comply with all Fit and Proper criteria specified in the Securities Industry (Licensing) Guidelines, 2020, as well as any additional Fit and Proper requirements prescribed by the SEC, including those introduced or updated from time to time. (3) An Applicant shall provide a detailed testing plan including: (a) clear objectives, methodologies and timelines;

Page 5 of 42 (b) defined parameters such as user limits, transaction caps and geographic scope; (c) measurable expected outcomes and success criteria; (d) evidence of prior proof-of-concept testing where applicable; and (e) where the proposed innovation involves virtual or digital assets, distributed ledger technology, or similar technological arrangements, the Applicant shall demonstrate: (i) a clearly defined custody or asset control model, including whether assets are held in self-custody, hosted custody, or through third-party arrangements; (ii) governance arrangements for Private Key Management, transaction authorisation, and operational continuity; (iii)systems and controls for transaction monitoring, blockchain or distributed ledger analytics, and sanctions screening; and (iv) full disclosure of all material third-party service providers, including technology, custody, liquidity, infrastructure and compliance service providers. (4) An Applicant deploying a virtual or digital asset–based solution, including decentralised autonomous organisations (DAOs), semi-decentralised arrangements, or protocol-based governance structures, shall be eligible for consideration, provided that the Applicant demonstrates: (a) the existence of accountable natural persons or legal entities responsible for the proposed Sandbox activity; (b) adequate governance, risk management, internal control and oversight arrangements proportionate to the nature, scale, complexity and risk profile of the Sandbox activity; and (c) effective mechanisms for regulatory access, oversight and supervision by the SEC. (5) Without prejudice to the foregoing, an Applicant shall submit, as part of its application, a winding up and failure management plan demonstrating how the Applicant will; (a) cease operations in an orderly manner; (b) settle all outstanding customer obligations; (c) safeguard customer assets and data; and (d) notify customers and the SEC immediately, of any material incidents or termination of testing. (6) An Applicant shall demonstrate its ability and readiness to establish and maintain a physical presence in Ghana and appoint one or more responsible officers, representatives, or

Page 6 of 42 designated personnel accountable to the SEC for regulatory engagement, supervision, compliance and enforcement. (7) In the case of a foreign Virtual Asset Service Provider, the Applicant shall provide satisfactory evidence that it is duly licensed, authorised, or subject to regulatory oversight in its home jurisdiction, and that such licence remains valid and in good regulatory standing. The Applicant’s home Regulator must be a full signatory to the International Organisation of Securities Commissions (IOSCO) Multilateral Memorandum of Understanding, or must have an information-sharing or capacity-building Memorandum of Understanding with the SEC. The Applicant shall further provide evidence of compliance with applicable regulatory requirements in its home jurisdiction, including a confirmation that no material regulatory prohibition, enforcement action, or supervisory restriction exists that would impair its ability to operate within the Sandbox. The Applicant shall also provide such additional information-sharing, supervisory cooperation, or cross-border oversight arrangements as the SEC may require. (8) The SEC may impose additional eligibility requirements proportionate to the nature, scale, complexity, and risk profile of the proposed Sandbox activity. 4. APPLICATION PROCESSES (1) An Applicant seeking a Regulatory Sandbox Licence shall submit an application in the prescribed form set out in ANNEX A, together with all required supporting documents and information, to the SEC for consideration. (2) Licensees of the SEC, or other firms that wish to provide capital market services or Financial Technology ‘FinTech’ firms operating within the capital market space and professional services firms partnering with or providing support to such businesses (the “Applicants”) may apply using ANNEX A to enter a regulatory Sandbox (the “Sandbox”) to test innovative capital market products and services in the production environment but within a well￾defined space and duration. (3) The Sandbox shall include appropriate safeguardsto contain the consequences of failure and maintain the overall safety and soundness of the capital market. (4) Depending on the capital market service or the provision of support to the capital market service provider to be tested, the Applicant involved and the application made, the SEC shall

Page 7 of 42 determine the specific legal and regulatory requirements which it is prepared to relax for each case. Any such relaxation shall be consistent with the statutory powers of the SEC and shall not extend to requirements imposed directly by primary legislation unless expressly permitted by law. Please refer to ANNEX B for examples of the legal and regulatory requirements that the SEC may consider relaxing for the duration of the Sandbox, as well as those which the SEC intends to maintain. (5) An Applicant shall engage the SEC prior to submission to clarify regulatory expectations and suitability for Sandbox testing. Such engagement shall not be construed as approval or endorsement by the SEC. (6) An Applicant seeking to test a virtual or digital asset–based capital market activity may apply under a designated Virtual Asset Sandbox Track and shall provide such additional technical, operational, legal and risk disclosures as the SEC may prescribe. 5. DOCUMENTS REQUIRED (1) An application for a Regulatory Sandbox Licence shall not be considered complete or accepted for assessment unless the following documents, or such other information as the SEC may require, are submitted: (a) Business registration or incorporation documents applicable to the Applicant; (b) A three (3) to five (5) year business plan, including a feasibility study, outlining the proposed capital market activity or related services to be undertaken; (c) The business plan shall include, at a minimum: i. A detailed description of the proposed activity or product; ii. Financial forecasts and projections; iii. Initial investment and capital structure; iv. Funding sources; and v. Identification of any regulatory constraints or compliance considerations relating to the proposed activity. (d) Audited financial statements for the past three (3) years for an existing company (or for the number of years in existence, where less than three (3) years), or an audited statement of affairs, as applicable; (e) Details of promoters, beneficial owners and directors of the Applicant, where applicable;

Page 8 of 42 (f) Disclosure of all material third-party service providers, outsourcing arrangements, technology partners, custodians, liquidity providers, or other operational dependencies relevant to the proposed Sandbox activity; (g) Any other information or documents that the SEC may require of the Applicant including those prescribed in Annex A and any applicable Supplementary Annexes; and; (h) Details of any existing relevant regulatory approvals, authorisations or applicable regulatory framework. 2. Where an Applicant applies under the Virtual Asset Sandbox Track, the Applicant shall, in addition to the documents and information required in Annex A, submit such additional documents, disclosures, and information as prescribed in Annex A-Addendum (Virtual Asset Sandbox Application Requirements). 3. The Applicant shall ensure that all information and documents submitted to the SEC are true, accurate, complete, and not misleading in any material respect, and shall promptly notify the SEC of any material change affecting the accuracy or completeness of such information. 4. The SEC may verify any information provided by the Applicant and may request confirmation from third parties, including regulators, auditors, or service providers, where necessary, and may require additional documents, explanations, clarifications, or supporting information at any stage of the application, assessment, or Sandbox period. 6. APPROVAL PROCESSES (1) The approval process shall not exceed ninety (90) days from the date the SEC determines that the application is complete and satisfactory for assessment. Where the period of approval process extends beyond 90 days, the SEC shall inform the Applicant in writing, specifying any outstanding conditions, deficiencies, additional documents required, or reasons for the delay, where applicable. For the avoidance of doubt, the lapse of the ninety (90) day period shall not be construed as automatic approval of the application. (2) Notwithstanding paragraph (1), the SEC may suspend, defer, or discontinue the approval process where material risks, deficiencies, regulatory concerns, or incomplete or unsatisfactory information are identified. (3) Approval shall be communicated in writing and evidenced by the issuance of a

Page 9 of 42 Regulatory Sandbox Licence, subject to such terms, conditions, restrictions, and safeguards as the SEC may impose. (4) Upon approval, the Applicant shall become the Entity responsible for deploying and operating the Sandbox (the “Sandbox Entity”), and the SEC may provide temporary regulatory support by relaxing specific legal and regulatory requirements that would otherwise apply to the Sandbox Entity for the duration of the Sandbox, subject to the statutory powers of the SEC. (5) Any approval granted under this paragraph shall be subject to the safeguards, terms and conditions set out in paragraph 9 of these Guidelines and any additional requirements imposed by the SEC, and the SEC may amend, impose, or withdraw such conditions where necessary. (6) Upon successful completion of testing and on exiting the Sandbox, the Sandbox Entity shall fully comply with all applicable legal and regulatory requirements, including any licensing or registration requirements applicable to its activities. (7) Approval to participate in the Sandbox shall not be construed as an endorsement, authorisation, or permanent licence to conduct regulated activities outside the Sandbox, unless otherwise expressly granted by the SEC. 7. SELECTION CRITERIA (1) An Applicant seeking a Regulatory Sandbox Licence shall demonstrate that: (a) the product or service is genuinely innovative or applied in an innovative manner and not substantially similar to products or services already available for which market operators are licensed by the SEC; (b) the product or service has clear potential to benefit the market and investors in identifiable ways; (c) the Applicant has assessed and demonstrated the usefulness and functionality of the product or service and has the capacity to identify, assess, mitigate, and manage associated risks effectively; (d) adequate governance arrangements are in place, including identifiable accountable persons or legal entities responsible for compliance, risk management, and oversight of the Sandbox activity; (e) the Applicant has established mechanisms for investor complaints handling, dispute

Page 10 of 42 resolution and client compensation or redress, where required by the SEC; (f) the Applicant has identified regulatory gaps or constraints relevant to the proposed activity; (g) the Applicant intends, and has the reasonable capability and commitment, to deploy the product or service on a commercial scale in Ghana upon successful completion of the Sandbox period, subject to compliance with applicable legal and regulatory requirements; (h) where the application involves virtual or digital assets, distributed ledger technology, tokenisation including the tokenisation of securities, real-world assets, commodities, financial instruments, or other asset classes, automated systems, or other emerging technologies, the Applicant shall clearly identify and characterise the nature, structure, and operation of the asset, service, activity, protocol, platform, or supporting infrastructure, having regard to its economic substance, functional features, governance arrangements, control mechanisms, technological dependencies, and risk profile, and shall outline the material legal, regulatory, operational, technological, and financial risks associated with such activity; (i) for proposed activities involving virtual or digital assets or other higher-risk technological arrangements, the Applicant shall demonstrate the capacity to implement and comply with applicable anti-money laundering, counter-terrorist financing, fraud prevention, and sanctions obligations on a risk-based basis, including the ability to monitor, detect, prevent, and report suspicious activities where required; (j) the Applicant has demonstrated sufficient technological capability, including cybersecurity, data protection and operational resilience measures, to support the proposed Sandbox activity; (k) the Applicant has developed preliminary plans for the orderly winding-down or termination of the Sandbox activity, including the protection of customer assets and data, in the event of failure or exit; (2) The SEC may, at any time, determine, interpret, designate, or reclassify the legal, regulatory, or supervisory status of any activity, product, service, asset, business model, technological arrangement, or operational structure proposed or conducted within the Sandbox. Such determination, interpretation, designation or reclassification shall be based on the economic substance, functional characteristics, operational reality, or risk profile, irrespective of the

Page 11 of 42 form, label, terminology, or classification provided by the Applicant. (3) Any other conditions that the SEC may require of an applicant. 8. REJECTION OF AN APPLICATION (1) The SEC may reject an application for a Regulatory Sandbox Licence on any of the following grounds: (a) where the SEC is of the opinion that the proposed capital market activity, product, service, business model, or technological arrangement is against public policy or the public interest; (b) where the SEC is of the opinion that the risks to customers, investors, market integrity, financial stability, or the capital market cannot be adequately mitigated through Sandbox safeguards, operational limits, supervisory measures, or other regulatory controls; (c) where the SEC is of the opinion that it does not have sufficient supervisory, technical, operational, or regulatory capacity to effectively supervise, monitor, or regulate the proposed activity; (d) where the proposed activity presents unresolved legal, regulatory, operational, or technological issues, including uncertainty relating to regulatory classification, supervisory authority, enforceability, or regulatory treatment; (e) where the Applicant fails to demonstrate adequate governance arrangements, accountable persons, risk management systems, or effective mechanisms for regulatory access, supervision, or oversight; (f) where the Applicant is unable to demonstrate compliance with applicable anti-money laundering, countering the financing of terrorism, fraud prevention, sanctions or other applicable legal or regulatory requirements, or where the proposed activity presents an unacceptable risk of illicit financial activity or consumer harm; (g) where the structure, technology or operational arrangement materially limits the SEC’s ability to supervise, monitor, enforce or exercise effective regulatory oversight; (h) where the proposed activity cannot be appropriately controlled, supervised, suspended or terminated in an orderly manner; (i) where the Applicant has provided false, misleading, incomplete, or inaccurate information, and in addition to rejecting the application; i. impose administrative sanctions or penalties as permitted under applicable laws

Page 12 of 42 and regulations; and ii. refer the matter for civil or criminal action where appropriate. (j) on any other ground that the SEC considers appropriate in the interest of investor protection, market integrity, financial stability, or the orderly development of the capital market. (2) Where the SEC rejects an application, the SEC shall notify the Applicant in writing, providing the reasons for the rejection, provided that the SEC shall not be obliged to disclose confidential supervisory assessments or sensitive regulatory information. (3) A rejection of an application shall not prevent the Applicant from submitting a new application at a later date, subject to addressing the deficiencies identified by the SEC. 9. SAFEGUARDS, TERMS AND CONDITIONS (1) The SEC may issue a Regulatory Sandbox Licence subject to such safeguards, terms and conditions, including requiring the Applicant to: (a) implement appropriate consumer protection measures, including clear disclosure to customers that the activity is conducted within a Regulatory Sandbox and disclosure of all material risks associated with participation; (b) maintain adequate governance, risk management, internal control and oversight arrangements proportionate to the nature, scale and risk profile of the Sandbox activity; (c) operate strictly within the scope, limits, parameters and duration approved by the SEC and shall not materially expand, modify or alter the Sandbox activity without prior written approval; (d) designate one or more identifiable responsible officers or accountable persons with sufficient authority to ensure compliance with these Guidelines and to serve as regulatory liaison with the SEC; (e) maintain adequate financial, operational, technological and human resources necessary for the safe, secure and orderly conduct of Sandbox testing; (f) implement appropriate operational, technological, cybersecurity and data protection safeguards proportionate to the risks presented; (g) establish and maintain appropriate mechanisms for handling customer complaints, incidents, system failures and operational disruptions;

Page 13 of 42 (h) ensure proper protection and safeguarding of customer assets, funds, data and transactional information, where applicable; (i) maintain proper records of Sandbox activities, transactions, incidents, customer interactions and operational events, and make such records available to the SEC upon request; (j) cooperate fully with the SEC and provide timely access to records, systems, personnel and information necessary for supervisory, regulatory and enforcement purposes. (2) Where the Sandbox activity involves customer funds, custody of assets, virtual or digital assets, tokenisation, distributed ledger technology, automated systems, cross-border infrastructure, financial intermediation, or similar risk-bearing arrangements, the SEC may impose additional safeguards proportionate to the risks identified, including requiring the Applicant or Sandbox Entity to: (a) implement enhanced customer disclosure, risk acknowledgement or customer protection measures; (b) implement appropriate anti-money laundering, countering the financing of terrorism, fraud prevention and sanctions compliance measures proportionate to the nature, structure and risk profile of the Sandbox activity; (c) establish appropriate asset protection, safeguarding, segregation, escrow, custody, trust, insurance, or equivalent arrangements where customer assets or funds are involved; (d) implement enhanced operational, technological, cybersecurity or resilience safeguards; (e) implement enhanced reporting, supervisory access, audit, monitoring or assurance requirements; (f) implement customer compensation, redress, contingency or recovery arrangements where appropriate; and (g) implement such other safeguards as the SEC considers necessary having regard to the risks presented by the Sandbox activity. (3) The applicability and scope of additional safeguards shall be determined by reference to the operational structure, risk profile, technological design and potential impact of the Sandbox activity. (4) A Sandbox Entity shall ensure regulatory access to the SEC for effective supervision and

Page 14 of 42 oversight over the Sandbox activity at all times. (5) A Sandbox Entity shall not implement any operational, technological, legal or structural arrangement that prevents effective regulatory oversight, supervisory access, regulatory monitoring or enforcement by the SEC. (6) Where required by the SEC, a Sandbox Entity shall establish a physical presence in Ghana or designate responsible persons authorised to act on its behalf for regulatory, supervisory and enforcement purposes. (7) The SEC may, at any time: (a) impose additional safeguards, terms or operational limits; (b) modify existing safeguards; (c) require additional reporting, disclosures, audits or supervisory access; or (d) issue directions necessary for investor protection, market integrity or financial stability. (8) Failure to comply with any safeguards, terms, conditions or directions imposed by the SEC may result in suspension, restriction or termination of the Regulatory Sandbox Licence, or such other regulatory or enforcement action as the SEC considers appropriate. (9) A Regulatory Sandbox Licence shall be limited in scope and duration and shall not constitute a full licence, permanent authorisation, or approval to conduct regulated activities beyond the Sandbox unless otherwise expressly granted by the SEC. (10) The SEC may determine shorter or longer testing periods depending on the nature, scale, complexity, and risk profile of the Sandbox activity, and may impose phased testing timelines, milestones, or review checkpoints as part of the Sandbox Licence conditions 10. EXTENDING OR EXITING THE SANDBOX (1) At the end of the Sandbox period, the legal and regulatory requirements relaxed by the SEC shall cease to apply, and the Sandbox Entity shall exit from the Sandbox, unless the SEC approves an extension or grants the Sandbox Entity a licence or authorisation to operate under the applicable legal and regulatory framework. (2) Where the Sandbox Entity requires an extension of the Sandbox period, the Sandbox Entity shall apply to the SEC at least one (1) month before the expiration of the Sandbox period, providing reasons to support the application for extension. The SEC shall review the application and approval may be granted on such terms and conditions as the SEC considers

Page 15 of 42 appropriate. The SEC’s decision on the application shall remain final. (3) Upon exit from the Sandbox, the Sandbox Entity may deploy the product or service on a broader scale, subject to obtaining all required licences, registrations, approvals, or authorisations under applicable laws, provided that: (a) the SEC and the Sandbox Entity are satisfied that the Sandbox has achieved its intended test outcomes; and (b) the Sandbox Entity demonstrates full compliance with all applicable legal and regulatory requirements. (4) The SEC may direct a Sandbox Entity to exit the Sandbox at any time where: (a) the Sandbox Entity has achieved its testing objectives; (b) the Sandbox Entity fails to comply with the safeguards, terms, or conditions of the Sandbox Licence; (c) the Sandbox activity presents unacceptable risks to investors, the capital market, or financial stability; or (d) the SEC considers such exit necessary in the public interest. (5) Upon exit from the Sandbox, the Sandbox Entity shall cease all Sandbox activities unless otherwise authorised by the SEC. 11. TERMINATION OF THE REGULATORY SANDBOX LICENCE (1) The grounds for termination of the Regulatory Sandbox licence may include where: (a) the Sandbox Entity fails to commence the business for which the Regulatory Sandbox Licence was issued within three (3) months of the issuance of the licence; (b) the Sandbox Entity breaches any term or condition under which the licence was issued; (c) the SEC is of the opinion that the Sandbox Entity has failed or is failing to ensure adequate risk controls; (d) the SEC is of the opinion that the Sandbox Entity is unable to comply with the conditions or safeguards imposed under the licence; (e) the SEC determines that the Sandbox activity has not met its stated objectives or testing outcomes within the agreed parameters and timeline; (f) the Sandbox Entity is unable to comply fully with the applicable legal and regulatory requirements upon the expiry of the Sandbox period;

Page 16 of 42 (g) a material flaw is identified in the capital market activity, product or service under testing such that the risks posed to customers or the capital market outweigh the benefits of continued testing, and the flaw cannot reasonably be resolved within the Sandbox period; (h) the Sandbox Entity breaches any condition imposed by the SEC for the duration of the Regulatory Sandbox Licence; (i) the Sandbox Entity notifies the SEC of its decision to exit the Sandbox voluntarily; and (j) the SEC considers termination necessary in the interest of investor protection, market integrity, financial stability, or the public interest. (2) The SEC may terminate a Regulatory Sandbox Licence at any time by written notice to the Sandbox Entity, specifying the effective date of termination. (3) Upon termination of the Regulatory Sandbox Licence, the Sandbox Entity shall immediately cease all Sandbox activities, unless otherwise authorised by the SEC, and shall comply with such directions as the SEC may issue, including directions relating to: (a) the orderly cessation of Sandbox operations; (b) the protection and return of customer assets; (c) the resolution of outstanding customer obligations; (d) the handling and protection of customer data; and (e) the submission of final reports or information required by the SEC. (4) Termination of a Regulatory Sandbox Licence shall not affect any obligation, liability, or enforcement action arising from activities conducted during the Sandbox period. 12. EXITING AND TERMINATION OBLIGATIONS (1) A Sandbox Entity shall not cease operations, suspend testing, or exit the Sandbox without the prior written approval of the SEC, except where termination is directed by the SEC under these Guidelines. (2) A Sandbox Entity shall ensure that all obligations to customers in respect of the activity, product or service under testing are fully discharged, settled, or otherwise appropriately addressed before exiting the Sandbox or discontinuing testing. (3) The SEC may issue such additional directions or impose such conditions as it considers necessary for the protection of investors, market integrity, or orderly exit from the

Page 17 of 42 Sandbox. (4) Upon successful completion of Sandbox testing involving virtual or digital assets, distributed ledger technology, tokenisation, automated systems, or other emerging technologies, the SEC may, where appropriate, grant conditional or restricted authorisation, transitional approval, or a phased compliance arrangement pending the Sandbox Entity’s full compliance with applicable legal and regulatory requirements. (5) The Sandbox Entity shall submit a final exit report to the SEC in such form and within such timeframe as the SEC may require, including details of testing outcomes, customer impact, incidents, and measures taken to ensure orderly exit. (6) The Sandbox Entity shall continue to cooperate with the SEC and provide access to records, systems, personnel, and information relating to Sandbox activities, as may be required by the SEC. 13. REPORTING OBLIGATIONS (1) The Sandbox Entity shall submit to the SEC such reports, information and disclosures relating to its activities during the licence period as the SEC may determine, including on a daily, weekly, monthly, quarterly or annual basis, or any combination thereof, as specified in the conditions of the licence, and in such form and manner as the SEC may prescribe. All submissions involving VASPs shall be made using the templates provided in ANNEX D, including the KPI & Risk Disclosure Template and the Consumer Risk Statement Template. (2) The Sandbox Entity shall notify the SEC in writing within seven (7) days of any material change in ownership, control, governance structure, key personnel, business model, risk profile or operational arrangements previously submitted to the SEC as part of its Sandbox application or licensing process. (3) A Sandbox Entity shall notify the SEC immediately, and in any event not later than twenty-four (24) hours, of any material incident, including system failure, cyber￾incident, data breach, fraud event, operational disruption or significant customer impact, and shall provide such follow-up reports and remediation updates as the SEC may require. (4) A Sandbox Entity testing a virtual or digital asset–based activity shall, upon exit from the Sandbox, submit a post-implementation report within thirty (30) days outlining:

Page 18 of 42 (i) testing outcomes and performance results, including all relevant KPIs as provided in ANNEX D; (ii) risk events and mitigation measures, as reported in the Risk Disclosure Template in ANNEX D; (iii) consumer impact and protection measures, including evidence of provision and acknowledgment of the Consumer Risk Statement Template in ANNEX D; and (iv) regulatory observations and lessons learned to support ongoing policy and supervisory development. (5) The SEC may require the submission of supporting documents, data, system records or any additional information necessary to verify or assess any report submitted under this paragraph. (6) All reports, information and disclosures submitted under this paragraph shall be true, accurate, complete and not misleading in any material respect. Compliance with the templates and certifications in ANNEX D shall be considered binding, and failure to comply may result in rejection, suspension, or termination of the Sandbox Licence. 14. POWER OF THE SEC TO ISSUE DIRECTIONS (1) The SEC may issue such directions as it considers necessary or expedient in the public interest, for the protection of investors, or for the maintenance of market integrity, or for effective supervision of Sandbox activities, including directions to: (a) restrict or modify Sandbox activities; (b) impose additional safeguards, conditions or reporting requirements; or (c) suspend or require cessation of testing. (2) A Sandbox Entity shall comply with any direction issued by the SEC under this paragraph. (3) Directions may be issued at any time during the Sandbox period, including extensions or upon exit, and shall be proportionate to the risks identified, and shall remain binding on the Sandbox Entity until withdrawn, varied, or revoked by the SEC. (4) Failure to comply with a direction issued under this paragraph may result in suspension, variation, or termination of the Regulatory Sandbox Licence, or any other enforcement action as the SEC considers appropriate.

Page 19 of 42 (5) Without prejudice to the foregoing, the SEC may require temporary system access, data access, transaction information or operational controls necessary for supervisory monitoring. 15. FEES AND COSTS (1) An Applicant or Sandbox Entity shall pay the fees prescribed by the SEC in respect of Sandbox applications and activities undertaken pursuant to these Guidelines. (2) The applicable fee structure, including application fees, licensing fees, supervisory fees, and any other applicable charges, shall be communicated by the SEC and shall be payable in such manner and within such timeframe as the SEC may specify. (3) The SEC may vary, review, or update applicable fees from time to time as it considers necessary. (4) Fees paid under these Guidelines shall be non-refundable, unless otherwise determined by the SEC. (5) The Sandbox Entity shall bear all costs associated with compliance with these Guidelines, including costs relating to audits, independent assurance, technical assessments, reporting, and implementation of safeguards, where required by the SEC. 16. APPEALS OR REVIEW MECHANISM (1) Applicants or Sandbox Entities may request a review of SEC decisions relating to rejection of applications, directions issued, or licence suspension, variation, or termination, by submitting a written request to the SEC stating the grounds for the review. (2) Any request for review shall be submitted within fourteen (14) days of notification of the SEC’s decision, or such other period as the SEC may permit. (3) Reviews shall be conducted in accordance with procedures prescribed by the SEC, and the SEC may affirm, vary, or reverse its decision. (4) The submission of a request for review shall not suspend, delay, or affect the implementation of the SEC’s decision, unless the SEC expressly determines otherwise in writing. (5) The decision of the SEC following a review shall be final, without prejudice to any rights available under applicable law

Page 20 of 42 17. MISCELLANEOUS (1) These Guidelines operate in addition to any relevant laws and regulations. (2) The SEC reserves the right to amend the Guidelines from time to time. (3) The SEC may issue supplementary directives, circulars or notices for the effective implementation of these Guidelines. (4) These Guidelines apply to existing and future technologies, business models, financial instruments, market infrastructures, or operational arrangements, whether currently known or developed in the future, where such activities fall within the regulatory mandate of the SEC. 18. SUPERVISORY OBLIGATIONS The SEC may conduct on-site or off-site inspections, system reviews, data examinations or supervisory visits at any time during the Sandbox period, and the Sandbox Entity shall provide full cooperation and access to its premises, systems, records and personnel as may be required by the SEC. 19. DEFINITION OF TERMS In these guidelines – “Applicant” means a legal Entity that intends to apply for, or has applied for a Regulatory Sandbox Licence to participate in the Regulatory Sandbox but has not been issued with it; “Blockchain” means blockchain as defined in the Virtual Asset Service Providers Act, 2025 (Act 1154); “Distributed Ledger Technology (DLT)” means Distributed Ledger Technology as defined in the Virtual Asset Service Providers Act, 2025 (Act 1154); “Emerging Technologies” mean any new or evolving technology, including distributed ledger technology, artificial intelligence, machine learning, tokenisation, automated systems, cryptographic systems, decentralised systems, or similar technological arrangements; “FinTech” means technology-enabled financial services, products or business models operating within or related to the capital market;

Page 21 of 42 “Regulatory Sandbox” means a framework that enables qualified firms and businesses to test innovative capital market products and services in a controlled, time-bound regulatory environment; “Sandbox Entity” means a holder of a sandbox licence or a capital market operator, FinTech firm, or other approved Entity that has been granted authorisation to participate in the Regulatory Sandbox. “Testing Period” means the period specified in the Regulatory Sandbox Licence during which a Sandbox Entity is authorised to conduct Sandbox activities; “Virtual Asset” means a virtual asset as defined in the Virtual Asset Service Providers Act, 2025 (Act 1154). “Virtual Asset Service Provider” or “VASP” means a Virtual Asset Service Provider as defined in the Virtual Asset Service Providers Act, 2025 (Act 1154);

Page 22 of 42 20. APPLICATION FORM (ANNEX A) APPLICATION FOR A REGULATORY SANDBOX LICENCE Important Notice: Applicants shall complete this Application Form fully and accurately and submit all required supporting documentation and information to the Securities and Exchange Commission (SEC). Applicants proposing activities involving virtual assets, distributed ledger technology, tokenisation, or other emerging technologies shall, in addition to this Application Form, complete ANNEX A – ADDENDUM (Virtual Asset Sandbox Application Supplement), where applicable. Where certain information is unavailable, not applicable, or not fully developed at the time of application, the Applicant shall provide a clear explanation and such alternative information as may be reasonably necessary to enable the SEC to assess the application.

1. General Information a) Registered Name of Applicant b) Registered Office Address c) Principal Place of Business (Physical Address) d) Addresses of Branches, Operational Locations, or Offices (if applicable) e) Location of Key Operational, Technical, or Management Functions Relevant to the Sandbox Activity f) Telephone Number g) Official Email Address h) Website (if applicable) i) Name and Address of Principal Bankers j) Details of Operational, Client, Escrow, Trust, or Other Accounts Used or Intended to be Used for the Sandbox Activity k) Name and Address of Company Secretary (if applicable) l) Name and Address of External Auditors (if appointed) m) Name and Address of Legal Advisers (if applicable) n) Name, position or title, telephone number, email address, and physical location of the person designated as the primary regulatory contact authorised to liaise

Page 23 of 42 with the SEC on behalf of the Applicant 2. Type of application (1) Please indicate the nature of the application: a) Initial Sandbox Application b) Application for Extension of Existing Sandbox Licence (2) If application relates to an existing Sandbox Licence, please provide: a) Sandbox Licence number b) Date of issuance c) Duration of Sandbox period d) Description of Sandbox activity currently undertaken e) Reason for extension 3. Legal Status (1) If applicant is incorporated in Ghana, please specify whether applicant is – a) incorporated under the Companies Act 2019, (Act 992); or b) incorporated under the Incorporated Private Partnerships Act, 1962 (Act 152). (2) If applicant is incorporated outside Ghana, please specify the jurisdiction and the Act under which the applicant is incorporated. (3) Please confirm whether the Companies Constitution/ Partnership Agreement of the applicant permits it to engage in the business for which the Regulatory Sandbox licence is sought. 4. Capital structure and shareholding (1) Please provide: a) Authorised shares b) Issued shares c) Paid-up capital d) Capital structure (2) Provide details of shareholders or beneficial holding 5% or more: a) Name

Page 24 of 42 b) Address c) Nationality d) Percentage ownership e) Nature of ownership (direct or indirect) (3) For partnership the SEC shall determine additional requirements regarding the following; (a) Percentage ownership (b) Nature of ownership (direct or indirect) (c) Capital requirement 5. Description Of Proposed Sandbox Activity (1) Provide a detailed description of the proposed Sandbox activity, including: a) Nature of the product, service, or business model b) Explanation of innovation and expected benefits c) Regulatory uncertainty or constraints necessitating Sandbox participation d) Target customers or user groups e) Proposed operational scope and scale f) Key operational processes Where applicable, provide details of distributed ledger technology, tokenisation, automated systems, artificial intelligence, decentralised systems, or other emerging technologies. 6. Sandbox Testing Plan (1) Provide a structured testing plan including: a) Testing objectives b) Testing methodology c) Proposed Sandbox duration d) Testing phases and milestones (if applicable) e) Customer limits f) Transaction limits g) Risk mitigation and customer protection measures h) Exit and transition plan

Page 25 of 42 7. Technology And System Architecture (1) Provide: a) Description of technology infrastructure b) System architecture and operational components c) Data storage and processing arrangements d) Custody or asset safeguarding arrangements (if applicable) e) Third-party service providers or operational dependencies f) Cross-border infrastructure dependencies (if applicable) g) System architecture diagram (attach separately) Where emerging, automated, decentralised, or advanced technologies are used, provide sufficient technical details to enable regulatory assessment. 8. Cybersecurity, Data Protection, And Operational Resilience (1) Provide details of: a) Cybersecurity controls b) Access control and authentication measures c) Encryption and key management d) Incident detection and response procedures e) Data protection and confidentiality safeguards f) Business continuity and disaster recovery arrangements 9. Risk Management and Compliance (1) Provide details of: a) Risk management framework b) Compliance framework c) Internal controls d) Governance arrangements e) Customer protection measures f) Incident management procedures g) AML/CFT controls 10. Other businesses Please give details of other businesses (if any) the applicant is engaged in other than the business for which a Sandbox licence is being applied.

Page 26 of 42 11. Particulars of directors/partners and management (1) Please specify name, address and profession/occupation of every director/partner of the applicant along with any other directorships held by them. (2) Please also specify if they will be executive or non-executive. (3) Please specify if they will be independent director(s) (4) Please specify the name, address and qualifications of the chief executive officer of the applicant along with any other directorships held by him/ her. 12. Organisation chart Please annex a chart setting out by way of a diagram the organisational structure of the applicant with particular reference to supervision and lines of reporting. 13. Group and associated person information Please specify names of the holding company, subsidiary companies and associates of the applicant indicating companies or partnerships in which the applicant has an interest. 14. Staff (1) Please name the directors/partners, owners and employees of the applicant who will be involved in the operations of the business for which the licence is sought. (2) Please specify qualifications and experience and whether these persons are holders of market operators’ representative licences under the Act. (3) Please provide the names and addresses of documentation/computer/accounting/administration and clerical staff of the applicant. (4) Please specify location and custodian of the register of interests in securities required to be maintained under section 127(1) of the Securities Industry Act, 2016 (Act 929) as amended where applicable. We the undersigned certify that the above information is true and accurate. We undertake in the event of our application being accepted/our Sandbox licence being extended to abide by the Securities

Page 27 of 42 Industry Act, 2016 (Act 929) as amended, Regulations made under it, Rules, Statements of Principles, Procedures, Guidelines, Codes, Directives, Circulars, Manuals, etc., present and prospective issued from time to time by the SEC established by Act 929 as amended. We also undertake to inform the SEC immediately of any change in any of the particulars stated in this application. We confirm that – a) the Applicant is not in the course of being wound up/or in bankruptcy; b) no receiver or manager has been appointed under any law with regard to the business and assets of the Applicant; c) the Applicant has not entered into any compromise or scheme of arrangement with any of its creditors either in Ghana or outside which is still in operation; d) neither the Applicant nor any of the directors/partners and executive officers of the Applicant have been – i. adjudged bankrupt anywhere; ii. convicted either within Ghana or elsewhere within the period of 10 years immediately preceding the date on which this application is made of an offence involving fraud or dishonesty punishable on conviction with imprisonment for a term of three months or more; iii. denied a licence as a market operator or representative or had a licence issued under the Securities Industry Act, 2016 (Act 929) as amended or the Virtual Asset Service Providers Act, 2025 (Act 1154) to them suspended or revoked; or iv. directors or partners of an entity which has been denied a licence under the Securities Industry Act, 2016 (Act 929) as amended or the Virtual Asset Service Providers Act, 2025 (Act 1154) or had any licence issued under the Securities Industry Act, 2016 (Act 929) or the Virtual Asset Service Providers Act, 2025 (Act 1154) suspended or revoked. We enclose -

1. A certified true copy of the certificate of incorporation/registration of the company/Partnership.
2. A certified true copy of the constitution or the partnership agreement.
3. A certified true copy of the Audited Financial statements of the applicant for the past three financial years or Statement of Affairs (where the applicant is yet to commence operations or is yet to issue audited financial statements).

Page 28 of 42 4. Receipt in proof of payment of the licence fee prescribed. 5. Business plan (as defined in this guideline). 6. Tax clearance certificate with regard to the last period of assessment. 7. A certified copy of the register of interests required to be maintained under section 127 (1) in Form No. 5 (Schedule 7) of the Securities Industry Act, 2016 (Act 929) as amended. 8. Sandbox testing plan 9. Organisational chart showing governance structure and reporting lines. 10. Risk management and compliance framework. 11. Relevant technical documentation describing the proposed system, product, service, business model or technology, where applicable. 12. Any additional documents, information, or disclosures that the SEC may require for the purpose of assessing the application.

Page 29 of 42 VASP-SPECIFIC APPLICATION REQUIREMENTS (ANNEX A – ADDENDUM) VIRTUAL ASSET SERVICE PROVIDER (VASP) APPLICATION SUPPLEMENT (To be completed in addition to Annex A) This Supplement shall be completed in addition to the standard Annex A Application Form by Applicants seeking a Regulatory Sandbox Licence under the Virtual Asset Sandbox Track.

1. VASP Information (a) Specify the type of virtual asset services to be offered. (b) Describe the virtual asset ecosystem and any digital tokens involved, (c) Provide details of any smart contract protocols, decentralised applications, or automated execution mechanisms involved in the proposed Sandbox activity. (d) Clearly identify whether the proposed activity involves centralised, decentralised, or hybrid operational models. (e) Investor type
2. Technical and Operational Requirements (a) Smart Contract Audits: Submit independent third-party audit reports for all smart contracts, protocols, or automated execution systems intended for Sandbox testing. (b) Node Governance (where applicable): Outline node structure, validator responsibilities, consensus mechanisms, and governance arrangements. (c) Cybersecurity and Data Protection: Describe measures implemented to safeguard customer assets, private keys, and personal data, including encryption, multi￾signature controls, access management, and monitoring systems. (d) Business Continuity and Operational Resilience Provide disaster recovery plans, incident response frameworks, and operational resilience arrangements. (e) System Architecture: Provide a high-level architecture diagram of technology infrastructure, including wallets, custody systems, APIs, third-party integrations, and cross-border dependencies.

Page 30 of 42 3. Governance and Compliance (a) Provide an organisational chart highlighting VASP-specific roles, including compliance, technical operations, custody management, and risk management. (b) Demonstrate compliance with applicable anti-money laundering (AML), countering the financing of terrorism (CFT), and sanctions obligations on a risk-based basis. Provide internal policies covering: i. Customer onboarding ii. KYC verification iii. Ongoing monitoring iv. Transaction monitoring v. Suspicious transaction reporting vi. Travel rule compliance 4. Financial and Risk Management (a) Submit financial projections specific to VASP operations, including expected revenue streams. (b) Provide evidence of segregation of client assets from proprietary funds. (c) Describe custody model (self-custody, hosted custody, third-party custodian). (d) Provide a comprehensive risk assessment covering: (a) Market risks (b) Liquidity risks (c) Custody risks (d) Technological risks (e) Smart contract risks (f) Governance risks (g) Counterparty risks (h) Operational risks 5. Evidence and Supporting Documents Applicants must submit: (a) Tokenomics whitepaper or equivalent technical documentation. (b) Smart contract audit reports.

Page 31 of 42 (c) Node governance documentation (if applicable). (d) Cybersecurity and operational resilience policies. (e) AML/CFT policies and procedures. (f) Evidence of local participation and operational presence. (g) The SEC may request additional documentation depending on the nature of the virtual asset activity. Minimum Local Participation Threshold for Foreign Virtual Asset Service Providers A foreign Applicant shall, as a condition for the grant or continuation of a Regulatory Sandbox Licence, demonstrate not less than thirty percent (30%) local participation and maintain a demonstrable local operational presence in Ghana, as approved by the SEC. Local participation may be satisfied through either of the following mechanisms: (a) Direct Equity Participation At least thirty percent (30%) of the issued equity or ownership interest in the Sandbox Entity is held by: i. Ghanaian citizens; or ii. companies incorporated in Ghana and beneficially owned by Ghanaian citizens. Ownership shall be genuine, beneficial, and not merely nominal or trustee-based unless fully disclosed and approved by the SEC. (b) Commercial Participation Arrangement Where equity participation is impracticable, the Applicant may satisfy the requirement through binding commercial arrangements, including: • Revenue-sharing agreements; • Joint ventures; • Strategic partnerships; • Operational outsourcing agreements; Provided that: (i) Ghanaian entities receive not less than thirty percent (30%) of the net economic benefit derived from the Sandbox activity;

Page 32 of 42 (ii) Such participation relates to core operational or economic functions of the Sandbox activity; and (iii) The arrangement is legally binding, transparent, and enforceable. (c) Physical Operational Presence Notwithstanding paragraph (a) or (b), every foreign Applicant admitted into the Regulatory Sandbox shall; i. establish and maintain a physical operational office in Ghana for the duration of the Sandbox testing period; ii. appoint at least one Ghana-resident senior officer or compliance officer responsible for regulatory liaison, compliance and supervisory engagement with the SEC; and iii. ensure that key compliance, reporting and customer-facing functions relating to the Sandbox activity are accessible to, and exercisable from, Ghana. For the avoidance of doubt, the establishment of a registered address without substantive operational capacity shall not satisfy this requirement. ( d ) Evidence of Compliance An Applicant shall submit: i. ownership and beneficial ownership declarations; ii. executed shareholder, partnership, or commercial agreements; iii. Evidence of operational capacity in Ghana; iv. governance or operational arrangements evidencing local involvement; and v. such additional information as the SEC may require or any other requirement imposed by any relevant law.

ANNEX B EXAMPLES OF FLEXIBILITY AROUNDREGULATORY REQUIREMENTS AND EXPECTATIONS FOR THE SANDBOX The following tables provide examples of the legal and regulatory requirements that the SEC is prepared to consider relaxing for the duration of the Sandbox, as well as those which the SEC intendsto maintain. It must be emphasised that the examples outlined in the table are not exhaustive. Depending on the proposed capital market activity, business model, product or service, the applicant involved and the application made, the SEC shall solely determine the specific legal and regulatory requirements which it is prepared to relax for each case. “To Maintain” requirements Confidentiality of customer information and data handling Fit and proper criteria particularly on honesty and integrity Handling of customer’s moneys and assets by intermediaries Prevention of money laundering and countering the financing of terrorism Corporate Governance Requirements Environmental/ climate change concerns “Possible to Relax” requirements Asset maintenance requirement Board composition Cash balances Credit rating Financial soundness Capital adequacy Licence fees Page 33 of 42

Page 34 of 42 SEC’s Guidelines that may be applicable in each case and on case-by-case basis Minimum liquid assets Minimum paid-up capital Relative size Reputation Track record

Page 35 of 42 ANNEX C APPLICATION AND APPROVAL PROCESS To illustrate the application and approval process, ANNEX C provides a case study on how an application that meets the SEC’s expectations is processed. The application and approval process is shown in the following diagram. Throughout the evaluation of the Sandbox application, along with the experimentation phase, the SEC will keep in touch with the applicant/Sandbox Entity: a) The applicant must contact the SEC at sandbox@sec.gov.gh with any questions they may have about the sandbox before submitting an application. b) The “Application Stage”, estimated time of receiving the full set of data required for the evaluation, the SEC will analyse the application and make every effort to notify the applicant of its possible appropriateness for a sandbox license. The preliminary indication aids in the applicant's resource and business planning. c) At the "Evaluation Stage," the amount of time needed to thoroughly review the application depends on its complexity and thoroughness as well as the particular legal and regulatory

Page 36 of 42 requirements at play. The applicant may revise the application for resubmission after consulting with the SEC, as the sandbox method is exploratory in nature. The decision on the sandbox will be communicated to the applicant in writing. d) The applicant will be notified in the event that their application is denied. Failure to meet any of the evaluation criteria or the sandbox's goal and ideals could be the reason for rejection. When the candidate is prepared to fulfill the sandbox's goal, guiding principles, and assessment standards, they may reapply. e) The sandbox enters the "Testing Stage" after the application is approved, and paragraph 9 of these criteria will be applicable. Customers must be informed by the sandbox entity that the applicant is operating in a sandbox and that the main risks related to the capital market activity, product, or service are disclosed. Additionally, the sandbox organisation must get confirmation from the clients that they have read and comprehended these risks. f) The sandbox entity must notify the SEC at least one month in advance and submit "change requests" that include specifics of the changes along with justifications if it plans to make significant changes to the capital market activity, product, or service being tested during the "Testing Stage." While the SEC examines the change requests and notifies the sandbox entity of its decision, the sandbox entity can carry on evaluating the current product or service. g) The Deployment entail rolling out the tested solution to the investing public on a licensed product or service by the SEC. Applicant should have met all necessary conditions to transition from sandbox license to a licensed virtual asset service pursuant to the Schedule in the Virtual Asset Service Product Act, 2025 (Act, 1154). h) Relevant details about all authorized sandbox applications, including the applicant's identity and the start and end dates of the sandbox testing, may be posted on the SEC website for the sake of openness and customer information.

Page 37 of 42 ANNEX D KPI & RISK DISCLOSURE TEMPLATE FOR VASP SANDBOX LICENSING APPLICATIONS AND POST-IMPLEMENTATION REPORTING Applicants must complete all sections relevant to their business model. Submissions form part of the binding sandbox application and ongoing compliance obligations.

1. Universal KPIs (Applicable to All VASP Categories) KPI Category Specific KPI Measurement Method Reporting Frequency Transaction Activity Volume and value of transactions Count and total monetary value of transactions executed Monthly User Adoption Number of active users/clients Count of unique users transacting ≥1/month Monthly Incident & Breach Reporting Number of security incidents/data breaches Incident logs; notification to SEC Within 24 hours Compliance Milestones Achievement of sandbox-specific regulatory conditions Yes/No checklist with evidence Quarterly Customer Complaints Volume and resolution rate (%) Complaints log; resolution timeframe Monthly Financial Resilience Capital/liquidity adequacy vs. requirements Ratio of liquid assets to liabilities Quarterly Operational Uptime System availability (%) Uptime monitoring tools Monthly

Page 38 of 42 Client Demographics Age, gender, location, and other relevant characteristics Aggregate anonymised data collected from user profiles and onboarding records Monthly 2. Category-Specific KPIs 2.1 Virtual Asset Exchanges & Trading Platforms KPI Category Specific KPI Measurement Method Target/Threshold Market Integrity Volume of suspicious transactions reported SARs filed as % of total transactions ≥100% flagged activity reported Liquidity Average bid-ask spread for top 5 pairs Spread in basis points ≤ 50 bps for major or highly liquid trading pairs. Settlement Efficiency Failed settlement rate (%) Failed trades / total trades ≤0.1% Cybersecurity Number of attempted cyberattacks thwarted Security event logs Immediate reporting Consumer Protection % of users completing risk awareness quiz User onboarding data ≥90% (Subsequent categories, ICO/STO, Tokenisation, ETFs, Managers, Brokerage, Advocacy, Mining & Validation, Sandbox, follow similar tables with KPIs, methods, and thresholds.)

Page 39 of 42 3. Risk Disclosure Template 3.1 Purpose & Scope Applicants must identify, disclose and mitigate risks associated with their sandbox activities. 3.2 Universal Risk Categories Risk Category Required Disclosure Points Market & Volatility Price volatility, liquidity, correlation with traditional markets, macroeconomic sensitivity Business continuity, Technology & Operational Cybersecurity threats, custody arrangements, smart contract vulnerabilities, system failures, key person dependencies, extended enterprise risk(third-party risks), disaster recovery arrangement. Regulatory & Legal Regulatory uncertainty, cross-border conflicts, licensing/compliance risks, AML risk, tax treatment, legal recourse People Risk Human resource capacity (in terms of skill and optimal numbers) Compensation & Redress Compensation coverage, insurance policies, client asset segregation, recovery/resolution plans 4. Risk Mitigation Disclosure Table Applicants must complete: Risk Category Identified Risks Mitigation Measures Residual Risk (High/Med/Low) Monitoring Frequency Market & Volatility [List from 3.2] [Specific measures] [Assessment] Daily/Weekly Business continuity, Technology [List from 3.2] [Specific measures] [Assessment] Realtime/Daily

Page 40 of 42 & Operational Regulatory & Legal [List from 3.2] [Specific measures] [Assessment] Monthly/Quarterly People Risk [List from 3.2] [Specific measures] [Assessment] Monthly/Quarterly Category￾Specific [List from 3.2] [Specific measures] [Assessment] As appropriate 5. Post-Implementation Reporting Sandbox participants must submit a final KPI and risk report, including:

1. Executive Summary: Overall performance against KPIs.
2. KPI Dashboard: Tabulated results and explanations for variances.
3. Incident Analysis: Root causes and remedial actions.
4. Consumer Impact: Benefits/harms to users.
5. Regulatory Recommendations: Evidence-based suggestions for SEC updates.
6. Other reporting requirements as may be determined by the SEC
7. Certification To be completed by the CEO and Chief Compliance Officer/AMLRO: “We hereby certify that all material risks and mitigation measures associated with our sandbox activities have been fully disclosed and implemented, and we will immediately update SEC of any material changes. We understand that incomplete or misleading disclosures may result in sandbox termination or licence refusal.” Name Position Signature Date

Page 41 of 42 ANNEX E CONSUMER RISK DISCLOSURE TEMPLATE FOR VASP SANDBOX LICENSING APPLICATIONS AND POST-IMPLEMENTATION REPORTING Applicants must ensure consumer of virtual asset complete all sections relevant to their business model. Submissions form part of the binding sandbox application and ongoing compliance obligations. Consumer Risk Statement Template Virtual assets are high-risk products. You should read this notice carefully before using this service.

1. You May Lose All or Part of Your Investment The value of virtual assets can fluctuate rapidly and unpredictably. As a result, you may lose all or a portion of your money, assets, or investment.
2. Not Legal Tender or Guaranteed Virtual assets: • Are not issued or guaranteed by the Government of Ghana or the Bank of Ghana • Are not protected by deposit insurance or investor compensation schemes
3. Limited Regulatory Protection Virtual asset services operate under a testing environment (Regulatory Sandbox). Consumer protections may be more limited than those applicable to traditional financial services.
4. Technology and Cyber Risks Virtual assets rely on digital technology and may be exposed to: • Hacking or cyberattacks • Loss or theft of private keys • Smart contract failures • System outages or operational disruptions

Page 42 of 42 Losses from these events may be irreversible. 5. Access and Custody Risks If you lose passwords, private keys, or authentication credentials, you may permanently lose access to your virtual assets. 6. Liquidity Risks You may not always be able to sell or convert virtual assets quickly or at expected prices due to market conditions. 7. Regulatory Uncertainty Laws and regulations governing virtual assets are evolving and may change, which could affect your ability to use or trade these assets. IMPORTANT You should only use virtual asset services if you: • Fully understand the risks; and • Can afford to lose your entire investment. If you are unsure, seek independent professional advice. CUSTOMER CONFIRMATION By proceeding, you confirm that: ☐ I have read and understood this risk warning. ☐ I understand that virtual assets are high risk. ☐ I accept full responsibility for any losses. Name: ................................................................................................................................................................................. Signature: ……………………………………………………………………………………………………………. Date: ...................................................................................................................................................................................