Rule for Registration, Cancellation of Registration, and Regulation of a Credit Information Bureau in the National Bank of Georgia

Order of the President of the National Bank of Georgia Order №193/04 August 27, 2018 Tbilisi On the Approval of the Rule for Registration, Cancellation of Registration, and Regulation of a Credit Information Bureau in the National Bank of Georgia In accordance with sub-paragraph "g" of the first paragraph of Article 15, and the first and second paragraphs of Article 52¹ of the Organic Law of Georgia "on the National Bank of Georgia," I hereby order: Article 1 To approve the attached Rule for Registration, Cancellation of Registration, and Regulation of a Credit Information Bureau in the National Bank of Georgia. Article 2 This Order shall enter into force on September 1, 2018. President of the National Bank Koba Gvenetadze

Rule for Registration, Cancellation of Registration, and Regulation of a Credit Information Bureau in the National Bank of Georgia Article 1. General Provisions

1. The purpose of this Rule is to ensure financial stability and the protection of consumer rights within the mandate of the National Bank of Georgia.
2. This Rule defines the principles for the registration, cancellation of registration, and regulation of a Credit Information Bureau in the National Bank of Georgia (hereinafter – the National Bank), as well as the conditions for information protection/security, which ensure the continuity of the Bureau's activities. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 2. Definition of Terms
3. For the purposes of this Rule, the terms used herein have the following meanings: a) Credit Information Bureau – an entrepreneurial entity that collects, stores, processes, and issues credit information about a person (hereinafter – the Bureau), and an entrepreneurial entity that collects, processes, and issues credit information about a person (hereinafter – the Platform); b) Administrator – a member of the Supervisory Board or the Directorate (Board of Directors) of the Bureau/Platform, as well as a person who is authorized to assume obligations on behalf of the Bureau/Platform, either independently or jointly with one or more other persons; c) Significant Share – a direct or indirect holding of more than 10 percent of the paid-in capital, stated capital, or/and voting shares of a Bureau/Platform by a person or a group of jointly acting partners (shareholders), and/or the ability of a person or a group of jointly acting partners (shareholders) to exert significant influence on the Bureau/Platform, regardless of the amount of the share in the capital and/or voting shares; d) Significant Influence – shall be interpreted in accordance with the International Financial Reporting Standards (IFRS); e) Credit Information – information about a natural and/or legal person (including an organizational entity that is not a legal person) regarding a loan/credit and off-balance sheet liabilities (bank guarantee, letter of credit, etc.); f) Non-credit Information – any information and other relevant data arising from the obligatory legal relationship of a natural and/or legal person (including an organizational entity that is not a legal person); g) Paid-in Charter Capital – the portion of the stated charter capital that has been actually paid in; h) Operational Assets – any type of asset necessary for the uninterrupted conduct of the Bureau's authorized activities; i) Risk Appetite – the amount and type of risk that the Bureau/Platform can assume based on its size and/or strategic capabilities; j) Major Operational Risk – a total loss whose recorded or expected aggregate amount is equal to or exceeds GEL 50,000; k) Data Subject (Person/User) – any natural/legal person (including an organizational entity that is not a legal person) about whom credit/non-credit information and other relevant data is

collected, processed, or stored at the Bureau/Platform (including a borrower, co-borrower, guarantor, and provider of collateral); l) Solvency Analysis – an analysis of the income, expenses, and liabilities of the borrower/co￾borrower, as well as the guarantor and the provider of collateral; m) Data Processing – shall be interpreted in accordance with the Law of Georgia "on Personal Data Protection"; n) Independent Member of the Supervisory Board – a member whose appointment requires the Bureau to consider each of the cases provided for in this sub-paragraph. The existence of any one case does not automatically preclude a person's independence. Such circumstances must be taken into account by the Bureau and, if the member is deemed independent, must be properly justified. Specifically, the circumstances to be considered are when the person to be appointed: n.a) Has had a family relationship within the last two years with the administrators of the Bureau, or with person(s) who directly or indirectly hold a significant share in the Bureau. For the purposes of this sub-paragraph, persons in a family relationship shall be considered those who are ranked in the first and second order of legal heirs according to the Civil Code of Georgia; n.b) Has conducted/conducts business or has/had other types of material business relationships within the last two years with the administrators of the Bureau or with a person who directly or indirectly holds a significant share in the Bureau; n.c) Has any other type of relationship, position, or connection that may affect the person's independence. 2. Other terms used in this Rule shall have the meanings defined by the legislation of Georgia. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 3. Authority of the National Bank

1. In terms of regulation and supervision of Bureaus/Platforms, the National Bank: a) Supervises compliance with the requirements defined by this Rule; b) Registers and cancels the registration of Bureaus/Platforms in accordance with this Rule; c) Is authorized to impose any requirement on a Bureau/Platform and/or issue written instructions for the purposes of this Rule; d) Is authorized to require the Bureau/Platform to conduct, and the Bureau/Platform is obliged to ensure, mandatory scheduled and unscheduled technical and financial audits by an audit firm that has professional experience appropriate to the size and risk profile of the Bureau/Platform. For an unscheduled audit, the Bureau/Platform is obliged to agree on the identity of the auditor with the National Bank in advance; e) Is authorized to require the Bureau/Platform to develop appropriate procedures, implement technical support, allocate human resources, and establish a relevant structural unit to protect consumer rights; f) Is authorized to conduct both on-site and remote, scheduled and unscheduled inspections of the Bureau/Platform (including the inspection of processes related to the Bureau/Platform);

g) Is authorized, if necessary, to request and receive any documentation/information (including independently of/in addition to the documents specified in Article 6 of this Rule); h) If an administrator of the Bureau/Platform does not meet the requirements established by law or if there is a significant or systematic violation of the legislation of Georgia, is authorized to demand the dismissal of the administrator from their position; i) In exceptional cases, is authorized to restrict the rights of a data subject (for the purposes of this sub-paragraph, a natural person) in accordance with Article 21 of the Law of Georgia "on Personal Data Protection"; j) If the data server of the Bureau/Platform is located in a country that does not meet data security requirements (including at the legislative level), is authorized to demand that the Bureau/Platform change the location of its data server within the deadlines established by the National Bank; k) Is authorized, if necessary, to request a meeting with members of the Supervisory Board and/or the external auditor of the Bureau/Platform. 2. Correspondence/communication between the National Bank and the Bureau/Platform may be conducted in physical and/or electronic form. These forms have equal legal force. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №327/04 of December 31, 2024 - website, 31.12.2024. Article 4. The Bureau/Platform

1. The Bureau/Platform is a legal entity established in the legal form of a limited liability company or a joint-stock company, which is registered by the National Bank of Georgia based on its application and the submission of relevant documentation/information, and which carries out activities permitted by the Organic Law of Georgia "on the National Bank of Georgia" and the relevant legal acts of the National Bank.
2. A Bureau is obliged to include the term "Credit Information Bureau" in its corporate name, in addition to the designation provided for by the Law of Georgia "on Entrepreneurs," while a Platform is obliged to include the term "Credit Information Bureau - Platform."
3. An entrepreneurial entity is entitled to operate with the status of a Bureau/Platform only after its registration by the National Bank.
4. During the registration application process for a Bureau, as well as during the period when the registration is valid, at least 50% of the Bureau's assets must consist of its own funds.
5. During the registration application process for a Bureau, as well as during the period when the registration is valid, the Bureau's paid-in charter capital must be at least GEL 3,000,000 (three million). For the purposes of this paragraph, the paid-in charter capital shall be derived from the difference between the operational assets and the total liabilities (including off-balance sheet liabilities) of the Bureau.
6. A Bureau is obliged to insure its professional liability (including cyber risk) for an amount of at least GEL 5,000,000 (five million) to compensate for possible material damages caused by non-compliance with the requirements established by the Organic Law of

Georgia "on the National Bank of Georgia" and the legal acts of the National Bank issued on its basis. The terms of the professional liability insurance (including cyber risk) must be agreed upon with the National Bank. 7. A Platform is obliged to insure its professional liability for an amount of at least GEL 200,000 (two hundred thousand) to compensate for possible material damages caused by non-compliance with the requirements established by the Organic Law of Georgia "on the National Bank of Georgia" and the legal acts of the National Bank issued on its basis. The terms of the professional liability insurance must be agreed upon with the National Bank. 8. Upon the occurrence of an insured event and the payment of compensation, the Bureau/Platform must ensure the renewal of the minimum limit of its professional liability insurance within 20 (twenty) working days. 9. The qualifications and professional skills of the administrators of the Bureau/Platform must comply with the requirements established by this Rule. 10. The Bureau/Platform is obliged to immediately inform the National Bank if, in the course of its activities, it becomes aware of any violation of the requirements provided for by the legislation of Georgia and/or this Rule by lending organizations or information recipients/providers, related to the collection, storage, processing, and issuance of credit, non-credit, and/or other relevant information about a person. 11. The Bureau/Platform is obliged to ensure the existence of a structural unit and persons responsible for receiving and reviewing complaints regarding the credit, non-credit, and/or other relevant information of a data subject (including jointly with the relevant data recipient/provider). 12. The Bureau/Platform must have an appropriate organizational structure, policies/procedures, and human resources to ensure the adequate management, monitoring, and control of financial, operational, legal, and other risks. 13. The National Bank is authorized to require that a product submitted by a Platform be reviewed in accordance with the rules and requirements established by the Regulation approved by the Order №110/04 of the President of the National Bank of Georgia of May 25, 2020, "On the Approval of the Regulation on the Creation and Use of a Regulatory Sandbox Framework by the National Bank of Georgia." 14. The Bureau is obliged to ensure the presence of at least one independent member in its Supervisory Board. Any member of the Supervisory Board who has a conflict of interest regarding a specific issue shall be restricted from participating in decision-making. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №327/04 of December 31, 2024 - website, 31.12.2024. Article 5. Activities of the Bureau and the Platform

1. Only the following types of activities are permitted for a Bureau: a) Collecting, storing, recording, issuing, and otherwise processing credit, non-credit information, and/or other relevant data about a person (data subject) in the manner prescribed by law;

b) The sale of special software necessary for the automation of the activities of participants in the credit information system (lending organizations and information recipients/providers); c) Assessing the solvency of data subjects (including the development of statistical, behavioral, and other assessment models); d) Analytical, educational activities, and providing consultations in the relevant field. For these purposes, the Bureau must agree in advance with the National Bank on any product/service offered to a third party (including any form of processing of data held at the Bureau); d¹) Providing an identification service for a person (data subject) in the digital channels of a lending organization and information recipient/provider that has a contractual relationship with it, for the purpose of obtaining the consent of this person (data subject) and verifying the information held about them at the Bureau; e) Other relevant activities carried out with the prior written consent of the National Bank. 2. The activities specified in the first paragraph of this Article may be carried out by the Bureau taking into account the requirements established by this Rule and the "Rule on Providing Information to a Credit Information Bureau on the Territory of Georgia, Recording and Accessing Information in the Database of the Credit Information Bureau." 3. Before carrying out the activity specified in sub-paragraph "c" of the first paragraph of this Article, the Bureau is obliged to notify the National Bank. 4. A Platform is permitted, within its authority, to receive, process, and transfer credit, non￾credit information, and/or other relevant data about a person (data subject) from the Bureau to a third party. 5. The requirements of the Order №195/04 of the President of the National Bank of Georgia of August 27, 2018, "On the Approval of the Rule on Providing Information to a Credit Information Bureau on the Territory of Georgia, Recording and Accessing Information in the Database of the Credit Information Bureau" do not apply to the activities of a Platform. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №327/04 of December 31, 2024 - website, 31.12.2024. Article 6. Registration of a Bureau and a Platform in the National Bank

1. An entrepreneurial entity, for the purpose of registering as a Bureau/Platform, must submit a written application to the National Bank, to which the documentation and information provided for in this Article must be attached.

2. The application must contain information on: a) The corporate name; b) The legal form; c) The legal address; d) The amount of paid-in capital.

3. The application must be accompanied by: a) An extract from the Registry of Entrepreneurs and Non-entrepreneurial (Non￾commercial) Legal Entities; b) The original registered charter or a notarized copy thereof; c) A business plan and financial forecast for the next three years; d) A technical audit report prepared by a reputable company, if available, confirming that the applicant's technical/software capabilities fully meet the requirements of this Rule; e) Documents regarding the appointment of the administrator; f) The personal resume (CV) of the administrators; g) Documents confirming the origin of financial funds of the significant shareholders/administrators and/or the beneficial owner (including financial statements); h) Information on the debts of the Bureau and its administrators; i) A certificate of no criminal record for the administrators and the significant shareholder. The time elapsed since the issuance date of a certificate of no criminal record issued in accordance with the legislation of Georgia and submitted to the National Bank on the basis of this sub-paragraph must not exceed 15 calendar days, while the time elapsed since the issuance date of a certificate of no criminal record issued by the competent authorities of a foreign country must not exceed 2 months; j) Identity documents of the significant shareholders/administrators and/or the beneficial owner (copy of ID card or passport). In the case of a legal entity, the founding documents; k) A written confirmation from the administrators of their compliance with the fitness criteria established by this Rule; l) A document confirming the right of use or ownership of the real estate where the Bureau will be located (administrative office, location of operational assets, etc.); m) Information/documentation on the education and/or experience of the administrators; n) The applicant's tax declarations for the last 3 years, if any; o) Financial statements and audit reports for the last three years, if any; p) Relevant documentation/information confirming the Bureau's compliance with Articles 11, 13, 14, and 15 of this Rule.

4. For the purposes of this Rule, documents issued by a foreign country to be submitted to the National Bank must be certified with an Apostille or legalized. Foreign-language documents must be submitted in the form of an officially certified Georgian translation.

5. The National Bank is authorized to request additional information and/or documentation from the entrepreneurial entity in addition to the information submitted and to determine the form and deadline for the submission of said information and/or documentation.

6. The requirements of sub-paragraph "d" of paragraph 2, sub-paragraphs "h", "l" of paragraph 3, and compliance with Article 15 of this Rule as provided for by sub-paragraph "p" of this Article do not apply to a Platform.

Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №327/04 of December 31, 2024 - website, 31.12.2024. Article 7. Fitness and Properness Criteria for a Significant Shareholder and Administrator of a Bureau and Platform

1. A person is prohibited from being a significant shareholder of a Bureau/Platform if they have been convicted of a serious or particularly serious crime, for financing terrorism and/or for money laundering, or for another economic crime.

2. A significant shareholder of a Bureau/Platform must have a proper reputation.

3. A person may be an administrator of a Bureau/Platform if: a) They have not been recognized by a court as a recipient of support; b) They have not been convicted of a serious or particularly serious crime, for financing terrorism and/or for money laundering, or for another economic crime; c) They have an appropriate education and/or a minimum of 3 years of professional experience in credit information activities or similar activities. The level of education and experience of the administrator must be in line with the scale and complexity of the Bureau/Platform and their specific functions; d) They did not participate in an operation that caused significant damage to the employing organization and/or led to the organization's insolvency or bankruptcy; e) They did not abuse their powers in the performance of their official duties; f) They have fulfilled and/or are fulfilling their loan/credit obligations to any lender; g) They have not been declared insolvent/bankrupt. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 8. Decision-making on the Registration Application

4. Within 60 (sixty) working days of receiving a written application for registration as a Bureau/Platform and the relevant documentation/information from an entrepreneurial entity, the National Bank shall make a reasoned decision and issue an individual administrative-legal act on registration or refusal of registration. A copy of the individual administrative-legal act shall be sent to the interested entrepreneurial entity. Depending on the complexity of the issue, the deadline for a response may be extended by an additional 30 (thirty) working days, and the applicant must be notified thereof.

5. If the documentation/information submitted by the interested entrepreneurial entity does not meet the requirements defined by the legislation of Georgia and this Rule, the National Bank shall set a deadline for the interested entrepreneurial entity to remedy the defect, during which the running of the deadline specified in the first paragraph of this Article shall be suspended. Failure to meet the deadline set for remedying the defect shall be grounds for refusing the registration of the interested entrepreneurial entity as a Bureau/Platform.

6. The National Bank is authorized to refuse registration if: a) The information and/or documents requested by the National Bank were not provided, or/and the provided documentation is not complete; b) The information and/or documents submitted by the interested entrepreneurial entity are forged, incomplete, and/or non-compliant with the current legislation of Georgia, or are not provided within the timeframes specified by this Rule; c) The National Bank has determined that the entrepreneurial entity, its administrator/significant shareholder does not meet the criteria or/and violates, or does not comply with the conditions established for Bureaus/Platforms by this Rule and/or other relevant legal acts.

7. The National Bank is authorized to make a decision on the registration of an interested entrepreneurial entity with certain conditions. In this case, the individual administrative￾legal act issued by the National Bank shall define the relevant conditions and the deadline within which the Bureau/Platform must ensure compliance with the conditions and only thereafter carry out its activities. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 9. Registration of Changes

8. In the event of a change in its corporate name, legal form, or legal address, the Bureau/Platform is obliged to notify the National Bank in writing within five working days before implementing this change.

9. In the event of a change of administrators, the Bureau/Platform must submit to the National Bank, 5 (five) working days in advance, the documentation and information about the administrator that is required at the time of registration of the Bureau/Platform. If it is found that the administrator does not meet the criteria established by legislation, including this Rule, the National Bank is authorized to demand that the Bureau/Platform dismiss them from their position. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 10. Cancellation of Registration of a Bureau and a Platform

10. The National Bank shall issue an individual administrative-legal act on the cancellation of the registration of a Bureau/Platform, which must indicate the grounds for the cancellation of registration.

11. The grounds for cancellation of registration are: a) A written application from a person authorized to represent the Bureau/Platform for the cancellation of registration, together with the decision taken by the relevant body of the Bureau/Platform; b) A decision of the shareholders and/or the relevant body, when the Bureau/Platform is in the process of liquidation;

c) Based on the assessment and/or inspection by the National Bank, the Bureau/Platform fails to ensure the security of the data and/or information entrusted to it; d) Based on the assessment and/or inspection by the National Bank, the Bureau/Platform is engaged in or has engaged in unhealthy business practices that may cause significant harm to data subjects; e) The merger, acquisition, consolidation, or division of the Bureau/Platform with another Bureau/Platform; f) If the Bureau's own funds constitute less than 50% of its assets; g) Violation by the Bureau/Platform of the requirements stipulated in paragraph 5 or paragraph 7 of Article 4 of this Rule; h) The Bureau/Platform has been deprived of the right to carry out its activities by a court; i) Forgery and/or inaccurate information discovered in the documentation submitted for registration with the National Bank; j) The removal/cancellation of registration of the Bureau/Platform from the Registry of Entrepreneurs and Non-entrepreneurial (Non-commercial) Legal Entities; k) Failure by the Bureau to submit financial statements and an audit report to the National Bank for two consecutive times in the form and with the frequency established by the National Bank; l) A legally binding guilty verdict from a court regarding the deprivation of the right to conduct activities or/and the liquidation of the Bureau/Platform; m) The Bureau/Platform does not comply with the requirements established by the legislation of Georgia, including the Law of Georgia "on Personal Data Protection," the legal acts of the National Bank, and/or the written instructions of the National Bank, or/and did not allow employees of the National Bank to conduct an inspection; n) Failure of the Bureau/Platform to carry out activities within 12 months from the date of registration, or the cessation of activities by an active Bureau/Platform for more than 6 months. 3. The National Bank is authorized to cancel the registration of a Bureau/Platform (as well as its branch and subsidiary company) if it becomes known to the National Bank that the head office of the Bureau/Platform has been deprived of the right to conduct appropriate operations in its country of location. 4. Upon cancellation of registration, in case of insolvency and/or liquidation, the Bureau is obliged to fully transfer the information held in the Bureau (including the personal data of data subjects) to the National Bank, which will make a decision on the further transfer of the database in agreement with the Personal Data Protection Service. 5. The National Bank is authorized to cancel the registration of a Platform if the product submitted by the Platform did not successfully pass the testing stages defined by the Regulation approved by the Order №110/04 of the President of the National Bank of Georgia of May 25, 2020, "On the Approval of the Regulation on the Creation and Use of a Regulatory Sandbox Framework by the National Bank of Georgia."

Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №327/04 of December 31, 2024 - website, 31.12.2024. Article 11. Acquisition of a Significant Share

1. A person who intends to acquire a significant share in a Bureau/Platform in an amount such that their or their beneficial owner's (owners') participation in the capital of this Bureau/Platform will exceed 10 or 50 percent, is obliged to submit to the National Bank the documentation/information about the significant shareholder as defined by Articles 6 and 7 of this Rule.

2. The National Bank has the discretionary power to additionally request and receive any documentation/information for the purpose of assessing the transaction for the acquisition of a significant share.

3. The National Bank shall review the application for the acquisition of a significant share within 30 working days of its submission and shall either give consent to the interested person for the transaction or provide a reasoned refusal.

4. Failure by the National Bank to respond to the interested person within 30 working days of the submission of the application automatically means that consent has been given for the relevant transaction.

5. The National Bank is authorized to grant the interested person a maximum of 30 calendar days to remedy a defect and/or to submit additional documentation/information, during which the running of the deadline specified in paragraph 3 of this Article shall be suspended. Failure to meet the established deadline is grounds for refusing the interested person's acquisition of a significant share in the Bureau/Platform.

6. A transaction for the acquisition of a significant share of a Bureau/Platform is void if the interested person did not submit to the National Bank the documentation/information about the significant shareholder as defined by Articles 6 and 7 of this Rule, or if, despite receiving a reasoned refusal from the National Bank, they still acquired the significant share. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 12. Obligations of Administrators of a Bureau and a Platform

7. The administrator of a Bureau/Platform is obliged to conduct the activities of the Bureau/Platform in accordance with the legislation of Georgia, including ensuring the adequate management of the financial, operational, legal, and other risks facing the Bureau/Platform.

8. The administrator of a Bureau/Platform is responsible for ensuring the existence of organization-wide policies, procedures, and relevant systems for managing financial, legal, operational, and other risks, which cover all products, services, and operations and which are in line with the risk profile.

9. The administrator of the Bureau/Platform shall ensure the organization is staffed with appropriate and competent personnel and shall promote and develop the principles of competence and integrity.

10. It is the responsibility of the administrators of a Bureau/Platform to raise the level of awareness regarding risks throughout the organization, so that all employees of the Bureau/Platform are properly informed about what constitutes and what is included in the various types of risks facing the Bureau/Platform.

11. The administrator is responsible for ensuring that the Bureau/Platform develops a mechanism for notifying the National Bank of a major operational risk event. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Article 13. Operational Risk Management Framework for a Bureau and a Platform

12. All Bureaus/Platforms operating in Georgia must have an operational risk management framework (hereinafter – the Framework).

13. The Bureau/Platform is obliged to regularly assess the adequacy of the Framework and to update it in accordance with expected operational risks and changes in its risk profile.

14. All policies/procedures included in the Framework must be fully formalized and documented in writing. The operational risk management framework must contain the following parts: a) The objectives of operational risk management and the risk appetite; b) Business continuity management/plan, which in turn, also includes a recovery component in case of an incident; c) Information systems management; d) Information security; e) A mechanism for identifying, monitoring, reporting, and controlling fraud risks; f) Risk assessment tools and methods, which include, but are not limited to, the following instruments: f.a) A definition of operational risk loss; f.b) A database of operational risk losses; f.c) Identification and definition of business processes; f.d) Key risk indicators; f.e) The life cycle of the risk management process, which must include: f.e.a) Risk identification, development and implementation of control mechanisms; f.e.b) Risk monitoring and reporting; f.e.c) Risk mitigation and assessment of residual risks. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022.

Article 14. Requirements for Information Systems

1. The Bureau/Platform must have policies and procedures that cover the adequacy and security of the organization's existing information systems and technologies.

2. Policies and procedures related to information systems and security must be based on a recognized standard and methodology.

3. The Bureau/Platform must implement information systems and technologies that are suitable for and correspond to the volume and complexity of its current and future operations.

4. The Bureau/Platform must regularly assess and review the compliance and suitability of its information systems, taking into account the size, complexity, and intricacy of the Bureau/Platform.

5. The Bureau/Platform is obliged to develop an information security policy, which must consider information security objectives and strategy. This implies the proper protection of data existing within the organization.

6. The information security policy must cover the issue of ensuring the confidentiality, integrity, and availability of all data held at the Bureau/Platform.

7. The Bureau must conduct penetration testing at least twice a year, and the Platform at least once a year, which shall be carried out with the participation of an external audit firm or other relevant competent organization, the identity of which must be agreed upon in advance with the National Bank. The penetration testing must cover all of the organization's information systems and related processes.

8. The Bureau/Platform must, at least once a year, conduct an independent audit of its information systems and technologies, which shall be carried out by an external audit firm or other relevant competent organization, the identity of which must be agreed upon in advance with the National Bank.

9. The audit of information systems and technologies must, at a minimum, cover the organization's business continuity management, information security, and data quality management environment. The audit conducted within the framework of the information security management environment must fully cover the Bureau/Platform's information security policy and related processes.

10. The Bureau/Platform is obliged to immediately report any information security and protection vulnerability to the National Bank. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №202/04 of August 3, 2023 - website, 04.08.2023. Article 15. Requirements for Business Continuity Management

11. The Bureau is obliged to analyze and develop adequate control measures for significant threats that could hinder the proper and continuous functioning of the Bureau.

12. The Bureau must have a clear and thoroughly documented business continuity plan. This serves to achieve a high level of business continuity, which will enable the organization to provide its services to parties in a business relationship with it on an uninterrupted basis and to promptly restore operations in the event of an incident.

13. The business continuity plan must contain a written policy and procedures that ensure the continuous operation of the organization and detail the Bureau's plans and response mechanisms in the event of unexpected situations/events and/or major disruptions in the organization's operations.

14. The business continuity plan must consist of the following stages: a) Business impact analysis (focused on critical business processes); b) Risk assessment; c) Risk management; d) Risk monitoring; e) Regular testing.

15. The Bureau must have both a primary and an alternative data center, which will be geographically diversified from the primary data center.

16. At least one of the Bureau's data centers (including all necessary technical equipment) must be located in Georgia.

17. The Bureau's alternative data center must not be exposed to the same risks to which the Bureau's primary data center is exposed.

18. The Bureau must conduct a full test of its business continuity plan at least once a year.

19. The business continuity plan must be assessed and updated regularly, especially when significant changes occur within the organization and/or new products are planned to be introduced.

20. The Bureau is obliged to record the test results in detail, in both written and electronic form, and to provide them to the National Bank upon request. Article 16. Requirements regarding Outsourcing Operations

21. The Bureau is obliged to notify the National Bank at least 30 working days before establishing an outsourcing relationship that is directly related to the Bureau's core activities and the information systems of its core activities, in order to obtain the consent provided for in the first paragraph of Article 17 of this Rule.

22. The outsourcing agreement must be concluded under the condition that, if necessary, the timely and uninterrupted restoration of the Bureau's activities by the National Bank, as well as the effective supervision of the Bureau, is not hindered or delayed.

23. The existing outsourcing contractual relationships with third parties and the rights/obligations defined by the contract must not contradict the requirements of the legislation of Georgia, including this Rule and the "Rule on Providing Information to a Credit Information Bureau on the Territory of Georgia, Recording and Accessing Information in the Database of the Credit Information Bureau."

24. When concluding an outsourcing agreement, a condition must be included in the agreement stating that the National Bank, as the supervisory body of the Bureau, shall be granted the right to immediately and unconditionally request any information/documentation related to the Bureau.

25. The provision of outsourcing services to the Bureau by a foreign company and the transfer of critical data and processes outside the borders of Georgia shall not impede the comprehensive supervision of the Bureau by the National Bank, including inspections, nor the ability to transfer the database held at the Bureau to the National Bank in the event of the Bureau's liquidation.

26. The Bureau is obliged to conduct an adequate and competent risk assessment in relation to the outsourcing relationship, which in turn includes a complete analysis by the Bureau of all available information about the company, implying at least the assessment of the latest (most recent) independent financial/technological audit report, if any. In the event that the outsourcing service is provided by a company located outside of Georgia, the Bureau is obliged to have and keep a copy of the outsourcing company's audit report on the territory of Georgia. If necessary and upon the request of the National Bank, the Bureau is obliged to immediately provide the risk assessment, as well as the company's audit report, to the National Bank.

27. The Bureau's business continuity plan must necessarily take into account the Bureau's outsourcing operations, which implies timely access to the Bureau's critical information and the resumption of services under unexpected national or geographical restrictions or disruptions that affect the adequate provision of the outsourced service by the company.

28. In the event that the requirements stipulated by this Rule are not met by the third party (company) providing the outsourcing service to the Bureau, the Bureau shall be held responsible for the non-fulfillment of the requirements of this Rule in accordance with Article 52¹ of the Organic Law of Georgia "on the National Bank of Georgia." Article 17. Review of the Outsourcing Notification by the National Bank

29. Within 30 working days of receiving the notification provided for in the first paragraph of Article 16 of this Rule, the National Bank shall review the planned outsourcing relationship and give the Bureau consent or refusal to establish such a relationship. Depending on the complexity of the outsourcing relationship, the deadline for a response may be extended by an additional 45 working days, and the Bureau must be notified thereof.

30. Failure by the National Bank to respond within 30 working days of the submission of the notification specified in the first paragraph of Article 16 of this Rule automatically means that consent has been given to establish the respective outsourcing relationship.

31. An outsourcing agreement is void if the Bureau did not notify the National Bank of the planned outsourcing relationship, submitted incorrect/inaccurate information to the National Bank to obtain consent, or received a reasoned refusal from the National Bank but entered into the outsourcing agreement anyway. Article 18. Transitional Provisions

32. For the purpose of carrying out the activities of a credit information bureau, a person is obliged to register with the National Bank of Georgia from September 1, 2018, and to meet

the requirements established on the basis of this Rule and the Organic Law of Georgia "on the National Bank of Georgia." 2. In the event that a person wishing to carry out the activities of a Bureau does not meet the requirements established by this Rule and the legal act issued on the basis of the Organic Law of Georgia "on the National Bank of Georgia" at the time of registration with the National Bank, they are obliged to submit, along with the documentation/information for registration, a reasonable plan for coming into compliance with these requirements. The National Bank will review the compliance plan and either grant consent or refuse the person's registration as a Bureau. In case of failure to comply with the compliance plan, the National Bank will take actions provided for by law. 3. The Bureau is obliged to comply with the requirement of paragraph 14 of Article 4 of this Rule from November 1, 2022. Order of the President of the National Bank of Georgia №120/04 of September 13, 2022 - website, 14.09.2022.