1. RATIONALE AND OBJECTIVES FINANCREDITS BNK is firmly committed to the prevention of money laundering, the prevention of the financing of terrorist activities and compliance with the International Financial Sanctions and Countermeasures Programmes (hereinafter “Sanctions”), actively promoting the application of the highest international standards in this field.

Financial crime is a universal and globalised phenomenon that takes advantage of the disappearance of trade barriers and the internationalisation of the economy to materialise. The fight against this phenomenon requires and demands a coordinated response from the international community in general and the financial sector in particular, in order to avoid being used inadvertently and unwittingly for illicit purposes.

The purpose of this Corporate Policy on the Prevention of Money Laundering and Terrorist Financing and on the Management of International Financial Sanctions and Countermeasures (hereinafter the “Policy”) is to (1) establish a Group-wide compliance framework that all companies must apply in the exercise of their activities, business and relationships, both domestically and internationally, to prevent money laundering and terrorist financing and to comply with the various international financial sanctions and countermeasures programmes that may apply; (2) to define roles and responsibilities in this area; (3) to lay the foundations for the definition and implementation of policies and procedures in the Group’s subsidiaries; and (4) to establish the governance framework.

The application of the measures contained in this Policy must ensure due compliance with the applicable regulations in all those jurisdictions where the FINANCREDITS BNK Group is present and operates.

1. CONCEPTS For the purposes of the interpretation and application of this Policy, the following definitions shall apply

Money laundering:

• The conversion or transfer of property, knowing that such property is derived from criminal activity or from participation in criminal activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting persons involved in evading the legal consequences of their actions.
• The concealment or disguise of the true nature, source, location, disposition, movement or ownership of property or rights in property, knowing that such property is derived from criminal activity or from participation in criminal activity.
• The acquisition, possession or use of property, knowing, at the time of receipt of the property, that it is derived from criminal activity or from participation in criminal activity.
• Participation in any of the activities mentioned in the preceding paragraphs, association to commit such acts, attempts to commit such acts, and aiding, abetting or counselling anyone to commit such acts or facilitating their commission.

Property derived from criminal activity shall mean all types of assets, whether tangible or intangible, movable or immovable, tangible or intangible, and legal documents or instruments in any form, including electronic or digital, evidencing ownership of or a right over such assets, including the amount of the fraud in the case of offences against public finances, the acquisition or possession of which has its origin in a criminal offence.

Money laundering shall be deemed to take place even if the activities which generated the property were carried out in the territory of another State.

Finally, it should be noted that in the money laundering process the following stages are usually distinguished:

1. Placement or concealment: The introduction of criminal cash into financial circuits or a change to a different asset.
2. Accumulation: Carrying out transfers or movements between different products or services in one or different jurisdictions in order to split, accumulate, conceal, move the amounts and deposit them in jurisdictions that are less rigorous in investigations into the origin of the proceeds or in accounts where the origin of the money has a legal appearance, or carrying out other transactions that make it impossible to trace the true origin.

Integration: Incorporation of capital into the financial system under the guise of legitimacy.

The entities and companies of the FINANCREDITS BNK Group may be used in any phase of the process described above, mainly in the “placement” phase, and the necessary internal control measures must therefore be adopted to manage this risk.

Terrorist financing The supply, deposit, distribution or collection of funds or property, by any means, directly or indirectly, with the intention of using them or in the knowledge that they will be used, in full or in part, for the commission of any of the terrorist offences defined in the applicable criminal legislation.

Terrorist financing shall be deemed to exist even if the provision or collection of funds or property took place in the territory of another State.

International financial sanctions and countermeasures programmes Instruments of a political, diplomatic or economic nature used by countries and international or supranational organisations for the purpose of implementing restrictive measures to prevent violations of international law, human rights or civil rights and freedoms.

SCOPE OF APPLICATION The Policy is applicable to all companies of the FINANCREDITS BNK Group that are required to comply with it by anti-money laundering regulations or Sanctions programmes. The Policy shall be adopted in all jurisdictions where FINANCREDITS BNK and its subsidiaries carry out their activity, relations or business.

The boards of directors of the Group companies shall adhere to this Policy.

Likewise, the units assigned with the functions of prevention and supervision shall develop their corresponding rules and procedures for their correct implementation, execution and compliance. The companies of the Group shall adapt their rules and procedures in accordance with the specific legal requirements applicable in each jurisdiction and shall have the prior approval of the Compliance Department of FINANCREDITS BNK, as the parent company of the Group, to validate that such adaptations are consistent and do not contradict the Policy. A f t e r validation by the Compliance department of FINANCREDITS BNK, the rules shall be submitted to the Group’s Internal Control Body for final approval.

APPLICABLE PRINCIPLES AND STANDARDS The main principles and standards that constitute the prevention framework that this Policy regulates are:

1. Risk Assessment.
2. Due Diligence.
3. Detection, control and examination of operations.
4. Reporting of suspicious transactions.
5. Control of Sanctions lists and Communication of detections.
6. Retention of documentation.
7. Training.
8. Roles and responsibilities.
9. Consolidated risk management.

In order to maintain an adequate control and prevention framework with a risk-based approach, the Group’s companies should be categorised according to their level of risk so as to ensure that a higher degree of supervision is applied to those companies, segments, channels, jurisdictions or products with a higher level of risk.

1. Due Diligence The customer admission policy and due diligence measures may in no case entail the infringement of rights in the jurisdictions where the Group Company carries out its activities.

The customer admission policy is dynamic and establishes a Group-wide compliance framework that may vary depending on the level of risk of certain segments or activities as derived from their exposure to risk at any given time. The admission policy must comply with international standards and the Know Your Customer (KYC) principle, with a particular focus on ensuring that a good knowledge of the customer and its activities is available at all times.

The Know Your Customer principle and due diligence policies shall always apply a risk-based approach and ensure that the measures applied are appropriate to the underlying risk of money laundering, terrorist financing or sanctions.

1.1 Customer classification. The Group companies’ customers must be segmented and classified according to risk as an element that enables the design of preventive and control measures to mitigate exposure to risk, so that stricter measures and controls are applied to those customers with a higher level of risk.

Controls and procedures should ensure adequate and continuous monitoring of the business relationship with the objective of adapting the level of risk, and thus the measures to be applied, to the customer’s risk circumstances at all times.

The assessment of the level of risk shall be documented in the companies of the FINANCREDITS BNK Group according to their activity and operations. In order to determine this classification, various factors shall be taken into account depending on the risk exposure of the company and its customers or suppliers and, as a minimum, shall include the analysis of the following factors

• Client characteristics:

– Activity.

– Geographical area.

– Person of Public Responsibility (PRP).

– Identity of the beneficial owner.

– Ownership or Control Structure.

• Characteristics of products or services:

– Product type.

– Business segment.

– Relationship channel.

• Operational characteristics:

– Source of funds.

– Transactions.

As a minimum, Group companies must use the following customer classifications, according to the degree of risk identified:

1.2 Persons whose admission is not permitted: Business relations with natural or legal persons who are in any of the following situations may not be admitted:

• Persons to whom it has not been possible to apply the due diligence measures provided for in this Policy during their admission process.
• Persons included in national or international Sanctions lists and those who should not be admitted as customers in accordance with the Sanctions programmes defined in this Policy and in the applicable legal regulations in this area.
• Persons whose business is of such a nature as to make it impossible to verify the legitimacy of transactions or the source of funds.
• Persons who refuse to provide documentation allowing full formal identification of the holder and/or beneficial owner or who, having provided such documentation, refuse to allow the Entity to keep a digitised copy of it.
• Persons who provide documents which are manifestly false or which give rise to serious doubts as to their legality, legitimacy, non-manipulation, or which do not offer sufficient guarantees.
• Persons who refuse to provide requested information or documentation relating to the verification of declared activities or the source of funds, such as the purpose and nature of the business relationship with the entity.
• Legal persons and arrangements where the ownership or control structure cannot be ascertained or in companies where the beneficial owner cannot be ascertained.
• Screen banks and those financial institutions that deal with this type of entities.
• Persons or entities that intend to carry out operations corresponding to financial activities, gambling, betting, money exchange, payment institutions or other activities without having the corresponding official authorisation or other legally enforceable requirements.
• Any other category not covered by the above and which it is appropriate to reject in view of the provisions of a legal rule or the Company’s internal policy.
• Individuals or legal entities that, having been customers of the Group at some point in time, have ceased to be customers of the Group in application of this Policy.

1.3 Above-average risk persons: their acceptance as customers is in any case conditional on the application of enhanced due diligence measures and will require centralised approval. The following persons or entities will be included in this category:

• National and foreign individuals with public responsibility.
• National and foreign legal entities whose beneficial owner and/or any of their administrators are persons with public liability (PRP’s), both national and foreign.
• Natural or legal persons with residence or nationality in a risky jurisdiction, as well as those who are not in such a situation and are controlled by persons or entities from risk jurisdictions.
• Customers involved in the production, marketing, distribution and sale of arms and other items of a military nature.
• Payment institutions, money remittance and/or foreign exchange services, casinos, gaming companies and other companies linked to games of chance that have the corresponding official authorisation or other legally enforceable requirements, as well as any other risk sector when required by their specific procedures.
• Bearer companies, once their ownership or control structure has been determined.

All other persons or entities shall be subject to normal or simplified due diligence measures as set out in the applicable regulations or internal rules and procedures.

1.4 Formal identification of customers: the rules and procedures that develop this Policy must guarantee in the Group’s companies the proper identification of all customers in accordance with the legislation applicable at all times and in each jurisdiction, which shall include, in all cases, verification of identity by means of valid and current documents.

Under no circumstances shall business relations be maintained with persons who have not been identified, and the contracting of products or services of an anonymous, encrypted or fictitious nature is also prohibited.

Prior to the establishment of business relations or the execution of transactions, the beneficial owner must be identified. This obligation implies that if there are indications or certainty that customers are not acting on their own account, precise information must be obtained in order to know the identity of the persons on whose behalf they are acting, as well as sufficient documentation accrediting the powers of attorney with which they are acting.

1.5 Knowledge of the customer’s activity and assets: prior to the establishment of a business relationship, Group companies must at least gather information on the customer’s professional or business activity and the origin of the funds or assets.

Depending on the level of risk assigned to the customer, they may adopt additional measures consisting of documentary verification, through reliable external sources, of the information provided by the customer, especially in relation to his professional or business activity, the origin of the funds or assets and any other relevant information in accordance with internal rules and procedures.

2. Detection, control and examination of operations Group companies shall have the means to detect, control and examine transactions. These means shall be applied according to risk and shall in any case cover the three basic scenarios for detecting transactions:
3. Internal reporting by Group employees.
4. The detection of possible suspicious transactions through the alert systems established (at the level of each Group company and/or centralised).
5. Communications from supervisory bodies or law enforcement or judicial authorities.

The detection of suspicious transactions shall entail a detailed and comprehensive analysis aimed at determining the effective existence of indications of money laundering and terrorist financing. The methodology for carrying out this analysis shall be set out in a specific procedure known as the Special Examination Procedure. Such analysis shall in all cases be centralised in a single unit common to all the companies of the Group operating in the same jurisdiction.

Monitoring will be automated and will review activity based on patterns identified by law and best practice at any given time.

1. Internal reporting by Group employees.
2. The detection of possible suspicious transactions through the alert systems established (at the level of each Group company and/or centralised).
3. Communications from supervisory bodies or law enforcement or judicial authorities.

The detection of suspicious transactions shall entail a detailed and comprehensive analysis aimed at determining the effective existence of indications of money laundering and terrorist financing. The methodology for carrying out this analysis shall be set out in a specific procedure known as the Special Examination Procedure. Such analysis shall in all cases be centralised in a single unit common to all the companies of the Group operating in the same jurisdiction.

Monitoring will be automated and will review activity based on patterns identified by law and best practice at any given time.

1. Internal reporting by Group employees.
2. The detection of possible suspicious transactions through the alert systems established (at the level of each Group company and/or centralised).
3. Communications from supervisory bodies or law enforcement or judicial authorities.

The detection of suspicious transactions shall entail a detailed and comprehensive analysis aimed at determining the effective existence of indications of money laundering and terrorist financing. The methodology for carrying out this analysis shall be set out in a specific procedure known as the Special Examination Procedure. Such analysis shall in all cases be centralised in a single unit common to all the companies of the Group operating in the same jurisdiction.

Monitoring will be automated and will review activity based on patterns identified by law and best practice at any given time.

1. Internal reporting by Group employees.
2. The detection of possible suspicious transactions through the alert systems established (at the level of each Group company and/or centralised).
3. Communications from supervisory bodies or law enforcement or judicial authorities.

Monitoring will be automated and will review activity based on patterns identified by law and best practice at any given time.

3. Reporting suspicious transactions The Group companies shall report on their own initiative to the supervisory and/or financial intelligence bodies any event or transaction, even a mere attempt, which, once the special examination has been completed when it determines that there are indications or certainty of a relationship with money laundering or terrorist financing in the operation.

In particular, transactions which show a clear mismatch with the nature, volume of activity or operational history of clients shall be reported to supervisory bodies.

The decision to notify shall be taken centrally in each jurisdiction by the persons or bodies designated for this purpose and shall be made through the representative authorised by the competent authorities. The communication made shall, in any case, include information on the decision taken on whether or not to continue the business relationship, as well as the justification for this decision.

Notwithstanding the indication communication, the institution shall immediately take additional risk management and mitigation measures which shall take into account the disclosure risk.

Group employees must refrain from executing any transaction for which there is any indication or certainty that it is related to money laundering or terrorist financing.

Employees, officers or agents of the Group shall not disclose to the customer or to third parties that information has been reported to internal control bodies or to the supervisory body, or that any transaction is being or may be examined for possible money laundering or terrorist financing.

4. Control of sanction lists and reporting of detections In order to comply with the restrictions imposed by the Sanctions programmes, Group companies must:
5. Identify and follow the Sanctions programmes established by the United Nations (UN), OFAC and local programmes applicable in the jurisdictions in which the Group’s companies operate.
6. Assess the risks associated with activities related to Sanctions Programmes in determining the risks of participating or engaging in activities restricted or prohibited by Sanctions;
7. Refrain from executing or participating in operations or transactions with sanctioned persons;
8. Comply with prohibitions and restrictions on the execution of transactions, payments or business relations and refrain from executing them when they imply non-compliance with Sanctions programmes;
9. Blocking assets and funds when required by the Sanctions programmes and communicating such circumstances to the authorities administering the Sanctions programmes;
10. Implement internal control procedures and prevention mechanisms to ensure adequate compliance with the obligations of Group companies, including automated screening procedures and tools.
11. Retention of documentation FINANCREDITS BNK companies shall establish documentation retention policies that comply with the legal requirements applicable in each jurisdiction, the minimum retention period being that determined at any given time by the relevant legislation, and never less than 10 years.

The documentation that must be kept in accordance with the prevention laws includes, as a minimum, the following aspects:

1. In particular, it shall be retained for use in any investigation or analysis of possible prevention cases by supervisors or any other competent authority:
2. Copies of documents required under due diligence measures, including, in particular, copies of identification documents, customer statements, documentation and information provided by the customer or obtained from reliable independent sources.
3. Original or a copy with evidentiary force of the documents or records that adequately prove the transactions, the parties to the transactions and the business relationships.
4. All documentation formalising compliance with its reporting and internal control obligations:
5. Communications to supervisory bodies.
6. Communication of the appointment of representatives to the Financial Intelligence Authorities.
7. Special examination files.
8. Suspicious transaction reports sent to supervisory bodies and related documentation.
9. Information requests and tracing requests received from supervisory bodies.
10. Annual external expert review reports and related documents.
11. Minutes of the meetings of the internal control bodies, including the minutes and documents of other bodies regarding aspects with an impact on prevention.
12. Training Raising awareness of the risks associated with these crimes is a key element in the fight against money laundering and terrorism.

FINANCREDITS BNK Group companies shall define, maintain and implement training programmes for their employees to ensure an adequate level of awareness for all staff as required by law and shall establish policies to ensure mandatory training in the prevention of money laundering, terrorist financing and sanctions for all their staff (including senior management and management bodies) on a regular basis and appropriate to the level of risk exposure of their activity in the company.

The AML/CFT training programmes of all companies of the FINANCREDITS BNK Group shall be validated by the Compliance Unit of FINANCREDITS BNK as a specialised unit within the Group, once they have been validated by the departments responsible for training and compliance of the company, keeping records and evidence of the training given, its contents, and the employees who have received and passed it.

7. Roles and responsibilities The entities of the FINANCREDITS BNK Group, in accordance with the regulations, must have a governance structure and an internal organisation that allows them to comply with the obligations of identification and prevention of money laundering and the financing of terrorism and Sanctions, that guarantees compliance with the appropriate reporting obligations in each jurisdiction to the competent Authorities of each company and that guarantees an effective blocking and freezing of funds or economic resources resulting from the application of international sanctions frameworks and countermeasures.

In order to comply with these obligations, the function of preventing money laundering/terrorist financing and sanctions must be assigned to a unit or department and, where applicable to the activities or business, a Head must be appointed. This person shall be appointed on a part-time or full-time basis depending on the company and type of business, as a result of the principle of a risk-based approach to money laundering/terrorist financing and sanctions, and shall report functionally to the person responsible for group prevention.

The responsibility for implementing customer identification processes will rest primarily with those who have direct contact and relationships with customers and are directly involved at the origin of the establishment of customer relationships, applying the relevant policies at all times (first line of defence).

As a second independent line of defence, the main functions of the Prevention of Money Laundering and Terrorist Financing (AML/CFT) function will include, among others:

1. The definition and implementation of prevention policies, standards and procedures.
2. Overseeing the implementation and enforcement of prevention policies, standards and procedures with a risk-based approach.
3. The definition of a compliance programme and plan to ensure compliance with the applicable regulations.
4. The validation and monitoring of internal controls to ensure adequate knowledge of customers.
5. Maintaining fluid contact and communication with supervisory bodies, authorities and regulators.
6. In the case of prevention officers located in jurisdictions other than FINANCREDITS BNK’s, promptly communicate and notify the Group Head of any relevant aspects related to the prevention model in their jurisdiction and the associated risks.
7. Periodically assess the level of risk exposure and propose corrective and remediation measures to correct weaknesses or non-compliances. For its part, the Internal Audit function will carry out periodic reviews of the most relevant aspects of the functions involved in the Group’s prevention model and their adaptation to this Policy and other applicable standards and procedures.
8. Consolidated risk management FINANCREDITS BNK believes that the best way to combat the risks associated with this Policy is the consolidated management of these risks and the uniform and aggregated management of the information related to the management of these risks at the Group level regardless of the jurisdiction in which the companies that make up the Group operate.

The principle of aggregated or consolidated management is thus a fundamental pillar of the prevention model and makes it possible to coordinate the efforts of all the Group’s companies in a uniform manner and to assess and manage risks on an aggregated basis.

Therefore, all the entities that make up the Group shall keep FINANCREDITS BNK promptly informed of high-risk relationships, data on sensitive activities and their associated risks, promptly responding to any request for information that FINANCREDITS BNK may make in the management of regulatory and reputational risk related to money laundering, financing of terrorism and Sanctions.

In any case, these obligations are understood to be without prejudice to strict compliance with the applicable regulations, especially those on data protection and privacy. FINANCREDITS BNK and the companies of the Group shall adopt the necessary measures to preserve the confidentiality and privacy of the data thus communicated between Group entities.

GOVERNANCE

The development of the prevention, management, control and decision-making functions contemplated in this Policy and its implementing rules requires a solid governance structure that guarantees the involvement of the decision-making, management and administrative bodies of FINANCREDITS BNK as well as close coordination between the companies of the Group.

In the process of transposition and adaptation of this Policy, each company of the Group shall identify the governing and decision-making bodies that are responsible for decision-making, supervision and control of the risks associated with this Policy.

To this end:

• The management bodies of each Group company shall be responsible for:

1. Take ultimate responsibility for the approval and implementation of this Policy and its implementing regulations;
2. Supervise compliance with the rules and regulations in this area;
3. Ensure that corrective, mitigating and remedial actions identified as a result of internal control procedures or supervisory activity are taken;
4. Approve risk appetite;

When so agreed by the management body and in accordance with the terms of the Articles of Association and internal regulations, the board committees (Risk and/or Audit) shall also be responsible for:

1. Assist and advise the management body in the definition and evaluation of the rules and procedures implementing this Policy;
2. Monitor regulatory changes by advising and assessing their impact on internal rules and procedures;
3. Incorporate the risks associated with this Policy into the day-to-day management of the company’s risks;

In addition, FINANCREDITS BNK may determine and define as non-statutory bodies other collegiate bodies or committees with responsibility in this area at Group level. By way of non-exhaustive example, the governing and management bodies of FINANCREDITS BNK with responsibility for the Group may designate:

1. A Compliance Committee that will assume at least as its main responsibility the advisory role in decision-making to the governing bodies as well as decision-making related to compliance risk management in general.
2. A committee for the prevention of money laundering, terrorist financing and sanctions, which shall have at least the following functions:
3. Making day-to-day management decisions in relation to the risks in this Policy;
4. Validate the compliance programmes of the Group’s companies;
5. Periodically control, evaluate and supervise the risks associated with this Policy, proposing the adoption of any corrective and mitigating measures it deems appropriate with respect to the weaknesses, non-compliances and weaknesses that have been identified in the internal control processes and supervisory and inspection activities;
6. The above prevention committee may delegate part of its executive and decision-making functions to a delegated body to ensure that decisions are taken in an expeditious manner.

ENTRY INTO FORCE, INTERPRETATION, APPROVAL AND ADMINISTRATION OF POLICY

This Policy and its subsequent amendments and updates must be approved by the Board of Directors of FINANCREDITS BNK.

The administration, interpretation of the Policy and verification of the correct adaptation of its contents in the companies of the Group shall be the responsibility of the head of the Prevention Unit of FINANCREDITS BNK.

This Policy shall enter into force upon its publication through internal communication channels and shall be updated periodically.