Anti-Money Laundering and Counter-Terrorism Financing Policy

Guiding Principles

• 4.1. Observe current legislation and regulations applicable to payment institutions;
• 4.2. Promote high standards of ethics, integrity, fairness, transparency, justice and commitment, which are part of the values disseminated in our Code of Ethics;
• 4.3. Value the transparency and confidentiality of information, as well as preserve the relationship of trust and harmony with our customers;
• 4.4. Disseminate the culture of preventing money laundering and terrorism financing throughout the institution, including our partners and third-party service providers.

General Guidelines

• 4.5. The commitment to establish and maintain a structure for preventing and combating money laundering and terrorism financing in all areas of D EMPREENDIMENTOS, through processes, internal regulations and training for its employees on the subject;
• 4.6. Develop, implement and periodically update this policy, manuals, procedures and internal controls aimed at preventing money laundering and terrorism financing, in line with current legislation and regulations, as well as best market practices;
• 4.7. Conduct effectiveness tests of existing controls for preventing money laundering and terrorism financing in the various business areas of D EMPREENDIMENTOS that are susceptible to money laundering and terrorism financing crimes;
• 4.8. Periodically report to D EMPREENDIMENTOS’s Board of Directors and the Board of Administration, with prior validation by internal audit, on the effectiveness of internal controls for preventing money laundering and terrorism financing;
• 4.9. Promote and disseminate to all employees, partners and third-party service providers a culture of ethical principles and integrity and of combating and preventing illicit acts in the different business activities.

Governance and Structure Guidelines

• 4.10. D EMPREENDIMENTOS’s governance structure aims to ensure compliance with this policy, procedures and internal controls for preventing money laundering and terrorism financing.
• 4.11. The policy is applicable and widely disseminated to all D EMPREENDIMENTOS employees, partners and third-party service providers.
• 4.12. The responsibility for defining the governance structure, processes and maintaining this policy and procedures lies with the Risk and Compliance Board, and its approval must be the responsibility of D EMPREENDIMENTOS’s top management.
• 4.13. Documents related to the prevention of money laundering and terrorism financing, such as this policy, procedures, contracts, reports, as well as information collected in related procedures, must remain available to the Central Bank of Brazil for a minimum period of 10 years and must comply with current regulations, which establish the specific term for documents.
• 4.14. To compose the governance structure, D EMPREENDIMENTOS appoints a director responsible for fulfilling obligations under current legislation and regulations to the Central Bank of Brazil, ensuring that this director has no conflict of interest with their functions.

Internal Risk Assessment Guidelines

• 4.15. D EMPREENDIMENTOS carries out an internal assessment with the objective of identifying and measuring the risk of using its products and services in relation to money laundering and terrorism financing practices.
• 4.16. The internal assessment considers the following risk profiles:
  I. customers;
  II. the institution, including its business model and geographic area of operation;
  III. operations, transactions, products and services, covering all distribution channels and the use of new technologies;
  IV. activities carried out by employees, partners and third-party service providers.
• 4.17. The identified risk considers the probability of occurrence and the magnitude of financial, legal, reputational and socio-environmental impacts.
• 4.18. The internal risk assessment adopts management and mitigation controls classified according to the risk profiles considered for analysis, reinforcing controls for higher or lower risk situations, respectively.
• 4.19. Responsibility for conducting the internal risk assessment lies with the Compliance area, and it must be updated every two years or when significant changes occur in its risk profiles or regulations.
• 4.20. The internal risk assessment is a document approved by the Director appointed to the Central Bank of Brazil in compliance with Circular No. 3.978/20 (Prevention of money laundering and terrorism financing), with prior knowledge of Internal Audit and the Board of Administration, and is the responsibility of the Compliance and PLDFT areas. Its use is restricted and confidential to the mentioned areas and the Board of Administration.

Know Your Customer (KYC) Guidelines

• 4.21. D EMPREENDIMENTOS adopts a policy and procedure aimed at knowing its customers, including due diligence in their identification, qualification and classification.
• 4.22. Responsibility for customer identification and qualification lies with the Fraud Prevention area, which must obtain, verify and validate the authenticity of registration information and relevant information to know the customers, in accordance with the minimum registration information criteria established in Circular No. 3.978/20.
• 4.23. Information collected in customer qualification must be kept up to date and properly stored, including verification of the customer’s status as a Politically Exposed Person (PEP), as well as verification of the status of representative, family member or close associate of such persons.
• 4.24. Customer qualification must ensure compatibility of data collection, verification and validation with the risk profile, as well as include the nature of the business relationship. Therefore, additional customer information must be added when compatible with the risk of using products and services in money laundering and terrorism financing.
• 4.25. Information collected in customer qualification must be kept up to date and permanently reassessed according to the evolution of the business relationship and risk profile.
• 4.26. Responsibility for customer classification lies with the PLDFT area, observing the classification criteria and mitigating controls presented in the Internal Risk Assessment.
• 4.27. Identification, qualification and classification criteria for customers must also be adopted for administrators and representatives under the National Register of Legal Entities (CNPJ).
• 4.28. Qualification of legal entity customers must include analysis of the corporate participation chain up to identifying the natural person characterized as the ultimate beneficiary.
• 4.29. The minimum reference ownership percentage for identifying the ultimate beneficiary established by D EMPREENDIMENTOS is 25%.
• 4.30. Business relationships may not be initiated until customer identification and qualification procedures are completed.
• 4.31. Any relevant situations related to customers, such as negative media, presence of PEPs, changes in control structure or indications of non-compliance with money laundering and terrorism financing, must involve the director responsible for PLDFT, and may be referred to a decision-making committee.
• 4.32. A business relationship may be initiated for a maximum period of thirty days in case of insufficient information for customer qualification, provided that it does not impair monitoring and selection procedures.

Know Your Partner and Service Provider (KYP) Guidelines

• 4.33. D EMPREENDIMENTOS adopts a procedure to know its partners and third-party service providers, including due diligence in their identification, qualification and classification, considering their risk profile and the services to be provided.
• 4.34. The procedure for knowing partners and third-party service providers will be compatible with the guidelines of this policy, such as data collection, verification and validation and the internal risk assessment.
• 4.35. Information on partners and third-party service providers will be kept up to date, including any changes that imply classification changes in risk categories.
• 4.36. Areas involved in partner relationships and contracting third-party service providers must strictly follow the guidelines of this policy and specific procedures aimed at knowing both partners and third-party service providers.
• 4.37. D EMPREENDIMENTOS will conduct preliminary evaluations of third-party service providers, considering aspects such as technical capacity, experience, reputation, financial situation and legal and regulatory compliance.
• 4.38. Contracts with third-party service providers will be formalized and include clauses establishing at minimum the rights and obligations of the parties, a detailed description of the services to be provided, deadlines and conditions of execution, responsibilities and applicable penalties, and control and monitoring mechanisms.
• 4.39. D EMPREENDIMENTOS will implement monitoring and supervision processes for third-party service providers to ensure the quality, safety and efficiency of services provided, as well as compliance with legal and regulatory requirements.
• 4.40. D EMPREENDIMENTOS will conduct periodic reviews of contracts and performance of third-party service providers to verify whether activities are being carried out as agreed and associated risks are being properly managed.
• 4.41. Information collected in the qualification of the partner and third-party service provider will be kept up to date and properly stored, including verification of Politically Exposed Person (PEP) status and verification of representative, family member or close associate status of such politically exposed persons.

Check the Best Practices Manual for partners and third-party service providers.

Know Your Employee (KYE) Guidelines

• 4.42. D EMPREENDIMENTOS implements procedures to know its employees, from selection to hiring, collecting, verifying and validating data to identify and qualify them according to the profile of the position they occupy and the professional activities performed.
• 4.43. Employee qualification must also include identification and classification as a Politically Exposed Person (PEP) or the existence of a close tie with such persons.
• 4.44. Employees are classified by the PLDFT area according to the activities performed, in the risk categories defined in the Internal Risk Assessment.
• 4.45. Employee information must be kept up to date, including any changes that imply changes in risk classification.
• 4.46. In the event of vertical reclassification of position, the Organizational Efficiency area must inform the PLDFT area for a new risk classification to be carried out.
• 4.47. Areas and managers involved in hiring or promoting employees must strictly follow the guidelines of this policy and specific procedures aimed at knowing their employees.

Financial Operations and Services Record Guidelines

• 4.48. D EMPREENDIMENTOS adopts procedures and technology to maintain records of all operations carried out, contracted products and services, including electronic currency movement records, which are part of the Central Bank of Brazil authorization requirements, being embedded in its operation as a payment intermediary.
• 4.49. Technology area and operations movement responsible parties must observe the minimum recording criteria for each operation according to Circular No. 3.978/20, aimed at ensuring the recording of the following information: operation type, amount (when applicable), date of execution, name of the responsible party followed by the CPF or CNPJ number of the holder, as well as the beneficiary in the case of a resident or headquartered person in the country, plus the channel used.
• 4.50. Note: this guideline directs information on operation records and is not a criterion for acceptance of new customers or new business, and must comply with other D EMPREENDIMENTOS acceptance policies.
• 4.51. For payment, receipt and transfer operations, in addition to minimum recording criteria indicated in item 4.45, both recorded data and resource origin and destination identification must be included.
• 4.52. Minimum records for identifying origin and destination of resources in payment, receipt and transfer operations are:
  I. name and CPF or CNPJ number of the sender or payer;
  II. name and CPF or CNPJ number of the receiver or beneficiary;
  III. identification codes in the payment or funds transfer settlement system of institutions involved in the operation; and
  IV. branch and account numbers involved in the operation.

Monitoring, Selection and Analysis of Suspicious Operations and Situations Guidelines

Reporting to COAF

• 4.61. Dossiers submitted and deliberated by D EMPREENDIMENTOS’s top management will be reported to COAF by the PLDFT area. These dossiers will be composed in a clear and objective manner, with customer description, description of indications found, and the evidence supporting them, considering the regulatory basis of the decision, according to the scenarios provided in Circular Letter 4.001/2020.
• 4.62. The report of the suspicious operation or situation to COAF will be made by the next business day after the reporting decision, that is, within 24 hours; and the scenarios provided in Circular Letter 4.001/2020 must be duly recorded in Siscoaf.
• 4.63. The PLDFT area and other areas involved in identifying and analyzing operations and/or situations with indications or suspicions of money laundering and terrorism financing must conduct the entire process confidentially, without notifying those involved or third parties.
• 4.64. In the absence of operations or situations requiring COAF reporting during the calendar year, the PLDFT area must provide a declaration within ten business days after the end of that year, certifying the non-occurrence of reportable operations or situations.
• 4.65. Reports amended or canceled after the 5th consecutive business day of their submission must be accompanied by a justification of the occurrence.
• 4.66. Reports may be centralized through the prudential conglomerate, on behalf of the institution in which the operation or situation occurred. Thus, the decision must be made in a meeting of D EMPREENDIMENTOS’s Board of Administration or Executive Board.
• 4.67. Details and specifications if the person subject to COAF reporting:
  I. is a politically exposed person or representative, family member or close associate of such person;
  II. is a person who has knowingly carried out or attempted to carry out terrorist acts or participated in or facilitated them;
  III. is a person who owns or controls, directly or indirectly, resources in D EMPREENDIMENTOS;
• 4.68. Reports are made through the system provided by the regulator and D EMPREENDIMENTOS must register in the COAF Financial Activities Control System (Siscoaf).
• 4.69. Dossiers of transactions and situations flagged for COAF reporting are recorded electronically or physically by the PLDFT area, with access authorized only to those involved in processes and activities preventing money laundering and terrorism financing. Contents will be maintained and stored for 10 years, as well as minutes of deliberations by D EMPREENDIMENTOS’s top management.

Effectiveness Assessment

• 4.70. D EMPREENDIMENTOS must assess the effectiveness of this policy, procedures and internal controls, which must be documented in a specific report produced under the responsibility of the Internal Controls area.
• 4.71. The Effectiveness Assessment report must at minimum:
  I. be prepared annually, with a base date of December 31; and
  II. be submitted for acknowledgment by March 31 of the year following the base date to D EMPREENDIMENTOS’s Board of Administration.
• 4.72. The Effectiveness Assessment report must describe:
  I. the methodology adopted in the effectiveness assessment;
  II. the tests applied;
  III. the qualifications of the assessors; and
  IV. the deficiencies identified.
• 4.73. It must include at minimum the assessment of:
  I. Know Your Customer (KYC) procedures, including verification and validation of customer information and adequacy of registration data;
  II. monitoring, selection, analysis and COAF reporting procedures, including assessment of operation selection parameters and suspicious situations;
  III. governance of the anti-money laundering and counter-terrorism financing policy;
  IV. measures to develop an organizational culture aimed at preventing money laundering and terrorism financing;
  V. periodic staff training programs;
  VI. procedures to know employees (KYE), partners and third-party service providers (KYP); and the actions to regularize findings from internal audit and Central Bank supervision.
• 4.74. Action plan monitoring:
  I. D EMPREENDIMENTOS must develop an action plan to resolve deficiencies identified in the Effectiveness Assessment.
  II. Monitoring the implementation of the action plan must be documented in a follow-up report.
  III. The action plan and corresponding follow-up report must be submitted for acknowledgment and evaluation by June 30 of the year following the base date of the Board of Administration report and to D EMPREENDIMENTOS’s Executive Board.

Monitoring and Control Guidelines

• 4.75. D EMPREENDIMENTOS will ensure the implementation and adequacy of this policy, procedures and internal controls, including but not limited to:
  - Audit processes, tests and trails: Under D EMPREENDIMENTOS’s Risk and Compliance Program, policy and procedures related to PLDFT will be reviewed annually by PLDFT and Compliance areas and necessary tests and improvement points will be carried out by the Internal Controls area in the Effectiveness Assessment report.
  - Appropriate metrics and indicators: The PLDFT area will consider as indicators the number of analyses carried out for Know Your Employee, Know Your Partner and Service Provider, Know Your Customer and Monitoring, Selection and Analysis of Suspicious Operations and Situations procedures. Quantitative data from the Internal Risk Assessment and PLDFT training completion rates will also be considered.
  - Identification and correction of any deficiencies: Deficiency identification will be based on the Effectiveness Assessment report, with necessary corrections guided by the Action Plan report.
• 4.76. The mechanisms cited in this policy will be subjected to periodic tests by Internal Audit.