Financial Crime Compliance and Cyber Security – Comfort Letter – FundBank (Europe) S.A.
FundBank (Europe) S.A. (hereafter “FundBank” or “the Bank”) is a fully licensed Luxembourg bank, established in 2025 and operating under the laws of the Grand Duchy of Luxembourg. The sole shareholder of FundBank (Europe) S.A. is FB Financial Holdings (Luxembourg) Inc., with registered address at 1209 Orange Street, Wilmington, Delaware 19801, New Castle County (US). The sole ultimate beneficial owner of the Bank is Mr Don Marvin Seymour, domiciled in the Cayman Islands.
Applicable Legal and Regulatory Framework
Luxembourg is one of the charter members of the Financial Action Task Force on Money Laundering (FATF) and a member of the European Union, and is therefore subject to EU regulations concerning Anti-Money Laundering and Combating the Financing of Terrorism (“AML/CFT”).
As an authorised credit institution under the Banking Law of 5 April 1993 (as amended), FundBank is regulated by the Commission de Surveillance du Secteur Financier (the “CSSF” or the “Regulator”). The CSSF is responsible for overseeing all banks, other institutions and professionals active in the Luxembourg financial sector. For evidence of regulation, please refer to the CSSF website: www.cssf.lu.
The 5th European Anti-Money Laundering Directive (2018/843) has been transposed into domestic law by the Law of 25 March 2020, amending the Law of 12 November 2004 on the fight against money laundering and terrorist financing. As the regulating body, the CSSF has issued regulations and circulars outlining the obligations of Luxembourg regulated entities with regard to anti-money laundering and the fight against terrorist financing.
Governance Framework
The Bank has in place policies and procedures relating notably to AML/CFT (including Proliferation Financing, Tax Compliance and Sanctions), Anti-Bribery and Corruption, and Information Security, approved by the Authorised Management of the Bank as well as the Audit and Risk Committee and ultimately ratified by the Board of Directors. Their purpose is to describe the Bank’s internal control framework, based on applicable legal and regulatory requirements as well as best practices.
The Board of Directors has the overall responsibility for having in place an appropriate framework for compliance with laws and regulations, and an effective control system, which allows notably for ML/FT and Sanctions risks to be assessed and managed appropriately.
The policies and procedures are regularly reviewed and updated by the Bank and checked by Internal Audit and the External Auditors on a regular basis.
The Bank has implemented the so-called “three lines of defence” model in line with Luxembourg regulation:
- The first line of defence consists of the business units that take or acquire risks under the predefined policies and limits and carry out controls of first line.
- The second line of defence is formed by the control functions, including the Compliance function and the Risk Management function (which includes the Chief Information Security Officer), which contribute to independent risk control. Both functions perform controls and testing in accordance with their respective frameworks approved by the Board of Directors of the Bank.
- The third line of defence is formed by the Internal Audit which is outsourced to EY Luxembourg.
Compliance function
The characteristics and responsibilities of the Compliance function are defined in accordance with the applicable regulation and approved by the Board of Directors. They set out the fields of intervention directly related to the responsibilities of the Compliance function as well as the independence, objectivity and permanence of the Compliance function.
The Compliance function is held by the Chief Compliance Officer (“the CCO”), who is under the hierarchical responsibility of the Chief Risk Officer, also appointed Authorised Manager of the Bank. The appointment and revocation of the CCO are approved by the Board of Directors and subject to CSSF approval.
The CCO has direct access to the Board of Directors.
The Board of Directors and the Authorised Management of the Bank (all together the Management Body) should ensure that the Compliance function has the necessary and sufficient resources, infrastructure and budget to guarantee the execution of its tasks.
Due Diligence process
The Bank has established procedures regarding Customer Due Diligence, including Know Your Customer (“KYC”), which include identifying and verifying the identity of customers and beneficial owners on the basis of documents, data or information obtained from a reliable and independent source. The records used to identify customers are retained for a period of ten years after the relationship with the customer has ended.
Moreover, the Bank pays special attention to:
- Understanding the ownership, control structure and investment strategies of its customers;
- Obtaining information on the purpose and intended nature of the business relationship; and
- Monitoring business relationships, including scrutiny of transactions to ensure that transactions/investments are consistent with the information obtained about the purpose and intended nature of the business relationship.
Compliance with these procedures is checked on a regular basis by the Compliance function and the Internal Audit function as well as by the Bank’s external statutory auditor. The latter is required to report annually to the CSSF on the Bank’s AML/CFT (including KYC) process.
The Bank does not establish a business relationship or carry out any transaction where the identity of the customer, including, where applicable, the beneficial owner, cannot be satisfactorily established and verified and documentary evidence of their identification papers held.
The Bank does not establish any business relationship with shell banks, occasional customers or sanctioned individuals/companies. The Bank does not provide anonymous or numbered accounts and does not allow payable-through accounts.
The customer risk assessment is completed at the onboarding stage of the business relationship as well as during the ongoing due diligence.
The customer risk rating determines the processes and controls, which are proportionate to the level of AML/CFT (including sanctions and tax) risk presented by each business relationship and customer. These are:
- The appropriate level of transaction monitoring as defined in Article 32 of CSSF Regulation 12-02 as amended by CSSF Regulation 20-05;
- The appropriate level and frequency of due diligence updates.
The customer risk assessment is based essentially on four risk factors with underlying criteria:
- The customer risk factor
- The geographical and country risk factor
- The products and services risk factor
- The delivery channels risk factor
The overall customer risk rating takes into account the potential tax risk of the business relationship in accordance with CSSF Circular 17/650 as amended by CSSF Circular 20/744.
Enhanced Due Diligence is automatically performed in the case of:
- High-risk customers;
- Politically Exposed Persons (including individuals or persons related to Politically Exposed Persons);
- Transactions related to high-risk third countries;
- Complex structures presenting a tax risk;
- Any other case where deemed necessary.
Acceptance of New Business relationships
For all new business relationship and new account requests, first line of defence staff have to fill out a detailed questionnaire asking for precise information about prospective and/or existing customers, their type of business, their source of wealth, their source of funds, the type of investments intended and ultimately the operations that will be conducted on the account with the Bank, and the nature and purpose of the account.
Prospective customers’ names as well as existing customers’ names (and related parties) are screened on an ongoing and automated basis via Temenos Financial Crime Mitigation (a dedicated financial crime compliance/AML tool, hereafter “FCM”) against official and internal lists, in order to avoid entering into a business relationship with individuals or institutions that appear on applicable lists of terrorists or terrorist organisations, or against whom sanctions have been imposed by the EU, the United Nations or the United States of America, or with anyone suspected of being or having been involved in criminal activities.
The Bank has implemented procedures for identification and monitoring of Politically Exposed Persons. In the event that the customer is considered as a PEP, an immediate family member or close associate of a PEP or an entity owned or controlled by a PEP, FundBank will use all reasonable efforts to corroborate the source of funds.
Monitoring of transactions
FundBank uses FCM to detect suspicious transactions and to filter incoming and outgoing payments and transactions. The detection of a suspicious transaction triggers an in-depth investigation of the customer by the first line of defence. The assessment is then escalated to, reviewed and challenged by the Compliance function, which also analyses the situation.
Ongoing Sanctions Screening
FundBank filters transfer messages and screens its customer database against official lists provided by Dow Jones and against internal lists.
The Bank pays the utmost attention to respecting all embargoes and restrictive measures (including targeted assets) decided and published by the CSSF, the Financial Intelligence Unit (“FIU”), the Financial Action Task Force (“FATF”), the European Union (“EU”), the United Nations (“UN”) and the Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury.
The Bank performs real-time monitoring of all sender/receiver data of transactions against the national and international sanctions lists mentioned above as well as PEP lists, while the customer database is screened daily.
Cooperation with the Authorities and suspicious transaction report
The Bank’s utmost objective is to prevent, detect and report suspected money laundering or terrorism financing activities to the FIU without delay.
In accordance with applicable laws and regulations, including privacy and data protection laws, our Bank fully cooperates with governmental and law enforcement authorities. We strictly comply with any information request from those authorities, to which customer information and documentation may be made available upon request.
Anti Bribery, Fraud and Corruption
FundBank is committed to applying the highest standards of ethical conduct and integrity in its business activities.
It is the responsibility of all staff, individuals and businesses acting on behalf of FundBank to conduct business honestly and professionally.
The Bank has implemented effective policies and systems to prevent bribery and corruption taking place.
FundBank considers that bribery, fraud and corruption have a detrimental impact on business by undermining good governance and distorting free markets. The Bank does not tolerate any form of bribery by, or of, its staff or any individuals or companies acting on its behalf. All staff are forbidden from giving and/or accepting bribes, as this may constitute a corrupt act.
A breach of the internal policy will be treated as grounds for disciplinary action, and non-compliance is a legal ground for termination of the contract and/or business relationship, aside from legal sanctions.
The staff is encouraged to report any suspicious activity to the Compliance function.
The Whistleblowing Policy aims to advise staff of the protection offered to those who voice concerns in good faith, through anonymous or non-anonymous channels.
Any report made by staff will be subject to investigation by the internally appointed responsible person under strict confidentiality, and the identity of the whistleblower remains protected. Each investigation step needs to be properly documented for a potential trial. In accordance with the applicable Luxembourg law of 16 May 2023, whistleblowers are protected from any form of retaliation.
CyberSecurity
The Bank is committed to instilling a sound information security culture that promotes risk awareness throughout the organisation, and to implementing an internal governance and control framework that ensures effective and prudent management of cybersecurity and IT risks.
A senior officer, the Chief Information Security Officer (CISO), is appointed to oversee the Bank’s cybersecurity and IT risk posture and reports regularly to the Authorised Management and the Board of Directors.
Roles and responsibilities for IT risk and information security at the Bank are structured in line with the Three Lines of Defence (3LoD) model to ensure effective and adequate control mechanisms.
An overarching Information Security Policy outlines the guiding principles and organisational requirements for information security. The Policy is supported by a comprehensive set of underlying information security policies addressing areas such as access control, acceptable use of IT assets, malware defence, asset management, disaster recovery and data backup, change management, data and system security, incident response, logging and monitoring, physical security, network security, risk and vulnerability management, and vendor security management.
IT assets and controls, in particular those supporting critical or important functions, must be subjected to regular testing through vulnerability assessments, penetration tests, security reviews and internal audits to continuously improve the IT and cybersecurity internal control framework.
Finally, all staff must complete regular information security training and awareness sessions (multiple times a year) drawing attention to various cyber threats and risks (e.g. phishing) and how to identify and respond to them.
Staff Awareness
All staff, including the members of the Management Body, must complete the AML/CFT and Sanctions training on a yearly basis in order to ensure that they possess an adequate level of awareness of the risks related to AML/CFT (including Tax and Sanctions), Anti-Bribery and Corruption (including Fraud) as well as Cyber Security, according to their roles and responsibilities.
New staff are required to attend training within 30 days of being hired.
Luxembourg, 08 May 2025
Magalie Bovry
Chief Compliance Officer
Mohammed Saadi
Chief Information Security Officer