FacilitaPay's policy aims to support its strategies to ensure consistent delivery of its products and services. Implementing an effective business continuity strategy is essential to ensure that FacilitaPay's customers are not affected by service interruptions resulting from unexpected events. It also aims to ensure the well-being of employees in any adverse conditions, whether operational or regulatory.

Business Continuity Management (BCM) has as its main objective to strategically identify the company's critical processes. The development of a recovery strategy and action plans is fundamental to ensure that all essential services continue to operate properly even in unforeseen situations. Thus, this policy defines procedures to ensure that FacilitaPay:
• Complies with the provisions of art. 17, item II, and art. 15, item I, of BCB Resolution No. 198/22, as transcribed above;
• Is aligned with the institution's business plan, according to Annex II, art. 1, §2, item XI of BCB IN No. 103/21;
• Is in accordance with the organization's objectives and business strategy;
• Ensures that all FacilitaPay employees and any other parties acting on behalf of FacilitaPay are aware of their responsibilities regarding business recovery and continuity strategies;

• Establishes adequate procedures for business continuity, in order to mitigate risks associated with unplanned service interruptions;

• Has agility in assessing and preventing economic and regulatory impacts on its products and services, in the various countries in which it operates;

• Avoids/reduces damages caused by unexpected events that may cause interruptions in the provision of our services to our customers;

• Protects FacilitaPay's operations against breaches of confidentiality, integrity and availability;

• Defines, establishes and maintains effective, sustainable and measurable business continuity controls.

For this, it is essential that we maintain processes compatible with applicable regulations and well-recommended market practices.

Each business area must develop a Business Continuity Plan considering risks to business requirements, impact analysis and resources, resulting in the definition of a Business Continuity strategy. This policy is applicable to all companies in the FacilitaPay economic group and considers the definition of Risk Appetite from FacilitaPay's Compliance Policy, that is, focusing on processes or areas with low, medium or high RBA impact.

Business Continuity should be managed by each area, as they are the ones who best know their priorities and levels of internal and external involvement. Senior management and all leadership levels need to be engaged with Business Continuity Management, understanding the relevant issues for their respective structures. In addition to existing operations and processes, Business Continuity should include a realistic and reliable business impact analysis, considering relevant systems and information.

This information will guide the Information Technology & Cyber Security team in the development of the IT Disaster Recovery Plan (DRP), aligning critical processes with systems, ensuring that all essential systems are covered by the DRP. In case of a crisis threat, the Risk area must be notified to assess the potential impact on FacilitaPay. All relevant information will be forwarded to senior management members for possible activation of the Crisis Committee, if strategic decisions are necessary. Meetings can take place in person at any FacilitaPay unit or remotely through available tools.

In order to control and mitigate liquidity risk, processes have been defined and developed to monitor activities, addressing occurrences mitigating liquidity risk and suggesting improvements.

To identify these risks, information on the daily movement of applications and control is evaluated through signaling of changes that may indicate insufficient financial resources to honor obligations, such as identification of all cash inflows and outflows, categorized by term, evaluation of different stress scenarios, including market crises, loss of major customers and operational failures, and continuous monitoring of key indicators, such as immediate liquidity ratio, liquidity coverage and liquidity gap. Active integration between Information Security and Risk teams is essential, enabling employees and leaders to prevent risks in their areas.

Leaders should be proactive, monitoring the activation of exercises and reporting all risk-related incidents to the Risk area. The BCM lifecycle includes the annual review of the Business Impact Analysis (BIA) based on the results of the Risk and Control Assessment (RCA), the Business Continuity Plan (BCP), and the BCM Training and Exercises conducted for all FacilitaPay areas. To assess compliance with this policy, FacilitaPay will annually verify if all areas are in compliance with the established Business Continuity Plan.

In the Information Security area, the Security and Continuity Governance pillar will define the method for measuring policy compliance, carried out at least once a year. The Governance team should report the results of the BCM lifecycle to leadership, including necessary action plans for improvements in contingency strategies. The results of all tests to ensure compliance with the BCM strategy will be formalized in an Annual Compliance Certificate, with the approval of senior management and the Technology Board. This certificate will confirm that major incident and business recovery plans have been updated and tested for each area.
Para a identificação destes riscos são avaliadas informações sobre a movimentaçãodiária de aplicações e controle mediante sinalização de alterações que possam conotar ainsuficiência de recursos financeiros para honrar com as obrigações, como identificação de todas as entradas e saídas de caixa, categorizadas por prazo, avaliação de diferentes cenários de estresse, incluindo crises de mercado, perda de grandes clientes e falhas operacionais e monitoramento contínuo de indicadores chave, como índice de liquidez imediata, cobertura de liquidez e gap de liquidez.

É essencial a integração ativa entre as equipes de Segurança da Informação e Riscos, capacitando colaboradores e líderes para a prevenção de riscos em suas áreas. Os líderes devem ser proativos, acompanhando a ativação de exercícios e reportando à área de Riscos todos os incidentes relacionados a riscos.O ciclo de vida do BCM inclui a revisão anual da Análise de Impacto ao Negócio (BIA) com base nos resultados do Risk and Control Assessment (RCA), o Plano de Continuidade de Negócios (BCP), e os Treinamentos e Exercícios de BCM realizados para todas as áreas da FacilitaPay.Para avaliar o cumprimento desta política, a FacilitaPay verificará anualmente se todas as áreas estão em conformidade com o Plano de Continuidade de Negócios estabelecido. Na área de Segurança da Informação, o pilar de Governança de Segurança e Continuidade definirá o método de medição da observância da política, realizado ao menos uma vez por ano.A equipe de Governança deve reportar os resultados do ciclo de vida do BCM para a liderança, incluindo planos de ação necessários para melhorias nas estratégias de contingência.Os resultados de todos os testes para assegurar o cumprimento da estratégia de BCM serão formalizados em um Certificado Anual de Compliance, com a anuência da alta administração e da Diretoria de Tecnologia. Este certificado confirmará que os planos de recuperação de grandes incidentes e negócios foram atualizados e testados para cada área.

As part of BCM, it is essential that FacilitaPay establishes a robust business continuity governance structure to address current and emerging risks. This structure should be able to respond to various types of unexpected events. The Crisis Committee, which operates at FacilitaPay's headquarters under the responsibility of GR&C, is an interdisciplinary committee composed of leaders from various areas. Other specialists may be invited to participate as needed for each specific situation. The main objective of this committee is to address broader strategic implications, including concentration risk issues. In crisis situations, this group is responsible for making decisions about prioritization, resource allocation, delivery and implementation of FacilitaPay's critical processes.

Know Your Employee, Partner and Outsourced Service Providers Manual ("KYE, KYP and KYS Manual")
Compliance Policy
Internal Controls Policy
Risk Management Policy
BACEN Resolution 4557; BCB Resolution No. 198/22; BCB IN No. 103/21.

Any new policy or modification of an existing document must be made available to all interested parties. Policies are available for consultation by employees on FacilitaPay's website. Public documents can be found on FacilitaPay's websites.
Documentos públicos podem ser encontrados nos websites da FacilitaPay.