General Anti-Money Laundering and Terrorist Financing Policy

1.  Introduction

1.1  Money laundering and terrorist financing are a global phenomenon and a scourge on the development and well-being of society. Rapid advances in financial information, technology and communications allow cash to flow instantly anywhere in the world.

1.2 T. Garanti Bankası A.Ş. ("Garanti BBVA" or the "Bank"), as a part of an international financial group and as the parent company of a financial group ("Garanti BBVA Financial Group" or the "Group"), is fully aware of the key role that financial institutions play in the prevention of this phenomenon. As a part of a global financial group that operates in multiple social environments whose well-being it is committed to, anti-money laundering and counter-terrorist financing ("AML/CTF") is one of the essential pillars of the Bank's corporate culture. Practical statements of the mentioned elements are included in the Financial Group Compliance Program and the Bank Compliance Program and the sub-procedures created in connection with them.

1.3 As a practical response to this commitment, the Group has put in place a management model for the anti-money laundering and counter-terrorist financing risk ("AML/CTF model"). This model, which is already applied within the Group, is aimed at preventing the use of the products and services offered by the Bank for illicit purposes.

1.4 The design, implementation and monitoring of the AML/CTF model fall under the Bank Compliance Department, one of the foundations on which the Group strengthens its institutional commitment to engaging in all its operations and businesses in strict compliance with the legislation in force, in accordance with strict canons of ethical behavior and through proactive risk management.

1.5  This General Anti-Money Laundering and Counter-Terrorist Financing Policy (the "Policy") formalizes the AML/CTF model and establishes a uniform framework for managing this risk in the Group. It has been drafted taking account of applicable regulations and the best practices of the international financial industry in this matter:

  • Law No. 5549 on the Prevention of Laundering Proceeds of Crime
  • Law No. 6415 on the Prevention of Financing of Terrorism
  • Law No. 7262 on the Prevention of Financing the Proliferation of Weapons of Mass Destruction
  • Financial Action Task Force (FATF) Recommendations and standards issued by the Wolfsberg Group on the prevention of money laundering.

2.  Subject matter and scope

2.1 The purpose of this Policy is to establish the common criteria and the framework for action to be followed by the Group to prevent, mitigate and manage the money laundering and terrorist financing risk ("AML/CTF").

2.2 This Policy will apply to Garanti BBVA and companies in which the Group holds a direct or indirect stake of more than 50%, or in which the Group has management control, and which have the status of AML/CTF obliged entity in accordance with any of the following regulations: (i) Directive (EU) 2015/849 of the European Parliament and of the Council of May 20, 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing; (ii) Law 10/2010 of April 28 on the prevention of money laundering and terrorist financing; or (iii) the local AML/CTF regulation that is applicable to each branch or subsidiary. The companies of the Group that meet the above conditions and are obliged to comply with the laws mentioned above will be referred to as "obliged entities".

2.3 As regards the issues it regulates, this Policy will prevail over any other internal regulations, which must be coherent and in accordance with the content of the former.

2.4 In the event that an obliged entity of the Group is not obliged according to the applicable local regulation, but is obliged according to the EU or Spanish regulation, the application of this General Policy shall be carried out proportionally to the AML/CTF risk presented by the obliged entity.

2.5 The scope of the Policy is global and independent of the specific jurisdiction where the local unit is located. However, under no circumstances may its application ensue in any breach of applicable legal provisions. Consequently, where the provisions of this Policy conflict with sectoral or local requirements, the specific sectoral or local legislation applicable to the obliged entities will prevail.

2.6 In any case, changes and adaptations to this Policy are made under the supervision of the policy officer and with sufficient documentation.

3.  General Principles

3.1 The Group operates on the principles of:

  • Integrity
  • Prudent risk management
  • Transparency
  • Achievement of a profitable and sustainable long-term business.
  • Compliance with applicable law at any given time

3.2 In addition, this Policy establishes the following general AML/CTF principles:

  • The Group's pledge to incorporate measures to help stop the products and services it offers its clients from being used for illicit purposes.
  • Promotion of a preventive and risk-based approach to AML/CTF risk management, including the development of the necessary culture within the Group.
  • Inclusion of AML/CTF risk management in the Group’s Risk Appetite Framework, defining for this purpose the necessary indicators.

  • Applying equivalent measures to adequately manage AML/CTF risk to the Group's obliged entities, in particular measures concerning client identification and knowledge and the communication of operations likely to be related to money laundering or terrorist financing.
  • Monitoring financial sanctions programs, which restrict operations with certain countries, entities and individuals.

4.  Policy provisions

The Group will apply an AML/CTF model based on the following elements:

AML/CTF Compliance Officer and AML/CTF Team

4.1 Obliged entities must appoint a person responsible for the function of combating money laundering and financing of terrorism within the organization (“Compliance Officer”) and an assistant (“Assistant Compliance Officer”). In those cases in which the size of the entity justifies it, the Compliance Officer may rely on an AML/CTF Team made up of qualified personnel to carry out its functions.

4.2 The Compliance Officer and the AML/CTF Team will be a function that acts in good faith, in a reasonable and honest manner, with an impartial and independent will while performing its duties and responsibilities, and that acts independently in a way that does not hinder or disrupt its activities. To do so:

  • It will occupy a position in the entity's organizational hierarchy that ensures independent action.
  • It will have sufficient authority and legitimacy to collect the information at any time, or access the records and documentation needed to perform its duties.
  • It will have sufficient and appropriate human and technical resources to facilitate the performance of its duties autonomously and to ensure that risk is effectively managed.
  • It will not be affected by commercial, economic or any other objectives that may violate its independence of judgment to suggest or promote actions aligned with ML risk management.

Risk assessment

4.3 The AML/CTF Model will be based on a prior understanding of the ML risks to which the Group is exposed as a result of its activity, taking into account risk factors including those relating to its customers, countries or geographic areas, products, services, transactions or delivery channels. For this reason, each obliged entity must carry out a risk assessment at least once a year.

4.4 The risk assessment will constitute the necessary basis for identifying areas for improvement in each entity's AML/CTF control framework and establishing, if necessary, additional mitigating measures to strengthen it.

Client identification and knowledge

4.5 Proper client identification and knowledge is one of the processes with the greatest mitigating impact on AML/CTF risk. The business units are responsible for carrying out the process of identification and knowledge of the customers with whom they maintain business relationships in accordance with the provisions of the internal regulation, and for having sufficient technological infrastructure to enable compliance with this obligation, both in cases where the relationship is established in person and through digital channels.

4.6 In general, and depending on the applicable regulations, the obliged entities will implement due diligence measures with respect to their clients:

  • via face-to-face or non-face-to-face means
  • before establishing a new business relationship or before making one-off transactions, taking into account the thresholds and requirements in the legislation.
  • where it is necessary to know and document the source of the money coming into the account and the purpose of the business relationship
  • periodically within the framework of a risk-based approach.

4.7 Obliged entities must retain the documentation or ensure its accessibility when necessary in accordance with the legislation on their anti-money laundering and counter-terrorist financing obligations.

4.8 In certain circumstances, the Group may limit acceptance of certain types of customers who pose a money laundering and terrorist financing risk.

Client segmentation by level of risk

4.9 Obliged entities must define a procedure to segment their clients according to the level of ML risk they present, in a manner consistent with the corporate AML/CTF Model and the specific legislation applicable to them.

4.10  Client risk rating must be kept up-to-date as a result of continuous monitoring of the business relationship. This will determine the type and completeness of the due diligence measures with respect to the client.

Monitoring of operations and reporting of suspicious transactions

4.11  Obliged entities shall refrain from executing any operation where there is a suspicion that it is related to money laundering or terrorist financing; when such abstention is not possible, necessary actions are taken in accordance with the relevant local regulations.

4.12  Obliged entities must have procedures and tools in place for continuous monitoring of their clients' business relationships and one-off transactions within the framework of a risk-based approach, in order to detect possible signs of money laundering or terrorist financing.

4.13 Obliged entities must also establish processes for notifying the local Financial Intelligence Unit (MASAK) of the transactions presenting reasonable signs or suspicion of being related to money laundering or terrorist financing. Such instances will be reported by the means and in accordance with the requirements set forth by the corresponding Financial Intelligence Unit and will be subject to the necessary confidentiality to avoid their disclosure to unauthorized third parties.

4.14  Obliged entities will safeguard the identity of employees who report their suspicions of money laundering or terrorist financing and ensure that these employees are protected from any negative consequences.

Technological infrastructure

4.15  Obliged entities must have the necessary technological infrastructure to adequately address all ML risk management phases.

Training

4.16  Obliged entities will adopt appropriate measures so that their employees receive the necessary training in anti-money laundering and counter-terrorist financing.

4.17  These measures will include the approval of training and communication plans that contain training actions aimed at disseminating the content of the applicable AML/CTF regulation; training in the detection of transactions that may be related to money laundering or terrorist financing; and setting the necessary guidelines on how to proceed in these cases.

International Sanctions

4.18 The Group has pledged to comply with international financial sanctions and countermeasures programs, which aim to combat terrorism and its financing, the proliferation of weapons of mass destruction and their financing, drug trafficking, and violations of human rights and civil liberties, among other situations.

4.19 These sanctions or restrictive measures may be directed against certain jurisdictions, legal entities and individuals and do not have the same scope in all cases. On some occasions, they may include arms embargoes and other general (totally restricting business relations with the country or jurisdiction) or specific (import and export prohibitions) trade restrictions, as well as financial restrictions, entrance restrictions (visa refusal or travel ban) and other measures.

Independent reviews

4.20 In order to verify compliance with anti-money laundering and counter-terrorist financing obligations and to assess the effectiveness of the internal control measures implemented to mitigate this risk, the AML/CTF programs of obliged entities will be subject to independent reviews by the Internal Audit area or external auditors periodically and, in any case, when established by the applicable regulations.

4.21 Similarly, the mitigation and control environments for AML/CTF risk will be subject to verification by the Compliance Assurance function in the Bank and in any activity or process linked to this risk, even when they are outsourced.

Oversight and monitoring of subsidiaries and branches

4.22  The parent company within the Financial Group will continuously monitor the liable parties to verify the effective implementation of the group's internal regulations on combating money laundering and terrorist financing.

4.23   In this respect, obliged institutions report to the parent institution all operational and management information required to adequately monitor the AML/CTF risks they are exposed to in accordance with the legislation.

4.24  As a general rule, the AML/CTF program of the obliged parties within the group and the necessary information of the relevant institution will be monitored by the Compliance Department of the parent financial institution.

5.  AML/CTF Governance Model

5.1 Obliged entities must have an adequate governance model in place for the prevention of money laundering and terrorist financing. This model must clearly assign roles and responsibilities throughout the entity, structured around three lines of defense, in accordance with the Group's Internal Control Model described in the Bank's General Policy on Non-Financial Risk Management. The AML/CTF function is therefore not the exclusive task of the specialist technical units. Instead, the first line of defense is the first control point within the obliged entity and must hold a key role in managing this type of risk.

5.2 The role played in AML/CTF risk management by the Bank's corporate bodies, as well as by the main stakeholders at the executive level, is described below.

Corporate bodies

5.3 The Board of Directors. In accordance with the provisions of the Board of Directors Regulations, its duties include the determination and approval of this policy, including the oversight of its implementation, either directly or through its committees.

5.4 The Audit Committee proposes the risk control and management policies for the Group's risks. The Committee also monitors the trends in the Group's risks and their alignment with the Group's strategies and policies and Risk Appetite Framework. It assists the Board of Directors in overseeing the Compliance function and implementing the culture of risks and compliance within the Group; and ensures compliance with the applicable national or international anti-money laundering and counter-terrorist financing regulations.

Executive level

5.5 Corporate Assurance is one of the components of the Group's internal control model. It seeks to identify and prioritize relevant situations to control and manage non-financial risks. Its aim is to provide senior management with a comprehensive and homogeneous view of the status of the main non-financial risks and relevant situations in the Group's control environment. It strives to support rapid forward-looking decision-making, for the mitigation or assumption of the main risks within the Group's risk appetite thresholds. This structure allows the second line of defense to raise matters that it considers appropriate to ensure a proper control environment for the businesses.

5.6 The relevant Member of the Board of the main financial institution responsible for the Compliance function within the Group should be aware of the money laundering and terrorist financing risks to which the Group is exposed, and should propose and implement policies to appropriately manage these risks.

5.7 The Financial Group Compliance Officer, within the scope of his responsibilities, is responsible for the following regarding ML risk at Group level:

  • Identify the risks of operations and the external regulations with global impact on the Group
  • Draft the AML/CTF regulatory framework at Group level and propose its approval at the appropriate corporate level
  • Ensure that the obliged entities have a regulatory body aligned with the Group's regulatory framework and evaluate, where appropriate, the various local adaptations of this framework.
  • Design the monitoring methodology and metrics to be reported by the obliged entities
  • Carry out continuous monitoring and oversight of obliged entities
  • Work under the relevant senior manager of the Group within the scope of its functions.

5.8 The Compliance Officers of obliged entities, within the scope of their responsibilities, are responsible for the following regarding AML/CTF risk at local level:

  • Adapt the global AML/CTF regulatory framework locally and propose its approval at the appropriate local level
  • Manage the ML risk of the obliged entity and lead the continuous improvement of key AML/CTF processes
  • Prepare regulatory reporting required locally and reporting to Board of Directors
  • Prepare the parts of the report on the Financial Group function at the local level of the relevant obliged institution.

5.9 The First line of defense. Composed of the Business and Support Areas, it is responsible for the day-to-day management of risk in their products, activities, processes and systems. Preventing ML risk is not the sole responsibility of AML Compliance units. Instead, it is a duty inherent to commercial units, business networks and different lines of activity, because it is the business areas that define the products and distribution channels, interact with clients and apply due diligence measures to them, so they must be very actively involved in prevention efforts. The first level of control in the prevention system of obliged entities is found in establishing a relationship with clients. This relationship is the responsibility of the business units that act as the primary line of defense within the scope of AML/CTF risk management.

5.10 The Third line of defense. It is carried out by the Internal Audit Department, which evaluates the activity performed by the first and second lines of defense. The Internal Audit Department conducts the necessary examination in this regard within the framework of the Internal Control Model and provides information independently.

6.  Policy governance and oversight model

6.1 This Policy was approved by the Bank's Board of Directors on June 16, 2022, and will take effect the day following its approval and will be applicable until the Board of Directors resolves to modify it or approve a new one to replace it.

6.2 The Policy has been prepared and coordinated by the Compliance Department, in collaboration and cooperation with the Legal Services, the General and other relevant units and business lines.

6.3 The Financial Group Compliance Officer will be responsible for this Policy at the executive level. As such, they will be charged with submitting the Policy for approval, publishing it and promoting awareness of it on the part of persons subject to it, and, where appropriate, extending it to the applicable subsidiaries within the Group.

6.4 The person responsible for the Policy will identify its degree of application, based on the information provided by those responsible for the areas to which it applies, and will adopt any necessary measures in the event it is not being applied properly, reporting this accordingly.

6.5 For their part, those responsible for the areas affected by the Policy will provide, in their respective areas of responsibility and where appropriate, sufficient means, systems and organisation to facilitate compliance with the same.

6.6 The degree of compliance with this Policy and the development thereof will be monitored in accordance with the Internal Control Model. The various control functions of the Group will cooperate actively and regularly in monitoring the application of this Policy, in accordance with the powers vested in them.

6.7 The Board of Directors will, directly or through the Audit Committee, monitor the implementation of the Policy on the basis of periodic or subject-based reports from the responsible parties in the Compliance unit, the Internal Audit Department and, where applicable, the respective control functions existing within the Bank.

6.8 At least once a year, or in response to any events requiring changes to this Policy, the global Compliance unit will proceed to review the Policy and submit any updates or amendments deemed necessary or desirable at any given time to the Corporate Bodies of the Bank.

6.9 Any failure to comply with the provisions of this Policy or other Internal Regulations implementing the same may result in disciplinary penalties. In any case, failure to comply with the provisions of this Policy will be subject to the applicable regulatory provisions at all times.

6.10 Any persons who have knowledge, findings or suspicions about an action or situation that may be contrary to this Policy, the sub-regulations regarding the implementation of this Policy or the determined values and guidelines regarding the organization, even if it is not within the scope of their responsibility, should raise their concerns and take the steps specified in the Code of Ethics and Integrity, and must report the matter through the Ethics Notification Line.

Glossary

Garanti BBVA Financial Group (Financial Group): Turkey Garanti Bank A.Ş. (Garanti BBVA) and financial institutions that are subsidiaries or affiliates or operating within the borders of the Republic of Turkey under its control and that fall within the scope of liability under the Regulation on the Program of Compliance with the Obligations Regarding the Prevention of Laundering of Proceeds of Crime and the Financing of Terrorism. Garanti BBVA is the main financial institution within the said Financial Group.

Financial Group Compliance Officer: The Financial Group Compliance Officer is determined to be the Compliance Officer of the parent financial institution at the same time, in order to carry out the policy at the group level. If the Compliance Officer Assistant(s) of the parent financial institution is(are) designated as Financial Group Compliance Officer Assistant(s). The Financial Group Compliance Officer and Assistant(s) are appointed to report to the Board of Directors of the main financial institution or to one or more members to whom the Board of Directors has delegated its authority.

Money laundering: Money laundering means:

a)  the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person's action;

b)  the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity;

c)  the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;

d)   participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points (a), (b) and (c).

There will be money laundering even if the behaviors described above are carried out by way of recklessness.

Additionally, money laundering will be considered to take place even when the conduct described in the above paragraphs is carried out by a person or persons that committed the criminal action which generated the assets.

Assets arising from criminal activity are considered to be any kinds of assets whose acquisition or possession originates from a crime, such assets being material or immaterial, movable or fixed, tangible or intangible; as well as the judicial documents or instruments regardless of their form, including electronic or digital, which accredit the ownership of the assets or a right to them, including the amount defrauded in the case of tax crimes.

Actions will be considered money laundering even when activities that have generated the assets took place in another jurisdiction.

Terrorist financing: the provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences defined in the legislation in force. Terrorist financing will be considered to exist even when the supply or collection of funds or assets has taken place in another jurisdiction.

Client: A natural person or legal entity that subscribes to a product or service with the Bank, or which is party to a one-off operation or transaction. For the purposes of applying this Policy and Compliance Program regulations, all those involved in the operation or transaction must be considered clients.

Corporate Bodies: For purposes of this Policy, the Bank's Board of Directors and its Committees.

International financial sanctions and countermeasures programs: These are coercive measures that seek, without using armed force, to put pressure on governments, entities and individuals to achieve objectives such as safeguarding certain values such as freedom and security, suppressing terrorism and its financing, consolidating respect for human rights, etc.

MASAK: National central agency responsible for receiving, analyzing and transmitting information on suspicious money laundering transactions to the corresponding authorities.

Internal Regulation: In accordance with the terms of the Internal Regulation Framework, Internal Regulation is understood to mean all mandatory, non-temporary provisions that establish a framework for action applicable to the people, areas and businesses that make up the Group and that are approved internally, whether for purposes of implementing the General Management and Control Framework, meeting regulatory or supervisory requirements or regulating the organization and operation of a particular area of activity.

Change Log

Date        Description of Change   Change Made By
16.06.2022  Initial version         Selçuk Tok
09.03.2023  Review                  Aynur Uslusoy - Şener Buğa
20.03.2024  Review                  Yunus Gülen
20.03.2025  Review                  AML Stratejileri ve Uygulamaları