Policy
Document approved by
 | Revised | Approved |
Title | Senior Counsel | Legal Manager & Deputy Secretary General |
Date | 23/06/2022 | 23/06/2022 |
1. Index
2. History of versions
Date | Version | Author | Description |
18/03/2019 | 02 | Luz Silva | Modification of company name to Sophos Solutions |
19/03/2020 | 03 | Juan Álvarez | Corporate logo update |
04/08/2022 | 04 | Victor Riaño | The manual is updated in a general manner in agreement with the Superintendencia de Sociedades and adding all the considerations for “FPADM” |
3. LA/FT/FPADM of Sophos Solutions S.A.S (hereinafter Sophos or "the company")
We are a Colombian multinational company created in 2007 by investors and visionaries from India. Sophos Solutions is a simplified stock company (S.A.S by its acronym in Spanish), offering Consulting, Core Banking Implementation, Testing Factory and Software Factory services primarily for financial and stock market companies. We are currently a company of Advent International.
At SOPHOS, we specialize in IT products and services for the financial sector, offering solutions for Banking Core, Digital Channels, Capital Markets, Risk, Comprehensive Information Management and Data Analysis.
Sophos has a presence in more than 12 countries across the Americas, covering North America, Central America, and South America. Currently, we have offices in Colombia, Mexico, Panama, United States and Chile. We have more than 14 years of experience in IT solutions, always with partners specialized in different services and technologies. In order to gain greater access to national and international markets, the company establishes working relationships with specialized collaborators from all over the world, working remotely and under other modes of operation such as NearShore (Latam remote work), OffShore (remote work in other continents), and Inside (customer work).
Considering the company’s growth, the Colombian parent company exercises direct control over each of its subsidiaries (Panama, Mexico, and Chile) and indirect control over its subsidiary (United States); the administrative structure is centralized. However, for the proper and timely development of functions, powers are granted to natural or legal persons according to their needs.
SOPHOS SOLUTIONS S.A.S implements the Comprehensive Self-Control and Risk Management System of LA/FT/FPADM (hereinafter SAGRILAFT by its acronym in Spanish), with the aim of having policies, procedures, controls and all kinds of mechanisms aimed at protecting the company from being used by any means for money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction, considering that these actions represent a risk to the stability and integrity of the company.
The LA/FT/FPADM Comprehensive Risk Management and Self-Control System applies to all Sophos Solutions collaborators, including the parent, subsidiaries and all related parties, interest groups, partners and business partners, understood as customers, strategic allies, business allies, contractors, consultants, subcontractors, domestic and international suppliers, advisors, representatives, intermediaries, investors, licensors, lessors and their equivalents in the countries where the subsidiaries operate, and in general to all those with whom any business or contractual relationship is established directly or indirectly.
It is applicable to all internal processes that demonstrate risk factors surrounding the applicability and regulation of money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction (LA/FT/FPADM by its acronym in Spanish).
The objective of this system is to prevent, detect and mitigate in a timely manner operations that may be used for money laundering, terrorist financing or the proliferation of weapons of mass destruction against Sophos Solutions and its subsidiaries.
3.4.1 Specific objectives
- Apply procedures to inform current and potential counterparties.
- Create reporting and inquiry channels that are available to collaborators.
- Develop training to publicize the SAGRILAFT/FPADM Policy, as well as the role of each collaborator in preventing LAFT crimes in the organization.
- Build a sanction regime for when the policy or procedures of this manual are not complied with.
- Describe the policies, procedures, documents, and other tools that the company will use for the comprehensive risk management of LA/FT/FPADM.
For the purposes of this manual, all definitions are understood according to those established in Circular 100-000016 of December 24, 2020 of the Superintendencia de Sociedades of Colombia. In addition, the following definitions apply:
Unlawful activities: Conduct or activities that under an existing rule are unlawful, that is, against the law.
Close Associate: These are legal persons who have as administrators, shareholders, controllers, or managers Politically Exposed Persons, or who have constituted autonomous or fiduciary assets for the benefit of these, or with whom business relations are maintained.
Operation attempted or rejected: This occurs when the intention of a natural or legal person to carry out a suspicious operation is known, but the operation is not completed, either because the person desists when attempting it or because the established or defined controls do not allow it to be carried out. Only attempted or rejected operations that have the characteristics of a suspicious operation should be reported.
Non-Cooperating Countries and High-Risk Jurisdictions: This refers to the list of jurisdictions that do not meet international standards for combating money laundering and terrorist financing, and the degree of political commitment of their authorities to address the identified deficiencies, as defined by the Financial Action Task Force (FATF).
PEP (Politically Exposed Persons): They may be public servants of any system of nomenclature and classification of jobs of the national and territorial public administration when, in the positions they occupy, they have among the functions of the area to which they belong or of the job description they hold, under their direct responsibility or by delegation, the general direction, the formulation of institutional policies and the adoption of plans, programs and projects, or the direct management of assets, money or values of the State. This may be through spending management, public procurement, management of investment projects, payments, settlements, or administration of movable and immovable property. It also includes foreign PEPs and PEPs from international organizations.
PEP (People exposed publicly): They are those who, because of their activities, have national and/or international recognition. For example, prominent lawyers, senior executives, architects, athletes, celebrities, military and police forces, civil servants, judges, politicians, registrars and prominent religious figures.
Warning Signs: These are all the particular facts and circumstances surrounding the transactions of each third party with which the Company relates, from which it can be identified, in a preventive manner, whether they should be subject to careful and detailed study. Operations can be classified as unusual or suspicious.
4. Overview SAGRILAFT/FPADM
SAGRILAFT is divided into two phases:
1. In the prevention phase, Sophos Solutions will take the measures at its disposal to prevent being used in carrying out activities that go against its principles and SAGRILAFT/FPADM. These measures include:
   - Counterparty risk analysis processes
   - Identification and reporting of warning signs
   - Identification of risks
2. In the control phase, Sophos Solutions will implement the tools at its disposal to identify all operations that have been carried out or are intended to be carried out that are against the law and are associated with LA/FT/FPADM activities.
These are systematic, interrelated steps that manage the risk of LA/FT/FPADM.
4.2.1 Identification of LA/FT/FPADM risk
For the identification of the Inherent Risk, Sophos will consider any Risk Factor, internal or external, associated with the activity or incursion into new markets. The Company has and will consider the context of its business, the jurisdictions and regions in which it operates, and the counterparties with which it interacts.
This is done according to the Risk Assessment Guide, item 5.1 Risk identification. The due diligence process can also identify risks.
The risk identification process is led by the risk department of the company, with the participation of the compliance officer and the members of the evaluated processes.
4.2.2 LA/FT/FPADM risk measurement
At this stage, the probability of occurrence of the LA/FT/FPADM risk and the impact that its materialization would have are assessed.
This shall be done in accordance with the Risk Assessment Guide, item 5.2.1 Determination of inherent risk, sections a) probability and b) impact.
The risk measurement process is led by the risk department of the company, with the participation of the compliance officer and members of the processes evaluated.
4.2.3 LA/FT/FPADM risk control
The LA/FT/FPADM Risk controls will be applied according to the results of the previous stages, with the purpose of establishing its Residual Risk profile. The objective is to mitigate the risk by taking the necessary measures to decrease the probability of occurrence and/or impact to which Sophos is exposed. The Company plans the assessment and types of controls listed in the Risk Assessment Guide in item 3.2.2.
The control design process is led by the risk department of the company, with the participation of the compliance officer and the members of the evaluated processes. Controls are executed by each of the processes where risks are identified and specified in the risk matrix.
4.2.4 Monitoring the LA/FT/FPADM risk management system
- The Compliance Officer will continuously monitor the System to assess the timeliness, effectiveness, and efficiency of controls, ensuring that they are comprehensive and address all LA/FT/FPADM Risk Events identified. This monitoring should be carried out annually. The Company’s employees must constantly monitor their activities to show that there are no LA/FT/FPADM risk situations and that the controls applied operate in a timely, effective, and efficient manner. Any deviation shall be reported to the Compliance Officer.
- The monitoring should be carried out by the Compliance Officer with the respective collaboration of the process leaders, and its purpose is to apply and suggest the necessary corrective measures and adjustments to ensure effective management of the LA/FT/FPADM Risk.
- The Compliance Officer will then evaluate the monitoring, its results and, in conjunction with the leaders of the processes, make proposals for improvement and treatment of the detected situations to the Legal Representative and the Board of Directors.
- The statutory auditor also makes periodic reviews to facilitate the detection and correction of SAGRILAFT/FPADM deficiencies, the results of which are communicated to the Board of Directors, the Legal Representative and the Compliance Officer. On these, the Compliance Officer will conduct an assessment and take appropriate action on reported deficiencies.
- The Risk team holds monthly follow-up meetings with the different areas, focusing on the due diligence carried out by the areas where LA/FT/FPADM and bribery and corruption risks are identified.
- The LA/FT/FPADM risk profile should be presented on a quarterly basis to the legal representative and biannually to the board of directors for monitoring.