FULL COMPLIANCE
(GRI 2-23-a)
For EBANX, compliance is not just a regulatory requirement, but a strategic pillar and a commitment that defines its identity and reinforces its leading position in the global payments market.
Operating in 29 countries, each with its own set of regulations, requires more than simple adherence: it requires maturity, accountability, and strict risk management standards that exceed even the high expectations set by regulators and partners.
To stay ahead of regulatory changes, EBANX has built a robust and innovative compliance infrastructure. This ensures transaction integrity, effective approvals, and reliable anti-fraud systems, thereby reinforcing confidence in its payment solution.
The maturity of EBANX’s operations is reflected in an approach that prioritizes transparency and performance, meeting the needs of companies seeking efficiency in international transactions. The security of the solutions EBANX offers is non-negotiable, and the company collaborates only with partners that share the same commitment to compliance and responsibility.
Global Compliance Program
(GRI 2-24)
To grow sustainably, EBANX employs an integrated approach to managing legal aspects, risks, and compliance, ensuring that all operations adhere to applicable rules and regulations. The Global Compliance Program acts as an umbrella for the business’s strategic policies and programs. They are:
Anti-Money Laundering and Counter Financing of Terrorism Program (AML/CFT)
Risk Management Program
Internal Controls Program
Ethics and Integrity Program
Training and Awareness Program
Sustainability Program
A key component of the Global Compliance Program, the Sustainability Program reflects the company's commitment to the issue by structuring processes to formalize, document, measure, and report environmental, social, and governance initiatives and their impacts on the business.
3.1 Anti-Money Laundering and Counter Financing of Terrorism Program (AML/CFT)
Electronic money and digital payment mechanisms have radically transformed the management of financial transactions, affecting both consumers and regulators around the world. While payment innovation opens new frontiers, it also increases exposure to risks such as money laundering.
EBANX maintains a firm commitment to ethics and compliance, aligning its operations with the highest standards of financial integrity. EBANX's Anti-Money Laundering and Counter Financing of Terrorism Program was developed to detect and prevent illegal activities, ensuring adherence to global best practices and the regulatory requirements of each jurisdiction in which it operates.
Year after year, EBANX invests in innovations and advanced technologies to more efficiently detect suspicious activities, thereby reinforcing the security and integrity of its operations.
EBANX remains firmly committed to preventing money laundering and protecting vulnerable populations, upholding the integrity of its operations. The company is dedicated to implementing robust compliance practices that uphold transparency and integrity across all areas of its business.
AML/CFT Pillars
People
Every EBANX employee is responsible for preventing money laundering. The Risk & Compliance team spearheads initiatives on this topic, providing ongoing, specific tools, processes, and training to ensure that professionals are familiar with the policies and prepared to identify and mitigate risks.
Processes
The company enforces strict procedures to identify and verify suspicious behavior, in addition to monitoring and validating sanctions, across all interactions with key stakeholders. This process includes due diligence steps, such as analyzing and validating documents and information to ensure the accuracy of the data provided.
Due diligence processes:
Know Your Merchant (KYM): involves verifying information about merchants using EBANX services. This includes verifying the partner’s proof of identity, addresses, and documents, through globally recognized practices, such as checking sanctions lists and assessing political exposure, all without the need for physical visits.
Know Your Customer (KYC): focused on identifying and verifying customers, KYC collects documents to prove identity, address, and financial information, and performs checks on restrictive lists. This process helps prevent the misuse of information and avoids unauthorized transactions.
Know Your Partner (KYP): applied to business partners, KYP ensures that all companies associated with EBANX meet compliance requirements. This includes verifying corporate documents, identifying partners and shareholders, and analyzing potential conflicts of interest to ensure alignment with regulatory practices. It also involves evaluating partners' environmental and social practices, promoting transparency, and encouraging more responsible business practices.
Know Your Employee (KYE): focused on employees, KYE involves analyzing possible conflicts of interest and checking sanctions lists and political exposure to ensure that all team members comply with internal and regulatory policies.
Sanctions checks in the KYM, KYP, KYC and KYE procedures are ongoing, extending beyond the initial onboarding process. This involves continuous monitoring of restrictive lists, such as PEP (Politically Exposed Persons), using reputable systems and providers to ensure compliance.
Systems
All EBANX transactions are continuously recorded and monitored by systems equipped with automation features that issue personalized alerts and apply specific filters, enhancing the effectiveness and efficiency of the analyses.
In 2023, EBANX significantly optimized its onboarding process, making it faster and more scalable. This evolution was possible thanks to process automation, the review and simplification of forms, and systems adaptations, which strengthened the company's ability to prevent money laundering and terrorist financing.
Throughout the client lifecycle, financial transactions are monitored for potential money laundering risks, with the option to request additional justification related to risk management. The AML team reviews atypical transactions and, if necessary, reports them to the competent bodies.
In accordance with the Anti-Money Laundering and Counter Financing of Terrorism Policy, EBANX does not conduct business with individuals or companies suspected of these practices, those for whom the necessary due diligence has not been carried out, or users deemed unacceptable by EBANX policies.
All restrictions are publicly visible on the list of restricted and prohibited products and services, available on the company's website.
3.2 Risk Management
(GRI 3-3: Risk Management)
For EBANX, risk management is a strategic priority that underpins the integrity and longevity of its operations. The Risk Management Program has been comprehensively developed to identify, assess, and manage risks effectively. It ensures that the company operates in a safe, transparent and sustainable business environment, strengthens internal processes, improves operational efficiency, and promotes stakeholder trust.
EBANX's commitment to excellence in risk management reflects its dedication to offering innovative and reliable payment solutions, thereby contributing to global economic development.
Approach
The Risk Management team, in alignment with EBANX's Senior Management, defines the company's “risk appetite” by setting clear limits on the risks the company is willing to accept. These parameters guide risk management decisions and help prioritize actions. The Risk Committee oversees the implementation of the program and ensures that it aligns with the company's overall strategy.
Lines of defense
In line with best market practices and international standards, EBANX’s risk management model is based on three lines of defense. This model engages all levels and areas of business, with clearly defined roles and responsibilities.
Collaborators are engaged in risk management practices through communications and training on the Global Risk Management Policy, working together to identify and mitigate potential threats.
1st line of defense
Business and support areas constitute the first line of defense. They are responsible for identifying and managing risks directly related to daily operations. This line includes the areas that report to senior management, ensuring that risks are managed at the point of origin.
2nd line of defense
Consists of specialized functions, including internal controls, risk management, compliance, and information security. It is responsible for developing policies, procedures, and controls to mitigate risks, as well as monitoring their effectiveness. Experts provide support and guidance to business areas, helping to identify and assess risks on an ongoing basis. Integrating these functions is essential to ensure that all areas of the company are aligned with the best risk management practices.
3rd line of defense
Represented by internal auditing, it acts independently to evaluate the program’s effectiveness. It conducts periodic evaluations and provides recommendations for improvements, ensuring that EBANX maintains high governance and compliance standards. This critical function ensures an unbiased and objective view of risk management practices.
At EBANX, the division between the lines is showcased in the following image:
3.3 Risk and control mapping
(GRI 2-16-b)
EBANX adopts international standards to ensure a robust and efficient risk management framework. Since 2021, the company has been mapping risks and controls using methodologies derived from the Sarbanes-Oxley Act (SOX)¹ and other global reference standards. This approach aims to identify and mitigate operational risks that could jeopardize its goals, such as internal fraud, information manipulation, operational failures, systemic issues, and interruptions in business continuity.
EBANX adopts a rigorous and proactive approach, distinguished by its ability to anticipate and mitigate threats, thereby ensuring the resilience and continuity of its operations. The process involves integrated collaboration between the second line of defense and various areas of the company, with continuous communication to ensure effective alignment in risk management and controls.
Through the Risk and Control Assessment (RCA), the company defines controls, action plans, risk acceptance, and other essential information to maintain risk management within the appetite established by senior management.
¹ Note: Enacted in 2002 in response to major corporate financial scandals, SOX seeks to protect investors by improving the accuracy and reliability of corporate disclosures. SOX compliance is critical for publicly traded companies in the United States, as it helps mitigate financial and operational risks and protect investors.
New risk structure
Since 2022, risk and control mapping has been enhanced to ensure compliance with laws and regulations, while also improving the reliability of financial information and operational efficiency. This process establishes standards that exceed regulatory requirements. EBANX addresses both financial and non-financial risks, such as:
To achieve these objectives, the company evaluates operational and administrative value flows, categorized into six financial cycles: revenues, expenses, treasury, payroll, fixed assets, and accounting. This holistic approach enables a deeper understanding of, and more effective mitigation and prevention of, risks that could impact financial statements.
In addition, the team performs rigorous control tests on critical processes and risks, providing compliance certificates through reports such as SOC 1 SSAE 18, which demonstrate its internal control systems and ability to comply with and exceed regulatory expectations.
The risk mapping cycle that began in 2023 is ongoing and focuses on enhancing the existing risk framework. This reflects a commitment to continuously evolving risk management in response to the increasing complexity of the business environment. Upon completion of the current cycle, a new cycle of reviews will begin, focusing on updates to processes and controls.
SOC 1 TYPE II Certification
In 2023, EBANX renewed its Service Organization Control (SOC) 1 Type II certification, demonstrating its excellence in internal controls. The annual recertification audit is always carried out by one of the Big Four--the largest and most prestigious auditing firms in the world--underscoring the strength of the company's operating practices and its consistent performance over time.
Independent auditing validates the effectiveness of EBANX’s controls on its clients' financial statements, reinforcing trust in the service provided.
3.4 Ethics and Integrity Program
(GRI 3-3: Ethics and integrity; 2-12-b; 2-15; 2-23)
EBANX’s robust Ethics and Integrity Program features clear policies and an internal regulatory framework that guides everyone who interacts with the company.
Approved by the Senior Management, the Code of Conduct is EBANX's fundamental regulatory document and serves as the basis for corporate regulations and policies, which are also approved by the C-level.
The Code of Conduct applies to all ebankers, including partners, shareholders, directors, members of the Board of Directors, temporary employees, interns and apprentices, and to business partners as well. It serves as a central reference for the company's ethical standards, outlining expected behaviors in various relationships and detailing potential violations that could lead to financial, reputational or business losses.
In 2024, a new version of the code was released, consolidating the principles and values that define EBANX’s culture. View the full document here.
All EBANX regulatory documents, such as policies and regulations, are reviewed annually, or whenever necessary, and can be accessed on the Compliance & Corporate Governance page of EBANX’s website.
EBANX Helpline
(GRI 2-25; 2-26)
The EBANX Helpline whistleblowing channel is a vital component of the Ethics and Integrity Program. Created in 2019, it is operated by an independent external provider, ensuring impartiality and confidentiality.
Available 24/7 and offering support in Portuguese, English and Spanish, the channel ensures total confidentiality and allows for anonymous reporting in a secure environment. It enables employees and third parties to report illegal or irregular practices, as well as violations of the Code of Conduct, internal policies, and other issues that may harm the company. It serves as a comprehensive communication mechanism and is used not only for complaints, but also for suggestions and questions.
Reporting flow
Cases reported to the channel are analyzed according to internal investigation procedures and are referred to the Conduct Committee based on criteria established in the EBANX Helpline risk matrix.
Annual reports on received and resolved cases indicate the channel's efficiency and are reviewed by the Audit Committee, ensuring that all complaints are handled according to established guidelines.
Nature of the cases
(GRI 205-3; 406-1-b)
In 2023, with the resumption of face-to-face activities and increased promotion of the channel among employees, the EBANX Helpline saw a significant increase in the number of contacts, growing by approximately 17% over the previous year.
However, the number of complaints decreased, which illustrates the effectiveness of the control measures implemented. At the same time, the number of suggestions increased, reflecting greater employee engagement in contributing positively to the company. Most suggestions were related to the benefits offered.
All complaints received were thoroughly investigated by the Risk & Compliance team, which also engages other areas that may contribute to the investigations. In employee-related cases, the professional's direct manager was also involved to provide a broader understanding and effective handling of the situation.
After deliberation, if a complaint is confirmed, the Conduct Committee decides on disciplinary measures in accordance with the EBANX Disciplinary Measures Policy. The process adheres to principles of proportionality, equality and impartiality, ensuring that evidence is considered and the right of defense for those involved is upheld.
There were no cases of corruption, and no employee was fired or punished for that reason. Likewise, no business contracts were terminated for corruption-related violations.
There were also no substantiated cases related to the review of financial reports (including the integrity of financial statements), internal control systems, internal and external auditing processes (including the qualifications, independence, and performance of the independent auditor), or the risk monitoring process and compliance with laws and regulations.
Combating harassment
EBANX ensures that all employees work in a safe, healthy, and respectful environment. As highlighted in the Code of Conduct, the focus is on human relations, the recognition of diversity, and the fight against sexist intimidation as well as sexual or moral harassment.
Analysis of the whistleblowing channel indicates that the main areas of concern are related to human rights and labor relations, with no significant risks of fraud or corruption. In response, the company has implemented ongoing training, guidance, and awareness-raising initiatives on violence, harassment, equality, and diversity in the workplace. See more in Developing Diversities.
In 2023, internal communication and awareness on these issues were further strengthened, particularly through initiatives in partnership with the Internal Commission for the Prevention of Accidents and Harassment (CIPA).
3.5 Training and Awareness Program
(GRI 205-2)
EBANX has a robust Training and Awareness Program, designed to address business and market demands while supporting internal compliance initiatives.
The culture of integrity and compliance is promoted among employees through a mandatory training journey, known as MUST DO, and general training tailored to regulatory and internal needs.
Upon joining the company, ebankers are required to complete six MUST DO trainings: Code of Conduct; anti-corruption; anti-money laundering and counter financing of terrorism; anti-money laundering and counter financing of terrorism: sanctions; data privacy; and information security.
In 2023, 100% of employees completed the training, fully meeting the goal of completing the mandatory MUST DO training.
The training is available online through the EBANX Academy and can be accessed at any time and place. Learn more in ebankers. In addition, employees receive communications on compliance topics and manuals with general guidelines, including contact points in the Risk & Compliance department for any questions.
EBANX also extends these trainings to the third parties that work in its day-to-day operations, such as cleaning teams, security guards, and freelancers, through training sent to all new partners hired.
3.6 Information Security
(GRI 3-3: Privacy and cybersecurity)
In the payments and financial transactions sector, information security is a major risk. This is particularly true for EBANX due to the volume and confidentiality of the data it processes and stores.
The Information Security Policy defines strict guidelines and procedures to ensure the integrity, confidentiality, and availability of information, ensuring regulatory compliance and effective management of risks related to the protection of personal data, financial information, and intellectual property. It provides for continuous monitoring, regular audits, strict access controls, and specific protocols for responding to incidents.
EBANX's investments in modernizing data management processes have resulted in a high level of maturity in information security, as evidenced by international certifications and recognition from merchants.
EBANX holds several certifications that demonstrate its commitment to information security. Since 2014, EBANX has been certified in the Payment Card Industry - Data Security Standard (PCI-DSS), which attests to the security of its card data processing. Since 2019, it has also been ISO/IEC 27001 certified, an international reference standard that verifies the high compliance of the information security management system.
Privacy, data protection, and the ethical use of artificial intelligence
(GRI 418-1 and FN-CF-220a.2)
EBANX has a robust Privacy and Personal Data Governance Program, focusing on both local and global standards. Given the high volume of data processed in its operations, EBANX recognizes that data protection and privacy are integral to the core of its business and all projects developed.
EBANX's global operations require compliance with several privacy and data protection laws. These requirements are monitored and fulfilled by the Privacy team together with the Data Protection Officer. Expansion to new countries necessitates developing and implementing the required obligations and adjustments to ensure compliance. An example of this commitment is the recent System Audit Report (SAR Audit) for Data Localization, which specifically certifies the location of the data in India.
In addition to its operational privacy structure, EBANX has a Data Protection Committee (DPC) that oversees privacy initiatives, makes strategic decisions impacting the business, and promotes the importance of data protection across specific areas of activity.
To protect personal data against unauthorized access in payment transactions, EBANX utilizes several layers of security, such as card tokenization, 3D Secure, and intelligent routing. In addition, the company continuously invests in infrastructure modernization, focusing on data security and the responsible use of artificial intelligence (AI).
EBANX’s governance of AI projects is rigorous, involving careful analysis of the use and impact of these technologies to enhance the company's database, improve decision-making, and elevate security standards.
Employee engagement is another key component of EBANX's security strategy. Ongoing training and phishing prevention campaigns have resulted in susceptibility rates that are below the market average.
In 2023, there were no substantiated complaints of privacy violations, nor were any leaks, thefts, or loss of customer data identified. In addition, there were no financial losses resulting from privacy-related litigation, demonstrating the effectiveness of EBANX's security practices.
Pioneer in ISO 27701
EBANX is the first company in the payments sector to obtain ISO 27701 certification - an extension of ISO 27001, which establishes a Privacy Information Management System (PIMS). This achievement underscores its commitment to privacy and data protection, elevating its data protection and security standards to a new level that differentiates the company in the global payments market.
The ISO 27701 certification encompasses all EBANX operations in the countries where it operates, reinforcing its privacy policies and ensuring alignment with major international data protection regulations.
ISO 27701, achieved in 2024, complements EBANX’s other certifications, such as ISO 27001 - Information Security Management System (ISMS) - and strict compliance with the PCI DSS standard, essential for data protection in credit card transactions.
The certifications obtained by EBANX attest to the maturity of its security processes, ensuring that customer and partner data is protected against unauthorized access.
These achievements not only reflect EBANX's ongoing investment in cutting-edge technologies and the expertise of its teams, but they also demonstrate the company's proactive approach to anticipating emerging threats and information security trends.