#Public

SPECIFIC POLICY FOR FRAUD PREVENTION

  1. Area responsible for the matter: Institutional Security Unit (USI)
  2. Regulation: Integrate Resolution nº 6, Bacen Resolution nº 142, and Bacen Resolution nº 304.
  3. Review frequency: at least annually, or extraordinarily, at any time.
  4. Introduction and Concept:
    1. This Policy guides the behavior of Banco do Brasil. Entities Related to Banco do Brasil (ELBB) are expected to define their directions based on these guidelines, considering the specific needs and the legal and regulatory aspects applicable to them.
    2. This Policy establishes principles and guidelines for preventing, detecting and responding to fraud in products, services, processes and service channels. It guides the management of vulnerability identification and mitigation processes, demonstrating the Bank's commitment to protecting corporate information and other information assets, as well as working to prevent, identify and mitigate vulnerabilities in banking transactions.
    3. The criteria, requirements, standards, and procedures arising from this Policy are defined in internal normative instructions (IN).

    4. For the purposes of this Policy, we consider the following definitions:
      1. External Fraud: events related to acts carried out by external agents with the intention of altering or subtracting financial assets, data and information from the Bank or its customers, to obtain personal financial benefit or cause damage to the Bank.
      2. Internal Fraud: events related to acts carried out by employees and other internal agents with the intention of altering or subtracting financial assets, data and information from the Bank or its customers, to obtain personal financial benefit or cause loss.
      3. Products and Services: Banco do Brasil's marketing objects with its customers.
      4. Agents Identification: process of establishing the identity of a person, who may be a client, non-client or employee of the institution.
      5. Agents Qualification: process of attributing to a person, whether client, non-client or collaborator, qualities that differentiate them from others.
      6. Agents Authentication: process of proving a person's identity through access credentials.
      7. Authorization: process of specifying resource access rights and privileges.

5. Announcements:

  1. We verify the appropriate application of the principle of segregation of duties, so that the occurrence of conflicts of interest and fraud is avoided;
  2. We adopt protection mechanisms with the aim of mitigating external and internal fraud;
  3. We guide our customers on the necessary security precautions when using financial products and services;
  4. We guarantee the customer the right to contest transactions, by providing the necessary information to analyze liability, in accordance with pre-established standards published on the Banco do Brasil website;
  5. We carry out prior analysis regarding the security of the service channels used in our transactions;
  6. We provide access to transactions after the correct identification of the agent and according to their user profile;
  7. We use different mechanisms to enable and control access to financial transaction systems, depending on the type of client and their level of risk;
  8. We continuously monitor service channels and use processes, controls and technologies to prevent electronic fraud, internal fraud, document fraud and identity fraud;
  9. We report, to the competent authorities, the results of the assessment of occurrences of fraud or attempted fraud, including the preventive, detective, repressive and corrective measures adopted;
  10. We adopt actions to properly identify and qualify customers and employees when carrying out transactions, whether financial or not, as well as their administrators and representatives, if any, including the capture, verification and validation of their information, with the aim of knowing their respective identities;
  11. We promote the identification of security transactions in isolation, in order to guarantee specific security actions for each incident;
  12. We ensure the integrity, reliability, security and confidentiality of transactions carried out, as well as the legitimacy of contracted operations and services provided;
  13. We do not allow the opening, contracting or maintenance of accounts, financial products and services anonymously;
  14. We provide access to transactions after the customer has been properly authenticated and according to their user profile;
  15. We identify and define just one corporate manager of channels, products, services and transactions and assign him responsibilities for managing the security of his asset, in order to speed up the incident containment process;
  16. We constantly seek innovation, automation, intelligence and best market practices in channel security and identity verification projects and processes, with a focus on preventing, detecting and responding to fraud, reducing operational costs, reducing incident detection and response time, and maintaining service availability;
  17. We encourage and participate in joint actions, within the scope of the National Financial System, to prevent, detect and respond to banking fraud.

6. Last review date: 03/13/2024.

Disclaimer

Banco do Brasil SA published this content on 25 April 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 25 April 2024 21:11:08 UTC.