B3 S A Brasil Bolsa Balcão : Compliance and Internal Controls Policy

COMPLIANCE AND INTERNAL CONTROLS POLICY

12/11/2020

PUBLIC INFORMATION

COMPLIANCE AND INTERNAL CONTROLS POLICY

CONTENTS
1	PURPOSE ....................................................................................................	3
2	SCOPE .........................................................................................................	3
3	REFERENCES .............................................................................................	3
4	CONCEPTS ..................................................................................................	4
5	GUIDELINES ................................................................................................	4
6	RESPONSIBILITIES.....................................................................................	7
7	FINAL PROVISIONS ..................................................................................	10
8	CONTROL INFORMATION ........................................................................	10

2	INFORMAÇÃOPUBLICINTERNAINFORMATION- INTERNAL INFORMATION

COMPLIANCE AND INTERNAL CONTROLS POLICY

1 PURPOSE

The purpose of this Policy is to set out concepts, rules and responsibilities governing the functioning of the compliance and internal control framework of B3 S.A. - Brasil, Bolsa, Balcão.

2 SCOPE

This Policy applies to all administrators, employees and interns of B3 S.A. - Brasil, Bolsa, Balcão, its subsidiaries abroad, BSM Market Supervision, Cetip Info Tecnologia S.A., B3 Social, and other associations (Company).

3 REFERENCES

The references for this Policy are the main national and international normative instruments that deal with concepts, rules and responsibilities relating to compliance and internal control frameworks, including:

• The Company's Anti-Corruption and Fraud Prevention Policy;
• The Company's Corporate Risk Management Policy;
• Brazilian Federal Law 4595/1964;
• Brazilian Federal Law 4728/1965;
• Brazilian Federal Law 6385/1976;
• Brazilian Federal Law 10214/2001;
• Brazilian National Monetary Council (CMN) Resolution 2554/1998;
• CMN Resolution 2882/2001; and
• Brazilian Securities and Exchange Commission (CVM) Instruction 461/2007.

3	INFORMAÇÃOPUBLICINTERNAINFORMATION- INTERNAL INFORMATION

COMPLIANCE AND INTERNAL CONTROLS POLICY

4 CONCEPTS

4.1 Regulatory environment

The set of legal, normative and regulatory provisions issued by the bodies that regulate the Company's activities.

4.2 Internal control system

The set of procedures and activities established by the Company to reduce the likelihood of financial losses and damage to its institutional image, enhance the quality of its accounting information and assure compliance with the applicable legislation and regulations.

The Internal Controls and Compliance Department assists the Company in maintaining an effective internal control system, consistent with the nature, complexity and risk of the operations performed by B3, that focuses on:

• Operational efficiency and effectiveness;
• Integrity of data and information records;
• Conformity; and
• A risk-based approach.

5 GUIDELINES

5.1 Implementation, evaluation and maintenance of internal control activities

The Corporate Internal Controls Department is responsible for evaluating and monitoring whether the control activities: (i) are being carried out by the Company's operating areas and (ii) are sufficient, effective and efficient in mitigating risks.

Control activities are evaluated from time to time based on the legislation and regulations in force and on best practices in corporate governance, embodied in

4	INFORMAÇÃOPUBLICINTERNAINFORMATION- INTERNAL INFORMATION

COMPLIANCE AND INTERNAL CONTROLS POLICY

the standards and methodologies established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Control Objectives for Information and Related Technology (COBIT) framework.

The results of evaluations and tasks are duly documented and forwarded to the operating areas responsible for control activities.

Internal control activities must be properly documented by business area managers. The nature and extent of this documentation may take various forms, containing at least:

• Duly formalized policies and procedures;
• Formalization of the responsibility of each professional involved in the relevant business processes, with the appropriate segregation of functions and approval authorities, where applicable. This formalization may take the form of organization charts, responsibility matrices, job descriptions and/or narratives;
• Business process flow charts pinpointing all controls; and
• Supporting documentation for decisions taken regarding the implementation of controls, including cost-benefit assessments.

In addition, the Corporate Internal Controls Department is responsible for complying with the requirements of the Central Bank of Brazil (BCB), particularly in respect to CMN Resolution 2554/1998, and with external auditors in matters relating to the evaluation of the Company's controls.

To this end, business areas must provide the requisite information to the Corporate Internal Controls Department so that it can produce reports on internal controls for approval by the Board of Directors.

5	INFORMAÇÃOPUBLICINTERNAINFORMATION- INTERNAL INFORMATION