XP INC.

Risks, Credit and ESG

Committee Charter

Adopted April 26, 2024

  I. Purpose

The Risks, Credit and ESG Committee (the "Committee") is created by the Board of Directors (the "Board") of XP Inc., a Cayman Islands exempted company with limited liability (the "Company"), to discharge the responsibilities set forth in this charter of the Committee (this "Charter"). The Committee shall have the authority and membership and shall operate according to the procedures provided in this Charter. The Committee shall:

    1. assist the Board in overseeing, and review with management, (i) the Company's identification, assessment and management of key risks, including those relating to cybersecurity, climate, credit, market, reputational, liquidity, and environmental, social and governance (collectively "Enterprise Risks"), and (ii) the Company's initiatives and framework, guidelines, internal policies and processes for monitoring, mitigating and managing such Enterprise Risks;
    2. assist the Board in overseeing, and review with management, (i) the environmental, social and corporate governance ("ESG") issues ("ESG Issues") affecting the Company, and liaise, as appropriate, with other committees of the Board regarding such ESG Issues, and (ii) the Company's ESG strategy and priorities, and the implementation of practices, policies and initiatives for mitigating such ESG Issues.
    3. (i) assist the Board in overseeing, and review with management, (a) the credit and lending strategies and objectives of the Company, (b) the credit policies, portfolio limits and portfolio reporting of the Company, and the effectiveness and implementation of such credit policies, and (c) the quality of the Company's credit portfolio and the trends affecting such portfolio;
    4. assisting the Audit Committee in such committee's oversight with respect to the Company's internal controls systems and compliance in connection with financial related risks; and
    5. any additional matters delegated to the Committee by the Board and, where applicable, the Audit Committee.
  II. Membership

The Committee shall consist of at least three members. Members of the Committee shall have an understanding of risk management principles and practices relevant to the Company.

The Compensation, People, Nominating and Corporate Governance Committee shall recommend nominees for appointment to the Committee every two years and as vacancies or newly created positions occur. The members of the Committee will serve in the Committee for two-year terms, provided, however, that the Compensation, People, Nominating and Corporate Governance Committee will review and reaffirm the Committee's composition annually. Committee members shall be appointed by the Board and may be removed by the Board at any time. The Board may designate one member of the Committee as the Committee's Chair.

[ CLASSIFICATION: PUBLIC ]

If a member of the Committee is a director of the Board, its resignation or removal as a director, for whatever reason, will automatically constitute resignation or removal, as applicable, from the Committee.

  III. Responsibilities

In addition to any other responsibilities which may be assigned from time to time by the Board or the Audit Committee, the Committee is responsible for the following matters:

  1. ESG, Climate and Cybersecurity Related Responsibilities
    1. With management, provide oversight of (i) ESG issues affecting the Company, and (ii) the Company's ESG strategy and priorities, and the implementation of practices, policies and initiatives for mitigating such ESG Issues.
    2. Review periodically the cybersecurity, climate and ESG related practices and policies of the Company.
    3. Monitor developments relating to, and improve the Board's understanding of, cybersecurity, climate and ESG matters.
    4. Monitor the adherence to regulations and self-regulations related to cybersecurity, climate and ESG matters.
    5. With management, review ESG reporting and scores of the Company, guiding on areas of opportunity.
    6. Ensure that there are mechanisms in place to identify and comply with all applicable laws with respect to cybersecurity, climate and ESG related matters.
    7. Consider and review, at least annually, with the competent management and the internal auditors, the adequacy and effectiveness of the Company's (i) cybersecurity program, procedure and policies, (ii) monitoring of and system of internal controls over cybersecurity matters, including data and privacy protection policies and programs, and (iii) incident reporting policies and procedures.
    8. Discuss with the competent management any significant cybersecurity incidents or risk exposures that have come to management's attention during the conduct of their assessments and the steps that management has taken to mitigate such exposures. The Committee will receive periodic updates from the Company's management on cybersecurity.

  1. Credit, Market and Liquidity Related Responsibilities
    1. Report to the Board regarding credit management.
    2. Provide oversight of the credit and lending strategies and objectives of the Company.
    3. Review and approve credit policies, portfolio limits and portfolio reporting, and oversee the effectiveness of and implementation of such credit policies.
    4. Review the quality of the Company's credit portfolio and the trends affecting such portfolio.
    5. Review periodically the credit, market and liquidity related practices and policies of the Company.
    6. Monitor developments relating to, and improve the Board's understanding of, credit, market and liquidity matters.
    7. Monitor the adherence to regulations and self-regulations related to credit, market and liquidity matters.
    8. Ensure that there are mechanisms in place to identify and comply with all applicable laws with respect to credit, market and liquidity matters.
  2. Risk Management Responsibilities
    1. Monitor the exposure of the Company to Enterprise Risks, and define the Company's exposure limits to such risks.
    2. Monitor the Company's risk management indicators with respect to Enterprise Risks.
    3. Discuss and approve policies and procedures for managing Enterprise Risks, and define and monitor risks mitigation plans with respect to such risks.
    4. Decide on the establishment of goals related to management of Enterprise Risks.
    5. Ensure appropriate reporting regarding exposures to inherent and residual risks and weaknesses in controls related to Enterprise Risks.
    6. Track the Company's progress against climate risk targets.
    7. Ensure that the identification and measurement of risks are objective and coherent with the Company's standards and applicable rules.
    8. Review and discuss with management the Company's risk appetite, tolerance and strategy relating to Enterprise Risks.
    9. Ensure that risk control and risk decisions within the purview of the Committee are appropriately informed and reported to the Board and the Audit Committee.
    10. Review, coordinate and discuss with the Audit Committee and management the Company's risk governance structure, risk assessment and risk management practices, as well as the guidelines, policies and processes for risk assessment and risk management.
  1. Reporting to the Board and Audit Committee
    1. Report on the Committee's activities and make appropriate recommendations to the Board for Board approval. The Committee shall coordinate its activities and reports with the Audit Committee, and shall report to the Audit Committee and the Board periodically.
    2. The Committee shall review and assess the adequacy of this charter annually and recommend any proposed changes to the Board. The Committee will also evaluate on an annual basis the Committee's composition and performance, and shall produce and provide to the Board on an annual basis an evaluation of the Committee's performance of its duties under this charter. The evaluation shall be conducted in such a manner as the Committee deems appropriate. The Chair (or any other member) of the Committee will present the evaluation to the Board.
    3. Ensure communication between the Committee and the Audit Committee regarding responsibilities within the purview of the Committee that relate to responsibilities within the purview of the Audit Committee.

The primary responsibility for assisting the Board in its oversight with respect to internal controls systems and compliance in connection with financial related risks, rests with the Audit Committee. The Committee shall coordinate with the Audit Committee, for the Committee to assist the Audit Committee in the Audit Committee's review of the Company's financial related risks that are within the Audit Committee's purview. The Audit Committee shall have the authority to delegate to the Committee responsibilities related to the Company's internal controls systems and compliance in connection with financial related risks. The Committee shall report to, and ensure communication with, the Audit Committee, as provided under Section III of the Charter.

  IV. Authority and Delegations

The Committee, in discharging its responsibilities, may conduct, direct, supervise or authorize studies of, or investigations into, any matter that the Committee deems appropriate, with full and unrestricted access to all books, records, documents, facilities and personnel of the Company.

The Committee may, subject to the Board's approval, retain or obtain the advice of a consultant, legal counsel or other adviser, and shall be directly responsible for the appointment and compensation of, and oversight of the work of, any such adviser retained by the Committee.

If approved by the Board, the Company shall provide for appropriate funding, as determined by the Committee, for the payment of reasonable compensation to such adviser retained by the Committee.

  V. Procedures

The Committee shall meet as often as it determines is appropriate to carry out its responsibilities under this charter, but not less frequently than quarterly. The Chair of the Committee shall preside at each meeting and, in the absence of the Chair, one of the other members of the Committee shall be designated as the acting chair of the meeting. The Committee, in consultation with its members, shall determine the frequency and length of the committee meetings and shall set meeting agendas consistent with this charter.

The Committee's meetings shall be called by any member at least 5 (five) business days in advance by correspondence or by email. The materials to be presented, discussed or approved at the meeting shall be sent with the call notice. Should all members be present in the Committee's meeting, the formality of convening a meeting may be waived. The meetings may be held in person, by teleconference, videoconference or other means of communication and the participation will be considered as personal presence at said meeting.

The resolutions of the Committee's meeting shall be passed by a majority of its members. The Committee will maintain written minutes of its meetings and copies of its actions by written consent and will file such minutes and copies of written consents with the minutes of the meetings of the Board. The Committee will regularly report to the Board and the Audit Committee on its activities. The resolutions, statements and opinions of the Committee shall be drawn up and signed by the Chair (or such other Committee member who presided over the applicable meeting as the chairperson).

In addition, the Committee shall separately meet on a periodic basis with management, the officer of the internal audit department or another designated employee and the independent auditors to discuss any matters that the Committee or any of these persons or firms believe should be discussed. The Committee may, at its discretion, invite members of management of the Company and its subsidiaries, as well as auditors and experts, to attend all or any portion of any meeting of the Committee.

In addition to this Charter, the operation of the Committee will be subject to any applicable provisions of the Memorandum and Articles of Association of the Company, the Cayman Islands Law, the rules and regulations of the Securities and Exchange Commission and the listing standards of NASDAQ Stock Market, each as in effect from time to time.

  VI. Limitations Inherent in the Committee's Role

While the Committee is responsible for, in coordination with the Audit Committee (as provided in their respective charters), reviewing the Company's practices with respect to risk assessment and management, it is the responsibility of the Chief Executive Officer and senior management to determine the appropriate level of the Company's exposure to risk. Senior management is also responsible for providing the Committee with appropriate information and reporting to allow the Committee to perform its responsibilities.

Disclaimer

XP Inc. published this content on 26 April 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 20 May 2024 09:38:03 UTC.