COMPLIANCE

POLICY

1. OBJECTIVE

This document provides the guidelines for the operation of HoldBrasil (Hold). It is intended to maintain a compliance risk management structure that adheres to the best practices in our industry, consistent with the nature, size, complexity, structure, risk profile and model of our business.

2. SCOPE

This Policy applies to all HoldBrasil employees.

3. PRINCIPLES

The Executive Board of Hold (Board) develops a strategic plan that includes periodical implementation capable of:

  • Clearly identifying which actions the company must take to achieve its goals;
  • Identifying the resources that will be required;
  • Minimizing existing risks;
  • Building a business continuity structure;
  • Setting goals to be used for tracking and measuring results obtained.

Each year, the Board evaluates whether the proposed actions require updating.

Our Company’s ethical principles are:

  • Exhibiting professional behavior that does not harm the clients, employees or the company, in relation to any transactions made;
  • Not using privileged information in negotiations conducted in the industries in which the company operates;
  • Training employees to perform their activities and requiring that they keep their technical skills up to date;
  • Keeping control of information flows within the company;
  • Promoting a culture of transparency in relation to its activities and reporting any issues that might occur in order to solve them in the best way possible;
  • Keeping confidential the transactions made by the company.

3.1 INTEGRITY

Our company keeps in place a structure of internal controls that encompasses the following topics:

  • Information Security Policy, procedures, up-to-date and accessible operating systems;
  • Control of documents and records;
  • Retaining employees who are trained, conscious of and committed to the application of internal control procedures;
  • Definition of responsibilities with separation of duties to prevent conflicts of interest;
  • Appropriate channels of communication for any questions (Head of Data);
  • Assessment of risks and control of internal and external factors that may compromise the transactions made by the company;
  • Monitoring of business;
  • Periodical testing of electronic systems;
  • Access/security/confidentiality of operating systems, with control of employee passwords and codes of conduct;
  • Handling of complaints and occurrences;
  • Conduct of scheduled internal audits and writing the respective reports;
  • Critical analysis of rules and parameters of operation, internal controls and new risk assessment;
  • Appeals.

3.2 SEPARATION OF DUTIES

The activities of recording, controlling and checking transactions are carried out by employees who are not the same as those who make such transactions.

Procedures related to payment/receiving are separated from departments that perform operational activities.

This is meant to minimize the exposure of the company to operational risk. Basically, “separation of duties” can be defined as:

  • An employee will not perform two tasks when doing any activity. For example: a person who performs a given task should not be the same person responsible for reviewing, controlling or approving that task.

3.3 CONFLICT OF INTEREST

A “Conflict of Interest” refers to an employee associated with the company who acts or participates (directly or indirectly) in a situation that:

  • Affects or compromises the performance of job-related tasks;
  • Causes harm to the reputation or image of the company;
  • Benefits oneself exclusively to the detriment of the company;
  • Competes against the company in relation to any business activities;
  • Takes business opportunities away from the company.

The following must be taken into consideration to evaluate and avoid situations that may involve a conflict of interest:

  • Perception – Can this activity or operation be perceived as a conflict of interest or a potential conflict of interest by others, including employees, clients, suppliers, competitors, regulators or the public? If this activity or transaction became publicly known, would the situation be embarrassing for you or the company?
  • Intent – Does the activity or operation being offered constitute an attempt to influence your judgment?
  • Impact – Will the company be at a disadvantage if you take part in this activity or operation?
  • Objectivity – Will taking part in this activity or operation affect in any way your ability to remain impartial and objective in relation to any decision concerning a client, employee or supplier?
  • Considerations about time – Will the amount of time that this activity or operation requires interfere in your ability to fulfill your job responsibilities efficiently?

A. FIRST LINE OF DEFENSE

ADMINISTRATIVE AND BUSINESS DEPARTMENTS

The first line of defense consists of operational controls in place at the administrative and business-related departments themselves. Since they are closer to the performance of everyday activities, direct managers and employees are responsible for checking compliance risks associated with their activities and for implementing preventive controls in their work processes.

B. SECOND LINE OF DEFENSE

INTERNAL CONTROLS

Internal controls are intended to help managers identify potential risks and help them develop other controls to mitigate the consequences of those risks.
These controls are checked and updated by means of internal rules.

REMUNERATION

The remuneration of employees is consistent with their duties as a way to discourage behaviors that increase exposure to risk. Remuneration is appropriate to business performance in order not to create conflicts of interest.

C. THIRD LINE OF DEFENSE

AUDITING

The third line of defense consists essentially of audit activities, the purpose of which is to provide an objective and independent evaluation of how risks, controls and governance are managed at the company.

4. RESPONSIBILITIES

EXECUTIVE BOARD

Its goal is to:

  • Ensure this Policy is managed appropriately;
  • Ensure this Policy is effective and applied continuously;
  • Disclose this Policy to all employees and relevant third-party service providers;
  • Disseminate integrity and ethical conduct standards as part of Hold’s culture;
  • Enforce corrective measures when compliance breaches are identified;
  • Provide the necessary means for the proper performance of compliance-related activities.

4.1 OTHER DEPARTMENTS

  • Fully abide by the guidelines set out in the rules, including other demands in the market;
  • Report to the Head of Data any improvement/implementation needs that may arise regarding the control or identified risks;
  • Keep confidential the information obtained as part of their duties and to which they may have access;
  • Refrain from using their job or position to illegally obtain advantage for themselves or for third parties, or engaging in acts of corruption or bribery;
  • Refrain from asking for or requesting gifts or entertainment for themselves or for third parties, or accepting any money offered;
  • If an employee, during the performance of his or her duties, becomes aware of any practices that violate the established guidelines, this employee must contact the Executive Board.

5. CONFIDENTIALITY

Maintaining confidentiality is important to prevent sensitive information from being used for the benefit of oneself or of a third party.

5.1 ACCESS TO REQUIRED INFORMATION

Hold provides computer, telecommunications and media systems that are consistent with the structure of its business. In doing so, all departments can act independently and are able to have free access to information required for the performance of their duties (using passwords and access control).

5.2 DISSEMINATION OF THE CULTURE OF COMPLIANCE

Periodically, Hold sends out memos on the subjects of control and compliance for the purpose of disseminating the guidelines on these topics.

5.3 SYSTEM OF INTERNAL POLICIES AND RULES

Departments are to keep all rules and other documents that guide their activities and processes up to date. This procedure is imperative to meet audit requirements and to map out activity risks.

5.4 SANCTIONS

Failure to comply with the guidelines will result in administrative, civil and criminal sanctions where applicable.

After the first violation, the offending employee will be notified of his or her failure to comply with the guidelines. A second violation will subject this employee to a written warning.

This employee’s immediate superior will be notified of the violation and must take administrative measures. Employees may be given an administrative warning, be suspended or terminated from the company.

An employee may be terminated without receiving a warning or being suspended first if this employee’s immediate superior deems that the violation is very serious.

5.5 FINAL CONSIDERATIONS

If you have any questions about this Policy, contact the Head of Data or the Legal department.

Cases not provided for in this Policy will be evaluated by the Executive Board of Hold.

6. APPROVAL AND EFFECTIVENESS

This Policy was approved by the Executive Board and will be effective as of the date of publication. The original document is available from the Head of Data.