VULNERABLE CUSTOMERS POLICY

This policy applies to the SCANDIC brand ecosystem, in particular to the following brands and services:

and for all structures held or supported by SCANDIC FINANCE GROUP LIMITED.

Part 1: Management summary of the policy for vulnerable customers

1. Purpose of the policy

The Vulnerable Customer Policy aims to

• Identify customers whose ability to make their own informed decisions may be limited by personal circumstances.
• Taking into account their special protection needs in all financial, fiduciary, payment and investment services.
• to avoid excessive demands, financial exploitation and serious misjudgements,
• to provide the management of SCANDIC FINANCE GROUP LIMITED with a clear, structured framework for action based on modern European Union standards and international best practice principles.

The guideline applies to the entire SCANDIC brand ecosystem and all related services provided to natural persons.

2. Definition of "vulnerable customers"

Vulnerable customers are natural persons whose ability to protect their own interests, make informed decisions and use financial services responsibly

• is temporarily or permanently impaired by personal circumstances,
• and who are therefore at increased risk of negative financial, legal or emotional consequences.

Possible factors:

• health restrictions (physical, mental, cognitive),
• life-changing events (death of a relative, separation, loss of employment, displacement, war),
• low financial resilience and high vulnerability (lack of savings, excessive debt),
• low financial literacy and lack of digital skills,
• addictions (e.g. gambling addiction),
• coercion, violence or influence by third parties (financial exploitation, blackmail).

3. Key principles

The directive is based on eight key principles:

1. Early detection: risks are identified as early as possible, as far as legally permissible and practically feasible.
2. Proportionality: Measures are tailored to the individual case and the actual risk.
3. Non-discrimination: risk leads to additional protection, not to unjustified discrimination.
4. Transparency and comprehensibility: Products, risks and costs are explained in a clear, structured and comprehensible manner.
5. Protection from harm: The protection of the customer takes precedence over short-term business transactions.
6. Self-determination: Vulnerable customers are empowered to make their own decisions, not disenfranchised.
7. Confidentiality and data protection: Sensitive information is processed only to a limited extent, lawfully and in a protected manner.
8. Documentation and accountability: Decisions and measures taken in dealing with vulnerable customers are documented in a comprehensible manner.

4. Role of management

The management of SCANDIC FINANCE GROUP LIMITED is responsible for:

• establishing a binding framework for dealing with vulnerable customers,
• integrating this topic into the compliance organisation, risk management, product management and processes for preventing money laundering and terrorist financing,
• providing sufficiently qualified staff, technical systems and financial resources,
• establishing clear responsibilities (e.g. appointing a person responsible for the area of "vulnerable customers"),
• regular review and adjustment of the policy.

In this way, the management bears ultimate responsibility for ensuring that vulnerable customers are not overwhelmed, exploited or forced into unreasonable risks.

5. Identification and handling in practice

Vulnerable customers can be identified by:

1. Self-disclosure: The person themselves states that they consider themselves vulnerable due to certain circumstances.
2. Observable signs: Employees notice unusual behaviour, such as severe confusion, emotional overload, difficulty understanding or signs of pressure from third parties.

If a risk is suspected or confirmed, the following principles apply in particular:

• Simplify communication,
• offer additional explanations and written summaries,
• Allow time for reflection before final decisions are made,
• Avoid complex or particularly risky products.
• involve a second person in the discussion if necessary,
• document the situation in the system and escalate it to compliance and risk management in the event of increased risk.

If, despite all measures, fair and secure handling cannot be guaranteed, the business relationship may be rejected or terminated.

6. Connection to risk, compliance and prevention of money laundering

The guideline is part of the overall governance and compliance framework of SCANDIC FINANCE GROUP LIMITED:

• Vulnerable customers are particularly susceptible to abuse, for example as "front men" in connection with money laundering.
• Indications of abuse or illegal use of accounts must be consistently assessed within the framework of existing systems for the prevention of money laundering and terrorist financing and, if necessary, reported.
• Product development, digital platforms and risk management must ensure that vulnerable customers are not structurally disadvantaged or overwhelmed.

7. Training and culture

The guideline will only be effective if:

• Employees receive regular, practical training.
• there is a strong awareness that protecting vulnerable customers is a strategic goal,
• management consistently demonstrates that long-term integrity and customer protection are more important than short-term revenue.

Part 2: Complete policy for vulnerable customers

1. Purpose, scope and principles

1.1 Purpose of the policy

The purpose of this policy is to

• identify vulnerable customers at an early stage,
• take their special needs into account when providing financial, fiduciary, payment and investment services,
• prevent abuse, exploitation, financial exploitation and poor decisions as far as possible,
• and to provide management with clear guidelines and decision-making criteria.

The guideline incorporates European Union standards, international consumer protection principles, requirements for the prevention of money laundering and terrorist financing, and elements of the Supply Chain Due Diligence Act insofar as labour and human rights aspects are concerned.

1.2 Scope

The guideline applies to:

• all customers and potential customers who are natural persons,
• all entities and brands in the SCANDIC brand ecosystem,
• all employees, in particular those in
  • customer service and support,
  • the legal department, compliance function and risk management,
  • prevention of money laundering and terrorist financing,
  • customer service, helpdesk and service ticket processing,
  • product development and sales, including digital platforms.

It is aimed in particular at the management of SCANDIC FINANCE GROUP LIMITED, which is responsible for establishing, monitoring and further developing processes for dealing with vulnerable customers.

1.3 Legal and regulatory framework

The guideline is based, among other things, on:

• Consumer protection principles of the European Union and its Member States,
• fundamental freedoms and rights, in particular the Charter of Fundamental Rights of the European Union,
• Requirements for financial market regulation and the protection of customers of financial services,
• Data protection regulations, in particular the General Data Protection Regulation of the European Union,
• anti-discrimination regulations and human rights protection obligations,
• legal requirements for the prevention of money laundering and the financing of terrorism,
• international labour and human rights standards, in particular the core labour standards of the International Labour Organisation and the United Nations Guiding Principles on Business and Human Rights.

If local regulations, for example in Hong Kong, the United Arab Emirates, the United Kingdom, Ukraine or the Federal Republic of Germany, impose stricter requirements, the stricter requirements shall always apply.

2. Definition and categories of high-risk customers

2.1 Definition

A vulnerable customer is a natural person whose ability to protect their own interests, make informed decisions or use financial services responsibly is temporarily or permanently impaired by personal circumstances, and who is therefore at increased risk of adverse financial, legal or emotional consequences.

2.2 Typical risk factors

Without this list being exhaustive, the following factors, among others, may contribute to vulnerability:

2.3 Effects on the use of financial services

Risks can manifest themselves in the following ways, among others:

• difficulties in understanding products and risks,
• impulsive or highly emotionally driven purchasing and investment decisions,
• increased susceptibility to fraud, deception and manipulation,
• technical barriers to using digital platforms,
• inability to understand contract terms, fees, risks and liability issues,
• repeated complaints, contradictory decisions or conspicuous transactions that indicate overload.

3. Principles for dealing with vulnerable customers

The management is committed to the following basic principles:

1. Early detection: Where legally permissible and practically possible, risks should be identified at an early stage.
2. Proportionality: Measures are tailored to the individual situation of the customer and the specific risk.
3. Non-discrimination: Endangerment does not lead to unjustified discrimination, but to additional protection.
4. Transparency and comprehensibility: Information is provided in an appropriate form, in understandable language and in line with the customer's level of knowledge and education.
5. Protection from harm: The primary goal is to avoid excessive demands, unfair advantages and unreasonable risks as far as possible.
6. Self-determination: Vulnerable customers should be empowered to make their own informed decisions; incapacitation should be avoided.
7. Confidentiality and data protection: Sensitive information about the vulnerability is only processed and protected to the extent that is absolutely necessary.
8. Documentation and accountability: Decisions and measures taken in dealing with vulnerable customers shall be documented in a comprehensible manner.

4. Responsibility of management

The management of SCANDIC FINANCE GROUP LIMITED is responsible for:

• establishing a comprehensive framework for dealing with vulnerable customers,
• integrating the issue into
  • the compliance organisation,
  • risk management,
  • product control and product approval,
  • the processes for preventing money laundering and terrorist financing,
• the provision of sufficient human, technical and financial resources,
• the definition of clear roles and responsibilities, for example by appointing a person responsible for vulnerable customers within the compliance or risk department,
• regular monitoring, reporting and further development of the policy.

5. Identification of vulnerable customers

5.1 Self-disclosure by customers

• Customers are expressly encouraged to inform the company if they consider themselves to be at risk due to their personal circumstances.
• This can be done via customer service, a ticket system, email, telephone or during a personal or virtual consultation.
• Employees respond sensitively, respectfully and confidentially and initiate appropriate steps in accordance with the established processes.

5.2 Observable indications

Employees are trained to look out for possible signs, such as:

• confused, contradictory or rapidly changing statements,
• obviously limited language or comprehension skills,
• repeated questions about simple matters,
• recognisable emotional exceptional situations such as crying, severe nervousness or feeling overwhelmed,
• signs of manipulation or pressure from third parties,
• unusual transaction patterns combined with clear uncertainty about their meaning.

No medical assessment is carried out; this is solely a business-related risk assessment for the protection of the customer.

5.3 Data and internal systems

• To the extent permitted by law, internal systems may note that a customer requires special care, for example, "simplified language and more detailed explanations necessary".
• Health-related details or diagnoses are not recorded.
• Any storage of personal data requires a legal basis and is limited to what is necessary.

6. Measures and processes for dealing with vulnerable customers

6.1 Principle of an individual approach

Each situation must be assessed individually. Possible measures include:

• Adapting verbal and written communication to the customer's needs
• Providing additional written summaries with clear key messages
• Granting longer reflection periods before concluding a contract
• Avoiding particularly complex or high-risk products
• Involving a second employee as a witness and for quality assurance purposes
• Recommendation to involve a trusted person, such as a solicitor, guardian or close relative, if legally permissible and desired by the customer.

6.2 Communication and documentation

• Important discussions with vulnerable customers should, where permissible, be summarised or recorded in writing.
• Key risks, costs, conditions and termination options are explained in detail and in understandable language.
• Customers are expressly invited to ask questions and are given time to consider them.

6.3 Assessment of the suitability and appropriateness of products

• In the case of products requiring intensive advice or involving high risk, such as complex financial instruments, leveraged products or certain crypto assets, suitability and appropriateness checks must be carried out with particular care.
• If there are reasonable doubts that the customer understands or can bear the risks, such products should not be recommended.
• In case of doubt, the following principle applies: protecting the customer takes precedence over concluding a transaction.

6.4 Rejection or termination of business relationships

• If, despite all adjustments, the company cannot ensure that a vulnerable customer can be treated fairly, safely and appropriately, the establishment or continuation of the business relationship may be refused or terminated.
• Reasons for this may include:
  • clear indications that the person could suffer considerable damage as a result of the business relationship,
  • recognisable substantial pressure from third parties or exploitation,
  • use of the account or business relationship for illegal purposes, such as money laundering.
• Decisions must be documented in a comprehensible manner and explained to the customer, insofar as this is legally permissible and reasonable.

7. Connection to compliance, risk management and prevention of money laundering

7.1 Prevention of money laundering and terrorist financing

• Vulnerable customers are particularly susceptible to being misused by third parties for illegal purposes.
• Suspicious circumstances such as unusual transaction patterns, lack of knowledge about the origin or use of funds, or indications of pressure from third parties are assessed as part of the existing processes for the prevention of money laundering and terrorist financing and, if necessary, reported to the competent authorities.
• The vulnerability perspective is an important addition, but does not replace the legal obligations to prevent money laundering and terrorist financing.

7.2 Risk management and product steering

• When developing and modifying products and digital platforms, the needs of vulnerable customers are systematically taken into account, for example through clear user guidance, mandatory risk warnings and appropriate waiting periods before final decisions are made.
• The risk function assesses whether products or processes could systematically disadvantage or overwhelm vulnerable customers and proposes any necessary adjustments.

8. Cooperation with external support and advisory services

8.1 Reference to external support

Depending on their country of residence, vulnerable customers can be made aware of suitable external support services, for example:

• Telephone and crisis services for people with suicidal thoughts, depression or anxiety
• Government or non-profit advice centres for debt and consumer issues
• Organisations that promote mental health
• specialist centres for dementia, visual impairments or hearing impairments.

The specific naming of organisations should be based on the country, language and legal framework of the customer. An internal list with contact details of suitable agencies can be kept as an appendix to the policy.

8.2 Limits of the company's responsibility

• Company employees do not provide medical, psychotherapeutic or legal advice.
• They are not permitted to make diagnoses or initiate treatments.
• They may only inform customers of the possibility of contacting qualified specialist agencies.

9. Data protection and confidentiality

• Information about a possible risk is particularly sensitive customer data and is only collected if it is necessary for the fair, secure and lawful provision of services.
• Such data is processed in accordance with the European Union's General Data Protection Regulation, applicable national data protection laws and internal data protection guidelines.
• The principle of data minimisation applies: only what is absolutely necessary for risk and protective measures is documented.
• Only those persons who absolutely need this information for their work have access to it.

10. Training, awareness raising and corporate culture

10.1 Training

• All relevant employees, particularly those in customer service, customer advisory services, the legal department, the compliance function, risk management, the prevention of money laundering and the prevention of terrorist financing, and the development of information systems, receive regular training on:
  • Defining and identifying vulnerable customers
  • Appropriate and respectful communication
  • documentation, data protection and correct forwarding channels,
  • interfaces for the prevention of money laundering, risk management and product control.

10.2 Culture of protection

• Management sets a clear tone from the top: protecting vulnerable customers is a strategic goal.
• Employees are encouraged to address uncertainties and, when in doubt, to take protective measures rather than ignoring risks due to sales or time constraints.

11. Governance, reporting and continuous improvement

11.1 Responsibilities

• Management may appoint a person or function responsible for the area of "vulnerable customers", typically within the compliance organisation, risk management or customer experience department.
• This function coordinates policies, training, monitoring and reporting.

11.2 Reporting to management

• Key metrics and findings, such as the number of escalated cases, complaints and rejected or terminated business relationships due to vulnerability, are reported regularly to management.
• Serious individual cases involving significant reputational, legal or customer risk must be reported immediately.

11.3 Review and adjustment of the policy

• The policy is reviewed at least once a year and as required, for example following changes in legislation, the introduction of new products or unusual occurrences in practice.
• Adjustments shall be decided by the management of SCANDIC FINANCE GROUP LIMITED.

12. Entry into force

This policy shall enter into force upon resolution by the management of SCANDIC FINANCE GROUP LIMITED.

It supplements and specifies the existing guidelines on:

• Corporate governance and rules of procedure,
• Personnel and career policy,
• Compliance organisation and prevention of money laundering,
• Data protection and information security,
• human rights and environmental due diligence.

Part 3: Internal process flow – customers at risk (for customer support and compliance)

The following process flow serves as an internal manual for employees in customer support, customer advisory services, compliance and risk management.

It is divided into:

• Section A: Initial contact and processing in customer support,
• Section B: Escalation and processing by compliance and risk management,
• Section C: Decisions, implementation and follow-up.

Section A: Initial contact in customer support

Step A1: Receipt of the enquiry

Triggers may include:

• Ticket in the customer system,
• e-mail or written message,
• telephone call or video conference,
• Note from consulting or sales.

The support employee creates a process in the customer system and documents:

• Date and time,
• Name of the customer,
• Communication channel (telephone, email, platform),
• brief description of the issue.

Step A2: Initial assessment – is there a potential risk?

The support employee checks whether there are any indications of a risk, for example:

Decision:

• If there are no indications: Process according to normal procedures.
• If there are indications or the customer expresses concern: continue with step A3.

Step A3: respectful enquiry and awareness raising

The support employee:

1. thanks the customer for their trust and confirms that the situation is being taken seriously;
2. gently asks whether special support is desired, for example:
   • "Would you like me to explain the next steps more slowly and in more detail?"
   • "Would you like a written summary after our conversation?"
   • "Would you like to have a trusted person join the conversation?"

The aim is to clarify whether the case should be marked internally as "at risk" and treated with increased care.

Step A4: Adjusting communication

If a risk is apparent or has been confirmed, the following applies:

• Speak slowly, clearly and without unnecessary technical jargon.
• Explain contexts in short, understandable sentences.
• Check understanding at the end, for example by asking:
  • "Can you please briefly summarise what we have discussed in your own words?"
• Do not force decisions under time pressure, but actively offer time for consideration.

Step A5: Documentation in the system

The support employee documents the following in the customer system:

• that there are indications of a risk,
• what form of support has been offered and, if applicable, agreed upon (written summary, time to consider, consultation with a trusted person, reference to external help),
• whether the customer agrees that increased care should be taken internally.

No diagnoses or detailed health information are stored, only a note that special care is required when dealing with the customer.

Step A6: Decision on escalation to compliance and risk management

If particularly sensitive situations arise, for example:

• suspicion of external control, blackmail or exploitation,
• indications of severe addiction in connection with investments,
• obviously irresponsible risk behaviour despite repeated warnings,
• suspicion that the business relationship is being used for illegal purposes, such as money laundering,

then:

• the support employee creates an internal note,
• marks the case in the system as "Escalation to Compliance and Risk Management",
• forwards the case to the responsible department with a clear, factual summary.

The customer is informed that the case is being forwarded internally for further review, without disclosing any specific suspicions.

Section B: Processing by Compliance and Risk Management

Step B1: Acceptance and registration of the escalated case

The responsible department (Compliance or Risk Management):

• reviews the information provided by Support,
• If necessary, it draws on transaction data, contract documents and previous communications,
• creates a separate process for internal review.

Step B2: Risk analysis

The following questions must be examined and documented:

1. Is there a specific risk to the customer, or is this sufficiently probable?
2. Are there any indications of abuse or pressure from third parties?
3. Are there any indications of money laundering, fraud or other criminal activities?
4. Are the product portfolio currently in use or the intended transactions compatible with the customer's situation?
5. Is there an increased reputational or legal risk for the company?

The assessment is carried out in accordance with the guidelines and existing internal risk and compliance requirements.

Step B3: Determination of appropriate measures

Based on the analysis, measures are proposed, for example:

• Mandatory detailed consultation with documentation (e.g. consultation record)
• restrictions on certain products or transactions for the customer,
• introduction of waiting periods or additional confirmation steps prior to high-risk transactions,
• recommendation to review the entire business relationship in more detail,
• initiation of review and reporting processes in connection with money laundering, if necessary.

All proposed measures are documented in the file with reasons.

Step B4: Consultation with management in serious cases

In significant cases, for example:

• imminent significant financial damage to the customer,
• high risk of criminal activity,
• significant reputational risk for the company,

the compliance or risk department informs the management and submits a recommendation, such as:

• continuation of the business relationship with strict conditions,
• temporary suspension of certain functions,
• Proper termination of the business relationship.

Management makes the final decision on this basis.

Section C: Decisions, implementation and follow-up

Step C1: Decision and operational implementation

The decision made (continuation, restriction or termination of the business relationship) will be:

• documented,
• implemented in the relevant systems,
• communicated to the departments concerned, in particular customer support, customer advisory services and, where applicable, other internal departments.

Step C2: Communication with the customer

To the extent legally permissible and reasonable, the customer will be

• informed in an understandable manner about the essential consequences for the business relationship,
• addressed respectfully and without technical jargon,
• not confronted with criminal assessments, unless there is a legal obligation to disclose.

The aim is to achieve transparency within the scope of legal possibilities, while at the same time complying with ongoing audits and statutory reporting obligations.

Step C3: Documentation and storage

The following is documented:

• what triggered the case (initial situation),
• what indications of risk there were,
• what measures customer support took,
• the assessment made by compliance and risk management,
• what decision was made,
• what changes were made to systems or processes.

Documents are stored in accordance with statutory retention periods and internal guidelines.

Step C4: Feedback in training and process improvement

Findings from real cases are incorporated into:

• future training content for customer support, consulting, compliance and risk management,
• the assessment of whether certain products, communication channels or system interfaces place an excessive burden on vulnerable customers,
• the regular revision of the guideline and process flow.