Demaş Altın

COMPLIANCE POLICIES AND PROGRAMS

DEMAŞ A.Ş. is committed to conducting its operations in compliance with both national and international regulations, including but not limited to laws such as the Law on Prevention of Laundering Proceeds of Crime No. 5549, the Law on Prevention of Laundering of Proceeds Arising from Criminal Activities No. 4208, and the Law on Prevention of Financing Terrorism No. 6415.
The company actively manages its "Compliance Process" in accordance with legislative changes, concurrently revising its processes to effectively fulfill its responsibilities concerning the prevention of money laundering and the financing of terrorism.

DEMAŞ A.Ş. Compliance Policy
1. OVERVIEW
DEMAŞ KUYUMCULUK İHRACAT İTHALAT SANAYİ VE TİCARET A.Ş. (hereinafter referred to as “DEMAŞ A.Ş.”) undertakes to adhere to the highest ethical standards with regard to the prevention of laundering of crime revenues and financing of terrorism, and to conduct its commercial activities in accordance with relevant international standards, as well as complying with local laws and regulations.
DEMAŞ A.Ş. Compliance Policy has been prepared in accordance with the provisions of Law No. 5549 on the Prevention of Laundering of Crime Revenues, Law No. 6415 on the Prevention of Financing of Terrorism and Law No. 7262 on the Prevention of Financing of the Proliferation of Weapons of Mass Destruction.
DEMAŞ A.Ş. takes various measures, including establishing policies and procedures to ensure the necessary compliance of itself and its employees with its obligations arising from the regulatory system in which it operates, including addressing and managing the risks of proceeds of crime that it may be exposed to.
1.1. Purpose
The purpose of DEMAŞ A.Ş. Compliance Policy is to determine the management principles and minimum requirements within the scope of DEMAŞ A.Ş. Compliance Program to prevent DEMAŞ A.Ş. from being used as an intermediary for money laundering or financing of terrorism, and to guide all DEMAŞ A.Ş. employees during the execution of business in accordance with the laws and regulations regarding money laundering and financing of terrorism.
This Policy consists of measures taken with a risk-oriented approach to ensure DEMAŞ A.Ş.'s compliance with the Law, regulations and sub-regulations on the Prevention of Laundering of Crime Revenues and Financing of Terrorism, as stated in the Regulation on Compliance Program with Obligations Regarding the Prevention of Laundering of Crime Revenues and Financing of Terrorism (hereinafter referred to as the Compliance Regulation), published by the Ministry of Finance numbered 26999 on September 16, 2008. DEMAŞ A.Ş. Compliance Policy is reviewed within the scope of the national risk assessment to be published by MASAK and, if necessary, is updated to take into account the issues determined within this scope.

1.2. Scope
Compliance is a DEMAŞ A.Ş.-wide responsibility and should be viewed as an integral part of DEMAŞ A.Ş.'s daily activities. All employees at DEMAŞ A.Ş. (including Senior Executives, Managers and Employees) are responsible for performing their duties with the highest standards of honesty, ethics and integrity, within the framework of the principles included in the policy, which is founded on the basic principles of transparency and accountability at all levels of DEMAŞ A.Ş. and aims to manage compliance risk to protect DEMAŞ A.Ş., its partners and customers.
1.3. Policy Publisher
This policy was prepared by DEMAŞ A.Ş. Compliance Department and approved by DEMAŞ A.Ş. Board of Directors; in this context, any changes and regulations in this Policy must be reviewed and clarified by the Compliance Department and approved by the Board of Directors of DEMAŞ A.Ş.
1.4. Effective Date
This Policy is valid from the date of publication.
1.5. Review
Unless otherwise required, this Policy is reviewed by relevant parties at least once a year. Where needed, the necessary updates are made and submitted to the Board of Directors for approval.
1.6. Violation
A violation is defined as any non-compliance with this Policy in the absence of an approved exception request. If a policy violation is identified, the matter must be immediately reported to the Compliance Department and the manager of the appropriate operating unit to evaluate the evidence of the violation and monitor the implementation of necessary corrective measures.
Depending on the type and severity of the violation, the Compliance Department will decide whether this violation will be escalated to higher management or the Board of Directors.
Failure to fulfill the requirements of this Policy may lead to disciplinary measures, including termination of the employee's employment contract, or to the termination of his/her relationship with DEMAŞ A.Ş. In addition, since violations may also mean violations within the framework of legal regulations, they may lead to legal sanctions for employees, managers and/or DEMAŞ A.Ş.

1.7. Roles and Responsibilities
It is ultimately the responsibility of the Board of Directors to conduct the entire compliance program adequately, effectively, and appropriately in terms of the scope and nature of the obligor's activities.
The Board of Directors has appointed DEMAŞ A.Ş. personnel at the administrative level, who are entrusted with the necessary authorities, to ensure compliance with the obligations imposed by the Law and the relevant Regulations within the scope of the Law, in accordance with the provisions of Law No. 5549 and Article 16 of the Compliance Regulation titled "Appointment of Compliance Officer and Assistant Compliance Officer".
In accordance with Article 16 of the said regulation, the Compliance Officer has been appointed by the Board of Directors as DEMAŞ A.Ş. Compliance Officer, pursuant to the provision of Article 6 of the regulation, to report to the Board of Directors, provided that the responsibilities of the Board of Directors are reserved. The assistant compliance officer has been appointed as a DEMAŞ A.Ş. personnel, to be affiliated with the DEMAŞ A.Ş. Compliance officer, in the same manner as the compliance officer.
In accordance with the provisions of Article 19 of the Compliance Regulation, the roles, authorities, and responsibilities of DEMAŞ A.Ş. Compliance Officer and Assistant Compliance Officer are as follows:
a) To conduct the necessary work and to conduct the Compliance Program to ensure DEMAŞ A.Ş.'s compliance with the Law and the relevant regulations issued within the scope of the Law,
b) To ensure the necessary communication and coordination with the Financial Crimes Investigation Board (MASAK),
c) To establish and develop DEMAŞ A.Ş. policies and procedures to prevent money laundering and, when necessary, to submit the policies to the approval of the Board of Directors,
d) To develop a compliance risk policy on money laundering and financing of terrorism and to conduct relevant risk management activities,
e) To develop transaction monitoring and control policies and to conduct relevant activities, when necessary,
f) To submit the work on training programs related to laundering of crime revenues and financing of terrorism to the approval of the Board of Directors and to ensure the effective implementation of the approved training program,
g) To evaluate the information and findings detected by conducting investigations within the limits of its authority and capabilities about possible suspicious transactions that have been reported to him/her or that he/she has learned ex officio, and to inform MASAK about transactions that it deems suspicious,
h) To take necessary measures to ensure the confidentiality of notifications and other related matters,
i) To regularly keep information and statistics regarding inspection and training activities and to submit them to MASAK within the periods specified in the Regulation,
j) To fulfill the obligation to provide information and documents to MASAK.
In case the compliance officer and assistant compliance officer leave their positions, the provisions of Article 20 of the Compliance Regulation, "Resignation of the compliance officer and assistant compliance officer", are taken into consideration.
1.7.1. Responsibilities of Board of Directors
The Board of Directors is responsible for ensuring that the Compliance Officer and Assistant Compliance Officer have the authority to make decisions with an independent will within the scope of the duties, powers and responsibilities stated above and the authority to request all kinds of information and documents related to its field of activity from all departments and units within DEMAŞ and to access them at any time. Article 5, paragraph 2 of the Compliance Regulation states that risk management, monitoring, and control activities within the scope of the compliance program will be conducted by the compliance officer under the supervision, control, and responsibility of the Board of Directors. Therefore, the Board of Directors is ultimately responsible for the adequate and effective implementation of the entire compliance program within the scope of the activities of the obligor.
The Board of Directors may delegate (explicitly and in writing) some or all of its powers within the scope of the second paragraph above to one or more board members resident in Turkey. The transfer of authority in question does not eliminate the responsibility of the Board of Directors in this regard.
1.7.2. Responsibilities of DEMAŞ A.Ş. Personnel
Successful implementation of DEMAŞ A.Ş. Compliance Policy requires awareness, understanding and active participation of all employees. Accordingly, all DEMAŞ A.Ş. employees are obliged to understand and comply with all the principles of compliance policies and procedures applicable to their areas of responsibility, in order to comply with all laws, rules and standards that will help meet the expectations of customers and authorities in terms of protecting the reputation of DEMAŞ A.Ş. and a fair and harmonious approach to customers.

2. COMPLIANCE RISK
Compliance risk is defined as “the possibility of financial or reputational damage that the obliged parties or obliged employees may suffer due to reasons such as the use of the services provided by the obliged parties for the purpose of laundering of crime revenues or financing of terrorism, or the obliged parties not fully complying with the obligations imposed by the Law and the regulations and communiqués issued pursuant to the Law” in subparagraph (f) of the paragraph 1 of Article 3 of the Compliance Regulation.
Compliance risk is an integral part of DEMAŞ A.Ş.'s overall risk. It is the risk that DEMAŞ A.Ş. may be exposed to if the relevant laws, regulations, sanctions, and embargo programs, including AML/TF prevention, and DEMAŞ A.Ş. Ethical Principles are not acted upon. The definition of "Compliance Risk" specified in the Compliance Regulation is interpreted as the risk of significant judicial and/or administrative sanctions, penalties, financial loss or loss of reputation that DEMAŞ A.Ş. may be exposed to due to violation of the following:
• Laws and other regulations enacted by legislative authorities,
• Decisions published by regulatory or supervisory authorities (BRSA, MASAK, etc.) and other administrative bodies,
• Court decisions,
• DEMAŞ A.Ş. Policies,
• Ethical principles and standards included in the DEMAŞ A.Ş. Code of Conduct and Business Ethics Regulation that DEMAŞ A.Ş. (legal entity) and DEMAŞ A.Ş. employees (real persons acting on behalf of the legal entity) must apply.
Compliance risk is also an integrity risk because DEMAŞ A.Ş.'s reputation is closely related to its commitment to the principles of honesty and fair dealing. To protect DEMAŞ A.Ş. from any damage or loss, compliance risk must be identified, evaluated, commented on, monitored, and reported to the relevant units in a timely manner.
3. COMPLIANCE PRINCIPLES
Employees at all levels are required to strictly comply with the following principles while performing their duties at DEMAŞ A.Ş.:
3.1. Compliance with Laws, Rules, and Regulations
While performing their duties, employees must comply with the laws, rules, and regulations regarding the activities of DEMAŞ A.Ş. (The main MASAK legislation and sub-regulations, including the legislation on combating AML/TF, are within this scope.)

3.2. Promoting Ethical Behavior and Engaging in Ethical Behavior
Employees at all levels are obliged to comply with DEMAŞ A.Ş.'s Code of Ethics and Rules of Professional Conduct, to act respectfully, honestly and in good faith, to fulfill the duties described in their job descriptions, to avoid abusing their powers, to use the information they can access properly, to avoid engaging in unethical/illegal activities that may harm the reputation of DEMAŞ A.Ş., to act with full transparency, and to report illegal actions/unethical behavior in accordance with applicable policies and procedures.
3.3. Avoiding Conflicts of Interest
Employees must ensure that third parties and their own special situations do not conflict with the interests of DEMAŞ A.Ş. and must act in the best interest of DEMAŞ A.Ş. Employees must not reveal internal DEMAŞ A.Ş. information, and DEMAŞ A.Ş. secret and confidentiality principles must be taken into consideration in works carried out on behalf of the customer, on their own behalf or on behalf of third parties, taking into account the principles of separation of duties.
3.4. Protection of Privacy
Employees must maintain the confidentiality of the information entrusted to them by DEMAŞ A.Ş. and its customers, even if they leave DEMAŞ A.Ş., except where permitted or deemed necessary by law. Maximum attention should be paid to Article 73 of Law No. 5411 titled "Keeping Secrets" and Personal Data Protection Law No. 6698.
3.5. Protection of DEMAŞ A.Ş. Assets
Employees must use DEMAŞ A.Ş. assets for legitimate business purposes.
3.6. Protection of Customer Benefits
Employees must provide service to DEMAŞ A.Ş. customers with care, honesty and fairness, and must strictly avoid manipulation or unfair treatment. In this regard, DEMAŞ A.Ş. will ensure that customers' complaints are carefully examined and processed in a timely manner, and that responses are documented according to clear written procedures.

3.7. Notification
Employees are encouraged to report any violations of DEMAŞ A.Ş. policy, ethical principles, professional rules, possible violations of applicable laws and regulations, as well as other inappropriate behavior. How and to whom notifications will be made is stated in detail in the DEMAŞ A.Ş. Ethical Principles.
Employees are protected against any harassment that may be committed by other employees as a result of reporting a violation in good faith.
3.8. Avoiding Disclosure
Disclosure is revealing that there is or will be an investigation in a way that jeopardizes any investigation. Details regarding confidentiality are included in the relevant sections of this document.
4. DEMAŞ A.Ş. COMPLIANCE MANAGEMENT STRUCTURE
Effective implementation of DEMAŞ A.Ş. Compliance Management is possible with the following components:
• Commitment of the Board of Directors and senior managers to implementation and supervision,
• An effective and accurately defined organizational structure and allocation of necessary personnel,
• Written policies and procedures and training process,
• Monitoring and control,
• Internal audit,
• Information and reporting to the Board of Directors and senior management,
• Communication and interaction with all relevant regulatory and supervisory authorities, such as BIST and MASAK.
Committees of which the general manager is a natural member are organized within DEMAŞ A.Ş. The purpose of the meeting, participating members, meeting frequency and similar information are determined by DEMAŞ A.Ş. according to the scope of the committee. The agenda consists of observations and follow-up procedures, including action plans for the issues.
The Audit Committee ensures the effectiveness and efficiency of DEMAŞ A.Ş.'s internal control, risk management and compliance program. It also ensures that the internal control systems operate in compliance with the law and other relevant regulations.

5. COMPLIANCE FUNCTION
Compliance with DEMAŞ A.Ş. policies and principles is the responsibility of every employee at DEMAŞ A.Ş. In addition, the Compliance Department has been established to ensure that compliance risk is effectively managed and to protect the reputation of DEMAŞ A.Ş. in terms of its shareholders, customers, employees, relevant regulators, and markets. The Compliance Department fulfills its responsibilities in monitoring and providing advice when necessary or requested and works in accordance with the written policies prepared while fulfilling these responsibilities.
The Compliance Department operates under the Board of Directors for an independent structure with sufficient resources, authority, and access to information to effectively fulfill its responsibilities.
Within the scope of DEMAŞ A.Ş. Compliance Policy, the activities of the Compliance Department include monitoring processes within the scope of Legislative Compliance and combating laundering of crime revenues and financing of terrorism, and consultancy and services within DEMAŞ A.Ş. through these processes. In addition to the laundering of crime revenues and financing of terrorism (AML) compliance program and activities, it advises all units on many issues that are compatible with the duties, powers and responsibilities determined by the Compliance Regulation, such as protecting the confidentiality of customer information, ethical principles and rules of conduct, determining policies, practices, activities and monitoring transactions, and determining faults, deficiencies and corrective action plans regarding them, and ensures their implementation and makes the necessary reporting and notifications. Issues regarding identified deficiencies and corrective action plans are reported and communicated to relevant parties and platforms. The Compliance Department also has a role in personnel training.
Details regarding the continuous learning program are included in the relevant sections of the document. Compliance Department personnel are obliged to comply with the confidentiality principles stipulated in the law and relevant regulations, especially the confidentiality of suspicious transaction reports made to MASAK and of internal suspicious activity/transaction reports submitted for evaluation by DEMAŞ A.Ş. employees, and to conduct their activities in accordance with these principles. Details regarding confidentiality are included in Section 8.2 – Suspicious Transaction Reporting.

6. AML/CFT POLICIES and LEGAL REGULATIONS
DEMAŞ A.Ş. employees are obliged to comply with the following:
• T.R. Legislation – regulations or recommended practices issued by the legislature and/or regulatory and supervisory authorities regarding AML and CFT
• Applicable international standards and best practices to the extent that they do not conflict with T.R. Legislation and the activities of DEMAŞ A.Ş.
• DEMAŞ A.Ş. Policies and Procedures
Accordingly, DEMAŞ A.Ş.'s AML/CFT Policies primarily include:
Laws
• Law No. 5549 on the Prevention of Laundering of Crime Revenues
• Law No. 6415 on the Prevention of Financing of Terrorism
• Law No. 7262 on Preventing the Financing of the Proliferation of Weapons of Mass Destruction
Regulations
• Law on Measures to Prevent Laundering of Crime Revenues and Financing of Terrorism Regulation
• Regulation on Compliance Program with Obligations Regarding the Prevention of Laundering of Crime Revenues and Financing of Terrorism
• Regulation on Procedures and Principles for the Implementation of the Law on the Prevention of Financing of Terrorism
• Regulation on Procedures and Principles Regarding the Implementation of the Law on Preventing the Financing of the Proliferation of Weapons of Mass Destruction
All compliance Policies established within the scope of combating laundering of crime revenues and financing of terrorism are part of DEMAŞ A.Ş. Compliance Policy and include the measures taken by DEMAŞ A.Ş.
The purpose of the policies is to determine the strategies, internal controls and measures, operational rules and responsibilities of DEMAŞ A.Ş. to comply with the obligations regarding the prevention of laundering of crime revenues and financing of terrorism, to evaluate customers, transactions and services with a risk-oriented approach and to raise awareness among DEMAŞ A.Ş. employees to reduce the risks they may be exposed to. DEMAŞ A.Ş. employees must perform their duties in compliance with AML/TF Policies and all other policies. All employees should aim to prevent DEMAŞ A.Ş. from being used for laundering of crime revenues and financing terrorism and should immediately report suspicious situations within the scope of such situations. DEMAŞ A.Ş. employees should not provide advice or assistance on any issue to individuals and institutions that act contrary to policies regarding the prevention of laundering of crime revenues and financing of terrorism and should not deliberately neglect/ignore such situations. No relationship should be entered into with persons or types of persons prohibited by DEMAŞ A.Ş. policies.
6.1. Legislation and Embargoes on Combating Laundering of Crime Revenues and Financing of Terrorism
Various laws and regulations have been published in Turkey on Laundering of Crime Revenues, Financing of Terrorism and Embargoes.
6.2. Information and Explanations Regarding Policies on Combating Laundering of Crime Revenues and Financing of Terrorism
DEMAŞ A.Ş. has published different policies and procedures to manage the risks related to the fight against laundering of crime revenues and financing of terrorism and to implement the Compliance Program in an effective, comprehensive, and detailed manner. While policies are the document that sets out the subject lines, the details are reflected in associated procedures, manuals, and workflows. Such policies and procedures are updated when necessary and then relevant employees are informed accordingly.
DEMAŞ A.Ş. Policies cover the internal measures and operating rules regarding the measures included in Chapter 3 of the Measures Regulation titled "Principles Regarding Customer Recognition".
Within the framework of the principle of "Know Your Customer", DEMAŞ A.Ş. takes the necessary measures on the following issues within the framework of the applicable legislation and DEMAŞ A.Ş. Policy and procedures:
• Making identification,
• Recognition of the real beneficiary,
• Providing sufficient information about the purpose and nature of the requested transaction,
• Monitoring the customer's status and transactions throughout the customer relationship,
• Taking necessary precautions for customers, activities and transactions that require special attention.

DEMAŞ A.Ş. requires identification and confirmation before establishing a business relationship or performing a transaction. The legislation on the Prevention of Laundering of Crime Revenues and Financing of Terrorism is taken as the basis for identification and confirmation. In cases where identification cannot be made or sufficient information cannot be obtained about the purpose of the business relationship, the business relationship is not established, and the requested transaction is not conducted. In this context, DEMAŞ A.Ş. does not open accounts or conduct transactions under anonymous or fictitious names. In addition, situations where identification cannot be made, or sufficient information cannot be obtained about the purpose of the business relationship, are also evaluated to determine whether they are suspicious transactions. To determine whether anyone is acting on someone else's account and the identity of the real beneficiary of the transaction, the necessary announcements are hung in its branches where customers can easily see them, to remind those who act on their own behalf or on someone else's account of their responsibilities. In addition, a written statement is taken from the customer regarding whether the customer is acting on someone else's behalf in establishing a permanent business relationship. Even if the person declares that he is not acting on someone else's behalf, if it is suspected that he is acting on his own behalf but on someone else’s account, DEMAŞ A.Ş. conducts a reasonable investigation to reveal the real beneficiary.
Within the scope of the Know Your Customer Policy, in addition to identification and confirmation with the procedures determined in accordance with local legislation, the names of the customer or the persons associated with the account are checked through lists provided by reputable commercial organizations to identify sanctioned persons, companies, countries and politically influential persons. According to the control result, account opening and/or tightened measures are evaluated.
In terms of the principles regarding the recognition of the customer within the scope of permanent business relationship, information is provided on the customers' business, profession, commercial activities, main customers or suppliers, sources of income and assets, purpose of opening and using the account and similar issues. This information is used for the purpose of making a risk assessment about the customer in terms of laundering of crime revenues and financing of terrorism.
At the customer acceptance stage and throughout the customer relationship, a risk assessment is made for customers in terms of laundering of crime revenues and financing of terrorism, and customers are evaluated as "Low", "Medium" or "High". Within the framework of the risk-oriented approach, tightened measures are implemented for customers considered to be high risk, such as seeking the approval of the senior official, reviewing the customer profile more frequently, detailed customer due diligence and obtaining information about the source of the assets or funds belonging to the customer.
Situations such as the customer being politically influential or being a relative of a politically influential person, having a high-risk geographical connection, operating in cash-intensive or high-cash producing business lines, the establishment of a permanent business relationship being initiated by a deputy authorized by proxy, being a non-profit, non-governmental organization such as an association or foundation, or establishing a relationship between the correspondent and DEMAŞ A.Ş. are some of the criteria that require the customer to be considered high risk in terms of DEMAŞ A.Ş.
Following the customer's acceptance, customer information is periodically reviewed within the framework of a risk-oriented approach so that information, documents, and records reflect subsequent changes and remain up to date and valid.
Persons and organizations that will not be accepted as customers by DEMAŞ A.Ş. are determined as follows:
• Parties on sanctions lists (e.g., OFAC, EU, UN, or local authorities),
• Parties whose real identity is unknown or whose address is fictitious and whose identity cannot be identified and confirmed within the framework required by the legislation,
• Parties interested in the production and trade of firearms other than licensed weapons,
• Parties that are not cooperative in providing information such as tax status, tax residence, tax number, etc.,
• Casinos,
• Foreign Exchange Offices,
• Parties who do not have permission to collect aid from official authorities but want to open an account for the purpose of collecting aid,
• Sign companies and shell companies,
• Companies doing business with virtual currencies,
• Offshore institutions,
• Personal accounts used for business purposes,
• Payment institutions,
• Transferred Correspondent Accounts and Nested accounts.
To take the necessary precautions within the framework of monitoring and control activities at DEMAŞ A.Ş., monitoring and control activities are conducted by making systematic arrangements (creating scenarios) and considering the following issues as high risk, and an evaluation is made as to whether there are any suspicious transactions. A suspicious transaction report is made for cases that are deemed to be suspicious transactions. In this context, the following activities are conducted:
• Monitoring and control of transactions conducted with risky countries,
• Monitoring and control of complex and unusual transactions, including non-face-to-face transactions,
• Monitoring and control of customers and transactions in high-risk groups,
• Monitoring and control of transactions with scenarios, by determining limits on the amount and number of transactions, to monitor transactions that are not suitable for the financial profile and activities of the customer or are unrelated to their activities,
• Monitoring and control of whether the transaction conducted by the customer is compatible with the information regarding the customer's business, risk profile and funding sources,
• Monitoring whether financial transactions that should be done collectively in usual practices are conducted in pieces,
• Independent customers providing the same address, telephone number and similar contact information,
• Monitoring and control of third parties subject to cash transactions through lists (such as KYC 2020 or World Check) that are important for the Prevention of Laundering of Crime Revenues and Financing of Terrorism.
For the risk-oriented control of services that may become open to abuse due to newly offered products and technological developments, the principles and processes regarding the design and implementation of a new product or service have been determined by DEMAŞ A.Ş. and are subject to certain approvals.
6.2.1. Know Your Customer Policy (KYC Policy)
DEMAŞ A.Ş. Know Your Customer Policy and related procedures or guides include the information that needs to be received and verified for the processes of establishing a business relationship, the controls that need to be made, the forms that need to be filled and the principles for the approvals that need to be obtained.
6.2.2. Laundering of Crime Revenues / Financing of Terrorism Transaction Monitoring and Investigations Policy
DEMAŞ A.Ş. Laundering of Crime Revenues Transaction Monitoring and Investigation Policy and related guides or procedures define the transaction monitoring and investigation principles and methodology adopted by DEMAŞ A.Ş.

6.2.3. Prevention of Laundering of Crime Revenues (AML) and Financing of Terrorism (CFT) Risk Policy
AML and CFT Risk Policy and related procedures or guides explain the risk assessment process and the appropriate measures required to manage and reduce the identified risks and specify the risk-based approach applied by DEMAŞ A.Ş.
6.3. Retention of Records
According to Turkish legislation on laundering of crime revenues and terrorist financing, all information, documents, and records received from customers must be protected to allow easy access when necessary. To make such information, documents, and records easily accessible, they must be suitably preserved electronically to enable the retrieval of transactions and to provide evidence in the prosecution of criminal acts.
Article 8 of the Law and Article 46 of the Measures Regulation require an 8-year protection and application period for information, documents, and records within the scope of regulations and measures regarding the prevention of laundering of crime revenues and financing of terrorism. DEMAŞ A.Ş. discloses all requested documents and information to its auditors and other regulatory bodies upon request, in accordance with legal and regulatory requirements.
7. RISK MANAGEMENT
7.1. Compliance Risk Management
The risk management activities carried out within the framework of DEMAŞ A.Ş. Compliance Policy and all other policies and procedures regarding the prevention of laundering of crime revenues and financing of terrorism include business relationships with all its customers, which are defined as "continuous business relationships" in the Measures Regulation, and which have an element of continuity in nature. DEMAŞ A.Ş. does not provide services to individuals or organizations that are not its customers, in other words, with which it does not have a "permanent business relationship".
In accordance with the provisions of the Compliance Regulation, the purpose of the risk management policy within the scope of DEMAŞ A.Ş. Compliance Policy is to identify, rate, monitor, evaluate and reduce the risks that DEMAŞ A.Ş. may be exposed to. Care has been taken to create it in compliance with DEMAŞ A.Ş. AML/TF Risk Management Activities.
In this context, risk management activities include at least the following:

1. Developing methods for defining, rating, classifying, and evaluating customer risk, service risk and country risk,
2. Rating and classifying services, transactions, and customers according to risks,
3. Monitoring and controlling risky customers, transactions, or services, reporting them to the relevant departments, taking the necessary measures to reduce risks, developing appropriate operating and control rules to ensure that such transactions are conducted and audited when necessary, following the approval of the higher authority,
4. Following national regulations and recommendations, principles, standards, and guides prepared by international organizations,
5. Regular reporting of risk monitoring and evaluation processes to the Board of Directors through senior committees and creation and follow-up of action plans to eliminate malfunctions,
6. Questioning the consistency and effectiveness of risk identification and assessment methods, risk rating and classification methods retrospectively, based on actual transactions.
7.2. DEMAŞ A.Ş. Compliance Risk Management
Effective management of compliance risk is the personal responsibility of all DEMAŞ A.Ş. employees and is based on the following principles:
• Supervision of the Board of Directors and Senior Management on this issue,
• A well-defined organizational structure and personnel employment,
• Documented Policies and Procedures and full compliance of employees with these policies and procedures,
• Monitoring and control activities,
• Statistics and reporting activities,
• Training,
• Cooperation and solidarity with internal control and other control units that undertake the internal audit function.
A triple main line of defense approach has been adopted at DEMAŞ A.Ş. for compliance risk management. Accordingly:
• Department Managers are primarily responsible for effectively managing compliance risk,
• Under Internal Systems; Internal Control Center and Compliance Department, and other Head Office Support Departments, such as Legal counsel,
• Board of Directors and Independent Audit.
Information about the management of compliance risks that DEMAŞ A.Ş. may be exposed to is regularly conveyed to the Board of Directors through the compliance department.
In this direction, DEMAŞ A.Ş. Senior Management is responsible for monitoring compliance risks, creating an organizational structure that will ensure effective implementation, creating a healthy internal control environment and infrastructure, including compliance with ethical principles and rules of conduct, monitoring any disruptions, deficiencies, errors and abuses that may occur in the program covering DEMAŞ A.Ş. employees at all levels, ensuring regular information flow regarding such malfunctions and evaluating the necessary reports.
As noted above, Department Managers who report to Senior Management are primarily responsible for managing compliance risk. To achieve this the following is required:
• Establishing a "compliance culture" in which each employee is aware of their personal responsibilities, including notifying senior management of situations that are against or may arise against the DEMAŞ A.Ş. Compliance Policy/Compliance Program,
• Ensuring that sufficient resources are allocated for compliance risk management,
• Ensuring effective controls and their compliance with compliance risk management objectives,
• Supporting the independence of the Compliance Department: fostering the perception among all employees that the Compliance Department has a function independent of all business units and responsibilities, especially sales, marketing and audit-related activities and all units where revenue-generating activities are conducted.
Business line and/or department managers should clearly share with their employees the expectations of senior management regarding the management of compliance risk and the importance of reporting Compliance Program violations or situations that may lead to Compliance Program violations to senior management.
For this, managers should make announcements or inform the personnel through training on the following issues at least once a year:
• All employees are obliged to fully comply with ethical principles, regulations, policies, and procedures.
• Compliance with laws and other regulations is the personal responsibility of all employees. Therefore, every employee is obliged to know all the regulations, policies and procedures required by their job description and duties. Not knowing the relevant regulations, policies and procedures and not implementing them for the said reason will not be accepted as an excuse and employees are expected to seek assistance from the Compliance Department on any matter they do not know. Failure to comply with the law may lead to judicial and/or administrative sanctions up to imprisonment and disciplinary penalties within the scope of DEMAŞ A.Ş. Disciplinary Procedure. All managers who are responsible for conducting the annual performance evaluation process for their employees should pay attention to this issue and manage this process by taking into account the successes and failures related to compliance risk management.
DEMAŞ A.Ş. Compliance Officer is responsible for the management of compliance risks that may arise during the operations and activities of DEMAŞ A.Ş. and is the manager of the Compliance Department in this context. Working under the MASAK Compliance Officer, Compliance Department personnel ensure that policies are implemented completely and accurately, monitoring and control processes for customers and transactions are conducted, as well as investigations into suspicious transactions. For this purpose, the Compliance Department uses methods such as monitoring, control, auditing, reporting, etc. and works in cooperation and coordination with the Board of Directors and the Internal Control Department.
To determine the laundering of crime revenues and financing of terrorism risks that DEMAŞ A.Ş. may be exposed to, a triple evaluation method consisting of Customer Risk, Product Risk and Country/Geography Risk is used.
7.2.1. Customer Risk
Know Your Customer (KYC) is the first line of defense and is the primary program implemented to prevent DEMAŞ A.Ş. from being used as an intermediary for laundering of crime revenues and financing of terrorism and to prevent such transactions from occurring. Principles Regarding Know Your Customer are based on three main principles:
1. An operation unit officer is assigned at DEMAŞ A.Ş. for each customer relationship, who will be responsible for getting to know the relevant customer during and after the establishment of a permanent customer relationship.
2. Customer information is recorded in certain forms in accordance with the procedures and principles to be applied to the relevant business unit and is stored for the period specified in the Protection of Records section.
3. Customer information is reviewed in accordance with relevant procedures.
The Know Your Customer program includes the following:

• Identity determination and confirmation.
• Collecting general information about the customer.
• Performing risk rating (based on the customer’s profession, country of residence and other relevant indicators).
• DEMAŞ A.Ş. does not provide any products or services to customers whose identities cannot be verified, and a business relationship is not established or maintained with customers who do not provide the necessary information.
• Customer transactions/accounts are monitored within the framework of the rules determined by DEMAŞ A.Ş.
Examples of sectors and professional groups that are considered high risk or prohibited are included in the Prevention of Laundering of Crime Revenues (AML) and Financing of Terrorism (CFT) Risk Policy.
7.2.2. Product Risk
Product and service groups that have a characteristically higher risk of laundering and financing of terrorism:
• Products that support high transaction volumes,
• Cross-border transactions,
• Frequent transactions,
• Products such as cash or precious metals that provide physical transferability.
7.2.3. Country/Geography Risk
DEMAŞ A.Ş. has created its own country/geography risk table according to the Risk Based Approach. This table also includes banned countries.
8. MONITORING AND CONTROL ACTIVITIES
DEMAŞ A.Ş. conducts monitoring and control activities with a "Risk-oriented approach" to ensure the correct and effective implementation of the Compliance Program. The purpose of monitoring and control activities is to protect DEMAŞ A.Ş. from risks related to laundering of crime revenues and financing of terrorism. While monitoring activities are conducted by the Compliance Department, the triple line of defense model specified in the "7.2 DEMAŞ A.Ş. Compliance Risk Management" section has been adopted regarding controls. DEMAŞ A.Ş. implements its monitoring and control activities in accordance with Articles 14 and 15 of the Compliance Regulation.

Transactions are monitored by Compliance Department personnel. To detect unusual transactions, all customer-initiated transactions that are above the specified thresholds are examined and reviewed according to the customer profile, through the automatic transaction monitoring tool, which contains complex and detailed scenarios fed by typologies.
As a result of the review by the Compliance Department personnel, it is evaluated whether the transaction is compatible with the customer profile. Depending on the results of the evaluation, filing a Suspicious Transaction Report is considered.
8.1. Suspicious Transaction Reporting
Details regarding Suspicious Transaction Reporting are included in the relevant regulations. In addition, suspicious transaction indicators regarding laundering of crime revenues and financing of terrorism are also included in the MASAK Suspicious Transaction Reporting Guide. These directives assist the parties responsible for reporting transactions and incidents related to laundering of crime revenues and financing of terrorism to MASAK.
In accordance with the provisions of the law, in case of suspicion or existence of any information that assets subject to transactions conducted or attempted to be conducted through DEMAŞ A.Ş. have been obtained through illegal means, DEMAŞ A.Ş. is obliged to report these transactions to MASAK through the Compliance Officer.
Any suspicious transactions detected by DEMAŞ A.Ş. employees during the performance of works, transactions or activities and transactions detected during monitoring and control activities are immediately reported to the Compliance Officer in line with the relevant procedures/workflows.
The Compliance Officer is responsible for evaluating the information and findings and reporting suspicious transactions to MASAK.
8.2. Confidentiality of Suspicious Transactions
DEMAŞ A.Ş. cannot provide information to anyone, including the parties to the transaction, that a suspicious transaction report has been made or will be made, other than the information given to the audit personnel assigned to audit the liability and to the courts during the trial.
This obligation covers the persons or Institutions reporting suspicious transactions, or the members of these persons who conduct and manage the transaction de facto, or their legal representatives and proxies, as well as other personnel who are aware in any way that a suspicious transaction report has been made.

The regulation also states that legal entities, compliance officers, legal representatives of obligatory parties, their managers and personnel who fulfill the obligation to report suspicious transactions have no legal or criminal liability.
9. CONTINUOUS LEARNING PROGRAM – TRAINING POLICY
9.1. Training of Employees
Compliance Training activities are coordinated by the Compliance Department under the supervision of the Compliance Officer. DEMAŞ A.Ş. training activities are conducted within the annual training program, including the operation and subjects specified in Articles 22 and 23 of the Compliance Regulation.
All employees regularly receive adequate and up-to-date training in accordance with business standards and job descriptions, including laws, regulations, rules, and professional standards, laundering of crime revenues and financing of terrorism and codes of conduct and business ethics charter.
In addition, special training is coordinated if needed according to business line and expertise. All legislative updates are also distributed to relevant employees through notifications and announcements.

9.2. Compliance Department Personnel Training
Training for Compliance Department employees is conducted by the Compliance Officer. In addition, DEMAŞ A.Ş. Compliance Department supports its employees to participate in training activities and international certification programs on preventing laundering of crime revenues and financing of terrorism.
9.3. Training Records
Data regarding participation and completion of training on prevention of laundering of crime revenues and financing of terrorism are kept confidential. Training statistics are submitted to MASAK in the first quarter of each year.

10. INDEPENDENT AUDIT
In addition to the self-checks carried out by each unit and the evaluations made by the Compliance Department, evaluation of the quality and suitability of the relevant processes, the evaluation of whether the methodology adopted by the Compliance Department ensures compliance with the law and relevant regulations, the detectability of violations, the transfer of findings to senior management and the management of corrective actions when necessary are among the responsibilities of the Board of Directors.
The Board of Directors conducts its audits for the adequate and efficient implementation of this program through the Compliance Department audits and audits in other departments. While determining the scope of the audit regarding the compliance program, it is ensured that the defects and risky customers, services and transactions identified in the monitoring and control activities are included in the audit scope.
Findings determined by the Board of Directors are monitored with corrective action plans and reasonable target dates. Significant deficiencies, errors or abuses detected as a result of the internal audit, as well as opinions and suggestions to prevent their reoccurrence, are reported to the board of directors.

COMPLIANCE PROGRAM

In its relationships with stakeholders, DEMAŞ A.Ş. adheres to principles of transparency, fairness, and accountability. It complies with relevant laws and contracts while operating within ethical principles. A comprehensive "Compliance Project" is implemented to meet the expectations of diverse business areas and local and international stakeholders.

Based on the project results and a review of global best practices, relevant policies have been revised, and with the approval of the Board of Directors, a Compliance Program has been initiated. This program employs a risk-based approach to identify and address compliance issues, consisting of rules, policies, and procedures. It encourages a corporate culture of compliance, facilitated by support from top management and activities carried out by the Compliance Department. The program encompasses internationally recognized standards and includes all employees, focusing on prevention, detection, and response as its core elements.

The compliance program establishes a comprehensive framework for stakeholders and employees by creating corporate policies and procedures, conducting risk management activities, monitoring and control measures, and performing internal audits in the fight against money laundering and the financing of terrorism.

LEGAL COMPLIANCE

RISK MANAGEMENT

With regard to the offences of money laundering and the financing of terrorism, the risks that may be encountered are identified, categorized and monitored, and appropriate measures are taken to reduce them.

MONITORING AND CONTROL

The purpose of monitoring and control is to safeguard the company against risks and ensure continuous compliance with laws, regulations, and company policies and procedures across all business activities.

INTERNAL AUDIT

The objective of internal audit is to provide assurance to the Board of Directors regarding the effectiveness and adequacy of DEMAŞ A.Ş.'s entire Compliance Program. Internal audit evaluates whether the company's corporate policies and procedures, risk management practices, monitoring and control activities, and training are adequate and effective. Additionally, internal audit ensures that the adequacy and effectiveness of the risk management policy are reviewed and tested annually using a risk-based approach, independent of compliance with legal requirements and regulations.

TRAINING

DEMAŞ A.Ş. aims to prevent money laundering and terrorism financing and ensure compliance with legal requirements and regulations. The company fosters a corporate culture by creating awareness among employees regarding its policies and procedures and adopts a risk-based approach in knowledge updates.