Business Continuity Management

November 26, 2025

Index

  1. Introduction and Objectives

  2. Scope and Coverage

  3. Terms and Definitions

  4. Guidelines

    4.1. Crisis Committee
    4.2. Responsibilities
    4.3. Document Retention

  5. Regulatory References

  6. Publication and Distribution of Policies


1. Introduction and Objectives


This policy defines procedures to ensure that EBANX:

  • Complies with regulations, legislation, and well-established market practices;

  • Aligns with the business objectives and strategy of the organization;

  • Ensures that all EBANX employees and any other parties acting on behalf of EBANX are aware of their responsibilities regarding recovery and business continuity strategies;

  • Establishes appropriate procedures for business continuity to mitigate risks associated with unplanned service interruptions;

  • Demonstrates agility in evaluating and preventing economic and regulatory impacts on its products and services across the various countries in which it operates;

  • Avoids/reduces damage caused by unexpected events that may interrupt the provision of services to our clients;

  • Protects EBANX operations against breaches of confidentiality, integrity, and availability;

  • Defines, establishes, and maintains effective, sustainable, and measurable business continuity controls.

To achieve this, it is essential to maintain processes that align with well-established market practices, such as ISO 22301, ISO 27001, and BACEN Resolution 4557. This will also ensure the integrity of EBANX operations and strengthen our reliability and the trust of our stakeholders.


2. Scope and Coverage


Each business area must maintain an updated Business Continuity Plan considering risks to business requirements, impact analysis, and resources, resulting in the definition of a Business Continuity Strategy.

This policy is applicable to all EBANX companies and considers the Risk Appetite defined in the EBANX Global Risk Management Policy, focusing on processes with medium, high, and very high BIA impacts. In this case, the Business Continuity Management Policy of the company providing coworking services must be followed.


3. Terms and Definitions

  • Asset Sustainability Analysis (ASA): Determine the assets (infrastructure and systems) that support critical business processes related to the BIA;

  • Vendor Evaluation: Identify how well suppliers adhere to Business Continuity requirements defined by the Legal, Risk & Compliance department in conjunction with the Risk Management team, focusing on service unavailability from critical suppliers;

  • Internal Demand Evaluation: Evaluate new products, services, processes, projects, and changes, as well as significant alterations to existing products and services and restructuring of environments in the context of Business Continuity;

  • Business Continuity Plan (BCP): A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue providing its critical services at a predefined acceptable level;

  • Business Impact Analysis (BIA): The process used to assess the criticality and impact of services and processes carried out by areas in case of an unexpected interruption, as well as identifying the ideal recovery time;

  • Business Continuity Management (BCM): A process that identifies potential threats to an organization and the impacts these threats may cause to business operations if realized, and provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interests of key stakeholders, reputation, brand, and value-creating activities;

  • BCM Lifecycle: Refers to a series of business continuity activities that collectively cover all aspects and phases of the BCM program, such as completion/update of BIA documents, BCP, Awareness, and Exercises, which are performed annually;

  • Disaster Recovery Plan (DRP): A business continuity plan in case of a disaster that compromises part or all of the company's resources, including IT equipment, data records, and the physical space of an organization. IT Operations & Security is the area responsible at EBANX for developing, testing, and activating the plan when necessary, and reporting results to the Risk Management governance;

  • Risk and Control Assessment (RCA): A continuous process aimed at mapping key business processes, identifying, evaluating, and monitoring associated risks and controls, identifying risk exposures, and determining corrective actions. RCA updates are conducted annually by the Internal Controls and Information Security teams with support from leadership and the ebankers responsible for process execution;

  • Recovery Time Objective (RTO): The maximum acceptable amount of time a process can be unavailable;

  • Recovery Point Objective (RPO): Considers systems and backup needs (real-time, intraday, last backup, or not necessary) based on how processes can be performed if everything is lost;

  • Training: Trainings occur annually to promote the culture and concept of business continuity, conducted online through workshops, live broadcasts, and e-learning. It is recommended that all SPOCs (Single Points of Contact) participate in mandatory training within the deadline set by EBANX.

4. Guidelines


Business Continuity should be an activity owned by the areas, as only the area responsible for its processes can accurately determine its priorities and level of internal and external involvement. C-Level executives and all other leadership levels must be involved in Business Continuity Management for their respective areas and be aware of business continuity issues within their structure.

In addition to existing operations or processes, Business Continuity must consider systems and their relevant information and conduct a realistic and reliable business impact analysis. This information will guide the IT Operations & Security team in constructing the scope of the IT Disaster Recovery Plan (DRP) by sharing data from the Business Impact Analysis (BIA) regarding critical processes versus systems to ensure that all critical systems are covered by the DRP.

The Risk Management team, in conjunction with Facilities, IT Corporate, and IT GRC teams, must be involved in all decisions related to risk concentrated in EBANX offices.

In the event of a crisis threat, the Risk Management area must be notified to analyze the possible impact on EBANX. All available information should be brought to the attention of one or more members of the Crisis Committee for activation. Meetings may take place in person at any of the EBANX units where committee members are present or remotely using available tools.

Active engagement by the Risk Management team is necessary to train all ebankers and Leaders so that they are prepared to act on risk prevention in their areas. Leaders should actively take on their role, being responsible for monitoring the activation of the Call Tree and other exercises, as well as informing the Risk Management area of any incidents related to risks.

The BCM Lifecycle involves the annual review of the Business Impact Analysis (BIA) based on the results of the Risk and Control Assessment (RCA) mapping, Business Continuity Plan (BCP), and BCM Training and Exercises conducted for all EBANX business areas.

To measure compliance with the objective of this policy, EBANX will verify annually whether all areas comply with the formally established Business Continuity Plan. The Risk Management team in the Global Risk & Compliance area is responsible for defining the method used to measure compliance with this policy, which will be applied at least once a year.

The Risk Management team must inform leadership of the BCM Lifecycle results, including action plans resulting from the need to improve contingency strategies.


4.1. Crisis Committee


As part of BCM, it is crucial to ensure that EBANX has an appropriate business continuity governance structure to handle any current or emerging risks. This structure should be prepared to respond to various types of unexpected events.

The Crisis Committee is an interdisciplinary committee under the responsibility of GR&C that is in place at EBANX headquarters and is composed of leaders from different areas (D and SM Levels). Other people may be invited to participate if there is a need for specific knowledge for that situation.

The main objective of this committee is to address the broader strategic implications, including concentration risk issues. In a crisis scenario, this group is also responsible for making decisions regarding prioritization, resource allocation, delivery, and implementation of critical EBANX processes.


4.2. Responsibilities


Business Areas or Business Support:

✓ Provide relevant business information to support the analysis of critical process availability needs;

✓ Communicate significant changes in processes for the evaluation of the BCMS area and update BIAs and Business Continuity Plans (BCPs) as necessary;

✓ Contribute and participate in BCP and DRP testing and simulations.

Risk & Compliance Department:

✓ Supervise business continuity activities, suggest strategies, support the formalization of regulatory instruments related to business continuity, encourage employee awareness, and supervise the implementation of continuity plans and contingency tests.

Managers and Senior Managers:

✓ Ensure effective communication with teams about the importance of business continuity and promote the necessary engagement for the success of initiatives;

✓ Actively participate, when necessary, in business continuity tests and simulations to better understand risks and planned responses;

✓ Monitor business continuity initiative performance, ensuring plans align with company strategic goals;

✓ Support audits or internal and external reviews related to business continuity, ensuring transparency and compliance with standards;

✓ Promote an organizational culture that values business continuity as an integral part of risk management.

SPOCs (Single Points of Contact):

✓ Centralize and share business continuity-related issues within their areas, and monitor the review and maintenance of Plans and BIAs;

✓ Ensure all critical processes in their area are included in the Business Continuity Plan;

✓ Participate in trainings, workshops, live broadcasts, and e-learnings related to business continuity topics;

✓ Support the dissemination of the business continuity culture.

Governance, Risk, and Internal Controls Area:

✓ Present the BCP to business area managers;

✓ Apply the BIA and ASA to processes indicated by managers;

✓ Ensure that existing or new services guarantee business continuity and BIA for services;

✓ Monitor and evaluate the implementation of business continuity strategies;

✓ Develop and review policies, standards, procedures, and methodologies related to business continuity;

✓ Create, consolidate, and disseminate corporate BIA and ASA, and share necessary data for document preparation;

✓ Address regulatory bodies, internal and external audits, and institutional clients' requests regarding EBANX's business continuity;

✓ Coordinate BCP exercises to validate plans;

✓ Prepare and report the results of BCP tests and simulations to management;

✓ Participate in the Crisis Committee activation, responsible for monitoring, evaluating the situation, and activating the Business Continuity Plan;

✓ Analyze and suggest adjustments to the current policy as per EBANX's internal standards and as necessary.


4.3. Document Retention

All BCM-related documentation can be stored for at least 5 years, following general audit rules and best practices.

Documents to be retained include:

  • Business Continuity Plans (BCPs);

  • Business Impact Analyses (BIAs);

  • Continuity test and exercise reports;

  • Training records.

After this period, documents may be safely discarded, preferably under BCM team supervision, to ensure legal requirements are met. It is recommended to periodically review the retention rule to maintain compliance with industry standards and best practices.


5. Regulatory References


  • ID 319 - EBANX Global Risk Management Policy

  • ISO 22301:2019 - ISO Link

  • ISO 27001:2022 - ISO Link

  • BACEN Resolution 4557 - Link to Resolution


6. Publication and Distribution of Policies


This policy and its supporting policies, whether new or a revised version of an existing document, must be reviewed by the Global Risk & Compliance team.

Any new policies or modifications to existing documents must be made available to all stakeholders at EBANX.

Policies are available for ebankers on OneTrust, in the section “Policies”.

Public documents can be found on EBANX's websites.