TÜPRAŞ-TÜRKİYE PETROL RAFİNERİLERİ A.Ş.

Regulatory Filings • Apr 26, 2024

Türkiye Petrol Rafinerileri A.Ş.

Policy on Prevention of Laundering the Proceeds of Crime, Financing of Terrorism and Weapons of Mass Destruction

("AML-CFT Policy")

1.	PURPOSE AND SCOPE	3
2.	DEFINITIONS	3
3.	GENERAL PRINCIPLES 4
4.	APPLICATION OF THE POLICY	5
5.	AUTHORITY AND RESPONSIBILITIES	7
6.	REVISION HISTORY	7

1. PURPOSE AND SCOPE

The purpose of this Policy on Prevention of Laundering the Proceeds of Crime, Financing of Terrorism and Weapons of Mass Destruction ("the Policy") is to establish principles and rules to be implemented within Tüpraş as a reflection of Tüpraş's commitment to prevent money laundering and the financing of terrorism.

All employees, directors and officers of Tüpraş shall comply with this Policy, which is an integral part of the Koç Group Code of Ethics and Tüpraş Code of Ethics. Tüpraş also expects and takes necessary steps to ensure that all its Business Partners - to the extent applicable comply with and/or act in accordance with this Policy.

2. DEFINITIONS

"Business Partner" includes suppliers, customers, contractors, and other third parties with whom the company has a business relationship and all kinds of representatives, subcontractors, consultants, etc. acting on behalf of the company, as well as their employees and representatives.

"Criminal Proceeds" refers to the value of assets derived from a crime.

"FATF (Financial Action Task Force)" is an international organization established in 1989 to develop policies and standards to combat a range of crimes, including the prevention of money laundering, human and drug trafficking, terrorism, and the financing the weapons of mass destruction.

"Financing of terrorism" refers to activities that provide financial support to terrorist individuals, groups, organizations, or supporters.

"Government/Public Official" broadly refers to a variety of individuals including but not limited to the following:

• Employees working at government bodies domestically or in a foreign country,
• Employees of government business enterprises (domestic or in a foreign country),
• Employees of political parties, political candidates, (domestic or in a foreign country),
• Any person who holds a legislative, administrative, or judicial position, (domestic or in a foreign country),
• Judges, jury members, or other officials who work at domestic, foreign, or international courts,
• Officials or representatives working at national or international parliaments,
• Arbitrators resorted to, who have been entrusted with a task within the arbitration procedure, to resolve a legal dispute.

"Koç Group" means Koç Holding A.Ş., companies which are controlled directly or indirectly, jointly, or individually by Koç Holding A.Ş. and the joint venture companies listed in its latest consolidated financial report.

"Tüpraş" means Tüpraş, companies which are controlled directly or indirectly, jointly, or individually by Tüpraş and the joint venture companies listed in its latest consolidated financial report.

"Money Laundering" is the process of integrating the proceeds of illegal activities into the financial system as if they had been obtained legally, and concealing the fact that these proceeds were derived from illegal activities.

"Politically Exposed Person ("PEP")"1 refers to individuals who are currently or in the past, either domestically or in a foreign country, elected or appointed to an important public function; board members, senior executives and deputy executives of international organisations and other persons holding equivalent positions; senior politicians; senior officials of political parties; senior judicial, administrative or military officials; senior executives of state-owned enterprises; and the spouses, first-degree relatives (mother, father and children) and relatives of all such persons.

"Ultimate Beneficial Owner ("UBO")" refers to the natural person(s) who ultimately controls or has ultimate influence over a legal entity or an unincorporated entity.

"Weapons of Mass Destruction" refers to nuclear, chemical and biological weapons and ballistic missile programs as defined by the United Nations Security Council Resolutions.

3. GENERAL PRINCIPLES

Tüpraş implements the relevant legislation in all its operations to manage the risks it may be exposed to regarding money laundering, terrorism and the financing of the weapons of mass destruction ("AML-CFT")2 , benefiting from the studies and guidance provided by leading international organizations in this field.

It is strictly prohibited for any employee to be directly or indirectly involved in any activity that facilitates money laundering, the financing of terrorism and Weapons of Mass Destruction, to participate in any transaction that may conceal its illicit nature, or to support, be a party to, or actively participate in any such activity.

In this context, in all transactions that Tüpraş is a party;

• Necessary measures should be taken to effectively manage the risks associated with AML-CFT,
• Due Diligence and, where appropriate, Enhanced Due Diligence3 ("EDD") should be conducted on a regular basis in accordance with legal requirements to identify Business Partners and customers,
• If unusual and suspicious activities are detected, the transaction should be investigated in detail, stopped immediately if necessary and the legal authorities should be informed.4

¹ https://www.fatf-gafi.org/documents/documents/peps-r12-r22.html

² AML-CFT: "Anti-Money Laundering / Countering the Financing of Terrorism"

³ For details, please refer to Koç Group Supply Chain Compliance Policy and Koç Group Sanctions and Export Controls Policy.

⁴ Legal authorities shall be informed by a lawyer appointed by the Chief Legal and Compliance Office or by an external lawyer.

4. APPLICATION OF THE POLICY

4.1. Know Your Business Partner 5

Prior to establishing an ongoing business relationship with a Business Partner, and periodically throughout the established business relationship, or even for one-time transactions of significant size depending on the company's activities and financial structure, the business units are responsible for conducting Due Diligence using a screening tool by taking all necessary commitments in accordance with all the legislation on the protection of personal data in force in the countries where Tüpraş operates. In order to ensure the effective implementation of this study, the following points shall be considered: 6

• The tax office and numbers of Business Partners, as well as the valid identity and address information of their authorized representatives and (if applicable) shareholders, are determined. The information obtained must be verified, if necessary, within the framework of the relevant legislation or if there are doubts as to its reliability and validity. In addition, the identification of the Ultimate Beneficial Owners (UBO) is carried out in accordance with the legislation. Detailed information is obtained about the profession, industry, source of income, duration of operation in that business line, and commercial history.
• Information is obtained on the nature and level of activity of existing and potential business relationships with Tüpraş.
• Information is obtained on the countries and regions in which the declared business is carried out7
• When establishing and maintaining a business relationship, a screening tool is used to regularly check national/international sanctions lists and negative media reports to determine whether the Business Partner8 or UBO has been involved in financial or other serious crimes, as well as any potential risks related to sanctions and export control regulations.9
• Internet, media screening and other databases are used to confirm whether the Business Partner10 or UBO is a public official or a PEP.
• All information, documents, and records obtained are periodically updated and retained for a minimum of 8 years from the date of the last transaction.

If, as a result of the due diligence, taking into account all information received, a negative finding, a reasonable suspicion or a possible violation of this Policy or the law is identified, the Chief Legal and Compliance Office must be informed immediately. The Chief Legal and

⁵ All identity verification procedures set out in this policy also apply to customers with whom a permanent business relationship is established.

⁶ The primary responsibility for the listed processes belongs to the Business Units.

⁷ Business units are required to pay particular attention to business relationships and transactions with natural and legal persons, unincorporated entities and citizens of countries at risk, and to gather and record information, to the extent possible, on the purpose and nature of transactions that do not have a reasonable legal and economic purpose.

⁸ If the counterparty is a legal entity, necessary checks on shareholders (if any) and legal representatives are also conducted through the screening tool.

⁹ For details, please refer to Koç Group Sanctions and Export Controls Policy.

¹⁰ In case the Business Partner is a legal entity, the necessary checks and screenings for shareholders (if any) and legal representatives are also carried out through the screening tool.

Compliance Office may decide to stop the transaction or conduct Enhanced Due Diligence ("EDD"). In this case, the General Manager is informed about the compliance risks identified and the possible impact of these risks and the measures suggested to be taken in case of establishing, terminating or continuing a business relationship. The General Manager shall make the decision to establish, continue or terminate the business relationship taking into account the assessments and recommendations. Decisions taken with the approval of the General Manager shall be regularly reported to Koç Holding Legal and Compliance Department by the Chief Legal and Compliance Office, and the entire process shall be subject to internal audit, if deemed necessary. In case of doubt, the business units or the compliance officers shall consult the Legal and Compliance Department of Koç Holding.

At the stage of signing a contract with a Business Partner, Tüpraş shall ensure that the relevant persons are informed about this Policy. Furthermore, Tüpraş reserves the right to terminate the contract or apply other penalties in the event of a violation of the Policy.

4.2. Suspicious Transactions

If any suspicion arises that the assets involved in the transaction have been obtained illegally or used for illegal purposes, used to finance terrorism, or are related or connected to the same, the Chief Legal and Compliance Office should be informed immediately via the Suspicious Transaction Forms11 .

The following transactions and activities may be considered as examples of suspicious transactions:

• Individuals who do not provide complete information, provide incorrect, inconsistent or suspicious information, or are reluctant, hesitant or obstructive with respect to reporting and/or recordkeeping requirements,
• Requesting payments to be made, especially in cash or cash-like forms, or to different bank accounts on behalf of third parties,
• Persons and transactions related to jurisdictions designated as high-risk12 by the FATF13 .
• Making payments in currencies other than those specified in the contracts, using cryptocurrencies in transactions, or requesting them,
• Making payments to, or receiving payments from, third parties not named in the relevant contracts, or using exchange offices as intermediaries in transactions,
• Making payments to "shell bank" accounts or to individuals or entities located in countries known as "tax havens", or transferring funds to/from unrelated foreign countries,
• Payments to or from organizations where it is not possible to identify the ownership structure or determine the Ultimate Beneficial Owner (UBO),
• Transactions involving persons whose names appear on lists of persons suspected of money laundering as a result of checks carried out using the screening tool,
• Payments made in small amounts and through several different financial institutions.

¹¹ Suspicious Transaction Forms shall be created by the Chief Legal and Compliance Office and shared with business and operational units.

¹² https://www.fatf-gafi.org/en/publications/High-risk-and-other-monitored-jurisdictions.html

¹³ As of the effective date of this Policy, North Korea, Iran and Myanmar are included in the FATF's list of highrisk jurisdictions. Stricter measures may be applied and the list of high-risk jurisdictions may be expanded by the officer or department in charge of compliance in consultation with Koç Holding Legal and Compliance Department.

It is important for all employees to be vigilant in this regard, to act decisively and in accordance with procedures if a risky transaction is identified, and to consult Chief Legal and Compliance Office if in doubt.

4.3. Training

Under the coordination of Tüpraş Chief Legal and Compliance Office, various training and awareness-raising activities are organized to create a common corporate culture, taking into account the legislation, this Policy and other relevant internal procedures regarding the prevention of laundering the proceeds of crime, financing of terrorism and weapons of mass destruction. These activities are carried out in accordance with the latest local and international regulations and regularly reported to Koç Holding Legal and Compliance Department by the Chief Legal and Compliance Office.

5. AUTHORITY AND RESPONSIBILITIES

All employees and directors of Tüpraş are responsible for complying with this Policy, implementing, and supporting Tüpraş's procedures and controls in accordance with the requirements of this Policy. Tüpraş also expects and takes necessary steps to ensure that all its Business Partners to the extent applicable, comply with and/or act in accordance with this Policy.

If there is a discrepancy between the local regulations applicable in the countries Tüpraş operates, and this Policy, the stricter of the two shall prevail, unless such practice is in violation of the relevant local laws and regulations.

If you become aware of any action that you believe is inconsistent with this Policy, the applicable law or the Koç Group Code of Ethics or Tüpraş Code of Ethics, you may seek guidance or report the incident to your line managers or Chief Legal and Compliance Office. Alternatively, you may report the incident to Tüpraş Ethics Hotline via the following link: "koc.com.tr/hotline".

Tüpraş employees may contact the Chief Legal and Compliance Office for their questions regarding this Policy and its application. Violation of this Policy may result in significant disciplinary actions including dismissal. If this Policy is violated by third parties, their contracts may be terminated.

6. REVISION HISTORY

This Policy takes effect on 26 April 2024 as of the date approved by the Board of Directors and will be maintained by the Chief Legal and Compliance Office.

Revision	Date	Description
-	26.04.2024	Approved of Policy