7.1 The Paysafe Group’s Risk Management Committee is responsible for assessing and managing risk for the Paysafe Group. The Risk Management Committee presents the minutes of its meetings along with its findings and risk analyses to the Audit Committee and the Audit Committee periodically reviews the minutes of the meetings of the Risk Management Committee. The Audit Committee has appointed Raymond Chabot Grant Thornton (“RCGT”) as internal auditor of the Group. An internal audit plan has been agreed with RCGT for FY2015 to FY2018 and their audits commenced in the first quarter of 2015. RCGT has performed quarterly audits on high risk areas as set out in the internal audit plan at a consolidated level as well as quarterly audits for the UK and Isle of Man regulated companies. The results of the internal audits are presented to the Audit Committee at its quarterly meetings. The Audit Committee reviews each internal audit report, recommendations and associated management action plans to ensure that the key areas targeted for improvement by the internal audits are appropriately addressed in an expeditious manner.

7.2 Paysafe conducted a risk assessment of the Paysafe Group in 2014 and developed an enterprise risk management framework for the Paysafe Group. During the risk assessment, 16 key risks were identified and the likelihood of these risks occurring was assessed. Additional risk assessments were also performed in 2014 for the UK and Isle of Man regulated companies in the Paysafe Group. During those risk assessments, 12 and 11 key risks were identified for the UK and Isle of Man regulated companies respectively and the likelihood of these risks occurring was assessed. Using the risk management framework, the Paysafe Group has a strategy in place to monitor identified risks and to develop risk mitigation strategies at the consolidated level as well as specifically for the UK and Isle of Man regulated companies.

7.3 Prior to the Skrill Acquisition, the Skrill Group engaged KPMG to conduct an enterprise risk assessment which identified 23 key risks applicable to the entities within Skrill Group, and the likelihood of these risks occurring was assessed. In the third quarter of 2015, the Paysafe Group updated its risk register and audit universe to capture new and emerging risks to create a consolidated and updated risk universe and a new consolidated internal audit plan for the Paysafe Group following completion of the Skrill Acquisition. The risk assessment conducted by KPMG in relation to the Skrill Group (prior to Completion) forms part of the Paysafe Group’s updated risk universe and consolidated internal audit plan.

7.4 The Paysafe Group’s platforms provide extensive real-time risk monitoring and decision-making, using a mix of proprietary rules-based engine technology and third party services. Paysafe’s risk management team is responsible for monitoring and adjusting risk rules and thresholds and for managing events. The risk platforms are autonomous and highly automated through proprietary IP overlaid on enterprise management frameworks. Each of the STP and stored value business divisions leverages proprietary risk management and anti-fraud technologies, customised separately around transaction specifics, volumes and the nature of processes experienced on each divisional platform.

7.5 Merchants and customers also benefit from the Paysafe Group’s risk and anti-fraud management features, including real-time monitoring of online transactions to mitigate and reduce fraud for merchants, which enables the Paysafe Group to offer some of its qualifying merchants a no chargeback policy. When determining whether to offer no-chargeback protection to merchants, the Paysafe Group conducts a risk based analysis focused on the transactions carried out by each merchant. This is attractive for a large range of merchants who conduct their business over the internet and who may not have the capability or resources to develop their own sophisticated payment and fraud management systems.

Straight Through Processing

7.6 The Paysafe Group’s STP division provides processing services through the multi award-winning NETBANX gateway, the most recent award being granted in May 2015 when the Paysafe Group was named best payment service provider for the NETBANX gateway by CardNotPresent.com and the Payment XP gateway which is used by Meritus.

7.7 The NETBANX gateway was constructed with risk management in mind and is a full feature platform enabling both merchants and internal users to manage and mitigate risks on a granular, real-time basis. The overall risk approach is to provide merchants with the necessary tools to prevent fraud and to work with these merchants to create and customise rules and systems, based on the Paysafe Group’s technology, which enhance their risk management capabilities. The Payment XP gateway was also designed to effectively manage risks but it has fewer fraud management tools than the NETBANX gateway and the Paysafe Group plans to commence migration of the Meritus merchants using the Payment XP gateway to the NETBANX gateway during 2016.

7.8 The Paysafe Group’s fraud management solutions available on the NETBANX and Payment XP gateways comprise proprietary risk rules engines which have customised rules based on a merchant’s business model, industry and/or location and which are designed to minimise fraud on all payment types. The risk rules engines allow for near real-time decisions, leading to a fast response to fraudulent transactions.

7.9 For merchants using the NETBANX gateway, the Paysafe Group provides chargeback and dispute management services to its merchants through partnerships with Verifi and Ethoca and through the use of various third party vendors. For certain higher risk merchants using the Payment XP gateway, the Group mandates the use of Verifi to help with chargeback management and Ethoca to help identify fraudulent transactions.

7.10 For merchants using the NETBANX gateway, the Paysafe Group also offers its merchants additional services such as: device fingerprinting, which allows merchants to examine the identity of their users and their activities and to configure appropriate business rules to identify likely fraudulent activity; IP Geo Location tools to validate the geographic location of visitors to merchants’ websites; identity and age verification services, which assist with the validation of the identity of the merchants’ customers by comparing customers’ account details against a variety of data sources and/or by asking prospective multiple-choice questions as part of the verification process; and 3-D Secure, a technical standard developed by Visa and MasterCard designed to combat online credit card fraud. With 3-D Secure, cardholders who have registered for Verified by Visa or MasterCard SecureCode are required to use passwords to validate their identity whenever they make a purchase on a participating site.

7.11 Also key to the NETBANX gateway is the ability to filter transactions on any data element provided by the merchant, customer, or other participant in the transaction, such as the issuer or acquirer. The platform allows merchants to easily filter out transactions that do not meet specified criteria, or allows the merchants to suspend and out sort transactions which appear to be fraudulent. Rules can be created allowing merchants or internal staff to monitor the velocity of transactions on multiple data points and take actions when thresholds are exceeded. Back office accounting systems allow the Paysafe Group to suspend individual transactions without holding entire batches, limiting the inconvenience to merchants, should an investigation need to be carried out.

7.12 The Paysafe Group’s merchant risk-monitoring platform leverages all transaction elements from the NETBANX and Payment XP gateways and allows staff to quickly and efficiently identify merchants whose transactions or other activity raise questions or suspicion of fraud. Daily exception and monitoring reports are reviewed by staff and acted on before any funding is settled to merchants.

7.13 NETBANX operates its bureau business by using a variety of risk management tools. The Paysafe Group vets merchants before approval to use the bureau business is granted and the transaction fees levied for processing payments using its bureau business are reflective of the higher level of risk being undertaken by the Paysafe Group. Upon accepting a new merchant, the NETBANX system actively monitors trading patterns in order to prevent and detect fraudulent transactions and activity. This risk based approach allows the Paysafe Group to offer its services to customers that may otherwise be rejected by banks as a result of being deemed to be high risk. In this context, “high risk” customers would include companies operating in industries perceived to be high risk, such as online dating, travel services or subscription-based services. Furthermore, this service offers the Paysafe Group an internal risk-based system that assesses and monitors the individual risk profiles of merchants to maintain risk exposure at an acceptable level. The Paysafe Group’s continued compliance with the PCI DSS also allows merchants to manage their own PCI DSS compliance obligations.

Stored Value

7.14 Within the stored value division, NETELLER, Skrill and paysafecard all use an Enterprise Risk and Transaction Monitoring System (“ERTMS”) to mitigate the risk of fraud. The ERTMS platforms provide real-time monitoring and decisions related to NETELLER, Skrill and paysafecard member and merchant activity.

7.15 The ERTMS platforms are fraud mitigation engines that are built upon industry leading platforms supplied by third party providers, who are suppliers of financial crime, risk, and compliance solutions. The platforms are enterprise grade, fault tolerant and the NETELLER ERTMS has been implemented with active/passive failover redundancy. The NETELLER platform also provides a case management system and a suite of reporting tools. All the ERTMS platforms provide a rules based transaction monitoring engine which allows for the effective implementation of anti-money laundering, KYC, and risk-based rules which are then triggered and partitioned at the appropriate time based on member and merchant activity.

7.16 The NETELLER, Skrill and paysafecard ERTMS platforms enable real-time fraud and anti-money laundering rules to be created based on events such as new account signups, logins, transactions, or a combination thereof, and can be based on a plethora of attributes, including customer account country, BIN country (where credit cards are used as a funding instrument), IP country, transaction value, transaction frequency, device ID and deposit or withdrawal type. Rules can be set to trigger alerts on transactions, decline a transaction, close an account, challenge a member with a personal verification question, or delay a transaction. The rules can also be adapted based on historical fraud data, and they continue to evolve based on current transaction data. When the rules are triggered in the ERTMS the relevant transaction may be declined and/or the customer’s account may be frozen.
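An added example, not Paysafe's code, of the rule evaluation that paragraphs 7.11 and 7.16 describe: attribute rules over account, BIN and IP country and transaction value, plus sliding-window velocity on two data points, each mapped to one of the actions named above. The class name, thresholds, severity ordering and sample events are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Actions named in 7.16, ordered least to most severe (the ordering is an assumption).
SEVERITY = ["allow", "alert", "challenge", "delay", "decline"]

@dataclass(frozen=True)
class Event:
    ts: int               # seconds
    account_id: str
    account_country: str
    bin_country: str      # issuing country of the funding card
    ip_country: str
    device_id: str
    amount: float

class RulesEngine:
    """Hypothetical engine: attribute rules plus sliding-window velocity."""

    def __init__(self, window_s=600, max_events=3, review_amount=1000.0):
        self.window_s = window_s            # assumed velocity window
        self.max_events = max_events        # assumed velocity threshold
        self.review_amount = review_amount  # assumed high-value threshold
        self.seen = defaultdict(deque)      # (data point, value) -> timestamps

    def _velocity(self, point, value, ts):
        q = self.seen[(point, value)]
        q.append(ts)
        while q and ts - q[0] >= self.window_s:  # drop events outside the window
            q.popleft()
        return len(q)

    def evaluate(self, ev):
        hits = []
        countries = {ev.account_country, ev.bin_country, ev.ip_country}
        if len(countries) == 3:
            hits.append(("country_all_differ", "decline"))
        elif len(countries) == 2:
            hits.append(("country_mismatch", "challenge"))
        if ev.amount >= self.review_amount:
            hits.append(("high_value", "delay"))
        # Velocity is tracked on several data points, as 7.11 describes.
        for point, value in (("account", ev.account_id), ("device", ev.device_id)):
            if self._velocity(point, value, ev.ts) > self.max_events:
                hits.append((f"velocity_{point}", "alert"))
        action = max((a for _, a in hits), key=SEVERITY.index, default="allow")
        return action, [name for name, _ in hits]

def run_sample():
    # Constructed events: one device reused across accounts, then a risky transfer.
    engine = RulesEngine()
    events = [
        Event(0,   "acct-1", "GB", "GB", "GB", "dev-A", 20.0),
        Event(60,  "acct-2", "GB", "GB", "GB", "dev-A", 25.0),
        Event(120, "acct-3", "GB", "GB", "DE", "dev-A", 30.0),
        Event(180, "acct-4", "GB", "GB", "GB", "dev-A", 35.0),
        Event(900, "acct-1", "GB", "US", "RU", "dev-B", 5000.0),
    ]
    return [engine.evaluate(e) for e in events]
```

The fourth event is unremarkable on its own attributes and is flagged only because the device has been seen four times inside the window, which is the case per-transaction attribute rules miss.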

7.17 Neural modelling and member profiling are utilised by the NETELLER ERTMS to create adaptive rules based on historical fraud data. Personal Verification Questions rules can be configured to prompt customers with a personal verification question in real-time upon account sign-in or when a transaction is being initiated in order to validate their identity and prevent fraudulent activities.

7.18 In order to significantly enhance fraud mitigation, the Paysafe Group has also fully integrated a real-time device profiling capability into the NETELLER, Skrill and paysafecard ERTMS platforms. This enables the Paysafe Group to perform, in real-time, a series of security checks to validate the reputation of the device being used by the customer. These checks include reviewing the IP address against a database of high risk IP addresses and known proxies, as well as establishing a unique fingerprint of the device. The device fingerprint is generated using more than 200 unique device parameters which are used to determine a fraud risk score. Rules can then be written to either alert or take action based on the risk score or based on any one or combination of the device’s attributes. The device profiling capability can also be used to detect a customer’s new account signups and logins, even where the customer is browsing the internet anonymously.

7.19 The NETELLER, Skrill and paysafecard ERTMS fraud engines also use IP Geo Location tools to validate the geographic location of devices being used to execute an event or transaction. IP Geo Location information is gathered and factored into the ERTMS fraud related rules. The NETELLER ERTMS system also provides case management functionality that enables risk agents to create unique cases for each account or event. Within the NETELLER ERTMS case management system, case content cannot be changed and viewing is secured on a need-to-know, least-permissions basis. Cases are assigned to agents as needed and investigated until resolved, which allows the Paysafe Group to manage the NETELLER queues and prioritise high risk events to the appropriate skillsets.

Information Security

7.20 The Paysafe Group’s global information security policy follows industry best practices in layered security across all computing environments and is assessed by multiple external security providers. The Paysafe Group is a participating member of the Payment Card Industry (“PCI”) Standards Council, and provides thought leadership in the payments security space with an advisory seat on the tokenization working group, an external working group which aims to find tokenization solutions for companies. Tokenization is the process by which credit and debit card numbers are shortened and replaced with a randomly generated series of numbers and letters called “tokens” which cannot be used to make fraudulent transactions. The use of such tokens serves to enhance the security of cardholder data storage and properly implemented tokenization solutions may remove or reduce the requirement for a merchant to retain a customer’s full card details after an initial transaction has been processed. All platforms are conformant with, and annually assessed and certified to, the PCI DSS. Skrill Limited also holds PCI accreditation and uses tokenization solutions in order to protect the data of its customers. The Paysafe Group has a global data centre presence, connected via an MPLS network and operating production facilities in Montreal, Canada; Douglas, Isle of Man; Dublin, Ireland; Vienna, Austria and Frankfurt, Germany.

Legal Risk

7.21 Paysafe’s Risk Management Committee identifies and evaluates legal risk as part of its responsibility for assessing and managing risk for the Paysafe Group. The key legal risks identified as being critical to the business of the Paysafe Group are changing regulatory and authorisation requirements and the legal and regulatory environment as it applies to the supply of online gambling services. Please see Part II (Online Gambling Regulation) of this document for a description of the specific risks relating to the operations of the Paysafe Group within the online gambling industry.

Business continuity

7.22 The Paysafe Group has an ongoing Business Continuity Programme covering each of its offices and departments. The Business Continuity Programme is focused on the people, processes, offices and supporting ICT corporate systems with the primary objective to maintain plans and supporting procedures to enable business operations to continue in the event of an incident or disaster. The Business Continuity Programme is coordinated with the IT leadership who manage the disaster recovery activities which are primarily targeted on the production transaction processing systems. The Paysafe Group’s Business Continuity Programme has a dedicated subject matter expert who leads and coordinates with department and office Business Continuity Programme representatives. The Business Continuity Programme scope has been extended to encompass the newly acquired Skrill business. The Directors expect the Paysafe Group’s Business Continuity Programme to be in place by 31 December 2015.

Disaster recovery

7.23 In the event of a major failure of the Paysafe Group’s NETELLER systems, in accordance with its disaster recovery plan, the Paysafe Group’s stored value service would be limited to confirming the balances of its customers and returning funds to such customers using a manual process which the Directors expected could take up to one week to complete, depending on the location of the customers. The Paysafe Group has purchased IT infrastructure in order to further enhance its stored value disaster recovery plan. In respect of its stored value services, the Paysafe Group has entered into an agreement with a data centre service provider in Ireland to deliver a Warm-Standby centre in Dublin, being a back-up system which is data mirrored in near real-time, in respect of its stored value systems that are currently operating using the Paysafe Group’s servers in the Isle of Man. All infrastructure and data replication processes for this additional data centre were put in place at the end of June 2015, at which point the site became capable of fulfilling its disaster recovery role, and in the event of the failure of the main server site, switching to the additional data centre could take several hours. Final testing of the site has been completed and the data centre has been fully operational since the end of October 2015.

7.24 In respect of its NETBANX business, the Paysafe Group has augmented its disaster recovery capabilities by establishing an active failover processing centre which will have the ability to reroute internet traffic with minimal disruption to the back-up facility for the majority of the Paysafe Group’s NETBANX services in the event of the failure of the Paysafe Group’s straight through processing systems. Traffic between the data centres will be rerouted in less than two minutes if there is a planned outage and in less than fifteen minutes if there is an unplanned event. The processing centre has been fully operational since mid-October 2015. The addition of global load balancing will further enhance the failover capabilities by lowering the time to reroute traffic. Global load balancing is currently being iteratively rolled out, with a target completion of end of January 2016.

7.25 The Paysafe Group’s Hot-Standby data centre in Frankfurt, which serves the Paysafe Group’s Skrill branded products, is operational and the Paysafe Group’s data centre in Vienna is fully operational and serves as the secondary data centre for paysafecard. Traffic between the data centres can be switched almost immediately. The Paysafe Group will consider transferring the secondary data centre for paysafecard to the Paysafe Group’s data centre in Dublin, Ireland during 2017. The worst case scenario of a corruption of databases affecting both data centres would result in full functionality not being available for a period of approximately two to four hours. Such procedures may not, however, be sufficient to ensure that the Paysafe Group is able to carry on its business in the ordinary course if they fail or