Corporate Governance

Supply Chain Policy

of SCANDIC FINANCE GROUP LIMITED for the SCANDIC brand ecosystem

1. Preamble

This Supply Chain Policy ("Policy") sets out the binding principles, processes and responsibilities for the integrated, globally oriented management of the supply chain of SCANDIC FINANCE GROUP LIMITED by Scandic Banking Hong Kong, Room 10, Unit A, 7/F, Harbour Sky, 28 Sze Shan Street, Yau Tong, Hong Kong / SAR-PRC.

It applies in cooperation with:

  • SCANDIC ASSETS FZCO, Dubai Silicon Oasis DDP Building A1/A2, Dubai, 342001, United Arab Emirates
  • SCANDIC TRUST GROUP LLC, IQ Business Centre, Bolsunovska Street 13 – 15, Kyiv — 01014, Ukraine
  • LEGIER BETEILIGUNGS GESELLSCHAFT MIT BESCHRÄNKTER HAFTUNG, Kurfürstendamm 14, 10719 Berlin, Federal Republic of Germany
Legal notice: SCANDIC ASSETS FZCO, LEGIER Beteiligungs Gesellschaft mit beschränkter Haftung and SCANDIC TRUST GROUP LLC act as non-operational service providers. All operational and responsible activities are carried out by SCANDIC FINANCE GROUP LIMITED, Hong Kong, Special Administrative Region of the People's Republic of China.

This policy applies to the SCANDIC brand ecosystem, in particular to the following brands and services:

SCANDIC CARDS

as well as for all structures held or supported by SCANDIC FINANCE GROUP LIMITED, insofar as they enable or support financial, fiduciary, payment, investment, security, health, real estate or other services and product offerings within the group.

The policy is designed to be applicable in global legal transactions and to ensure compliance with international, supranational (in particular European Union) and national legal standards.

2. Purpose, objective and scope

2.1 Purpose

The purpose of this guideline is to establish a uniform, transparent and legally compliant supply chain management system that:

  • controls all relevant supply chain processes (planning, procurement, production, service provision, distribution, return and disposal)
  • systematically implements human rights, labour law, environmental and principle-based requirements,
  • ensures compliance with global legal frameworks (including those of the European Union, national legal systems and international standards) and
  • ensures end-to-end traceability and controllability through a digital image as a "digital twin" and a central control and monitoring point for the supply chain.

2.2 Scope

This policy applies to:

  • to all organisational units and brands of SCANDIC FINANCE GROUP LIMITED worldwide,
  • to all group companies and associated companies, insofar as they act on behalf of SCANDIC FINANCE GROUP LIMITED or provide services for the SCANDIC brand ecosystem,
  • to all suppliers, subcontractors, service providers, distribution partners, cooperation partners and other third parties who are directly or indirectly involved in the provision of services or products.

The basic requirements of this policy must be contractually incorporated into the cooperation with suppliers and partners.

3. Definitions

The following terms apply in particular to this policy:

  • Supply chain: All activities and actors from input (resources, data, capital, infrastructure, personnel, services) through conversion (production, project and service provision) to final delivery, use, disposal and aftercare.
  • Supply chain management: Strategic and operational coordination of all supply chain activities to increase effectiveness in terms of customer benefit and efficiency, and to ensure legal compliance, sustainability and resilience.
  • Digital twin: Semantically linked digital representation of all relevant assets, processes, nodes, flows, service levels, risks, controls and events in the supply chain.
  • Central control and monitoring point for the supply chain: Central, digital platform for monitoring and controlling the supply chain in real time with analytics, early risk detection, simulation of different scenarios and recommendations for action.
  • Suppliers and business partners: All external persons, organisations and companies that provide goods, services or other services within the supply chain.
  • Risk-based approach: Prioritisation of measures according to probability of occurrence, severity of possible impacts – in particular on human rights, the environment and legal compliance – and the possibility of control.

4. Basic principles of supply chain management

SCANDIC FINANCE GROUP LIMITED is committed to adhering to the following basic principles:

  1. Global legal compliance: Compliance with all applicable local, national, regional and international regulations, in particular those of the European Union, including the relevant directives and regulations and the national implementing laws based on them.
  2. Respect for human rights and labour standards: Alignment with the United Nations Guiding Principles on Business and Human Rights, the core labour standards of the International Labour Organisation and the relevant international conventions against child labour, forced labour, discrimination and exploitation.
  3. Environmental and climate protection: Integration of environmental and climate-related due diligence obligations, including regulations on deforestation-free supply chains, conflict minerals, the prohibition of products made with forced labour, and the energy efficiency of buildings and products.
  4. Integrity, transparency and responsible corporate governance: Zero tolerance for corruption, money laundering, terrorist financing, tax evasion, market abuse and other economic crimes.
  5. Data protection, data security and digital resilience: Compliance with the General Data Protection Regulation, the Directive on privacy and electronic communications, the Digital Services Regulation, the Digital Markets Regulation, the Directive on measures for a high common level of cybersecurity across the Union, the Regulation on digital operational resilience of the financial sector, the Cyber Resilience Act, the European Health Data Space and the Regulation on artificial intelligence, where relevant.
  6. Risk-based management and continuous improvement: Systematic identification, assessment and treatment of risks along the entire supply chain, including regular audits, monitoring, evaluations and improvement programmes.

5. Integrated process map based on the reference model for supply chain operations

The group-wide process map is based on an adapted reference model for supply chain operations and comprises the following main processes:

  1. Planning
    • Strategy, planning and coordination of capacity, demand, liquidity and campaigns across all brands (SCANDIC PAY, SCANDIC ESTATE, SCANDIC TRADE, SCANDIC FLY, SCANDIC YACHTS, SCANDIC DATA, SCANDIC TRUST, SCANDIC SEC, SCANDIC HEALTH and others).
    • Planning scenarios for legal changes, crises and peaks in demand.
  2. Procurement
    • Selection, qualification and onboarding of suppliers and partners, including identification checks based on the "know your customer" principle, money laundering prevention and determination of beneficial owners.
    • Drafting contracts, agreeing service levels, sustainability and human rights clauses.
  3. Manufacturing, conversion, provision of services
    • Provision of services, project management, content creation, development and operation of systems, medical services, security services, financial and trading services.
    • Ensuring quality and compliance with legal requirements, approval processes.
  4. Delivery and operation
    • Logistics, hosting, operation of platforms, aviation and shipping services, digital distribution, customer service, billing and payment processing.
    • Ensuring availability, performance and compliance with transparency and information requirements, in particular towards consumers and supervisory authorities.
  5. Withdrawal and response
    • Handling complaints, grievances, removal and blocking requests, dealing with incidents in the areas of security, data protection, medicine and operations.
    • Evaluating experiences, creating quality cycles and implementing corrective and preventive measures.
  6. Enabling functions
    • Operation of data centres, identity and access management, security control centres, management of master data and ontologies, financial control, legal and compliance departments, internal auditing.

6. Brand-related end-to-end value streams

The guideline takes into account the specific characteristics of each brand and integrates them into end-to-end value streams.

6.1 SCANDIC PAY, SCANDIC COIN and SCANDIC FINANCE (payments, financing, digital assets)

  • Incoming and procurement: project initiators, investors, payment service providers, card programmes, digital asset issuers, banks.
  • Conversion and services: Project and customer checks, listing of projects and digital assets, orchestration of payment processes, technical and legal mapping of digital assets, implementation of the Regulation on Markets in Crypto-Assets, the Regulation on Information Accompanying Transfers of Funds and Certain Transfers of Crypto-Assets, the Second Payment Services Directive and the Directives on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.
  • Delivery and operation: operation of platforms, monitoring of money laundering risks, reporting to supervisory authorities, payouts to investors, compliance with data protection and information obligations.

6.2 SCANDIC ESTATE (property development and real estate brokerage)

  • Incoming and procurement: land, real estate properties, developers, construction and service companies, authorities, capital partners.
  • Transformation and services: Project development, valuation, marketing, contract drafting, review of environmental, social and governance aspects, compliance with building and energy efficiency regulations.
  • Delivery and operation: handover and aftercare, property management, management of space and properties, communication and logistics structures.

6.3 SCANDIC TRADE (trading in financial instruments, foreign exchange, crypto assets, commodities and emission allowances)

  • Input and procurement: market data providers, stock exchanges, liquidity partners, clearing houses, supervisory authorities.
  • Transformation and service: order management, risk management including risk measurement, portfolio and financial control functions, trading in traditional financial instruments and digital assets, implementation of the Markets in Financial Instruments Directive, the Markets in Financial Instruments Regulation, the Market Abuse Regulation, the Prospectus Regulation and the regulations on sustainability-related disclosures in the financial services sector.
  • Delivery and operation: settlement, reporting, transparency reports, customer interfaces, end-to-end monitoring.

6.4 SCANDIC FLY (private jet charter and special flights)

  • Inbound and procurement: aircraft operators, aircraft fleets, crews, airports, ground handling companies, security and compliance partners.
  • Conversion and service: flight planning, route optimisation, slot management, safety and evacuation concepts, compliance with European Aviation Safety Agency and aviation authority requirements.
  • Delivery and operation: execution of charter flights, customer service, handling of delays, handling of compensation claims and complaints.

6.5 SCANDIC YACHTS (yacht brokerage and charter)

  • Acquisition and procurement: shipyards, yacht owners, classification societies, insurers.
  • Conversion and services: valuation, mandating, marketing, examination of ownership and legal relationships, handover processes.
  • Delivery and operation: yacht management, crew planning, coordination with ports, logistics, charter processing in compliance with regulations for recreational craft, port and ship safety, and passenger rights.

6.6 SCANDIC DATA (data centre and digital platforms)

  • Receipt and procurement: content from editorial offices, brand and customer data, telemetry data, partner data streams.
  • Transformation and services: processing, integration, storage and analysis of data, development of digital services, high-performance computing, use of artificial intelligence methods.
  • Delivery and operation: Operation of data centres, connection of edge locations and distribution networks for content, monitoring of systems, data backup and disaster recovery in accordance with data protection, data, cyber and platform regulations.

6.7 SCANDIC TRUST and SCANDIC GROUP (trust, asset protection, succession planning)

  • Intake and procurement: clients, family assets, legal and tax framework conditions.
  • Conversion and services: structuring of assets, establishment of trust mandates, succession planning, consideration of environmental, social and governance objectives, compliance with regulations on beneficial owners and cross-border tax arrangements.
  • Delivery and operation: management of trust assets, reporting, cooperation with payment, trade, real estate, yacht and aviation sectors.

6.8 SCANDIC SEC (physical and digital security services)

  • Intake and procurement: threat analyses, properties, locations, persons and assets requiring protection.
  • Transformation and service: Creation of security concepts, planning and implementation of protective measures, detection and response to cyber attacks, compliance with requirements for critical facility resilience and network and information security.
  • Delivery and operation: Operation of security control centres around the clock, planning and implementation of security measures for travel and events, crisis, emergency and evacuation planning.

6.9 SCANDIC HEALTH (medical services, in particular ear, nose and throat medicine)

  • Intake and procurement: Clinics, practices, medical devices and products, patient flows.
  • Transformation and services: Diagnostics, therapy, surgical procedures, quality and hygiene processes in accordance with the requirements for medical devices, in vitro diagnostics and health data.
  • Delivery and operation: Medical care, telemedicine, billing, protection of patient rights and compliance with data protection and data security requirements.

7. Governance, organisation and responsibilities

7.1 Governance structure

  • The Board of Directors of SCANDIC FINANCE GROUP LIMITED has overall responsibility for compliance with and further development of this policy.
  • A group-wide central control and monitoring point for the supply chain will be established, with round-the-clock monitoring, risk management, incident coordination, data and ontology management, security operations, legal and compliance functions, and financial control.
  • Each brand will appoint a person responsible for the supply chain ("Supply Chain Manager") who will ensure the implementation of this policy in their respective area.

7.2 Roles and responsibilities

  • The persons responsible for the supply chain in the brands and the respective operational process owners are accountable.
  • The management of SCANDIC FINANCE GROUP LIMITED is accountable.
  • The legal department, compliance, data protection, information security, internal audit and other specialist departments are consulted.
  • All relevant functions and parties involved, including suppliers, partners and, where applicable, customers, must be informed.

7.3 Order of regulations

This supply chain policy is specified in more detail by specific subordinate policies and manuals, for example by a human rights policy, an environmental and climate policy, a data protection policy, an information security policy and a third-party management policy.

In the event of contradictions, the following applies:

  1. Mandatory legal requirements take precedence.
  2. Thereafter, this supply chain policy shall serve as a framework,
  3. followed by the specific technical guidelines.

8. Requirements for suppliers and business partners

8.1 Minimum requirements

All suppliers and business partners must:

  1. comply with all applicable laws in their jurisdictions, in particular those relating to human and labour rights, environmental, safety and data protection requirements,
  2. strictly exclude forced labour, child labour, human trafficking, discrimination, harassment and other human rights violations,
  3. implement effective measures to prevent corruption, fraud, money laundering and terrorist financing, and maintain transparent structures for beneficial owners,
  4. observe environmental due diligence obligations, in particular with regard to deforestation-free supply chains, conflict minerals and the prohibition of products associated with forced labour,
  5. ensure responsible data processing and an appropriate level of cyber security.

8.2 Checks before entering into a business relationship and during its continuation

A risk-based check is carried out before entering into a business relationship. This includes in particular:

  • Establishing and verifying the identity of the contracting parties and their beneficial owners
  • Checking against sanctions lists and for the presence of politically exposed persons
  • assessing human rights, environmental and compliance risks,
  • Checking the technical and organisational measures in place to protect personal, financial and confidential data.

8.3 Contract drafting

Contracts with suppliers and partners shall include, in particular:

  • a binding reference to this policy and corresponding behavioural requirements for the supply chain,
  • clauses expressly prohibiting forced labour, child labour, corruption, money laundering, tax evasion, cyber attacks and data protection violations,
  • rights to carry out audits and inspections,
  • regulated reporting mechanisms for violations and incidents,
  • appropriate remedial measures and the right to terminate the contract without notice in the event of serious or repeated violations.

9. Risk analysis, due diligence and resilience

9.1 Risk management system

SCANDIC FINANCE GROUP LIMITED operates a group-wide risk management system that:

  • identifies risks in the supply chain across all brands and regions,
  • assesses risks qualitatively and quantitatively,
  • defines appropriate preventive measures, mitigation measures and remedial measures,
  • regularly reviews and updates risks, controls and measures.

9.2 Integration of legal requirements regarding due diligence and sustainability

These include in particular:

  • the Directive on corporate due diligence with regard to sustainability,
  • the Regulation on deforestation-free supply chains,
  • the Regulation on conflict minerals,
  • the Regulation on the prohibition of products associated with forced labour,
  • the Directive on corporate sustainability reporting,
  • Directives on the prevention of money laundering and terrorist financing,
  • Regulations on registers of beneficial owners,
  • the General Data Protection Regulation,
  • the Directive on measures for a high common level of cybersecurity across the Union,
  • the Regulation on digital operational resilience of the financial sector,
  • the legislative act on cyber resilience,
  • the Regulation on data governance,
  • the Regulation on harmonised rules for access to and use of data,
  • the Regulation on Digital Services and the Regulation on Digital Markets,
  • sector-specific regulations in aviation, shipping, medicine, financial markets and payment transactions.

9.3 Measures to strengthen resilience

Examples of measures to strengthen resilience include:

  • multiple data centre locations with redundant infrastructure, automatic failover in the event of failure, protection against attacks to overload services,
  • structured monitoring of legal changes, ongoing training, technical capabilities for short-term adaptation of functions, complete logging of relevant activities,
  • Establishment of alternative suppliers and operators, safeguard mechanisms in contracts, emergency capacities,
  • automatic scaling of technical resources during peak demand and prioritisation of critical services,
  • travel and event safety concepts, evacuation and crisis plans, protected communication channels and crisis teams.

10. Digital twin, central control point for the supply chain and data architecture

10.1 Digital twin

The digital twin of the supply chain includes in particular:

  • projects, transactions, assets, contracts, flights, ships and yachts, real estate properties, campaigns, customers, payments, orders, incidents and mandates,
  • relationships between these entities,
  • service levels, risks, controls and the origin of data.

10.2 Integration and data architecture

The data and integration architecture includes:

  • an integration layer for event-driven processing and periodic batch processing,
  • a semantic layer with a unified data model and ontology that defines entities, characteristics, relationships, and data protection and security labels,
  • application interfaces for centralised monitoring and control of the supply chain with overviews, root cause analyses, instructions for action, simulations and approval processes,
  • A comprehensive security and data protection concept with encryption, access restrictions, secret management and logging of all relevant accesses.

11. Key figures, monitoring and reporting

11.1 Key figures

Key figures are used for control and monitoring, for example:

  • in payment and trading processes: approval rates, time to final settlement, chargeback rate, utilisation of risk and security margins,
  • in the real estate sector: time to contract completion, duration of approval procedures, environmental, social and governance assessments, vacancy rates,
  • in aviation and yacht operations: punctuality rates, frequency of safety-related incidents, utilisation, energy and carbon dioxide consumption,
  • in the data and media sector: availability, delay times, timeliness of data, average time to resolution of incidents,
  • in the areas of trust, security and health: compliance with service levels, audit results, frequency and severity of incidents, response times and satisfaction ratings.

11.2 Monitoring

  • Continuous monitoring of relevant key figures and risks by the central control point for the supply chain,
  • defined thresholds with automatic alerts and escalation paths,
  • Regular reports to senior management and the responsible persons at the brands.

11.3 Public and regulatory reporting

  • Fulfilment of all sustainability and supply chain reporting obligations, including those arising from the Corporate Sustainability Reporting Directive and national supply chain laws,
  • fulfilment of reporting obligations in connection with digital services and markets, as well as other sector-specific reporting requirements.

12. Training, awareness raising and communication

  • Regular training for employees, management and key personnel on the content and implementation of this policy.
  • special training for areas with increased risks, in particular for procurement, legal, compliance, information security, safety, health and information technology,
  • Provision of appropriate information and communication channels so that this policy is accessible and can be applied at all times.

13. Complaint channels, whistleblower systems and remedial measures

  • Establishment of a group-wide system for submitting reports that enables anonymous and confidential reports of actual or suspected violations of this policy
  • Requiring suppliers to operate their own reporting systems or to join the group-wide whistleblowing system.
  • Procedures for the independent investigation, evaluation and documentation of incoming reports and complaints.
  • Definition and implementation of appropriate remedial measures, which may range from training and education measures to process adjustments and personnel or contractual consequences.

14. National legal frameworks

The European directives and regulations referred to in this policy are implemented in the Member States of the European Union through national laws and on the basis of the requirements of national supervisory and control authorities.

SCANDIC FINANCE GROUP LIMITED undertakes to take into account the respective national implementation acts and official requirements in all relevant activities and to supplement local guidelines and process descriptions as necessary.

15. Implementation and transitional provisions

15.1 Phases of implementation

  1. Basic phase (first three months)
    • Inventory of supply chains and supplier relationships,
    • Establishment of an initial digital twin with recording of brands, assets, processes and service levels,
    • Establishment of a central monitoring and control function with overviews, alerts and basic instructions for action
    • Harmonisation of identification and money laundering verification processes and contract registers.
  2. Scaling phase (three to six months)
    • Expansion to comprehensive legal and compliance workflows,
    • Introduction of group-wide identity and access management,
    • Introduction of forecasting models for demand, capacity and sales,
    • Development of a simulator for different scenarios in the supply chain.
  3. Advanced phase (six to twelve months)
    • Partially automated control of responses such as capacity shifts, redirection of payment flows and optimisation of routes and time windows in aviation and logistics
    • Integration of revenue and operational planning across multiple brands,
    • Establishment of continuous reporting on sustainability and due diligence, including external audits.
    • Conducting structured tests to verify resilience, particularly in the area of information security.

15.2 Review and amendment of the policy

  • This policy will be reviewed at least once a year and on special occasions such as significant legal changes, new business models or serious incidents.
  • Amendments shall be decided by the Board of Directors of SCANDIC FINANCE GROUP LIMITED and announced throughout the Group.

16. Final provisions

  • This supply chain policy shall enter into force upon its adoption by the management of SCANDIC FINANCE GROUP LIMITED.
  • It replaces previous regulations on supply chain management insofar as they conflict with the principles set out herein.
  • In countries with mandatory, stricter legal regulations, these regulations take precedence over the provisions of this policy. In all other cases, the provisions of this policy are considered a minimum standard that must not be fallen short of.
  • Failure to comply with this policy may result in labour law, civil law and criminal law consequences and will not be tolerated by SCANDIC FINANCE GROUP LIMITED.

Drafted, signed and approved:

The Board of Directors of SCANDIC FINANCE GROUP LIMITED

Hong Kong, SAR – PRC, 1 January 2026

Legal representation: Clifford Chance, Global Law Firm