Annex No. 1 - AMENDMENT OF CLAUSES IN THE GENERAL TERMS AND CONDITIONS FOR BANKING OPERATIONS FOR INDIVIDUALS 

Starting from 08.04.2025, the GENERAL TERMS AND CONDITIONS FOR BANKING OPERATIONS FOR INDIVIDUALS (hereinafter referred to as "GTC") are amended and supplemented as follows: 

CHAPTER 1 - INTRODUCTION 

In Article 1.5, the definition of "Card" is supplemented with the following paragraph: 

"Card" - ....; the card can be issued either in physical or virtual form, with the available card types being mentioned on the Bank's website raiffeisen.ro, in the Debit Cards/Shopping Cards section." 

In Article 1.5, the definition of "Account" is supplemented with the following paragraph: 

"Account" - ....; any reference to "Account" also includes a reference to "credit card account" unless expressly stated otherwise; 

 In Article 1.6.1, letter h) is amended and will have the following content: 

 "Authorities with powers to issue and administer International Sanctions" - will mean any of: 

.... 

h) the government institutions and agencies of any of the above states, including but not limited to, the Office of Foreign Assets Control (OFAC), the Secretary of the Treasury of the United States of America, the Department of State of the United States of America, the Office of Financial Sanctions Implementation (OFSI) in the United Kingdom (UK), part of Her Majesty's Treasury in the United Kingdom (UK), or any other relevant government institution, regulatory authority, or agency that administers International Sanctions (each authority as modified, supplemented, or replaced periodically). 

 In Article 1.6.1, the definitions of "Sanctions List," "Restricted Party" letter a), "Sanctions," and "International Sanctions" are amended and will have the following content: 

 "Sanctions List" - The "Specially Designated Nationals and Blocked Persons List" maintained by the Office of Foreign Assets Control of the United States of America (USA) (Office of Foreign Assets Control), a government agency in the United States of America, and the Consolidated List of Financial Sanctions Targets in the UK maintained by the Office of Financial Sanctions Implementation in the United Kingdom (UK) (Office of Financial Sanctions Implementation - OFSI) and any equivalent list of the United Nations Security Council or the European Union and any list of persons sanctioned by the Department of State of the United States of America, as published in the Federal Register or any similar list or document administered by any Authority with powers to issue and/or administer International Sanctions, each as modified, supplemented, or replaced periodically; 

"Restricted Party" - any of the following:  

a designated person/entity or a person/entity that is owned/controlled by a designated person/entity (to the extent that it falls within the scope of the relevant sanctions' ownership or control requirements) or a person/entity acting on behalf of a designated person/entity; or 

.... 

"Sanctions" - economic or financial sanctions and restrictions (however described) or embargoes imposed, administered, or enforced periodically by any of the Authorities with powers to issue and administer International Sanctions; 

"International Sanctions" – Sanctions, restrictions, and obligations concerning the governments of certain states, non-state entities, or individuals or legal entities, adopted by the United Nations Security Council, the European Union, the United States of America, international organizations, or through unilateral decisions of Romania or other states that Romania decides to implement to maintain international peace and security, prevent and combat terrorism, ensure respect for human rights and fundamental freedoms, develop and strengthen democracy and the rule of law, and achieve other purposes in accordance with the objectives of the international community, international law, and European Union law. International sanctions particularly target the freezing of funds and economic resources, trade restrictions, restrictions on transactions with dual-use products and military products, travel restrictions, transport and communications restrictions, diplomatic sanctions, or in technical-scientific, cultural, or sports fields. 

CHAPTER 2 - GENERAL PRINCIPLES 

 In Article 2.1 - Provisions regarding the protection of personal data, the following main changes are made, paragraph 2.1.4. – "The Bank processes personal data for the following purposes, as follows 

(...) 

Point 2.1.4.1 – "To fulfill legal obligations, the Bank processes personal data for: (...)" is supplemented with the following paragraph: "transmitting and receiving information within the Raiffeisen Group regarding the non-repayment status; transmitting information about the granted credit, respectively the individual credit risk and the situation of overdue credits (including delays in payment exceeding 30 calendar days) to the Credit Risk Central at the National Bank of Romania (an independent public institution headquartered in Bucharest, Str. Lipscani No. 25, sector 3, Bucharest, which is a specialized structure for collecting, storing, and centralizing information regarding the exposure of each reporting entity - credit institution, non-banking financial institution, payment institution, etc. in Romania, towards those debtors who have benefited from credits and/or commitments whose cumulative level exceeds the reporting limit amount (20,000 lei), as well as information regarding card frauds committed by cardholders." 

  

Point 2.1.4.3- "To fulfill the legitimate interests of the Bank, in the context of its business activities, the Bank processes personal data for: (...)” is supplemented with the following paragraph: 

"(...) increasing the level of digitization and enhanced efficiency at the bank level, by reducing efforts, including financial efforts, to manually perform similar processes, including by creating and implementing advanced analytical models; (...)" 

Point 2.1.4.3 is supplemented by adding a new paragraph at the end, as follows: 

 "Additionally, to fulfill the legitimate interests of the Bank, the Bank processes personal data through low-risk artificial intelligence models, including advanced machine learning, for training and developing these models, for streamlining internal operational activities, improving the bank's results and reports, automated data processing, automating the processing of specific document information by extracting and centralizing this information, automating document drafting and translation, transcribing calls made through the call center and appropriately marking the purposes of communication, creating specific internal documents and analyses, automatically reconciling transactions, systematizing analyses, and creating mechanisms for the automatic extraction of certain data and information, increasing the level of digitization and reducing human intervention, to obtain data/information related to the accounting and profitability of the bank's clients. To the extent that the Bank uses high-risk models or systems, it will comply with the requirements established by Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 establishing harmonized rules on artificial intelligence. 

 To prevent fraud among customers (individuals or legal entities) who make electronic payments, as well as to reduce erroneous transactions generated by incorrect entry of the beneficiary's account (IBAN format), the Bank has implemented the Beneficiary Name Display Service (SANB). 

 This service involves the automatic display of the beneficiary's first name and initial of the last name (in the case of individuals), or the truncated name in the case of the beneficiary being a legal entity, at the time the payer enters the IBAN code in the banking applications through which electronic payments are made. 

 For the operation of this service, to fulfill the legitimate interests of the Bank and TRANSFOND, which acts for these purposes as a joint operator with the Bank and all other banks participating in SANB, the personal data of the Data Subject, namely: the initial of the last name, full first name, and IBAN code are transferred by the Bank to Transfond, where they are stored and periodically updated until the relationship with the Bank ends, to be queried by other banks participating in SANB when the Data Subject whose data is transferred by the Bank will be the beneficiary of electronic payments initiated by clients of other banks participating in SANB, at the time of completing the electronic payment order, after the payer enters the IBAN code of the account to which the payment is to be made." 

 Point 2.1.4.4 is supplemented by adding a new paragraph before the last paragraph, as follows: 

 "Additionally, the Bank will process the personal data of the Data Subjects based on their consent for the remote identification process using video means, for processing biometric data and biometric verification using advanced machine learning models, consent freely given by the Data Subjects through digital platforms that integrate such a verification step, by selecting the appropriate option on the consent capture page, after reviewing the specific information note." 

 Point 2.1.4.5 the first paragraph is amended and will have the following content: 

 2.1.4.5. Profiling and automated decision-making processes: To fulfill the processing purposes mentioned above, in certain situations (e.g., in the context of applying customer due diligence measures to prevent money laundering and combat terrorist financing, including creating and using warning lists, in the context of identifying and assessing potential payment difficulties by determining early warning indicators; in the context of risk assessment conducted to make a decision regarding a credit product application, respectively to provide banking services related to credit products; in the context of preventing and identifying fraud, etc.), the remote identification process using video means and processing biometric data, it is necessary to process personal data by automated means. 

 Such processing activities may also involve evaluating certain aspects related to the Data Subjects for the purpose of analyzing or predicting characteristics concerning them, such as education, age, economic situation, reliability, or behavior (including from the perspective of transactions, respectively activities related to gambling and/or betting). 

 Point 2.1.5, paragraph 1, letters a) and b) are amended and will have the following content: 

 "2.1.5. For the purpose of fulfilling the above-mentioned processing purposes, the Bank processes: 

 personal data directly provided by the Data Subject, including in the context of accessing the Bank's products and services or using applications provided by the Bank, remote identification using video means, and processing biometric data; 

 data obtained from the following external sources: Credit Bureau (if applicable), ANAF (if applicable), National Trade Register Office, Insolvency Proceedings Bulletin, Credit Risk Center, public authorities and institutions, the notary public register available on the website of the National Union of Notaries Public of Romania, the lawyer register available on the website of the National Union of Romanian Bar Associations, the bailiff register available on the website of the National Union of Bailiffs, the public electronic register regarding authorized auditors available on the website of the Public Authority for the Supervision of Statutory Audit Activity, registers available on the website of the Romanian College of Psychologists, the Mediators' Register available on the Mediation Council website, the Romanian Order of Architects, contractual partners (such as debt collection/recovery agencies, service providers), entities within the Raiffeisen Group, the Bank's contractual partners (including eMAG, Vodafone, and other partners with whom Raiffeisen Bank SA collaborates to provide co-branded credit cards), the evaluator indicated for the proposed collateral (if applicable), notaries public (if applicable), the Data Subject's employers (if applicable), the insurance or reinsurance company (if applicable), the Client (Payer), credit institutions, public sources (namely, public registers, World Check, the press, publicly accessible lists or documents regarding the insolvency of individuals), initiators of payment operations, bailiffs, other enforcement bodies, and authorities that can institute precautionary measures and garnishments on the accounts of Data Subjects opened at the Bank, direct debit mandate holders, the legal representative of the minor account holder, the co-debtor who is the applicant for account statements, the employer of the manager account holder of the guarantee account opened for the duration of the employment relationship - when they are the applicant for account statements, the account holder's authorized representative who is the applicant for account statements, other Data Subjects (for example, in the context of debt collection/recovery actions), Transfond. (...)” 

 Point 2.1.5 is amended by adding, after paragraph 3, a new paragraph 4 with the following content: 

"The categories of data processed in the Credit Risk Center are the identification data of the Data Subject, information regarding the type of contracted credit, the degree of indebtedness, and the affiliation to a group of debtors, information related to card frauds committed by holders." 

 As a result of the amendment, paragraph 4 will become paragraph 5, and paragraph 5 will become paragraph 6, which will be amended by adding the following provisions at the beginning: 

 "In order to verify the identity of the person online, in the process of establishing the identity of the Data Subject, the Bank uses a remote identification method using video means and biometric data processing that allows the Bank to fulfill its legal obligations regarding the application of customer due diligence measures and to prevent potential fraud attempts. Remote identification of the data subjects is carried out by the Bank through digital platforms connected to the application authorized by the Bank, through which personal data will be processed for the Data Subject to go through the remote identification process and perform checks to prevent potential frauds, on behalf of the Bank, for the following purposes: (i) verifying the identity document and automatically reading and extracting data through optical character recognition (OCR); (ii) biometric verification of the data subject (through the photograph in the ID and the video recording) and biometric data processing, biometric data processing and biometric verification using advanced machine learning models; (iii) verifying the device from which the original identity document capture and video recording are made; (iv) assigning a unique biometric numeric identifier to the face in the identity document and video recording and verifying facial similarity; (v) other similar checks. For these purposes, the Bank processes the following categories of personal data: photograph of the identity document, information extracted from the identity document and its incorporated security elements, video recordings, biometric data, metadata related to images and the device from which the photographs and recordings were made, IP address, device properties, data about the camera and microphone of the device. (...)" 

 Additionally, point 2.1.5 is amended by adding a new final paragraph with the following content: 

 "In the context of SANB membership, the Bank will query the TRANSFOND database when its Clients complete electronic payment orders and will display to the Clients in the electronic payment order, after completing the IBAN code of the beneficiary's account: the full first name, the initial of the beneficiary's last name, or the truncated name of the legal entity, as additional identification elements of the payment beneficiary that the Payer can verify before authorizing the transaction." 

  

The enumeration in art. 2.1.6 adds the Credit Risk Center, according to the paragraph below: 

 "(… including ANAF, the National Bank of Romania, the Credit Risk Center, and the Financial Supervisory Authority...)" 

In article 2.3.1, the phrase "banking products and services" is replaced with the phrase "products and services offered by the Bank." 

 
CHAPTER 2 - GENERAL CONDITIONS APPLICABLE TO ACCOUNTS 

 In article 3.1, points 3.1.2 and 3.1.3 are amended and will have the following content: 

 3.1.2. The Bank may, but is not obliged to, open Accounts (such as current accounts, savings accounts, deposit accounts, credit card accounts) in the name of the Clients through its operational units and internet banking service under certain conditions, following their request and in accordance with the internal procedures issued by the Bank for this purpose. 

 3.1.3. The Client is obliged to present to the Bank, upon its request, any information and documents that the Bank considers necessary for opening and operating the Accounts, for justifying the requested operations, or for the periodic fulfillment by the Bank of the obligations established by law and/or the Bank's rules and policies. The Client undertakes to provide the Bank, upon its request, with any additional information, documents, or statements necessary to determine the object and/or economic rationale of the transactions, the source and/or destination of the funds withdrawn/deposited in cash, and/or the source of the funds subject to the transactions, regardless of the channel/instrument/service through which they were initiated, to determine the source of funds initially invested in Virtual Currencies and the financial circuit regarding Virtual Currencies (both at purchase and receipt from Virtual Currencies) or other information necessary in the customer due diligence process, data update for the fulfillment by the Bank of the obligations established by law, the Bank's internal rules, and/or International/US Sanctions. 

 In article 3.1, point 3.1.4 paragraph (1) is amended with the content below, and the second paragraph becomes paragraph (2): 

3.1.4 (1) To comply with the Bank's customer acceptance and due diligence policies and legal provisions regarding the prevention and combating of money laundering and terrorist financing, International/US Sanctions, as well as legal provisions regarding the prevention and combating of fraud, the Bank may apply one or more of the measures provided in paragraph (2) in any of the following situations:..... 

 In article 3.2, point 3.2.1 is amended to include the following text at the end: 

 3.2.1. "... Exceptionally, credit card accounts cannot have Authorized Persons." 

 In article 3.6, point 3.6.4 is amended and will have the following content: 

3.6.4 In the cases provided in art. 3.6.3 letters a), b), c), d), f) above, the Bank will notify the Client of the measure taken within a maximum of 5 working days from the decision, according to the rules in section 8.2 "Notifications". In the case provided in art. 3.6.3 letter e), the account closure is done without notification. 

 Article 3.6 is amended with a new point 3.6.7 which will have the following content: 

 3.6.7 (1) Specific Contracts terminate under the conditions and cases mentioned within them, which are supplemented by the account relationship termination cases provided in art. 3.6.3 of this document. 

 (2) The GTC provisions will apply until the Client no longer holds any Specific Contract in force with the Bank, from which date the business relationship with the Bank is considered terminated. However, any complaints, requests, disputes, claims filed/introduced by the Client after the business relationship with the Bank has ended or which were initiated earlier and are ongoing at that date, will be analyzed concerning the provisions of the Specific Contract and/or GTC in force at the date the act/event/obligation complained/requested/contested by the Client was concluded/occurred/performed.  

 

CHAPTER 4 - PROVISIONS REGARDING PAYMENT OPERATIONS 

 In article 4.6, points 4.6.2 and 4.6.3 are amended and will have the following content: 

 4.6.2. The Bank may, at the Client's request, undertake the necessary steps to revoke Payment Orders instructed by the Client after the payment authorization moment (the Client's expression of consent regarding the execution of the payment operation), only if the following conditions are cumulatively met: 

 a) The Client completes the specific form provided by the Bank for revocation purposes. 

 b) The Client pays the fee associated with the requested operation. 

 c) The Payment Order has not yet been executed; 

 d) The currency of the Payment Operation is expressed in lei and the beneficiary's bank is located outside Romania, or the currency of the Payment Operation is in foreign currency, and the beneficiary's bank is located in Romania or outside Romania. 


4.6.3. The Bank cannot guarantee the successful revocation of a Payment Order if: 

 a) the payment instruction has already been transmitted to the beneficiary's bank in the case of interbank payment operations. 

 b) the transaction amount has already been credited to the beneficiary's account in the case of intrabank payment operations; in this case, revocation can only be carried out with the beneficiary's consent. 

 c) The currency of the Payment Operation is expressed in lei and the beneficiary's bank is located in Romania. 


In article 4.9, point 4.9.2 is amended and will have the following content: 

 4.9.2. (1) The Bank acts in accordance with the provisions of national and international legislation and regulations regarding the sanctioning of money laundering and the prevention and combating of terrorism financing, the implementation of International/US Sanctions, established for certain states, entities, and persons, as well as in accordance with regulations regarding: 

 (i) restrictions on operations with dual-use products (export, transfer within the European Union, brokerage services, technical assistance, and transit involving: products, including software and technologies, that can have both civil and military use, and including products that can be used for the design, development, production, or use of nuclear, chemical, or biological weapons, or their delivery systems, including all products that can be used for non-explosive purposes and also contribute in any way to the manufacture of nuclear weapons or other nuclear explosive devices). 

 (ii) restrictions on operations with military products (export, import, and transfer, on a definitive or temporary basis, from or into Romanian territory, brokerage, transit through Romania, transshipments carried out on Romanian territory involving any product from the List of categories of military products subject to export, import, and other operations control regime, provided in the annex to the Government Emergency Ordinance no. 158/1999 regarding the control regime of exports, imports, and other operations with military products and any subsequent normative act that will replace this emergency ordinance. 

 (2) Consequently, the Bank will not be liable for any losses or damages of any kind (including moral) directly or indirectly suffered by the Client or third parties as a result of compliance with these regulations, resulting from: (i) delayed execution/non-execution by the Bank of any Client's payment instruction; (ii) blocking/closing of the Account/payment instruments; (iii) termination of Specific Contracts. 

 In article 5.1, points 5.1.2 paragraph (2), 5.1.3, 5.1.5, and 5.1.6 are amended and will have the following content: 

(3) The virtual card is a card issued exclusively on a digital medium that allows transactions on the internet and at Terminals. For transactions at Terminals, prior registration of the card in Electronic Wallets is required. The virtual card can be viewed and registered in Electronic Wallets exclusively through the Smart Mobile application. 

 5.1.3 Cards can be used in the physical environment (applicable for embossed cards) and in the electronic environment (applicable for flat, embossed, and virtual cards), in Romania and abroad. 

 5.1.5 (1) The Bank delivers the debit/credit card issued on a physical medium (at the first issuance, automatic renewal upon expiration, or reissuance at the Client's request) to the correspondence or domicile address in Romania, communicated by the Client to the Bank through specific forms or channels provided by the Bank, as applicable. The Card User will be informed about the card delivery via SMS to the phone number communicated to the Bank or through push notification via the Smart Mobile application. If the Card cannot be delivered to the Card User after 3 (three) consecutive attempts, the Card will be returned to the Bank and will be delivered to the Client according to the details in paragraph (2). 

 5.1.6 (1) Activation of the physical Card is done by the Card User at the first transaction at POS/ATM/MFM, by inserting the Card into the terminal and entering the PIN code. PIN codes are communicated to the Card User via SMS to the last mobile phone number declared to the Bank at the most recent data update. The parties agree that after the Card is delivered, the Bank may send the Client messages, through any channel, regarding the activation of this payment instrument. 

 (2) All physical cards issued by the Bank have contactless technology, so they can be used either by inserting the Card into the Payment Terminal or by approaching it, with communication being done via radio waves. The Client can request the Bank to deactivate the contactless functionality of the Card at any Bank agency or through the Call Center Service and must follow the deactivation procedure communicated at the time of the request. 

 In article 5.5, point 5.5.2 letter a) is amended and will have the following content: 

 5.5.2 Card Users are obliged: 

 a) to sign the Card issued on a physical medium on the reverse side in the designated box, upon receipt, using a ballpoint pen; 


CHAPTER 6 - SPECIAL SERVICES OFFERED BY THE BANK THROUGH THE RAIFFEISEN BANK TELEPHONE CALL CENTER SERVICE 

 In Chapter 6, point 6.5 letter b) is amended and will have the following content: 

 6.5 .....b) Checking the balance of the Account to which the debit card is attached, for the primary and additional User, respectively the available credit card limit, exclusively for the primary card User; 

  

CHAPTER 8 - FINAL PROVISIONS 

 In article 8.1, points 8.1.3 and 8.1.7 are amended and will have the following content: 

 8.1.3. Changes to Specific Contracts and GTC are communicated to the Client according to the "Notifications" section or through the communication means specific to each service/product according to the Specific Contract. 

 8.1.7. The Bank will automatically apply specific imperative legal provisions related to the services/products offered to the Client, including credit products, to the extent that these differ from those established in the Specific Contracts, without the need to amend these GTC. 

 In article 8.2, point 8.2.1 is amended and will have the following content: 

 8.2.1. Any requests, notifications, approvals, communications ("Notification") arising from these GTC and/or from the Specific Contracts concluded between the Bank and the Client will be made by the Bank in writing, with the Notification being delivered personally and/or sent by mail and/or by fax and/or by email and/or by SMS text message, to the address (postal and/or email), respectively to the contact numbers (fax or mobile phone), as indicated by the Client through the communication channels provided by the Bank for this purpose or by a message posted within the Raiffeisen Online or Smart Mobile application, push notifications in Smart Mobile for holders of these services, or by publication on the Bank's website with personalized access (e.g., Electronic Statement Service). 

In article 8.2, point 8.2.2 is supplemented with point v) having the following content: 

 (v) in the case of push notifications – on the date the message is posted on the mobile device screen. 

 In article 8.3, point 8.3.2 is supplemented with the following paragraph: 

 8.3.2. ...To amicably resolve any disputes regarding investment services and products, the Client may notify, under the law, the "Financial Supervisory Authority (supervisory authority headquartered at Splaiul Independenței no. 15, sector 5, 050092, Bucharest, tel: 0800.825.627, 021.305.3470) or the National Bank of Romania at the above-mentioned contact details. 

 Point 8.10 is introduced, with the content below, and subsequent points will be renumbered accordingly: 

 8.10. Force Majeure and Fortuitous Event 

 8.10.1. Force majeure exonerates the party invoking it from liability, under the law, after notifying the other party. The party invoking force majeure will notify the other party within a maximum of 5 days from its occurrence and will send the supporting documents, certified by the Chamber of Commerce and Industry of Romania according to the law, within 15 days. The termination of the force majeure case will be communicated under the same conditions. 

 8.10.2. The Bank will not be liable to the Client for losses caused by force majeure or fortuitous events (unpredictable and unavoidable events that cannot be controlled by the parties), including but not limited to: nationalization, expropriation, currency restrictions, measures by regulatory bodies, including but not limited to any agency, governmental body, the National Bank of Romania, labor disputes among the Bank's staff or other entities involved in transactions conducted by the Bank on behalf of the Client and whose services are used by the Bank, boycotts, power or communication network outages or the Bank's equipment, international conflicts, violent or armed actions, acts of terrorism, insurrection, revolution, as well as unpredictable natural events with major negative effects. 

 8.10.3. In all cases where the Bank's liability is engaged, it will be limited to covering the direct and actual damage caused to the Client.