

# EXHIBIT 3: POLICIES AND PROCEDURES TO PREVENT THE MISUSE OF MATERIAL NON-PUBLIC INFORMATION

HR Ratings' policies and procedures to prevent the misuse of material non-public information under Rule section 15E(g) of the Exchange Act and 17 CFR 240.17g-4, are stated in the Company's Rules, which are transcribed as follows:

- A. Policies and procedures for the prevention of inappropriate dissemination within and outside the nationally recognized statistical rating organization of material nonpublic information obtained in connection with the performance of credit rating services.
  - I. Code of Conduct. Section V Prevention of the misuse of material non-public or confidential information
    - V.1. Material non-public or confidential information.

Material non-public or confidential information will be understood as all information received by HR Ratings from an entity or issuer or member of the same business group, or from their accountants, attorneys, or other agents, that is visibly classified by the sender as material non-public or confidential, or regarding which the entity or issuer has requested HR Ratings, in writing, be treated as confidential.

Material non-public or confidential information does not include that which has been made public through any action not imputable to HR Ratings prior to or at the time of its disclosure to HR Ratings. In addition, material non-public or confidential information will also not include information for which the entity or issuer has given authorization for its revelation, or that which may be required by any authority.

The handling of and treatment given to material non-public or confidential information will be subject to that provided in this Code, the Internal Control Manual and the non-disclosure agreements entered into between HR Ratings and the entities or issuers rated, between HR Ratings and its employees, and between HR Ratings and its suppliers who may have access to this type of information.

The General Compliance Department will be the responsible area for overseeing compliance with HR Ratings' policies on the prevention of the misuse of material non-public or confidential information by the Agency's employees, management and board members, for which compliance audits may be performed per the terms laid out in the Internal Control Manual.

V.2. Measures to protect material non-public or confidential information.

HR Ratings has established the following policies and mechanisms to ensure material non-public or confidential information is used solely and exclusively for the tasks of the Agency as a rating agency and to prevent the misuse of material non-public or confidential material.



## V.2.1. Receiving information.

The Agency may receive confidential information by email sent to any Agency employee authorized to intervene in the matter or who has been designated to this effect, according to that established in the Internal Control Manual and the General Operations Plan.

# V.2.2. Protection of files and material non-public or confidential information.

All Agency employees and management who handle information provided by entities or issuers are obliged to adhere to the policies and guidelines for the handling, protection, access and safeguarding of information and files, as contained in the HR Ratings Internal Control Manual.

- All HR Ratings employees and management will clear their desks of information at the end of the workday and whenever they are away from their desk, and also, will shred any documents no longer in use.
- Agency employees are strictly prohibited from removing papers or physical files or electronic files, containing material non-public or confidential information, from the Agency's offices.
- HR Ratings employees are strictly prohibited from transmitting, distributing, or sending information classified for internal use outside the Agency. Information for internal use is information provided by the entities or issuers or working documents containing material non-public or confidential information or documentation obtained or elaborated in the execution of their duties.

#### V.2.3. Access to offices.

As an additional measure of protection for files and material non-public or confidential information, access to HR Ratings' offices will be restricted by fingerprint recognition, therefore visitors will be received in meeting rooms located in spaces that are physically separated from the Agency's operation.

## II. Internal Control Manual. Section 4 - Safeguarding Client information

#### 4. Safeguarding Client information

Client files will be stored in an electronic folder on the Agency's internal electronic system (HTRON) and only the analysts authorized for such purposes will have access.

In addition, the working documents and other information will be stored in the protected folders on the Agency's internal server.

It is prohibited to store or hold confidential information or any information generated, received or delivered by HR Ratings or any employee in the exercise of its functions on the computer's hard drive or on the desktop out of the Agency's internal server.

Both the information stored on the Agency's internal electronic system (HTRON) and that stored in the electronic folders on the HR Ratings internal server will be backed up daily.



The backup and custody will be executed under the strictest conditions of security and confidentiality, in adherence of the Agency's disaster prevention procedure for electronic information, which is included in the Technological Infrastructure Protocol.

The employees responsible for the security of electronic information inside the Agency will be held to the same rules of confidentiality and information handling applicable to the individuals involved in the rating process.

As a preventive measure, the people that provide the data backup and outside support services, and also those that, where applicable, provide scanning services for hard copies of information received from Clients will sign a non-disclosure agreement with the Agency, to ensure the proper handling of the information to which they have access.

Client files will be held for at least 5 (five) years or the time set by the applicable law, from the date on which the rating process in question is completed and will be available to the supervisory and regulatory authorities during this time.

#### a. Transmission or distribution of information

Agency employees are strictly prohibited from removing any documents or electronic files containing non-public or confidential information or any information generated, received, or delivered by HR Ratings or any employee in the exercise of its functions from the offices of HR Ratings.

In addition, HR Ratings employees are strictly prohibited from transmitting, distributing, or sending information classified for internal use outside the Agency, with the exception of communications with the Client concerned. Employees are strictly prohibited from sending information for internal use to their personal email outside the Agency.

Information for internal use is that provided by the entity or issuer or working documents containing non-public material or confidential information.

Client information will be sent solely to the person or persons the client has designated as responsible for communication with HR Ratings and must be marked confidential. The designated persons shall be updated on the internal control system (HTRON).

The files corresponding to the analysis reports, press releases, or rating letter will be sent to the persons authorized by the client to send and receive information, through the system the Agency defines to protect non-public material or confidential information.

Analysts will only share information for internal use within the Agency with the members of the analysis team that is handling the matter in question.

Both the Agency and its employees, management, shareholders, and board members are strictly prohibited from disclosing ratings prior to their release through the corresponding means indicated in the Agency's General Operation Plan.



The Agency will release to the public through its webpage the ratings given on securities registered, or to be registered, in the national securities register, and the ratifications, amendments and/or cancellations of these ratings.

The ratings assigned by the Credit Analysis Committee will only be provided to the entity or issuer prior to being released through the corresponding media as outlined in the General Operation Plan. Ratings requested by a third party involving the use of private information will be provided to the third party, applying the policies and procedure contained in the General Operation Plan of the Agency.

As part of the control measures to prevent the misuse of non-public material or confidential information or any information generated, received or delivered by HR Ratings or any employee in the exercise of its functions, the computers of HR Ratings employees will be blocked from extracting information and introducing information via portable storage devices, such as removable hard drives, CDs, USBs, etc.

In the event any information contained on the Agency's internal server is required to be extracted to be stored on a portable device, or the extraction of information contained on a portable device to be introduced into the internal server, the IT Department will be asked to intervene and perform this action using a computer thusly enabled. The IT Department may place the information extracted from a portable device on the internal server, after performing a security check.

Any extraction of information from the internal server or introduction of information into the server will be duly documented in an information input/output log, indicating the name of the person, the type of file and information, and the date of the extraction (download) or introduction (upload). The Compliance Officer may audit these activities.

In addition, the Agency will have a firewall in place to block access to personal email accounts by employees via public websites, therefore employees will only have access to the Agency's email.

The Compliance Officer may conduct audits of the IT infrastructure to verify the firewall and blocking for the extraction of information on the Agency's computers are working correctly.

#### a.1 Principles for the use of social networks

Information posted on corporate and personal social networks circulates freely in seconds. The publication of wrong, offensive or defamatory information or simply a word or comment misspoken could have serious consequences for the corporate image and reputation of HR Ratings. Therefore, all employees shall follow the following guidelines:

- Employees are strictly prohibited from taking pictures or video inside de Agency or at HR Rating events to be posted on social networks.
- All your opinions should be separated from those of HR Ratings.
- Do not share confidential information of HR Ratings, its clients or suppliers.



- Do not ever use the logos or trademarks of HR Ratings without prior written authorization.
- It is prohibited to be rude with your audience.
- Do not ever publish something that can be interpreted as a threat, discrimination or intimidation towards any HR Ratings colleague.
- Be careful with your spelling.
- Treat your coworkers with respect.
- Before making a comment think about how you would express yourself in front of an audience or in a meeting.
- You are responsible for all your comments and posts.
- b. Sending information to the financial authorities

Only the persons authorized by the supervisory and regulatory authorities corresponding will be permitted to send information via the electronic receiving systems of these authorities. In addition, said responsibility may be delegated internally to other Agency employees.

The codes the financial authorities provide to the Agency to access the electronic systems will only be known to and used by the persons designated internally to send information, therefore such persons are obliged to not reveal these codes to third parties and will be responsible for any improper use of same.

- B. Policies and procedures to prevent any person within the nationally recognized statistical rating organization from purchasing, selling, or otherwise benefiting from any transaction in securities or money market instruments when the person is aware of material nonpublic information obtained in connection with the performance of credit rating services that affects the securities or money market instruments.
  - I. Code of Conduct. Section VII "Conflicts of Interest" VII.2 "Measures to eliminate conflicts of interest" VII.2.3 "Securities Transactions".

#### VII.2.3. Securities Transactions

- 1. Will be considered as "Securities Transactions" those operated directly or indirectly on:
  - a) Securities registered in the National Securities Register (the "Register"). Securities are shares, interests, obligations, notes, options, certificates, promissory notes, bills of exchange, and other negotiable instruments, registered or not, that can be traded on the securities markets, which are issued in series or in masse and represent the equity of an entity, a proportional part of an asset, or interest in a collective loan or any individual credit right, under the terms of the applicable local and foreign laws.
  - b) Certificates of deposit, commonly known as American Depositary Receipts ("ADRs") or similar instruments on foreign markets, representing the Securities mentioned in the previous point, or similar or analogous instruments.



- c) Derivative financial instruments as long as their underlying assets are registered Securities.
- d) Bank securities representing debt on a term equal to or less than one year serviced by a credit institution.
- 2. The following investments are not considered Securities Transactions:
  - a) Shares in investment funds.
  - b) Securities issued by any sovereign entity.
  - Indexed trust certificates (representing rights on securities, assets, derivatives, or other assets that seek to replicate the behavior of one or more indexes, financial assets, or reference parameters).
  - d) Certificates referring to a group or basket of shares or price indexes.

The following persons are prohibited from operating or maintaining Securities Transactions involving any entity or issuer that is a client of HR Ratings:

- HR Ratings, as a legal entity;
- Analysts that participate in the rating process of the entity or issuer;
- Members of the Credit Analysis Committee that participate in the rating of the entity or issuer, and
- Persons who, as a result of their duties, may have access to privileged information, per the terms of section VII.2.4 of this Code.

All new Agency employees and board members will submit, on their entry or appointment date, a statement of the Securities Transactions they hold directly or indirectly in any entity or issuer rated by HR Ratings; and also those of their spouse, partner, or minor-aged children using the form contained in **Appendix 1 "Securities Transactions Report"** to this Code.

In addition, all Agency board members and employees who executes a transaction with Securities Transaction of any entity or issuer rated by HR Ratings will notify the Chief Compliance Officer using the form contained in **Appendix 1 "Securities Transactions Report"** hereto, within 10 (ten) business days following the operation of the Transaction in question.

Notwithstanding the above mentioned, all Agency employees and board members must complete and submit **Appendix 1 "Securities Transaction Report"** every 6 (six) months. The semiannual endorsement will indicate all securities transactions operated by the employee or board member to date with any entity or issuer rated by HR Ratings, regardless whether these have been previously reported.

For purposed of reporting bank titles representing a debt equal to or less than one year serviced by a bank rated by HR Ratings, the renewable titles must be reported only once, indicating this characteristic in the report.



The corresponding bank or securities account statement will be appended to the securities transactions report, dated no more than 3 (three) months prior where said operations are stated, having the employees or board members the right to attest information not relevant to the operation reported.

In order all employees and board members of HR Ratings have all the needed information to fulfill the provisions of this sections, HR Ratings will maintain on the Agency's internal electronic system (HTRON) a list of the entities or issuers rated by HR Ratings and which are public (the "Public Ratings List"). All Agency employees and board members will have access to this list.

In addition, the Agency will maintain a list of entities or issuers who request privacy or whose initial rating process has been completed, but their rating has not been released (the "Private Ratings List"), to which only the Agency's Chief Executive Officer, Compliance, Risk and Operations Area personnel, Business Development Department personnel, the analysis Director and the members of the Board of Directors will have access. Both client lists will be maintained current on the Agency's internal electronic system (HTRON).

HR Ratings, through the Compliance Department, will take the measures necessary to ensure that Securities Transactions by members of the Board of Directors, management, the technical personnel responsible for the preparation of reports on and the subsequent surveillance of, the credit quality of securities or clients of the Agency, and employees in general, do not generate any conflict of interest.

The limitations on Securities Transactions laid out in this section and the disclosure of these will apply equally to Transactions operated by the spouse, partner, or minor aged children of the credit analysis management or technical personnel involved in the rating process.

For the purposes of the previous paragraph, HR Ratings employees, management and board members will make every effort to inform themselves of securities transactions operated by their spouse, partner and/or minor aged children. No bank or securities account statement will be required for these transactions.

## VII.2.4. Use of privileged information

For the purposes of this section, a relevant event is any fact, act, or occurrence, of any nature, that could or would influence the prices of registered securities.

HR Ratings board members, management and employees are strictly prohibited from:

- Obtaining any benefit from any Securities Transaction gained from the use of privileged information obtained from having participated in the rating process for these securities, or in the course of their duties.
- Providing or transmitting privileged information to other persons, being required to meet compliance with that established in the HR Ratings Internal Control Manual for the handling of non-public or confidential information.



Issuing recommendations on any securities or negotiable instruments, the price or quote for which could be influenced by the use of privileged information.

It is considered Privileged information the knowledge of relevant events that have not been disclosed to the public by an issuer through the market on which their securities are traded.

It is not necessary that the person know all the details of the relevant event to be considered to have privileged information, provided the part to which they have access could influence the price or quote of an issuer's securities.

The Compliance Department will be responsible for monitoring the policies on securities transactions and the use of privileged information.

Any improper use of privileged information will be considered a very serious fault that will be sanctioned according to the criteria established in **Appendix 12 "Criteria for determining the severity of violations of the Company Rules"** of this Code.

- C. Policies and procedures that prevent the inappropriate dissemination within and outside the nationally recognized statistical rating organization of a pending credit rating action before issuing the credit rating on the Internet or through another readily accessible means.
  - I. Code of Conduct. VI. "Transparency and revelation of information".
    - VI.1 Transparency
      - 1. HR Ratings will take the following measures to guarantee the transparency of its activities:
        - o Inform the entities and issuers, prior to the signing of the service contract, through the Business Development Department, of the current rates or fees for the provision of the rating service. In addition, HR Ratings will inform the entities and issuers, through this same department, of adjustments made to the annual maintenance fees, prior to the payment date for the annual renewal.
        - Prior to the publication of a rating or modification, whenever feasible, HR Ratings will provide all relevant information to the entity or issuer, and also the principal factors that were taken into account to assign a certain rating.

Also, HR Ratings will consider any clarification made by the entity or issuer that would result in a more accurate rating, in accordance with the procedure established in the Agency's General Operations Plan. Under any circumstances, HR Ratings will not offer additional services or renegotiate any clause in the service contract as a result of the clarification procedure outlined here.

HR Ratings may release a rating, or an amended rating, without informing the entity or issuer rated in advance in the event of any circumstance that would directly affect the rating and of which market participants should be informed immediately, given



the material impact the event could have on their perspective of the corresponding entity, issuer, or transaction.

In the event HR Ratings fails to deliver to the entity or issuer rated the analysis report or press release, prior to the release of a rating, HR Ratings will do so immediately following the release giving the reasons for the delay.

- Incorporate into the press release, through which the rating is published, the items indicated in the Agency's General Operations Plan, and those mentioned in the Provisions and in local legislation applicable to HR Ratings, making an effort to use clear and easily understood language.
- In case it has obtained revenues for concepts different from the rating securities service from issuers or entities, HR Ratings will indicate the part such revenues represent in relation with the aggregate revenues earned by each entity or issuer as a result of their main activity.
- Upon publication of a rating, HR Ratings will not disclose any entity or issuer nonpublic or confidential information, according to the instructions of such entity or issuer.
- Ratings that are not required for securities offerings may be kept private until said entity or issuer requests their release. The release of the assigned rating may be executed without calling a Credit Analysis Committee in order to agree on said publication, unless additional information has been provided or there are new elements that may have an impact on the rating assigned.
- 2. The obligation to publish initial ratings for possible securities offerings applies only in the countries where this is required by law.
- 3. The inappropriate dissemination within and outside HR Ratings of a pending rating action before issuing the credit rating on the Internet or through another readily accessible means is strictly prohibited.
- 4. HR Ratings will publish the following information on its website free of charge and non-selectively:
  - O Press releases for the ratings assigned, modifications, or the withdrawal of a rating, and also the decision to suspend the surveillance of a rating, giving the reasons for such action. The foregoing with the exception of private ratings, which will be provided only to the requesting entity or issuer. Press releases will be available on the website of the Agency for at least 12 (twelve) months from their publication.
    - Moreover, HR Ratings will issue a press release on the decision of an entity to rescind their service contract, when it is known that such rescission has resulted from a modification to downgrade their rating, the business day following the rescission.
  - The historic information on the annual rates for default for each of the rating categories, and also the transition matrices across the ratings given.



- The methodologies used for the rating of the entities, issuers and/or offerings, and any material change to these documents, and also the rating process.
- In case of amendments on the rating methodologies and procedure, the reason or justification of said amendments will analyze whether the amendments could result in changes to any current rating.
- Notice of the existence of any significant error identified in any procedure or methodology that could result in any change to any current rating.
- Comments received from the market, in general, through the HR Ratings website, regarding new methodologies or modifications to methodologies, and also those received related to a current methodology, as well as the corrective action taken.

The Agency will maintain public the comments received regarding the draft for a new methodology or modification of a methodology for a minimum of 10 (ten) calendar days, from the date the corresponding draft is published.

The comments received regarding a current methodology will be maintained on the Agency's website until such time as the methodology in question is modified and the draft is published to receive new comments from the market.

- The follow-up processes for a rating, the frequency of the reviews, and also the criteria for the withdrawal or suspension of a rating.
- The structure and voting process for the committees that determine the ratings and the surveillance of the same, accordingly.
- The scales, nomenclatures and their definitions, and also the definition of default as agreed to by the Methodology Committee.
- A list of the ratings given to each entity or issuer from the date of the initial rating action. The foregoing provided the rating has been modified.
- This Code and modifications thereof, within the 2 (two) business days following the date they have been approved by the authority, for such purposes, in charge of the case.
- Contact information for:
  - Any question any market participant may have regarding the rating methodologies.
  - Any question any market participant may have regarding the Agency's company rules.
  - Business and entities or issuers development.
- The annual report, approved by the Board of Directors, containing relevant information on the activities of HR Ratings, its structure, the number of ratings given, changes to the Agency's policies, procedures, and other relevant items



during the corresponding year. The report will be released the same day it is submitted to the CNBV.

- The powers of the Board of Directors and the independent board members, and also the number of independent board members serving the Agency, including the statement explaining that such board members do not meet any of the scenarios mentioned in sections I to V of article 26 of the Securities Market Law.
- Initial ratings, and also changes, modifications, or cancellations of ratings, the same day as issued.
- A list of public ratings, and also the deletions, additions and modifications made on the previous month, within the first 5 (five) business days of each month.
- A history of the ratings granted to each entity, issuer, securities or instruments rated by HR Ratings.

\*\*\*\*\*