WHISTLEBLOWING PROCEDURE

Violation Reporting System

pursuant to Legislative Decree 24/2023 and EU Directive 2019/1937

Society

MyGold S.p.A.

Registered office

Piazzale Cadorna Luigi 9, Milan

Legal Representative

Luca Canella

Version

March 2026

Revision

Annual

Recipients

Internal workers, collaborators, customers and third parties

Website

www.therealmoney.com

1. What is Whistleblowing and Why is it Important?

Whistleblowing is the reporting by a person—an employee, collaborator, customer, or other individual—of unlawful, irregular, or non-compliant behavior that they have become aware of in the context of a work context or a professional or commercial relationship.

MyGold SpA (hereinafter ” MyGold ” or “the Company”), a Professional Gold Operator authorised by the Bank of Italy and registered with the OAM, has adopted this Whistleblowing System in the belief that timely reporting of any violations is a fundamental tool for:

  • Prevent illegal or non-compliant conduct before it causes damage;
  • Protect customers, workers and the integrity of the precious metals trading business;
  • Promote a corporate culture based on legality, fairness and transparency;
  • Comply with the obligations set forth in Legislative Decree 24/2023 and adopt international best practices in governance.

MyGold Whistleblowing System is adopted in compliance with Legislative Decree 24/2023 and represents, for a Professional Gold Operator — Banco Metalli, a voluntary choice of best practices in governance, legality, and transparency, consistent with the highest standards in the precious metals sector and with the AML/CFT obligations set forth by current legislation.

The system adopted by the Company is based on tools that guarantee the utmost confidentiality of the whistleblower’s identity, the protection of personal data, and the absolute prohibition of retaliation of any kind against those who make a report in good faith.

1.2 Objectives of the whistleblowing system

MyGold Whistleblowing System pursues the following fundamental objectives:

  • Prevention: promptly identify non-compliant conduct or conduct that is potentially harmful to corporate integrity;
  • Protection: Protect whistleblowers from any form of retaliation or discrimination;
  • Transparency: ensuring a clear, defined process that is accessible to legitimate parties;
  • Continuous improvement: use reporting as a tool to strengthen compliance controls;
  • Regulatory compliance: ensuring compliance with applicable regulations.

1.3 Scope of application

This document governs the Company’s whistleblowing system and, in particular:

  • a) defines the reporting management system pursuant to applicable legislation;
  • b) establishes organizational roles and responsibilities in managing reports;
  • c) regulates staff training and awareness-raising activities;
  • d) implements a whistleblowing system compliant with Directive (EU) 2019/1937 and Legislative Decree 24/2023;
  • e) ensures the protection of whistleblowers and the correct management of reports of regulatory violations.

1.4 Guiding principles

MyGold ‘s Whistleblowing System is based on the following principles:

  • confidentiality of the whistleblower’s identity;
  • prohibition of retaliation of any kind;
  • access to the system via a single internal channel ( MITWhistle platform );
  • timeliness in managing and responding to reports;
  • proportionality of actions to the seriousness of the violations;
  • traceability of reports and management activities.

1.5 Definitions

Pursuant to Article 2 of Legislative Decree No. 24 of 10 March 2023, the following definitions apply:

Term

Definition

Reporting

The natural person who reports or publicly discloses information about violations acquired in the context of his/her work

Internal reporting

Written or oral communication of information on violations, carried out through the internal reporting channel activated by the Company pursuant to Article 4 of Legislative Decree 24/2023 24/2023

External reporting

Written or oral communication of information on violations, carried out through the external reporting channel activated by ANAC pursuant to Article 7 of Legislative Decree 24/2023 24/2023

Public disclosure

Making information about violations public through the press, electronic media, or means of dissemination capable of reaching a large number of people, pursuant to art. 15 of Legislative Decree 24/2023 24/2023

Violations

Actions or omissions, committed or likely to be committed by the Company, which harm the public interest or the integrity of the entity and which consist of: administrative, accounting, civil or criminal offenses; unlawful conduct relevant pursuant to Legislative Decree 231/2001; offenses falling within the scope of application of European Union or national acts.

Information on violations

Information, including reasonable suspicions, regarding violations committed or likely to be committed in the organization with which the whistleblower interacts in the context of his/her work

Work context

Work or professional activities, present or past, carried out in the context of employment relationships with the Company, through which individuals acquire information about violations

Person involved

The natural or legal person mentioned in the report as the person to whom the violation is attributed or as a person otherwise implicated in the reported violation

Facilitator

The natural person who assists the whistleblower in the reporting process, operating in the same work context and whose assistance must be kept confidential

Retaliation

Any behavior, act or omission, even if only attempted or threatened, carried out as a result of the report and which causes or may cause unjust damage to the reporting person

Protective measures

Measures aimed at protecting the whistleblower, the facilitator and the subjects connected to the whistleblower from retaliation

Report Manager

The individual designated by the Company, with autonomy and independence, responsible for managing the internal reporting channel, identified in the MyGold Compliance Officer .

Anonymous report

Reports made without identifying the whistleblower; if the whistleblower is subsequently identified, the protections provided by Legislative Decree 24/2023 apply. 24/2023

2. Regulatory References

This Procedure is adopted in accordance with the European and national regulatory frameworks regarding whistleblowing, compliance, personal data protection, and corporate risk prevention. Specifically, MyGold ‘s reporting system is governed by the following main regulatory sources:

  • Legislative Decree 24/2023 — implementation of Directive (EU) 2019/1937 on the protection of persons reporting infringements;
  • Directive (EU) 2019/1937 — protection of persons reporting breaches of European Union law;
  • Legislative Decree 231/2001 — regulation of the administrative liability of entities and organizational models;
  • Regulation (EU) 2016/679 (GDPR) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 — protection of personal data;
  • Legislative Decree 231/2007 — legislation on the prevention of money laundering and terrorist financing;
  • Law 7/2000 — regulation of gold brokerage activities and Professional Gold Operators (OPO);
  • Bank of Italy provisions regarding the organization, procedures, and internal AML controls for Professional Gold Operators.

3. Who Can Make a Report

MyGold ‘s Whistleblowing System is accessible to anyone who, in a work, professional, or commercial context, becomes aware of violations pursuant to applicable law. Reports may be made by both internal and external parties, who are granted the same protections provided by applicable law.

3.1 Internal whistleblowers — workers and collaborators

All individuals who work or have worked for MyGold in any capacity are entitled to make reports:

  • Permanent and fixed-term employees;
  • Collaborators, consultants and freelancers;
  • Interns and trainees;
  • Temporary workers;
  • Directors, auditors and members of corporate bodies;
  • MyGold commercial network ;
  • Former employees or collaborators, for facts of which they became aware during the relationship;
  • Candidates in the selection phase, based on facts learned during the hiring process.

3.2 External whistleblowers — customers and third parties

External parties who have or have had professional or commercial relationships with the Company are also entitled to make reports, including:

  • MyGold customers , limited to facts learned in the context of the relationship with the Company;
  • Suppliers, business partners and third parties who operate or have operated on behalf of the Company;
  • Other persons who, in the context of professional or commercial relationships, have acquired knowledge of significant violations.

3.3 Conditions for the protection of the whistleblower

The protections provided by this Procedure apply to whistleblowers who submit reports pursuant to Legislative Decree 24/2023, provided that, at the time of reporting, they have reasonable grounds to believe that the information communicated is true and falls within the scope of the relevant violations pursuant to applicable legislation. Specifically, the report must be made:

  • based on information learned in the work and professional context;
  • with a reasonable belief in the veracity of the facts reported;
  • without abusing the reporting tool.

Reports made with intent or gross negligence, as well as those that are manifestly false, unfounded, or instrumental, are excluded from protection. Such reports may result in disciplinary liability for workers, civil liability for damages caused to third parties, and criminal liability for defamation (Article 368 of the Criminal Code) or slander (Article 595 of the Criminal Code).

4. What Can Be Reported

Violations — or reasonable suspicions of violations — of the following categories of internal rules and procedures applicable to the Company may be reported:

4.1 Violations of anti-money laundering (AML/CFT) regulations

Pursuant to Legislative Decree 231/2007:

  • Failure to identify customers or violations of customer due diligence obligations;
  • Failure to report suspicious transactions to the UIF;
  • MyGold ‘s internal KYC procedures ;
  • Deficiencies in the prevention of money laundering and terrorist financing.

Suspicious transaction reports (SOS) must be made through dedicated AML channels and not through the whistleblowing system.

4.2 Violations of the Professional Gold Operators Regulations

Pursuant to Law 7/2000 and Bank of Italy provisions:

  • Irregularities in the purchase and sale of investment gold or precious metals;
  • Deficiencies in the traceability and recording of precious metal transactions;
  • Violations of reporting obligations to the Bank of Italy and the OAM;
  • Improper behavior towards customers in the purchase and sale of investment gold.

4.3 Violations of governance and internal controls

Pursuant to Legislative Decree 231/2001 and internal procedures:

  • Deficiencies in corporate governance, internal controls, or conflict of interest management;
  • Behaviors that do not comply with the company’s Code of Ethics and the Company’s principles of integrity;
  • Conduct relevant pursuant to the legislation on the administrative liability of entities ( Legislative Decree 231/2001);
  • Violations of corporate cybersecurity policies and data protection measures.

4.4 Violations of personal data protection

Pursuant to Regulation (EU) 2016/679 (GDPR):

  • Processing of personal data without a valid legal basis or in violation of the principles of the GDPR;
  • Failure to take adequate security measures, including unauthorized access or loss of data;
  • Failure to manage data breach obligations , including failure to notify the Guarantor;
  • Violations of data subjects’ rights.

4.5 What CANNOT be reported through this channel

The following are not included in the scope of this whistleblowing system:

  • Personal complaints relating to employment or business relationships, to be handled through ordinary channels;
  • Differences of opinion on management or strategic choices;
  • Reports that are completely unfounded or manifestly specious;
  • Information already in the public domain, unless it is related to possible significant violations;
  • Reports of suspected money laundering transactions — to be submitted via the dedicated AML channel;
  • Complaints relating to products or services, to be handled through the company complaints procedure.

The reporting system does not replace ordinary assistance or complaint channels.

5. How to Report — The Three Channels

MyGold provides whistleblowers with a reporting system compliant with current legislation, designed to ensure confidentiality, security, and protection of the whistleblower. Reports can also be submitted anonymously. However, providing a personal contact information can facilitate any requests for clarification or updates.

The Company will issue an acknowledgement of receipt of the report within 7 days, pursuant to Article 5 of Legislative Decree 24/2023.

5.1 Official Internal Channel — MITWhistle Platform

The official internal channel for submitting reports is the dedicated digital platform:

( INSERT MITWHISTLE LINK — to be completed )

The platform allows:

  • written and anonymous reports;
  • confidential communication with the report manager;
  • data protection through encrypted systems;
  • separation between the identity of the reporter and the content of the report.
The system is provided by a specialized external provider. The personal data is handled in compliance with current legislation, and privacy roles are defined in accordance with the GDPR.

5.2 Residual alternative channel

Alternatively, and only if it is not possible to use the platform, it is possible to:

  • request a direct and confidential interview with the Compliance Officer;
  • submit a report via confidential written communication.

These channels, however, guarantee the confidentiality of the whistleblower and are managed according to the same protections provided by the legislation.

5.3 External Channel — ANAC

If the conditions set forth by applicable legislation are met, the reporting party may submit a report through the external channel managed by ANAC, pursuant to Article 6 of Legislative Decree 24/2023. 24/2023. Use of the external channel is permitted, among other things, in the following cases:

  • the internal channel is not active or does not comply with the regulations;
  • the internal report has already been made and has not been followed up;
  • there are reasonable grounds to believe that using the internal channel could expose the whistleblower to the risk of retaliation;
  • there is an imminent or obvious danger to the public interest.

5.4 Public disclosure

In the cases provided for by law, the whistleblower may publicly disclose information, for example through the press or media, if: an internal or external report has not been followed up; there is an imminent or evident danger to the public interest; or there are reasonable grounds to believe that the report will not receive an adequate response (Article 15 of Legislative Decree 24/2023).

6. Content of the Report

To enable effective management of the report, it is helpful — but not mandatory — to provide the following information:

  • description of the reported facts (what happened, in what context and with what frequency, if any);
  • dates or period in which the events occurred;
  • place where the events occurred;
  • subjects involved, if known;
  • any supporting documentation ( emails , contracts, screenshots, other);
  • how the facts were learned.

The whistleblower does not need to be absolutely certain that the violation has occurred: it is sufficient to have reasonable grounds to believe that the reported facts are true. Pursuant to Legislative Decree 24/2023, the whistleblower’s protection applies regardless of the outcome of subsequent investigations.

7. Whistleblower Protection Measures

MyGold guarantees maximum protection to those who report in good faith, in compliance with Legislative Decree 24/2023 and EU Directive 2019/1937.

7.1 Confidentiality of identity

The identity of the whistleblower is treated with the utmost confidentiality. It is known only to those authorized to handle the report and is not disclosed to third parties without the whistleblower’s explicit consent. All reports and documents relating to the report are prepared so as not to contain references that could allow the whistleblower to be identified.

The identity of the whistleblower may be revealed only in the following cases provided by law:

  • legal obligation, at the request of the Judicial Authority in the context of criminal investigations;
  • defense needs of the accused, within the limits and according to the guarantees provided by the judicial authority;
  • explicit consent of the whistleblower.

In such cases, where possible and not prejudicial to the investigation or the safety of the whistleblower, the Company will inform the whistleblower in advance.

7.2 Absolute prohibition of retaliation

The Company prohibits any form of retaliation, discrimination, or detrimental behavior toward the whistleblower, their colleagues, or their family members as a result of reporting. Retaliation includes, for example:

  • dismissal, suspension or failure to renew the contract;
  • demotion, transfers or worsening changes in working conditions;
  • reduction in pay or benefits;
  • negative evaluations not justified by objective criteria;
  • mancata promozione o avanzamento;
  • acts of mobbing, isolation or undue pressure;
  • interruption or worsening of the commercial relationship (for external parties).

Reporters who believe they have suffered retaliation can use the internal channel via the dedicated platform or, in cases provided for by law, contact external channels (ANAC) or public disclosure.

7.3 Extended Protection

The protections provided by this Procedure also extend to:

  • facilitators: people who assist the whistleblower in the reporting process (legal, trade union representative);
  • colleagues and family members of the whistleblower who may suffer retaliation in connection with the report;
  • entities controlled by the whistleblower: companies or entities where the whistleblower works or in which he or she holds shares.

7.4 Processing of the whistleblower’s personal data

The whistleblower’s personal data is processed in compliance with Regulation (EU) 2016/679 and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 101/2018. Processing occurs exclusively for purposes related to managing the report and is based on fulfillment of a legal obligation pursuant to Art. 6, paragraph 1, letter c) of the GDPR. The data is retained for the time strictly necessary to manage the report and in any case no longer than 5 years after the closure of the proceeding, unless otherwise required by law. For further information, please refer to the privacy policy available on the company website.

8. How We Handle Reports

MyGold adopts a structured six-phase reporting process, with defined timeframes in compliance with the terms set by Legislative Decree 24/2023: 24/2023:

Phase

Timing

Activity

Responsible

1. Reception

Day 0

Receipt via the MITWhistle platform , automatic logging and registration in the confidential register, with segregation of the reporting person’s identifying information

Compliance Officer / MITWhistle System

2. Confirmation

Within 7 days

Sending a receipt acknowledgement to the reporting party via the platform, with the practice code and an indication of the timing, pursuant to Legislative Decree 24/2023 24/2023

Compliance Officer

3. Evaluation

Within 30 days

Admissibility analysis, assessment of severity and urgency, and possible request for additions to the reporting party

Compliance Officer

4. Investigation

Within 90 days

Documentation collection, interviews with those involved, technical checks, and regulatory analysis. External consultants may be involved, ensuring confidentiality is maintained.

Compliance Officer + any consultants

5. Resolution

Within 90 days

Report submission to the Board of Directors, resolution on corrective and/or disciplinary actions

Board of Directors on the proposal of the Compliance Officer

6. Feedback

Within 90 days

Communication of the outcome to the reporting party (within the limits of confidentiality), initiation of the corrective actions decided upon

Compliance Officer

All stages of the process are conducted with the utmost confidentiality by the whistleblower manager. Confidentiality regarding the whistleblower’s identity extends to all parties involved. The Whistleblower Register is kept confidential and segregated, accessible only to the Compliance Officer and the Board of Statutory Auditors.

9. Management of Conflicts of Interest

MyGold SpA has implemented specific measures to ensure the independent management of reports in cases where conflicts of interest may arise.

9.1 Reporting to the Compliance Officer

If a report concerns the Compliance Officer, it is managed through the MITWhistle platform and assigned directly to the Chairman of the Board of Directors, who is responsible for its investigation. The Compliance Officer is excluded from any access or activity related to the report.

9.2 Reporting regarding the Board of Directors

If the report concerns one or more members of the Board of Directors, the Board of Statutory Auditors is responsible for its management, acting as an independent supervisory body. Reports can be submitted via the MITWhistle platform by selecting the option “reports with conflicts of interest,” or, in cases provided for by law, via the ANAC external channel. The Board of Statutory Auditors may, where necessary, avail of independent external consultants.

10. Relations with the Supervisory Authorities

MyGold cooperates fully with the relevant supervisory authorities:

ANAC

National Anti-Corruption Authority — external whistleblowing channel pursuant to Legislative Decree 24/2023 — whistleblowing.anticorruzione.it

Privacy Guarantor

For questions regarding the processing of personal data — garanteprivacy.it

Judicial Authority

For reports concerning crimes – ordinary procedure

MyGold guarantees that the use of the internal channel does not in any way prejudice the reporting party’s right to use external channels provided for by applicable legislation, in the cases and under the conditions set forth in Article 6 of Legislative Decree 24/2023.

11. Training and Communication

MyGold undertakes to ensure that all subjects to whom this Procedure is addressed are adequately informed and trained on the Whistleblowing System:

  • mandatory training for all staff upon hiring and with annual refresher courses;
  • communication of this Procedure to all collaborators and agents of the MyGold network ;
  • publication of the Procedure on the company website in the dedicated section;
  • making the reporting channel available.

12. Procedure Updates

This Procedure is subject to annual review by the Compliance Officer and the Board of Directors, or whenever significant regulatory changes occur. Any changes are approved by the Board of Directors and promptly communicated to all employees. The updated version is always available on the company website in the Whistleblowing section.