Managing Risk & Compliance

We apply the Three Lines of Defense model for risk management, which consists of management, oversight and independent assurance. Our executives are responsible for assessing and managing risk with independent guidance and oversight from our company-wide Risk and Compliance Oversight function. Our Board of Directors is responsible for overall risk assessment and management oversight, with the ARC Committee overseeing and reviewing our overall risk management framework. Our Internal Audit program seeks to provide independent assurance and is externally assessed by the Institute of Internal Auditors (IIA) to conform with the IIA Code of Ethics and Standards.

Our Enterprise Risk and Compliance Management Program (ERCM Program) reflects PayPal’s programmatic approach to identifying, measuring, managing, monitoring and reporting key risks facing our Company. In 2022, we revised our enterprise risk categories to reflect our latest assessment.

Our risk management committees oversee the implementation and execution of the ERCM Program, including the Enterprise Risk Management Committee (ERMC). The ERMC is the highest-level risk management committee and is co-chaired by PayPal’s Chief Risk and Compliance Officer and Chief Enterprise Services Officer, which regularly review and discuss the overall effectiveness of the ERCM Program with the ARC Committee and the full Board. To further reinforce the link between our governance of ESG matters and our risk management programs, we regularly report on emerging ESG trends to a subcommittee of the ERMC.

In addition, we formally mapped and integrated key ESG topics and programs into our enterprise risk taxonomy and strive to continually enhance our risk management approach globally. For example, in 2022, in collaboration with our teams across Europe, we identified an initial set of risk metrics to evaluate environmental risk management in the region, in accordance with legal requirements.

Setting Strong Business Resiliency Practices & Policies

We take an enterprise-wide approach to business resiliency in order to manage and minimize the impacts of a disaster or other incidents that may disrupt PayPal business functions, IT systems, customers and the broader financial sector. Our PayPal Resiliency Program is designed to reduce continuity of operations risk, enable mitigation of potential impacts, prepare teams to respond effectively, maintain operations during periods of disruption and safeguard employee welfare. This program applies across PayPal and its subsidiaries, as well as to third parties acting on our behalf.

Aligned with the ISO 22301 standard, the Federal Financial Institutions Examination Council and other governmental regulatory standards, our Enterprise Resiliency Policy outlines scenario planning procedures, functional roles and responsibilities, reporting expectations and documentation management for business continuity and disaster recovery at PayPal. This includes:

• Regular training for identified Incident Response Team members across business functions.
• Requirements for at least annual tabletop exercises and testing to provide ongoing readiness.
• Recovery and restoration protocols following an incident.

Protecting the Health & Safety of Our People

PayPal Global Safety and Security teams are tasked with monitoring, evaluating and responding to acute and chronic physical risks to our operations, including extreme weather and other events, as part of our incident response procedures.

We also develop and implement risk management procedures and programs related to the personal safety of employees, including accident and injury prevention, wellness promotion and compliance with applicable environmental and health and safety laws and regulations. PayPal’s Environmental Health & Safety (EHS) Policy & Procedures align with the ISO 45001 standard, apply to all PayPal facilities and functional areas and detail the requirements, roles and responsibilities related to environmental health and safety risks, controls, monitoring, reporting and escalation. We are committed to continuing to improve our EHS program and regularly conduct reviews to facilitate compliance with relevant national and local EHS regulatory requirements.
2022 Global Impact Report | PayPal