FirstRand Cookie Notice

1. OVERVIEW OF THE FIRSTRAND GROUP

This notice relates to the FirstRand group of companies. References to "FirstRand" or "the group" are to FirstRand Limited and its subsidiary companies, including divisions, segments, business units and branches. Certain subsidiary companies may be excluded from the group description of this notice (such as where the group is involved in private equity investments). The various companies in the group offer financial and non-financial solutions. These solutions include transactional, lending, investment, insurance, telecommunication, technology and consumer products, goods and services. In this notice, solution means any product, service or goods offered by a group company, whether financial or non-financial in nature.

A representation of the simplified group structure that provides an overview of the various businesses/entities that form part of the FirstRand group can be found on FirstRand's website at https://www.firstrand.co.za/the-group/ownership-and-legal-structure/.

2. INTRODUCTION

Privacy is important to the group. This cookie notice applies to all websites that belong to the group and which relate to South Africa, e.g. www.fnb.co.za, www.rmb.co.za, www.wesbank.co.za and www.ashburtoninvestments.com/za (hereinafter referred to as "websites"), and which are authorised on behalf of the group. This cookie notice is available on FirstRand's website.

This cookie notice applies to the group's South Africa-based websites. Please refer to the group customer privacy notice for details of the entities that form part of the group, and the manner in which the group uses personal information. The group privacy notice is available at https://www.firstrand.co.za/investors/esg-resource-hub/policies-and-practices/..

3. WHAT IS A COOKIE?

A cookie is a small piece of data that is placed (usually in the form of a text file) on a user's device, such as a computer, smart phone or tablet, when the user visits a website. A cookie may be labelled with an ID unique to the user and their device. However, the group may not necessarily be able to directly identify the user from the cookie. The purpose of a cookie is to provide a reliable mechanism to "remember" user behaviour (e.g. remembering the contents of an online shopping cart), stateful information (i.e. information which enables the site to keep track of previous actions), and actions the user performed while browsing when not signed up or logged into their online account.

The group does not necessarily know the identity of the user of the device but does see the behaviour recorded on the device. Multiple users of the same device would not necessarily be distinguishable from one another. Cookies could, however, be used to identify the device and, if the device is linked to a specific user, the user would also be identifiable. For example, cookies collected from a device registered to an app (FNB, WesBank, RMB, etc.) will be linked to the user.

In this notice, the term "cookie" can also mean similar tracking technologies that collect data while a user uses FirstRand websites or applications.

4. UNDERSTANDING DIFFERENT COOKIES

First-party and third-party cookies refer to the website or domain using the cookie. Cookies are set by the website that the user is visiting. All cookies are either session cookies or persistent cookies.

First-party cookies

First-party cookies are directly stored by the website (or domain) visited by a user. These cookies allow website owners to collect analytics and data, remember language settings or perform other useful functions that provide a good user experience.

Third-party cookies

Third-party cookies are also set by the website visited but are sent when the user visits the third-party site. Third-party cookies are created by domains separate/different from the website (or domain) that the user is visiting.

• These cookies are usually used for online advertising and cross-site tracking and are accessible on any website that loads the third party's server code, e.g. when a user visits a site and clicks a "like" button, this could be stored in a cookie and, upon visiting the third-party site, the cookie will be used to action the request.
• Another example is when a user browses online for a specific product, finds an advert of interest, clicks on the advert and thereafter closes their browser. Several hours later, the user will notice advertising for the same product that they were browsing for earlier

Sessional cookies

sessional cookie lasts for the length of a user's visit to a website or application. These cookies delete themselves when the user closes their browser or the application, and it can help with security. For example, it can assist in keeping a user logged in as they move around a website.

Persistent cookies

A persistent cookie stays on the user's device when a user closes their browser or application and serves a number of purposes. For example, it can remember certain important information for websites where users have logged in or store their choices for when they revisit a website

5. WHICH COOKIES CAN BE FOUND ON THE GROUP WEBSITES?

When a user visits a group website, the group may include any of the cookies listed in the table below. The table explains what the cookies are used for and the time period for which the cookie could remain valid. Where cookies are only valid for a single session, the cookie will be erased when the user closes their browser. Where cookies persist, the cookie will be stored by the user's browser until deleted by the user.

Types of cookies are outlined in the table below.

Origin	Use	Service	Duration
First-party cookies	Browser/device identification	Enable the group to identify the device/browser.	Persist beyond a single session.
	Authentication	Upon logging into a web server, a cookie will be returned that identifies that the user has been successfully logged in.	Only valid for the single session.
First- and third-party cookies	Analytics	To collect information about how visitors use group websites. This can provide the group with insight on website performance and metrics.	Persist beyond a single session.
Third-party cookies	Marketing and other	Used for tracking, online advertising and marketing purposes.	Persist beyond a single session.

Other terms relevant to cookie usage are outlined in the following table.

Option	Description
HTTP only	Makes the cookie secure by ensuring it is only sent over HTTP protocol. HTTP here only refers to the protocol and communicates clear text as http or https over an encrypted channel. This prevents attackers from secretly extracting it.
Same-site cookie	Makes the cookie secure by limiting the sites to which the cookie is allowed to be sent.
Expiry	Sets the duration a cookie will last before it expires.
Secure	Makes a cookie secure by ensuring it is only sent over a securely encrypted channel.
Path	Helps to protect a cookie by restricting the location where it is allowed to be sent.

6. WHEN WILL THE GROUP USE COOKIES?

The group will only process cookies which identify users for lawful purposes:

• if a user has consented thereto;
• if a person legally authorised by the user, the law or a court has consented thereto on the user’s behalf;
• if it is necessary to conclude or perform under a contract that the group has with the user;
• if the law requires or permits it;
• if it is required to protect or pursue the user’s, the group’s or a third party’s legitimate interest (e.g. for fraud prevention); or
• if the user is a child and a competent person (like a parent) would need to consent thereto on the child’s behalf.

The group may use cookies for reasons including but not limited to:

• fraud, financial crime and other crime prevention, detection or reporting;
• managing and improving security for the group and users (for example to prevent fraudulent use of login details);
• various analytical reasons, for example, how group websites are used so that improvements can be made, for example when users click on an advert for a specific product or solution the number of users interested in such product or solution can be noted;
• tailoring the marketing and advertising users see on social media, applications and websites;
• determining which of the group’s products or solutions may be relevant to a user, for example, to decide which solutions (goods, products, services or rewards) users may be interested in and to customise marketing on various applications and websites, for example when a user clicks on an advert for a current account on the FNB website and such a user interacts with the FNB page, the group will be able to identify that the user is interested in a current account and the user will therefore be shown more current account advertisements; or
• recognising users of group websites, or devices which return to group websites.

7. WHAT HAPPENS IF A USER DOES NOT WANT COOKIES?

All browsers allow users to refuse to accept cookies and to remove current cookies. The methods for doing so vary between different browsers and versions. Users can block cookies on group websites if desired. Blocking certain cookies may have a negative impact on the usability of group websites. For example, the group requires cookies to allow users to log in. By removing first-party cookies, a user's banking experience may be affected as they may be prevented from logging in to the online banking platform.

8. Cookie Consent/Cookie Preference

For the sake of convenience on certain sites (e.g. www.fnb.co.za) a user may self-manage certain cookie preferences (permissions on how the group may use cookies), which means users have the choice to disable first-party and third-party cookie collection.

Users should be aware that necessary cookies cannot be changed (if a cookie preference option is available), as this is a prerequisite for security and functionality purposes.

Should the option be available, users can locate cookie preferences under the legal section of the relevant website.

9. FURTHER INFORMATION ABOUT COOKIES

• Users’ browsers store cookies and group websites cannot access any data on a user’s device.
• As cookies are stored in text files, they cannot be used to distribute viruses to a device.
• On a single device with multiple users the experience of group websites would be customised based on the behaviour of all users using the device and not only an individual user.
• If users disable cookies, previous cookies collected will not be deleted, however, this will prevent the creation of new cookies.
• Expired cookies will be removed automatically.
• A user may delete historically collected cookies via the browser.