Security recommendations

BBVA offers you all the means at your disposal to guarantee security in operations through a Secure Passwords system.

The BBVA Net login password is a private password that must be safeguarded. It is stored irreversibly encrypted in our internal systems, so that no one in BBVA can discover it.

BBVA will never ask you by email or SMS for the BBVA Net credentials or any other personal data or bank details. If you receive a message of this type, please do not provide information via these channels.

Web browsers offer the possibility of saving the usernames and passwords of the websites that require them. At BBVA we recommend never saving your login passwords to our Remote Banking service on a computer or tablet. These devices can be subject to cyberattacks and your passwords may be exposed.

• Use complex passwords that are difficult to figure out and which contain upper and lowercase letters, numbers and symbols.
• Passwords are secret. Do not share them with anyone and change them regularly.
  
• Do not write your password on post-its or in notebooks; memorise it or use specialised password managers.
• On shared computers or those connected to public Wi-Fi networks, do not enter your login credentials or provide personal data, such as postal addresses, telephone numbers, etc.
• If you receive an SMS confirming an operation you did not carry out, contact BBVA UK to report that an operation is taking place without your consent.

• Do not use easily inferable personal data as a secret number, such as your date of birth or registration number, and do not share it with anyone.
• When you make a purchase online, make sure that the website starts with https (and not http), features a closed padlock in the navigation bar and displays –in a visible place– the company's information, their delivery and refund policy and their policy on cookies.
  
• Be suspicious of the e-commerce businesses that offer large discounts on their products (-70%, -80%). Also be suspicious if they contain spelling mistakes and low-quality images.

In addition to the security measures set out by BBVA, you must take certain precautions when browsing the internet and, thus, increase security in your daily activity and avoid being a victim of a cyberattack.

Some of the most frequent cyberattacks and viruses on the network today are:

• Phishing. It consists of sending an email in which the attackers impersonate a well-known company –in most cases– requesting personal data and bank information from the user. You will normally be asked to click on a link that appears in the email so that you enter the requested information, once you are on the wrong page.
  
• Ransomware. They are spread by email with links that enable programs to be installed or infected files to be downloaded. Thus, attackers block the user's computer information and request a ransom so that the user can supposedly retrieve their information.
  
• Trojans. They infiltrate a personal computer and transform its behaviour, so that the offender's computer is able to see the activity carried out.
  

• Operating systems and applications must always be updated.
  
• You must install and keep a firewall and an antivirus active.
• be suspicious of scaremongering emails that inform you that: your account has been suspended and you must reactivate it; an error occurred when logging in; or in which you are asked to verify or update your account information, among other reasons. These emails are fraudulent. Remember that BBVA will never ask you by email or by SMS for your personal data and bank information.
  
• Do not download files onto your computer with the extensions .exe, .bat, .rar, .zip or .ini if the sender is not trusted.
  
• Do not connect any external devices whose origin is unknown, such as pen drives or hard drives, to your equipment.
  
• Only download applications from official stores, such as the Play Store and App Store. Furthermore, check the permissions you give each of them.
  
• On shared computers or if you are connected to a public Wi-Fi network, do not access pages where you have to enter your username and password, and do not provide personal data.

The service

1. User administration:

BBVA Net cash is a multi-user application. It features different user profiles that the company can assign to its employees according to its operational structure.

A specific profile –the administrator– defines and manages the company's users in BBVA Net cash. There may be one or more administrators and there may be different levels of delegation (with no powers or with powers, joint or joint and several). Each user is assigned a profile that is defined with the utmost level of detail.

In the case of authorising operations, the options are:

• No powers: the user cannot authorise operations.
• Powers: joint or joint and several.
• Auditor: they can even stop fully signed orders until the auditor provides authorisation.

This structure enables the circuit of users to be as restrictive as the company wishes, in order to guarantee –at all times– that each user:

• Access only the services and accounts set out by the administrator.
• Can only carry out consultations and operations authorised by the administrator.
• Has or does not have powers to authorise operations.
• Has a monetary limit depending on the operation and account, as defined by the administrator.
• Only if the user is an administrator can they view, in addition to their profile, the list of users defined at their bank, their profiles, access to services and the powers assigned to them.

2. Activity control:

Users can track the bank's operations in BBVA Net cash by:

• The "Statistics" module (Signatures and files: Statistics): view the operations carried out in a specific period.
• The "Order Audit" (Signatures and files: File signature and monitoring): control over the activity of operations of each of the bank's users.
• The "User Audit" (Administration: Audit): it shows the actions each of the administrators has carried out within the circuit of users.

3. User credentials:

BBVA Net cash features two-factor authentication, which basically consists of including a device –token– for validation in the circuit of users and for validation when signing operations. Thus, the system will ask you to enter the six-digit security code (one-time use) generated by the device. This device may be physical or installed on your mobile phone (downloading the BBVA Net cash app).

• Although the passwords do not expire, we recommend you change them every month.
• The length of the login password is 8 alphanumeric characters, in order to make it difficult for third parties to figure it out by testing options.
• Passwords are stored irreversibly encrypted in specialized user and identity management systems, so that no one can obtain them or figure them out.

The login password must be changed upon the first access: to prevent user theft, the first time you connect to BBVA Net cash, you are required to change your access password.

User blocking:

• When entering your username or activation password incorrectly five times in a row, the reference in BBVA Net cash becomes blocked, and it cannot be enabled until BBVA generates a new activation password.
• In the case of the login password, the user is blocked after three failed attempts.
• When entering the security code generated by your security device incorrectly, five times in a row, the user is blocked in BBVA Net cash.
• The user administrator has the power to block access to users at his/her bank, so that, if any employee's contract is terminated, their access can be immediately revoked.

4. Identification and authentication:

Traceability of transactions: each connection and transaction is registered in automated operations records, which record the operation carried out, the date and time of the operation, and the user who carried it out, which allows the validity of the registered operations to be determined.

Information on the last connection:

• If the user connects for the first time, BBVA Net cash will indicate this.
• In successive connections, BBVA Net cash will show the user the date and time of their last connection.

Cookies only active while the user is logged in: Cookies that are installed on the user's operating system, which are necessary for safe browsing on any website, are active only when the user is connected to BBVA Net cash and are deleted when the user disconnects from the application.

Automatic session log-out: As an additional security measure, after 10 minutes of inactivity in BBVA Net cash, the user's session is finalised and they are logged-out of the system.

5. Compliance with national and international regulations:

All BBVA's services fulfil the standards and regulations of the countries in which it operates. BBVA's commitment to these regulations is set out in the Code of Conduct, with which all employees must comply.

Technology

1. Confidentiality and integrity

Of all user credentials:

• All user operational passwords are stored irreversibly encrypted in specialized user and identity management systems, so that no one can obtain them or figure them out.
• BBVA's operational procedures do not require anyone at the bank to have their customers' operational passwords, so no one knows them or will personally ask for them.

Of communications:

• Communications from BBVA's transactional and remote banking services are encrypted using SSL protocol to preserve the confidentiality and integrity of internet communications.
• The certificates used by BBVA to provide this service are generated by Verisign Inc.
• Furthermore, sensitive communications conducted over BBVA's internal networks are appropriately protected according to the operating environment and the protocol used.

Of information.

• The information stored in the internal systems and databases is protected using various security systems, allowing access to authorised employees only.
• BBVA has an automated system for managing information access privileges, which guarantees controlled and restricted access to authorised personnel.

2. Physical security of Data Processing Centres

BBVA's Data Processing Centres are equipped with extensive physical security measures to protect data processing systems, including the following:

• DPC Tier IV Gold in operational sustainability.
• Customised control over access to the premises and the different technical rooms, equipped with systems for detecting dangerous elements.
• Human physical surveillance and video surveillance teams monitoring the perimeter and interior of the facilities on a 24x7 basis.
• Specific detection and protection systems in the event of intrusion, fire, flooding, power cuts and other catastrophic events.

Furthermore, since there are two fully operational Data Processing Centres, BBVA guarantees the safeguarding and recovery of the information, if necessary.

3. Security architecture:

In order to achieve maximum security in the design of its systems, BBVA has set up a specific security architecture especially for systems that provide services to its customers over the internet.

In particular, and to minimise the level of exposure to the internet, only the presentation layer (which performs the functions of user authentication, authorisation of access to web applications and secure session control) is kept exposed by means of a secure reverse proxy.

4. Specific protection systems:

Constantly updated firewalls, antivirus and intruder-prevention systems:

• BBVA segregates its networks and systems with various levels of firewalls.
• Furthermore, BBVA's internal systems are constantly protected by anti-malware and intrusion-detection systems.
• Both types of systems are managed on a 24x7 basis and are constantly updated. This allows for the constant prevention of new threats.
• All security surveillance, alert and response systems in the event of fraud are monitored and supervised by a team of specialists on a 24x7x365 basis at the Data Processing Centre facilities.

Logs of all components: BBVA has –in its remote banking applications and systems– logs of all the critical components, which support the services for detecting fraud attempts and forensic analysis of suspicious activities or operations reported as fraudulent.

Regular review of the service, applying the latest attack techniques: The systems that provide support to remote banking services are regularly reviewed using vulnerability analysis tools.

Internal and external audits: BBVA's systems and processes are subject to regular security audits by the Independent Audit Department and by specific external audits, or those associated with financial or compliance audits.

Protection of user credentials

• Use complex passwords that are difficult to figure out and which contain interspersed upper and lowercase letters, and numbers.
• Do not share your passwords with anyone. Passwords are secret, and they must be known only by their holders for their use.
• Do not write your password on post-its or in notebooks; memorise it or use specialised password managers. You can find free programs of this type at www.osi.es.
• Disable the option to save passwords in your browser. It is safer to enter it each time you log in.
• Change your passwords regularly. If you suspect that someone has discovered your login password, you must change it as soon as possible.
• Do not use the same password for different services (email, Evernote, other banks, etc.).
• Your physical security device is personal and non-transferable.
• If you receive a message requesting your personal passwords, do not provide any details and immediately contact the BBVA Net cash Customer Service.

Protecting your computer

• Keep your operating system and your browser version constantly updated with the corresponding patches, to protect them from any bugs or errors detected.
• Set up your machine and all your programs with the highest levels of security.
• Install and keep a firewall active and always up to date.
• Install and keep your anti-malware programs active and always up to date. Verify external documents you receive with the antivirus.
• Make regular backups of your files.
• Avoid downloads from unknown websites, since they may contain viruses or spy components.
• Do not connect any external devices of unknown origin –such as pen drives, hard drives and the mobile phones of strangers– on your devices.
• Regularly clean your cookies and temporary files.
• Only download programs and applications from official websites.
• Set up an unlock pattern on your mobile phones and tablets, so that they cannot be accessed by a third party.

Secure internet access and browsing practices

• Do not access web pages where you need to enter a username and password, on shared computers or if you are connected to public Wi-Fi networks. Do not provide personal data such as a postal address, telephone number, etc.
• Avoid connecting to private pages using public computers.
• If you have to enter your credentials, check that the server's URL begins with https. This means that you are accessing a secure server.
• Another indication that the server is secure is the presence of a closed padlock (instead of an open one as on any unsafe server) to the right or left of the address (URL).
• Check the web page's security certificates by clicking on the padlock icon that appears when you access a secure area, or check the certificate from the navigation bar, and ensure that the expiry date and the domain of the certificate are valid. The detailed information contains the issuer (Verisign), the validity period and for whom the certificate was issued (BBVA).
• Do not use your browser's "autocomplete passwords" option. If it is enabled, the passwords you enter on the website are stored on your computer, and when you enter your username again, the password field is automatically filled in. This option on a shared computer can enable someone to use your personal credentials.
• Check the date and time of the last connection.
• To safely log out from BBVA Net cash, use the "Quit" button in the top-right corner.

Computer viruses are programs intended to install themselves on a user's computer without their permission and/or knowledge. There are different types of viruses, but all of them tend to have the common characteristic of spreading within the same machine and throughout the network.

It is easy to unknowingly contribute to the spread of viruses by forwarding emails with infected file attachments. It is fundamental to establish the collaboration of all the users ofthe internet to prevent it from spreading.

There are several types of viruses, notably including:

Phishing:

It consists of sending an email in which the attackers impersonate a well-known organisation, requesting details from the user (address, bank details, passwords, etc.). In order for the user to provide these details, in most cases, they must follow a link that appears in the email and, once they are on that false page, enter the requested information.

The basic plan of operation is as follows:

1. A mass message (spam) is spread, informing BBVA Net cash users that they must confirm their login details.

2. The message includes a link to a page where you must confirm the details. Sometimes, clicking the link triggers the download of malicious software.

3. The user accesses the link that leads to a similar web page to the real BBVA Net cash page and trustingly enters their details.

4. Since the page is false and is controlled by scammers, they are the ones who actually receive the user's data, and with it they have free access to the affected user's real account.

Although BBVA will never ask you for your BBVA Net cash login password and signature by email, here are some clues to recognise this type of attack:

- Sometimes, the logo looks distorted or stretched. They also tend to feature spelling mistakes or obsolete expressions.

- They refer to you as "dear customer" or "dear user" rather than including your actual name.

- They warn you that your online banking account/service will close unless you reconfirm your login information immediately.

- The tone of the email is threatening.

- The text refers to "security weaknesses" or "security threats" and requires immediate action.

- The URL is not https:// and the padlock does not appear in the browser's lower bar. False links feature this icon in the window to deceive you.

Ransomware:

It is a lucrative method of technological crime. They are usually concealed as "packet delivery services" or any other credible excuse, and are spread by email with links that enable programs to be installed or infected files to be downloaded. This virus blocks access to the user's computer information, and requests a ransom that will supposedly provide the key to decrypt the information.

A series of instructions to protect you from ransomware are set out below:

• Do not follow links or download the attachments of emails you believe to be suspicious.
• Only use legal software and keep it permanently updated.
• Always have an antivirus installed and up-to-date.
• Make regular backups. If it is infected, you will be able to recover the information without paying the ransom.

Trojans:

They are implanted into a personal computer, masked within a program. They transform the computer's behaviour, so that the offender's computer is able to see the activity carried out. To avoid being infected by a Trojan, you must follow the same instructions as previously mentioned regarding ransomware:

• Do not follow links or download the attachments of emails you believe to be suspicious.
• Only use legal software and keep it permanently updated.
• Always have an antivirus installed and up-to-date.

Hoaxes:

These are emails that disclose specific false rumours with the sole aim of transmitting and increasing low-quality information that is spread over the internet.

In general, they are not too harmful and easy to remove.

To prevent these attacks, follow the stated recommendations and report to us with any suspicious situations or information you receive.

Upon reporting to us, the BBVA Net cash customer service will implement the established fraud action protocol: a team of specialists will take charge of analysing the case.

If the suspicion is confirmed, you will be advised to:

• Format your hard drive.
• Install an updated anti-malware.
• Keep your computer software up-to-date.

In all confirmed cases, the affected user's login password must be changed.

Protection of user credentials

• Use complex passwords that are difficult to figure out and which contain interspersed upper and lowercase letters, and numbers.
• Do not share your passwords with anyone. Passwords are secret, and they must be known only by their holders for their use.
• Do not write your password on post-its or in notebooks; memorise it or use specialised password managers. You can find free programs of this type at www.osi.es.
• Disable the option to save passwords in your browser. It is safer to enter it each time you log in.
• Change your passwords regularly. If you suspect that someone has discovered your login password, you must change it as soon as possible.
• Do not use the same password for different services (email, Evernote, other banks, etc.).
• Your physical security device is personal and non-transferable.
• If you receive a message requesting your personal passwords, do not provide any details and immediately contact the BBVA Net cash Customer Service.

Protecting your computer

• Keep your operating system and your browser version constantly updated with the corresponding patches, to protect them from any bugs or errors detected.
• Set up your machine and all your programs with the highest levels of security.
• Install and keep a firewall active and always up to date.
• Install and keep your anti-malware programs active and always up to date. Verify external documents you receive with the antivirus.
• Make regular backups of your files.
• Avoid downloads from unknown websites, since they may contain viruses or spy components.
• Do not connect any external devices of unknown origin –such as pen drives, hard drives and the mobile phones of strangers– on your devices.
• Regularly clean your cookies and temporary files.
• Only download programs and applications from official websites.
• Set up an unlock pattern on your mobile phones and tablets, so that they cannot be accessed by a third party.

Secure internet access and browsing practices

• Do not access web pages where you need to enter a username and password, on shared computers or if you are connected to public Wi-Fi networks. Do not provide personal data such as a postal address, telephone number, etc.
• Avoid connecting to private pages using public computers.
• If you have to enter your credentials, check that the server's URL begins with https. This means that you are accessing a secure server.
• Another indication that the server is secure is the presence of a closed padlock (instead of an open one as on any unsafe server) to the right or left of the address (URL).
• Check the web page's security certificates by clicking on the padlock icon that appears when you access a secure area, or check the certificate from the navigation bar, and ensure that the expiry date and the domain of the certificate are valid. The detailed information contains the issuer (Verisign), the validity period and for whom the certificate was issued (BBVA).
• Do not use your browser's "autocomplete passwords" option. If it is enabled, the passwords you enter on the website are stored on your computer, and when you enter your username again, the password field is automatically filled in. This option on a shared computer can enable someone to use your personal credentials.
• Check the date and time of the last connection.
• To safely log out from BBVA Net cash, use the "Quit" button in the top-right corner.