2010-12-10

Official Information of the Czech National Bank of 10 December 2010 regarding Qualitative Requirements for Conduct of Business

The Czech National Bank issued this Official Information to establish fundamental qualitative requirements and governance principles for financial services providers operating in the Czech Republic. The document mandates adherence to core regulatory principles such as appropriateness, proportionality, and substance over form while defining key terminology for market participants. It supersedes previous 2007 prudential rules and provides detailed specifications for corporate governance, risk management, and internal control systems across the financial sector.


Czech Republic

Czech National Bank


OFFICIAL INFORMATION OF THE CZECH NATIONAL BANK of 10 December 2010 regarding the pursuit of business in the financial market: Qualitative Requirements Relating to the Conduct of Business – Fundamental Information

I. Introductory Provisions

  1. This Official Information contains fundamental information for persons operating in the financial market[1] as regards the qualitative requirements relating to the performance of activities in the financial market. Information of the Czech National Bank on the qualitative requirements relating to the performance of activities in the financial market is or can also be communicated by means of other separate Official Information.
  2. In accordance with the generally applicable principles for proper corporate governance[2], the Czech National Bank expects the provided information on the qualitative requirements relating to the performance of activities in the financial market to be appropriately used, in particular:
     a) by the bodies and persons responsible for the management and internal control of a company; or, as the case may be
     b) by shareholders in exercising ownership rights, etc., or by other interested parties.

II. Objectives, Assumptions, Principles

  3. The Czech National Bank aims to provide comprehensive substantive explications and other information as regards the qualitative requirements relating to the performance of activities in the financial market[3]. Through providing interpretations, recommendations and guidelines and through communicating other information regarding its approach to the assessment of proposals (at the stage of negotiations regarding entry to the financial market) and to the application of qualitative requirements for the performance of activities by persons providing financial services and being subject to supervision by the Czech National Bank, the Czech National Bank aims to contribute to the quality and transparency of these processes.

[1] Article 49b of Act No. 6/1993 Coll., on the Czech National Bank (hereinafter the “Act on the Czech National Bank”).
[2] For instance, the corporate governance principles published and updated by the Organization for Economic Co-operation and Development (OECD); Green Paper – Corporate governance in financial institutions and remuneration policies, European Commission, June 2010; Art. 13 of Directive 2004/39/EC, in conjunction with Art. 5 to 14 of Directive 2006/73/EC (both the Directives hereinafter jointly the “MiFID”); Art. 22 of Directive 2006/48/EC, in conjunction with Art. 34 of Directive 2006/49/EC (both the Directives hereinafter jointly the “CRD”); Art. 40, 41, 42, 44, 46, 47 and 49 of Directive 2009/138/EC (so-called “Solvency II Directive”).
[3] For instance, Article 8b of Act No. 21/1992 Coll., on banks (hereinafter the “Act on Banks”); Articles 5, 31 and 33 of Act No. 42/1994 Coll., on state-contributory supplementary pension insurance (hereinafter the “Act on Supplementary Pension Insurance”), in conjunction with the Official Information of the Czech National Bank of 18 August 2008 regarding the prudential rules for pension funds: System of governance of a pension fund; Article 7a of Act No. 87/1995 Coll., on savings and credit unions (hereinafter the “Act on Savings and Credit Unions”); Article 74 of Act No. 189/2004 Coll., on collective investment (hereinafter the “Act on Collective Investment”); Articles 12, 12a and 12b of Act No. 256/2004 Coll., on capital market undertakings (hereinafter the “Act on Capital Market Undertakings”); Articles 6 and 7 of Act No. 277/2009 Coll., on insurance (hereinafter the “Act on Insurance”); Article 18 of Act No. 284/2009 Coll., on payment systems (hereinafter the “Act on Payment Systems”); the implementing regulations issued on the basis of the said Acts.

  4. In compliance with its mission, long-term strategy and contractual obligations[4], the Czech National Bank also systematically aims to purposefully harmonise and integrate the procedures and information relating to the performance of activities in the financial market. The aim of the Official Information regarding qualitative requirements is also to support:
     a) purposeful convergence of the procedures and information within the framework of regulation and supervision over the national financial market as a whole;
     b) consistency of the application of the national and European legislation while exercising supervision over the national financial market as a whole; and
     c) consistency of the application of the related terms and definitions across the national financial market.
  5. In its role of the supervisory authority, the Czech National Bank's regulation is based on the applicable European and national legal regulations and the related documents[5]. The Czech National Bank also applies certain documents of other relevant authorities and organizations[6] as key foundations for its activities, while caring for the safe functioning and development of the financial market in the Czech Republic and while contributing to the stability of the financial system as a whole[7].
  6. In relation to the qualitative requirements for the performance of activities in the financial market, the Czech National Bank applies and expects a universal application of the following principles, in particular:
     a) principle of appropriateness, e.g. the relevance of a certain procedure to a financial services provider with respect to the type of its business activities in the financial market;
     b) principle of proportionality to the nature, scope and complexity of the area in question; this principle shall be understood as a potential for making a proportionate adjustment of to a particular application “downwards or upwards” (i.e., the proportionality works both ways);
     c) principle of materiality (importance) assigned by a financial services provider or by the supervisory authority to a certain area or element of the governance; and
     d) principle of the priority of the substance over the form (the “substance over form” principle).

[4] For instance, The Mission of the Czech National Bank for the Supervision of the Czech Financial Market; Agreement on cooperation between the Czech National Bank and the Ministry of Finance in the preparation of draft intrastate legal regulations relating to the financial market and other regulations relating to the competences of the parties thereto.
[5] For instance, recommendations and communications of the European Commission relating to the financial market; outputs of European groups of regulators and supervisors of the financial market for the implementation or application of directly applicable or incorporated regulations of the European Union regarding the financial market.
[6] For instance, 12 Key Standards for Sound Financial Systems, Financial Stability Board (FSB); Core Principles for Effective Banking Supervision, Basel Committee on Banking Supervision (BCBS), 1997; Objectives and Principles of Securities Regulation, International Organization of Securities Commissions (IOSCO), 1998; Core Principles for Systemically Important Payment Systems, Committee on Payment and Settlement Systems (CPSS), 2001; Recommendations for Securities Settlement Systems, CPSS-IOSCO, 2001; Insurance Core Principles and Methodology, International Association of Insurance Supervisors (IAIS), 2003; Recommendations for Central Counterparties, CPSS-IOSCO, 2004; Principles of Private Pension Supervision, International Organization of Pension Supervisors (IOPS), 2006; including the implementing methodologies.
[7] Article 2 of the Act on the Czech National Bank.

  7. While supervising compliance with the applicable requirements of legal regulations, the Czech National Bank acts individually, taking into account the specific conditions of the type of business and the arrangement of the performance of the given financial services provider's activities[8]. Additionally, the Czech National Bank has expectations based on the principles contained in the published Official Information regarding the qualitative requirements relating to the performance of activities in the financial market; this is without prejudice to the financial services provider’s right to individually stipulate and apply different internal procedures (the “comply or explain” principle).

III. Final Provisions

  8. More detailed fundamental information of the Czech National Bank for persons operating in the financial market as regards the qualitative requirements relating to the conduct of business in the financial market is contained in Annexes No. 1 to 3 to this Official Information.
  9. Any questions regarding the contents of this Official Information can be consulted with the Czech National Bank by means of clearly formulated professional queries, including own proposals for the argued solutions.

IV. Repealing Provisions

The Official Information of the Czech National Bank of 18 July 2007 regarding the prudential rules for banks, credit unions and investment firms – Recognised standards (published in CNB Bulletin of 6 August 2007 under number 19/2007) is hereby repealed.

Vice-Governor: prof. PhDr. Ing. Vladimír Tomšík, Ph.D., signed

Annexes

More detailed fundamental information for persons operating in the financial market as regards the qualitative requirements relating to the conduct of business in the financial market:

  1. Specification of terminology
  2. Fundamental objectives, elements and parameters of the governance
  3. Recognised standards

[8] For instance, Article 25 (3) of the Act on Banks; Article 22 (8) of the Act on Savings and Credit Unions; Article 135 (4) of the Act on Capital Market Undertakings.

Financial Market Regulation and Analyses Department
Licensing and Enforcement Department
Financial Market Supervision Department

Responsible:
Ing. Mazánková, tel. 224 412 821
Mgr. Vokroj, tel. 224 414 419
Ing. Majer, tel. 224 412 253
Mgr. Čížek, tel. 224 412 526

Annex No. 1

More detailed fundamental information for persons operating in the financial market as regards the qualitative requirements relating to the conduct of business in the financial market: Specification of terminology

Specification of selected terms

  1. Unless expressly stated otherwise, the Czech National Bank (hereinafter the “CNB”), also taking into account the practice established in the sector, uses the following terms:
     a) authorization to perform activities to summarily refer to a licence, registration, entry in a list or to other forms of permit or official act authorizing an entity to carry on business in the financial market within the defined extent;
     b) entry to the financial market to summarily refer to the procedure of acquiring an authorization to perform activities, which the CNB is involved in (in its role of the supervisory authority) and which includes, for instance, the submitting of applications for authorizations to perform activities, the assessment of applications for authorizations to perform activities, the granting of authorizations to perform activities and the registration of selected persons with the CNB in relation to their undertaking in the financial market;
     c) undertaking in the financial market to summarily refer to any and all performance of activities of a financial services provider in the financial market;
     d) financial services provider (or, as the case may be, “entity” or “company”) to summarily refer to legal entities or natural persons (such as, for instance, European Companies, joint-stock companies, cooperatives, limited liability companies and/or self-employed persons) providing financial services and being subject to supervision by the CNB (e.g. a bank, central depository of securities, electronic money institution, investment fund, investment company, investment firm, regulated market organizer, pension fund, payment institution, insurance company, settlement system operator, savings and credit union and/or reinsurance company);
     e) activities of a financial services provider (or, as the case may be, “activities”) to refer to any activities performed by a financial services provider (i.e., management, control, distribution, intermediation, information, administration, support and/or other activities) that a financial services provider performs or could perform without contradicting legal regulations or the conditions stipulated for the financial services provider in the authorization to perform activities that has been granted to it;
     f) governance (or, as the case may be, “system of governance”, “corporate/internal governance” or “management and control system”) to summarily refer to a coordinated system of elements, their mutual links, inputs and outputs in performing the activities of a financial services provider; the fundamental elements of the governance are the general prerequisites for proper corporate governance, a risk management system and an internal control system, including an information system[9] that also forms an integral part thereof;

     g) information system (or, as the case may be, “information and communication system”) to summarily refer to a functional whole which is used to ensure the gathering, processing, transmission, sharing and keeping of information in any form, including the relevant technical equipment; an information system includes individual information (sub)systems as well as an internal and external communication system of a financial services provider, and its key elements are (i) information and (ii) information and communication equipment and technology, including recording equipment[10];
     h) internal rules to summarily refer to a strategy, organizational rules, plans and other internal documents and normative acts through which objectives, principles, procedures, codes and other rules are stipulated for the performance of activities by a financial services provider[11];
     i) recognised standard to summarily refer to acknowledged and well-established principles and procedures issued by recognised persons and used while performing activities in the financial market[12];
     j) supreme body to summarily refer to a general meeting, members’ meeting or some other body (function) of a financial services provider with analogical competence;
     k) administrative body to summarily refer to the management body, supervisory body or some other analogical managing body of a financial services provider;
     l) management body to summarily refer to the board of directors, administrative board/body or the chairman of the administrative board, an executive or some other body (function) of a financial services provider with analogical competence;
     m) supervisory body to summarily refer to the supervisory board, administrative board, control commission or some other body (function) of a financial services provider with analogical competence;
     n) management (or, as the case may be, “senior management”) to summarily refer to senior officers who are directly subordinate to members of the management body and who are responsible for the implementation of approved strategies, principles and objectives (including the elaboration of procedures for their fulfilment) and for the everyday management of the performance of activities of a financial services provider and some other persons with analogical competence (i.e., possibly including the member(s) of corporate bodies); a financial services provider may also include some other persons[13] in the management;
     o) manager to summarily refer to persons managing the activities of a company, particularly to members of corporate bodies and other natural persons who are actually involved in the management of the operation of a company, who decide about its issues or who discharge some other key managerial position such as, for instance, senior employees, managing persons, executives and/or holders of procuration[14];
     p) employee to summarily refer to persons performing certain activities for a financial services provider pursuant to an employment or other similar contract, including members of the bodies and committees (if established) of a financial services provider and other natural persons with analogical competence, including all senior officers, unless it is a natural person working for an outsourcing provider[15];
     q) unit (or, as the case may be, “organizational unit”) to refer to a person or group of persons authorized to perform a certain activity of a financial services provider, including the bodies and committees (if established) or, as the case may be, to refer to the capacity of a financial services provider (personnel, technical, etc. resources and other prerequisites) designed to ensure the performance of a certain activity or set of activities (processes, tasks, powers, etc.); the performance of a specific activity of a financial services provider may, under stipulated conditions, also be delegated to an employee or group of employees of some other party (i.e., including the possibility of using the capacity of outsourcing providers in order to partially or fully ensure the performance of specific activities)[16];
     r) outsourcing provider to summarily refer to any other (third) parties with respect to a financial services provider (irrespective of the fact whether such other party is or is not a financial services provider itself), including other entities within the same business group through which a financial services provider potentially performs some of its activities (implements certain processes, ensures certain functions, provides certain services, etc.); the term “outsourcing” is understood by the CNB as any business arrangement between a financial services provider and some other party made for the purpose of the performance of certain activities of a financial services provider through some other party[17];
     s) risk to summarily refer to the phenomena that have or could have any unfavourable impact on the achievement of the required or expected status or result, cause uncertainty on the part of a financial services provider as regards the expected course or outcome of activities affected by controllable or uncontrollable events (causes, facts, circumstances, factors)[18];
     t) contingency plan to summarily refer to plans (procedures) for non-standard situations, including emergency and crisis (stress) situations, and for the recovery of activities in order to ensure the ability to perform activities on a continual basis and in order to minimize losses in the event of a disturbed performance of activities, including outsourced activities[19];
     u) client to summarily refer to the customers of a financial services provider (including potential clients), including participants, policy holders, users of payment services, depositors and members of cooperatives that are providers of financial services;
     in legal regulations, the aforementioned terms appear in various forms (some examples are given).

[9] For instance, Article 8b of the Act on Banks; Articles 5, 31 and 33 of the Act on Supplementary Pension Insurance, in conjunction with the Official Information of the Czech National Bank of 18 August 2008 regarding the prudential rules for pension funds: System of governance of a pension fund; Article 7a of the Act on Savings and Credit Unions; Article 74 of the Act on Collective Investment; Articles 12, 12a, 12b, 12d, 32, 38 (1) (f), 48 (a) to (c), 83 (9) (k) and (14) of the Act on Capital Market Undertakings; Articles 6 and 7 of the Act on Insurance; Articles 18 and 26 of the Act on Payment Systems; the implementing regulations issued on the basis of the said Acts.
[10] For instance, Article 2 (g) of Decree No. 374/2009 Coll., on the pursuit of business of payment institutions, electronic money institutions, small-scale payment services providers and small-scale electronic money issuers; Part I (3) of Annex No. 1 to Decree No. 434/2009 Coll., implementing certain provisions of the Act on Insurance.
[11] For instance, Article 9 (1) of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms; Part I (1) of Annex No. 1 to Decree No. 434/2009 Coll., implementing certain provisions of the Act on Insurance.
[12] For instance, Article 9 (2) of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms; Part I (1) of Annex No. 1 to Decree No. 434/2009 Coll., implementing certain provisions of the Act on Insurance; Official Information of the Czech National Bank of 26 May 2009 regarding recognised standards in the AML area.
[13] For instance, Article 17 of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms.
[14] For instance, Article 4 (5) (d) of the Act on Banks; Article 2a (4) (a) of the Act on Savings and Credit Unions; Article 55 (10) (b) of the Act on Collective Investment; Article 2 (1) of the Act on Capital Market Undertakings; Article 2 (4) (h) of the Act on Payment Systems.
[15] For instance, Article 2 (6) (i) of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms.
[16] For instance, Article 6 (3) of Decree No. 237/2008 Coll., on the details of certain rules in the provision of investment services; Article 19 (1) of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms; Art. 13 (29) of Directive 2009/138/EC (so-called “Solvency II Directive”).
[17] For instance, Article 6 (3) and (4) and Article 84 (2) of the Act on Insurance; Article 81a of the Act on Collective Investment; Article 2 (1) (c) (7), Article 12b (2) (b), Article 12d and Article 16 (3) (e) of the Act on Capital Market Undertakings; Article 26 of the Act on Payment Systems; Article 11 (5) of Act No. 253/2008 Coll., on certain measures against the legitimization of the proceeds of crime and financing of terrorism; Articles 11 and 216 of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms; Article 6 (2) (b) (4) and Article 8 (1) (l) of Decree No. 237/2008 Coll., on the details of certain rules in the provision of investment services; Art. 13 (28) of Directive 2009/138/EC (so-called “Solvency II Directive”).
[18] For instance, Part Three, Chapter I, Section 2 of Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms; Part Two, Chapter I, Section 3 of Decree No. 237/2008 Coll., on the details of certain rules in the provision of investment services.
[19] For instance, Article 12b (4) of the Act on Capital Market Undertakings; Part 3A (2) of Annex No. 1 to Decree No. 123/2007 Coll., stipulating the prudential rules for banks, savings and credit unions and investment firms; Article 25 (2) (c) of Decree No. 233/2009 Coll., on applications, approval of persons and the manner of proving professional qualifications, trustworthiness and experience of persons, and on the minimum amount of funds to be provided by a foreign bank to its branch.

Synonyms

  2. Unless expressly stated otherwise, the CNB regards the following terms as synonyms:
     a) service, product;
     b) client, customer;
     c) performance of activities of a financial services provider, operation of activities of a financial services provider, doing business (of a financial services provider);
     d) activities of a financial services provider, operating activities, business activities;
     e) strategy, conception, policy;
     f) plan of activities, plan of business activities, business plan;
     g) line of business, business line, field of business;
     h) worker, employee;
     i) clash of interests, conflict of interests;
     j) extent of accepted risk, accepted risk level, risk tolerance;
     k) action, activity, process, function, service (partial, specific, certain, individual);
     l) important activity, important operational activity, critical activity;
     m) outsourcing, activity performed through some other/third party, severance/delegation of an activity outside of an entity, externally ensured activity, authorization of a third party in relation to performance of an activity/provision of services;
     n) outsourcing provider, provider of (outsourced) services.

Annex No. 2

More detailed fundamental information for persons operating in the financial market as regards the qualitative requirements relating to the conduct of business in the financial market: Fundamental objectives, elements and parameters of the governance

Fundamental objectives of the governance

  1. The governance shall systematically ensure proper and prudent performance of activities, including the relevant activities of the bodies and committees (if established) of a financial services provider, including the stipulated professional care in providing services. The governance shall ensure at least:
     a) performance objective, that is systematic achievement of the expected results in accomplishing the stipulated strategies, objectives and other required outputs, while simultaneously ensuring the efficiency and effectiveness of performed activities and the permanent functioning of the entity;
     b) compliance objective, that is systematic compliance of the performance of activities with legal and other relevant regulations and rules and with the conditions under which the financial services provider has been granted an authorization to perform activities; and
     c) information objective, that is efficiency and effectiveness of communication, and the acquisition, record-keeping, transmission, processing, updating, utilization, sharing, notification (reporting), publication (or other form of provision), securing, protection, keeping, reconstructibility, etc. of data or, as the case may be, of information.
     Example 1: Performance objective focuses, for instance, on the achievement of required financial results and other outputs, on the proper management and maintenance of financial health and stability also in terms of the long-term existence of a company (so-called “going-concern” principle) and continuity of performance of activities also in the case of non-standard conditions or situations, through application of proper and prudent procedures, risk management, emergency planning, etc.
     Example 2: Compliance objective focuses, for instance, on ensuring systematic compliance of internal rules with legal regulations and systematic compliance of the performance of activities with these regulations, and also includes e.g. efficient and effective mechanisms (including control mechanisms) to ensure observance of stipulated codes of conduct, limits and other arrangements or restrictions such as, for instance, observance of the rules for dealing with clients, for ensuring of protection of personal and other protected data, observance of limits for risk management, implementation of stipulated procedures in the field of prevention of the legitimization of the proceeds of crime and financing of terrorism, so-called “anti-money-laundering” (hereinafter the “AML”), etc.
     Example 3: Information objective focuses, for instance, on the horizontal and vertical and on the internal and external communication, on the up-to-datedness, comprehensiveness, reliability, sufficiency, adequate availability, etc. of the information used for decision-making and of other information necessary for the performance of activities, including information being published, information being provided to clients and information being provided to supervisory authorities and to other third parties (particularly of accounting, financial and all other important information), security and reliability of information and communication equipment and technology, etc.

Fundamental elements of the governance

  2. In order to achieve the required objectives, the governance shall include at least the following elements and their mutual links:
     a) general prerequisites for proper corporate governance, that is for the proper steering, management, organization, control and implementation of the performance of activities;
     b) risk management system, that is comprehensive principles and procedures for the identification and steering of financial and other risks and risk factors (hereinafter “risks”) associated with the activities performed by a financial services provider; a risk management system shall cover the risks which a financial services provider is or could be exposed to, both in their entirety (“holistic approach”) and in respect of their individual components; and
     c) internal control system, including the preventive and subsequent verification of the efficiency and effectiveness of the governance and of its elements, including inputs and outputs.
  2. The general prerequisites for proper corporate governance shall include at least the following elements and their mutual links: a) overall business strategy, which is to be approved and evaluated by the management body, and the subsequent management of the performance of activities; and b) overall organizational prerequisites (arrangements), within the framework of which approved strategies are being implemented (“activities are being performed”), with a proper, comprehensive, non-conflicting and clear definition of activities and of the related competences, responsibilities and powers of decision, including the competences, responsibilities and powers of the bodies and committees (if established) and including information flows and other arrangements aimed to ensure the activities performed. Example 4: In particular, the overall strategy of a financial services provider and its components and the subsequent strategic and operational planning and management of the performance of activities of a financial services provider defines, in particular, sufficiently specific and controllable objectives for the performance of activities in individual areas (e.g. business objectives) and principles for their fulfilment; the strategy also includes a strategy relating to capital and investment and to the definition of a financial services provider’s approach (attitude) to the risks associated with the performance of its activities in the financial market (“risk appetite”). 
Example 5: The organizational arrangements and the related internal rules define, for instance, the measures to ensure the functional content of the activities performed, their personnel, technical and other aspects, authorizations of employees to approve and undersign documents within the framework of the activities performed by a financial services provider, information flows, functions which must not be discharged simultaneously, procedures to identify, prevent and manage conflicts of interests within the framework of the activities performed by a financial services provider (also from the clients’ perspective) and other procedures for the proper and prudent performance of activities, including e.g. procedures to be followed while adopting or amending internal rules, accounting procedures, client communication procedures, procedures for the acquisition, record-keeping, processing, keeping, etc. of information, risk management procedures, procedures for the handling of potential claims and complaints, procedures to be followed in non-standard situations, etc. The organizational prerequisites also include, for instance, prerequisites for the proper operation of the management body and of the supervisory body with respect to the nature, scope and complexity of the activities performed by a financial services provider, e.g. definition of requirements for the composition of the bodies, for the expertise, experience, practice and other requirements for the performance of activities of a body member (activity, quality, personal attendance at meetings, etc.), for the manner of acting and decision-making of the bodies, for the identification, prevention and management of conflicts of interests
within the framework of the activities performed by the bodies and committees (if established) and by their members, etc.
  1. A risk management system shall include at least the following elements and their mutual links: a) strategy for the approach to risks; and b) specific procedures for the identification, evaluation, measuring (quantification), monitoring and notification (reporting) of risks and for the adoption of informed decisions, and measures to reduce the occurrence or impacts of risks in accordance with the risk profile of a financial services provider and with the approved risk management strategy. Example 6: The foundation of a risk management strategy (strategy for the approach to risks) of a financial services provider is a sufficiently specific delimitation (internal definition) of the individual risks which a financial services provider is or could be exposed to, of the criteria for the assessment of their importance from the perspective of a financial services provider, the determination of the accepted level (including limits) of all material risks run by a financial services provider and of the manners for their prevention, minimization or coverage. A strategy for the approach to risks includes, for instance, a strategy for the management of the solvency and liquidity risk, of the strategic, reputational and operational risk (including legal risks, compliance risks, risks associated with the utilization of models, risks associated with new activities, risks associated with unexpected extraordinary events, risks associated with outsourcing, etc.) and the concentration risk, risks specifically associated with the line of business of a financial services provider (market risks, underwriting risks, credit risks, market infrastructure risks, etc.) and other risks and risk factors attached to the activities performed and the impacts of the internal or external environment such as, for instance, the impact of a financial services provider’s incorporation into a specific business grouping (group).
  2. An internal control system shall always include at least the following elements and their mutual links: a) controls along the management line and along the organisational line, if different; and b) control mechanisms for the individual processes, functions, services, systems, etc., and the governance as a whole, including the mechanisms of internal financial control and the mechanisms of independent internal assurance on activities (review). Example 7: An internal control system can be internally structured as follows, for instance: i) accounting, physical and other automated and other controls (control mechanisms) for the individual processes, functions, services, systems, etc., both preventive and subsequent; the physical controls are aimed, for instance, to restrict access to tangible property, financial assets, etc., to carry out regular stocktaking of property, etc.; ii) specialized internal control functions; the internal control functions perform, for instance, the control of risk management, compliance, the provision of independent internal assurance on activities (or findings on deficiencies discovered), with special emphasis on the provision of independent internal assurance on the completeness, conclusiveness, correctness and reliability of bookkeeping, on the reliability of financial and other important information and on the reliability and sufficiency of internal controls (control mechanisms) and of the risk management system, where the risk management function, compliance function and internal audit function shall always be provided with an appropriate degree of independence, including a possibility of direct reporting to the managing bodies of the company and to the relevant committees (if established); iii) principles and procedures for continuous updates and periodic verification of the efficiency and effectiveness of the governance and of its elements, including inputs and outputs, always including adequate independent verification and 
including the adoption of measures to remedy any identified deficiencies and to check their implementation; and iv) other appropriate internal control mechanisms to protect the system of governance and its elements against failure and to ensure the timely detection and removal of deficiencies in terms of the focus,
execution or resources used to perform activities, if such a need follows from specific or any foreseeable circumstances of the performance of activities of a financial services provider with respect to their nature, scope and complexity, e.g. so-called “whistle-blowing”. Example 8: Controls or, as the case may be, control mechanisms shall be implemented, for instance, by way of introducing security elements, the “four-eyes” principle, obligatory preventive or subsequent controls of business, accounting, etc. operations, obligatory disclosure of potential conflicts of interests, procedures for the escalation of potential problems, controls incorporated into the procedures for the preparation of new internal rules and for the implementation of amendments thereto, various limits, execution of shadow (fictitious) purchases (“mystery shopping”), etc. Further, controls shall be carried out, for instance, in terms of compliance with legal and internal rules and limits, controls of data processing and correctness, controls of adequacy of the internal financial and other reporting, controls of approval and authorization of transactions exceeding the defined limits, controls of communication with clients, controls of the details of selected transactions, controls of the efficiency and effectiveness of the security elements in place, reconciliation, controls of compliance with qualification requirements, and potentially also of employee trustworthiness depending on the activities (functions) performed by the employees, verification of inputs and outputs of the risk management systems and models used, controls of adequacy and appropriateness of the documentation on activities, controls of sufficiency and reliability of the archiving and keeping of data and documents, controls of the performance of activities of the senior management while implementing the approved strategies (as carried out by the management body and its members), controls of the performance of
activities of specialized internal functions (managing, controlling, etc.), evaluation of employees, controls of the removal of identified deficiencies, etc.

Fundamental parameters of the governance
  1. The introduction, maintenance and systematic application of an adequate system of governance lies within the competence, and is the responsibility, of the management body. Example 9: The key elements of this overall responsibility include, for instance, the responsibility for financial health, for the overall strategy, for the strategic management of business activities and for the risk management, the organizational arrangements to support the required performance of activities and to prevent the occurrence of clashes of interests and undesirable procedures (e.g. improper use of means, prioritization of short-term objectives, obstruction of transparency, etc.), active and qualified supervision over the activities performed by the senior management and by the internal control functions (risk management, compliance, internal audit, etc.) that support the activities of the given body (function), and the communication and assertion of corporate values and visions. The activities of the management body shall also be supported by specialized committees (commissions, etc.) such as, for instance, committee on the management of assets and liabilities, pricing committee, committee on new products, loss commission, etc.; the activities of the management body shall also include the formulation, support and assertion of ethical principles and of the expected models of behaviour, etc. The overall responsibility of the management body for the introduction, maintenance and systematic application of an adequate management and control system may not be delegated and this responsibility shall also apply in the case of outsourcing, whether within a group which a financial services provider also belongs to (e.g. for the purposes of cost sharing within the group, etc.) or outside of a group.
  2. The governance shall cover all of the activities performed by a financial services provider. Example 10: The governance also includes, for instance, a system of internal principles, procedures and control measures in the AML area, processes for emergency planning in the event of non-standard situations, processes associated with the potential utilization of outsourced services, processes for the preparation, approval and implementation of new activities, products or systems, or for the implementation of other changes to the performance of activities of a financial services provider, including organizational or technological changes, entry to a new market or to a new client segment, acquisitions, etc.
  1. In order to achieve the required objectives, the governance shall meet the following qualitative parameters, in particular: a) it shall be appropriate to the size, manner of management, number of employees, nature, scope and complexity of the activities performed by a financial services provider; b) it shall be proportional to the size, manner of management, number of employees, nature, scope and complexity of the activities performed by a financial services provider; c) it shall be comprehensive and cover all of the activities in an interrelated manner; d) it shall use and ensure adequate resources, systems and processes; e) it shall be functional or, as the case may be, efficient and effective; f) it shall be forward-looking; g) it shall be risk-based; h) it shall be sufficiently transparent both internally and externally; i) it shall be continuously updated with regard to the estimated and actual development of the internal and external environment, including the development of the economic cycle, development in the field of regulation and development in the field of proper corporate governance standards; j) it shall be regularly (and always in the event of a material change) reviewed internally and adjusted as necessary; and k) it shall be sufficiently protected against failure; both in its entirety and in respect of its individual components. Example 11: In order to comply with the principle of comprehensiveness [subparagraph c) above], interrelatedness of the following elements shall be ensured, for instance: i) overall strategy and its component parts; ii) capital planning and risk management; iii) business strategy and risk management strategy; and iv) risk management and remuneration. 
Example 12: Compliance with the principle of continuous updating [subparagraph i) above] shall be understood as, for instance: i) continuous updating of the contents of individual internal rules; ii) continuous updating and development of an information system; and iii) adjustments to the functional contents of selected departments, e.g. in connection with the introduction of an important product or process. Example 13: Compliance with the principle of internal review [subparagraph j) above] shall be understood as, for instance: i) review of the governance or of its elements by the internal audit function; and ii) directed review of the up-to-datedness and sufficiency of the governance, e.g. following a merger or acquisition, for instance in terms of continuing up-to-datedness and sufficiency of resources, defined employee qualification requirements, control mechanisms, principles and procedures for risk management, etc.
  2. In order to ensure the determined objectives, parameters and other requirements for the performance of activities, a financial services provider shall select, incorporate into its internal rules and continually apply appropriately selected standards while performing its activities (Annex No. 3 to this Official Information).
  1. In order to ensure that the applied arrangements, strategies, procedures and mechanisms and the selected and applied standards systematically and permanently ensure the proper and prudent (i.e., reliable and secure) performance of activities, including the stipulated professional care in providing services, a financial services provider shall ensure that the governance and its elements, including inputs and outputs, are controlled, evaluated and corrected, if necessary. Example 14: The relevant bodies, functions, persons and committees (if established) shall, for instance: i) verify the arrangements, strategies, procedures and mechanisms introduced and applied by a financial services provider; ii) evaluate the nature and importance (seriousness, extent) of potential deficiencies (e.g. missing control mechanisms) and risks which a financial services provider is or could be exposed to; and iii) without undue delay ensure the appropriate updates or changes to the governance or to the relevant element thereof.

  2. A financial services provider shall perform the review and evaluation of the governance and of its elements in the periodicity, structure and intensity adequate to the importance of the individual areas and elements of the governance, taking into account their nature, scope and complexity. Example 15: A financial services provider shall determine that, for instance: i) the extent of internal controls and evaluation of the governance and of its elements shall be at least equivalent to the extent of the requirements for the financial services provider following from legal regulations which govern the performance of its activities in the financial market and its authorization to perform activities; and ii) any important changes to activities or to the environment shall always constitute a reason to review the governance or the relevant elements thereof. Example 16: The management body shall, for instance: i) at least once a year ensure an overall review and evaluation of the governance; and ii) based on the overall review and evaluation of the governance, determine whether the introduced and applied arrangements, strategies, procedures and mechanisms and the capital of the financial services provider still ensure the proper and prudent performance of activities, including the stipulated professional care in providing services, particularly the fulfilment of approved objectives, compliance with the requirements agreed at the financial services provider’s meetings with clients and adequate risk management and coverage. 
Example 17: Within the scope of supervising whether the governance of a financial services provider is efficient and effective, the supervisory body shall, for instance: i) regularly discuss issues relating to the financial situation and management of the company, internal controls, steering of the risks which the financial services provider is or could be exposed to, fulfilment of the determined objectives, remuneration system, etc.; ii) discuss also the strategic orientation of the financial services provider; and iii) at least once a year (and usually always in the case of an important change) evaluate the overall efficiency and effectiveness of the governance; the activities of the supervisory body shall be supported by its committees (if established), e.g. nomination committee, remuneration committee, etc.

  3. The nature of the matter implies that an adequate system of governance must comply with the aforementioned fundamental characteristics for the entire period of time during which a financial services provider performs activities in the financial market by means of that system of governance.

Annex No. 3

More detailed fundamental information for persons operating in the financial market as regards the qualitative requirements relating to the conduct of business in the financial market: Recognised standards

Practical procedures, recommendations, standards
  1. Selected principles and procedures relating to the performance of activities in the financial market are contained – apart from legal regulations – also in various recommendations, codes, technical standards, sample contracts, rules, terms and conditions, etc. (hereinafter “standards”). Example 1: The standards focus, for instance, on the operation of various payment, settlement and other systems, on the trading on financial markets, on contractual relations and on the dealing with clients, on accounting, on risk measuring, management and coverage, on the performance of the actuarial function, on the testing and validation of internal/own models, on internal controls, on the audit function, on the ensurance and control of compliance, on the performance of stress testing, on the prevention of the legitimization of the proceeds of crime and financing of terrorism, on the implementation of new activities and on change management, on the use of outsourcing, on the ensurance of continuity of the performance of activities, etc. Illustrative examples of specific documents may include, e.g. Guidance paper on preventing, detecting and remedying fraud in insurance (IAIS, October 2009), Compliance and the compliance function in banks (BCBS, April 2005), Principles on outsourcing of financial services for market intermediaries (IOSCO, February 2005). 
Example 2: The standards shall be published or used by, for instance: i) individual financial services providers in the implementation, maintenance and application of the requirements stipulated for them by legal regulations, etc.; ii) interest groups (associations) of financial services providers; iii) groupings of authorities supervising the financial market; iv) statutory auditors or audit firms (hereinafter “auditors”) while performing potential external verification of the systems of governance of financial services providers or of selected elements of such systems20, etc.; v) other persons operating (also) in the financial market, e.g. advisory or rating agencies; vi) other interested parties (stakeholders), particularly shareholders, investors and clients; vii) specialized press, academic community, educational institutions and their students and other segments of the public or individuals; and viii) the CNB in its role of the authority supervising the financial market (i) in the field of regulation of selected entities, markets and instruments of the financial market of the Czech Republic, including so-called “soft regulation”21; (ii) within the framework of its activities while exercising supervision; and (iii) while performing the information duties set out for the CNB (so-called “supervisory disclosure”).

Recognised standards
  2. The CNB regards as recognised standards such outputs, in particular, that comply with the following requirements for the originator, process of preparation, contents, manner of publication and updating of the document: a) the document is published by a knowledgeable, stable, transparent and renowned party in the role of the publisher and expert guarantor of the document (so-called “standard setter”);

20 For instance, Article 22 of the Act on Banks, Article 8b of the Act on Savings and Credit Unions.
21 For instance, Article 49b (6) of the Act on the Czech National Bank.

b) the publisher of the document guarantees and evaluates the published output and, if necessary or purposeful, ensures its potential updates, unless it is a document the essence or nature of which implies that it is a one-off output; c) the document is commonly (in a non-commercial manner, free of charge) and publicly (directly) accessible to a sufficient extent, e.g. through the website of the publisher and expert guarantor of the document; d) the preparation and potential updates of the document are carried out in a transparent manner, the document is usually subject to public comments in such a manner that both the financial services provider and the CNB and other persons operating in the financial market are, with reasonable efforts, able to get actively involved in the process of its preparation or updating, e.g. in the form of their correspondence-based attendance at the public consultation on the draft document prior to its publication or update; and e) the document is already (rather) universally used within the framework of the financial market, or usable in the near future (e.g. a standard for a new financial market product, or a standard for a new area of activities in the financial market or for its regulation and supervision).
  1. In particular, the requirements for recognised standards are complied with by the European standards for the single European financial market5. However, a financial services provider may also select the Official Information of the CNB as a recognised standard. The European standards and Official Information of the CNB are directly applicable and, from the perspective of the CNB in its role of the supervisory authority, they have priority over any other standards.

Potentially recognisable standards
  2. The general requirements for recognised standards are usually also complied with by the outputs of the following globally recognised standard setters in the field of regulation and supervision over financial markets and in the field of financial stability: Financial Stability Board (FSB), Joint Forum (JF), Basel Committee on Banking Supervision (BCBS), Committee on Payment and Settlement Systems (CPSS), International Association of Insurance Supervisors (IAIS), International Organization of Pension Supervisors (IOPS) and International Organization of Securities Commissions (IOSCO), unless any specific provision of such an output contradicts the requirements of legal regulations, the European standards or Official Information of the CNB.
  3. As regards other (potential) recognised standards – on condition of compliance with the general prerequisites (paragraph 2 above) and accordance with the requirements of legal regulations, the European standards and Official Information of the CNB – the following outputs may be considered, for instance: a) other internationally recognised standard setters in respect of specific areas relevant to undertaking in financial markets such as, for instance, standards of the Organization for Economic Co-operation and Development (OECD) for corporate governance, or standards of the Financial Action Task Force (FATF) for the AML area; and b) nationally or professionally recognised standard setters in respect of specific areas relevant to undertaking in the financial market such as, for instance, standards of professional, interest and other associations and groups.

Application
  1. Considering a specific standard as an appropriately selected standard in a particular case always requires an assessment of the general prerequisites and, in particular, of compliance with legal regulations and of the conformity of the contents of such a standard with the European standards and Official Information of the CNB, as well as of its adequacy for the given financial services provider.
  2. Standards shall be applied in a manner reflecting the size, manner of management, number of employees, nature, scope and complexity of activities that a financial services provider performs or intends to perform, and reflecting the development of the internal and external environment. The application of a standard by a financial services provider must neither contradict the provisions of legal regulations nor circumvent their purpose.