Notice No. 03/2026 of 23 February - Financial System - Corporate Governance Code for Financial Institutions

PUBLISHED IN THE OFFICIAL GAZETTE, FIRST SERIES, NO. 33 OF 23 FEBRUARY 2026 NOTICE No. 03/2026 SUBJECT: FINANCIAL SYSTEM - Corporate Governance Code for Financial Institutions

Whereas it is necessary to adjust the rules and procedures regarding corporate governance and internal control of Financial Institutions, aiming at alignment with best practices and the stability of the Angolan financial system; Pursuant to the combined provisions of paragraph 2 of Article 71 and subparagraphs k) and l) of paragraph 1 of Article 166 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law, and of subparagraph f) of paragraph 1 of Article 31 and paragraph 1 of Article 98, both of Law No. 24/21 of 18 October, the National Bank of Angola Law; I DETERMINE:

CHAPTER I General Provisions Article 1. (Object) This Notice aims to regulate corporate governance and the internal control system, as well as to define the minimum standards upon which the organizational culture of financial institutions, hereinafter referred to as institutions, must be based.

Article 2. (Scope)

1. This Notice applies to Banking Financial Institutions under the supervision of the National Bank of Angola, as provided for in paragraph 2 of Article 7 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law.
2. The provisions of this Notice also cover Non-Banking Financial Institutions under the supervision of the National Bank of Angola, namely: CONTINUATION OF NOTICE No. 03/2026 Page 2 of 104 a) Microfinance institutions, as provided for in subparagraph c) of paragraph 3 of Article 7 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law; b) Shareholding management companies, as provided for in Article 229 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law; c) Payment system operating companies, as provided for in Article 10 of Law No. 40/20 of 16 December, the Angolan Payment System Law, and subparagraph k) of paragraph 3 of Article 7 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law; d) Payment service providers with assets equal to or greater than Kz 4,000,000,000 (four billion Kwanzas), for a period of 3 consecutive years.

Article 3. (Definitions) Without prejudice to the definitions established in Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law, for the purposes of this Notice, the following are understood as: CONTINUATION OF NOTICE No. 03/2026 Page 3 of 104 a) Executive Director: a member of the governing body with responsibilities for day-to-day management, without prejudice to the overall duties inherent to their office; b) Independent Non-Executive Director: a member of the governing body who performs their functions independently in accordance with Article 64 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law; c) Non-Executive Director: a member of the governing body, who must participate in the strategic decision-making process, advise, supervise and evaluate the activity of the executive committee, without prejudice to the overall duties inherent to their office; CONTINUATION OF NOTICE No. 03/2026 Page 4 of 104 d) Risk Appetite: the aggregated level and types of risk that an institution is willing to assume, defined in advance and within its risk capacity, in order to achieve its strategic objectives; e) Conflict of Interest: a situation in which shareholders, members of the governing bodies or employees have their own interests, directly or indirectly, in a relationship between the institution and third parties, from which they expect to obtain benefits; f) Control Deficiency: an error in the design or use of the policies or processes of the internal control system, with a negative impact on its objectives and principles; g) Parent Company: a legal entity that exercises a relationship of control or group over another legal entity, designated as a subsidiary, when these are financial institutions under the supervision of the National Bank of Angola; h) Risk Factor: aspects or characteristics of financial products and markets, participants in the business relationship, and processes in force within the institution, which influence risk; i) Control Functions: each of the components of the internal control system, whose responsibility consists of monitoring compliance of their actions with legislation and internal procedures, managing and monitoring the risk to which the institution is or may be exposed, carrying out objective and reliable assessments and analyses, as well as reporting their audits to the governing body; j) Business Functions: functions directly linked to the main activity or core business of the institution; k) Support Functions: functions whose day-to-day operations are not directly related to the institution's business, yet assist and complement it; CONTINUATION OF NOTICE No. 03/2026 Page 5 of 104 l) Day-to-Day Management: decisions made on a daily and recurring basis regarding matters concerning the administration of the institution, excluding those related to the definition of business strategy, organizational and functional structure, disclosure of legally or statutorily required information, and relevant operations based on their amount, associated risk, or special characteristics; m) Corporate Governance: the set of relationships, policies, and processes involving shareholders, members of the governing and supervisory bodies, and employees of the institution in coordination with supervisory authorities, external auditors, and other financial market agents, aimed at achieving strategic objectives, as well as promoting organizational transparency, control, and supervision, specifying for this purpose the functions assigned to the various organizational units and the competencies, responsibilities, and level of authority of the various participants in the institution; n) Portfolio/Division: specific functions or superintendence of organizational units, assigned to an executive director, without prejudice to the responsibilities assigned to the governing body; o) Risk Profile: a representation of the institution's actual risk exposure, which is intrinsically linked to its business strategy, and depends on the type of activities carried out by the institution, as well as the risk inherent to them; p) Segregation of Functions: a set of internal control rules and guidelines aimed at decentralizing management, establishing independence between control, business, and support functions; q) Organizational Silos: organizational barriers that hinder or prevent timely, objective, concise, effective, and complete communication and cooperation between various organizational units or functions; CONTINUATION OF NOTICE No. 03/2026 Page 6 of 104 r) Internal Control System: an integrated set of policies and processes, permanent and transversal to the entire institution, carried out by the governing body and other employees, aimed at achieving objectives of efficiency in operations execution, risk control, reliability of accounting and management support information, and compliance with legal standards and internal guidelines; s) Risk Tolerance: the maximum amount of risk that an institution is capable of assuming, given its capital base, risk management, and control capabilities, as well as its regulatory constraints; t) Transactions with Related Parties: transfer of resources, services, or obligations between the institution and related parties, including holders of relevant management functions or offices within the meaning of paragraph 39 of Article 3 and paragraphs 1 and 2 of Article 68 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law, as well as subparagraph b) of Article 3 of Notice No. 11/20 of 11 April, regardless of whether there is a price debt.

CHAPTER II Conduct and Organizational Culture Article 4. (Organizational Culture)

1. The organizational culture of the institution must be a constant concern of the governing and supervisory bodies, based on solid foundations and high standards of internal control regarding the authorization, execution, recording, accounting, and control of operations, through: a) Adherence to high ethical and integrity principles, embodied in codes of conduct and policies that identify and mitigate conflicts of interest; b) Definition and implementation of processes aligned with internal control principles and practices, which determine that there is an understanding of relevant risks and how they can be managed; CONTINUATION OF NOTICE No. 03/2026 Page 7 of 104 c) Adequate segregation between authorization, execution, recording, accounting, and control functions, adapted to the size, nature, and complexity of the activity.
2. The organizational culture must be known to all employees, who must contribute to an efficient internal control system, thereby understanding their role in the implemented system.
3. The governing body must promote an organizational culture of ethics, compliance, and transparency.
4. The governing body ensures that service providers with whom the institution interacts in the context of any activity or function it subcontracts promote an organizational culture based on ethical standards comparable to those of the institution itself.

Article 5. (Code of Conduct)

1. The governing body must define and formally establish a code of conduct, applicable to its own actions and those of the institution's employees.
2. For the purposes of the preceding paragraph, the code of conduct aims to: a) Establish high standards of conduct in accordance with ethical, regulatory, and deontological principles, promoting transparency in relationships involving governing bodies and employees; b) Inhibit participation in illegal activities and excessive risk-taking; c) Contribute to the transparency of contractual relationships between the institution and its counterparties; d) Stipulate the prohibition for members of governing bodies and employees to accept, for their own benefit or that of third parties, offers and other benefits or rewards in any way related to the functions performed, which must be refused and returned; e) Without prejudice to the preceding subparagraph, the possibility of accepting offers and other benefits or rewards of mere hospitality in accordance with social customs, provided they do not constitute a relevant material or non-material advantage; f) The need for immediate communication to the compliance function of all offers and other benefits or rewards, for analysis, decision on the course of action, and corresponding recording.
3. The code of conduct must include, at a minimum, the following structural elements: a) Scope and objectives of the institution; b) General principles of conduct; c) Deontological rules; d) Rules to be considered in transactions with related parties; e) Prevention of criminal activities, notably money laundering and market abuse; f) Rules for non-compliance; g) Duty of confidentiality; h) Prohibition of improper use of insider information; i) Duty of loyalty; j) Activities performed concurrently with functions held at the institution, liberal professions, benefits, and contacts with the media, social networks, and other external entities.
4. The code of conduct must be published and disseminated internally, and must be known to everyone, including the financial group, when applicable.
5. The code of conduct must define and concisely and objectively distinguish acceptable or expected behaviors from unacceptable behaviors, considering the institution's strategy and risk profile.
6. The code of conduct must provide that the governing body, holders of relevant management positions, and other employees carry out the institution's activities in accordance with applicable legislation and regulation, as well as internally adopted policies and procedures.
7. The governing body must review the code of conduct at least once a year, and it must contain the opinion of the supervisory body.
8. Whenever changes to the code of conduct occur, these must be recorded and communicated to the National Bank of Angola.

Article 6. (Duties of the Governing Body)

1. Without prejudice to the provisions of paragraph 1 of Article 72 of Law No. 14/21 of 19 May, the General Regime of Financial Institutions Law, and the company's statutes, the governing body must: a) Regularly discuss, in its meetings and in meetings with other members of the executive committee, matters related to conduct and organizational culture, and ensure the recording of respective conclusions; b) Adopt measures that value behaviors aligned with an organizational culture with the characteristics described in paragraph 1 of Article 4 of this Notice, including appropriate and proportional disciplinary measures whenever non-compliance with conduct rules is detected; c) Promote a control environment that values internal control as an essential element for the resilience and long-term good performance of the institution; d) Inform the different structural units, through regular communications, about the institution's risk tolerance level, adopt concrete measures to promote strong awareness among all employees of aversion to risk levels exceeding defined limits, and ensure that all employees know their responsibilities regarding risk taking and control; CONTINUATION OF NOTICE No. 03/2026 Page 8 of 104 e) Promote an organizational environment that encourages employees to freely and openly share their opinions and to report upwards the existence of problems without fear of retaliation, and to not adopt or tolerate aggressive management practices; f) Promote the implementation of training actions, mandatory upon commencement of duties and renewed every two years or whenever there are relevant content changes, aimed at raising awareness among all employees, including members of the governing and supervisory bodies, regarding the institution's values and current conduct rules, ensuring that employees are aware of the legal and disciplinary consequences that may result from improper conduct; g) Promote, throughout the year, the communication and dissemination of the conduct rules in force at the institution, so as to make them present in day-to-day management and decision-making processes; h) Ensure that in the recruitment and selection process for new employees, including members of governing bodies, candidates' adherence to the institution's ethical standards is assessed; i) Act with diligence, loyalty, and neutrality in relationships maintained with third parties, and ensure that impartial, transparent, and auditable internal procedures are adopted when hiring services and acquiring or disposing of assets by the institution; j) Ensure the independence and effectiveness of internal control functions, even when the internal audit function is performed by third parties; k) Provide the necessary means for internal control functions to be carried out adequately; l) Promptly inform those responsible for the internal audit activity of any material change in the institution's strategy, risk management policies, and processes.
2. The governing body promotes periodic and independent assessments, to be carried out by an entity external to the institution, regarding the institution's conduct and values, which also cover the conduct and values of the governing body itself and its committees.
3. The governing body is responsible for defining, implementing, and reviewing the internal control system annually, to ensure that, on a permanent basis, the objectives set out in Article 29 of this Notice are achieved.
4. The governing body is responsible for the business strategy and financial solidity, major decisions on human resources, internal organization, structure, governance practices, risk management, and compliance obligations.
5. For the purposes of paragraphs 3 and 4, the governing body must guarantee, at a minimum: a) A duly formalized strategy, focused on the long-term solvency of the institution, supervision of the corporate governance structure, and periodic review thereof, to ensure that this structure remains aligned with the size, nature, complexity, business strategy, activity, geographic footprint, and current regulation; b) The definition of the institution's risk appetite, together with the risk management officer, which must take into account the competitive and regulatory landscape, the institution's long-term interests, risk exposure, and capacity for efficient risk management; c) The existence of high ethical and professional values; d) An adequate and transparent organizational structure; e) Alignment of the remuneration policy with the institution's strategy and risk profile, to, among other objectives, inhibit excessive risk-taking; f) The independence, status, and effectiveness of internal control functions, which must be equipped with sufficient human and material resources to fulfill their mission; g) The identification, assessment, monitoring, control, and reporting of various categories of risks, aimed at obtaining a well-founded understanding of their nature and magnitude; h) The preparation of financial statements in accordance with policies and processes that ensure their reliability, timeliness, consistency, and understandability; i) The existence of processes for identifying and assessing transactions with related parties, to ensure that they are processed under conditions identical to those practiced with unrelated parties; j) The existence of sufficient human, material, and technical resources to achieve the institution's objectives, and consistent policies for employee recruitment, assessment, promotion, compensation, and training; k) The timely execution of its guidelines, notably those aimed at introducing corrections and improvements to the internal control system; l) The approval of compliance policies and guidelines, similar to the internal control system policies and guidelines; m) The supervision of the integrity, independence, and efficiency of the institution's whistleblowing channels' policies and procedures; CONTINUATION OF NOTICE No. 03/2026 Page 9 of 104 n) The communication to the National Bank of Angola of the existence of operations suspected of criminal activities or situations of material fraud to the security, sound and prudent conduct, and reputation of the institution.
6. The governing body is responsible for guaranteeing the institution's governance structure and data quality.
7. For the purposes of the preceding paragraph, the National Bank of Angola establishes in specific regulation the principles, as well as the rules and procedures of the data governance structure.

Article 7. (Conflicts of Interest)

1. The governing body approves, after a prior opinion from the supervisory body, a policy for the prevention, communication, and remediation of conflicts of interest, applicable to members of the governing and supervisory bodies, holders of relevant management functions, and other employees of the institution.
2. The policy for the prevention, communication, and remediation of conflicts of interest applies to actual or potential conflicts of interest and covers institutional conflicts of interest and conflicts of interest regarding employees, including, in this case, financial, professional, personal, and political conflicts of interest.
3. The governing body ensures that the institution's policy for the prevention, communication, and remediation of conflicts of interest includes, at least, the following elements: a) The obligation for covered employees to avoid situations that may give rise to conflicts of interest; b) The obligation to immediately communicate to the institution any situation of conflict of interest covered by the policy and the procedure that employees follow for this purpose, including the minimum content of information to be transmitted to the institution for CONTINUATION OF NOTICE No. 03/2026 Page 10 of 104 purposes of assessing the existence of actual or potential conflicts of interest and weighing their relevance; c) The procedure to be observed prior to accepting a position or function to be exercised concurrently with the position held at the institution; d) An exemplary list of measures to mitigate institutional conflicts of interest or conflicts of interest regarding employees; e) The obligation for the institution to record the conflicts of interest of covered employees, as well as the measures implemented or to be implemented to manage them, in order to allow for their continuous monitoring and assessment; f) The procedure to be observed by the institution regarding the assessment of communicated conflict of interest situations, especially in cases where the conflict of interest is accepted, including the need for this assessment to be adequately documented and the functions involved in each phase of the said procedure;
4. Conflicts of interest covered by the policy for the prevention, communication, and remediation of conflicts of interest include any conflicts of interest resulting from past positions held and past personal and professional relationships, and the policy in question must establish the relevant time period to be considered for this purpose.
5. The governing body ensures that the policy referred to in this article is adequately implemented at the institution, is subject to periodic reviews, and is disseminated internally to all employees, and is also published on the institution's website.

Article 8. (Related Parties)

1. The governing body is responsible for ensuring that the institution identifies, in a complete and updated list, at least quarterly, its CONTINUATION OF NOTICE No. 03/2026 Page 11 of 104 related parties, making it available to the National Bank of Angola whenever requested.
2. The list referred to in the preceding paragraph includes the name or corporate name of the related party, the tax identification number or identification number of