2012-03-22

Compliance and the Compliance Function in a Banking Corporation

The Supervisor of Banks issued this directive to mandate that banking corporations establish an independent, permanent compliance function to manage compliance risk and prevent material losses. The document requires the board of directors and senior management to approve a comprehensive compliance policy, allocate adequate resources, and ensure the Chief Compliance Officer has the authority and independence to oversee adherence to laws and internal standards. It further details the specific duties of the compliance function, including risk assessment, employee training, monitoring, and reporting, while defining its role as the second line of defense within the corporation's corporate governance structure.

Bank of Israel

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21)
Compliance and the Compliance Function in a Banking Corporation
Page 308-1

COMPLIANCE AND THE COMPLIANCE FUNCTION IN A BANKING CORPORATION

Table of Contents

Topic                       Sections   Page in directive
General Remarks             1–9        308-2
Corporate governance        10–15      308-4
Features of the function    16–21      308-7
Duties of the function      22–27      308-9
Scope of activity           28–30      308-11
Chief Compliance Officer    31–36      308-12
Outsourcing                 37–38      308-13
Foreign bank                39         308-14

A. General Remarks

Introduction

  1. The complexity and development of banking activity require a banking corporation to be especially meticulous about adhering to the compliance directives as defined below. Lack of adherence to compliance directives is liable to expose the bank to material losses and adverse publicity, which are liable to lead to a negative impact on the corporation’s image and reputation.
  2. Banking corporations must observe the compliance directives in all jurisdictions in which they conduct business. The structure and organization of the compliance function and its areas of responsibilities must be in line with the legal and regulatory requirements of the countries in which they operate.
  3. Compliance starts at the board of directors and senior management, particularly regarding the personal example set by the upper echelons. Therefore, to ensure appropriate and effective compliance, the senior functions at a banking corporation must create an organizational environment and culture that emphasizes high standards of honesty and integrity in its business conduct, and they must at all times strive to observe the spirit as well as the letter of the law.
  4. A banking corporation that knowingly takes part in transactions that are intended to be used by its customers to avoid regulatory or financial reporting requirements, to evade tax payments or to facilitate illegal conduct, exposes itself to significant compliance risk.
  5. Compliance is part of a banking corporation’s organizational culture. It is not just the responsibility of the compliance function, as defined below, but applies to every function at the banking corporation and it is to be viewed as an inseparable part of the banking corporation’s business activities.
  6. The compliance function, as an independent function, serves as a second line of defense. This approach is consistent with the three lines of defense detailed in Section 4 of Proper Conduct of Banking Business Directive 310 on “Risk Management” (hereinafter, “Directive 310”).
  7. The compliance function is to act in accordance with the principles detailed below.

Application

  8. This directive shall apply to a banking corporation as defined in the Banking (Licensing) Law, 5741–1981, including a banking corporation that is a joint services company (“banking corporation”).

Definitions

  9. In this directive:
     “Compliance directives”—Laws, standards, regulations (in this regard, to include opinions that are set by the Banking Supervision Department when handling public enquiries), internal procedures and code of ethics that are applicable to the banking corporation’s banking activities;

     “Compliance risk”—The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a banking corporation may suffer as a result of its failure to comply with the compliance directives;
     “Compliance function”—An independent function responsible for managing compliance risk at the banking corporation;
     “Chief compliance officer”—The head of the compliance function at a banking corporation;
     “Compliance function staff”—Banking corporation employees who carry out compliance responsibilities and are subordinate to the Chief Compliance Officer;
     “Internal audit function”—As defined in Proper Conduct of Banking Business Directive no. 307 on “Internal Audit Function” (“Directive 307”);
     “Compliance outsourcing arrangement”—An agreement between the banking corporation and a subcontractor for supplying compliance services;
     “Branches”—As defined in Proper Conduct of Banking Business Directive no. 301 on “Board of Directors”.

B. Corporate governance

Board of directors

  10. The board of directors is responsible for overseeing the management of the banking corporation’s compliance risk, and in this regard the board of directors shall:
     (a) Approve the banking corporation’s compliance policy as detailed in Sections 12–14 below, including a charter that regulates the establishment of a permanent and effective compliance function;
     (b) Outline the ways in which the compliance policy principles, and the importance it ascribes to them, are to be brought to employees’ knowledge;
     (c) Ensure that compliance issues are handled rapidly and effectively by senior management with the assistance of the compliance function and other functions as detailed in Section 22(b) below;
     (d) Assess, at least once a year, the extent to which the banking corporation is effectively managing its compliance risk;
     (e) Determine the type, content, and frequency of reports that are to be submitted to it regarding compliance issues;
     (f) Hold a meeting with the Chief Compliance Officer, at least once a year, in order to assist the board of directors in assessing the effectiveness of the compliance risk management at the banking corporation. This meeting can also be held with one of its committees, as noted in Section 35(e)(3) of Proper Conduct of Banking Business Directive 301, “The board of directors”.

Senior management

  11. Senior management is responsible for the banking corporation’s effective management of compliance risk, including:
     (a) To formulate a written compliance policy that contains the basic principles to be followed by management and employees, as detailed in Sections 12–14 below;
     (b) To take all necessary measures to ensure that the banking corporation can rely on a permanent and effective compliance function; such measures include allocating adequate resources, including human resources, to the compliance function for achieving its goals;
     (c) To identify and assess, at least once a year, the main compliance risk issues facing the banking corporation and determine plans to manage and deal with them. The plans are to address shortfalls in policy, procedures, implementation, or execution that relate to how effectively existing compliance risks have been managed, and the need for additional policy documents or procedures for handling new compliance risks identified as a result of the annual compliance risk assessment, as noted in Section 23(i) below;
     (d) To report to the board of directors or one of its committees (the risk management committee or audit committee), at least once a year, on the management of compliance risk at the banking corporation, in a manner that will assist the board to make an informed assessment of the extent of effectiveness with which the banking corporation manages its compliance risk;
     (e) To report immediately to the board of directors or one of its committees (the risk management committee or audit committee) on any material compliance failures, such as failures that hold significant risk and are liable to lead to legal or regulatory sanctions, financial loss, or loss to reputation;

     (f) To take significant actions or other remedial actions, such as adding controls and even ceasing activities, with regard to a breach of compliance policies that was identified.

Compliance policy

  12. (a) The policy is to detail the manner in which the banking corporation is to prepare for the implementation of this directive, including the main processes through which compliance risks will be identified and managed at all levels of the corporation;
     (b) The compliance policy will be set on a group basis, with the necessary changes;
     (c) In order to increase the clarity and transparency of the policy, in appropriate cases there should be a distinction between standards applying to all the banking corporation’s employees and standards applying to certain groups of employees.
  13. The compliance policy is to include, among other things, the following issues:
     (a) Uniform definitions for ensuring consistency in identification, in rating exposures, and in risk management goals;
     (b) Definition of the compliance function’s areas of authority and responsibilities, as detailed in Chapter D below;
     (c) The relationships between the compliance function and other functions that serve as the second line of defense, and between it and the internal audit function, as detailed in Section 4(b) of Directive 310;
     (d) Division of the responsibilities related to compliance activities between the various divisions in the banking corporation, as noted in Chapter D below;
     (e) A description of the methodology and tools that will be made available to banking corporation employees who will support the ongoing internal control with regard to compliance, including work procedures, automated reports, and ongoing training and instruction of managers and employees in areas relevant to their work;
     (f) The types of reports and reporting mechanisms that will be available to the Chief Compliance Officer in order to enable him or her to verify the preparedness of the banking corporation for compliance with the compliance directives prior to embarking on a new activity and ahead of setting a new compliance instruction;
     (g) The types of reports, their format and frequency, that the Chief Compliance Officer is to submit to the banking corporation’s management and board of directors;
     (h) The types of disciplinary measures that will be adopted against banking corporation employees who violate compliance directives.
  14. The policy document will be reviewed at least once per year, and will be updated in view of developments and changes in the banking corporation’s external activity environment, strategy, products, activities, and systems.

The relationship with the internal audit

  15. (a) The compliance function is part of the second line of defense, and is therefore subject to independent audit by the internal audit function, which serves as the third line of defense;
     (b) The internal audit function’s risk assessment methodology should include compliance risk. The internal audit function is to set audit specifications for examining the effectiveness and adequacy of the compliance function, including testing of controls commensurate with the perceived level of risk;

     (c) The banking corporation will set down in writing the manner in which risk assessment roles and the carrying out of audits will be divided between the compliance function and the internal audit function;
     (d) The internal audit function will update the Chief Compliance Officer regarding the findings of audits related to compliance.

C. Features of the function

Permanent function

  16. A banking corporation is required to have a permanent compliance function as part of the banking corporation’s compliance policy.

Independent function

  17. The compliance function of the banking corporation is to be independent of the activities it examines. Its independence relies on the following components, detailed in this Directive: a formal status for the function; the appointment of a Chief Compliance Officer; the avoidance of conflicts of interest for the function and for the head of the function; and the provision of resources and comprehensive access to data.

Charter

  18. The compliance function shall be granted a formal status within the banking corporation, in order to provide it with an appropriate status, authorities, and independence. The compliance function’s status will be anchored in a charter that is to be distributed to all of the organization’s employees. The charter will anchor the following topics:
     (a) The compliance function’s role and the areas of its authority;
     (b) The means to ensure independence;
     (c) The right to receive the information necessary for it to fulfill its roles, and banking corporation employees’ obligation to cooperate in providing the information;
     (d) The right to conduct checks related to possible violations of the compliance policy, and to the extent necessary, to appoint external experts to carry out this task;
     (e) A formal obligation to report to senior management, as detailed in Section 23(i) below;
     (f) The right to report its findings regarding irregularities or possible violations independently to senior management, and to the extent necessary to turn directly to the board of directors or one of its committees while bypassing the regular chain of reporting;
     (g) The charter will anchor the compliance function’s ability to carry out its roles, in accordance with its judgement, in every one of the banking corporation’s divisions, and it will have the right to carry out examinations of possible violations of the compliance policy, and to receive professional support from experts in the banking corporation or outside of it, for the carrying out of its task, where necessary;
     (h) The compliance function shall have full access to all of the banking corporation’s records and files as well as to every employee in the corporation, as necessary, based on its judgement, for the carrying out of its role;
     (i) The banking corporation shall establish an appropriate mechanism for collaboration between the various divisions, including functions dealing with compliance issues in the first line of defense (the business line), and between them and the Chief Compliance Officer, which will be able to ensure that the Chief Compliance Officer fulfills his role effectively;
     (j) The banking corporation shall set down lines of reporting or other functional relationships between employees carrying out compliance tasks in the first line of defense and the compliance function.

Conflict of interest

  19. (a) Compliance function staff and the Chief Compliance Officer need to be placed in an organizational position that does not create, and is not liable to create, a potential conflict of interest with their responsibility for the compliance issue;
     (b) In the cases detailed in Section 33 below, conflicts of interest are to be avoided between the other responsibilities borne by the compliance function staff and their responsibilities in the area of compliance;
     (c) Compliance function staff will only receive instructions regarding compliance from the Chief Compliance Officer or someone acting on his behalf.
  20. Remuneration of compliance function staff will be based primarily on achieving the goals of the function, as noted in Section 10 of Proper Conduct of Banking Business Directive 301A on “Remuneration policy at a banking corporation”.

Resources and professional capabilities

  21. The compliance function should have the appropriate and necessary resources to carry out its responsibilities effectively. In particular:
     (a) Compliance function staff should have the necessary qualifications, experience, and professional and personal qualities to enable them to carry out their specific duties;
     (b) Compliance function staff should have a sound understanding of compliance directives and their practical impact on the banking corporation’s activities;
     (c) The professional skills of the compliance function staff should be maintained, especially with respect to keeping up to date with developments in compliance directives, through regular and systematic education and training.

D. Duties of the function

Duties of the function

  22. (a) The compliance function is responsible for assisting senior management in effectively managing the compliance risks facing the banking corporation;
     (b) A banking corporation may manage compliance risk derived from compliance directives that are not detailed below through other functions in the second line of defense, in the manner detailed in this directive; in such a case, the division of responsibilities between the functions should be clear. The compliance directives referred to in this regard relate to the following areas: conflict of interest; a bank’s fairness vis-à-vis its customers; prohibition on money laundering and financing of terrorism; advising a customer; privacy protection (excluding information technology aspects); tax issues that are relevant to products or services to customers; or similar directives.
  23. The compliance function’s tasks include, among other things, the following:
     (a) To advise senior management on compliance directives, including updating management on developments in the area; within this framework, to examine significant changes abroad in the compliance directives and enforcement policy that apply to the banking corporation and its branches, including with regard to customers’ activity. The identification and assessment processes that are at the basis of the update are also to include lessons from significant compliance events, which are to be anchored in the banking corporation’s procedures or through another documented method that will ensure their integration into the process;
     (b) To assist senior management in training employees in the appropriate implementation of compliance directives, through regulating policy and procedures and other documents such as a compliance manual, internal codes of conduct, and practice guidelines;
     (c) To act as a contact point within the banking corporation for compliance enquiries from employees;
     (d) To identify, document, and actively assess the compliance risks associated with a banking corporation’s activities, including the development of new products, business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
     (e) To participate in the authorization process of a new product or new business activity, as noted in Section 16(c) of Directive 310;
     (f) To consider ways to measure compliance risk (e.g., by using performance indicators) and use such measurements to enhance risk assessment. Technology can be used as a tool in developing performance indicators by aggregating or filtering data that may be indicative of potential compliance problems (e.g., an increasing number of customer complaints, irregular trading or payments);
     (g) To assess the appropriateness of the banking corporation’s compliance procedures and guidelines, promptly follow up any identified deficiencies, and, where necessary, formulate proposals for future amendments;
     (h) To monitor and test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be reported up through the compliance function reporting line in accordance with the banking corporation’s internal procedures;
     (i) The Chief Compliance Officer should report on a regular basis to senior management on compliance matters. The report should refer to the compliance risk assessment that has taken place during the reporting period, including any changes in the compliance risk profile, summarize any identified breaches and/or deficiencies and the corrective measures recommended to address them, and report on corrective measures already taken.

The compliance program

  24. (a) The compliance function shall carry out its responsibilities in accordance with a compliance program that sets out its planned activities, such as: implementation and review of specific policies and procedures, assessment of compliance risk, formulation of compliance models, and educating employees on compliance matters; the compliance program is to include the timing and frequency of planned compliance activity;
     (b) The compliance program is to be risk-based and subject to the oversight of the Chief Compliance Officer, to ensure proper coverage across business activities and coordination between risk management functions;
     (c) The compliance function is to set in writing the principles of its risk assessment methodology, and it is to update the principles on an ongoing basis, in order to reflect changes in the system of internal control or work processes, and their integration into new activity lines;
     (d) Based on the results of the risk analysis, a multiyear work program is to be determined, which will take into account the level of structural risk inherent in the activities. The program is to take account as well of expected developments and innovations and of the high risk generally involved in new activities.
  25. The compliance program shall be brought before management for discussion and before the board of directors for approval. The program will be reviewed and updated on a regular basis and whenever necessary.
  26. The compliance program will be based on, among other things:
     (a) The compliance policy determined by the board of directors;
     (b) The results of the survey of compliance risk; it is clarified that this survey can be conducted as part of the survey detailed in Section 27 of Proper Conduct of Banking Business Directive 350 on “Operational Risk Management”;
     (c) The results of the audit of compliance (by the internal audit function, the external auditor, and the Supervisor of Banks);
     (d) Customers’ complaints;
     (e) New compliance directives and ongoing amendments to existing ones, and changes in the activities of the banking corporation, including information as noted in Section 23(a) above and its possible ramifications.
  27. The compliance program is to include details on the following issues:
     (a) Compliance issues;
     (b) Details of the personnel that are to deal with compliance, the professional capabilities required, and other resources required;
     (c) A timetable for carrying out compliance tasks;
     (d) Audits that will take place within a reasonable time after correcting a deficiency;
     (e) Time allocated to tasks and activities.


E. Scope of activity

  28. (a) A banking corporation conducting international activity through branches in a specific jurisdiction shall comply with the local laws and regulations, as well as with the Israeli compliance directives that apply to it;
     (b) A banking corporation’s compliance function shall verify that branches have been provided with tools to implement group compliance policies and to effectively manage their compliance risk.
  29. (a) The Chief Compliance Officer at the parent corporation shall verify, through coordination with other risk management functions at the banking corporation, that employees with appropriate expertise and relevant experience in the jurisdiction in which they work are filling the compliance positions at branches abroad;
     (b) The Chief Compliance Officer at the parent corporation shall verify the implementation of the group policies at branches as well, and include in the compliance function’s multiyear work plan a check of subsidiaries to which the directive does not apply;
     (c) The Chief Compliance Officer at a branch shall be professionally subordinate to the Chief Compliance Officer of the parent company.
  30. The banking corporation is to establish procedures to identify and assess the possible growth in reputation risk that may derive from the banking corporation offering products or conducting activities, in certain jurisdictions, that are prohibited in Israel.

F. Chief Compliance Officer

  31. (a) The Chief Compliance Officer shall be competent, experienced, and knowledgeable enough to discharge his duties and responsibilities as prescribed in this directive;
     (b) The Chief Compliance Officer shall be a member of the banking corporation’s senior management, or directly subordinate to such a member who is not responsible for an area in which business activities take place.
  32. Every banking corporation shall appoint a group compliance officer who will be responsible for identifying and monitoring compliance risk at the banking group.
  33. (a) The Chief Compliance Officer shall also be responsible for the banking corporation fulfilling its obligations under Section 8 of the Prohibition on Money Laundering Law, 5760-2000. Nonetheless, in a case where the Chief Compliance Officer is a member of management at the banking corporation, the person responsible for meeting those obligations may be directly subordinate to the Chief Compliance Officer, as noted in subsection 7(a) of Proper Conduct of Banking Business Directive 411, “Prohibition on Money Laundering and Financing Terrorism, and Identification of Customers”;
     (b) The Chief Compliance Officer shall not fill another role at the banking corporation; nonetheless, the Chief Compliance Officer may fill another similar role as defined in domestic or foreign law.

Appointment and cessation of tenure of Chief Compliance Officer

  34. The Chief Compliance Officer shall be appointed by the management of a banking corporation.
  35. (a) A banking corporation is to submit a written report to the Supervisor of Banks on the appointment of a Chief Compliance Officer;
     (b) When appointing a Chief Compliance Officer in branches abroad, if required, a similar report shall be submitted to the Supervisor of Banks in the host country.
  36. (a) The removal of a Chief Compliance Officer from his or her position, for any reason, shall be with the prior authorization of the board of directors;
     (b) The Supervisor of Banks is to receive a report on the cessation of the tenure of the Chief Compliance Officer, which is to include the circumstances of the cessation of the Chief Compliance Officer’s tenure.

G. Outsourcing the compliance function

  37. (a) Compliance is a core risk management activity within the banking corporation. That said, specific tasks of the compliance function may be outsourced;
     (b) A banking corporation that seeks to outsource significant compliance activities shall notify the Supervisor of Banks in advance, and provide its reasons.
  38. (a) The banking corporation is to verify that the outsourcing arrangements do not impede effective supervision by the Supervisor of Banks;
     (b) The banking corporation’s board of directors and senior management are responsible for ensuring that the compliance function’s tasks are carried out appropriately and effectively, even if some were outsourced;
     (c) The Chief Compliance Officer is to supervise the compliance tasks carried out through outsourcing.

H. A foreign bank

  39. This directive applies to a foreign bank, with the necessary changes. Among other things:
     (a) When carrying out its responsibilities detailed in Section 23, the compliance function may make use of the parent company’s compliance function;
     (b) In preparing the compliance program, as noted in Sections 24–27, the compliance function may rely on risk assessment methodologies that were set at the parent company, but it is to verify that they are in line with, and updated for, the Israeli branch’s activities;
     (c) In exceptional cases, a foreign bank which is of the opinion that certain sections of this Directive do not apply to it may contact the Supervisor of Banks to align their applicability or manner of implementation for said foreign bank.

Revisions

Circular 06 number   Version   Details              Date
2064                 1         Original directive   January 17, 2002
2459                 2         Revision             June 3, 2015
2598                 3         Revision             December 23, 2019
2669                 4         Revision             September 30, 2021