2024-01-01
The Reserve Bank of Fiji issued this policy to establish minimum requirements for supervised entities to manage culture and conduct risk effectively. It mandates that boards and senior management implement frameworks promoting ethical behavior, fair customer treatment, and clear individual accountability through defined core management functions. The document requires entities to integrate conduct risk into their overall risk management, align incentive systems with cultural standards, and maintain robust monitoring and escalation mechanisms.
Prudential Supervision Policy Statement No: 3

MINIMUM REQUIREMENTS FOR THE MANAGEMENT OF CULTURE AND CONDUCT RISK FOR SUPERVISED ENTITIES

NOTICE TO COMMERCIAL BANKS, CREDIT INSTITUTIONS, INSURANCE COMPANIES, INSURANCE BROKERS, FNPF, FOREIGN EXCHANGE DEALERS, STOCK BROKER/DEALER, SECURITIES EXCHANGE, FIJI DEVELOPMENT BANK, AND MANAGEMENT COMPANIES OF MANAGED INVESTMENT SCHEMES

Reserve Bank of Fiji
February 2024
PART 1: PRELIMINARY

1.0 Introduction

1.1 This Policy is issued pursuant to:
a) Section 14(3) of the Banking Act 1995;
b) Section 3(2)(a) of the Insurance Act 1998;
c) Section 3(1)(a) of the Reserve Bank of Fiji (Capital Markets and Securities Industry) Regulations 2015;
d) Legal Notice 88 of 2002 Delegation of Powers and the Exchange Control Act 1985; and
e) Section 119 (1) of the Fiji National Provident Fund Act 2011 and the Fiji National Provident Fund Regulations 2014.

1.2 This Policy applies to all licensed commercial banks and credit institutions, the Fiji Development Bank, the Fiji National Provident Fund, licensed insurance companies and insurance brokers, licensed securities exchange, management companies of managed investment schemes, stock brokers/dealers and licensed foreign exchange dealers, hereinafter referred to collectively as “Supervised Entities” for the purpose of this Policy.

1.3 This Policy must be read in conjunction with the Financial Sector Development Policy Statement No. 3 (FSDPS No.3) – Policy on Protection and Fair Treatment of Financial Consumers.

1.4 The Reserve Bank of Fiji (“Reserve Bank”) recognises that there is no ‘one-size-fits-all’ approach. As such, the Reserve Bank aims to set out in this Policy the minimum requirements for the establishment of an acceptable framework that is holistic and effective, for the management of culture and conduct risk within all supervised entities.

1.5 As evident in other jurisdictions, the lack of accountability for misconduct is a key cultural driver of misconduct. In this regard, this Policy also seeks to set out the Accountability Regime for all responsible persons of the supervised entities.

1.6 The minimum standards under this Policy have been aligned to international best practice. Supervised Entities should not adopt a ‘check-box’ mentality in implementing the requirements of this Policy.
Therefore, each supervised entity must ensure that its framework for the management of culture and conduct risk is effective and commensurate to the nature, size, risk profile and complexity of its business operation.

1.7 In preparing the requirements of this Policy, reference has been made to international standards, best practices and guidance from institutions such as the Basel Committee on Banking Supervision, the International Finance Corporation, relevant financial sector regulators, the Group of Thirty and Starling Insight[1].

2.0 Background

2.1 Culture is a set of shared values and assumptions within an organisation. It reflects the underlying ‘mind-set of an organisation’, the ‘unwritten rules’ for how things really work. It shapes judgement, ethics and behaviours displayed at those key moments, big or small, that matter to the performance and reputation of a supervised entity.

2.2 It has been recognised that organisational culture can have a material impact on the soundness of financial institutions and the broader financial system. The behaviours and ‘mind-sets’ of financial institutions can threaten sound decision-making, prudent risk-taking and effective risk management, which can weaken its financial soundness, operational resilience, adversely impact its reputation and lead to the instability of the financial system.

2.3 Corporate culture and conduct risk are intrinsically linked, with culture as a critical factor in managing conduct risk. While the definition for conduct risk is still evolving, for the purpose of this Policy, conduct risk is defined as: “the way in which staff conduct themselves and treat customers that leads to the detriment of the interest of customers, which results in reputational issues that impact the stability of the institution and the overall market and financial system.”

2.4 The key components of conduct risk are:
a) culture, ethics, and integrity;
b) corporate governance and tone from the top; and
c) conflict of interest.
3.0 Objectives of the Policy

3.1 The objectives of the Policy are to:
a) enhance clarity in individual accountability for specific roles and responsibilities for senior management of the supervised entity;
b) ensure that the board and senior management of the supervised entity play a leading role in establishing the supervised entity’s culture and behavioural standards that promote prudent risk-taking and fair treatment of customers[2]; and
c) ensure that supervised entities establish policies and processes to promote sound risk culture and address conduct risk within the respective supervised entity.
[1] Starling, 2018. Culture & Conduct Risk in the Banking Sector, s.l.: Starling Trust.
[2] Refer to the Reserve Bank’s Policy on Protection of Financial Consumers for detailed requirements for fair treatment of customers.
PART 2: REQUIREMENTS OF THE POLICY

4.0 Sound Culture and Conduct Risk Management

4.1 Role and Responsibilities of the Board

4.1.1 Each supervised entity’s board of directors or its proxy is ultimately responsible for promoting a sound organisational and risk culture within the entity, and setting an appropriate ‘tone from the top’, to minimise the event of misconduct by senior management and all employees of the supervised entity.

4.1.2 The board must, at a minimum:
a) establish the supervised entity’s conduct risk tolerance level and ensure that this is clearly articulated and communicated to all levels of management;
b) ensure that the supervised entity’s conduct risk management framework is documented, approved, and reviewed at least annually;
c) establish the supervised entity’s culture, corporate values and behavioural standards that promote prudent risk-taking and fair treatment of customers;
d) promote, together with senior management, a sound corporate and risk management culture within the supervised entity which reinforces ethical, prudent and professional behaviour;
e) ensure the competency of senior management and appropriate personnel in identifying, measuring, monitoring and controlling conduct risk in terms of expertise, resources and systems, and in taking appropriate and prompt remedial actions to address concerns when necessary;
f) establish clarity in individual responsibilities in the supervised entity’s overall management structure to ensure that members of senior management are held to account for matters under their responsibility;
g) establish and maintain appropriate engagement strategies with its key stakeholders, such as depositors, policyholders, investors, pension fund members, relevant counterparties, shareholders and regulators, to ensure transparent and timely communication of relevant material information;
h) ensure that senior management notifies the Reserve Bank as soon as it becomes aware of any material adverse developments, regarding but not limited to misconduct, lapses in risk management and controls, or breaches of legal or regulatory requirements, that have the potential to cause widespread disruption to the supervised entity’s day-to-day operation, services or activities, and/or significantly impact the supervised entity’s customers and other stakeholders, or the safety and soundness of Fiji’s financial system; and
i) ensure the regular review of its incentive system where appropriate, to induce behaviours which promote its desired culture and values.
4.2 Role and Responsibilities of Senior Management

4.2.1 The senior management of the supervised entity is primarily responsible for the implementation of strategies, policies and procedures approved by the board.

4.2.2 The responsibilities of senior management in promoting the management of conduct and culture risk include, but are not limited to:
a) implementing the supervised entity’s approved conduct risk management framework and ensuring that it is clearly articulated and communicated to all levels of management and all employees;
b) upholding the supervised entity’s culture, corporate values and behavioural standards that promote prudent risk-taking and fair treatment of customers;
c) promoting, together with the board or its proxy, a sound corporate and risk management culture within the supervised entity which reinforces ethical, prudent and professional behaviour;
d) abiding by their own individual work responsibilities and being accountable for matters under their responsibility;
e) implementing and maintaining appropriate engagement strategies with key stakeholders, such as depositors, policyholders, investors, pension fund members, relevant counterparties, shareholders and regulators, to ensure transparent and timely communication of relevant material information;
f) notifying the Reserve Bank as soon as it becomes aware of any material adverse developments, including but not limited to misconduct, lapses in risk management and controls, or breaches in legal or regulatory requirements, that have the potential to cause widespread disruption to the supervised entity’s day-to-day operation, services or activities, and/or significantly impact the supervised entity’s customers and other stakeholders, or the safety and soundness of Fiji’s financial system;
g) maintaining a register for cases of misconduct; and
h) assisting the board in reviewing the supervised entity’s incentive system where appropriate, to induce behaviours which promote its desired culture and values.

4.3 Sound Culture

4.3.1 Each supervised entity is required to establish an effective framework for incorporating a sound corporate culture, with regard to the following key areas:

(i) Governance
a) Board and senior management should:
   - lead by example thereby setting a proper ‘tone from the top’;
   - lead the establishment of culture and behavioural standards, encouraging prudent risk-taking and fair treatment of customers and staff.
b) Senior management is expected to put in place effective mechanisms for ensuring the desired culture is understood and shared by staff;
c) Supervised entities should establish a board-level committee[3], chaired by an independent board member[4], to advise and assist the full board in discharging its responsibilities for culture-related matters;
d) The board-level committee:
   - may be assisted by the internal audit function or other experts where appropriate;
   - should introduce a regular process to review and confirm the effectiveness of the overall culture enhancement initiatives;
   - should approve, review and assess, at least annually, the adequacy of any relevant statement which sets out culture and behavioural standards, and ensure that such statement is translated into policies and procedures (including training) that are relevant to the day-to-day work of all levels of staff.

(ii) Rewards and Recognition systems[5]
a) Rewards and recognition systems of a supervised entity, such as staff recruitment, performance management, remuneration and promotion systems, must be holistic and should not only reward good performance, but should also take into account staff adherence and non-adherence to culture and behavioural standards, to avoid rewarding staff for achieving short-term business performance at the expense of the interest of customers and the safety and soundness of the supervised entity.
b) Supervised entities must put in place appropriate penalties, for individuals engaging in inappropriate behaviour.
c) To enhance the rewards system, the remuneration structure must take into account the complexity and respective seniority of staff and their assigned responsibilities.

(iii) Assessment and Feedback mechanisms
a) Supervised entities should (i) develop appropriate tools to monitor adherence to cultural and behavioural standards; and (ii) develop an effective escalation policy (including whistleblowing mechanism) to allow the timely reporting of any illegal, unethical or unacceptable practices, observed by staff and stakeholders in a confidential setting, without the risk of reprisal. The effectiveness of such channels of escalation should be reviewed from time to time.
[3] Either by a stand-alone committee or the remit of an appropriate board-level committee (e.g. audit or remuneration committee) to be expanded to encompass culture-related responsibilities.
[4] Supervised entities that are established as statutory bodies may hold further discussions with the Reserve Bank on the requirement for independent board members to chair the board committee that oversees the entity’s culture-related matters.
[5] Refer to the Prudential Supervision Policy Statement (PSPS) No.1: “Minimum Requirements for Corporate Governance of Licensed Entities” for further guidance on incentive systems.
b) Results from the relevant assessment and feedback mechanisms must be assessed and reported to senior management and the relevant board-level committee, at least annually, and as and when required.

4.3.2 Schedule 2 provides further guidance on the key areas described above.

4.4 Risk Culture

4.4.1 Risk culture is the subset of organisational culture, which governs how the supervised entity and its employees manage the risks associated with its strategies, operation, technology and other inherent risks. Risk culture defines how the supervised entity creates risk awareness within the entity, setting of risk appetite, assigning accountability and alignment of incentives to risk taking and the overall process of risk mitigation.

4.4.2 Getting the right culture may not solve all the supervised entities’ challenges, however, an effective risk culture may help to bind together elements such as governance, risk management, compliance, high-level systems and controls, and makes the supervised entity cohesive and stronger.

4.4.3 In developing and enabling an appropriate risk culture, a supervised entity must consider the following principles:
a) the board or its proxy, senior management, and employees should:-
   a. Mission, vision and values – clearly understand the purpose for the supervised entity’s existence, its values and ethics;
   b. The right tone at the top – take responsibility for risk management, and ‘walk the talk’;
   c. Consistent application of risk management principles – apply risk management principles consistently, in making day-to-day decisions;
   d. Risk management responsibility – recognise that risk management is their responsibility; and
   e. Open discussions and collaboration to mitigate risks – actively participate in discussions on risks facing the supervised entity;
b) the supervised entity should:-
   a. Common understanding of risk management terms – have a shared definition and firmly entrenched understanding of risks;
   b. Timely, transparent, and honest communications on risk – ensure that all stakeholders (including internal & external) are made aware of exposure to key risks, as well as relevant mitigation and controls in place; and
   c. Reporting processes – have processes for risk reporting to the board or its proxy, and key stakeholders, including safe whistleblowing procedures.
4.5 Conduct Risk

4.5.1 The values, attitude, and behaviour of employees at all levels of a supervised entity drive the manner in which the supervised entity conducts its business and how it interacts with its stakeholders. The board or its proxy and senior management, have a critical role in defining and taking steps to actively and consistently embed the conduct standards that would be expected of all employees. The tone-from-the-top, and how this is reinforced by way of policies, systems, and processes of the supervised entity have significant impacts on the effectiveness with which the desired conduct standards are cascaded down and embedded throughout the organisation.

4.5.2 The Reserve Bank has issued corporate governance policies (PSPS No.1[6] and SSPS No.1[7]) that set out the requirements and expectations on the conduct of supervised entities. To supplement these existing regulatory requirements and underscore the Reserve Bank’s expectations on supervised entities’ responsibility for fostering sound culture and effective conduct risk management, this Policy requires each supervised entity to establish and maintain a documented framework (including business model[8], policies and standards) for the effective management of conduct risk, which must be integrated into the supervised entity’s overall risk management framework.

4.5.3 The conduct risk management framework must include, at a minimum, the following:
a) conduct risk appetite statement set by the board;
b) conduct risk tolerance limits set by the board;
c) conduct risk management strategy, policies and procedures;
d) code of conduct and ethical standards[9];
e) conduct risk management responsibility, with clearly defined lines of authority and accountability, responsibilities and reporting structure.
4.5.4 While the board and Chief Executive Officer (CEO or equivalent title) are ultimately responsible for leading and managing culture within the supervised entity, each supervised entity must put in place documented policies and processes, that set expectations for all employees in terms of adhering to the supervised entity’s desired corporate culture and risk culture, and the board approved code of conduct and ethical standards of the supervised entity.
[6] Prudential Supervision Policy Statement No. 1: Minimum Requirements for Corporate Governance of Licensed Entities (banking, insurance and capital markets industries)
[7] Superannuation Supervision Policy Statement No. 1: Minimum Requirements for Corporate Governance for the Fiji National Provident Fund
[8] Business model is articulated through a collection of business processes that provide the fabric of its commercial operating model, range from customer on-boarding to product design, product marketing, product sale/advice, product post-sale, customer servicing, complaint handling, etc. and span across all channels, customer segments and geographies.
[9] The PSPS No. 1 requires supervised entities of the banking, insurance and capital markets industries to have documented code of conduct and ethical standards. The SSPS No.1 has similar requirements for the FNPF.
4.5.5 The code of conduct creates a common culture to ensure that employees know and understand the supervised entity’s expectations of them. The following are guidelines that a supervised entity should consider in developing an effective code of conduct:
a) simple, principles-based, concise and written in simple language that is easily understood by all employees;
b) does not include any legal language;
c) must apply to all board members, senior management, and employees, regardless of one’s hierarchy within the supervised entity;
d) developed by a cross-functional team to ensure that it addresses all relevant areas and represents the supervised entity’s corporate value. The team should ideally be made up of representatives from the human resources, risk management, internal audit, communication, legal and any other function that may be deemed relevant;
e) be regularly reviewed to ensure its relevance;
f) include, at the minimum, the following elements:
   - highlight the supervised entity’s Vision, Mission and Values;
   - uphold the law;
   - ethical competition;
   - ensure health and safety;
   - avoid conflicts of interest;
   - accepting business courtesies such as gifts, meals, refreshments and entertainment;
   - offering business courtesies;
   - use of supervised entity’s resources; and
   - confidential and proprietary information.

4.5.6 Each supervised entity must put in place appropriate policies, systems, and processes for regular monitoring, reporting, and escalation to the board and senior management on matters relating to misconduct of the supervised entity and its employees, as well as a consequence management system for the transparent investigation of breaches and disciplinary procedures.

4.5.7 Each supervised entity must establish and maintain appropriate engagement strategies with its key stakeholders and relevant counterparties, shareholders and the regulator, to ensure transparent and timely communication of relevant material information.
4.5.8 The board and senior management must regularly review the adequacy and effectiveness of the supervised entity’s conduct risk management framework, taking into account any gaps between observed behaviours and the supervised entity’s desired culture and standards of conduct.

5.0 Individual Accountability – Senior Management

5.1 Clarity in individual responsibilities and the overall management structure of the supervised entity will ensure that senior management are held to account for matters under their responsibility. This is fundamental to an effective governance framework and facilitates greater transparency in the management and decision-making process of the supervised entity.

5.2 The board or its proxy of each supervised entity must clearly identify the members of the senior management who have responsibility for functions that are core to the management of the supervised entity’s business affairs, and these Core Management Functions (CMF) must reflect the actual oversight responsibilities and decision-making authority, regardless of his or her physical location. Schedule 3 provides a list of CMF titles for reference.

5.3 Each supervised entity should assess and review how each CMF applies in the context of its operation in Fiji, and consider designating senior management for CMF which are relevant to their circumstances, but are presently not assigned to any individual.

5.4 Supervised entities may deviate from the list of the CMF provided in Schedule 3 if the supervised entity has determined that any of the CMF are not applicable to their circumstances. Therefore, the onus is on the supervised entity to identify other individuals who would be considered senior management by virtue of their seniority, decision making authority, and responsibilities, even if the particular function that they manage does not fall within the list of CMF in Schedule 3.

5.5 Supervised entities are responsible for conducting the necessary due diligence and fit and proper assessment prior to the appointment of senior management, and must put in place robust standards and processes to assess the fitness and propriety of each member of senior management prior to appointment and on an on-going basis, which should be in line with the applicable Reserve Bank requirements for fit and proper assessment.
5.6 As part of its internal governance framework, a supervised entity should articulate the role and responsibilities of its senior management and its overall management structure, and must maintain documented, accurate and comprehensive records of these arrangements, which must be approved by the board of the supervised entity.

5.7 Supervised entities must have clear documented specification of each senior management’s individual areas of responsibility and his or her appointment and responsibilities in management committees, and ensure that each member of senior management acknowledges his or her specified roles, responsibilities and reporting lines.

5.8 Supervised entities must document an appropriate delineation of the supervised entity’s overall management structure, including reporting relationships among senior management and management committees, between senior management or management committees and the board, and across entities within the supervised entity’s group (if applicable).

5.9 Supervised entities must put in place appropriate incentive, escalation, and consequence management policies that hold senior management accountable for the effective performance of their specified roles and responsibilities, including the conduct of their reporting staff and the conduct of the business under their purview.

5.10 Supervised entities’ succession plans must be regularly reviewed and updated, including the identification of potential candidates and appropriate handover policies and procedures, to facilitate smooth transition in the senior management team.

5.11 The emphasis on individual accountability does not absolve the collective accountability of management committees and vice versa. A key objective of forming management committees is to leverage the diverse views and expertise of individual members to derive a collective decision on the supervised entity’s business affairs. This should be reinforced, rather than displaced, by a strong culture of individual accountability.

5.12 In setting up management committees, supervised entities should establish a formal mandate and articulate the terms of reference and reporting lines for each management committee. Individual senior management constituting the committee are expected to have a robust understanding of the matters under their purview, and how these interact with the supervised entity’s business and risks. Therefore, it is the responsibility of each member of senior management to determine the issues that ought to be raised at the relevant committee meetings and make constructive contributions to the discussion, in order to facilitate more informed decision-making by the committee collectively.

6.0 Independent Review and Audit

6.1 Each supervised entity must conduct periodic reviews of the supervised entity’s culture and conduct related matters. The reviews should be conducted by independent parties, such as internal or external auditors, with relevant skills and expertise.
6.2 Such reviews should, among other things, cover the following areas:
a) the clarity and adequacy of the supervised entity’s individual accountability regime for senior management and ownership of risks;
b) the adequacy of internal systems and procedures for identifying, measuring, monitoring and mitigating conduct risk;
c) the appropriateness and effectiveness of the supervised entity’s risk culture and the overall corporate culture; the internal escalation channels; incentive systems; internal and external feedback and complaints[10] assessment; and product development, marketing and delivery process;
d) the adequacy of board oversight in relation to culture and conduct risk related matters;
e) the adherence to established internal policies by the supervised entity, senior management and all employees of the supervised entity; and
[10] Refer to Reserve Bank’s ‘Complaints Management Policy’ as defined in the Schedule.
f) the adherence to the code of conduct and ethical standards by the supervised entity’s employees.

7.0 Reporting to the Reserve Bank of Fiji

7.1 Supervised entities are required to notify the Reserve Bank, using the reporting details specified in Appendix 1(i), as soon as it becomes aware of any material adverse developments, including but not limited to misconduct, lapses in risk management and controls, or breaches in legal or regulatory requirements that have the potential to cause widespread disruption to the supervised entity’s day-to-day operation, services or activities, and/or significantly impact the supervised entity’s customer and other stakeholders, or the safety and soundness of Fiji’s financial system[11].

7.2 Furthermore, supervised entities are also required to submit Quarterly Reports to the Reserve Bank using the prescribed Return in Appendix 1(ii).

PART 3: OVERSIGHT AND IMPLEMENTATION ARRANGEMENTS

8.0 Oversight by the Reserve Bank of Fiji

8.1 Each supervised entity must provide to the Reserve Bank its initial Culture and Conduct Risk Policy and all related policies and procedures within 12 months after the implementation of this Policy. In the event of major changes made to the requirements of the supervised entity’s Culture and Conduct Risk policy and all related policies and procedures, copies of the revised policy must be submitted to the Reserve Bank within 30 days after changes have been approved by the supervised entity’s board.

8.2 The Reserve Bank will assess the compliance of each supervised entity with the requirements of this Policy in the course of its supervision.

8.3 A supervised entity that fails to comply with the requirements of this Policy will be subject to sanctions by the Reserve Bank.

8.4 The Reserve Bank may adjust or exclude a specific requirement in this Policy by providing a written notice.

9.0 Implementation Arrangements

9.1 This Policy applies to all supervised entities as described in paragraph 1.2 above.
[11] Supervised entities of the Banking Industry are to report all incidents referred to in this section through the reporting process under the Banking Supervision Policy Statement No 16 on the Minimum Requirements for the Management of Operational Risk for Licensed Financial Institutions in Fiji. All other supervised entities captured under this Policy are required to report incidents as per Paragraph 7.1 and 7.2 of this Policy.
9.2 This Policy becomes effective from 01 April 2024 with full compliance required within 12 months from the effective date, and will be reviewed as deemed necessary.

Reserve Bank of Fiji
February 2024

Appendices:
Schedule 1 – Interpretations
Schedule 2 – Key Areas to Address a Sound Culture
Schedule 3 – Core Management Functions
Appendix 1(i) and 1(ii) – Reporting Forms
SCHEDULE I[12]

Interpretation –

(1) Any term or expression used in this Policy that is not defined in this Policy:
a) which is defined in the Banking Act 1995, Insurance Act 1998, the Companies Act 2015, Reserve Bank of Fiji (Capital Markets and Securities Industry) Regulation 2015; and the Fiji National Provident Fund Act 2011, Exchange Control Act 1985 and the Fiji National Provident Fund Regulations 2014, unless the context otherwise requires, have the meaning given to it by the said Acts; and,
b) which is not defined in the Acts and which is defined in any of the Reserve Bank of Fiji Policy Statements shall, unless the context otherwise requires, have the meaning given to it by those policy statements.

(2) In this Notice, unless the context otherwise requires:

‘Acts’ means the Banking Act 1995, Insurance Act 1998; Reserve Bank of Fiji (Capital Markets and Securities Industry) Regulation 2015; the Exchange Control Act 1985; Fiji National Provident Fund Act 2011 and Fiji National Provident Fund Regulations 2014.

‘Board’ means the board of directors of the supervised entity.

‘Business Unit’ means a segment of the supervised entity which has a specific function, e.g. human resources, or a branch and is headed by a manager. It may be also known as a department, division, or a functional area.
‘Complaints Management Policy’ refers to Supervision Policies issued by the Reserve Bank of Fiji as follows –
(a) BSPS 13 – Minimum Guidelines on Complaints Management for Banks and Credit Institutions
(b) ISPS 9 – Minimum Guidelines on Complaints Management for Insurers
(c) CMSPS 3 – Minimum Guidelines on Complaints Management for Capital Market Participants
(d) SPS 3 – Minimum Guidelines on Complaints Management for Fiji National Provident Fund
(e) RFEDS 3 – Minimum Guidelines on Complaints Management for Restricted Foreign Exchange Dealers & Money Changers

‘Incentives’ means the additional payments given to bank employees on attainment of certain performance measures at the end of a reporting period.

‘Material Risk Taker’ means an officer who is not a member of the senior management of a supervised entity and who:
12 Definitions adopted from various sources such as the Basel Committee on Banking Supervision, the International Finance Cooperation and the Monetary Authority of Singapore
15 Can materially commit or control a significant amount of the supervised entity’s resources or whose actions are likely to have a significant impact on its risk profile; and/or, Is among the most highly remunerated officers in the supervised entity. ‘Risk Appetite’ means the aggregate level and types of risk a supervised entity is willing to assume, decided in advance and with its risk capacity, to achieve its strategic objectives and business plan. ‘Risk Appetite Statement’ means the written articulation of the aggregate level and types of risks that a supervised entity will accept or avoid, in order to achieve its business objectives. It includes quantitative measures expressed relative to earnings, capital or solvency, risk measures, liquidity and other relevant measures as appropriate. It should also include qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices. ‘Risk Culture’ means a supervised entity’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risk they assume. ‘Risk Limits’ means the specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the supervised entity aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate. ‘Risk Management’ means the process established to ensure that all material risks and associated risk concentrations are identified, measured, limited, controlled, mitigated and reported on a timely and comprehensive basis. Risk Profile’ means Point-in-time assessment of a supervised entity’s gross risk exposures (i.e. before the application of any mitigants) or, as appropriate, net risk exposures (i.e. 
after taking into account mitigants) aggregated within and across each relevant risk category, based on current or forward-looking assumptions. ‘Senior Management’ means officers holding senior management responsibilities that may materially affect the whole or a substantial part of the supervised entity’s business or financial standing. ‘Tone at the top’ means the atmosphere that is created in the workplace by the supervised entity’s leadership, and that trickles down to all employees.
SCHEDULE II – Key Areas to Address a Sound Culture
respect of staff adherence to ‘corporate values’ in the annual performance assessments, with implications for the determination of variable remuneration of employees.
Balance use of incentive and disincentives: a supervised entity’s incentive system should be designed to include both sanction for misbehaviours and rewards for promoting positive behaviours, such as through monetary (e.g. positive adjustment to variable remuneration) and non-monetary (e.g. recognition scheme) rewards for those employees who demonstrate exemplary behaviours that enhance the culture of the supervised entity.
3. Assessment and Feedback Mechanisms
Each supervised entity must establish effective mechanisms to assess the actual behaviour of all staff and provide useful feedback and recommendations to assist management to consider whether any enhancements are necessary. Similar mechanisms must be established to collect feedback from its customers to improve customer experience of the supervised entity’s products and services. The following factors must be taken into full consideration:
Monitoring core parameters: a supervised entity should produce a dashboard of indicators to assess the supervised entity’s culture, and should carry out trend analysis of these indicators. Some examples of these indicators include risk limit breaches, compliance breaches, transactional communication, surveillance, staff feedback surveys, customer feedback survey and complaints (identifying trends and root causes), whistle-blower reports;
Staff feedback: supervised entities may collect qualitative information relating to culture from staff through employee surveys, focus group discussions or individual interviews. In designing the structure and content for such exercises, supervised entities should ensure that any potential bias arising from employees who attempt to provide answers that are regarded as ‘correct’ rather than ‘honest’ is minimised;
Customer feedback: a supervised entity should conduct customer satisfaction surveys to assess customer experience with the supervised entity’s products and services. Supervised entities should also conduct mystery shopping programmes and review customer complaints to collate feedback from customers to assess whether or not the behaviour of the customer-facing staff is in line with the supervised entity’s culture and behavioural standards;
Sharing of lessons learned: a supervised entity should share lessons from internal misconduct and disciplinary cases (without breaching any privacy law) with employees to reinforce proper understanding of the supervised entity’s culture and behavioural standards. A supervised entity may also illustrate the consequences for inappropriate behaviours and transgressions. It should also gauge views and responses in such case studies to identify possible weaknesses and remedial measures;
Internal escalation channels: a supervised entity should design and put in place appropriate escalation channels for staff to directly report issues and concerns (including ‘whistle-blowing’ and unusual activity reporting), or to provide general feedback or comments, to senior management and/or a dedicated team without the need to go through line management or local offices, while protecting staff from reprisals. Each reported case that warrants investigation should be subject to independent review or investigation. The supervised entity’s escalation policy should describe the types of issues to escalate, and when, to whom, and how to escalate those issues. The escalation policy should require compulsory escalation of significant matters by staff (e.g. failure to promptly escalate significant issues to appropriate parties may be subject to disciplinary actions) and/or provide for an incentive arrangement to encourage employees to speak up.
SCHEDULE 3 – Core Management Functions
For the purpose of this Policy, senior management performing ‘Core Management Functions’ include the following roles, by whatever name described:
Appendix 1(i) – Prescribed Incident Reporting Details:
Reporting Entity: _______________________________
Date: _______________
Incident Type:
Incident Details:
Incident Number:
Value of Loss (if applicable):
Actions taken by the Reporting Institution:
Next Course of Action (include timeline to resolve the incident):
Risk Level (Low, Medium, High [13]):
[13] As per the reporting entity’s internal risk assessment.
Appendix 1(ii) – Incident Reporting: Quarterly Return
Reporting Entity:
Date: _______________
Incident Type | Incident Number | Incident summary | Value of Loss | Incidents Resolved during the Quarter | Pending incidents during the Quarter