Regulation on Credit Risk Management at Banks and Savings Banks

THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE Page 1 of 20  Official Gazette of the Republic of Slovenia, No. 115/21 of 16 July 2021 (in force since 17 July 2021) Pursuant to point 3 of the first paragraph of Article 109 and point 1 of Article 155 of the Banking Act (Official Gazette of the Republic of Slovenia, No. 92/21; hereinafter: the ZBan-3), and the first paragraph of Article 31 of the Bank of Slovenia Act (Official Gazette of the Republic of Slovenia, Nos. 72/06 – official consolidated version, 59/11 and 55/17), the Governing Board of the Bank of Slovenia hereby issues the following REGULATION on credit risk management at banks and savings banks

1. GENERAL PROVISIONS Article 1 (Content of the regulation) (1) This regulation sets outs the rules relating to the following areas of credit risk management at banks and savings banks (hereinafter: banks): (a) loan origination; (b) credit risk monitoring; (c) assignment of debtors and exposures to credit rating grades; (d) credit protection management; (e) creation of value adjustments and provisions; (f) the early warning system for increased credit risk; (g) management of non-performing and forborne exposures; (h) data and credit documentation management; (i) reporting on credit risk. (2) Wherever this regulation makes reference to the provisions of other regulations, these provisions shall apply in the aforementioned regulations as amended from time to time. (3) These provisions shall not prejudice the requirements imposed on the banks by other applicable regulations governing the credit risk management. Article 2 (Definitions of terms) (1) The terms used in this regulation shall have the same meanings as in the ZBan-3 or in Regulation 575/2013/EU of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (hereinafter: Regulation 575/2013/EU), and in regulations issued on their basis. (2) The following definitions shall apply for the purposes of this regulation: (a) “credit assessment of the debtor” means an assessment of credit quality of the debtor which is reflected in the assignment of the debtor to an adequate rating grade in accordance with the provisions of Section 4 of this regulation; (b) the “rating grade” means a risk category within the rating scale of a rating system, to which debtors or exposures with similar credit risk are assigned;

Page 2 of 20 (c) the “rating system” means all of the methods, processes, controls, data collection and IT systems that support the assessment of credit risk, and the assignment of debtors and exposures to rating grades; (d) a “valuer” is an independent and qualified valuer, i.e. a person who possesses the necessary qualifications, ability and experience for conducting valuations, and is independent from the credit decision process with regard to transactions collateralised by the property subject to valuation; (e) the “central credit register” is the central credit register administered by the Bank of Slovenia in accordance with the Central Credit Register Act (Official Gazette of the Republic of Slovenia, No. 77/16); (f) the “valuation date” is the date to which a valuation applies; (g) “concession (forgiveness)” means forgiveness granted to the debtor by changing the original terms of lending on legal or economic grounds relating to the debtor’s financial difficulties; (h) “credit” is any on-balance-sheet or off-balance-sheet exposure that results in the bank being exposed to credit risk; (i) “credit risk” is the risk of a loss as a result of the failure of the debtor or the counterparty to settle liabilities within the contractually agreed deadline; (j) “advanced statistical models” are collateral assessment statistical models meeting the conditions from Section 7.4 of the Guidelines on loan origination and monitoring (EBA/GL/2020/06), including the model’s reliability; (k) “non-performing exposures” are non-performing exposures as defined in Article 47a of Regulation 575/2013/EU; (l) “exposures in default” are exposures in relation to which a default has occurred as defined in Article 178 of Regulation 575/2013/EU; (m) a “business entity” is a legal person, sole trader or a registered professional; (n) “residual risk” is the risk of the effectiveness of credit protection being less than expected, as a result of the occurrence or increase of other risks (e.g. legal risk, operational risk, liquidity risk, market risk) owing to the use of credit protection; (o) “forborne exposures” are forborne exposures as defined in Article 47b of Regulation 6575/2013/EU; (p) “valuation standards” are the applicable international and European valuation standards, namely the International Valuation Standards adopted by the International Valuation Standards Council (IVSC), the European Valuation Standards adopted by the European Group of Valuers’ Associations (TEGOVA), and the valuation standards adopted by the Royal Institute of Chartered Surveyors (RICS); (q) “concentration risk” is the risk of excessive direct and/or indirect exposure arising from the credit risk of a bank or banking group vis-à-vis an individual client, a group of connected clients, or clients linked by common risk factors; (r) “credit risk in foreign currencies” is the credit risk inherent in foreign currency loans where the borrowers have not used a foreign exchange hedge; (s) “validation” means the independent vetting of the adequacy of a rating system and its compliance with the relevant requirements for the rating system. 2. LOAN ORIGINATION Article 3 (Loan origination process) (1) The bank shall put in place a loan origination process that draws distinctions at least by the type of debtor, the source of cash flows for repaying the credit (e.g. borrower’s income, income generated by financial assets), the exposure amount and the complexity of the product.

Page 3 of 20 (2) The bank shall have a clearly defined process for approving new credit, and for modifying, renewing and refinancing existing credit. (3) The bank shall put in place a clear and consistent organisational structure for credit decision￾making. The credit approval policy and process shall include a clear segregation of powers and duties with regard to credit approval within the framework of the bank and among the entities within the framework of the banking group. Article 4 (Credit decision-making powers) (1) The bank shall ensure that credit decision-making powers are delegated to persons with the requisite knowledge, competence and professional experience. In its internal acts the bank shall provide a detailed definition of the delegation of credit decision-making powers. The powers shall be clearly delegated across the appropriate levels of the bank, and shall draw distinctions with regard to the type, purpose and amount of the credit. The credit documentation shall make clearly evident who approved the credit. (2) In making individual decisions as to granting a loan, the bank shall adequately consider the characteristics, including the size and complexity, of the relevant credit as well as the type and risk profile of the borrower. The structure of credit decision-makers shall comply with the bank’s credit risk appetite, reflect the bank’s business model, and ensure objectivity, impartiality and appropriate treatment of conflicts of interests. The powers and limitations of each decision-maker shall be clearly identified. The risk management function shall provide adequate controls over credit-risk taking, and shall be independent from the commercial operations unit. When the credit approval decision is less significant from the perspective of risk, the commercial operations unit may decide on the matter alone. The credit decision shall be clear and well documented. (3) In the event of the commercial operations unit and the risk management unit disagreeing with regard to credit approval, the bank shall ensure that the established decision-making rules are adhered to. (4) The bank shall put in place clear rules and procedures with regard to powers in the treatment and approval of exceptions (e.g. adjustment of credit assessment, credit approval under terms that deviate from the accepted standards of lending and credit protection policy). Lending that does not comply with the policy and the prescribed terms may only be proposed in exceptional cases. Such cases shall be documented and substantiated, and the power of approval of such transactions shall lie with the relevant body of the bank. The bank shall ensure the monitoring of circumstances and conditions prevailing at the time of approval of transactions that are not in line with the policy and prescribed terms. (5) If automated decision-making is applied in the credit granting process, the bank shall have established clear policies regarding the products, segments and limitsfor which automated decision￾making is allowed. Article 5 (Credit granting criteria) (1) The key criterion in credit granting is an assessment of the client’s creditworthiness. (2) The bank shall put in place appropriate and precisely defined credit granting criteria, which shall include at least the following:  the target market segment, as defined by the credit risk-taking and credit risk management strategy;

Page 4 of 20  the purpose of the credit and sources of repayment thereof (in assessing the consumers’ ability to repay their debts, the bank considers all relevant factors that could influence the current and future repayment capacity of the borrower, while in the case of lending to business entities the bank considers the cash flow from ordinary business activities as the primary source of repayment);  the client’s current risk profile;  the debtor’s repayment history, the current credit repayment capacity, and projections of future cash flows on the basis of various scenarios;  the quality and amount of credit protection;  loan terms, including contractual commitments limiting the client’s risk level in the future;  possible impact of environmental factors and climate change on the client’s financial performance in the future;  an assessment of the senior management’s level of expertise and capability, the client’s position in the sector and the general situation in the sector (in the case of corporate loans). Article 6 (Assessment of credit risk) (1) Before the approval of any credit or the conclusion of any other contract based on which an exposure to credit risk arises on the part of the bank, the bank shall assess and analyse quantitative and qualitative information and other significant factors that facilitate a comprehensive assessment of the debtor’s ability to settle the liabilities to the bank. The bank shall take account of the client’s links to other persons that could affect its creditworthiness. It shall provide for an appropriately professional and objective evaluation of the credit risk assessment, and shall obtain sufficient information about the client to be able to determine its risk profile or assess its creditworthiness and to assign it an appropriate credit assessment. It shall be particularly prudent when establishing a contractual relationship with a client for the first time. In its bylaws the bank shall prescribe the minimum scope of information that it is necessary to obtain from the client for an appropriate credit risk assessment and that is included in the proposal for credit approval. (2) For the purposes of assessing the client’s creditworthiness the bank shall obtain data from the central credit register about the borrower and connected clients to which the bank is exposed as defined in point (a) of Article 7 of this regulation. (3) Banks participating in syndicated loans and other banking consortiums may not rely solely on the analysis of the bank that is leading the consortium, but instead shall themselves conduct independent and thorough analysis of credit risk in the same way as if they were independently approving the credit. (4) In its policies the bank shall define leveraged transactions. The definition shall consider the level of the leverage and the aim of the transaction. Transactions with the excessive leverage should be an exception and should be treated in accordance with the credit risk-taking and risk management strategy. The bank shall set up an adequate structure of leveraged transactions management and monitoring. Article 7 (Identification of connections) The bank shall put in place a mechanism for identifying, monitoring and reporting connections: (a) between clients in accordance with point (39) of Article 4(1) of Regulation 575/2013/EU (connected clients); (b) with persons in special relationship with the bank. Article 8

Page 5 of 20 (Consideration of credit protection) (1) The bank shall consider the debtor’s solvency as the primary source of credit repayment, while the credit protection accepted for a particular credit represents a secondary source of credit repayment. The bank shall assess the credit quality of the underlying debtor or underlying exposure without regard to the existence of credit protection. (2) Before approving the credit, the bank shall verify all relevant documentation on the basis of which it ascertains the legal efficiency and enforceability of credit protection, and shall assess the value of the credit protection as defined in Section 5 of this regulation. (3) When the value of the credit protection is largely dependent on the credit risk of a provider of unfunded credit protection that is a third party, the bank shall also assess the credit risk of the aforementioned party. Article 9 (Limits on exposure to credit risk) The bank shall ensure that credit is approved within the framework of adopted risk-taking appetite and approved limits on exposure to credit risk. Article 10 (Mechanisms for product pricing) The bank shall ensure that the credit approval process includes appropriate mechanisms for product pricing that are in accordance with the adopted credit risk management policies and take account of the debtor’s credit risk, the type of product, the exposure amount, and the type and value of credit protection. Article 11 (Contractual commitments) When concluding a loan agreement the bank shall assess the adequacy of the contractual commitments to be contained in the agreement. The contractual commitments shall be clear, reasonable and feasible. In assessing the adequacy of individual contractual commitments the bank shall inter alia take account of the type and value of the transaction, the type and risk assessment of the debtor, the requisite information about the debtor and contract law. When the bank is unable to include all of the contractual commitments that it generally uses, it shall state the reasons in the credit file. 3. CREDIT RISK MONITORING Article 12 (Credit monitoring system) (1) The bank shall put in place a clear and consistent organisational structure, policies, processes and bylaws with regard to the monitoring process in accordance with the adopted credit risk management strategy, and a clear segregation of duties between the monitoring process and the credit approval process. (2) The bank shall put in place a system of continual monitoring of the credit portfolio that includes analytical procedures and methodologies for assessing or measuring credit risk. The system shall provide relevant information about the structure and quality of the credit portfolio and the concentration of credit risk at the bank and also at the level of the banking group.

Page 6 of 20 (3) For the purposes of managing concentration risks, the bank shall put in place and maintain appropriate limits on exposure to credit risk. The limits shall include on-balance-sheet and off￾balance-sheet exposures. (4) An effective credit monitoring system shall:

• ensure that the bank is able to regularly monitor the debtor’s operations and its creditworthiness throughout the duration of the credit relationship,
• monitor the fulfilment of the conditions deriving from the loan agreement,
• in the case of purpose-specific loans, monitor the use of the approved funds for the agreed purposes,
• monitor the regularity of payments, and identify breaches of contractual obligations,
• monitor the performance of the contractual commitments and record any breaches thereof, and monitor the enforcement of contractual sanctions in the event of breaches of the contractual commitments,
• monitor the loan-to-value (LTV) ratio, and the coverage of the exposure by credit protection,
• monitor the adequacy of the amount of value adjustments and provisions created,
• monitor concentration risk and any deviations from the limits referred to in the third paragraph of this article put in place,
• ensure the effective and timely identification of increased credit risk and non-performing credits,
• monitor the risk inherent in credit in foreign currencies. (5) The bank shall put in place and enforce internal controls and procedures to allow exceptions, escalations, and deviations from policies, procedures and limits to be reported promptly to those responsible for taking action. (6) In the assessment of individual credits and the credit portfolio, the bank shall take account of potential adverse changes in the future economic environment and shall periodically assess exposure to credit risk in extreme conditions (analysis of scenarios and stress tests).

4. ASSIGNMENT OF DEBTORS AND EXPOSURES TO RATING GRADES Article 13 (Assignment of debtors and exposures) (1) Within the framework of the credit approval and monitoring process, the bank shall assign a debtor or an exposure to a rating grade on the basis of clear rating criteria. The criteria shall be sufficiently precise to allow employees in the credit approval and monitoring process to make the same interpretations and consistently assign debtors and exposures with similar credit risk to the same rating grades. The assignment methodology shall be based on statistical models or other methods, and shall take account of the requirements set out by this section. Article 14 (Assignment of debtor in the case of group of connected clients) (1) In the process of assigning a debtor that is part of a group of connected clients to the appropriate rating grades, the bank shall include information on the existence of the group of connected clients such that the assignment of individual entities in the group of connected clients is consistent with the structure of the group. In so doing the bank shall at least take account of the type of connections between entities in the group.

Page 7 of 20 (2) The bank shall put in place procedures and processes that ensure that in the event of the default of an individual client in the group in accordance with Article 178 of Regulation 575/2013/EU it reviews and defines the impact of the default on the credit assessments of other entities in the group. (3) Cases in which debtors may be assigned higher credit assessments than the parent undertaking in the group shall be defined in advance by the bank. Decisions on cases of this type and any other cases shall be documented and appropriately substantiated by the bank. Article 15 (Rating systems) (1) The bank shall put in place rating systems that provide for the evaluation of credit exposures and their assignment to appropriate rating grades. (2) The bank shall put in place rating systems that suit the attributes of individual portfolios to ensure that material changes in individual portfolios are reflected in a change in the credit risk assessment. (3) The bank shall document material elements of the structure and functioning of internal rating systems which include at least portfolio differentiation, rating criteria, the responsibilities of those undertaking assessment, the frequency of the assessment, and the management oversight of the rating system. Article 16 (Consideration of relevant and up-to-date information) (1) The bank shall put in place procedures, mechanisms and criteria for obtaining all appropriate, currently available and up-to-date quantitative and qualitative information about the debtor and the exposure that is relevant to credit processes and rating systems. (2) In the event that information is deficient, missing or out-of-date, the bank shall apply an appropriate measure of conservativeness in assigning debtors or exposures to rating grades. (3) When external credit assessments are the bank’s main criterion in the assignment of debtors or exposures to rating grades, the bank shall also take account of other relevant information set out in its assignment methodology. (4) The bank shall review the appropriateness of the assignment of individual debtors and exposures at least once a year, and shall adjust them as appropriate. The bank shall undertake a new assignment if it obtains material information about the debtor or exposure. The bank shall specifically set out the criteria for the more frequent review of high-risk debtors or non-performing exposures. Article 17 (Adjustment of credit rating) (1) When assigning debtors or exposures to rating grades, the bank shall clearly define the grounds and ranges in which an adjustment of the credit rating is allowed, and in which phase of the assignment process an adjustment may be undertaken. (2) All adjustments of credit rating shall be clearly and transparently documented and substantiated. (3) The bank shall regularly monitor the number of adjustments of credit ratings and the grounds therefor, and shall regularly review the reliability of the adjustment process and consequently the functioning of the rating system.

Page 8 of 20 Article 18 (Requirements with regard to rating models) (1) In the use of rating models for assigning exposures to rating grades, the bank shall put in place a process for collecting and evaluating quantitative and qualitative data inputs into the model, including an assessment of the accuracy, completeness and appropriateness of the data. The bank shall prove that the data used to build the model is representative of the population of the bank’s actual debtors or exposures. (2) The bank shall complement the statistical model by human judgement to review the adequacy of the assignment of debtors and exposures with regard to the results of the model. All relevant information not considered by the model shall be taken into account in the final assignment of the debtor or exposure on the basis of human judgment. The bank shall document how human judgement and the model’s results are to be combined. (3) The bank shall prove that the model has good predictive power, and is as impartial as possible. (4) The bank that uses an external model or parts of an external model for assignment shall also take account of the following requirements:  users shall be appropriately trained in the use of the model,  in-house instructors must be available,  a plan for ensuring confirmation of the suitability of the external model must be drawn up,  the ongoing furthure development of the model, when necessary, must be ensured,  the possibility of assessing the performance of the model and, when necessary, making adjustments, even when the external provider ceases to provide support or in similar cases, shall be ensured. Article 19 (Documentation) (1) The bank shall document the reasons for selecting qualitative and quantitative criteria for assignment, and analysis that supports such a selection. The bank shall document all major changes in the assignment process. The organisation of the assignment process shall also be documented, including the internal control system in this area. (2) The bank shall formulate and document a model development methodology encompassing at least the following:  the adequacy of the model with regard to the attributes of the portfolio for which it is being used,  a description of data sources,  a definition of default and the loss given default,  a definition of predictive variables,  a precise description of the functional concept, theory and assumptions of the model in question,  the technical specifications of the model,  a description of the statistical methods for confirming the adequacy of the model,  a description of the circumstances in which the model does not work effectively. (3) The use of an external model shall not exempt the bank from the obligation of documentation or any other requirement for the system of assigning exposures to rating grades.

Page 9 of 20 Article 20 (Validation) (1) The bank shall have clearly defined rules and processes for regular validations and modifications of rating systems, which shall include or take account of at least the following:  appropriate methods for assessing the adequacy of rating systems with regard to their complexity and scope;  a clear definition of the validation process, the scope of validation, and the standards and limitations of validation;  descriptions of all validation tests and a list of the data used for validation, including a definition of the timeframe of data capture;  standards of data clean-up and data sources for validation;  back testing;  business cycles and the related systemic fluctuations, and experience of default events. (2) The bank shall ensure the independence of the validation process from the model development process and other credit processes. Roles and responsibilities in the validation process shall be defined in detail. (3) The bank shall conduct a validation of rating systems for material portfolios at least once a year. (4) The results of validations shall be analysed and adequately documented by the bank. Any deficiencies identified in the performance of rating systems shall be taken into account by the bank when they are being modified. The bank shall set out the criteria that require a modification or an upgrade of a specific rating system. 5. CREDIT PROTECTION MANAGEMENT Article 21 (General requirements with regard to credit protection) (1) The bank shall have a written credit protection policy, which shall be approved by and reviewed at least once a year by the management body. The bank shall define at least the following in its credit protection policy:  types of acceptable credit protection with regard to the type of debtor and transaction,  the permitted loan to value (LTV) ratio for specific types of credit protection,  the documentation required to ensure the legal certainty of individual types of credit protection,  the methodology for valuing individual types of credit protection, which sets out the methods and monitoring or frequency of valuation,  the methodology for determining the level of correlation between the value of the credit protection and the debtor’s credit quality,  the procedures and processes for the prompt enforceability of each type of credit protection,  the types of credit protection where a physical inspection of the assets pledged as collateral is required. (2) The bank shall have at its disposal all the requisite documentation based on which the legal certainty of credit protection and the effectiveness of its management are established. The bank shall ensure: (a) the legal certainty of credit protection by meeting all contractual and legal requirements in connection with the enforceability of credit protection under the law that applies to it, and

Page 10 of 20 (b) the effective management of credit protection on the basis of adopted measures, procedures and policies that provide for prompt realisation and appropriate certainty with regard to the amount of repayment from the credit protection used. (3) The bank shall assess the value of credit protection on the basis of a predefined credit protection valuation methodology. The bank shall regularly monitor the value of credit protection for the duration thereof, shall adjust the value on the basis of appropriate valuation, and shall take account of any prior encumbrances. (4) The bank shall give special consideration to credit protection whose value is highly volatile and/or that is the subject of a very lengthy realisation process. (5) The bank shall provide for adequate treatment and control of residual risk inherent in the use of credit protection. Article 22 (Credit protection monitoring) (1) The bank shall provide for regular monitoring of the value of credit protection and its legal efficiency and enforceability at appropriate time intervals beginning from the approval of the transaction depending on the type of credit protection. The bank shall monitor the value of credit protection more frequently in the event of significant changes in the conditions on a market of relevance to the credit protection, and shall review it each time that the information at the bank’s disposal indicates a significant decline in the value of the credit protection. Article 23 (Real estate collateral) (1) When taking account of real estate collateral in the estimation of credit risk losses, the bank shall provide at least the following documentation: (a) a directly enforceable notarial record of collateral in the form of an entry of a mortgage on the pledger’s real estate, and a final court order allowing the registration of the mortgage, or in the case of a proposal for the entry of the mortgage regarding which there are no ancillary or main entries in the land register that might affect the entry of the mortgage, an independent legal opinion with regard to the efficiency and enforceability of such a proposal, unless the bank owns the real estate; (b) a current land register extract; (c) an insurance policy for the real estate issued or assigned for the benefit of the bank, with the bank establishing procedures for monitoring whether the real estate is adequately insured against damage for the duration of the credit relationship; (d) the documented value of the real estate, which also applies each time that the real estate is revalued. (2) Point (a) of the previous paragraph notwithstanding, in the case of collateral in the form of a maximum mortgage on real estate, instead of a directly enforceable notarial record of collateral via the registration of a mortgage on the mortgagor’s real estate the bank shall provide for a valid lien agreement and a land registry permit for the establishment of a maximum mortgage on the mortgagor’s real estate, and other documents that make evident which claims are secured by the maximum mortgage and to what degree. The other requirements referred to in the previous paragraph of this article shall remain the same even in the case of collateral in the form of a maximum mortgage. (3) The market value of the real estate as estimated by a valuer in accordance with the valuation standards on the basis of a comprehensive inspection of the real estate shall be taken into account

Page 11 of 20 as the value of the real estate collateral. The valuation may not be more than one year old when the real estate is received as collateral. (4) Notwithstanding the previous paragraph, the valuer may ascertain the value of the residential real estate without inspecting it if it uses advanced statistical models. In this case the valuer shall review and approve the value deriving from the model. If the valuer assesses that the value deriving from the model is not adequate considering the properties of the real estate, the latter shall be valued at its market value as defined in the previous paragraph of this article. (5) When estimating credit risk losses, the bank shall only take account of the value of the real estate collateral that remains after offsetting the amounts of all the liabilities whose settlement is secured by the same real estate and that are entered in the land register under the real estate in question with a higher priority (seniority), and after offsetting a proportionate amount of those liabilities that are entered in the land register under the real estate in question with the same priority. (6) While the real estate collateral is valid, the bank shall regularly monitor the value of the real estate as follows:  at least once a year in the case of commercial real estate;  at least once a year in the case of residential real estate used as collateral for non-performing exposures;  at least once every three years in the case of other residential real estate. (7) The sixth paragraph of this article notwithstanding, the bank shall monitor the value of real estate more frequently whenever there is a significant change in market conditions and/or whenever there are signs of a material decline in the value of individual real estate collateral. The bank shall define a quantitative threshold of material decline in the value of credit protection for each type of real estate that it accepts as collateral for the repayment of exposures in its real estate collateral valuation methodology. (8) The bank may use statistical methods to monitor the value of real estate used as collateral, and to identify real estate that needs revaluation. (9) The market value of the real estate may be reassessed either by the valuer or the revaluation may be made using statistical models taking into account other applicable regulations. (10) The previous paragraph notwithstanding, the market value of the real estate shall be undertaken by the valuer in the following cases: (a) whenever the information at the bank’s disposal indicates that the value of the real estate may have declined materially relative to general market prices; (b) at least every three years for real estate used as collateral for an exposure that exceeds EUR 3 million or 5% of the own funds of a bank. (11) The bank shall formulate a policy and a procedure for regularly vetting the independence and qualifications of valuers and the quality of valuations. The quality assurance process shall be carried out by a risk management unit that is independent of the credit approval, credit monitoring and assessment of client creditworthiness. The result of the quality assurance process is an appropriately approved list of valuers, which shall be updated regularly.

Page 12 of 20 Article 24 (Movable property collateral) (1) In estimating credit risk losses the bank shall take account of movable property collateral if, in addition to the general requirements set out in Article 21 of this regulation, at least the following conditions are met: (a) for the movable property used as collateral there are publicly available market prices that come from reliable information sources (e.g. public indices, price lists or catalogues) and reflect the price of the transactions under normal conditions; (b) the bank has priority over other creditors in the realisation of the collateral, by means of an exclusive exemption from the rights of senior creditors set out by legislative regulations; (c) the bank regularly monitors the value of the movable property used as collateral, at least once a year, or more frequently in the event of significant changes on the market; (d) the bank takes full account of the potential deterioration or obsolescence of the movable property used as collateral during valuation and revaluation; (e) the movable property used as collateral is appropriately insured against the risk of damage, and the bank has put in place monitoring procedures with regard to the adequacy of that insurance; (f) the collateral is entered in the register of non-possessory liens and goods in distraint pursuant to the Decree on the register of non-possessory liens and goods in distraint (Official Gazette of the Republic of Slovenia, No. 85/20) or in a similar register pursuant to substantively equivalent regulations of other countries, except when the bank owns the movable property. (2) In its policy and procedures the bank shall determine the thresholds and approaches that the valuer is to comply with in making the valuation of individual movable property collateral while considering the market value of real estate. (3) The bank shall value the real estate used as the collateral for non-performing exposures at its market value, and shall regularly assess their realisation. If significant price volatility exists in the market, the valuation shall be conservative enough. Article 25 (Consideration of credit protection in estimation of credit risk losses) (1) In the estimation of credit risk losses for the purpose of creating value adjustments and provisions, the bank shall take account of credit protection in accordance with the provisions of this section. (2) In the estimation of future cash flows from the realisation of credit protection, the bank shall take account of the value of the credit protection, the relevant haircuts, the period to realisation, the liquidation or selling costs, whether the sale of collateral is consensual or non-consensual, etc. The assumptions applied shall be realistic, and based on empirical data, and shall take account of current and future market conditions. The bank shall appropriately document those assumptions, and shall verify them regularly. (3) A period of no less than four years, or a period of no less than six years in the case of collateral in the form of a maximum mortgage on real estate, shall be taken into account as the credit protection realisation period when estimating expected cash flows from the realisation of real estate collateral, unless the bank can prove that the aforementioned period is shorter on the basis of its own data and appropriate analysis or on the basis of other data sources. (4) The bank shall put in place appropriate records of realised credit protection for individual types of credit protection.

Page 13 of 20 6. CREATION OF VALUE ADJUSTMENTS AND PROVISIONS Article 26 (Creation of value adjustments and provisions in accordance with IFRS) (1) The bank shall put in place a process for the timely creation of value adjustments and provisions for credit risk losses with regard to the credit quality of the debtors or exposures in the credit portfolio. (2) The bank shall formulate a methodology for the calculation of value adjustments and provisions for credit risk losses that complies with the applicable international financial reporting standards (hereinafter: the IFRS), Guidelines on credit institutions’ credit risk management practices and accounting for expected credit losses (EBA/GL/2017/06) and other relevant regulations. (3) The bank shall regularly monitor the coverage of exposures by value adjustments and provisions for credit risk losses with regard to the credit risk of the entire portfolio, and individual segments of the credit portfolio, most notably exposures in default. (4) The bank shall ensure that the process for the creation of value adjustments and provisions for credit risk losses is not the responsibility of the commercial operations unit. 7. EARLY WARNING SYSTEM Article 27 (Early warning system) (1) Within the framework of the credit risk management system the bank shall put in place an early warning system (hereinafter: EWS) designed to provide early warning of increased credit risk and potential defaulters. The EWS shall ensure that:  in the very early phase (as early as possible) potential difficulties on the part of a debtor in repaying debt are identified, and  the deterioration of the credit quality of the exposure and the transition of the exposure to default status are prevented by means of timely corrective measures and the monitoring of the implementation of such measures. (2) The EWS, which the bank shall set out in a special policy, shall include the following:  qualitative and quantitative EWS indicators for identifying potential difficulties on the part of the debtor in repaying debt,  processes for taking measures after the identification of increased credit risk,  the monitoring of debtors with increased credit risk and the implementation of measures,  information support that provides for the production of reports for analytical purposes (sensitivity analysis) and the notification of the management body and the senior management,  the assurance and oversight of the quality of the early warning process, and inclusion on a watch list,  vetting of the adequacy of the indicators at least once a year on the basis of a defined methodology. (3) When there are signs of potential difficulties in the repayment of an exposure, they shall be examined by an independent unit or function within the risk management department, the ongoing monitoring department or the back-office department (the EWS unit), and on the basis of comprehensive analysis of the EWS indicators it shall decide whether it is necessary to move the exposure to the watch list and to take appropriate corrective measures with clearly defined custodians and deadlines for implementation, which shall be upheld.

Page 14 of 20 (4) For standard products or individual portfolios the bank may put in place a methodology and system for automatic classification to the watch list, and for the imposition of corrective measures on the basis of defined indicators. (5) The bank shall conduct enhanced monitoring of exposures on the watch list. Corrective measures shall be implemented at the level of the group of connected clients. (6) The EWS indicators for the inclusion in the watch list shall be applied at the level of the exposure or debtor, and at the portfolio level. (7) The bank shall define the period within which a decision with regard to the further treatment of a debtor or exposure on the watch list is to be taken. When an exposure on the watch list does not default, the bank shall set out a maximum period within which an individual exposure may be on the watch list. After the end of this period the exposure shall be withdrawn from the watch list; if the quality of the exposure further deteriorates, the exposure shall be transferred to the NPE workout unit. Successful fulfilment of corrective measures may also be considered as the end of the period on the watch list. In designing appropriate timeframes for the completion of corrective measures, the bank shall apply the materiality principle. 8. MANAGEMENT OF NON-PERFORMING AND FORBORNE EXPOSURES 8.1.Non-performing exposures Article 28 (Non-performing exposures strategy management ) (1) The banks with a gross NPL ratio equal to or grater than the threshold defined in paragraph 11 of the Guidelines on management of non-performing and forborne exposures (EBA/GL/2018/06) shall establish a non-performing exposures strategy in line with the aforementioned guidelines. The strategy shall lay out at least time-based quantitative targets (increased repayments, reduced losses, decreased level of non-performing exposures, etc.), supported by an appropriate comprehensive operational plan to meet these targets. The non-performing exposures strategy and the operational plan shall be approved and reviewed by the management body at least once a year. (2) The strategy shall also serve as the basis for designing the internal organisational structure, allocating internal resources (human capital, information systems and financing) and designing appropriate controls (policies and procedures) for monitoring interim performance and adopting corrective measures to ensure that the overall targets of reducing non-performing exposures are met. Article 29 (Management of non-performing exposures) (1) The bank shall define clear criteria and procedures based on which non-performing exposures, when they are identified as such, are transferred from the commercial (originating) unit to a special unit responsible for the management of non-performing exposures. The bank shall have in place a clearly defined process for managing non-performing exposures which, considering the size and type of non-performing exposures portfolio, is distinguished with regard to the risk profile, size and complexity of exposure, and the type of credit protection. (2) The non-performing exposures management unit shall have the requisite expertise and sufficient legal support, and shall be independent of the commercial unit, not merely from the perspective of

Page 15 of 20 operational management of the relations with the client (e.g. negotiations on the forbearance plan, judicial enforcement), but also from the perspective of the decision-making process and support services (e.g. administration of the credit, documentation). (3) When the client transferred to the non-performing exposures management unit is part of a group of connected clients, it shall be necessary to transfer the entire group of connected clients to the unit. (4) In the case of a banking group, it shall be necessary to adopt a unified approach to the management of non-performing exposures. (5) The non-performing exposures management unit shall report directly to the risk management function. (6) The bank shall have clearly defined criteria for restoring non-performing exposures to ordinary consideration at the commercial unit. Article 30 (Monitoring non-performing exposures) (1) The monitoring of non-performing exposures shall be based on the targets defined in the non￾performing exposures strategy and in the relevant operational plans, which are then transmitted down into operational targets of the non-performing exposures management unit. (2) The bank shall define key performance indicators based on which the management body and the senior management are able to monitor the performance of the non-performing exposures management unit. (3) The bank shall put in place clear procedures to connect the results of monitoring of indicators of non-performing exposures in appropriate and timely fashion to the evaluation of credit risk and the creation of value adjustments and provisions for credit risk losses. Article 31 (Recovery of non-performing exposures) (1) Insofar as the bank assesses that the forbearance of a non-performing exposure to a debtor is not reasonable, it shall formulate an approximate timetable for the recovery of the exposure, either directly from the debtor, or if the exposure is secured, from the realisation of the credit protection. To this end the bank shall define precise criteria based on which a decision is made to recover the exposure or shall set approximate deadlines for its final recovery (directly from the debtor or from the realisation of credit protection), and shall establish a record of monitoring of the deadlines of the actual recovery of non-performing exposures. (2) The bank shall put in place a computer-supported record based on which the amount of non￾performing exposures actually repaid directly from the debtor or from the realisation of credit protection, the timeframe of such repayments and the amount of write-offs of these exposures are monitored. (3) When the debtor is undergoing bankruptcy proceedings, the bank shall ensure that the relevant departments and/or external contractors are included in the credit protection realisation process. (4) The bank shall conclude the recovery procedure for non-performing exposures in the following cases: (a) on the basis of a final court order on the completion of bankruptcy proceedings;

Page 16 of 20 (b) on the basis of a final decision on the confirmation of compulsory composition for that part of exposure regarding which the bank’s right to enforce payment in a judicial or other procedure conducted by the competent state authority is terminated; or (c) on the basis of a resolution of the management body, should continuing legal proceedings be economically unjustifiable, particularly if the costs of judicial proceedings would exceed the repayment of the exposure, or all actions to achieve the repayment of the exposure that would be taken with the diligence of a good manager have been taken. Article 32 (Writing-off non-performing exposures) (1) Should the bank assess in recovery procedures that an on-balance-sheet exposure (or a part thereof) will not be repaid and that the conditions for derecognising the exposure from the statement of financial position have been met in accordance with the IFRS, it shall derecognise the exposure from the statement of financial position and administer it in the off-balance-sheet records until the acquisition of a legal basis for concluding the recovery procedure in the amount owed. Derecognising the exposure from the statement of financial position requires a resolution of the management body or of the persons authorised by the management body to this end. (2) The bank shall put in place an internal policy with regard to the prompt write-off of exposures that does not yet constitute the irrevocable contractual forgiveness of the debt, in which it shall define a maximum period from the occurrence of default after which the bank derecognises an on-balance￾sheet exposure from statement of financial position or provides for the complete coverage of the exposure by value adjustments or provisions for credit risk losses. 8.2.Forborne exposures Article 33 (Forborne exposures) (1) The bank shall forbear exposures to a debtor by undertaking one or more activities that it would not decide to undertake were the debtor in a normal economic and financial position. Forbearance measures consist of concessions to (forgiveness for) a debtor that is experiencing or is likely to experience difficulties in meeting its financial commitments (financial difficulties). Forbearance arises as a result of the debtor’s inability to repay a debt under the initial contract terms, either by modifying the terms of the initial contract or by concluding a new contract under which the bank and the debtor agree the partial or total repayment of the original debt. Contracts with an embedded forbearance clause are also subject to this framework. (2) In the forbearance of exposures, financial difficulties and the ability to repay a debt shall be assessed by the bank at the level of the debtor. All legal entities in the debtor’s group that are included in the accounting consolidation of the group, and natural persons controlling the group shall be considered a debtor. The debtor’s ability to repay the debt is assessed by the bank, in addition to the possibility of the foreclosure of other assets or repayment via the liquidation of collateral, primarily from the perspective of the impact of the forbearance on the sufficiency of cash flows from the debtor’s operations or from the perspective of the possibility of controlling those related undertakings that are capable of generating cash flows from operations.

Page 17 of 20 Article 34 (Analysis of alternative forbearance solutions) (1) The bank shall draw up an appropriate forbearance plan for exposures, and shall monitor its implementation and effects. (2) In the forbearance process the bank shall apply a solution which, using the net present value approach, it estimates to be the most appropriate one, and is to contribute to the lasting resolution of the debtor’s financial difficulties. To this end the bank shall compare the net present value of expected cash flows taking account of the forbearance agreement, and the net present value of expected cash flows before forbearance was undertaken. In the analysis of alternative forbearance solutions, the bank shall take account of options such as the realisation of credit protection, the sale of the financial asset (exposure), the termination of the contract, and other possible activities. The bank shall appropriately document all decisions taken on the forbearance of exposures in the credit documentation. (3) In its internal policy the bank shall determine a threshold of exposure value for which it assesses that forbearance from the perspective of the estimated costs and benefits is justified. 8.3.Corporate restructuring Article 35 (Participation in corporate restructuring) (1) In corporate restructuring, a bank that has decided in conjunction with other banks and a corporate entity to seek an agreed solution for the corporate entity shall take action without any unnecessary delay to facilitate the corporate entity’s continuation as a going concern if it assesses that such a restructuring is feasible and reasonable. In so doing it shall uphold good business practice and good banking practice as is, among others, summarised in the Slovenian principles of financial restructuring of debt in the corporate sector. (2) If several banks are involved in corporate restructuring, the role of the coordinator who leads negotiations between the banks and the corporate entity shall be assumed by the bank with the largest exposure to the corporate entity, unless mutually agreed otherwise by the banks. Article 36 (Formulation and monitoring of the implementation of the restructuring plan for corporate exposure) (1) The bank shall obtain at least the following information about the corporate entity for the purpose of drawing up the corporate exposure forbearance plan: (a) a detailed itemisation of the reasons for the corporate entity’s difficulties that led to the need for exposure restructuring; (b) the plan for the operational restructuring, ownership restructuring or financial restructuring of the corporate entity; (c) a projection of the corporate entity’s cash flows for a period of at least three years or for the period defined in the restructuring plan (quarterly projections for the current year, and annual projections for other years), including the assumptions on which the forecasts of future cash flows are based. (2) The bank shall draw up the following on the basis of the information referred to in the first paragraph of this article:

Page 18 of 20 (a) an assessment of the feasibility of the plan for the operational restructuring, ownership restructuring or financial restructuring of the corporate entity; (b) analysis of the possible methods of restructuring of the corporate exposure, and the arguments for the restructuring method chosen; (c) a new amortisation schedule for the repayment of the loan, which is the basis for monitoring the implementation of the exposure restructuring plan. In deciding on the corporate restructuring method the bank shall primarily take account of the cash flows that the corporate entity will generate during the restructuring period and the likelihood that the forecasted cash flows will actually be realised (sensitivity analysis) as a result of the operational restructuring, ownership restructuring or financial restructuring. The bank shall treat the existing credit protection in accordance with Section 5 of this regulation. (3) If the bank concludes a restructuring agreement with the corporate entity on the basis of the documentation referred to in paragraph two of this article, within the framework of monitoring the implementation of the exposure restructuring plan it shall monitor the implementation of the overall corporate restructuring plan and the resulting effects in the implementation of this plan. To this end the bank shall obtain from the corporate entity, on at least a quarterly basis, up-to-date information on the corporate entity’s financial position, of the fulfilment of its commitments under the restructuring plan, and other facts that could affect its ability to repay the loan. Given the scale of its exposure to the corporate entity, the bank may also require more detailed information of realised cash flows in the previous period and cash flow projections for the upcoming period. (4) Unless stipulated otherwise by an agreement between the banks, in the case referred to in the second paragraph of Article 35 the coordinator shall be responsible for gathering the information referred to in the first and second paragraphs of this article and for preparing the documentation referred to in the second paragraph of this article, and shall forward this information to the other banks that concluded the restructuring agreement. (5) The information and documentation referred to in the first to third paragraphs of this article shall form an integral part of the bank’s credit file on the corporate entity in question. 9. MANAGEMENT OF DATA AND CREDIT DOCUMENTATION Article 37 (Data management) (1) The bank shall put in place an appropriate information infrastructure for the collection and storage of data deriving from the processes of the identification, measurement or assessment, control and monitoring of credit risk. The bank shall regularly review the appropriateness of the information infrastructure. (2) The bank shall collect and store data used to measure or assess credit risks, especially data on past credit losses. (3) The bank shall design procedures and processes that ensure data quality from the perspective of its accuracy, integrity, reliability and timeliness in all credit risk management processes. The accuracy of the data means the reliability of the data with regard to ensuring a high level of confidence as to the correctness of the data. The integrity of the data means the inclusion of all significant data required in individual credit risk management processes, where the bank minimises the occurrence of data shortfalls. The reliability of data means the data is detailed and impartial. (4) Data quality shall be reviewed at least once a year by the internal audit function.

Page 19 of 20 (5) For the purpose of reducing the impact of human error, the bank shall provide for the automation of all material processes. Information systems shall be reliable, appropriately documented and regularly reviewed. Article 38 (Administration and content of credit files) (1) The bank shall ensure that information and documentation about debtors are kept by administering credit files. The credit file shall contain the basic information about the debtor, information about the financial position thereof, and the details of the credit relationship. (2) Business entities’ credit files shall include at least the following: (a) basic information about the debtor (business name, registered office, number of employees, ownership structure, senior management, direct and indirect capital links); (b) details of the debtor’s principal creditors and debtors; (c) financial statements for the last three years; (d) information from the central credit register about the debtor and connected clients, including their indebtedness, which is obtained by the bank before credit approval; (e) analysis and an assessment of the credit risk of the debtor and related parties (for at least those entities in the debtor’s group which are included in the accounting consolidation of the group) or of the exposure; (f) in the event of the default of the debtor/exposure, analysis and an estimate of the cash flows for the settlement of the liabilities; (g) a list of the on-balance-sheet and off-balance-sheet exposures to the debtor and connected clients (by individual type of instrument and transaction); (h) the application for approval of the transaction and the proposal by technical personnel; (i) the resolution by the body responsible for approving the transaction; (j) the contract concluded for the transaction, and documentation that makes evident the grounds for any non-inclusion of standard contractual commitments; (k) analytical book-keeping records; (l) evidence of the credit protection and documentation of the realisation of the credit protection; (m) the information and documentation referred to in the second paragraph of Article 34 and the first to third paragraphs of article 36 of this regulation; (n) other significant documentation. (3) The provisions of paragraph two of this article shall also apply mutatis mutandis to the administration of natural persons’ credit files. (4) The bank shall draw up guidelines for administering the credit files that cover updating the credit file, obtaining financial information and conducting correspondence in connection with repayment, and shall designate the persons responsible for ensuring that the credit files are correct and complete. 10. REPORTING ON CREDIT RISK Article 39 (Credit risk report) (1) The bank shall put in place processes that enable to prepare structured credit risk report, including assessments of future trends for the relevant managerial levels at the bank. The bank shall take

Page 20 of 20 account of the results of this analysis in formulating its credit risk-taking and credit risk management strategies and policies, and shall determine their adequacy. (2) The bank shall put in place processes that enable to prepare credit risk reports for the purposes of supervisory reporting, which includes ensuring the quality of the data in the reports and an appropriate process for approving the reports before submission to the supervisor. 11. FINAL AND TRANSITIONAL PROVISIONS Article 40 (Entry into force) This regulation shall enter into force on the day after its publication in the Official Gazette of the Republic of Slovenia. Article 41 (Cessation of validity of the regulation) On the day that this regulation enters into force, the Regulation on the credit risk management at banks and savings banks (Official Gazette of the Republic of Slovenia, Nos. 68/17, 78/19 and 92/21 – ZBan￾3) shall cease to be in force. Ljubljana, 13 July 2021 Boštjan Vasle President Governing Board of the Bank of Slovenia