2022-01-01

Bank of Uganda Consolidated Corporate Governance Guidelines

The Bank of Uganda issued these consolidated guidelines to establish uniform corporate governance standards for all supervised financial institutions in the country. The document mandates specific board structures, including a minimum of five directors with at least four independent non-executive members, an independent resident chairperson, and a strict separation between the board chair and chief executive. It enforces proportional compliance through an applicability grid, requires robust risk management and control functions with limited dual role consolidation, and mandates transparent disclosure, succession planning, and regular board evaluations to ensure institutional safety and soundness.

Uganda

Bank of Uganda

BANK OF UGANDA CONSOLIDATED CORPORATE GOVERNANCE GUIDELINES OCTOBER 2022

Contents

I. GLOSSARY, DEFINITIONS AND ABBREVIATIONS
II. OBJECTIVES
III. RATIONALE
IV. APPLICATION AND PROPORTIONALITY
V. TRANSPARENCY AND INTEGRITY
REGULATORY REQUIREMENTS & GUIDANCE
A. Board Charter
B. Board Composition
C. Board Chairperson
D. Responsibility of the Board Chairperson
E. Executive Director(s)
F. Company Secretary
G. Selection of Directors
H. Succession Plan for Directors
I. Responsibilities of the Board
J. Duties of the Directors
K. Directors' Code of Conduct
L. Board Meetings
M. Evaluation of the Board of Directors
N. Selection, performance evaluation and succession planning of the CEO and senior managers
O. Managing Conflict of Interest
P. Disclosure and Transparency
Q. Risk management
R. Risk Appetite Statement
S. Board Committees
T. Governance of Information Technology (IT)
U. Control Functions
V. Anti-Money Laundering Compliance Officer
W. Governance of Group Structures
X. Parent/Holding Company Boards
Y. Subsidiary Boards
Z. Complex and/or Opaque Structures

I. GLOSSARY, DEFINITIONS AND ABBREVIATIONS

Acts: The Financial Institutions Act, 2004 and the Micro Finance Deposit-Taking Institutions Act, 2003.
Board or Board of Directors: The board of directors of a financial institution, appointed to act on behalf of the shareholders in the overall interest of the financial institution.
Chief Executive Officer (CEO) / Managing Director (MD): The terms Chief Executive Officer (CEO) and Managing Director (MD) are used interchangeably. Functionally, these are high-level decision-making positions charged with the overall management of an SFI.
Corporate Governance: The process and structure used to direct and manage the business and affairs of a financial institution with the objective of ensuring and enhancing safety and soundness as well as shareholder value. Corporate Governance covers the overall environment in which the financial institution operates, comprising a system of checks and balances which promotes a healthy balancing of risks and returns.
Director: A natural person occupying the position of a director, by whatever name called, of a financial institution.
Domestic Systemically Important Bank (DSIB): An SFI designated as a significant financial institution according to the pre-defined criteria put in place by the BOU.
Independent Director: A director who has no relationship with or interest in the financial institution or any of its subsidiaries or affiliates or their related interests.
Executive Director: A director who is an officer or employee of the financial institution.
Non-Executive Director: A director not involved in the day-to-day management of the financial institution.
Supervised Financial Institution (SFI): Any institution licensed and supervised by the Bank of Uganda.
Control functions: Functions that are directly related to the internal control processes of the SFI; they include Compliance, Risk Management and Internal Audit. These functions are independent of the operational functions in the SFI.

II. OBJECTIVES

The objectives of these Guidelines are to:

1- Outline the corporate governance principles and compliance steps with which all SFIs must comply;
2- Provide consolidated guidance to supplement the regulations and guidance notes issued by Bank of Uganda predating this guidance;
3- Issue additional guidance to the industry in line with international standards, including those related to holding company and subsidiary structures;
4- Ensure a degree of uniformity in the application of corporate governance practices.

III. RATIONALE

5- Financial institutions play the important role of providing finance to commercial enterprises, basic financial services to a broad segment of the population and access to the payment systems. Accordingly, the importance of robust corporate governance practices in these institutions cannot be overemphasized.
6- Given the special position of trust held by financial institutions in the Ugandan economy and their access to government safety nets, it is all the more important that financial institutions have strong corporate governance systems in place.
7- Increasing globalization of financial markets, the emergence of conglomerate structures, technological advances and innovations in financial products require new approaches to corporate governance practices.
8- Weak corporate governance is one of the major causes of corporate failures in Uganda; therefore, robust governance practices are paramount for the safety and soundness of the institutions and the industry as a whole.

IV. APPLICATION AND PROPORTIONALITY

9- This guidance is applicable to all SFIs in Uganda.
10- Varying levels of compliance, proportional to the level and complexity of the operations conducted in each SFI, are expected. The applicability of the rules is outlined in the Applicability Grid included in this guidance.
11- SFIs providing Islamic Banking services shall have separate Sharia Boards with their own specific Corporate Governance Principles to govern Islamic Banking operations.
12- The control functions, as described under the definitions section of this guidance, may be headed by the same individual in the SFI only under exceptional circumstances, and only upon prior approval by BOU. The BOU may permit SFIs with limited operations to consolidate control functions under a single designee (i.e. "dual hatting" or "double hatting") where the scope and depth of operations of the SFI allow such consolidation.
13- Where such dual hatting is unavoidable (e.g. in smaller SFIs where resource constraints exist), the roles combined should be compatible; for instance, the Chief Risk Officer may also have lead responsibility for a particular risk area. Such arrangements should not overlap between control and operational functions and should not weaken checks and balances within the SFI.
14- BOU shall not allow dual hatting in Tier 1 institutions.
15- SFIs should consult the applicability grid for the applicability of waivers. In all instances where dual hatting of responsibilities is considered, the SFI must seek prior approval from BOU.

A. APPLICABILITY GRID

Types of SFIs (grid columns):
the business of a commercial bank (Class 1)
the business of a post-office savings bank (Class 2)
the business of a merchant bank (Class 3) and MDIs
the business of a mortgage bank (Class 4)
the business of a credit institution (Class 5)
the business of an acceptance house (Class 6)
the business of a discount house (Class 7)
the business of a finance house (Class 8)
SACCOs

Chapters (grid rows):
Board Charter
Board Composition
The four eyes principle and Executive Director
Chairperson
Board Meetings
Developing overall strategy and corporate values
Implementing and monitoring the business strategy and corporate values
Selection and performance evaluation of CEO and senior management
Selection and continuous assessment of Directors
Duties of the Directors
Directors' Code of Conduct
Management composition, qualifications, and responsibilities
Managing Conflict of Interest
Disclosure and transparency
Senior management oversight
Risk management
Risk Appetite Statement
Compensation
Internal Audit Function
External Audit
Audit Committee
Compliance Function
The Asset Liability Management Committee
The Risk Management Committee
Company Secretary
The Compensation Committee
Parent company Boards
Subsidiary Boards
Complex and/or Opaque Structures

Legend (each cell of the grid, for a given chapter and SFI type, carries one of the following markings):
Waiver not applicable
Waiver applicable, subject to prior BOU approval
Not Applicable

V. TRANSPARENCY AND INTEGRITY

16- The Board shall reinforce sound corporate governance principles, which shall cover the following:
a. Board structure, including size, membership, qualification, and relevant committees;
b. Senior management structure, including responsibilities, reporting lines, qualifications, and experience of relevant individuals;
c. Basic organizational structure, including lines of business and legal entity structures;
d. Information about the incentive structure of the financial institution, including remuneration policies, executive compensation, bonuses, and stock options;
e. Nature and extent of transactions with affiliates and related parties;
f. Mandate of the Board, its duties and objectives, and its composition, while specifically providing guidance on "inside" and "independent" Directors;
g. The Board's expectations of management and its performance in meeting them; and
h. Feedback received from stakeholders of the financial institution, which shall be properly documented, with procedures established to deal with any concerns raised.

REGULATORY REQUIREMENTS & GUIDANCE

A. Board Charter

17- The Board's operational structure, including its membership, high-level responsibilities and other procedural matters, should be guided by a comprehensive Board Charter approved by the Board. In addition, each committee of the Board shall have a comprehensive Charter/Terms of Reference which sets out the committee's purpose, composition, required quorum, frequency of meetings and scope of deliberations. The Board Charter should, at a minimum, provide guidance on:
a. General duties and responsibilities of the Board and its sub-committees;
b. Board composition, including the minimum number of Independent Non-Executive Directors;
c. The role of the Board Chairperson and the roles of the Managing Director and Executive Directors;
d. The Directors' nomination process;
e. The tenure and retirement age of Directors;
f. Remuneration of Non-Executive Directors;
g. Succession planning for Board members;
h. Areas that may constitute conflict of interest within the context of Board operation and its activities;
i. Matters reserved for the Board;
j. The role of the Company Secretary;
k. General operations of the Board, e.g. Board evaluations, remuneration, etc.

B. Board Composition

18- An SFI shall have no fewer than five Directors who are fit and proper persons, duly vetted[1] by the BOU, and who satisfy the qualifications of Directors stipulated under the Companies Act and section 53(1) of the Financial Institutions Act, 2004.
19- Prospective Board members shall not be permitted to attend Board meetings until Bank of Uganda approval of their appointment has been obtained.
20- The Executive Director(s) shall be answerable to the Board through the Managing Director and shall report to the Managing Director in the execution of their day-to-day responsibilities.
21- The Board should have at least four (4) Independent Non-Executive Directors (INEDs) to facilitate the constitution of committees which require membership of INEDs.
22- Every Board shall have at least two Executive Directors, resident in Uganda. These Directors must be knowledgeable in the financial institution's long-term strategy, have the ability to influence the institution's policy, and shall be able to appropriately direct the business of the institution ("four eyes principle").
23- At least five of the Directors shall possess demonstrated expertise and experience relevant to the functions of the financial institution and the principal issues that face the institution, such as financial controls, capital management, banking risks and corporate planning.
24- In order to enhance the independence and objectivity of the Board, no more than 50% of the Directors shall be employees of the institution or any of its subsidiaries or affiliates, except in the case of subsidiaries of foreign-owned banks where the Central Bank is satisfied that the employees are deemed fit and proper persons by the home country regulator of the financial institution.
25- The Board of the SFI shall establish the necessary procedures to ensure that each Director discharges his/her duties in the best interest of the SFI.
26- All SFIs must immediately notify BOU of any change in the composition of substantial shareholders, Directors and Heads of Departments or functions.
27- All SFIs must seek BOU approval before confirming the appointments of Directors and Senior Managers.

C. Board Chairperson

28- The Chairperson of the Board must be an Independent Director, resident in Uganda.
29- The Chairperson shall possess the experience and competence to fulfil the responsibilities that come with this leadership role.

[1] In addition to the MD/CEO, BOU vets all substantial shareholders, Directors, and senior managers under the "fit and proper test". Accordingly, all SFIs must seek approvals for these high-level functions. Relevant documentation must accompany the applications for approval, including the curriculum vitae, references, and Personal Declaration Forms.

30- The Chairperson shall promote high standards of integrity and governance across the SFI and shall ensure effective communication between the Board, Management, shareholders and wider stakeholders.
31- The CEO/MD of the financial institution shall not serve as the Chairperson of the Board.
32- The Chairperson shall not serve as a Chair or member of any sub-committee of the Board.
33- Where an SFI has a Deputy/Vice Chairperson, that person must also strictly fulfil the independence criteria applicable to the Board Chairperson, and his/her role and mandate must be explicitly provided for in the Board Charter.

D. Responsibility of the Board Chairperson

34- The responsibilities of the Board Chairperson include the following:
a. Provide overall leadership and direction to the Board and the SFI;
b. Chair meetings of the Board of Directors;
c. Ensure that Board meetings are properly conducted;
d. Ensure that the Board functions in a cohesive manner;
e. Take a lead role in the assessment, improvement and development of the Board;
f. Ensure effective communication between the Board, Management, shareholders and wider stakeholders;
g. Represent the SFI, together with the Managing Director, to customers, the public, the media, and staff.

E. Executive Director(s)

35- In addition to the MD/CEO, SFIs shall have at least one additional Executive Director who understands the strategy, products and risks of the SFI.
36- The key responsibilities of the Executive Director in executing his/her executive powers under the "Four-Eyes" responsibility include the following:
a. Provide effective checks and balances against improper or imprudent day-to-day management actions;
b. Be involved in the approval of all major management decisions and transactions committing the SFI;
c. Provide leadership and direct strategy and policy, together with the MD/CEO.

Reporting line of the Executive Director

37- The ultimate responsibility for the overall day-to-day management of the SFI is entrusted to the MD/CEO, as delegated by the Board.
38- The Executive Director therefore shall report to the MD/CEO of the financial institution in the execution of his/her day-to-day responsibilities.
39- Where the Executive Director's opinion differs from that of the MD/CEO, and the latter takes the final decision on the course of action (i.e. whether to execute or withhold a transaction), the Executive Director should, as a matter of urgency, report to the Board of Directors for intervention.

F. Company Secretary

40- The SFI shall have a suitably qualified and experienced Company Secretary to facilitate the effective management of Board affairs.
41- The Company Secretary shall be a senior manager of the SFI and shall be vetted by Bank of Uganda. In exceptional circumstances, the role of Company Secretary may be outsourced, but only upon prior BOU approval.
42- The Company Secretary shall report to the Board, through the MD/CEO.
43- The duties of the Company Secretary shall be clearly documented in the Board Charter and shall include the following:
a. Draw up the annual calendar of Board meetings;
b. Ensure that the meeting agenda and Board packs are circulated at least seven days ahead of the scheduled meetings;
c. Organise and send out notifications of Board meetings and meetings of shareholders;
d. Record and produce minutes of the Board, Board Committees, Annual General Meetings and Extraordinary Meetings;
e. Advise Directors and shareholders on the legal and governance implications of proposed resolutions;
f. Ensure that resolutions are filed and registered with the relevant registries and communicated to the relevant persons;
g. Ensure that the Board Charter and committee Terms of Reference are reviewed periodically for alignment with changes in the operating environment;
h. Monitor changes in the shareholding of the SFI and maintain the shareholders' register.

G. Selection of Directors

44- The SFI shall establish a Nominations Committee or a similar body to identify and nominate candidates to the Board in line with specified criteria.
45- The Board of Directors shall ensure that Directors are qualified for their positions, have a clear understanding of their role in corporate governance and are not subject to undue influence from management or outside concerns.
46- There should be a clear and rigorous process in place to identify, assess and select candidates for Director roles, with nominations made internally by the Board. At a minimum, the selection process should consider the following:
a. Knowledge, skills, and experience;
b. Integrity and reputation;
c. Ability to fully carry out Directorship duties;
d. Possible conflicts of interest involving management and shareholders, past or present positions held, and personal, professional or economic relationships that may impede a Director's ability to perform their duties objectively and independently; and
e. Ability to have frank and open discussion among the Board members.
47- The appointment of Non-Executive Directors shall be formalized through letters of appointment which should, at a minimum, stipulate the tenure of service, remuneration, duties, and responsibilities of the Director.
48- No Director shall simultaneously serve as a Board member of any other SFI or in any executive capacity with any other SFI in Uganda.
49- SFIs shall establish an orientation program for new Directors as well as refresher programs for existing Directors, which shall include a discussion of the responsibilities and legal obligations of a Director and of the Board as a whole, the nature of the business of the institution, conditions in the industry, corporate strategy and expectations of Directors.

H. Succession Plan for Directors

50- In the interest of Board continuity, SFIs shall have a succession policy to prepare for vacancies on the Board.
51- To that end, the Board Charter must include a policy statement outlining the process the Board must follow to plan for the replacement of Directors.
52- The statement should clearly state the authority responsible for Directors' succession planning, and the SFI should have in place a succession roadmap, keeping in mind the Directors' skills matrix, tenure of service, and strengths and/or weaknesses identified in Personal Development Plans.
53- The Board shall develop a staggered retirement plan to facilitate the orderly succession of Board members.

I. Responsibilities of the Board

The Board has four key responsibilities, namely: providing strategic direction, policy formulation, decision making and providing oversight of executive management. Accordingly, the Board shall, inter alia, be responsible for the following:

54- Define the SFI's strategic goals and approve the SFI's long- and short-term business strategies, including the annual operating plan and capital expenditure budget;
55- Review the performance of the SFI against the approved strategy and hold senior management accountable for the SFI's performance;
56- Approve the overall risk appetite of the SFI and ensure that Management strikes an appropriate balance between promoting long-term growth and delivering short-term objectives;
57- Approve policies which spell out all elements of risk management as well as internal control processes;
58- Set limits of authority specifying the threshold for large transactions which the Board must approve; this includes approving delegated authorities for expenditure, lending and other risk exposures;
59- Appoint and monitor management and put in place appropriate structures and procedures to achieve the corporate strategy;
60- Ensure a clear demarcation of the responsibilities of the Board and management in the interest of an effective accountability regime;
61- Steer the capital adequacy assessment process, the capital and liquidity plans, and the SFI's compliance with regulatory requirements and internal controls;
62- Ensure that a robust finance function responsible for accounting and financial data is in place;
63- Promote high standards of "risk culture" and reinforce responsible corporate behavior across the business lines;
64- Limit risk taking within the boundaries set and in line with the approved risk appetite;
65- Promote appropriate legal and ethical behavior;
66- Ensure that staff are aware of the ramifications and disciplinary actions that may ensue from any conduct that does not comply with the corporate goals set forth by the Board or management;
67- Ensure that the control functions, i.e. the Risk, Compliance and Audit Departments of the SFI, are adequately staffed and are able to perform their functions independently, effectively and efficiently;
68- Seek expert opinion in fields where the Board may lack the necessary expertise.

J. Duties of the Directors

In accordance with section 56(1) of the FIA, 2004, a Director shall stand in a fiduciary relationship and shall owe the SFI and its shareholders the following duties:

69- a duty to act honestly and in good faith;
70- a duty to act in the best interest and for the benefit of the financial institution;
71- a duty to act independently, free from the undue influence of any other person;
72- a duty to access the necessary information to enable him or her to discharge his or her responsibilities;
73- a duty to understand their oversight role and to provide a "checks and balances" function vis-à-vis the day-to-day management of the financial institution;
74- a duty to be aware of self-dealing prohibitions and of unduly favorable treatment of related parties, and always to act in the best interest of the SFI;
75- a duty to dedicate sufficient time to meet their responsibilities.
76- The Board of Directors as an organ, and each Director individually, shall immediately report in writing to the Central Bank if they have reason to believe that:
(a) the financial institution may not be able to properly conduct its business as a going concern;
(b) the financial institution appears to be, or is likely in the near future to be, unable to meet all or any of its obligations;
(c) the financial institution has suspended or is about to suspend any payment of any kind, through no fault of the counterparty;
(d) the financial institution does not or may not be able to meet its regulatory capital requirements.

K. Directors' Code of Conduct

77- The Board shall develop a Code of Conduct for its members to focus the Board and each Director on areas of ethical risk, help foster a culture of honesty and accountability, and provide guidance to Directors in complying with applicable laws, rules and regulations.
78- All Directors are required to sign the Code of Conduct as proof of having read and familiarized themselves with the contents of the document.
79- The Directors' Code of Conduct applies to all members of the Board, without regard to whether they are also employees of the SFI, its subsidiaries, or the wider group of related companies.
80- The Directors' Code of Conduct shall broadly cover the following key areas:
(a) Compliance with Laws, Rules and Regulations: All Directors are required to comply with the applicable laws, rules and regulations as required by the BOU and other regulatory authorities.
(b) Fair and Honest Dealing: Directors shall deal fairly and honestly with shareholders, employees and all stakeholders of the SFI. Directors shall behave in an ethical manner and shall not take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts, or any other unfair dealing.
(c) Conflicts of Interest: Directors must adhere to the highest standards of honesty and ethical conduct. These include, but are not limited to, sensitivity to the existence of a conflict of interest or the appearance of a conflict of interest. Conflicts of interest can arise in many ways, and Directors must always be sensitive to those situations in which they are most likely to be present and to how to handle them when they arise.
(d) Material Non-Public Information and Insider Information: In the conduct of business, Directors may come into possession of material non-public information or inside information. This information could concern a client, a portfolio, the market or the SFI itself. Non-public information must be kept confidential, and Directors are prohibited from using such information in ways that violate the law, including for personal gain.
(e) Confidential Information: All information (including any in electronic format) that is created or used in support of the business activities of the SFI is a valuable asset which must be protected from unauthorized disclosure. Directors must maintain the confidentiality of information entrusted to them by the SFI, except where disclosure is properly authorized by the SFI or is legally mandated.
(f) Anti-Discrimination: Directors shall refrain from discrimination or harassment in all its forms, whether overt or subtle, which undermines the integrity of the SFI and creates a hostile environment.
(g) Gifts and Relationships with Customers: Directors should refrain from accepting gifts other than those of nominal value, lavish entertainment, or other valuable benefits or special favors from customers, and must observe any limits imposed by the SFI with respect to the acceptance of gifts or gratuities.

L. Board Meetings

81- The Board shall receive, at least seven days ahead of Board meetings, sufficient information to judge the performance of management and to assess both the quantitative and qualitative performance of the institution, the observance of prudential norms, customer satisfaction, service quality, market share and market perception.
82- The reports should, at a minimum, provide the Board with the following information:
a. changes in business strategy and risk profile/risk appetite;
b. the SFI's performance and financial condition;
c. breaches of risk limits or compliance rules;
d. internal control failures;
e. any legal or regulatory concerns; and
f. issues raised as a result of the SFI's whistleblowing procedures.
83- Board and Board Committee meetings should be held at least once in every quarter of the calendar year.
84- The Board/Company Secretary shall ensure that clear and complete minutes of Board meetings are circulated to members.

M. Evaluation of the Board of Directors

85- The Board must perform evaluations of the full Board, the Board committees, and the individual Directors, including the Board Chair, at least once a year.
a. The evaluation process should be comprehensive, covering all aspects of the Board's structure, composition, responsibilities and processes, as well as individual Directors' competencies and respective performance on the Board.
b. The Board should perform a review of the effectiveness of its own governance practices, either as part of the evaluation process mentioned under the preceding paragraphs or as a separate review.
c. An action plan arising from these evaluations should be discussed and agreed by the Board.
d. The Board evaluation process assists in identifying Directors' training needs and should be a prerequisite for the reappointment of Directors.
e. Once an INED has served on the Board for nine (9) years, an assessment of the continued independence of the INED must be carried out annually.
86- The SFI must have a continuous professional development program in place for all Directors to enable them to keep abreast of emerging issues pertinent to the business conducted by the SFI.

N. Selection, performance evaluation and succession planning of the CEO and senior managers

87- To ensure that there is an appropriate level of oversight by management, the Board must ensure that the SFI has in place a senior management team that consists of a core group of officers responsible for the financial institution. The senior management team should have the requisite skills to manage the business under their supervision and supervise the key individuals in these areas.

88- It is the responsibility of the Board to select the MD/CEO and members[2] of senior management.

89- The Board shall interview at least three (3) candidates for all Senior Management positions.

90- Appointment letters for senior managers must include a requirement to undergo BOU vetting and shall explicitly state that the confirmation of senior managers is subject to prior BOU approval.

91- The Board should ensure that a succession plan is in place for all senior management positions. The Board should review the succession plan at least annually, to ensure it is dynamic and reflects ongoing changes arising from new hires, exits and the restructuring of functions.

92- The CEO bears the ultimate delegated responsibility for managing the affairs of the SFI and shall report directly to the Board of Directors. Accordingly, the performance evaluation of the CEO and his/her appraisal instrument must be completed by all the Non-Executive Directors, including the Board Chairperson.

93- The Board shall approve the corporate objectives which are entrusted to the CEO to achieve and set out the basis for measuring the CEO's effectiveness in achieving corporate objectives.

94- The CEO's performance shall be assessed against both subjective and objective performance criteria as specified by the Board and agreed at the beginning of the appraisal period.

95- The CEO's appraisal instrument shall be completed by all members of the Board Compensation/Human Resources Committee (BCOMP/BHRC), and the results thereof consolidated into a report providing an overall rating and appropriate recommendations.

96- A consolidated report shall be presented to the full Board by the Chairperson of the BCOMP/BHRC for discussion and approval.

97- The CEO's performance evaluation shall not be deemed complete unless the entire Board has reviewed and approved the BCOMP/BHRC report.

98- The CEO's effectiveness, as a member of the Board, shall be evaluated during the annual Board evaluation of individual Directors.

99- SFIs may elect to evaluate the CEO's performance by the full Board directly.

100- The Executive Director (ED) is answerable to the Board through the CEO. The ED shall therefore report to the CEO of the SFI in the execution of his/her day-to-day responsibilities, and the CEO shall be responsible for reviewing the performance of the ED against agreed performance measures.

101- The Board of Directors shall review the evaluation completed by the CEO and make recommendations thereon, as appropriate. The ED's appraisal shall only be finalized after the Board has reviewed and endorsed the recommendations made by the MD/CEO.

[2] Key members include any individual who functionally or operationally heads the business or control functions in the SFI.

102- Senior Managers shall be evaluated by the CEO or ED according to their approved reporting lines. In order to ensure that evaluations are fair and consistent, the report on the evaluation of senior managers shall be presented to the Board for final approval. The Performance Management cycle for Senior Managers will be deemed to be complete only after final sign-off by the Board of Directors.

O. Managing Conflict of Interest

103- The Board shall ensure that SFIs have in place a policy on conflict of interest detailing the process to identify and avoid possible conflicts of interest that may be detrimental to the Board's ability to perform its responsibilities.

104- At a minimum, the policy should include the following:
a. Specify situations where conflicts can occur;
b. Obligations for each Director to disclose their known interests that may conflict with the interests of the Board at the commencement of every financial year and at any time thereafter that such an interest arises;
c. A requirement for Directors to declare their interest and recuse themselves from the relevant Board or Board Committee deliberations and decisions;
d. Procedures covering related party transactions and arm's length provisions; and
e. Procedures for the Board to follow when conflicts of interest are present.

105- It is the Board's responsibility to ensure that appropriate public disclosures are made, and that relevant conflict of interest information is transmitted to the relevant regulators.

106- These include the SFI's disclosure approach to manage existing or possible material conflicts of interest and conflicts that may arise in relation to any transactions within the same group in which the SFI operates.

P. Disclosure and Transparency

107- SFIs shall operate with full transparency towards their stakeholders including shareholders, depositors, and market participants.

108- SFIs shall disseminate information to their stakeholders on a timely basis to enable them to assess the effectiveness of the Board and senior management regarding the governance of the SFI. The level and depth of disclosures should be commensurate with the size and complexity of the operations, as well as the risk profile of the SFI.

109- At a minimum, the following information should be disclosed on an annual basis:
a. Material information covering the SFI's objectives, organizational and governance structures and policies.
b. A list of specialized committees, their scope of responsibilities and meeting frequencies.
c. The remuneration approach, ownership structure and voting rights.
d. Related party transactions.

e. Incentive and compensation policy, including the performance measurement criteria and aggregate information on remuneration.
f. The financial reporting framework applicable to the SFI and an explanation of any material differences between applicable analysis periods.

110- SFIs shall disclose their risk profile, specific exposures, and risk mitigation measures in an aggregate fashion and without breaching any confidentiality.

111- The Board shall satisfy itself that procedures are in place to ensure that the financial institution is satisfying its disclosure obligations and that the information being disseminated is true and accurate.

Q. Risk management

112- The Board has primary responsibility for understanding the risks run by a financial institution and ensuring that the risks are managed appropriately. Accordingly, the Board shall:
a. Formulate a clear philosophy for each risk area;
b. Design and approve structures that include clear delegation of authority and responsibility at each level;
c. Review and approve policies that clearly quantify acceptable risk, and specify the quantity and quality of capital required for the safe operation of the financial institution;
d. Periodically review controls to ensure that they remain appropriate and make periodic assessments of the long-term capital maintenance program;
e. Obtain explanations where positions exceed limits, including reviews and approvals/authorization of credit granted to substantial shareholders, directors and other related parties and of executive management's significant credit exposures, and the adequacy of provisions made; and institute a process that ensures adequate reporting of limit exceptions, compliance failures and any matters relevant to the overall control framework of the SFI;
f. Ensure that the internal audit function includes a review of adherence to policies and procedures;
g. Formally delegate to management the authority to formulate and implement strategies; and
h. Specify the content and frequency of reports.

R. Risk Appetite Statement

113- It is the responsibility of the Board to develop the SFI's "Risk Appetite" with consideration given to the SFI's business environment, competitive environment, regulatory developments and its long-term strategy.

114- The Board may utilize the senior management and the Chief Risk Officer to adequately monitor the SFI's operations in line with the Board's stated risk appetite.

115- The development of an effective Risk Appetite Statement should be driven by both top-down Board leadership and bottom-up management involvement.

116- The Risk Appetite Statement should:

a. Communicate the SFI's risk appetite effectively throughout the SFI, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the SFI;
b. Include both quantitative and qualitative considerations; and
c. Clearly establish the individual and aggregate levels and types of risk that the SFI is willing to assume prior to engaging in its business activities, in order to conduct its operations within its risk capacity.

S. Board Committees

117- The Board shall establish specialized Board committees as provided under the Financial Institutions (Corporate Governance) Regulations, 2005.

118- In addition to the committees outlined in the Corporate Governance Regulations, SFIs may constitute additional Board committees, depending on the complexity of their operations.

119- All Board committees shall be chaired by an Independent Non-Executive Director.

120- Every Board committee shall have approved Terms of Reference that outline the committee's functions, mandates and working procedures, including its membership, tenure for its members and a viable rotation schedule.

121- Each committee should maintain appropriate records, minutes and supporting documentation evidencing reviews and resolutions passed during the execution of responsibilities outlined in its Terms of Reference.

Board Audit Committee

122- The Board of Directors shall constitute, from among its members, a committee on audit of three (3) Directors in accordance with section 59 of the FIA 2004.

123- The Board Audit Committee Chairperson must have an Accounting/Audit background.

124- All members of the Board Audit Committee, including its Chairperson, must be independent Non-Executive Directors.

125- The Chairperson of the Board Audit Committee should not chair any other committee of the Board.
126- The Board Audit Committee should meet at least once annually with the Internal and External Auditors, in the absence of SFI management, to allow the exchange of views and discussion of concerns in an open and frank manner. The deliberations of these meetings must be documented.

Key Responsibilities of the Board Audit Committee

127- The responsibilities of the Board Audit Committee shall, at a minimum, include:

128- Appointment and removal of the Head of Internal Audit and any other staff members of the audit function;

129- Disclose the removal of the Head of Internal Audit to the regulator as soon as practicable, but in any case no later than two weeks after the date of removal, giving reasons for the removal;

130- Conduct the performance evaluation of the Head of Internal Audit. The evaluation shall be performed by the whole Board Audit Committee;

131- Take measures to enhance the independence and stature of Internal Auditors;

132- Approve the Internal Audit Charter, Annual Audit Plan and budget;

133- Receive and review periodic reports from the Internal Auditor on the results of the internal audit activities or other matters that the Internal Auditor deems necessary;

134- Review the internal controls, operating procedures and systems, and Management Information Systems of the SFI;

135- Bring matters surrounding the operational efficiency, independence, and effectiveness of the audit function to the attention of the Board of Directors on a regular basis;

136- Review the financial statements of the SFI and make recommendations on them;

137- Provide oversight on the financial institution's Internal and External Auditors;

138- Ensure that Management takes appropriate corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations and other problems identified by Internal and External Auditors;

139- Utilize, in a timely and effective manner, the findings of internal and external auditors as an independent check on the information received from management on the operations and performance of the financial institution;

140- Require timely correction by management of problems identified by the Internal and External auditors;

141- Oversee the establishment of accounting policies and practices;

142- Ensure the periodic review of the Internal Audit function by an independent party to establish the independence of the function in line with International Internal Audit Standards; and

143- All other duties as outlined in Section 59 (7) of FIA 2004.
The Asset Liability Management Committee (ALCO)

144- The Board of Directors shall constitute an Asset Liability Management Committee (ALCO) in accordance with section 60 of the FIA 2004, consisting of not less than two Non-Executive Directors.

145- ALCO shall perform such functions as the Board of Directors shall specify in relation to establishing guidelines on the financial institution's tolerance for risk and expectations from investment, which shall include but not be limited to the following:
a. limits on loan to deposit ratio;
b. limits on loan to capital ratio;
c. limits on exposure to single or related customers;
d. flexible limits on the percentage reliance on a particular deposit category;
e. maximum dependence on inter-bank and other volatile funding instruments;
f. limits on maximum and minimum maturities for newly acquired categories of assets and liabilities;
g. limits on maximum and minimum maturities for existing categories of assets and liabilities;
h. limits on the sensitivity of the net interest margin to changes in market interest rates;
i. maximum percentage imbalance between rate-sensitive assets and liabilities;
j. limits on the minimum spread acceptable between costs and yields of liabilities and assets;
k. limits on the minimum liquidity provision to be maintained to sustain operations while longer term adjustments are made;
l. quantification of primary sources of funds;
m. monitoring of the financial institution's policies, procedures and holding portfolio to ensure that goals for diversification, credit quality, profitability, liquidity, community investment, pledging requirements and regulatory compliance are met; and
n. generally implementing the asset/liability (funds) management policy of the financial institution.

Board Risk Committee

146- Each SFI shall have a Board Risk Committee to provide oversight of the institution's overall risk strategy. The Board Risk Committee should have the majority of its membership comprised of independent Directors and shall be chaired by an independent Director.

147- Members of the Board Risk Committee should have experience in risk management practices relevant to the complexity of operations conducted by the SFI.

Key Responsibilities of the Board Risk Committee

The Board Risk Committee shall:

148- Oversee senior management's implementation of the duly approved risk management framework, limits and procedures relating to all key risks inherent in the financial institution's business activities.

149- Ensure the SFI has in place appropriate policies and procedures governing its operations.

150- Review the SFI's risk policies at least annually and submit them for the Board's approval.

151- Advise the Board on the development and implementation of the SFI's risk appetite and report on the state of key risk events, risk culture and the performance and interaction of the Chief Risk Officer.
152- Provide oversight over the SFI's capital management as well as all risks inherent in the SFI's operations including: strategic, operational, credit, liquidity, foreign exchange, interest rate and compliance risks.

153- Interact with the Chief Risk Officer on an ongoing basis and receive regular reporting and communication from the CRO about the SFI's risk profile, risk culture and its overall risk-taking activities including limits, breaches and risk mitigation measures.

Board Credit Committee

154- The Board Credit Committee shall provide oversight on credit operations in line with the SFI's credit strategy.

Key Responsibilities of the Board Credit Committee

The Board Credit Committee shall have the following key responsibilities:

155- Approve and oversee compliance with the SFI's lending policy.

156- Delegate lending limits to approved sanctioning authorities of the SFI.

157- Approve credit facilities that are above the sanctioning authority of Management.

158- Approve credit facilities granted to Shareholders, Directors, senior management and other related parties (i.e. Insider Loans).

159- Approve policies and procedures governing the implementation of International Financial Reporting Standard 9 (IFRS 9).

160- Ensure the SFI has robust Information Technology systems, internal control processes and sufficient human resources for successful implementation of IFRS 9.

161- Approve a governance framework to oversee the implementation of IFRS 9, highlighting the role of the Board and senior management in the implementation of the standard.

162- Approve sound methodologies for measuring Expected Credit Losses (ECLs), to enable appropriate and timely recognition of ECLs.

163- Assist the Board in discharging its responsibility by reviewing the quality of the loan portfolio.

164- Ensure the SFI holds adequate provisions for bad debts in compliance with BOU guidelines on risk classification and provisioning.

165- Approve the write-off of non-performing credit facilities.

166- Ensure that the credit policy and risk lending limits are reviewed at least annually.

Board Compensation Committee

167- SFIs shall have a Compensation/Remuneration committee responsible for overseeing the remuneration system's design and operation and for ensuring that remuneration is appropriate and consistent with the SFI's culture, long-term business strategy and risk appetite.

168- The Compensation committee must be chaired by an independent Non-Executive Director.

169- The MD/CEO and ED should not be members of the Board Compensation/Remuneration committee.

Key Responsibilities of the Board Compensation Committee

170- The Compensation Committee shall provide oversight on the remuneration of senior management and other key personnel and ensure that compensation is consistent with the SFI's culture, objectives, strategy and control environment.

171- Ensure that Human Resource policies and structures are sound, effective and consistent with the SFI's risk management practices.

172- Approve the organizational structure of the SFI as well as any changes to the structure.

173- The Compensation Committee, as delegated by the Board of Directors, shall approve the compensation of senior management and other key personnel.

174- Approve salary scales, with a view to ensuring that staff do not overly depend on short-term performance or encourage excessive risk-taking.

T. Governance of Information Technology (IT)

175- SFIs shall put in place a comprehensive IT governance framework which supports effective and efficient management of IT resources.

176- The Board may establish a Board IT committee or delegate the oversight of IT operations to a suitable committee of the Board, such as the Board Risk Committee.

Key Responsibilities of the IT Risk Committee

The main objective of the IT committee shall be to:

177- Approve the SFI's IT strategy and provide direction on IT activities;

178- Ensure that IT staff are adequately skilled to manage IT resources;

179- Monitor the progress of IT projects, services and investments as well as the disposal of IT property;

180- Provide oversight over IT governance controls supporting outsourced IT services;

181- Responsibility for the implementation of IT management should be assigned to the Head of IT/Chief Information Officer (CIO), who shall act as the first line of defence between the Board and management on IT-related issues;

182- The Board should ensure that the information and intellectual property contained in the information systems are protected;

183- The Board should ensure that IT Risk is considered as part of the SFI's enterprise-wide risk assessment;

184- The IT Risk committee shall measure and understand the company's overall exposure to IT risks and ensure proper processes are in place to manage these;

185- The Board shall assume full oversight of the SFI's IT and Cyber Security infrastructure. To that end, the Board shall have access to all key reports on IT operations, including reports on assessments conducted by the Group for SFIs that are part of Group structures.

U. Control Functions

Internal Audit Function

186- All SFIs shall appoint Internal and External auditors in accordance with sections 61 and 62 of the FIA 2004 to perform the functions stipulated in the Act.

187- The Internal Audit function should have a direct reporting line to the Board through the Board Audit Committee.

188- The Audit function must be independent of the operational aspects of the SFI.

189- The Head of Internal Audit should have the following powers:
a. Have adequate seniority to be able to carry out his/her mandate with sufficient standing, skills, as well as resources and authority within the SFI to enable the audit function to be carried out effectively and objectively;
b. Have full and unfettered access to any records of the SFI;
c. Conduct his/her functions in line with national and international Audit standards;
d. Have staff with adequate skills and knowledge to effectively audit the business lines and functions;
e. Follow up on internal audit issues identified in a timely manner; and
f. Annually perform an audit of the SFI's risk management framework commensurate with the level and depth of operations conducted by the SFI.

Reporting line and Appraisal of the Internal Auditor

190- The Head of Internal Audit shall report to the Board through the Board Audit Committee (BAC).

191- Since the Internal Auditor also interfaces with senior management in so far as executing his/her duties, he/she will have a dotted reporting line to the MD/CEO.

192- The performance of the Head of Internal Audit shall be evaluated at least annually by the whole Board Audit Committee.

193- The Board Audit Committee may use its discretion to seek the views of the CEO with regard to the performance of the administrative tasks assigned to the Internal Auditor.

External Auditors

194- In line with section 67 of the FIA, every SFI shall appoint an External Auditor, which shall serve the SFI for a continuous period of not more than four years.

The Management Risk Committee

195- SFIs shall constitute a Management Risk Committee composed of Heads of Business Units and chaired by the Managing Director or Executive Director.
196- The key functions of the Management Risk Committee should include, among others, formulating risk strategies and developing sound risk management policies and procedural guidelines for Board approval.

197- The Committee shall review the identified institution-wide risks, measure and monitor these risk exposures and determine whether the risk decisions are in line with approved risk strategies and policies as well as risk tolerance/appetite levels.

198- The Management Risk Committee should have clear and well-defined Terms of Reference and meet on a regular basis to effectively execute its mandate.

Risk Manager or Chief Risk Officer (CRO)

199- SFIs shall have a Risk Manager/CRO with sufficient authority, stature, independence, and resources. The Risk Manager should be a senior manager and a member of the Management Risk Committee.

200- The appointment and dismissal of the CRO, as well as other changes to the CRO position, should be approved by the full Board or, if delegated by the Board, by the Board Risk Management committee.

201- The Head Risk/CRO should report to the Chief Executive Officer/Managing Director.

202- In order to maintain the independence of this role, the Head Risk/CRO should not have management or financial responsibility in respect of any operational business lines or revenue-generating functions.

203- The role of the Risk Manager should be distinct from other executive functions and business line responsibilities and should generally avoid "dual hatting". For instance, the Chief Operations Officer, Chief Finance Officer, Chief Internal Auditor, Head of Compliance, or other senior management should not also serve as the Risk Manager.

204- The Head Risk/CRO should have unfettered access to the Board Risk committee, to enhance the independence of this role.

205- Interaction between the Risk Manager and the Board should occur regularly and be documented.

206- The Head Risk should be responsible for the risk management function and the institution's comprehensive risk management program across the entire organization. The Head Risk/CRO shall coordinate the activities of the Management Risk Committee, consolidate risk reports from Heads of Business Units and report to the Management Risk Committee.

207- The CRO shall have access to all business lines to enable him/her to gain an in-depth understanding of the underlying risks.
Risk Identification, Monitoring and Control

208- SFIs shall put in place an adequate risk management framework to enable the timely identification and management of inherent risks in their operations.

209- SFIs should have accurate data in order to adequately identify and mitigate risks and allow sound decisions to control their primary risks.

210- The Risk management function should have adequate systems in place to consolidate and assess relevant data, and should be able to model and apply stress testing based on relevant scenarios.

211- Results of the risk assessments conducted by the risk management function must be disseminated to Management and the Board regularly.

212- The Risk management function should also be involved in the assessment of new products or services that the SFI is planning to engage in and provide relevant risk assessment and impact analysis to management and the Board.

213- The risk identification process must include risk mitigation techniques and approaches to mitigate inherent or emerging risks in the SFI, commensurate with the risk appetite statement of the Board.

214- The Risk management function should be actively involved in the identification and mitigation of risks arising from mergers and acquisitions.

Compliance Function

215- SFIs shall have an independent Compliance function mandated to assess, monitor and report on the compliance of the SFI with existing rules and regulations, including the governance rules outlined in this guidance.

216- The Compliance function shall report to the Board, through the Board Risk Committee, and shall have sufficient authority, independence, resources, and access to the Board.

217- The Compliance function should provide advice to the Board and management regarding the SFI's compliance with applicable laws, guidance and standards, while providing operational support to comply with the same.

218- The SFI's senior management must develop the compliance policy and have it approved by the Board.

219- The Board is responsible for the oversight of the Compliance function, which includes approval of its Policies and Procedures governing the identification, assessment, continuous monitoring and reporting of the compliance risks inherent in its operations.

V. Anti-Money Laundering Compliance Officer

220- The position of Anti-Money Laundering Control Officer (AMLCO) shall be held by a person at Senior Management level.

221- In line with international best practices, BOU expects the AMLCO to have a direct reporting line to Executive Management or the Board of the SFI.
This shall enable him/her to directly articulate any issues exposing the SFI to money laundering risks. Additionally, the AMLCO should be the contact point for internal and external authorities, including supervisory authorities or the Financial Intelligence Authority, concerning Anti-Money Laundering issues.

222- The AMLCO role can be held by an independent Senior Manager or be held by either the Head of Risk or the Head of Compliance.

W. Governance of Group Structures

223- For any entity operating in Uganda under a group structure and supervised by the BOU, it is both the subsidiary Board's and management's responsibility to thoroughly understand the risks within the group structure and take necessary measures to mitigate them.

224- SFIs shall avoid, to the extent possible, creating opaque structures that may impede effective Board and management oversight.

225- The Board shall ensure that risk management practices, corporate values, and strategic objectives are aligned throughout the consolidated entities and that the implementation of group or similar policies is aligned across the organizational structures.

X. Parent/Holding Company Boards

226- When an SFI is operating within a group structure, the Board of the parent company shall have adequate oversight over its subsidiaries while considering the specific requirements and nuances in each jurisdiction.

227- Where an SFI is operating within a group structure as a parent/holding company, the Board shall have adequate oversight to ensure that significant risks that might have an impact on the entity as a whole or on each subsidiary are given due consideration at the parent/holding company level.

228- It is the responsibility of the Board and management of the parent entity to implement the necessary governance structure within the consolidated entity.

229- Accordingly, at the highest organizational level where holding, parent or other similar entities exist, the Board shall establish:
a. A group organizational, operational, control and governance framework that defines the roles and responsibilities of the controlling entity and subsidiaries. This includes a well-functioning audit and control framework at the controlling entity level and a framework for coordinating compliance with different regulators and stakeholders;
b. The subsidiary level Board and management structure, with a view to managing the consolidated risks that the whole entity faces;
c. A framework to enable the top level Board to make regular assessments of the effectiveness of (a) and (b) above and to ensure that adequate policies and procedures are in place to effect the same;
d. A control framework across the different businesses in the group to identify and manage intra-group conflicts of interest, including systems to allow adequate levels of information exchange, as well as efficient and effective supervision of the group;
e. Adequate resources to monitor the compliance of subsidiaries within the group with all applicable legal, regulatory and governance requirements, regardless of their geographic locations or regulatory boundaries; and
f. A comprehensive framework to allow effective relationships with relevant regulators.

230- When Board meetings of entities within the group structures (i.e. SFIs within the Group structures) are held, it should be ensured that the attendance of observers or invitees is managed via invitation only and only to address specific agenda items.

231- Invitees and attendees must recuse themselves from the meeting following the completion of their presentations.

Y. Subsidiary Company Boards

232- The Board shall establish effective risk management and corporate governance frameworks at subsidiary level.

233- It is important that adequate levels of coordination between the top-level entities and subsidiaries exist to ensure that effective risk management structures across the different entities of the holding company or the parent structures are always maintained. This includes an effective framework of authorities and reporting obligations from subsidiaries to parent and holding companies.

234- The risk management practices, corporate values and strategic objectives must be aligned throughout the consolidated entities, and the implementation of group or similar policies must be aligned across the organizational structures, including any subsidiaries operating in Uganda.

Z. Complex and/or Opaque Structures

235- SFIs shall put in place appropriate policies, procedures and processes for the approval and maintenance of entities created within the group structure.

236- Deploy a centralized approval process for the creation and management of the entities within the structure.

237- Subject the group entities to the same controls, including ensuring a viable internal and external audit process similar to those deployed at regulated SFIs.

238- Require periodic and independent reviews of these structures.