Corporate governance standards in banks

‘Approved’ Central Bank of The Republic of Azerbaijan Resolution № 41/11 Corporate governance standards in banks

1. General provisions 1.1. These Standards have been developed in line with Clause 34.4 of the Law of the Republic of Azerbaijan ‘on Banks’ (hereinafter – the Law), as well as corporate governance principles for banks and Principles for Enhancing Corporate Governance issued by the Basel Committee considering international corporate governance practice and determine corporate governance standards in banks. 1.2. The objective of these standards is to launch reliable and transparent management and reporting systems and ensure effective internal control and risk management guided by the requirements, set out by the corporate governance law 1.3. Items 3.9, 18 and 19 of these Standards also apply to local branches of foreign banks.
2. Definitions 2.1. The definitions used herein bear the following meanings: 2.1.1. corporate governance – a management method, which ensures setting of strategic objectives and targets based upon bank’s strategic view, tools, and processes in place to achieve them, clear segregation of authorities across all management levels, as well as introduction of an effective internal control system to provide efficient risk management and transparent performance. 2.1.2. internal control system – a system covering the management and organizational structure that provides monitoring of bank's activities, including risk management, compliance, and internal audit functions. 2.1.3. strategic vision – long-term performance program targeting stronger market position and higher value. 2.1.4. mission statement – summary of key principles of the strategic vision. 2.1.5. strategic plan – a periodic plan, which links the strategic vision to clearly defined measurable goals and coordinated measures. 2.1.6. fiduciary duties – tasks aimed at protection of bank’s current and future interests. 2.1.7. risk management – the process, which addresses identification, evaluation, management, monitoring and reporting of risks, inherent to bank’s performance. 2.1.8. strategic planning process – development of a strategic plan to set and achieve long-term performance targets. 2.1.9. independence – ability to make objective and independent decisions without being directly and/or indirectly influenced by the bank and/or other outsiders. 2.1.10. financial indicators – relative quantitative indicators, used to evaluate bank’s performance results, computed based upon financial statements.

2.1.11. Chief Financial Officer (CFO) – Management Board member, who is directly in charge of bank’s financial management divisions. 2.1.12. Chief Risk Officer (CRO) – Management Board member, who controls activities of bank’s structural divisions in connection with the risk management function. 2.1.13. Chief Compliance Officer (CCO) – Management Board member, who controls activities of bank’s structural divisions in connection with the compliance function. 2.1.14. Corporate secretary – bank employee who supports effective functioning of the Supervisory Board, Chair of the Supervisory Board and Supervisory Board committees and meet the requirements specified in Item 11.6 herein. 2.1.15. special category employees - the following employees who perform functions that have a considerable influence on the bank's risk profile: 2.1.15.1. Management Board members. 2.1.15.2. Heads of bank’s control function (structural units engaged in risk management, compliance, and internal audit functions). 2.1.15.3. bank employee, who is engaged in the structural unit with a significant influence on the bank's risk profile (e.g. issue of loans, treasury, project management, etc.) determined in the bank's remuneration policy, whose total income (salaries and bonuses) received from the bank during the recent year is not less than the annual average amount of the position salary and its additions paid to the members of the bank’s Management Board during the calendar year (and whose activities affect the bank's risk profile. 2.1.16. data users – existing and potential shareholders, market players and other stakeholders, who are interested in obtaining data related to bank’s performance. 2.1.17. reward - payments made by the bank in the form of money, shares and other financial instruments in exchange for the professional activity of employees. There are two types of rewards – fixed or variable. One-time rewards-gifts not provided for by the salary system and paid to bank's employees based on the decision of the bank's management (holidays, special days, and other payments of a social nature) do not qualify to this decision. 2.1.18. fixed reward– a type of reward whose conditions and volume are determined in advance without considering any criteria related to bank's performance. 2.1.19. variable reward – the type of reward based on bank's performance results and determined in accordance with key performance indicators (KPI) of bank employees or other indicators determined by the bank's management. 2.1.20. risk – probability that costs (losses) caused by probable or unexpected events will have a negative impact on bank's capital and liquidity position. 2.1.21. risk management system – the system comprising the risk management elements specified herein. 2.1.22. risk limit – maximum limit of the assumed risk per type of activity of the bank.

2.1.23. stress-test – a tool for assessing potential impact of one or more shocks on a bank's financial standing. 2.1.24. shock – a probable and measurable event that can potentially affect bank's operations. 2.1.25. risk profile - the aggregated level of risks the bank is exposed to. 2.1.26. risk appetite – the amount of the risk, the bank is willing to take within its risk-taking capacity to achieve its strategic goals. 2.1.27. risk-taking capacity – the maximum amount of risk that the bank can take without violating capital, liquidity, and other prudential requirements. 2.1.28. risk appetite statement – a document that reflects total risk limits that the bank will assume to achieve its business goals. 2.1.29. risk culture – the bank's set of norms, approaches and behaviors on risk identification, acceptance, and management, as well as risk decision-making. 2.1.30. bank product – a method of presentation of types of activities conducted by the bank. 2.1.31. compliance risk – the risk of corrective measures and sanctions, financial losses, or loss of reputation that the bank may face as a result of non-compliance with the legislation and the requirements of legal acts regulating the financial markets. 2.1.32. environmental, social, and economic factors (ESG factors) – the set of ecological (climate change, environmental degradation, ecosystem disruptions, etc.), social (equal opportunities and access to the labor market, labor relations, social protection, inclusiveness, consumer safety and data privacy, etc.), and governance (remuneration, transparency, risk management system, etc.) factors. 2.1.33. green imitation – the imitation of a product or service’s sustainability nature in communications regarding sustainability-related activities of a bank, its subsidiaries, or its financed clients. 2.1.34. ESG risks – the risk of negative financial consequences arising in bank’s operations, financial condition, or invested assets as a direct or indirect result of the impact of ESG factors on traditional banking risks (credit, market, operational, liquidity, and reputational risks) 2.1.35. ESG opportunities – potential positive impacts of ESG factors on bank’s operations, financial condition, and long-term sustainability. 2.2. For the purposes of these Standards the definitions ‘related party,’ ‘systemically important bank’ and ‘fit and proper person’ bear the meanings specified in the Law. The definitions ‘Sustainable loan,’ ‘Green loan,’ and ‘Sustainability-linked loan’ have the meanings defined in the ‘Regulations on credit risk management in banks’ approved by Resolution No. 46/4 of 21 September 2023, of the Management Board of the Central Bank of the Republic of Azerbaijan (hereinafter – the Central Bank). 3. Core corporate governance principles 3.1. The application of corporate governance in a bank is provided by the Supervisory Board. The Management Board should provide effective implementation of the strategy and policies approved by the Supervisory Board.

3.2. A bank should have a management and organizational structure based on main activity directions, segregation of authorities, effective risk management, an adequate internal control system, including accounting procedures, effective information systems and an effective remuneration policy. The bank's organizational structure is approved by the general meeting of shareholders or by the Supervisory Board, if authorized. The organizational structure should be regularly revised and updated, as necessary. 3.3. The management and organizational structure, as well as the segregation of authorities should be commensurate with the nature, size, and complexity of bank’s operations, avoid a conflict of interests and communicated to the bank’s staff. 3.4. Every bank establishes its strategic vision and develops a mission statement for the strategic planning period on its basis. The strategic vision and the mission statement are approved by the Supervisory Board and presented to bank’s shareholders for information. 3.5. A strategic plan should be elaborated based upon the bank’s strategic vision and mission statement. The strategic plan is approved by the Supervisory Board and covers at least a three-year period. The plan is revised based on results of the previous year after the end of each year and in case of a change to the bank’s risk profile, as well as in case of any events and threats in the external environment affecting bank’s activities, relevant changes are made to the strategic plan. The strategic plan and changes made therein are submitted to the bank’s shareholders and the Central Bank for information within 30 (thirty) days upon the date of approval. The plan addresses bank’s strategic vision, mission statement, risk analysis, development priorities and types of activities to be provided, strategic targets and actions plan on them, the organizational structure required for the implementation of the strategic plan and financial forecasts. 3.6. To ensure its long-term sustainability, a bank should take into account in its strategy those ESG factors that have or may have a significant impact on its activities. The bank should analyze and assess current and potential impacts of ESG factors on its operations and operating environment in the short, medium, and long term. The bank should clearly define the distribution of duties and authorities within its organizational structure with respect to the management of ESG risks and opportunities and incorporate them into its risk management system. 3.7. The bank’s Supervisory and Management Boards should be aware of bank’s goals, activity targets, internal risks, as well as events and threats in the external environment that affect bank’s activities. The Supervisory Board of the bank holding company should be aware of all risks that the bank holding company and its subsidiary bank will face and will affect its activities. In this case, the activity of the Supervisory Board of the bank holding company should not compromise the independence of the Supervisory Board of the subsidiary bank. In the bank's subsidiary located in a foreign country, the requirements of these Standards are applied to the extent that they do not conflict with the corporate governance standards established in the host country.

3.7-1. Where the bank is part of a group of companies (holding) operating in various fields, the bank's Supervisory Board should be informed about the structure of the group (holding), the activities of its companies, and the risks that the bank may face as a result of these activities. 3.8. The bank should have a reporting system that effectively informs Supervisory and Management Boards on its operations, financial standing, risks faced and decisions affecting bank's business processes. All transactions in the bank are reflected in the main automated transaction system, and bank staff should have access to this system within their authority. Operations of branches and divisions should be reflected in the main automated operational system of the bank in a real time mode. 3.9. Every bank establishes rules of ethical conduct in relation to its employees, as well as managerial bodies and internal committees. The document should address the behavior for the members of the Supervisory Board, including independent members of the Supervisory Board, independent external members of the Supervisory Board’s committees, members of the Management Board, and other bank employees at least at work and outside of work on behalf of the bank, avoiding corruption, preventing the legalization of criminally obtained property and the financing of terrorism, working in other organizations and holding managerial positions, attitude to bank property, protection of the person who provides information to the bank management on the violation of the legislation and bank’s internal rules from pressure, including financial or moral damage, insults and threats, as well as the protection of the confidentiality regime and legality in the bank. 4. Supervisory Board 4.1. The Supervisory Board oversees the bank and its subsidiaries to ensure performance of the bank, its structural units, and subsidiaries under the legislation. 4.2. To ensure more effective oversight over bank’s management and performance, the Supervisory Board is entitled to request any report and information on the bank’s performance from bank’s managerial bodies, it oversees, and internal committees, as well as structural units. 4.3. The Supervisory Board should ensure harmony of the corporate governance system, procedure and regulations and internal control mechanisms of the bank’s subsidiary vendors (hereinafter – the subsidiary) created under the Law with the risks inherent to the subsidiary’s activity, apply their adequate oversight, as well as periodically evaluate subsidiaries’ relations to each other and to the bank. 4.4. The Supervisory Board oversees frank and timely implementation of methods and internal procedures determined in the accounting policy. 4.5. Where the bank is a subsidiary of another legal entity, the Supervisory Board assesses instructions of the parent company whether they have a negative impact on bank’s financial standing and contradict the legislation, including prudential rules and takes actions according to assessment findings. 4.6. When determining the meeting procedure of the Supervisory Board the following should be considered:

4.6.1. The Supervisory Board may convene next and extraordinary meetings. Probable venue and timing for the next meeting is defined at a current meeting of the Supervisory Board at the latest. If there are any changes to the venue and timing, as well as holding of the meeting, Supervisory Board members, as well as related structural units should be accordingly informed in advance. 4.6.2. The order and timing of delivery of a written notice (electronically or in a hard copy) on the meeting agenda to every member of Supervisory Board should be determined. 4.6.3. The agenda should be attached with detailed and fully elucidated written materials, which address topics to be discussed at the meeting. Each Supervisory Board member should be provided with the information and reports to be submitted on the periodicity set by bank’s internal rules together with the agenda of the next meeting. The information and reports should at least cover bank’s financial standing and financial sustainability indicators, annual budget analysis, all considerable correspondence with the Central Bank, tax, executive and other public authorities (institutions) (shortcomings revealed in bank’s activities, obligatory instructions, decrees, etc.) and the implied actions plan, innovations in the legal framework regulating bank’s activities, proposals by the internal and external audit and the status of their implementation, and analysis of the risks exposed by the bank. 4.6.4. The agenda is developed considering proposals provided by members of the Supervisory Board, the Audit Committee, and the Management Board, as well as shareholders with qualifying holding or owners of at least 5 (five) percent of voting shares. Topics on the agenda are discussed at the meeting. Urgent and unexpected issues not on the agenda may be discussed and relevant decisions taken if all Supervisory Board members are participating and there is an agreement with simple majority of votes. 4.6.5. Under Article 28 of the Law regarding the topic discussed at the meeting, the information on the interest declared by the member of the Supervisory Board is included in meeting minutes. 4.7. Supervisory Board members may participate in meetings either personally or via telecommunication facilities (video conference, phone call, or dedicated software (application)), and e-mail. Meeting minutes should include notes on member’s participation via telecommunication or e-mail; meeting’s video- or audio-recording, or other supporting documents of participation should be stored in the bank for at least three years on durable media. Each Supervisory Board member should voice exact and implicit attitude (for or against) to the issue on the agenda, personally sign meeting minutes or submit a written document on his attitude to the issue, his/her signature being approved as per the legislation. If the Chair of the Supervisory Board is unable to attend the meeting, he may be replaced by the Deputy Chair of the Supervisory Board, and in the absence of the deputy, by another member of the Supervisory Board appointed based on the voting at the Supervisory Board meeting. If any Supervisory Board member misses three meetings on end, the Chair of the Supervisory Board, or his

substitute, should submit a written notice to the Central Bank no later than 5 working days upon the last meeting. 4.8. Supervisory Board meeting minutes are delivered to the Central Bank quarterly, no later than the end of the following month. 5. Fiduciary duties of the Supervisory Board 5.1. Each member of the Supervisory Board should: 5.1.1. be aware of bank’s financial standing, as well as its all-main operations, and regularly analyze reports submitted by internal committees. 5.1.2. be aware of key events occurred in banking and other financial sectors and available trends. 5.1.3. decide and vote solely based upon his/her judgment and internal belief to protect bank’s interests. 5.1.4. not prefer interests of any shareholder or a group of shareholders when voting or decision-making or not act under their instructions, avoid deciding to earn short-term income confronting the bank’s interest and against long-term risks. 5.1.5. protect bank’s legal interests, not criticize the bank, other Supervisory Board members and bank officers before the public. 5.1.6. avoid negative impact of his/her business activity on the bank. 5.1.7. not disclose any confidential information, known to him/her, regarding to performance of duties and responsibilities on the bank, related parties, customers, and other persons, who are in business relations with the bank, to any persons, except for the cases specified in the law. 5.1.8. discuss problems related to internal control, results of financial activities and strategic plan implementation in the bank with bank’s related officials. 5.1.9. ensure independency of the Audit Committee. 5.1.10. ensure independence of internal auditors’ activities, only issue recommendations to the Audit Committee, which establish key directions of the internal audit plan and ensure accountability of the internal audit unit to the Audit Committee. 5.1.11. ensure delivery of all necessary information and documents by bank employees to internal auditors on the bank and related parties. 5.1.12. at least once a year evaluate qualifications of Management Board members, their services in bank’s operation with profit, financial stability, and timely attainment of strategic goals, as well as their fitness to the positions they hold. 5.1.13. Taking into account Sub-items 12.2.10 and 12.2.10-1 of these Standards, the Supervisory Board should determine a clear allocation of duties and powers of its committees, the Management Board, and relevant structural units with respect to the management of ESG risks and opportunities and oversee the management of these risks within the bank. 6. Composition of the Supervisory Board

6.1. The composition of the Supervisory Board in terms of number is established in accordance with the size and complexity of operations of the bank considering the requirements of Article 25.2 herein. 6.2. The Supervisory Board should comprise members with diverse skills, qualifications, and expertise in banking, while considering the principle of gender diversity in its composition. 6.3. In other banks, except for state owned banks at least the one-third of Supervisory Board members should be independent members (in the calculation, the result is rounded up to one higher whole number (e.g., if the number of Supervisory Board members is 5 (five), the requirement for the number of independent members is defined as 2 (two), if the number of members of the Supervisory Board is 7 (seven), the requirement for the number of independent members is defined as 3 (three). An independent member of the Supervisory Board should meet all below requirements: 6.3.1. except for the cases specified in Item 6.3-1 of these Standards, a person nominated for the position of an independent member should not be an employee of the bank at the time of nomination. Individuals who were previously employed by the bank may only be appointed as independent members after a cooling-off period. This cooling-off period must be at least two￾thirds of the duration of the individual’s employment at the bank, but not less than three years. 6.3.2. except for the below cases, a person should not have been an employee of a related party of the bank in the last three (3) years: 6.3.2.1. if the person is an independent member of the Supervisory Board of a local bank's foreign subsidiary, a foreign bank or foreign bank holding company that is the parent entity of a local subsidiary bank, or another subsidiary bank of that parent entity in other countries, provided that a document certifying his/her status as an independent member, issued by the banking regulation and supervision authority of the foreign entity's or foreign subsidiary bank's home country, is submitted to the Central Bank. 6.3.2.2. if the individual is an employee or consultant who is not involved in the bank's activities at a multilateral development bank or an international financial institution that is a shareholder of the bank. 6.3.3. be a ‘cross-representative’ in management bodies (e.g., a member of the bank's Supervisory Board is a member of the executive body of another legal entity, and a member of the supervisory board of that legal entity is a member of the bank's executive body). 6.3.4. own more than 2% of preferred shares or ordinary shares of a bank or its related party, regardless of the size. 6.3.5. over last 3 (three) years be the head and members of the supervisory board and executive body of the bank or its related party (except for the independent member of the supervisory board of the bank’s related party), as well as have kinship with the shareholders provided for in Article 49-1.1.3 of the Civil Code of the Republic of Azerbaijan with the shareholders owning more than 2% of preferred shares or ordinary shares regardless of the size. 6.3.6. conduct external audit of the bank over last 3 (three) years. 6.3.7. be a contract party with a value of more than 0.025% of bank's assets, including an external service provider, as well as a customer of the bank with an asset

or liability of more than 0.025% of bank's assets over last 3 (three) years (this indicator is calculated separately across the types of operations (e.g. the ratio of bank's credit exposure to bank's assets and similarly the ratio of deposits to assets of the person as of the appointment date or as of the periodic assessment date according to Item 6.5 herein). At the same time, be the head or an authorized representative of the party to the contract which is a legal entity, including external service provider and customer’s management body according to the criteria specified in this sub-item. 6.3.8. earn other income from the bank other than the salary and reward set for Supervisory Board members, and payment of dividends (on up to 2% of his/her preferred shares) over last 3 (three) years. 6.3.9. have any other relation, including business relation compromising his/her independency in addition to the above. 6.3-1. The following persons may be appointed as independent members of the Supervisory Board without the cooling-off period specified in Item 6.3.1 of these Standards being applied: 6.3-1.1. a person who is a member of the Supervisory Board of the bank. 6.3-1.2. a person who has been a member of the bank's Supervisory Board and has not subsequently held any other position at the bank. 6.3-1.3. a person who is (was) a member of the committees of the Supervisory Board and has not held any other position at the bank. 6.3-2. The provisions of Item 6.3-1 of these Standards do not apply to persons who have worked at the bank for more than 9 (nine) years in total, or to those appointed after 8 September 2024, who have worked for more than 6 (six) years (including those who have served as independent members of the Supervisory Board). 6.3-3. If a person has not worked at the bank for at least two-thirds of the period during which he/she was a member of the Supervisory Board or its committees (at least 3 (three) years), the period specified in Item 6.3-2 of these Standards is calculated from the moment of reappointment. 6.4. Duration requirements provided for in Items 6.3 and 6.3-2 herein include the period prior to the date of entry into force of these Standards. 6.5. Compliance of the independent member of the Supervisory Board with the requirements of Item 6.3 herein should be ensured during his/her appointment as an independent member of the Supervisory Board, as well as during his/her entire activity in the bank. For this purpose, compliance of those members with relevant requirements is assessed under the periodicity set by bank’s internal rules. 6.6. Taking into account the requirements of Items 6.3-2 and 6.3-3 of these Standards, a person may not serve as an independent member of the Supervisory Board for more than 6 (six) years from the date of his/her appointment as an independent member at the bank. 7. Supervisory Board Committees 7.1. To make management in the bank more effective and boost risk control, the Supervisory Board establishes Supervisory Board committees (hereinafter – committee). The composition, functions and authorities of committees, the decision-making procedure are determined by their statutes considering the requirements herein.

Committees are independent from the Management Board and are accountable to the Supervisory Board in their activities. 7.2. Every bank establishes Audit, Risk Management and Corporate Governance Committees. 7.3. In addition to Item 7.2 herein to make the bank performance more effective, a Compliance Committee and/or other committees on various aspects of the activities of the Supervisory Board may be established at a bank considering bank’s systemic importance, risk profile, as well as complexity and nature. Where the Compliance Committee is not established at the bank, the Risk Management Committee provides compliance of the bank performance with the requirements of the legislation, legal acts regulating financial markets and internal rules. 7.4. Committees are competent with the participation of over half of their members at meetings. Committees take decisions with simple majority of votes of members, participating in the meeting. Committee members may not abstain during voting. In the event of a tie, the vote of the head of the Committee is deemed decisive. 7.5. Committee members may participate at meetings personally or via telecommunication facilities (video conference, phone calls or dedicated software (application), and e-mail. Meeting minutes should include notes on member’s participation via telecommunication or e-mail; meeting’s video- or audio￾recording, or other supporting documents of participation should be stored in the bank for at least three years on durable media. Each Committee member should voice clear and implicit attitude (for or against) to the topic on the agenda, personally sign meeting minutes or submit a written document on his/her attitude to the issue, his/her signature being approved as per the legislation. 7.6. Taking into account the requirements specified in sections 8 to 10 of these Standards regarding the composition of the Audit, Risk Management, Corporate Governance, and Compliance (if established) Committees, the following should be ensured: 7.6.1. Committees should have at least odd number of three persons. 7.6.2. The committees may consist of members of the Supervisory Board, or independent external members in cases where the number, knowledge, skills, or experience of Supervisory Board members are insufficient for the committee's activities. 7.6.3. Heads and members of committees are appointed by the Supervisory Board. 7.6.4. Committee members are appointed from among Supervisory Board members. 7.6.5. At least 1 (one) member of committees is an independent member of the Supervisory Board. 7.6.6. Knowledge, skills, and expertise of committee members should comply with activities of the committee. The compliance should be considered during the appointment of committee members by the Supervisory Board. 7.6.7. bank's shareholders may not be members of the Audit, Risk Management, Corporate Governance, or Compliance (if established) Committees. 7.7. Independent members of committees should not: 7.7.1. be a member of the bank's Supervisory Board at the time of appointment.

7.7.2. have worked at the bank for at least last 2 (two) years prior to the appointment date: 7.7.2.1. a person who has been a member of the bank's Supervisory Board and has not subsequently held any other position at the bank. 7.7.2.2. A person who is (was) a member of the committees of the Supervisory Board and is not holding (did not hold) any other position at the bank. 7.7.3. meet the requirements specified in Articles 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.9 herein with respect to officers. 7.7.4. during his/her membership in the committee, the person should not hold a position in a foreign subsidiary of a local bank, a holding company that is the parent entity of a local subsidiary bank, a foreign bank or foreign bank holding company, or in any other bank operating in the Republic of Azerbaijan, as well as in a local branch of a foreign bank. 7.7.5. have kinship specified in Article 49-1.1.3 of the Civil Code of the Republic of Azerbaijan with management body members, as well as heads of bank’s structural units over last 2 (two) years. 7.7.6. own over 2% of bank’s preferred or ordinary shares regardless of the size. 7.7.7. be a contract party with a value of more than 0.025% of bank's assets, including an external service provider, as well as a customer of the bank with an asset or liability of more than 0.025% of bank's assets over last 2 (two) years. At the same time, not be the head or an authorized representative of the party to the contract which is a legal entity, including external service provider and customer’s management body according to the criteria specified in this item. 7.7.8. have any other relation, including business relation compromising independence in addition to the above. 8. Audit Committee 8.1. In addition to the requirements specified in Item 7.6 herein the following also should be provided in terms of the composition of the Audit Committee: 8.1.1. At least the one third of the Audit Committee is composed of (in the calculation, the result is rounded up to one upper whole number) Supervisory Board members. The remaining part may be formulated of independent external members. 8.1.2. The Audit Committee chair may not be the Chair of the Supervisory Board and/or other committees. 8.1.3. The Chair of the Supervisory Board may not be an Audit Committee member. 8.2. In addition to the authorities specified in the Law and the Law of the Republic of Azerbaijan ‘on Internal Audit,’ the Audit Committee also: 8.2.1. oversees the improvement of the bank’s accounting policy. 8.2.2. monitors the transparency, integrity of bank’s financial statements and prudential reports, whether the reports were developed by adhering to information security requirements, ensuring bank’s compliance with legislation and the requirements outlined herein. 8.2.3. reviews recommendations of the external audit and other third parties with respect to effectiveness of internal control and risk management systems in the bank.

8.2.4. submits internal audit plans to the Central Bank within 10 (ten) working days upon approval. 8.2.5. submits the report on internal audit reviews conducted in the bank within a year to the Central Bank after the end of each calendar year by the end of the next quarter, as well as ensure the submission of information on individual internal audit reviews at the request of the Central Bank. 8.2.6. issues proposals to the Supervisory Board on the statute of the internal audit unit and its maintenance cost. 8.2.7. issues proposals to the Supervisory Board on salary amounts, promotion, dismissal, or release, as well as compensation of internal auditors. 8.2.8. meets with the external auditor before the commencement of the audit review, ensures timely and complete submission of all essential information and bank documents on activities of the bank and its subsidiaries to the external auditor in connection with the external audit. 8.2.9. requests the external auditor to immediately provide him/her with information on key facts and events discovered during the audit review, as well as discusses that information and audit findings with the external auditor. 8.3. Audit Committee meetings are held no less than once every three months, at least 5 (five) working days before the next meeting of the Supervisory Board. 8.4. The Chair and other members of the Management Board, the external auditor, heads of the bank's internal audit, compliance, risk management, financial management and other functions may be invited to Audit Committee meetings without voting rights. 8.5. The internal audit review, not provided for in the approved internal audit plan of the bank, is conducted based on the decision of the general meeting of shareholders or the Supervisory Board, as well as at the request of the shareholders who own more than ten percent of ordinary shares of the bank or the Management Board. The Audit Committee takes necessary actions in this regard. 9. Risk Management Committee 9.1. In addition to the requirements specified in Item 7.6 herein the following also should be provided in terms of the composition of the Risk Management Committee: 9.1.1. The Risk Management Committee Chair may not be the Chair of the Supervisory Board and/or other committees. 9.1.2. At least 1 (one) member of the Risk Management Committee should have at least 5 (five) year work experience in risk management, and other members should have at least 5 (five) year work experience in economy, finance, information technologies, audit, law, or other fields related to banking. 9.2. The Risk Management Committee: 9.2.1. reviews the risk management statement, the risk management policy and rules, risk limits, as well as changes therein and submits to the Supervisory Board for approval.

9.2.2. provides the Supervisory Board with recommendations on the bank's current and future risk appetite for individual and aggregate risk types, as well as indicators for compliance with the risk appetite. 9.2.3. reviews the risk management policy of the bank at least once a year. 9.2.4. monitors availability of procedures that provide compliance of bank’s activities with the risk management policy, as well as application of the risk appetite statement by the Management Board. 9.2.5. reports to the Supervisory Board on the status of the bank's risk culture, as well as any deviations from the risk management policy and risk limits. 9.2.6. cooperates with the chief risk officer and oversees his/her activities. 9.2.7. monitors compliance of bank’s capital and liquidity management targets, and all risks inherent to the bank, including credit, market, operational, reputation and other risks with the risk appetite. 9.2.8. receives reports from the CRO and related structural units on the current risk profile, status of risk culture, risk appetite and the use of risk limits, violations of risks limits and risk reduction measures. 9.3. Meetings of the Risk Management Committee are held no less than once every three months, and results of the meeting are reported to the Supervisory Board. The CRO, in his/her absence, the head of the risk management department, participates in meetings of the Risk Management Committee. The Chair and other members of the Management Board, as well as heads of bank's structural units may be invited to meetings of the Risk Management Committee. 9.4. Effective communication and coordination should be arranged between Risk Management and Audit Committees to ensure prompt information sharing and effective management of all risks. 10. Corporate Governance Committee 10.1. The Corporate Governance Committee discharges corporate governance, remuneration and appointment functions in the bank. 10.2. Regarding corporate governance the Committee: 10.2.1. monitors compliance of the bank’s organizational and management structure with corporate governance standards, reports to the Supervisory Board on detected incompliances and their causes, makes proposals to the Supervisory Board on their elimination and improvement of corporate governance. 10.2.2. makes proposals to the Supervisory Board on the introduction of amendments to the legislation regarding corporate governance. 10.2.3. ensures timely disclosure and accuracy of information to be disclosed to the public about the bank's corporate governance. 10.3. Regarding the remuneration the Committee: 10.3.1. prepares and submits to the Supervisory Board for approval the bank's remuneration policy based on the principles specified in Section 18 herein. 10.3.2. monitors the remuneration process, evaluates the efficiency of the remuneration system together with the Risk Management Committee annually.

10.3.3. submits proposals on the amount of remuneration to the relevant management body of the bank in accordance with Section 18 herein. 10.3.4. assesses the implementation of KPIs on special category employees. 10.3.5. reviews the effect of internal and external events on the remuneration policy and process. 10.4. Regarding appointments the Committee: 10.4.1. provides recommendations and opinions on new and potential candidates for membership of the Supervisory Board, the Management Board and Supervisory Board committees. 10.4.2. monitors the staffing of the Supervisory Board, its committees, and the Management Board. 10.4.3. establishes criteria for the appointment, duties, and remuneration of independent members of the Supervisory Board and Supervisory Board committees. 10.4.4. establishes criteria for the selection of an independent external expert in the cases provided for in Item 11.1 herein. 10.5. The Corporate Governance Committee may receive support from bank's control function units and other committees in preparation of the variable remuneration amount and remuneration policy. 10.6. The Corporate Governance Committee engages in monitoring the implementation of the bank's human resources policy. 11. Support for activities of the Supervisory Board and its committees 11.1. In every bank, the Supervisory Board and its committees have an opportunity to use independent external expert services in matters that require special knowledge and skills for effective performance of their duties. 11.2. The cost of using an independent external expert service is borne by the bank. 11.3. A conflict of interest between the independent external expert and the bank should be avoided. The independent external expert should not participate in meetings and the decision-making of the Supervisory Board and its committees, and his/her advice should be unbiased and independent. 11.4. In every bank, a Corporate Secretary function is established to support effective functioning of the Supervisory Board, the Chair, and committees of the Supervisory Board. All members of the Board have access to advice and services of the Corporate Secretary. 11.5. The corporate secretary is appointed and dismissed by the decision of the Supervisory Board. The bank’s related party may not be appointed as a corporate secretary. 11.6. The corporate secretary should: 11.6.1. have at least 3 (three) year experience in financial markets. 11.6.2. have higher education in the law, economy, or management. 11.7. To ensure effective performance of the corporate secretary, the Office of the Corporate Secretary may be established by the decision of the Supervisory Board. When

the Office of the Corporate Secretary is established, the number, composition and duties of the office staff are determined in internal rules of the bank. 11.8. The Corporate Governance Committee sets the compensation of the corporate secretary. 11.9. The corporate secretary at least: 11.9.1. works effectively with all Supervisory Board members, provides impartial advice, and acts in accordance with bank's goals. 11.9.2. provides advice to the Chair of the Supervisory Board on corporate governance, together with him/her periodically reviews compliance of the bank's corporate governance with bank's goals (e.g., evaluating activities of the Supervisory Board and its committees) and determines necessary actions to strengthen the bank's corporate governance structure. 11.9.3. provides necessary resources to increase knowledge and skills of Supervisory Board members, as well as organizes trainings and supports their professional development (these measures should be aimed at increasing the effectiveness of activities of Supervisory Board members and be consistent with their evaluation results). 11.9.4. provides access to independent external expert services for Supervisory Board members for effective performance of their duties. 11.9.5. ensures the convening and holding of meetings of the general meeting of shareholders, the Supervisory Board, and its committees, prepares the agenda for those meetings, provides them with updated information and other necessary resources before the meeting. 11.9.6. supports the development of policies and procedures necessary for effective functioning of the Supervisory Board and its committees. 11.9.7. ensures effective communication between the Supervisory Board, its committees, the Management Board, and shareholders. 11.9.8. provides access to the information required to be disclosed by the bank to shareholders and other investors. 12. Management Board 12.1. The Management Board ensures the management and implementation of bank's activities, compliance of the financial control system with the requirements of financial management and reporting, the implementation of the budget, submission of reports to public authorities (institutions) in accordance with the requirements of the legislation and their accuracy. 12.2. The Management Board: 12.2.1. develops bank’s draft strategic vision and mission statements. 12.2.2. develops a strategic plan based on the strategic vision and mission statement. 12.2.3. ensures the implementation of the approved strategic plan. 12.2.4. analyzes the implementation of the strategic plan at least once every six months and reports to the Supervisory Board on its findings.

12.2.5. reviews the strategic plan every year after the end of the year based on results of the previous year and, if required, makes proposals to the Supervisory Board to make changes. 12.2.6. ensures timely publication of annual financial statements to data users. 12.2.7. creates a financial planning system and analyzes status of annual budget implementation. 12.2.8. consents to bank's annual budget prepared under the leadership of the CFO and submits for approval to the general meeting of shareholders or, if authorized, to the Supervisory Board before the beginning of the budget year. 12.2.9. ensures the implementation of the risk management policy. 12.2.10. measures and analyzes the risks to which the bank is exposed, including ESG risks, and takes necessary actions to address any identified weaknesses. 12.2.10-1. ensures the establishment of control mechanisms to prevent green imitation and the accuracy and transparency of the data disclosed regarding sustainability indicators. 12.2.11. decides on the introduction of a new bank product. 12.2.12. submits reports to the Risk Management Committee on risks and their management. 12.2.13. creates relevant conditions for the risk management unit to operate adequately to bank risks. 12.2.14. reviews the contingency plan together with the Risk Management Committee and submits to the Supervisory Board. 12.2.15. ensures the cooperation of other structural units with the risk management unit, as well as takes actions to prevent interference into its activities. 12.2.16. approves internal rules except for the cases specified in regulations of the Central Bank and if authorized by the Supervisory Board. 12.3. The Management Board is accountable to the Supervisory Board. 12.4. The Management Board should professionally and consciously discharge its duties and responsibilities in the internal control and risk management systems. 12.5. Only a member of the Management Board may exercise control over bank’s one or several structural units (excluding the internal audit unit). 12.6. The CFO, who is the member of the Management Board: 12.6.1. develops financial management and reporting methods, internal procedures, including reports submitted to the management and the accounting policy covering financial control mechanisms. 12.6.2. ensures the proper organization of the work of the structural units responsible for treasury, asset, and liability management functions of the bank, when they are not overseen by accounting, reporting, and financial control, or by another member of the Management Board. 13. The risk management and internal control system 13.1. A risk management system should be established in the bank commensurate with the type and size of operations, the nature and environment of activities, complexity, and risks, including ESG risks, faced. The risk management system combines 3 (three) defense lines:

13.1.1. Defense line 1: includes structural units responsible for identification, evaluation, management, reporting and monitoring of risks that pose direct risks to the bank and risks on products, services, activities, processes, and systems at an initial phase, including bank’s branches and divisions. 13.1.2. Defense line 2: includes structural units engaged in risk management and compliance functions in the bank. 13.1.3. Defense line 3: includes the structural unit engaged in the internal audit function authorized to assess Defense lines 1 and 2. 13.1-1. The same structural unit should not conduct functions related to different lines of defense. 13.2. Bank’s risk appetite statement, risk management organizational structure, the risk management policy, risk limits, risk management on new product and services, consolidation of data and risk reporting and contingency plan are main elements of the risk management system. 13.3. The risk appetite statement should fully cover all material risks and the risk appetite should be commensurate with the bank’s business strategy. The statement determines resilience zones of the risk appetite on qualitative and quantitative indicators covering the risks exposed by the bank and, in case of discrepancies, actions to be taken by the bank. The statement is revised based on results of the previous year after the end of each calendar year during the first quarter of the next year and, if required, relevant changes are made. Compliance of risk appetite statement indicators with tolerance zones is monitored monthly. 13.4. The risk management policy covers at least the arrangement of the risk management, including segregation of authorities, types of activities of the bank, business processes and the risk management on information systems, as well as bank’s risk approach to the introduction of new activity types and systems. The risk management policy is revised at least once a year and, if required, changes are made therein. 13.5. In line with the risk appetite, risks limits are set on the entire bank in accordance with the bank’s size, risk profile and activity directions. The Management Board approves sub-limits within the risk limits approved by the Supervisory Board. Risk limits are monitored on an ongoing basis and are adjusted to current market conditions and the bank’s strategy. 13.5-1. The bank’s risk appetite and risk management system should take into account the ESG risks faced by the bank and establish effective mechanisms for their identification, measurement, monitoring, and management. 13.6. The internal control system should ensure long-term profitability of bank’s activities, the organization of a reliable and transparent reporting system, compliance with the requirements of legal acts regulating banking activities, and business continuity in emergencies. 13.7. The internal control function includes structural units performing functions of Defense lines 2 and 3 (risk management, compliance, internal audit). At least the following should be provided on the internal control function:

13.7.1. authorities of structural units engaged in the control functions should be clearly specified and should not be dependent on business lines and units they examine. 13.7.2. heads of the structural units engaged in the control function should not perform different executive tasks simultaneously, and employees of the structural units engaged in the control function should not have executive obligations in the areas they monitor. 13.7.3. heads of the structural units engaged in the control function should report directly to the Supervisory Board and its committees, if necessary. 13.7.4. heads of the structural units engaged in the control function are appointed and dismissed at the decision of the Supervisory Board. Information on the dismissal (with reasons for the dismissal and information on the new manager) should be reported to the Central Bank within 5 (five) working days after the decision was made. 13.7.5. structural units engaged in the control function should have adequate resources (e.g., professional staff, IT systems, access to necessary information sources, etc.) and authority to perform their duties effectively and objectively. 13.8. The internal control system of the bank should be monitored on an ongoing basis. The structural units included to the internal control function should immediately report identified shortcomings that will have an adverse effect on bank's financial resilience indicators to the bank's Supervisory Board, its committees, and the Management Board, and other shortcomings on a periodic basis determined by bank's internal rules. 14. The risk management function 14.1. The organizational structure of risk management in banks ensures clearly defined risk management powers and responsibilities, communication, and information flow between all levels of the organizational structure, actions against the conflicts of interests between structural units and authorized persons, an independent and transparent decision-making process, and an effective reporting system. 14.2. The Supervisory Board ensures the establishment of the risk management system, approves the risk management policy, internal rules, and organizational structure, as well as the risk appetite statement, risk limits and the contingency plan, monitors risk management efforts by the Management Board, evaluates the effectiveness of the risk management system at least once a year. 14.3. The main executor of the elements of the risk management system is the bank’s centralized unit that manages bank’s risks or some structural units, depending on the size and complexity of bank's activities. The structural unit(s) engaged in risk management is/are responsible for risk assessment, analysis, monitoring, reporting, conducting stress tests together with relevant structural units and preparing the actions plan, as well as internal risk management rules, the risk appetite statement, and the contingency plan together with relevant structural units of the bank. 14.4. Heads of structural units engaged in the risk management function should have at least 4 (four) year experience in risk management and be appointed by the Supervisory Board at the recommendation of the Risk Management Committee. The

staff of the unit should have access to any database in the bank, internal operating systems, as well as internal audit reports. 14.5. In the process of risk management, structural units of the bank engaged in business functions manage risks within their authority in their daily activities and ensure compliance with relevant risk limits. The powers of the Risk Management Committee, the Management Board, the CRO and internal audit unit in the process of risk management are determined in these Standards. 14.6. The risk management process covers procedures and evaluation methodologies necessary for effective risk management in banks. Methods of identification and evaluation of risks occurring in banking are applied in line with the bank’s risk profile and complexity. Both financial and non-financial risks that include ESG risks factors should be considered during risk evaluation. 14.7. Every bank develops and updates at least annually stress testing models depending on the size of the bank and complexity of its activities to identify and assess events likely to have adverse effect on the bank’s risk profile. Stress testing is provided at least every six months and an actions plan is developed based on its findings. Stress test findings and the actions plan is delivered to the Central Bank together with prudential reports of the relevant period. 14.8. Before introducing a new product or service, including beginning the implementation of projects the bank analyzes its compliance with the bank’s strategy and effect on the risk profile beforehand and upon introduction, and identifies related risks. Assessments are provided by structural units engaged in risk management and compliance functions and results are reported to the Risk Management Committee. 14.9. A contingency plan, addressing actions to be taken to prevent risks occurring in emergencies and ensure business continuity, is elaborated at every bank. The plan should address the classification of emergencies, powers of responsible persons, actions against risks, the source of capital funds to be attracted, the policy to protect against the reputation risk, and classification of bank operations and activity types in terms of their significance. The plan is revised at least once a year and relevant changes are made, if necessary. Checks (tests) to evaluate the adequacy of the measures provided for in the contingency plan by comparing probable results of risk events with actual results should be conducted with the periodicity established by internal rules of the bank. 15. Chief risk officer 15.1. The chief risk officer: 15.1.1. develops the risk management policy considering the opinion of the Management Board and submits to the Risk Management Committee. 15.1.2. coordinates activities of the Management Board and structural units on risk management. 15.1.3. reports to the Management Board on findings of risk limits monitoring monthly, as well as with respect to the risk profile of the bank. In case of discrepancies on risk appetite indicators, informs without delay the Supervisory Board and the Risk Management Committee indicating reasons. In case of violation, submits the action plan

on risk reduction or adapting risk limits to market conditions, together with monitoring findings of the next month, to the Supervisory Board and the Risk Management Committee at the latest. 15.1.4. ensures reliable, transparent, comprehensive, and timely preparation of periodic reports indicating types and size of risks related to bank's activities. 15.1.5. submits proposals on improving the risk management system to the Supervisory Board and the Risk Management Committee. The Supervisory Board and the Risk Management Committee may request the opinion of the Management Board on the proposals if they find it necessary. 15.1.6. ensures compliance of the bank’s risk exposure to its risk-taking capability. 15.1.7. takes measures on increasing knowledge and skills of the staff of structural units engaged in the risk management function. 15.1.8. attends Supervisory Board meetings in the review of the risk appetite statement, as well as in discussion of the issues related to risk management. 15.2. In the event of dismissal of the CRO, the bank should submit information on this decision (with the reasons for the dismissal and information on the new executive of this position) to the Central Bank within 5 (five) working days after the decision was made. 15.3 The CRO may hold a meeting with the Supervisory Board, the Risk Management Committee, or an independent member of the Supervisory Board without the presence of the Management Board. 15.4. The CRO may veto decisions on lending, investments, and new products. In this case, the Management Board may discuss the issue with the written justification of the CRO within 7 (seven) working days with the Risk Management Committee and then the Supervisory Board, or directly with the Supervisory Board. The Supervisory Board decides on the matter within the next 15 (fifteen) working days, and during this period the implementation of decisions of internal bank committees on issues vetoed by the Management Board and the CRO is suspended. 15.5. Except for the cases set out in Item 15.5-1 of these Standards, the CRO may not simultaneously hold the position of the chair of the Management Board, the CFO, the head of the internal audit unit or any other position in the bank. 15.5-1. . When the Chair of the Management Board is absent (due to reasons such as business trips, vacation, temporary incapacity, dismissal, etc.), the CRO may temporarily perform the duties of the Chair of the Management Board for a period of up to 3 (three) months, prioritizing the main responsibilities of the CRO. If such a situation lasts more than one month, the bank should immediately notify the Central Bank accordingly. 15.6. The performance of the CRO is reviewed and evaluated by the Risk Management Committee on an annual basis. 15.7. When the CRO is absent, the delegation of his/her duties (excluding administrative tasks) to other members of the Management Board is determined based on the decision of the bank's Supervisory Board. 16. Compliance

16.1. Every bank formulates an independent compliance function with specialized human and technological resources adequate to the nature of its activity, the size and complexity of its operations. 16.2. The bank’s compliance function: 16.2.1. determines internal procedures and methods, as well as actions to be taken to identify, measure, monitor and control the bank’s compliance risk. 16.2.2. submits reports to the Supervisory Board on a periodical, in the event of considerable compliance risks resulting from violations, on an extraordinary basis. 16.2.3. informs the Central Bank on risks and shortcomings detected and likely to have adverse effect on bank’s sustainability indicators, as well as actions taken or to be taken on their elimination. 16.2.4. develops training programs for bank staff related to compliance risks and ensures the implementation of the program together with related structural units. 16.2.5. participates in the development of internal risk management rules and monitoring of the observance of the risk appetite statement and policy in coordination with the risk management unit. 16.2.6. supports the Management Board in compliance risk management continuously. 16.2.7. participates in the development and introduction of new bank products and services. 16.2.8. ensures internal communication regarding new requirements covered by compliance risks. 16.2.9. determines and periodically evaluates the conflict of interests in the decision-making process on banking activities. 16.2.10. monitors appeals by citizens related to activities of the bank. 16.3. The compliance function may involve employees of other structural units and/or external experts to investigate detected violations. 16.4. The head(s) of the compliance function should: 16.4.1. have at least 4 (four) year work experience in the control function in the banking sector. 16.4.2. be fit and proper persons. 16.5. For an effective compliance function, adequate information sharing with the internal audit unit should be ensured; the internal audit unit should assess how effective the function is at least once a year. 16.6. The head(s) of the compliance function should be appointed by the Supervisory Board at the recommendation of the Compliance Committee, if there is not such a committee in the bank, at the recommendation of the Risk Management Committee. 16.7. A chief compliance officer may be appointed in the bank to strengthen the compliance function considering systemic importance, risk profile, complexity, and nature of activities of the bank. Where no chief compliance officer appointed in the bank, the CRO controls compliance of bank’s activities with the legislation and legal acts regulating financial markets.

16.8. When the Chair of the Management Board is absent (due to reasons such as business trips, vacation, temporary incapacity, dismissal, etc.), the CCO may temporarily perform his/her duties for a period of up to 3 (three) months, prioritizing the main responsibilities of the CCO. If such a situation lasts more than one month, the bank should immediately notify the Central Bank accordingly. 17. Internal audit 17.1. The internal audit function is Defense line 3 of the risk management system. It provides an independent support service to Supervisory and Management Boards regarding the quality and effectiveness of the internal control and risk management system to protect the bank and its reputation. 17.2. All areas of bank's activities (including outsourcing) are included in the scope of the audit function. 17.3. To make audit function effective, the Supervisory Board ensures full and unconditional access of the audit function to the entire database, including the management information system and bank's property, as well as timely and effective actions taken by the Management Board at recommendations of the audit function. 17.4. When performing audit activities, internal auditors should comply with the legislation, the statute of the internal audit service, professional standards, principles, guidelines, and rules established by the Institute of Internal Auditors. 17.5. The internal audit department should include specialists in areas that require high technical knowledge and experience (e.g., IT, risk assessment on loans and securities, payment services, modeling, etc.). 17.6. In the areas requiring special knowledge and skills, the internal audit unit may use outsourcing (except for the bank's external auditor). The internal audit unit is responsible for the effectiveness and quality of the audit work conducted in this way. 17.7. To avoid the possibility of loss of objectivity related to continuous performance of similar tasks, personnel within the internal audit unit is rotated every now and then without prejudice to auditing. The rotation order is defined in the bank's internal audit policy. 17.8. The head of the internal audit service is responsible for preparing the annual audit plan. The plan should consider the needs of the Supervisory and Management Boards regarding the improvement of oversight. The plan implementation audit may conduct reviews in any area of bank's activities, considering the requirements of Item 8.5 herein. 17.9. The Audit Committee approves the audit plan. The budget for the plan should be sufficient to ensure activities of the internal audit function and should be able to adapt to potential changes in the bank's risk profile. 17.10. The internal audit evaluation framework includes at least the following: 17.10.1. effectiveness and efficiency of internal control and risk management systems, including the ESG risk management. 17.10.2. adequacy of stress testing in the bank. 17.10.3. quality and adequacy of risk management function resources (e.g., staff, software, etc.).

17.10.4. consistency, accuracy, integrity, accessibility, confidentiality, and comprehensiveness of the information used on internal and external reporting. 17.10.5. effectiveness and completeness of the management information system. 17.10.6. compliance of bank’s activities with the legislation and legal acts regulating financial markets. 17.10.7. protection and security of assets. 17.10.8. adequacy of credit management. 17.10.9. effectiveness and efficiency of IT, cyber and information security. 17.11. To make the internal audit more effective, the Management Board should inform the internal audit function on internal initiatives and projects, improvements, changes to products and operations. 17.12. Internal audit reports are developed based on internal audit review findings. Audit findings are justified with facts and responsible persons (structural units) are indicated in reports. 17.13. The audit unit monitors the results of actions taken by the Management Board regarding the audit report and reports to the Audit Committee and the Supervisory Board at least twice a year on the status of implementation of recommendations. 17.14. The Audit Committee assesses the effectiveness of the internal audit function no less than once a year, and the external audit no less than once in two years. If findings of recent three external audit evaluations are satisfactory, the effectiveness of the internal audit function may be evaluated no less than once every five years. 17.15. Findings of external auditing of the internal audit function and actions plan on elimination of detected shortcomings are submitted to the Central Bank within 10 (ten) working days after obtaining results of the review, and the report on the implementation of the plan is submitted to the Central Bank on a semiannual basis within 10 (ten) working days after the end of each half-year. 18. Requirements for remuneration and dividend payment in banks 18.1. Every bank establishes a remuneration policy in line with its risk management policy. The remuneration policy should: 18.1.1. be oriented towards achieving bank’s strategic targets. 18.1.2. be based upon bank’s long term activity results and profitability. 18.1.3. be adequate to bank’s risk appetite, including ESG risks, and contain excess risk perception; . 18.1.4. not promote short-term income earning by assuming long-term risks. 18.1.5. avoid the conflict of interests. 18.2. The remuneration payment should avoid the deterioration of capital adequacy and liquidity indicators. 18.3. The amount of variable bonus given to the bank employee should depend on the level of implementation of quantitative and qualitative indicators set by the bank with respect to the bank employee, KPIs (maturity of loans issued with the participation of an employee of the structural unit engaged in the issuance of loans, the sector to

which the loans are issued, the concentration of the loan portfolio issued with the participation of the employee, the volume of non-performing loans in the portfolio, the position of the borrower in the sector, etc.). 18.4. Remuneration of bank employees and members of management bodies except for members of the Supervisory Board who receive remuneration in the form of a percentage of bank's retained earnings) should not depend on rewards (without the position salary). 18.5. The remuneration policy should separately address terms and conditions on granting bonuses for bank employees and members of managerial bodies at least under the following categories: 18.5.1. special category staff of the bank. 18.5.2. bank staff engaged in the control function (this category includes staff of structural units of the bank engaged in risk management, compliance, and internal audit functions). 18.5.3. staff of the structural unit of the bank dealing with the repayment of overdue loan claims for more than 90 (ninety) days. 18.5.4. other employees not listed in sub-items 18.5.1 – 18.5.3 herein. 18.6. When determining and paying variable compensation for special category employees, as well as managers of a local branch of a foreign bank (head of the branch and his/her deputy, as well as the employee, responsible for one or some structural units) the remuneration policy should address at least the following requirements: 18.6.1. A decision on a variable compensation is made once a year. At that, except for the cases where the general meeting of shareholders of a bank that meets the norms of minimum aggregate capital, the capital adequacy ratio and special reserves, but operates at a loss, makes decisions that provide for the granting of a variable reward (e.g., regarding the expansion of activities, change of business profile, financial rehabilitation, etc.), the bank should generate net profit according to results of the financial year approved by an external auditor. The decision of the general meeting of shareholders on bank’s operating at a loss should be addressed in the strategic plan, as well as during this period, the maximum amount of the variable reward across the categories specified in Item 18.5 herein and financial indicators to be used in the calculation should be determined by internal rules of the bank. 18.6.2. When deciding on the variable reward for Management Board members, as well as management staff of the local branch of the foreign bank, the bank should comply with all prudential norms established by the Central Bank both as of the end of the financial year and as of the date of the decision on remuneration. When deciding on variable compensation for other special category staff minimum amount of aggregate capital, the capital adequacy ratio and special reserves should comply with the norms established by the Central Bank both as of the end of the financial year and as of the date of the decision on remuneration. 18.6.3. Where the amount of variable remuneration is set in relation to amount of net profit and/or other financial indicators of the bank, these indicators should be based on financial statements approved by an external auditor or in the cases provided for in sub-item 18.6.1 herein on bank’s internal rules.

18.6.4. payment of at least 60 (sixty) percent of the reward in the form of money (at least 30 (thirty) percent in the case of a decision made by a 90 percent majority of shareholders with voting rights in the case of systemically important banks) is deferred and paid in equal parts over the next 3 (three) years. The requirement of this sub-item does not apply to bank employees provided for in sub-item 2.1.15.2 herein in cases where the amount of the variable reward set for them is 50 (fifty) percent or less of total amount of salary paid to them during a year. 18.6.5. reward provided in the form of stocks and other financial instruments may be either sold to or paid by the bank at least over the next 3 (three) years in equal installments. 18.6.6. if at least one of the following cases occurs, the deferred part of the reward payable for that year is not made: 18.6.6.1. if, considering the exception specified in sub-item 18.6.1 herein, the bank operates at a loss as per results of any subsequent financial year. 18.6.6.2. if, considering the exception specified in sub-item 18.6.1 herein, and except for the cases where the general meeting of shareholders deciding on the reduction of the bank’s profit targets, the net profit earned falls below 25 (twenty-five) percent of the net profit of the reward calculation year. 18.6.6.3. if the bank violates prudential norms set by the Central Bank. This requirement applies only to Management Board members. 18.6.6.4. if the bank violates prudential norms set by the Central Bank on the minimum amount of aggregate capital, the calculated capital adequacy ratio, or special reserves. This requirement applies to the special category staff. 18.6.7. Any portion of the reward deferred in any form is not accepted as collateral liabilities due to the bank. 18.6.8. Where the employees specified in Item 18.6 herein are removed or released from their posts the deferred portion of the reward is paid as per sub-items 18.6.3-18.6.7 herein. 18.7. Full or partial cancellation and/or refund of the deferred part of variable bonuses should be agreed between the special category staff and the bank. Such cases may include conclusion and/or execution of transactions by an employee that significantly harms the bank contrary to the legislation, violation of rules of ethical conduct that have an adverse effect on the bank’s business reputation, as well as other illegal actions (inactions) that cause considerable damage to the bank. The bank should determine the period of such agreements and clear qualitative and quantitative criteria for their application (e.g., violations of the law that expose the bank to financial or reputational losses). 18.8. The amount of rewards to be paid to the bank staff specified in sub-item 18.5.2 herein should not depend on the activity of the structural unit under review or compromise staff independence. 18.9. The remuneration policy determines the cases of non-payment of the reward, including its deferred part to the bank staff specified in sub-items 18.5.1, 18.5.2 and 18.5.4 herein and members of managerial bodies. These cases should include at least the following:

18.9.1. until all credit liabilities are met in the bank that obtained a lender of last resort loan from the Central Bank. 18.9.2. in case the Central Bank issues obligatory instructions for the bank on creation of special reserves, increase of capital or elimination of the cases of violation of the capital adequacy ratio, until the said instruction is fulfilled by the bank in full. 18.9.3. in case the Central Bank sanctions the dismissal of bank officers (in relation to the persons specified in sub-item 18.5.1 herein). 18.10. The remuneration policy is approved by the Supervisory Board. The remuneration policy and changes therein are submitted to the Central Bank within 30 (thirty) days upon the date of approval. 18.11. The remuneration of Supervisory Board members and independent external members of Supervisory Board committees should be commensurate with their authority, functions, experience, and responsibilities, and should be determined in the form of a fixed reward. The decision on their remuneration is made by the general meeting of shareholders. 18.12. The Supervisory Board approves the decision on remuneration of special category staff and the staff attributed to other categories. When deciding to remunerate the bank staff attributed to other categories the bank should earn net profit according to results of the financial year approved by the external auditor (considering the exception specified in sub-item 18.6.1 herein), as well as the minimum amount of bank’s aggregate capital, the capital adequacy ratio and special reserves should be compliant with prudential norms set by the Central Bank both as of the end-year and the date of decision of remuneration. 18.13. Copies of decisions on remuneration specified in Items 18.11 and 18.12 herein are submitted to the Central Bank within 15 (fifteen) days after decisions are taken. 18.14. A report on the amount of rewards granted by the bank during the year and based on the annual results, as stipulated in Items 18.5 and 18.11 of these Standards, to the individuals specified (indicating the reward amount for each individual) should be submitted to the Central Bank by July 7th of the following year. If the Central Bank requests information regarding the rewards paid to special category employees, the reward amount per special category employee should be specified 18.15. A decision on payment of dividends, including interim dividends is made by the general meeting of shareholders. At that, the relevant decision is made based on annual (interim) financial statements approved by an external auditor (reviewed by an external auditor for interim dividend payments) or annual (interim) financial statements submitted to the Central Bank for prudential purposes. In this case, if the net profit in reports is different, the lower profit is taken as the basis by the bank. 18.16. The bank pays dividends by notifying the Central Bank accordingly no later than 5 (five) working days from the date of the decision. 19. Data disclosure 19.1. The data used in decision-making in banks, as well as the data made public should be adequate and comprehensive. Data should be reliable, updated, accessible

and consistent. Bank’s communication channels should ensure that the staff fully understand and adhere to internal regulatory documents, including remuneration policies and procedures, as well as communicate relevant information to the relevant staff. The bank should have a recovery and business continuity plan in place to avoid data loss during unexpected events. 19.2. Financial statements, which reflect bank’s performance and financial standing, are developed separately and on a consolidated basis in accordance with the International Financial Reporting Standards, while annual financial statements are approved by an external auditor and disclosed jointly with the auditor opinion within the period, specified in Article 45 of the Law of the Republic of Azerbaijan on Banks. The annual financial report and consolidated financial statements are published on the bank’s website together with the auditor opinion as per the legislation. Annual financial statements may be published in print media too. 19.3. Every bank discloses the following group of information to data users to allow taking economic decisions, assessing bank’s financial standing, and effectively comparing various banks when making decisions: 19.3.1. information on bank’s financial indicators. 19.3.2. general information on the bank and its performance. 19.3.3. information on the structure and adequacy of bank capital. 19.3.4. information on the management of bank risks. 19.3.5. information on bank’s sustainability indicators. 19.4. The composition of the groups of information specified in Item 19.3 herein is specified in Annex 1 herein. 19.5. The information specified in sub-items 19.3.1, 19.3.3 and 19.3.4 herein is disclosed no less than once a quarter before the 15th of the first month of the next quarter, the information specified in sub-item 19.3.2 and 19.3.5 herein no less than once a year, and in the event of significant changes to that information – no less than once in half a year. 19.6. The information should adhere to the principles of reliability, comprehensibility, promptness, significance, actuality, comparability, when being disclosed a balance between transparency and protection of commercial interests should be maintained. 19.7. The order and periodicity of data disclosure, composition, and order of delivery to users, as well as the mechanism of coverage of these processes with internal control are established with internal rules approved by the Supervisory Board given the requirements herein. 19.8. Every bank may disclose other information about its activity that it finds important, except for the information protected by law. 19.9. The disclosed information is placed in a separate section of the bank's website, clearly visible to users, structured in an accessible format and in excel or another exportable format. Financial statements should be kept on the bank's website for at least three years from the date of posting, while other disclosed information until updated. The date the disclosed information was posted on the bank's website and the information on the person responsible for responding to requests for disclosed

information (first, last names, phone number, e-mail address) should be indicated. In addition, the same information may be placed in other media outlets. Based on requests by data users, the data should be made available directly to them at no charge. 19.10. Financial statements and other disclosed information are signed by the Chair of the Management Board and the CFO. 20. Final provisions 20.1. The requirements for the remuneration process specified in Item 18 herein do not apply to the remuneration for 2023 and remuneration for the said period is provided in accordance with the requirements of regulations available until the day these Standards took effect. 20.2. Banks should submit to the Central Bank a strategic plan valid for the current period until 31 March 2024. 20.3. After the date of entry into force of these Standards, banks are required to assess the compliance of the introduction of corporate governance with these Standards every three months and submit to the Central Bank its results within 15 (fifteen) working days after the completion of the assessment. 20.4. Sub-item 7.6.7 of these Standards does not apply to shareholders holding up to 10 (ten) percent of the bank's capital who are members of the Risk Management, Corporate Governance, and Compliance (if established) Committees until 8 September 2025.

Annex 1 to the ‘Corporate governance standards in banks’ Composition of groups of information disclosed to data users

1. Information on financial indicators 1.1. Report on financial standing in thousand manats Reporting period End of the previous year 1 Assets: 1.1 Cash and equivalent, including blocked cash funds 1.2 Trade and investment securities 1.3 Deposits with banks and other financial institutions 1.4 Loans to banks and other financial institutions 1.5 Loans to customers 1.5.1 a) consumer loans 1.5.2 b) business loans 1.5.3 c) real estate loans 1.5.4 d) other loans 1.5.2 (Loan loss provisioning) 1.5.3 Loans to customers (net) 1.6 Property and equipment 1.7 Intangible assets 1.8 Deferred tax assets 1.9 Loan loss provisioning on off-balance sheet assets 1.10 Other assets 2 Liabilities 2.1 Deposits 2.1.1 a) individuals 2.1.2 b) legal entities 2.2 Amounts due to the Central Bank and other state funds 2.3 Amounts due to credit institutions and other financial institutions 2.4 Debt securities 2.5 Current tax liabilities

2.6 Deferred tax liability 2.7 Subordinated debt liabilities 2.8 Other liabilities 3 Equity: 3.1 Paid-in capital 3.2 Gain (loss) from share depreciation 3.3 Retained earnings 3.4 General reserves: 3.4.1 a) loans, leases, and other exposure 3.4.2 b) valuation of fixed assets 3.4.3 c) other general reserves 4 Total liabilities and equity 1.2. Income statement in thousand manats Current period Year-over￾year 1 Interest income: 1.1 Loans to customers 1.2 Loans to banks and other financial institutions 1.3 Deposits with banks and other financial institutions 1.4 Trade and investment securities 1.5 Other interest income 2 Interest expenses: 2.1 Deposits 2.2 Amounts due to the Central Bank and state funds 2.3 Attracted loans 2.4 Money market instruments 2.5 Securities 2.6 Other interest expenses 3 Net interest income (expenses) 4 Non-interest income: 4.1 Fees and commissioning income 4.2 Gain (loss) from foreign exchange (including exchange rate changes) 4.3 Gain (loss) from sale and revaluation of securities 4.4 Other income 5 Non-interest expenses: 5.1 Wages and salaries and other types of compensation 5.2 General and administrative expenses

5.3 Amortization cost 5.4 Other expenses 6 (Loan loss provisioning) 7 Gain (loss) before profit tax) 8 Profit tax 9 Net profit for the period 1.3. Cash flow statement in thousand manats Current reporting period Previous reporting period 1 Cash flow from operating activity 1.1 Interest received 1.2 Interest paid 1.3 Fee and commission received 1.4 Fee and commission paid 1.5 Net receipts from foreign exchange operations 1.6 Net realized gains from derivative financial instruments in foreign currency 1.7 Salaries and other compensations paid 1.8 General and administrative expenses paid 1.9 Receipts from loss loans 1.10 Other operating income received 1.11 Other operating expenses paid 2 Cash flows used in operating activities before changes in operating assets and liabilities 2.1 Net increase/decrease in operating assets 2.1.1 Net increase (decrease) in loans to banks and deposits 2.1.2 Net increase (decrease) in loans to customers 2.1.3 Net increase (decrease) in other assets 2.2 Net increase/decrease in operating liabilities 2.2.1 Net increase (decrease) on deposits attracted from banks and other financial institutions 2.2.2 Net increase (decrease) in liabilities on Central Bank 2.2.3 Net increase (decrease) in customer deposits and current accounts 2.2.4 Net increase (decrease) in other liabilities

3 Cash flows used in operating activities before income tax 3.1 Income tax paid 4 Net cash funds generated/used in operating activities 5 Cash flows from investment activities 5.1 Purchases of property, equipment, and advance payments 5.2 Proceeds from sale of property and equipment 5.3 Purchase of intangible assets 5.4 Proceeds from sale of intangible assets 5.5 Dividends received 5.6 Sale and redemption of investment securities available for sale 5.7 Other 6 Cash flows generated/used from/in investment activities 7 Cash flows from financing activities 7.1 Acquisition of other debt liabilities 7.2 Repayment of other debt liabilities 7.3 Acquisition of subordinated debts 7.4 Repayment of subordinated debts 7.5 Proceeds from share capital issuance 7.6 Repayment of other financial liabilities 8 Cash flows from (used in) financing activities 9 Cash and equivalent at the beginning of the period 10 Net increase (decrease) in cash and cash equivalents 11 Effect of exchange rate changes on cash and cash equivalents 12 Cash and cash equivalents as of the end of the period

1.4. Report on changes in capital structure in thousand manats 1 1. Tier I capital (fixed capital) (should not be less than 50% of total regulatory capital) 1.1 common stocks (fully paid) 1.2 non-cumulative preferred call stocks 1.3 additional funds coming from issuance of stocks 1.4 net retained earnings (losses), total 1.4.1 profit (loss) of previous years 1.4.2 (less) loss of current year 1.4.3 capital reserves (funds) 1.5 other 2 Deductions from Tier I capital 3 Tier I capital after deductions (row 1 less row 2) 4 Tier II capital 5 Total Regulatory Capital (3+4) 6 Deductions from total regulatory capital: 7 Total Regulatory capital after deductions (5-6) 8 Net risk-weighted assets in percentage 9 Tier I capital adequacy ratio (3:8) x 100 10 Total regulatory capital adequacy ratio (7:8) x 100 2. General information on the bank and its activities 2.1. financial indicators for the reporting period 2.2. General information on operations with related parties (size, number, etc.) 2.3. attracted funds 2.4. information on management bodies and officials (branch managers on local branches of a foreign bank (the head of the branch and his/her deputy, as well as its employee who exercises control over one or several structural units)), their main and additional places of employment, telephone number, e-mail address, education, and qualification 2.5. organizational structure 2.6. development policy (bank’s strategic vision and mission statement, strategic targets) 2.7. return on share capital and the dividend policy 2.8. the size and source of investments 2.9. turnover of and yield on securities (including the type, form, state registration number, face value of investment securities, rights of owners, maturity) 2.10. public projects

2.11. information on bank’s ratings, if any (the name of the rating agency, the date of rating, bank’s current and previous rating) 2.12. information on bank’s internal committees, their objectives and composition 2.13. information on significant changes in the bank management and organizational structure 2.14. main principles of the remuneration policy 2.15. information on the external auditor, auditing the recent financial year of the bank 2.16. information on bank branches/divisions and representative offices (name, address, types of activities and contact details) 2.17. information on bank subsidiaries (name, activity directions) 2.18. information on shareholders with qualifying holding in bank capital and their participation share obtained as per the legislation on the securities market Note: Local branches of foreign banks are not subject to the requirements of Items 2.6, 2.7, 2.9, 2.12, 2.16 and 2.17. 3. Information on the structure and adequacy of bank capital 3.1. Amount of total regulatory capital 3.2. Amount and components of Tier I and II capital 3.3. Deductions from total regulatory capital 3.4. Size of risk weighted assets (per risk weight) 3.5. Bank’s actual indicators on total regulatory and Tier I capital adequacy and leverage ratios compared with the requirements set in regulations of the Central Bank.

4. Information on the management of bank risks 4.1. Credit risk 4.1.1 Sectorial and delinquency breakdown of the lending portfolio in thousand manats Sectorial breakdown of the lending portfolio Total Principal debt Current Delinquent days 1-30 days 31-60 days 61-90 days 91-120 days 121- 150 days 151- 180 days 181- 210 days 211- 240 days 241- 270 days 271- 300 days 301- 330 days 331-365 (366) days 1 year and over Lending portfolio, including -Business -Consumer -Real estate -Other loans 4.1.2 Collateral breakdown in thousand manats Sectorial breakdown of the lending portfolio Total Unsecured Secured with cash Secured with gold Secured with real estate Secured with movable property Secured with guarantee Secured with derivatives Lending portfolio, including -Business -Consumer

-Real estate -Other loans 4.1.3. the amount of overdue loans and its weight in the lending portfolio 4.1.4. total non-standard loans, their amount per sub-category and weight in the lending portfolio 4.1.5. the amount of general and special reserves for loans and their ratio to the lending portfolio 4.1.6. geographical breakdown of loans, including overdue loans 4.1.7. breakdown of loans, including overdue loans across economic sectors 4.1.8. amount of large credit debts and its ratio to total regulatory capital. 4.2. Liquidity risk in thousand manats Number of days left to maturity Instant 1 - 7 days 8-30 days 3-6 months 6- 9 months 9 months￾1 year 1-2 years 2-5 years over 5 years Total

1. Assets 1.1 Cash and equivalent 1.2 Securities 1.3 Loans to customers (net) 1.4 Loans to credit institutions and other financial institutions (net) 1.5 Short-term financial instrument 1.6 Derivative financial instruments 1.7 Bank deposits 1.8 Other financial assets 2 Liabilities 2.1 Amounts due to the Central Bank and other public institutions

2.2 Funds attracted from credit institutions and other financial institutions 2.3 Customer deposits: 2.3.1 demand deposits 2.3.2 term deposits 2.4 Subordinated liabilities 2.5 Debt securities 2.6 Other financial liabilities 3 Liquidity gap

4.3. Market risk 4.3.1. Currency risk in thousand manats Financial assets and liabilities Total AZN USD EUR Other 1 Assets 1.1 Cash and cash equivalents 1.2 Securities 1.3 Loans to customers 1.4 Loans to credit institutions and other financial institutions 1.5 Derivative financial instruments 1.6 Short-term financial instruments 1.7 Fixed assets 1.8 Other assets 2 Liabilities 2.1 Amounts due to the Central Bank and other public institutions 2.2 Funds attracted from credit institutions and other financial institutions 2.3 Deposits of customers 2.3.1 a) demand deposits 2.3.2 b) term deposits 2.4 Subordinated liabilities 2.5 Debt securities 2.6 Other liabilities in % 3 Open currency position ratio[1] 3.1 Total OCP on freely convertible currencies 3.2 Total OCP on closed currency 3.3 OCP on precious metals 3.4 Total OCP In addition to the above table, the bank should disclose the following information on the currency risk: 1.1. A list of (hedging) instruments used to prevent the currency risk, and their brief explanation 1.2. Maturity breakdown of assets and liabilities per currency (national and foreign).

4.3.2. Interest rate risk in thousand manats 1 Total assets by interest rates 1.1 0-3 months 1.2 3-6 months 1.3 6-12 months 1.4 12-24 months 1.5 24-36 months 1.6 over 36 months 2 Total interest rate sensitive liabilities 2.1 0-3 months 2.2 3-6 months 2.3 6-12 months 2.4 12-24 months 2.5 24-36 months 2.6 over 36 months 3 Gap 3.1 0-3 months 3.2 3-6 months 3.3 6-12 months 3.4 12-24 months 3.5 24-36 months 3.6 over 36 months In addition to the above table, the bank should disclose the following information on the interest rate risk: 1.1. Interest rate sensitivity classification 1.2. Classification of assets and liabilities with fixed and variable interest rates 4.4. Other risk management related information 4.1. The risk management policy of the bank 4.2. Total off-balance sheet liabilities and amount by their types.

5. Information on bank’s sustainability indicators 5.1. Qualitative sustainability information
6. Governance Note Please describe how responsibilities for managing ESG risks and opportunities are distributed within the governance structure (roles, powers, obligations, and related policies). Please provide information on the Management Board’s competencies required for managing ESG risks and opportunities. If training programs for skills development are stipulated, please specify. Please provide information on the oversight established by the Supervisory Board and its committees regarding the management of ESG risks and opportunities within the framework of the bank’s strategy, key operational decisions, and other related policies, including the frequency with which such oversight is exercised. Please provide information on the Supervisory Board’s role in setting targets related to ESG risks and the mechanism for monitoring progress toward these targets, including whether performance indicators are used for this purpose and whether such indicators are integrated into the remuneration policy Please provide information on governance processes, control mechanisms, and procedures in place at the management level for monitoring, managing, and overseeing ESG risks
7. Strategy Note Please provide information on current and anticipated impacts of ESG risks (including climate-related physical and transition risks) on the bank’s business model and risk profile, as well as the procedures for assessing the potential impact of these risks on the bank’s business lines, customer base, product portfolio, and geographical presence Please provide information on how the bank takes ESG risks into account in its strategic decision-making process, the response measures implemented to address these risks, and, if applicable, any transition plan publicly disclosed by the bank. Please indicate whether climate-related targets have been established by the bank, whether such targets have a significant impact on the bank’s business strategy and decision-making processes, as well as provide information on the integration of these targets into the strategic framework. Please provide information on current and expected impacts of ESG risks on the bank’s financial position, financial performance (revenues, expenses, access to capital, etc.), and cash flows, as well as on the assessment process.

Please provide information on products and services aligned with the bank’s sustainability targets, their management and assessment framework, and their integration into the bank’s overall strategy. 3. Risk management Note Please provide information on the ESG risks that may impact bank’s operations, classifying these risks as physical risks (floods, droughts, etc.) or transition risks (carbon taxes, technological changes, etc.), along with their likelihood of occurrence and the risk assessment process over short-, medium-, and long-term time horizons. Please provide information on internal processes and policies the bank applies to identify, assess, prioritize, and monitor ESG risks. If climate scenario-based analyses are used in the assessment of these risks, please indicate the methodology of the scenarios applied and the impact of the results on the bank’s decision-making processes. Please provide information on the integration of the processes applied by the bank to identify, assess, prioritize, and monitor ESG risks into the overall risk management framework, as well as how these processes are reflected in the bank’s risk appetite, limit setting, internal control systems, and reporting procedures. 5.2. Quantitative sustainability data

1. Sustainable loan portfolio Total (in thousand manats) Ratio to total loan portfolio (in %) Out of which NPL (in thousand manats) 1.1. Total green loans 1.1.1. Renewable energy 1.1.2. Energy efficiency 1.1.3. Sustainable water management 1.1.4. Pollution prevention 1.1.5. Green transport 1.1.6. Sustainable agriculture, farming and aquaculture 1.1.7. Biodiversity and conservation 1.1.8. Circular economy and waste management 1.1.9. Green buildings and sustainable construction 1.1.10. Green services 1.2. Total non-green sustainability￾linked loans
2. Other data

2.1. ESG-compliant loans / Total loans (%) 2.2. Loans rejected after ESG screening (% of total loans) 2.3. Bank’s Scope 1, 2, and 3 GHG emissions, MtCO₂e (million tons of carbon dioxide equivalent) Note: First, second, and third‑scope emissions in line 2.3 of Clause 5.2 of Annex 1 to these Standards mean the GHG emissions defined in accordance with the Corporate Standard of the Greenhouse Gas Protocol, developed by the World Resources Institute (WRI) and the World Business Council for Sustainable Development (WBCSD). 5.3. Loan portfolio and emissions data Loan portfolio Total (in thousand manats) NPLs (in thousand manats) NPLs/total loan portfolio (%) Financed emissions (MtCO2e) Total loan portfolio, including

1. Industry
2. Agriculture
3. Construction
4. Transport 5.Information and communication
5. Trade
6. Other non-production and service
7. Central executive power bodies and municipalities
8. Public organizations
9. Consumer loans granted to individuals for personal, family, or other purposes (if measured).
10. Other loans (if measured) [1] The open currency position should be mentioned by indicating prudential norms of the Central Bank