Recommendation Z regarding internal governance rules in banks

Financial Supervision Authority Recommendation Z regarding internal governance rules in banks Warsaw, October 2020

Recommendation Z Page 2 of 53 INTRODUCTION Recommendation Z regarding internal governance rules in banks (hereinafter referred to as Recommendation Z or the Recommendation) is issued pursuant to Article 137(1)(5) of the Act of 29 August 1997 – Banking Law (Journal of Laws of 2019, item 2357, and of 2020, items 284, 288, 321, and 1639), hereinafter referred to as the "Banking Law Act".

Recommendation Z constitutes a collection of good practices regarding internal governance rules. Internal governance includes in particular: the bank's management system, the bank's organization, operating rules, powers, duties and liabilities, as well as the mutual relationships between the supervisory board, the management board, and persons holding key functions in the bank.

In the Polish legal order, requirements for banks in this regard have been regulated, inter alia, in the Banking Law Act and in the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy, and detailed method of estimating internal capital in banks (Journal of Laws of 2017, item 637).

Selected issues in this area are also the subject of documents issued by the Financial Supervision Authority, in particular: Recommendation H regarding the internal control system in banks and "Corporate Governance Principles for Supervised Institutions", or Recommendation M regarding operational risk management in banks.

Recommendation Z complements, specifies, and develops issues regarding internal governance in banks, which have already been regulated in the aforementioned provisions and documents of the Financial Supervision Authority1. In cases where the scope of Recommendation Z overlaps with the scope of "Corporate Governance Principles for Supervised Institutions", the provisions of the Recommendation shall take precedence. In areas not regulated in the Recommendation, the "Corporate Governance Principles for Supervised Institutions" shall apply.

The provisions of Recommendation Z were prepared primarily with due regard to the guidelines of the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA): • Guidelines on internal governance (EBA/GL/2017/11) of 21 March 2018; and • Guidelines on the assessment of the suitability of members of the management body and key function holders (EBA/GL/2017/12) of 21 March 2018.

The Recommendation also takes into account selected recommendations contained in: • guidelines of the Basel Committee on Banking Supervision (BCBS): "Corporate governance principles for banks" (July 2015); • guidelines of the Organisation for Economic Co-operation and Development (OECD): "G20/OECD Principles of Corporate Governance" (September 2015); and • the document of the European Association of Co-operative Banks (EACB): "Corporate Governance in Co-operative Banks - Key Features" (2016).

The Recommendation also takes into account conclusions arising from observations and experience related to supervisory activities, including findings of inspections conducted in banks, assessment of banks' statutory solutions, and other supervisory actions.

Recommendation Z aims to disseminate good practices and counteract the adoption by banks, within the scope of the Recommendation, of incorrect practices that increase the risk of their activities, and consequently to increase the resilience of these institutions to difficult market conditions and thereby increase the stability of the financial sector.

The Recommendation provides for a proportionality-based approach. This means that its provisions should be applied by banks taking into account the scale, complexity, and nature of their activities (i.e., such factors as, for example, the legal form in which the bank operates, the size of its activities, the types of risks associated with the conducted activities, internal organization, ownership structure, geographical area of activity, or the stage of corporate development). This applies in particular to cooperative banks and affiliated banks that are participants in protection systems, as referred to in the Act of 7 December 2000 on the functioning of cooperative banks, their affiliation, and affiliated banks (consolidated text: Journal of Laws of 2020, item 449, with later amendments), as well as to the issue of ensuring proper internal governance throughout the group (Recommendation 1.4), with respect to entities forming part of the bank's capital group (e.g., as a result of debt-to-equity conversion within recovery actions or due to the specificity or business model of the group), which do not provide financial services to which the standards of internal governance resulting from Recommendation Z might be impossible or unjustified to apply.

In the case of a cooperative bank or an affiliated bank that is a participant in the protection system referred to in the Act of 7 December 2000 on the functioning of cooperative banks, their affiliation, and affiliated banks, the tasks referred to in the Recommendations should be performed based on the guidelines of the entity managing that protection system.

Cooperative banks and affiliated banks that are participants in the protection system should transmit to the Financial Supervision Authority – through the entities managing the protection system – information on the manner of taking into account the principle of proportionality, along with appropriate justification demonstrating its proportionality, rationality, and appropriateness, in accordance with the "comply or explain" rule.

Provisions of the Recommendation relating to banks that are dominant entities in a group should be understood as directed to entities at the highest, national level of consolidation.

The Financial Supervision Authority emphasizes that, in addition to the Recommendation, banks should also apply the provisions of other Financial Supervision Authority Recommendations in the scope relating to issues that are the subject of this document, according to the rules specified therein, as well as other recognized national and international codes or standards regarding internal governance rules2. In such a case, however, to avoid ambiguity regarding the adopted rules of conduct, the bank should clearly disclose, inter alia, which documents it follows in its activities and to what extent.

The Financial Supervision Authority expects that Recommendation Z will be implemented in banks no later than 1 January 2022.

1 In the Recommendation, the manner in which issues in the discussed area have been regulated within the implementation of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ EU L 176 of 27.6.2013, p. 338, with later amendments) (so-called CRD Directive) into the Polish legal order was taken into account – in the Act of 29 August 1997 – Banking Law and in the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy, and detailed method of estimating internal capital in banks issued on its basis, including inter alia: subjecting members of the supervisory board and management board of the bank to the requirement of possessing knowledge, skills, and experience appropriate to the functions performed and duties entrusted, and providing guarantees of due performance of these duties, division of competences in the management, and introduction of a three-level structure of the risk management system and internal control system operating in the bank.

2 E.g., "Good Practices of Companies Listed on the Warsaw Stock Exchange 2016" prepared by Warsaw Stock Exchange S.A.

Recommendation Z Page 3 of 53

Glossary of Used Terms

1. Risk appetite – the current and future willingness of the bank to take on risk.
2. Significant bank – a bank as referred to in Article 4(1)(35) of the Banking Law Act.
3. CRD Directive – Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ EU L 176 of 27.6.2013, p. 338, with later amendments).
4. Business activity – the area of activity within which the subject matter of the bank's activity, constituting a potential source of revenue, profit, or value for the bank, is directly realized, e.g., granting loans, accepting deposits, operating bank accounts and monetary settlements, etc.
5. Group – a group of entities consisting of a dominant entity, dependent entities, and entities in which close links exist, as referred to in Article 4(1)(15)(a) of the Banking Law Act.
6. Business unit – an organizational unit or department whose primary task is to conduct business activity.
7. Organizational unit – a fundamental element of the organizational structure, separated due to functions in the organization or according to other criteria (e.g., geographical or product-based); organizational units include, for example: headquarters, branches, regions, brokerage office; organizational units may also be separated within the organizational structure of higher-level organizational units – e.g., sub-branches within branches, cash points, agencies, within branches or sub-branches.
8. Key functions in the bank – organizational positions identified, in accordance with Article 22aa(10) of the Banking Law Act, based on the bank's appropriate policies, other than the functions of members of the supervisory board and management board, with which is associated a scope of duties, powers, and liabilities enabling significant influence on the management of the bank, e.g., director of a significant business line, director of a significant branch in another Member State, chief accountant, head of the internal audit unit, head of the compliance unit, director of the credit risk department; when determining key functions in the bank, one should take into account positions identified based on Commission Delegated Regulation (EU) No 604/2014 of 4 March 2014 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards for qualitative criteria and appropriate quantitative criteria for determining categories of employees whose professional activities have a material impact on the risk profile of the institution (OJ EU L 167 of 06.06.2014, p. 30, with later amendments); the category "key functions in the bank" within the meaning of Recommendation Z is identical to the category "persons holding key functions" referred to in the Guidelines on the assessment of the suitability of members of the management body and persons holding key functions (EBA/GL/2017/12) of 21 March 2018.

Recommendation Z Page 4 of 53

9. Risk management unit – the organizational unit (or units) responsible for risk management at the second level, within the scope referred to in § 3(1) of the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy, and detailed method of estimating internal capital in banks.
10. Organizational department – a single- or multi-person element of the organizational structure separated within an organizational unit to perform specific tasks, including projects; organizational departments include, for example: department, office, team, project team, section, single-person workstation, etc.; organizational departments may be part of higher-level organizational departments – e.g., divisions within a department, sections within divisions.
11. Dominant entity – a dominant entity within the meaning of Article 4(1)(8) of the Banking Law Act.
12. Dependent entity – a dependent entity within the meaning of Article 4(1)(9) of the Banking Law Act.
13. Related entities – entities in which close links exist, as referred to in Article 4(1)(15) of the Banking Law Act, and capital- or organizationally related entities, as referred to in Article 4(1)(16) of the Banking Law Act.
14. CRR Regulation – Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, amending Regulation (EU) No 648/2012 (OJ EU L 176 of 27.6.2013, p. 1, with later amendments).
15. Organizational position – a basic element of the organizational structure of a bank, organizational unit, or organizational department, separated to perform specific tasks by one person; managerial positions (e.g., president, vice-president, board member), managerial positions (e.g., director, head, manager), and executive positions – subordinate to managerial or executive positions and not performing managerial functions – can be distinguished.

Recommendation Z Page 5 of 53

16. Management system, internal control system, and risk management system – should be understood in accordance with the Banking Law Act.
17. Management levels3 – a three-level method of organizing the risk management system and internal control system operating in the bank, specified in the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy, and detailed method of estimating internal capital in banks.

3 The classification adopted in accordance with the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy, and detailed method of estimating internal capital in banks. In Recommendation H regarding internal control in banks, the term "lines of defense" was used to designate this category.

Recommendation Z Page 6 of 53

LIST OF RECOMMENDATIONS A. GENERAL RULES OF INTERNAL GOVERNANCE IN THE BANK Recommendation 1 The bank shall have an internal governance system that is compliant with legal provisions, transparent, and effective, specified in the bank's articles of association and in the bank's adopted hierarchical system of internal regulations (strategy, policies, procedures, instructions, etc.). Internal governance includes in particular: the bank's management system, the bank's organization, operating rules, powers, duties and liabilities, as well as the mutual relationships between the supervisory board, the management board, and persons holding key functions in the bank.

Recommendation 2 The organization of the bank should contribute to ensuring effective and prudent management of the bank, both on an individual basis and at the group level.

B. OPERATING RULES, POWERS, DUTIES, LIABILITY, MUTUAL RELATIONSHIPS OF THE SUPERVISORY BOARD AND MANAGEMENT BOARD, AND SUITABILITY OF MEMBERS OF THESE BODIES AND PERSONS HOLDING KEY FUNCTIONS IN THE BANK

1. Responsibility of the management board and supervisory board Recommendation 3 The management board of the bank is responsible for designing, implementing, and operating the management system in the bank, in particular for consciously making and implementing decisions regarding matters essential for the functioning of the bank, selecting goals, methods, and means of action, including the organization of the bank and its activities, directing current activities, planning, and controlling achieved results. The supervisory board bears responsibility for effective exercise of continuous supervision over all areas of the bank's activity, including the implementation of the management system in the bank and the assessment of the adequacy and effectiveness of this system. The bank is obliged to provide the supervisory board with access to information, resources, and support necessary for the supervisory board to perform its tasks.

2. Functions of the supervisory board and management board Recommendation 4 The tasks of the supervisory board and management board of the bank should be coordinated with each other in a manner ensuring the effective operation of these bodies in the interest of implementing the bank's management strategy and risk management strategy.

3. Composition, appointment, and dismissal of members of the supervisory board and management board Recommendation 5 The bank should ensure an appropriate composition of the supervisory board and management board and have an internal regulation approved by the respective general meeting (meeting of representatives4) or supervisory board, relating to the appointment and dismissal of members of these bodies.

4. Identifying key functions in the bank and appointing and dismissing persons holding these functions Recommendation 6 The management board of the bank should develop and implement, in written form and approved by the supervisory board, a policy for identifying key functions in the bank and appointing and dismissing persons holding these functions.

5. Suitability and assessment of suitability of members of the supervisory board and management board and persons holding key functions in the bank Recommendation 7 Members of the supervisory board and management board and persons holding key functions in the bank should always meet the condition of suitability, i.e., possess the knowledge, skills, and experience necessary to perform the functions or positions and duties entrusted to them and provide guarantees of due performance of these duties5.

6. Engagement, independence, and management of conflicts of interest in the supervisory board and management board Recommendation 8 Each member of the supervisory board and management board of the bank should perform duties actively, with due care and engagement. They should make assessments based on their own, independent judgment and objective, substantive arguments and make decisions in accordance with these assessments. Members of the supervisory board and management board and persons holding key functions in the bank should thoroughly

4 In cooperative banks where the general meeting is replaced by a meeting of representatives. 5 In addition to these recommendations regarding qualifications and assessment of qualifications of members of the supervisory board and management board and persons holding key functions in the bank, banks should apply appropriate guidelines of the European Banking Authority in this regard.

Recommendation Z Page 7 of 53

understand the applicable management rules in the bank and their role.

7. Organizational functioning of the supervisory board and management board Recommendation 9 In areas not specified by legal provisions and the bank's articles of association, the supervisory board and management board of the bank perform their tasks based on written regulations.

Given the responsibility of the general meeting (meeting of representatives) for supervising the performance of tasks by the supervisory board, if the regulation of the supervisory board is not adopted by the general meeting (meeting of representatives) but by the supervisory board, the general meeting (meeting of representatives), according to the solution adopted in the bank, is informed about the adopted regulation or approves it.

It is recommended that the regulation of the management board be adopted or approved by the supervisory board. If the regulation of the management board is not adopted or approved by the supervisory board, then the management board should inform the supervisory board about its adoption or approval.

Recommendation 10 Regardless of requirements established in legal provisions, the supervisory board, taking into account the scope and degree of complexity of the bank's activity and the need to support the supervisory board in performing specific functions, should consider establishing specialized committees appointed to perform these functions.

Recommendation 11 Within the committees established by the supervisory board, referred to in Recommendation 10, a bank other than a significant bank may in particular establish a risk committee and a nominations committee, operating based on regulations approved by the supervisory board, specifying in particular the composition, frequency of meetings, and scope of action.

C. STANDARDS OF CONDUCT OF THE BANK AND CONFLICTS OF INTEREST AT THE BANK LEVEL 8. Standards of conduct of the bank Recommendation 12 The bank should have written rules of ethics, adopted by the management board and approved by the supervisory board, specifying norms and ethical standards of conduct for members of bodies and employees of the bank, as well as for other persons through whom the bank conducts its activity.

9. Conflicts of interest at the bank level Recommendation 13 The management board of the bank should develop, approve, and implement, in written form and approved by the supervisory board, an effective policy for managing conflicts of interest6. Management of conflicts of interest should be carried out based on appropriate, approved rules.

6 A conflict of interest may arise as a result of the bank's involvement in activities in different areas and roles (e.g., when the bank grants a loan or credit to a company whose shares are simultaneously the subject of transactions concluded by this bank) or between stakeholders of the bank or its clients, and members of the supervisory board, management board, or persons holding key functions (e.g., when the bank establishes business relations with an entity in which one of the members of the supervisory board or management board of the bank is financially involved). A conflict of interest arises in particular in the situation when an employee of the bank is a member of the supervisory board of the bank. A conflict of interest may also arise in the situation when persons related by family ties are on the management board of the bank. A conflict of interest may also appear when the bank belongs to a group. In such a case, the relationship of subordination and information flow between the bank, its dominant entity and/or other dependent entities, may lead to the emergence of similar conflicts of interest as described above (e.g., access to reserved, confidential, or otherwise sensitive information originating from different entities of the group or pressure to conduct business activities on non-market terms).

Recommendation Z Page 8 of 53

D. POLICY ON OUTSOURCING ACTIVITIES, REMUNERATION RULES IN THE BANK, AND DIVIDEND POLICY 10. Policy on outsourcing activities Recommendation 14 Responsibility for proper management of risks associated with outsourced activities, including activities referred to in Articles 5 and 6 of the Banking Law Act, the performance of which has been entrusted to external entities based on Articles 6a-6d of the Banking Law Act, lies with the management board of the bank.

11. Remuneration rules in the bank Recommendation 15 The management board of the bank should develop and implement, in written form and approved by the supervisory board, remuneration rules in the bank7. Remuneration rules in the bank should be understandable and transparent.

7 These rules should in particular take into account provisions specified in Articles 9ca-9f of the Banking Law Act and EBA guidelines on proper remuneration policy, referred to in Article 74(3) and Article 75(2) of Directive 2013/36/EU, and information disclosure in accordance with Article 450 of Regulation (EU) No 575/2013 (EBA/GL/2017/13).

Recommendation Z Page 9 of 53

12. Dividend policy Recommendation 16 The management board of the bank should develop and implement, in written form and approved by the supervisory board, a dividend policy.

13. Policy on outsourcing activities Recommendation 17 The management board of the bank should ensure that the bank has a policy on outsourcing activities, which defines the scope of activities that may be outsourced, the criteria for selecting service providers, and the procedures for monitoring outsourced activities.

14. Risk management system Recommendation 18 The bank should have a risk management system that ensures the identification, measurement, monitoring, and control of all material risks to which the bank is or may be exposed.

15. Internal control system Recommendation 19 The bank should have an internal control system that ensures the reliability of financial reporting, compliance with laws and regulations, and the effectiveness and efficiency of operations.

16. Internal audit Recommendation 20 The bank should have an internal audit function that is independent and objective, providing assurance to the supervisory board and management board regarding the effectiveness of risk management, internal control, and governance processes.

17. Compliance function Recommendation 21 The bank should have a compliance function responsible for monitoring compliance with laws, regulations, and internal policies.

18. Remuneration policy Recommendation 22 The remuneration policy of the bank should be consistent with and promote sound and effective risk management and should not encourage risk-taking beyond the level of effective risk management. The policy should include provisions on the deferral of variable remuneration, the proportion of fixed and variable remuneration, and the application of malus and clawback mechanisms.

19. Dividend policy Recommendation 23 The dividend policy of the bank should be consistent with its capital position and risk profile and should be approved by the supervisory board.

20. Outsourcing policy Recommendation 24 The outsourcing policy of the bank should ensure that the bank remains able to fulfill its regulatory obligations and that the service provider performs the outsourced activities in accordance with applicable laws and regulations.

21. Risk appetite statement Recommendation 25 The bank should have a risk appetite statement that defines the level and types of risk the bank is willing to take in order to achieve its strategic objectives.

22. Stress testing Recommendation 26 The bank should conduct regular stress tests to assess its resilience to adverse scenarios.

23. Business continuity planning Recommendation 27 The bank should have a business continuity plan that ensures the continuity of critical operations in the event of a disruption.

24. Data governance Recommendation 28 The bank should have a data governance framework that ensures the quality, integrity, and security of data.

25. IT risk management Recommendation 29 The bank should have an IT risk management framework that ensures the security and resilience of its IT systems.

26. Cybersecurity Recommendation 30 The bank should have a cybersecurity policy that protects its IT systems and data from cyber threats.

27. Anti-money laundering and counter-terrorist financing Recommendation 31 The bank should have policies and procedures to prevent and detect money laundering and terrorist financing.

28. Sanctions compliance Recommendation 32 The bank should have policies and procedures to ensure compliance with applicable sanctions.

29. Consumer protection Recommendation 33 The bank should have policies and procedures to ensure fair treatment of customers and protection of consumer rights.

30. Environmental, social, and governance (ESG) factors Recommendation 34 The bank should consider ESG factors in its risk management and decision-making processes.

31. Climate risk Recommendation 35 The bank should assess and manage climate-related risks.

32. Digital transformation Recommendation 36 The bank should have a strategy for digital transformation that aligns with its overall business strategy and risk appetite.

33. Innovation Recommendation 37 The bank should foster innovation while managing associated risks.

34. Talent management Recommendation 38 The bank should have a talent management strategy to attract, develop, and retain skilled employees.

35. Diversity and inclusion Recommendation 39 The bank should promote diversity and inclusion in its workforce and governance bodies.

36. Corporate social responsibility Recommendation 40 The bank should engage in corporate social responsibility activities that align with its values and strategic objectives.

37. Stakeholder engagement Recommendation 41 The bank should engage with stakeholders to understand their expectations and concerns.

38. Transparency and disclosure Recommendation 42 The bank should provide transparent and timely disclosure of material information to stakeholders.

39. Ethics and integrity Recommendation 43 The bank should promote a culture of ethics and integrity throughout the organization.

40. Whistleblowing Recommendation 44 The bank should have a whistleblowing policy that protects whistleblowers and ensures the investigation of reported issues.

41. Board evaluation Recommendation 45 The bank should conduct regular evaluations of the performance of the supervisory board and management board.

42. Succession planning Recommendation 46 The bank should have a succession planning process for key positions.

43. Training and development Recommendation 47 The bank should provide regular training and development opportunities for employees.

44. Performance management Recommendation 48 The bank should have a performance management system that aligns employee performance with strategic objectives.

45. Remuneration alignment Recommendation 49 The bank should align remuneration with long-term performance and risk management.

46. Shareholder rights Recommendation 50 The bank should respect and facilitate the exercise of shareholder rights.

47. Related party transactions Recommendation 51 The bank should have policies and procedures to manage related party transactions and prevent conflicts of interest.

48. Capital management Recommendation 52 The bank should have a capital management policy that ensures adequate capital levels.

49. Liquidity management Recommendation 53 The bank should have a liquidity management policy that ensures adequate liquidity levels.

Recommendation Z Page 10 of 53

12. Dividend policy Recommendation 16 The management board of the bank should develop and implement, in written form and approved by the supervisory board, a dividend policy.

13. Policy on outsourcing activities Recommendation 17 The management board of the bank should ensure that the bank has a policy on outsourcing activities, which defines the scope of activities that may be outsourced, the criteria for selecting service providers, and the procedures for monitoring outsourced activities.

14. Risk management system Recommendation 18 The bank should have a risk management system that ensures the identification, measurement, monitoring, and control of all material risks to which the bank is or may be exposed.

15. Internal control system Recommendation 19 The bank should have an internal control system that ensures the reliability of financial reporting, compliance with laws and regulations, and the effectiveness and efficiency of operations.

16. Internal audit Recommendation 20 The bank should have an internal audit function that is independent and objective, providing assurance to the supervisory board and management board regarding the effectiveness of risk management, internal control, and governance processes.

17. Compliance function Recommendation 21 The bank should have a compliance function responsible for monitoring compliance with laws, regulations, and internal policies.

18. Remuneration policy Recommendation 22 The remuneration policy of the bank should be consistent with and promote sound and effective risk management and should not encourage risk-taking beyond the level of effective risk management. The policy should include provisions on the deferral of variable remuneration, the proportion of fixed and variable remuneration, and the application of malus and clawback mechanisms.

19. Dividend policy Recommendation 23 The dividend policy of the bank should be consistent with its capital position and risk profile and should be approved by the supervisory board.

20. Outsourcing policy Recommendation 24 The outsourcing policy of the bank should ensure that the bank remains able to fulfill its regulatory obligations and that the service provider performs the outsourced activities in accordance with applicable laws and regulations.

21. Risk appetite statement Recommendation 25 The bank should have a risk appetite statement that defines the level and types of risk the bank is willing to take in order to achieve its strategic objectives.

22. Stress testing Recommendation 26 The bank should conduct regular stress tests to assess its resilience to adverse scenarios.

23. Business continuity planning Recommendation 27 The bank should have a business continuity plan that ensures the continuity of critical operations in the event of a disruption.

24. Data governance Recommendation 28 The bank should have a data governance framework that ensures the quality, integrity, and security of data.

25. IT risk management Recommendation 29 The bank should have an IT risk management framework that ensures the security and resilience of its IT systems.

26. Cybersecurity Recommendation 30 The bank should have a cybersecurity policy that protects its IT systems and data from cyber threats.

27. Anti-money laundering and counter-terrorist financing Recommendation 31 The bank should have policies and procedures to prevent and detect money laundering and terrorist financing.

28. Sanctions compliance Recommendation 32 The bank should have policies and procedures to ensure compliance with applicable sanctions.

29. Consumer protection Recommendation 33 The bank should have policies and procedures to ensure fair treatment of customers and protection of consumer rights.

30. Environmental, social, and governance (ESG) factors Recommendation 34 The bank should consider ESG factors in its risk management and decision-making processes.

31. Climate risk Recommendation 35 The bank should assess and manage climate-related risks.

32. Digital transformation Recommendation 36 The bank should have a strategy for digital transformation that aligns with its overall business strategy and risk appetite.

33. Innovation Recommendation 37 The bank should foster innovation while managing associated risks.

34. Talent management Recommendation 38 The bank should have a talent management strategy to attract, develop, and retain skilled employees.

35. Diversity and inclusion Recommendation 39 The bank should promote diversity and inclusion in its workforce and governance bodies.

36. Corporate social responsibility Recommendation 40 The bank should engage in corporate social responsibility activities that align with its values and strategic objectives.

37. Stakeholder engagement Recommendation 41 The bank should engage with stakeholders to understand their expectations and concerns.

38. Transparency and disclosure Recommendation 42 The bank should provide transparent and timely disclosure of material information to stakeholders.

39. Ethics and integrity Recommendation 43 The bank should promote a culture of ethics and integrity throughout the organization.

40. Whistleblowing Recommendation 44 The bank should have a whistleblowing policy that protects whistleblowers and ensures the investigation of reported issues.

41. Board evaluation Recommendation 45 The bank should conduct regular evaluations of the performance of the supervisory board and management board.

42. Succession planning Recommendation 46 The bank should have a succession planning process for key positions.

43. Training and development Recommendation 47 The bank should provide regular training and development opportunities for employees.

44. Performance management Recommendation 48 The bank should have a performance management system that aligns employee performance with strategic objectives.

45. Remuneration alignment Recommendation 49 The bank should align remuneration with long-term performance and risk management.

46. Shareholder rights Recommendation 50 The bank should respect and facilitate the exercise of shareholder rights.

47. Related party transactions Recommendation 51 The bank should have policies and procedures to manage related party transactions and prevent conflicts of interest.

48. Capital management Recommendation 52 The bank should have a capital management policy that ensures adequate capital levels.

49. Liquidity management Recommendation 53 The bank should have a liquidity management policy that ensures adequate liquidity levels.