Agreement No. 007-2011 Establishing Operational Risk Management Standards

Republic of Panama Banking Superintendence AGREEMENT No. 007-2011 (December 20, 2011) "Establishing Standards on Operational Risk"

THE BOARD OF DIRECTORS

In exercise of its legal powers, and

CONSIDERING:

That following the issuance of Decree-Law 2 of February 22, 2008, the Executive Branch prepared a systematic ordering in the form of a single text of Decree-Law 9 of 1998 and all its modifications, which was approved by Executive Decree 52 of April 30, 2008, hereinafter referred to as the Banking Law;

That in accordance with what is established in numeral 1 of Article 5 of the Banking Law, it is the objective of the Superintendence to ensure the solidity and efficiency of the banking system;

That in accordance with Article 6 of the Banking Law, it is the function of the Banking Superintendence to ensure that banks maintain appropriate solvency and liquidity coefficients to meet their obligations;

That in accordance with the technical power established in Article 11, Literal I, numeral 5 of the Banking Law, it corresponds to the Board of Directors to fix, within the administrative scope, the interpretation and scope of legal or regulatory provisions on banking matters;

That in accordance with the technical power established in Article 11, Literal I, numeral 3 of the Banking Law, it corresponds to the Board of Directors to approve the general criteria for the classification of risk assets and the guidelines for the constitution of reserves to cover risks;

That in accordance with what is established in Article 72 of the Banking Law, regarding the valuation of other risks, it is established that for the determination of the capital adequacy index, the Superintendence may take into account the existence of other risks, such as market risk, operational risk, and country risk;

That in accordance with what is established in Article 16, Literal I, numeral 22, it is an attribute of the Superintendent to evaluate the financial indicators of banks and banking groups that allow for the follow-up of main banking risks, such as capital adequacy, credit, liquidity, operational, market, and others that the Superintendence deems convenient.

That Principle No. 7 for effective banking supervision of the Basel Committee establishes that banks must have an integral risk management process, which includes oversight by the board of directors and senior management, to identify, evaluate, monitor, and control or mitigate all substantial risks and evaluate their overall capital sufficiency with respect to their risk profile;

That banking entities, according to their characteristics, operations, and products offered, assume operational risks, for which reason, within their risk management process, they must evaluate this risk;

That in working sessions of this Board of Directors, the need and convenience of elaborating a standard that establishes the general framework for operational risk management has been made evident.

AGREES:

OPERATIONAL RISK MANAGEMENT STANDARD

CHAPTER I GENERAL CONSIDERATIONS

ARTICLE 1.- OBJECTIVE AND CRITERIA. This Agreement establishes the principles, general criteria, and minimum parameters that banks must observe in the design, development, and application of their operational risk management, which must include identification, measurement, mitigation, monitoring, and control, and reporting.

ARTICLE 2.- SCOPE OF APPLICATION. The provisions of this Agreement are applicable to:

1. Official banks.
2. General license banks.
3. International license banks of which the Banking Superintendence exercises origin supervision.

In the case of international license banks of which the Superintendence exercises destination supervision, these must establish through their internal mechanisms an adequate operational risk management, which will be subject to review by this Superintendence. Notwithstanding the foregoing, the Superintendent may require the local management, when deemed convenient, the operational risk management requirements established in this Agreement.

ARTICLE 3.- DEFINITIONS AND TERMS. For the purpose of applying the provisions contained in this Agreement, the following shall be understood:

1. Board of Directors. The body responsible for the direction and control of the bank, which safeguards the achievement of the best interests of the entity without participating for any reason in the direct management of the bank's business activities.

2. Senior Management or Top Management: Is the highest executive authority (called general manager, executive vice president, executive president, or any other denomination), as well as the second highest-ranking executive (called deputy general manager, or any other denomination) and other managers and collaborators who perform key functions that must report directly to the aforementioned.

3. Integral Risk Management. Is the process by which the bank identifies, measures, monitors, controls, mitigates, and reports to the operational areas within the bank, the different types of risk to which it is exposed according to the size and complexity of its operations, products, and services.

4. Operational Risk: Is the possibility of incurring losses due to deficiencies, failures, or inadequacies of human resources, processes, technology, infrastructure, or by the occurrence of external events. This definition includes the legal risk associated with such factors.

5. Legal Risk: Is the possibility of incurring losses as a result of non-compliance with norms, regulations, or procedures with possible legal consequences, as well as by effect of contractual stipulations. Legal risk also arises from malicious, negligent, or involuntary actions that affect the formalization, effectiveness, or execution of contracts or transactions.

6. Operational Risk Event: Is a potential event or series of events, of internal or external origin, that if they occur could cause financial losses to the bank.

7. Operational Risk Incident. Is an event or series of events that have occurred, of internal or external origin, that could cause financial losses to the bank.

8. Operational Risk Factor. Is the primary cause or origin of an operational risk event. Factors can be internal (human resources, processes, technology, and infrastructure, over which the organization can have direct control) and external (events whose causes and origin escape the control of the organization).

9. Process. Is the set of activities that transform inputs into products or services with value for the user, whether internal or external.

10. Business Line. Is a specialization of the business that groups processes aimed at generating specialized products and services to serve a segment of the target market.

CHAPTER II APPROPRIATE ENVIRONMENT FOR OPERATIONAL RISK MANAGEMENT

ARTICLE 4.- ORGANIZATION. Banks, in accordance with the complexity of their operations and their risk profile, must have an organizational structure that promotes the adequate administration of operational risk. They must also clearly define responsibilities and the degree of dependence and interrelation among the different areas of the bank.

As established in the Integral Risk Management Agreement, the organizational structure must incorporate a risk management unit, which must be independent. This unit must have within its functions the management of operational risk.

Likewise, the risk committee must ensure adequate operational risk management.

ARTICLE 5.- MANAGEMENT STRATEGY. Banks must define the strategy to manage operational risk. To this end, they must establish a methodology that allows for the identification, measurement, mitigation, monitoring, and control, and reporting of said risk.

Considering that all areas of the bank generate potential operational risk events, the strategy must have the support of the board of directors and involve all personnel.

The strategy used must be updated periodically based on risk tolerance and changes in the market and economic environment that could affect the bank's operations. Furthermore, it is important that the strategy defines or identifies adequate resources in terms of trained personnel, processes, information systems, and all the necessary environment for operational risk management.

ARTICLE 6.- POLICIES. Banks shall design operational risk policies, which must include at least the following:

1. The functions and responsibilities of the board of directors, senior management, risk committee, and the risk management unit.
2. The manner and periodicity with which the board of directors and senior management must be informed, among others, about the bank's exposure to operational risk and of each business unit.
3. The acceptable risk level by the bank, based on frequency and severity.
4. The process that must be followed for the approval of proposals for new operations, products, and services, among other aspects.
5. The operational risk indicators defined by the bank.

CHAPTER III OPERATIONAL RISK MANAGEMENT

ARTICLE 7.- FACTORS OR CATEGORIES OF OPERATIONAL RISK. Banks shall consider the following operational risk factors:

1. Human Resources. Banks must manage human capital adequately and appropriately identify failures or deficiencies associated with the "people" factor, such as: lack of adequate staff, negligence, human error, sabotage, fraud, theft, appropriation of sensitive information, nepotism, inappropriate interpersonal relationships, and unfavorable work environment, lack of clear specifications in personnel hiring terms, among others.

2. Internal Processes. In order to guarantee the optimization of resources and the standardization of activities, banks must have documented, defined, and permanently updated processes.

Banks must appropriately manage risks associated with processes that allow the performance of their operations and services, given that their inadequate design can result in deficient operation development.

3. Technology. Banks must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; that avoids business interruptions, and that ensures that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.

In addition to the above, they must comply with the requirements established in the norms on this matter issued by the Banking Superintendence.

4. External Events. Banks must manage the risks of losses derived from the occurrence of events outside the control of the institution that could alter the development of their activities. Risks involving legal contingencies, failures in public services, the occurrence of natural disasters, attacks, and criminal acts, as well as failures in critical services provided by third parties, must be taken into consideration.

ARTICLE 8.- MANAGEMENT. The operational risk management process comprises the stages of identifying, measuring, mitigating, monitoring, and controlling, and reporting on operational risk events.

ARTICLE 9.- IDENTIFICATION. As part of operational risk management, the bank must identify operational risk events or incidents by grouping them as follows:

1. Internal Fraud. Losses derived from any type of action in which bank employees are involved, aimed at defrauding, improperly appropriating assets, or violating regulations, laws, or internal policies.

2. External Fraud. Losses derived from any type of action by a third party aimed at defrauding, improperly appropriating an asset, or violating legislation.

3. Labor Relations and Workplace Safety. Losses derived from actions incompatible with legislation or labor agreements, with safety and hygiene at work, with the payment of claims for personal damages, or with cases related to discrimination as well as violation of the code of ethics.

4. Practices Related to Clients, Products, and Business. Losses caused by the failure to meet an obligation towards clients or derived from the nature and design of a product or service. Additionally, practices related to clients include abuse of trust, abuse of confidential client information, fraudulent negotiation in bank accounts, money laundering, and sale of unauthorized products.

5. Damage to Physical Assets. Losses derived from damage or harm to material assets as a consequence of natural disasters or other events.

6. Business Interruption due to Information Technology Failures. Losses derived from interruptions in business and failures in systems.

7. Deficiency in Execution, Delivery, and Process Management. Losses derived from errors in the processing of operations or in the management of processes, as well as from relationships with counterparties (suppliers, clients, depositors, etc.).

The identification of operational risk events or incidents must be grouped by risk types, in accordance with what is established in Annex 1. Likewise, it is convenient that the identification of loss events can be additionally grouped according to the business lines that the bank maintains, as expanded in Annex 2.

ARTICLE 10.- MEASUREMENT. As part of operational risk management, the bank must evaluate operational risk events and incidents. This implies measuring potential losses in terms of probability of occurrence (frequency) and impact (severity).

The evaluation or measurement of operational risk events and incidents is important for the bank because based on this, coverage mechanisms such as capital requirements can be established. Additionally, it is important because based on said evaluation or measurement, mitigation measures must be established to seek to minimize losses.

ARTICLE 11.- MITIGATION. As part of operational risk management, once operational risk events and incidents and failures or vulnerabilities related to the factors of this risk and their incidence for the institution are identified, senior management must decide whether the risk should be assumed, shared, avoided, or transferred, reducing its consequences and effects.

Likewise, senior management will have a clear vision of the different types of exposure to operational risk and their priority, in order to take decisions and actions. These can be, among others: review strategies and policies; update or modify established processes and procedures; implement or modify risk limits; constitute, increase, or modify controls; implement contingency plans; review terms of contracted insurance policies; hire services provided by third parties; or others, as appropriate.

Senior management must establish an action plan to implement measures that seek to mitigate identified risk events. This plan must detail the actions to be implemented, the estimated execution time, and the direct responsible parties for said execution.

ARTICLE 12.- MONITORING AND CONTROL. As part of operational risk management, the bank must carry out monitoring to ensure that all actions implemented to mitigate a risk event are fulfilled within the established deadlines and that the implemented measures have effectively contributed to reducing the risk for the particular event and for the entire institution in general.

ARTICLE 13.- REPORTING. As part of operational risk management, the bank must ensure that the board of directors and senior management receive timely information on all risk management being carried out and on the level of operational risk to which the bank is exposed.

This stage also involves that operational areas receive periodic information regarding events and incidents so that they take action regarding them.

ARTICLE 14.- METHODOLOGY. Banks will establish, based on their risk profile and complexity of their operations, a methodology that incorporates all stages of operational risk management and that meets the following requirements:

1. Be duly documented.
2. Be implemented in all areas of the bank.
3. Allow for continuous improvement of operational risk management.
4. Be integrated into all risk management processes of the institution.
5. Establish procedures that ensure compliance.
6. Be approved by the risk committee.

ARTICLE 15.- MANAGEMENT MANUAL. Banks will have an operational risk management manual that groups the management policies for this risk, the functions and responsibilities of the involved areas, the methodology, and the periodicity with which the board of directors and senior management must be informed about exposure to operational risk.

Given that all bank employees participate in operational risk management, it is recommended that the operational risk management manual be available to them through the dissemination mechanism the bank deems convenient.

Banks must submit to the Superintendence, no later than January 1, 2013, the operational risk management manual mentioned in this article. Likewise, they must promptly submit any updates or changes made to it.

CHAPTER IV RESPONSIBILITIES

ARTICLE 16.- OF THE BOARD OF DIRECTORS. The bank's board of directors is responsible for ensuring an adequate environment for operational risk management, as well as for fostering an internal environment that facilitates its development. Among its specific responsibilities are:

1. Approve the operational risk management policy, which also comprises the corresponding methodology.
2. Approve the necessary resources for the adequate development of operational risk management, in order to have appropriate infrastructure, methodology, and personnel.
3. Monitor that the risk committee fulfills the functions assigned to it regarding operational risk labor.
4. Require senior management to evaluate, periodic reports on exposure levels to operational risk, its implications, and relevant activities for its mitigation and/or adequate administration.
5. Know the main operational risks assumed by the bank, and ensure effective management and adequate criteria that allow establishing the level of risk tolerance regarding consequences and effects.
6. Ensure that the bank has effective operational risk management and that it is within the established tolerance limit.

ARTICLE 17.- OF THE RISK COMMITTEE. The risk committee established in accordance with the Integral Risk Management Agreement issued by this Superintendence is in charge of ensuring sound management of the bank's risks and will perform at least the following functions:

1. Consider and propose for approval by the Board of Directors the operational risk management methodology.
2. Evaluate, review, and propose for approval by the Board of Directors the operational risk management policies.
3. Ensure that an adequate operational risk management process is maintained and keep the board of directors informed about its effectiveness.
4. Supervise that operational risks are effectively and consistently identified, measured, mitigated, monitored, and controlled.
5. Propose mechanisms for the implementation of corrective actions required in case of deviations with respect to the operational risk tolerance level.
6. Support the work of the risk management unit in the implementation of operational risk management.

ARTICLE 18.- OF SENIOR MANAGEMENT. Senior management is in charge of implementing risk management as approved by the board of directors, and its responsibilities include the following:

1. Create and foster an organizational culture of operational risk management and establish adequate internal control practices, including standards of conduct, integrity, and ethics for all employees.
2. Administer the operational risk management process and ensure its integrity according to the guidelines established by the board of directors.
3. Provide the necessary resources to allow the implementation of operational risk management.
4. Ensure that the strategies and objectives of operational risk management are met.

ARTICLE 19.- OF THE RISK MANAGEMENT UNIT. In accordance with what is established in the Integral Risk Management Agreement, the risk management unit has within its functions to manage operational risk. In addition to the responsibilities established in the cited Agreement, it must:

1. Design and submit for approval by the board of directors, through the risk committee, the policies for operational risk management.
2. Design and submit for approval by the risk committee, the methodology for operational risk management.
3. Present to the board of directors through the risk committee the ideal structure for operational risk management, designating the responsible persons or coordinators of the different functional units for operational risk management activities.
4. Implement the operational risk management methodology.
5. Support and assist operational and business areas in the implementation of the operational risk methodology.
6. Elaborate an opinion on possible operational risks linked to new products or services, prior to their launch.
7. Report timely and in a complete and detailed manner the failures in the different operational risk factors to the board of directors through the risk committee.

ARTICLE 20.- OF THE INTERNAL AUDIT UNIT. The internal audit unit will evaluate compliance with the procedures used for operational risk management developed in accordance with what is provided in this Agreement, as well as the effectiveness of the controls established within the operational risk management framework.

CHAPTER V OTHER PROVISIONS ON MANAGEMENT

ARTICLE 21.- BUSINESS CONTINUITY PLAN AND INFORMATION SECURITY. As part of adequate operational risk management, the bank must have a business continuity plan and information security policy that ensures the availability, integrity, and confidentiality of information and systems, and that allows the bank to continue its critical operations in the event of a disruption.

The business continuity plan must include procedures for the recovery of critical operations, the identification of critical resources, and the establishment of recovery time objectives. It must be tested periodically to ensure its effectiveness.

Information security policies must define the measures to protect information assets, including access controls, encryption, and incident response procedures. These policies must be aligned with international standards and best practices.

Banks must submit their business continuity plan and information security policy to the Superintendence upon request.

ARTICLE 22.- REPORTING REQUIREMENTS. Banks must report to the Superintendence any significant operational risk events that result in losses exceeding the thresholds established in their internal policies. Reports must be submitted within the timeframe established by the Superintendence.

Significant operational risk events include those involving fraud, legal risks, external events, and other events that have a material impact on the bank's financial position or reputation.

ARTICLE 23.- SUPERVISION. The Banking Superintendence will supervise the compliance of banks with the provisions of this Agreement. Supervision activities may include on-site inspections, reviews of internal documents, and interviews with bank personnel.

The Superintendence may impose sanctions on banks that fail to comply with the provisions of this Agreement, in accordance with the applicable legal framework.

ARTICLE 24.- TRANSITIONAL PROVISIONS. Banks must comply with the provisions of this Agreement within the timeframe established herein. Specifically, banks must submit their operational risk management manual to the Superintendence no later than January 1, 2013.

ARTICLE 25.- REPEAL. This Agreement repeals Agreement No. 007-2011 and Agreement No. 11-2014, to the extent that they are incompatible with the provisions of this Agreement.

ARTICLE 26.- EFFECTIVE DATE. This Agreement enters into force on the date of its publication in the Official Gazette.

Given in Panama City, on December 20, 2011.

THE BOARD OF DIRECTORS

[Signatures]

Banking Superintendence of Panama