Notice No. 01/2022: Corporate Governance Code for Banking Financial Institutions

PUBLISHED IN THE OFFICIAL GAZETTE, FIRST SERIES, NO. 19, OF 28 JANUARY 2022 NOTICE NO. 01/2022 SUBJECT: FINANCIAL SYSTEM

• Corporate Governance Code for Banking Financial Institutions

Whereas the recent alignment of the Angolan Financial System (AFS) with internationally accepted best practices, introduced by Law No. 14/21 of 19 May, General Regime Law for Financial Institutions, particularly regarding the Corporate Governance Code for Banking Financial Institutions, which aims to strengthen the financial legal framework, conferring adequate mechanisms and procedures to address current challenges for good corporate governance, proportionate to the business plan, complexity of activities carried out, and associated risks; Pursuant to the combined provisions of letters k) and l) of paragraph 1 of Article 166 of Law No. 14/21 of 19 May, General Regime Law for Financial Institutions, and letter f) of paragraph 1 of Article 31 and letter f) of paragraph 1 of Article 54, both of Law No. 24/21 of 18 October, Law of the National Bank of Angola.

DETERMINES: Chapter I General Provisions Article 1. (Object)

CONTINUATION OF NOTICE NO. 01/2022 Page 2 of 55 This Notice aims to regulate internal governance and control systems, as well as define the minimum standards on which the organizational culture of Banking Financial Institutions, hereinafter abbreviated as “Institutions”, must be based. Article 2. (Scope)

1. This Notice applies to Banking Financial Institutions under the supervision of the National Bank of Angola, as provided for in paragraph 2 of Article 7 of Law No. 14/21 of 19 May, General Regime Law for Financial Institutions.
2. Also covered by the provisions of this Notice are Non-Banking Financial Institutions under the supervision of the National Bank of Angola, as provided for in paragraph 3 of Article 7 of Law No. 14/21 of 19 May, General Regime Law for Financial Institutions, namely: a) Shareholding management companies; and, b) Payment system operating companies, in accordance with Article 10 of Law No. 40/20 of 16 December, Law of the Angolan Payment System, and letter k) of paragraph 3 of Article 7 of Law No. 14/21 of 19 May, General Regime Law for Financial Institutions. Article 3. (Definitions) Without prejudice to the definitions established in Law No. 14/21 of 19 May, General Regime Law for Financial Institutions, for the purposes of this Notice, the following shall be understood: a) Executive Director: member of the governing body with responsibilities in day-to-day management, without prejudice to the overall duties inherent to their position; b) Independent Director: member of the governing body who exercises their functions independently in accordance with letter r) of this article; c) Non-Executive Director: member of the governing body, who must participate in the strategic decision-making process, advise, oversee, and evaluate the activities of executive directors, without prejudice to the overall duties inherent to their position; d) Risk Appetite: the aggregated level and types of risk that an Institution is willing to assume, defined in advance and within each institution's risk capacity to achieve its strategic objectives and business plan; e) Beneficial Owner: entity with the true economic interest in holding an asset, possessing its ultimate control or in carrying out a transaction; f) Audit Committee: unit responsible for overseeing the performance of the Institution's external auditor; g) Conflict of Interest: situation in which shareholders, members of governing bodies, or employees have personal interests in a relationship of the Institution with third parties, from which they expect to obtain benefits; h) Control Deficiency: error in the design or operation of the policies or processes of the internal control system, with a negative impact on its objectives and principles; i) Parent Company: legal entity that exercises a relationship of control or group over another legal entity, designated as a subsidiary, when they are Financial Institutions under the supervision of the National Bank of Angola; j) Risk Factor: aspect or characteristic of financial products and markets, participants in the business relationship, and processes in place at the Institutions, which influences risk; k) Function: integrated set of processes carried out recurrently to achieve specific objectives of the Institution and which, autonomously, corresponds to a structural unit; l) Control Functions: each of the components of the internal control system, whose responsibility consists of monitoring the compliance of their actions with legislation and internal procedures, managing and monitoring the risk to which the Institution is or may be exposed, carrying out objective and reliable assessments and analyses, independently, as well as reporting their examinations to management bodies; m) Business Functions: comprise functions directly linked to the main activity or core business of the Institution; n) Support Functions: comprise the Institution's activities, whose day-to-day operations are not directly related to the Institution's business, yet assist and complement it; o) Day-to-Day Management: set of decisions, taken on a daily and recurrent basis, on matters concerning the administration of the Institution, excluding those related to defining the business strategy, organizational and functional structure, disclosure of legally or statutorily required information, and relevant operations based on their amount, associated risk, or special characteristics; p) Corporate Governance: set of relationships, policies, and processes involving shareholders, governing bodies, and employees of the Financial Institution in coordination with supervisory bodies, external auditors, and other financial market agents, aimed at achieving strategic objectives, as well as promoting organizational transparency and conducting control and oversight of the Institutions, specifying for this purpose the functions assigned to various organizational units and the competencies, responsibilities, and level of authority of the various participants in the Institutions; q) Financial Group: set of resident and non-resident companies, having the nature of Financial Institutions, with the exception of Financial Institutions linked to insurance and social security activities, in which there is a relationship of control by a parent company supervised by the National Bank of Angola over the other companies comprising it; r) Independence: capacity to make evaluative judgments and take correct, objective, and independent decisions regarding the policies and processes of the Financial Institution without the influence of daily management and external interests contrary to the objectives of the Financial Institution, it being considered that a member of the governing body does not meet the independence requirements whenever any of the following situations occurs: i. Has or had, in the last twelve months, an executive director position at the Institution; ii. Provides or provided, in the last twelve months, services to the Institution; iii. Holds or represents a holder of a qualified participation in the institution's capital, or a participation exceeding 2%, which allows, in the understanding of the National Bank of Angola, to exercise significant influence on the institution; iv. Receives a variable component of remuneration granted by the Institution; v. Holds positions in the governing bodies of another company, without a formal process to investigate potential conflicts of interest having taken place; vi. Has a relationship of spouse, descendant, or ascendant, of first and second degree, with a person covered by at least one of the situations provided for in items i to v of this letter; and, vii. Is covered by at least one of the situations referred to in items i, iv, and vi, in a company that is in a relationship of control or group with the one in which they are a member of the governing body. s) Systemically Important Banking Financial Institutions: Banking Financial Institutions, qualified as such by the National Bank of Angola; t) Governing Body: person or group of persons, elected by shareholders, tasked with representing the company, deliberating on all matters, and performing all acts to achieve its corporate purpose; u) Portfolio Management: assignment of specific functions or supervision of organizational units to a member of the governing body, without prejudice to the responsibilities assigned to the governing body;

CONTINUATION OF NOTICE NO. 01/2022 Page 3 of 55 v) Risk Profile: representation of the actual risk exposure of an Institution, which is intrinsically linked to the business strategy, and depends on the type of activities carried out by the Institution, as well as the risk inherent to them; w) Compliance Policy: document with guidelines, whose objective is to ensure compliance with ethical principles and national and international legal and regulatory requirements that directly or indirectly govern all activities of the Institution; x) Remuneration Policy: set of policies and processes aimed at establishing the criteria, frequency, responsible parties for performance evaluation, and the form, structure, and conditions for payment of remuneration; y) Remuneration: set of economic benefits attributed to members of governing bodies and employees of an Institution, as consideration for services rendered, which may be periodic or non-periodic, fixed or variable, monetary or non-monetary, including, inter alia, salaries, performance bonuses, allowances, and pension liabilities; z) Risk: possibility of a future event occurring with a negative impact on the net position of the Institutions, considering the following categories in particular: i. Credit Risk: arising from the failure to meet financially contractual commitments by a borrower or counterparty in transactions; ii. Strategy Risk: arising from adverse changes in the business environment, the inability to respond to these changes, and inadequate strategic management decisions; iii. Liquidity Risk: arising from the institution's inability to meet its obligations when they become due; iv. Market Risk: arising from adverse movements in the prices of bonds, shares, or commodities, including exchange rate and interest rate risk: a. Exchange Rate Risk: arising from movements in exchange rates, resulting from exchange positions originating from the existence of financial instruments denominated in different currencies; b. Interest Rate Risk: arising from movements in interest rates, resulting from mismatches in amount, maturities, or interest rate reset periods, observed in financial instruments with interest receivable and payable; v. Operational Risk: arising from inadequate internal processes, people, or systems, possibility of occurrence of internal and external fraud, as well as external events, including information systems and compliance risk; vi. Compliance Risk: arising from violations or non-compliance with laws, rules, regulations, contracts, prescribed practices, or ethical standards; vii. Information Systems Risk: arising from inadequacies in information technologies in terms of processing, integrity, control, availability, and continuity, resulting from inadequate strategies or uses; and, viii. Reputational Risk: adverse perception of the Institutions' image by clients, counterparties, shareholders, investors, supervisors, and the general public. aa) Segregation of Functions: set of internal control rules and guidelines aimed at decentralizing management, establishing independence between control, business, and support functions; bb) Organizational Silos: organizational barriers that hinder and/or prevent timely, objective, concise, effective, and complete communication and/or cooperation between various organizational units and/or functions; cc) Internal Control System: integrated set of policies and processes, of a permanent and cross-cutting nature throughout the institution, carried out by the governing body and other employees, in order to achieve objectives of efficiency in the execution of operations, risk control, reliability of accounting and management support information, and compliance with legal standards and internal guidelines;

CONTINUATION OF NOTICE NO. 01/2022 Page 4 of 55 dd) Risk Tolerance: maximum “amount” of risk that an Institution is capable of assuming, given its capital base, risk management, and control capabilities, as well as its regulatory constraints; ee) Transactions with Related Parties: transfer of resources, services, or obligations between the Institution and a related entity, regardless of whether there is a price debit; and, ff) Business Units: departments or areas of the institution that represent and perform a specific function. Chapter II Corporate Governance Article 4. (Principles) The “Corporate Governance Code for Institutions” is based on the following principles: a) Promotion of a culture of transparency within the Institutions; b) Contribution to strengthening institutional integrity, aiming to promote greater confidence, quality, and security of products and services marketed in the financial system; c) Favoring convergent policies within the organizational context; d) Promotion of timely, clear, and transparent access to information; e) Promotion of communication between the governing body, oversight bodies, and established committees; f) Independent and autonomous action, with free access to the information necessary to exercise functions or duties; g) Continuous monitoring of the regulatory environment and disclosure of applicable standards for the action of responsible areas; and, h) Assessment of compliance with regulations and implementation of process and procedure manuals, as well as other institutional policies concerning the Institutions' activities that mitigate associated risks. Article 5. (Culture and Organizational Structure)

1. The organizational culture of the Institution must be a constant concern of the governing and oversight bodies, based on solid foundations and high standards of internal control regarding the authorization, execution, recording, accounting, and control of operations, namely through: a) Adherence to high ethical and integrity principles, embodied in codes of conduct and policies that identify and mitigate conflicts of interest; b) Definition and implementation of processes aligned with internal control principles and practices, which determine that there is knowledge of relevant risks and how they can be managed; and, c) Adequate segregation between authorization, execution, recording, accounting, and control functions, adapted to the size, nature, and complexity of the activity.
2. The organizational culture must be known to all employees, who must contribute to an efficient internal control system, and thus must understand their role in the implemented system.
3. The organizational structure, considered in its organic and functional aspects, must: a) Be adequately defined, thereby supporting activity and the implementation of an adequate and effective internal control system; b) Be compatible with the strategy, adapted to the volume, nature, and complexity of the activity carried out, and provide sufficient human resources in terms of number, knowledge, and experience for the tasks assigned to them; and, c) Be transparent, coherent, objective, and clear in the definition of organizational units, duties, competencies, responsibilities, and authority, respecting the segregation of functions and establishing precise lines for reporting information.
4. Whenever the scope of activity and associated risks of an Institution is reduced, and due to limited available human resources, total segregation of potentially conflicting functions is unfeasible, alternative control procedures must be implemented to avoid or minimize to the greatest extent the risk of conflicts of interest occurring.
5. The organizational structure, including the competencies and responsibilities of each organizational unit and/or function, reporting and authority lines, and the degree and scope of cooperation between various departments or functions, must be documented, analyzed, and periodically reviewed, aiming to guarantee its permanent adequacy. Article 6. (Corporate Governance)
6. The corporate governance model must be compatible with the size, nature, complexity, structure, risk profile, and business model of the Institution.
7. The governing body is responsible for defining policies, and must approve and supervise the implementation of the Institution's strategic objectives by management, governance structure, and organizational culture.
8. The governing and oversight body or body with delegated competencies provided for in Articles 12, 13, 15, and 16, all of this Notice, must: a) Meet at formally defined intervals, without prejudice to extraordinary meetings determined by relevant events;

CONTINUATION OF NOTICE NO. 01/2022 Page 5 of 55 b) Properly formalize work orders, agendas, and other supporting documents for the meetings referred to in letter a) of this paragraph, as well as share them in advance; c) Briefly and objectively reflect deliberations in minutes, in order to guarantee the justification of decisions taken, as well as reflect the meaning of voting statements, if requested; d) Ensure that all decisions are properly justified; and, e) Make minutes and other documents referred to in letter b) of this paragraph known to all members and collect the signatures of all participants in the meetings on the minutes. 4. Institutions may hire independent consulting services to assist entities or bodies with delegated competencies, maintaining responsibility for the functions assigned to them. 5. When outsourcing services for the exercise of functions, Institutions must ensure the exact compliance with the objectives and principles of corporate governance set forth in this Notice, particularly regarding the responsibilities of the governing body. 6. The governing body must promote the formalization, dissemination, and periodic review of the corporate governance model in force at the Institution. 7. The principles established in the preceding paragraphs must be consistently applied within the financial group, with the parent company responsible for implementing a solid corporate governance model, guaranteeing: a) To its governing bodies a complete, true, and up-to-date view of the company belonging to the financial group, as well as its respective capital, organic, and functional structures; and, b) A correct information disclosure policy, in accordance with Articles 24 and 25 of this Notice. Article 7. (Corporate Governance Model)

1. Institutions must define, implement, and periodically review their corporate governance model, at least once a year, encompassing the capital structure, business strategy, risk management policies and processes, organizational units and structures, and applied policies, namely: a) The remuneration policy; b) The internal control policy; c) The compliance policy; d) The policy on transactions with related parties and prevention of conflicts of interest; e) The transparency and information disclosure policy; f) The code of conduct; and, g) The whistleblowing channel.
2. The governing body is the ultimate responsible party to shareholders, regulators, and other stakeholders.
3. The governing body must develop a corporate governance and risk structure that facilitates supervision and contributes to defining the Institution's strategy, risk culture, and risk appetite.
4. The corporate governance structure must facilitate and enable independent assessments of the quality, accuracy, and effectiveness of the Institution's risk management duties, financial reports, and regulatory compliance.
5. Changes to the corporate governance model must be communicated in advance to the National Bank of Angola, requiring a prudential justification for why the Institution considers that the new corporate governance model contributes to a healthier and more prudent management, considering the Institution's situation. Article 8. (Capital Structure)
6. Institutions must ensure the transparency of their capital structure, by identifying holders of qualified participations, considering the entire chain of entities to whom the participation is attributed in accordance with the following paragraph.
7. In the calculation of qualified participations, in addition to those relating to direct participations, voting rights must be considered:

CONTINUATION OF NOTICE NO. 01/2022 Page 6 of 55 a) Belonging to companies that are in a relationship of control or group with the participant; b) Belonging to third parties, but on behalf of the participant; c) Belonging to third parties with whom the participant has entered into an agreement for the exercise of associated rights, except in cases where, under the same agreement, the participant is bound to follow the third party's instructions; d) Belonging to the members of the governing bodies of the participant, in cases where the participant is a company; e) That may be acquired by the participant through an agreement previously entered into with their respective holders; f) Relating to shares pledged to the participant, in cases where voting rights have been attributed to them; g) For which the holders have granted discretionary exercise powers to the participant; h) Belonging to persons who have entered into some agreement with the participant for concerted exercise of influence over the participating company; and, i) Attributable to the persons referred to in the preceding letters, by the articulated and joint application of the cri