2018-11-13

Bank of Israel Circular C-06-2581: Amendments to Proper Conduct of Banking Business Directive No. 301

The Bank of Israel amended Proper Conduct of Banking Business Directive No. 301 to require banking corporations and credit card companies to establish an Information Technology and Technological Innovation Committee. This new committee must include at least one member with proven IT expertise and is tasked with overseeing IT strategy, cyber security, technological risk management, and innovation alignment with business goals. The regulation also introduces a maximum term limit for committee chairpersons to ensure fresh perspectives, with specific compliance deadlines set for credit card companies and IT expertise requirements.

Israel

Bank of Israel

Bank of Israel
Banking Supervision Department
Policy and Regulation Division

November 13, 2018
Circular Number C-06-2581

To: The banking corporations and credit card companies

Issue: The Board of Directors (Proper Conduct of Banking Business Directive no. 301)

Introduction

  1. The technological innovation and development are changing, and will change, the face of banking, from the perspective of products and services to customers as well as from the perspective of banking corporations’ internal processes. The various processes in traditional banking such as customer service, remote identification of customers, monitoring risks, and operations, are undergoing broad changes that are made possible by the advance of technology. In parallel, the financial innovation promotes the creation of new competitors in the financial world that present new challenges to the banking system. Accordingly, the Banking Supervision Department sees great importance in accelerating the existing banking corporations’ adjustment to the new world, in the areas of technology-based business innovation, infrastructures, management and use of information. The Banking Supervision Department even encourages collaboration between the banking corporations and fintech companies, in order to enable the banking corporations to more easily implement innovation through increased efficiency, with the goal of adding value for customers through better products and services. In order to achieve these goals, the Banking Supervision Department is acting on several levels, including: removing regulatory barriers and leading comprehensive infrastructure projects. As a complementary step to these activities, the Banking Supervision Department is of the opinion that in parallel, increased involvement by the banking corporation’s board of directors is required in these areas, through establishing a board committee designated for issues of technology and technological innovation.
  2. Likewise, and further to the goals of improving the efficiency of the board’s work and enhancing its professional skills, a requirement was added of establishing policy regarding the maximum term of committee chairpersons.

  3. After consulting with the Advisory Committee on Banking Business Affairs, and with the consent of the Governor, I have decided to amend Proper Conduct of Banking Business Directive no. 301 on “The Board of Directors” (hereinafter, “the Directive”).

The main updates to the directive

  4. Mandatory Committee

     Pursuant to the stipulations of Section 21, the board of directors shall appoint the following committees:

     (a) An Audit Committee, as described in Sections 35 and 36
     (b) A Remuneration Committee, as described in Section 38
     (c) A Risk Management Committee, as described in Section 39
     (d) An Information Technology and Technological Innovation Committee, as described in Section 39a below. This subsection shall not apply to a banking corporation that is a controlled banking corporation and receives information technology services from the banking corporation that controls it.

     (Section 33 of Proper Conduct of Banking Business Directive no. 301.)

     Explanation

     The board of directors is required to appoint an Information Technology and Technological Innovation Committee. A banking corporation that is a banking corporation controlled by a banking corporation and that receives information technology services from the banking corporation that controls it, is not obligated to establish such a committee.

  5. Information Technology and Technological Innovation Committee

     (a) The board of directors shall appoint an “Information Technology and Technological Innovation Committee”, and at least one of the Committee members is to have proven knowledge and experience in the information technology (IT) area.
     (b) The Committee shall maintain contact with the Information Technology manager and the Information Security manager as the positions are defined in Proper Conduct of Banking Business Directive no. 357, with the Cyber Security Manager as defined in Proper Conduct of Banking Business Directive no. 361, and with the function responsible for the innovation area.
     (c) The Committee shall discuss, monitor, and make recommendations to the board on the following issues:
         (1) IT policy and strategy and its management, including cyber and information security, the banking corporation’s technological infrastructures, use and management of databases, technological innovation to support business innovation, and their alignment with the overall strategy and policy of the banking corporation.
         (2) The manner of the banking corporation’s preparation for banking of the future and business-related handling of the challenges of technological innovation in general and disruptive innovation in particular.
         (3) A framework for managing technological risk, including cyber and information security risk and innovation risk.
         (4) A disaster recovery plan and the extent of its alignment with the work framework principles for managing business continuity.
         (5) Annual work plan and goals.
         (6) Adequate allocation of resources for realizing the banking corporation’s planned activity in the area of information technology, information management, and innovation.
     (d) The Committee will coordinate and maintain a work interface with the other board committees, as relevant, so that an issue discussed in one committee does not necessarily have to be discussed in another as well.
     (e) Whenever required by various Proper Conduct of Banking Business Directives to hold a discussion with the board of directors plenum on issues related to information technology, the Committee shall hold a preliminary discussion as needed and shall submit its recommendations to the board plenum.

     (Section 39a of Proper Conduct of Banking Business Directive no. 301)

     Explanation

     5.1. The various functions of the board’s Information Technology and Technological Innovation Committee require knowledge and expertise in a range of issues: IT policy and strategy, cyber and information security, technological infrastructures, use and management of databases, financial innovation, and more. In order for the Committee’s discussions to be effective, and for the Committee to be able to adequately challenge the banking corporation’s senior management regarding its decisions in these areas, a requirement was set for at least one Committee member to have proven knowledge and experience in information technology.

     5.2. It was also established that within the framework of its day to day work, the Committee is to maintain contact with the main position holders in the areas of technology and innovation at the banking corporation, including the function responsible for innovation areas at the banking corporation.

     5.3. The board’s Information Technology and Technological Innovation Committee shall deal with a range of issues related to the IT area at the banking corporation. This includes dealing with, among other things, the banking corporation’s IT policy and strategy, its preparedness for disaster recovery, the appropriate allocation of resources for carrying out its work plan, and the framework for managing the technological risks it faces.

     5.4. In addition, the board committee will emphasize the spheres of technological innovation that supports financial innovation, the banking corporation’s preparedness for banking of the future, competition created with new technology-based financial entities, as well as the new risks faced by the banking corporation resulting from the new activities that it intends to enter and the technologies it intends to adopt. Particular emphasis shall be placed on innovation risks in the adoption of new technologies.

     5.5. In order to prevent duplication, the Committee shall coordinate and maintain a work interface with the other board committees, as relevant, so that the issue discussed at one does not have to be discussed in another as well.

     5.6. It was also established that anywhere a Proper Conduct of Banking Business Directive establishes that there is a requirement to hold a discussion with the full board plenum on issues related to the banking corporation’s information technology (for example, Section 3 of Proper Conduct of Banking Business Directive no. 357 on “Information Technology Management”), the Committee is required to hold a preliminary discussion on the issue and to submit its recommendations to the board plenum.

  6. The composition of the board committees and their work procedures

     Section 34(e) adds a requirement to establish limitations on the maximum term of service of committee chairpersons.

     Explanation

     The addition of the limitation on the maximum term of service of committee chairpersons is intended to refresh the collective thinking of committee members and to promote new points of view.

Effective date

  7. The amendments to the directives pursuant to this circular go into effect with its publication, except for:

     7.1. The requirement in Section 33(d) to establish an Information Technology and Technological Innovation Committee at credit card companies, for which the effective date shall be March 1, 2019.

     7.2. The requirement in Section 39a(a), according to which at least one member of the Information Technology and Technological Innovation Committee is to have knowledge of information technology issues, for which the effective date shall be July 1, 2020.

Update of file

Update pages for the Proper Conduct of Banking Business Directive file are attached. Following are the provisions of the update:

Remove page: (7/17) [23] 301-1-52
Insert page: (11/18) [24] 301-1-53

Sincerely,

Dr. Hedva Ber
Supervisor of Banks