Decision on Governance Arrangements in Credit Institutions

Pursuant to Article 44 paragraph (2) item 3) of the Central Bank of Montenegro Law (OGM 40/10, 06/13, 70/17), Article 47 paragraph (5), Article 104 paragraph (5) and Article 120 paragraph (3) of the Law on Credit Institutions (OGM 72/19), the Council of the Central Bank of Montenegro, at its meeting held on 26 November 2020, passed the following DECISION ON GOVERNANCE ARRANGEMENTS IN CREDIT INSTITUTION I BASIC PROVISIONS Subject Matter Article 1 This decision governs in more detail governance arrangements in a credit institution that refer to the organisational structure of a credit institution, internal controls mechanisms, the conditions and the manner of performing control functions in a credit institution (hereinafter: the governance system), and more detailed tasks and the manner of organisation of the supervisory board of the credit institution. Definitions Article 2 The terms used in this Decision shall have the following meaning:

1. risk management system means the overall organisational structure, rules, processes, procedures, systems and resources to identify, measure, assess, contain, monitor and report on risk exposure and overall risk management, and it implies the establishment of an adequate corporate governance and risk culture, and the adoption of the strategy, policy and other internal acts on risk management;
2. risk culture means norms, attitudes and behaviours related to risk awareness, risk assumption and risk management, and the controls that shape the decisions on risks;
3. risk profile means the measurement or assessment of all risks to which a credit institution is or might be exposed in its operations;
4. risk appetite means the level and types of risk a credit institution is willing to assume within its defined risk capacity to achieve its strategic objectives;
5. risk capacity means the maximum level of risk a credit institution is able to assume given its capital base, its risk management and control capabilities, and its regulatory constraints;
6. stress testing means an assessment of the impact of particular events and processes, including microeconomic and macroeconomic scenarios, on the overall capital position of a credit institution or funding sources and liquidity by means of a projection of capital sources and capital requirements of a credit institution or the

impact of shocks on the credit institution's overall liquidity position, including the determination of capital requirements. 7) malus means a contractual clause under which an employee agrees that a credit institution is not obliged to pay out or vest a part of the deferred unpaid variable remuneration or the whole of the deferred unpaid variable remuneration if the outcomes of previously assumed risks lead to a downturn in performance or subdued financial performance of the credit institution; 8) clawback means a contractual clause under which an employee is obliged to return ownership of an amount of variable remuneration, either paid out or vested, to the credit institution if risk outcomes lead to a downturn in performance or subdued financial performance, and such provision may be contracted for deferred and non￾deferred variable remuneration. II GOVERNANCE ARRANGEMENTS Establishing and assessing efficiency of the governance arrangements Article 3 (1) For the purpose of establishing and implementing the governance arrangements, a credit institution shall:

1. establish clear and consistent internal lines of responsibility for the assumption and management of risks including the separation of authorities and responsibilities with active involvement in the process of managing all material risks;

2. ensure that adequate resources are allocated to the management of all material risks, including an adequate number of employees possessing the necessary knowledge and experience to be involved in managing all material risks, and for the valuation of assets, the use of external credit ratings and internal models related to those risks;

3. establish and ensure the implementation of the risk culture;

4. establish and ensure the implementation of a code of ethics and standards of professional conduct for the employees in a credit institution; (2) When assessing the efficiency of the governance arrangements, including the adequacy of procedures and efficiency of risk control function, compliance function and internal audit function (hereinafter: the control functions), in accordance with Article 55 paragraph (6) of the Law on Credit Institutions (OGM 72/19) – (hereinafter: the Law), the following shall be taken into account in particular:

5. the work methodology of a control function;

6. realisation of the work plan of a control function;

7. the number of employees included in the operation of a control function;

8. the structure and content of reports of a control function;

9. findings of a control function during the period covered by the assessment of the adequacy of procedures and efficiency of a control function;

10. credit institution's risk profile;

11. risk management strategy and policy; and

12. other internal acts which the management board of the credit institution (hereinafter: the management board) deems to have effect on the adequacy of procedures and efficiency of a control function. (3) With regard to the issues on the governance arrangements in credit institution referred to in Article 104 paragraph 1 of the Law that are not specified by this Decision, the provisions of separate regulations of the Central Bank governing risk management, remuneration policies and practices and recovery plan of the credit institution shall apply. Cooperation and exchange of information on governance arrangements Article 4 When establishing, implementing and overseeing the governance arrangements, the management board and supervisory board of the credit institution (hereinafter: the supervisory board), in accordance with the powers specified by the Law, shall cooperate and exchange relevant information. Oversight of the governance arrangements Article 5 The oversight of the implementation and efficiency and effectiveness of the governance arrangements shall include:

13. whether the risk culture of the credit institution is consistently implemented;

14. the implementation of the code of ethics and standards of professional conduct of employees;

15. the implementation of the policies for determining and reducing actual and potential conflicts of interest and managing those conflicts of interest; and

16. whether the management board undertakes appropriate measures to remove deficiencies determined by the oversight.

1. Organisational structure of a credit institution Establishing organisational structure Article 6 (1) A credit institution shall establish, pursuant to the Law, an adequate, transparent and operational organisational structure. (2) Organisational structure referred to in paragraph (1) of this Article shall be harmonised with the established overall strategy and business policy, risk management strategy and risk appetite of the credit institution. (3) A credit institution shall ensure that all reporting lines, powers and responsibilities are clearly defined, in particular between holders of key functions.

(4) Organisational structure referred to in paragraph (1) of this Article shall enable:

1. the supervisory board to oversee risks to which a credit institution is or might be exposed in its operations;
2. the management board to manage risks in an efficient manner; and
3. the Central Bank of Montenegro (hereinafter: the Central Bank) to perform supervision or oversight of the credit institution in an efficient manner. (5) Organisational structure of a credit institution shall enable the supervisory board adequate access to information on risk profile of the credit institution and, where needed and appropriate, access to the risk control function and advices of the external experts, and other information determined by the supervisory board for the purpose of performing activities referred to in Article 4 of this Decision, other activities specified by the Law and regulations adopted pursuant to the Law. Prevention of money laundering and terrorist financing Article 7 (1) Organisational structure of a credit institution shall be established in such a way that it may not be used for the purposes connected with the money laundering, terrorist financing or other punishable offences and it shall not be unnecessarily exposed to those activities. (2) Powers and responsibilities defined in the credit institution’s organisational structure must be determined in a way that ensures that the credit institution performs activities that have clear economic and legal purpose and prevent exposure of the credit institution to an increased risk of money laundering and terrorist financing or other punishable offences. (3) With the aim of determining whether the organisational structure referred to in paragraph (1) of this Article may be used for the purposes related to the money laundering and terrorist financing or other punishable offences, the credit institution shall analyse in particular to what extent:
4. the established organisational structure meets the prescribed standards related to tax transparency and prevention of money laundering and terrorist financing;
5. the organisational structure will enable the activities of the credit institution in accordance with the law;
6. the organisational structure may be used for concealing the identity of beneficial owner;
7. the requirements of the customers might require the establishment of new organisational structure.

Risk culture Article 8 (1) A credit institution shall determine in its internal act a risk culture that is adjusted to the risk management strategy and its risk profile. (2) A credit institution shall ensure education for employees on the risk culture in such a way that employees at all levels are clearly informed of the authorities, roles and responsibilities assigned to them in the risk assumption and management process. Code of ethics and Standards of professional conduct Article 9 (1) A credit institution shall determine code of ethics and standards of professional conduct of employees that shall include in particular:

1. the obligation of the employees to act in accordance with the credit institution’s internal acts the corporate values;

2. the responsibilities of the employees to ensure in their work that the credit institution's activities are within risk appetite and internal limits;

3. examples of acceptable and unacceptable behaviour of employees, linked in particular to financial misreporting, misconduct and other punishable offences;

4. the obligation of the employees to act with honesty and integrity and perform their duties with due skill, care and diligence; and

5. the expectations from employees that they are aware of the responsibility for misconduct, potential legal actions and sanctions. (2) A credit institution shall ensure that the compliance function or another organisational part defined by a credit institution monitors and reviews compliance of the employees’ conduct with the standards referred to in paragraph (1) of this Article, establish a process for removing non-compliance with those standards, and regularly report the results of the review to a credit institution's management board. Managing conflict of interest Article 10 (1) Organisational structure of a credit institution shall ensure limitation and prevention of conflict of interest at credit institution level, or conflict of interest of the credit institution and private interests of its employees, including members of the supervisory board. (2) A credit institution shall adopt and implement internal acts for identifying, assessing, mitigating or preventing actual and potential conflicts of interest and identify measures to manage conflict of interest. (3) Measures referred to in paragraph (3) of this Article shall at a minimum include:

6. prevention of conflicts of interest from adversely affecting the interests of its clients of the credit institution;

7. the physical separation of certain business lines or of responsibilities of organisational units;

8. a segregation of duties in the credit institution, or entrusting activities and operations to different persons that might lead to the conflict of interest;

9. establishing adequate procedures for transactions with connected persons that might lead to conflict of interest (e.g. requiring transactions to be conducted at arm’s length);

10. prevention of conflict of interest based on the activities performed by the employees outside the credit institution. (4) A credit institution shall ensure that the members of supervisory and management boards do not participate in reaching decisions if they are connected with the subject of the decision making in the manner that would create conflict of interest or if their objectivity or action in fulfilling their duties in the prescribed manner is threatened in any way. (5) A parent credit institution in Montenegro shall also consider in its conflict of interest policy the conflicts of interest that may arise on consolidated basis. Content of conflict of interest internal acts Article 11 (1) The internal act referred to in Article 10 paragraph (2) of this Decision shall determine in particular:

11. situations or relationships where conflicts of interest may arise, in particular:

• economic interests (e.g. shares, holdings or similar economic interests of the credit institution's clients, intellectual property rights, loans granted by the credit institution to clients owned by employees);
• personal or professional relationship with the owners of qualifying holdings in the credit institution;
• personal or professional relationship with an employee of the credit institution or relationship with entities included within the scope of prudential consolidation in accordance with the regulations;
• previous activities and duties performed by the employees or members of the supervisory board;
• personal or professional relationship with relevant external stakeholders of the credit institution (e.g. being associated with material suppliers, consultancies or other service providers); and
• political influence or relationships with politically exposed persons.

2. a person responsible for receiving reports on actual and potential conflicts of interest of employees and communication method to that person;
3. the conflict of interest that is persistent and needs to be managed permanently and conflict of interest that occurs unexpectedly with regard to a single event (e.g.

a transaction, the selection of service provider, etc.) and may usually be managed with a one-off measure. (2) A credit institution shall ensure that employees promptly disclose to the person referred to in paragraph (1) item 2) of this Article any matter that may result, or has resulted, in a conflict of interest. 2. Mechanisms of internal controls and control functions Mechanisms of internal controls Article 12 (1) A credit institution shall, in accordance with Article 119 of the Law, establish, maintain, and improve internal controls system which shall, applying mechanisms of internal controls, cover all business lines and organisational units, including control functions, outsourced activities and channels of information sharing. (2) Mechanisms referred to in paragraph (1) of this Article should ensure a clear, transparent and documented decision-making process, a clear allocation of authorities and responsibilities the implementation of which shall include, in an adequate manner, all employees, in particular senior management, supervisory and management boards. (3) A credit institution shall ensure through its control functions:

1. access to all business lines, organisational units, and if applicable, subsidiaries and undertakings included in accounting or prudential consolidation; and

2. where needed, right to direct inform the supervisory board and/or appropriate working body of the supervisory board. Content of the control function internal acts Article 13 Internal acts that a credit institution shall adopt for each control function shall in particular contain:

3. the objectives, scope and modus operandi or methodology of a control function;

4. the organisation of the control function;

5. the measures ensuring the independence and objectivity of each control function;

6. the authorities, responsibilities and relationships with other organisational units;

7. mutual relationships with other control functions;

8. the duties and responsibilities of a person responsible for the operation of each control function as a whole;

9. the measures for ensuring and monitoring professional qualification, adequate expertise and experience of the persons responsible for carrying out control functions;

10. the authorities and responsibilities of control functions associated with examination of outsourced activities in accordance with the provisions of regulations governing outsourcing of credit institution's business activities, where applicable;

11. the right of access to all the relevant data, information, information system and other resources necessary to carry out the activities; 10)the manner of cooperation with external auditor and the Central Bank; and

12. reporting within the credit institution. Requirements for carrying out the control functions Article 14 (1) A credit institution shall ensure the necessary resources and funding for the execution of the annual plan of each control function and provide professional training of the persons responsible for carrying out the control function activities. (2) Persons responsible for carrying out the control function activities must meet the eligibility requirements specified by the separate regulation of the Central Bank (3) In addition to the requirements referred to in paragraph (2) of this Article, a person responsible for the internal audit function must also meet the requirements for carrying out internal audit specified by the law governing the auditing activities. Control function annual work plan Article 15 (1) The annual work plan of the control function shall include in particular:

13. a list of all the planned activities of individual control function;

14. business areas to be covered by the plan; and

15. deadlines for carrying out the planned activities of the control function. (2) For the purpose of developing annual work plan referred to in paragraph (1) of this Article, a credit institution shall ensure to the person responsible for the work of each control function the information about planned organisational and other changes and activities of the credit institution. Control functions activities Article 16 (1) A credit institution shall ensure that the control functions, within their authorities, monitor the implementation of the policies, processes and procedures set out by the credit institution for the purpose of establishing and implementing an effective internal controls system.

(2) A credit institution shall put in place implementation of recommendations and measures to eliminate illegalities, irregularities, deficiencies and weaknesses identified by the control functions, including the manner of resolving. Activities of the risk control function Article 17 (1) A credit institution shall ensure that the following activities are carried out within the risk control function:

1. participating in the risk management strategy and policy development and review, and their oversight;
2. developing independent information, analyses and expert judgement on risk exposures;
3. giving advice on risk management decisions made and reporting to the management board, the supervisory board or the relevant working body of the supervisory board as to whether risk exposures and risk decisions are consistent with the credit institution’s risk appetite and risk management strategy.
4. participating in the adoption of all major decisions related to risk management, including decisions made by business lines or organisational units, without voting right;
5. analysing the risks of new products, implementation of significant changes to existing products, including significant changes to related processes and systems in the credit institution’s activities, exceptional transactions, as well as the entry to new markets and dealing in new financial instruments;
6. making proposals and recommendations for improving the risk management system;
7. monitoring and analysing the risk profile of the credit institution against the strategic goals and risk appetite or limits, proposing remedial measures and informing competent body of the credit institution;
8. carrying out stress testing;
9. identifying and assessing the risks related to transactions with connected persons; 10)analysing, monitoring and reporting to the management board, supervisory board and relevant working body of the supervisory board on the adequacy of the credit institution’s internal capital and internal liquidity, and reviewing the strategies and procedures for the assessment of the necessary internal capital and internal liquidity; (2) A credit institution shall ensure that the risk control function regularly informs the management board, the supervisory board and/or risk committee of the supervisory board of the assumptions used for risk analysis, and potential shortcomings of that analysis.

Activities of the compliance function Article 18 (1) A credit institution shall, within its compliance function, ensure that the following activities are carried out:

1. identifying, assessing and monitoring compliance of the credit institution with regulations, internal acts and standards;

2. identifying and assessing the risk on potential non-compliance to which the credit institution is or might be exposed;

3. assessing the effects that new regulations will have on the operation of a credit institution;

4. verifying compliance of new products or activities with relevant regulations in cooperation with the risk control function;

5. reporting on risk referred to in item 1) of this paragraph to the management board, the supervisory board and the relevant bodies of the supervisory board, and other relevant persons;

6. advising the management board and other responsible persons on the implementation of relevant laws and internal acts, taking into account amendments thereof;

7. cooperating and exchanging information with the risk control function in relation to risk referred to in item 1) of this paragraph and its management; and

8. monitoring and giving recommendations on relevant training programmes. (2) A credit institution shall ensure that:

9. its subsidiaries and branches operating in another country are compliant with local laws and regulations of that country; and

10. its subsidiary and branch operating in another country inform the person responsible for the operation of the compliance function in the credit institution if local laws and regulations of that country prevent the disclosure and exchange of information related to compliance monitoring between undertakings within the group. Activities of the internal audit function Article 19 (1) A credit institution shall ensure that internal audit function carries out independent audit and provide independent, objective and unbiased assurance of the compliance of activities in the credit institution, including outsourced activities, with the credit institution’s policies and procedures and with the requirements of the Central Bank. (2) Internal controls system efficiency and effectiveness shall be assessed within the internal audit function. (3) A credit institution shall ensure that the following activities are carried out within the internal audit function in particular:

11. assessment of the appropriateness of governance arrangements in the credit institution;

12. assessment of the adequacy of compliance with policies, regulations and other requirements and with the risk appetite and risk management strategy;

13. assessment of the correctness and effectiveness of implementation of the identified procedures and the compliance of these procedures with the applicable laws and regulations and with decisions of the management board and the supervisory board;

14. assessment of the adequacy, quality and effectiveness of the controls performed and the reporting done by the organisational units and the risk control and compliance functions;

15. assessment of the accuracy and reliability of the accounting records system and financial statements;

16. audit of outsourced activities;

17. assessment of strategies and procedures in place to assess the adequacy of internal capital and internal liquidity;

18. audit of the information system;

19. verification of the reliability of the internal and external reporting systems and timeliness and accuracy of the reports prescribed in the Law, regulations adopted under the Law and other regulations; 10)assessment of the methods for protecting assets of credit institution; 11)assessment of data collection systems and the validity of information that is disclosed in accordance with the regulation of the Central Bank governing public disclosure of data by credit institutions, and other regulations; (4) An internal audit function shall evaluate the reliability of the credit institution’s assumptions, information, methods and techniques used in its internal models, as well as the quality of the method for identifying and assessing risk and the risk mitigation measures taken. (5) An internal audit function shall also determine the internal audit programme for each audit area. Control function work reports Article 20 (1) Work report of each control function shall include in particular:

20. data on the realisation of the annual work plan, including also planned but not executed work activities, specifying the reasons for the non-execution;

21. a list of all the planned work activities carried out;

22. a list of all the extraordinary work activities carried out;

23. a summary of the most important facts identified during controls, audits and other work activities carried out;

24. an assessment of the adequacy and efficiency of the internal controls system in the areas covered by control and audit;

25. an assessment of the adequacy and efficacy of the system for the management of individual risks or all risks in a credit institution; and

26. information on the implementation of realised proposals, recommendations and measures for the elimination of illegalities, irregularities, deficiencies and weaknesses identified in the course of controls or audits and the reasons for their non-execution. (2) Each control function work report shall be signed by the person responsible for the work of the control function concerned. (3) The compliance function and the risk control function shall deliver the report to the credit institutions' management board and the risk committee or another working body of the supervisory board, and the credit institution's supervisory board on a semi-annual basis, and to the Central Bank on an annual basis. (4) The internal audit function shall deliver the report to the credit institutions' management board and the audit committee or another relevant standing working body of the supervisory board on a quarterly basis, to the credit institution's supervisory board on a semi-annual basis, and to the Central Bank on an annual basis. (5) A credit institution shall deliver the control function work reports referred to in paragraphs (3) and (4) of this Article to the Central Bank by 31 March of the current year for the previous year. III SUPERVISORY BOARD ORGANISATION Establishing standing working bodies of the supervisory board Article 21 (1) The supervisory board of the credit institution that is significant in terms of its size, internal organisation and the nature, scale and complexity of activities it performs, shall establish nomination committee, risk committee and remuneration committee as standing working bodies in accordance with Article 47 paragraph (1) of the Law. (2) A significant credit institution, within the meaning referred to in paragraph (1) of this Decision, shall be any credit institution designated in accordance with the Law as other systemically important institution (O-SII) and any credit institution whose three-year average amount of assets reported in its audited financial statements at the end of the previous three business years exceeds EUR 250,000,000. (3) The provisions of this Decision shall apply to the functioning and the composition of other working bodies established by the supervisory board other than standing working bodies referred to in paragraph (1) of this Article.

(4) Duties and responsibilities of the working bodies of the supervisory committee must be clearly identified and segregated. Composition of supervisory board standing working bodies Article 22 (1) Independent supervisory board members shall be appointed, as a rule, members of the standing working bodies of the supervisory board. (2) All members of the standing working bodies of the supervisory board may not, as a rule, be at the same time members of other standing working body. (3) Members of the standing working bodies of the supervisory board shall have, individually and collectively, appropriate knowledge, skills and expertise required for performing duties in a working body. (4) A chairperson of the supervisory board in a significant credit institution may not be the chairperson of risk committee in that credit institution. (5) A chairperson of the risk committee in a significant credit institution may not be the chairperson of any other working body of the supervisory board of that credit institution. Modus operandi of supervisory board standing working bodies Article 23 (1) Standing working bodies of the supervisory board shall document the agendas of meetings and their conclusions. (2) Standing working bodies of the supervisory board shall regularly report to the supervisory board on their conclusions referred to in paragraph (1) of this Article. (3) Working bodies of the supervisory board shall mutually cooperate. (4) A credit institution shall ensure that the standing working bodies of the supervisory board have adequate information and data necessary to perform their tasks, including external experts’ advices. (5) Standing working bodies of the supervisory board shall determine the nature, the amount, the format and the frequency of the information which they are to receive from organisational units, or functions within the credit institution.

Risk committee duties Article 24 In addition to the activities referred to in Article 49 paragraph (1) of the Law, the risk committee shall perform the following activities:

1. provide the supervisory board with recommendations on necessary adjustments to the risk strategy resulting from, inter alia, changes in the business model of the credit institution, market developments or recommendations made by the risk control function;

2. provide support in the oversight of the implementation of risk management strategy, and in particular liquidity, market, credit and operational risks for the purpose of their assessment against approved risk appetite and risk management strategy;

3. provide advice on the appointment of external consultants that the supervisory board may decide to engage;

4. analyse a number of possible scenarios, including stressed scenarios, to assess how the credit institution’s risk profile would react to the effects of that scenario;

5. analyse the recommendations of internal or external auditors and follow up on the appropriate implementation of measures taken. Nomination committee duties Article 25 In addition to activities referred to in Article 48 paragraph (1) of the Law, the nomination committee shall prepare a description of duties and qualifications to perform the functions of a member of the management board or supervisory board and the expected commitment to performing those functions. Remuneration committee duties Article 26 (1) In addition to activities referred to in Article 50 paragraph (2) item 1) of the Law, the remuneration committee shall:

6. provide support and give advices to the supervisory board on the remuneration policy, practices and processes;

7. verify if the existing remuneration policy is adequate and, where necessary, give proposals for changing those policies including the proposals of the plan to remove identified deficiencies;

8. proposes the appointment of external consultants for remuneration that the supervisory board may decide to engage for advice or support;

9. ensure the adequacy of information to be provided to the shareholders on remuneration policies and practices, in particular on the proposed higher maximum ratio between fixed and variable components of total remuneration;

10. assess the mechanisms and systems adopted to ensure that the remuneration system properly takes into account all types of risk, and capital structure, that the overall remuneration policy is in line with the general strategy, objectives, corporate culture and the long-term interest of a credit institution and that it promotes sound and efficient risk management;

11. assess the achievement of performance targets of remuneration policy and the need for subsequent risk adjustments, including the application of malus and clawback arrangements;

12. review a number of possible scenarios to test how the remuneration policy and practice will react to future external and internal events;

13. test the criteria used for determining variable remuneration prior to their determination and pay-out. (2) A member of the remuneration committee who is not a member of the risk committee shall participate in the meetings of the risk committee and vice versa. (3) The remuneration committee shall oversee and monitor the remuneration of persons managing the control functions. IV. CLOSING PROVISIONS Repealed regulations Article 27 As from the commencement date of application of this Decision, the Decision on the basics of internal controls system in banks (OGM 68/08) and the Decision on Internal Audit in Banks (OGM 68/08) shall be repealed. Entry into force Article 28 This Decision shall enter into force on the day following that of its publication in the Official Gazette of Montenegro, and it shall apply from the date of application of the Law on Credit Institutions (OGM 72/19). THE CENTRAL BANK OF MONTENEGRO

CHAIRMAN No. 0101-7060-2/2020 G O V E R N O R, Podgorica, 26 November 2020 Radoje Žugić, m.p.