FMA Minimum Standards for Lending Business and Other Transactions with Counterparty Risks (Recast April 2022)

Document No.: 01 / 2022 Publication date: 28 April 2022 FMA MINIMUM STANDARDS FOR LENDING BUSINESS AND OTHER TRANSACTIONS WITH COUNTERPARTY RISKS FMA-MS-K (Recast 2022)

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 2 FMA Minimum Standards for Lending Business and other transactions with counterparty risks Recast - April 2022 (FMA-MS-K) TABLE OF CONTENTS 1 Preliminary remarks ......................................................................................................................... 3 2 Scope and Definitions ...................................................................................................................... 5 3 Strategic framework conditions ........................................................................................................ 8 3.1 Responsibility of management board members ......................................................................... 8 3.2 Risk strategy ............................................................................................................................... 8 3.3 New types of business transactions ......................................................................................... 10 4 Organisation ................................................................................................................................... 11 4.1 Internal guidelines .................................................................................................................... 11 4.2 Organisational structure ........................................................................................................... 12 4.2.1 Functional separation ...................................................................................................... 12 4.2.2 Voting ............................................................................................................................... 15 4.3 Employees ................................................................................................................................ 16 4.4 Technical and organisational resources ................................................................................... 17 4.5 Documentation ......................................................................................................................... 17 5 Granting and processing of lending transactions ........................................................................... 17 5.1 General ..................................................................................................................................... 17 5.2 Loan origination ........................................................................................................................ 18 5.3 Risk assessment ...................................................................................................................... 19 5.3.1 Checking of creditworthiness and collateral valuation ..................................................... 19 5.3.2 Risk classification procedures ......................................................................................... 20 5.4 Further processing of loans ...................................................................................................... 21 5.5 Monitoring of loan disbursements ............................................................................................ 22 5.6 Intensified handling ................................................................................................................... 23 5.7 Dealing with problem loans ...................................................................................................... 23 5.8 Risk provisioning ...................................................................................................................... 24 6 Risk management and risk controlling ........................................................................................... 25 6.1 General ..................................................................................................................................... 25 6.2 Early-warning procedure .......................................................................................................... 25 6.3 Risk management and risk limitation ........................................................................................ 26 6.4 Reporting .................................................................................................................................. 27 6.4.1 Risk report on counterparty risk ....................................................................................... 27 6.4.2 Ad-hoc reporting .............................................................................................................. 29 6.5 Dealing with organisational deficiencies ................................................................................... 30 Annex: Comparison of FMA-MS-K and EBA Guidelines ....................................................................... 30

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 3 1 PRELIMINARY REMARKS

1. These FMA Minimum Standards do not constitute a Regulation. They serve as guidance for credit institutions and financial institutions and reflect the FMA's legal interpretation and the FMA's practical recommendations for conduct. No rights and obligations extending over and above the provisions of the law can be derived from them. The FMA reviews on a case￾by-case basis whether the non-observance of supervisory expectations in Minimum Standards also breaches legal provisions, especially Article 39 paras. 2 and 5 of the Austrian Banking Act (BWG; Bankwesengesetz)1 as well as Article 5 para. 1 of the FMA Regulation on Credit Institution Risk Management (KI-RMV; Kreditinstitute-Risikomanagementverordnung)2 . These FMA Minimum Standards replace the FMA Minimum Standards for Lending Business and other Transactions with Counterparty Risks dated 13.04.2005, with effect from 01.07.2022. The FMA advises that the following Guidelines issued by the European Banking Authority (EBA) set further-reaching requirements in some areas:

• EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06, hereafter: LO-GL) 3 ,
• EBA Guidelines on management of non-performing and forborne exposures (EBA/GL/2018/06, hereafter: NPE-GL) 4 ,
• EBA Guidelines on internal governance (EBA/GL/2021/05, hereafter: IG-GL) 5 ,
• EBA Guidelines on outsourcing (EBA/GL/2019/02, hereafter: OUTS-GL) 6 ,
• EBA Guidelines on credit institutions’ credit risk management practices and accounting for expected credit losses (EBA/GL/2017/06, hereafter CL-GL) 7 ,
• EBA Guidelines on arrears and foreclosure (EBA/GL/2015/12, hereafter: AF￾GL)8 .

1 The Austrian Banking Act (BWG; Bankwesengesetz), published in Federal Law Gazette no. 532/1993 as amended. 2 Cf. Regulation of the Financial Market Authority (FMA) on the proper capture, management, monitoring and limitation of the types of risk specified in Article 39 para. 2b BWG (Regulation on Credit Institution Risk Management – KI-RMV; Kreditinstitute-Risikomanagementverordnung) published in Federal Law Gazette II No. 487/2013 as amended. 3 Pursuant to Article 69 para. 5 BWG as well as Article 16(3) of Regulation (EU) No 1093/2010 ("EBA Regulation") the FMA shall take European convergence in respect of supervisory tools and supervisory procedure into account when performing its duties. To this end, the FMA shall participate in the activities of the EBA and apply the Guidelines, Recommendations, Standards and other measures passed by the EBA. The FMA declared itself as “fully compliant” with regard to the LO-GL on 21.08.2020. The FMA declared itself as “fully compliant” with regard to the NPE-GL on 04.06.2018. 5 The FMA is “fully compliant” with the IG-GL in both its previous and new versions with the exception of the requirements for the independence of the nomination committee. 6 The FMA declared itself as “fully compliant” with regard to the OUTS-GL on 30.09.2019. 7 The FMA declared itself as “fully compliant” with regard to the CL-GL on 17.11.2017. The FMA declared itself as “fully compliant” with regard to the AF-GL on 19.08.2015.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 4 The explicit references in these FMA-MS-K Minimum Standards to the further￾reaching requirements in the aforementioned EBA Guidelines are intended to serve towards a better understanding of the overlaps in the regulations, but should not however be considered as an exhaustive list. With regard to the aforementioned EBA Guidelines, the LO-GL in particular should be highlighted. These Guidelines apply equally to competent supervisory authorities and supervised credit institutions, and have applied since 30.06.2021. The LO-GL contain inter alia special requirements for the granting of credit to consumer and microenterprises and small enterprises. Furthermore, the LO-GL also sets out specific requirements for the management of all credit risks – independent of the granting of credit, with the exception of debt securities, debt securities and securities financing transactions (see Chapters 4 and 8 LO-GL). The scope of application of the FMA-MS-K remains unaffected by this. 2. These FMA Minimum Standards shall not prevent credit institutions from setting stricter standards. Other FMA Minimum Standards shall remain unaffected. The FMA would like to point out that the specific format of the requirements are the members of the management board’s personal responsibility as stated in particular in Article 39 paras. 1 and 2 BWG; in particular, they shall be guided by the size and nature of the credit institution, as well as the nature, scope, complexity and risk level of its business activities. Therefore, based on the banking law requirements pertaining to the due diligence to be exercised by the management board members in particular, it may be necessary to go beyond the supervisory expectations set out here in the FMA-MS-K. 3. The objective of these minimum standards are uniform standards for credit risk management. This shall be accompanied by an adequate limitation of counterparty risks, the enhancement of risk management, the avoidance of conflicts of interests, the strengthening of risk (cost) awareness as well as increased efficiency of internal processes. These FMA Minimum Standards do not stipulate the circumstances and conditions under which (sub-)segments of lending business or of other transactions entailing counterparty risks may be outsourced. The scope of application of these minimum standards also extends to cases where such transactions are fully or partly outsourced to third parties. 4. The FMA Minimum Standards take the heterogeneous structure of credit institutions and the diversity of lending business into account since the methods included shall be deemed as supervisory expectations for achieving the intended objectives. Irrespective of this, the requirements set out in the LO-GL are in any case observed. When drawing up the FMA-MS-K, the heterogeneous structure of credit institutions and the diversity of lending business were sufficiently taken into

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 5 account by ensuring the corresponding flexibility, adequacy and proportionality of the supervisory expectations. The Minimum Standards also make sure that the design remains flexible with regard to the ongoing development of the processes, systems and procedures in lending business. 2 SCOPE AND DEFINITIONS 5. These minimum standards shall apply to all credit institutions licensed to carry out one or more banking activities listed in Article 1 para. 1 nos. 1 to 12 and nos. 15 to 18 BWG. In applying Chapters 5 and 6 for credit institutions with a total risk exposure pursuant to Article 92 (3) of Regulation (EU) No 575/2013 (CRR)9 of less than EUR 375 million as of the last balance sheet date, a proportional implementation, and that therefore deviates from the rules contained in these chapters, is therefore permissible to the extent that the continuing fulfilment of the objective of these chapters is ensured, where permitted by the nature, scope and complexity of their conducted lending transactions. The due diligence requirements pursuant to Article 39 paras. 1 and 2 BWG shall in any case apply to the management board members of all credit institutions. The FMA-MS-K shall not apply to the following credit institutions due to their specific business activities:

• Investment fund management companies as defined in Article 1 para. 1 no. 13 BWG,
• Real estate investment fund management companies as defined in Article 1 para. 1 no. 13a BWG,
• Corporate provision funds as defined in Article 1 para. 1 no. 21 BWG,
• Out-and-out exchange bureaux as defined in Article 1 para. 1 no. 22 BWG,
• Payment institutions that only conduct money remittance business pursuant as defined in Article 1 para. 2 no. 6 of the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018). Such credit institutions have been exempted from its scope, as they do not conduct "lending business" as defined in these Minimum Standards when performing their specific business activities and therefore the supervisory expectations would not be appropriate.

6. The FMA-MS-K also cover Austrian credit institutions where they are active in other Member States (Article 2 no. 5 BWG) under the freedom to provide services and/or the freedom of establishment (Article 10 BWG).

9 Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 646/2012, OJ L 176, 27.6.2013, p. 1, as amended.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 6 7. Pursuant to Article 4 (3) of Regulation (EU) No 1024/2013 (SSM-R)10 within the scope of its competence for the supervision of significant credit institutions as defined in Art. 6 (4) SSM-R, the ECB shall apply all relevant Union law. Where the Union law consists of Directives that have been transposed into national law, then it applies the national legislation, by which these Directives have been transposed. The ECB is not however bound to observe soft law instruments under national law, under which the FMA-MS-K also falls. While it remains the ECB’s discretion, regarding the interpretation of national law, whether it also chooses to apply it in the prudential supervision of significant credit institutions, there is no obligation to do so. The FMA-MS-K are therefore in any case applicable to less significant credit institutions. The decision regarding the extent to which the FMA-MS-K shall also be applicable for significant credit institutions is the responsibility of the ECB. 8. The supervisory expectations for strategic framework conditions as well as for risk management also related to group risk management in groups of credit institutions (Article 30 paras. 7 and 8 BWG). With regard to the application to group risk management in groups of credit institutions where parts of this group are domiciled in other Member States or third countries, it must be noted that the supervisory expectations contained in these Minimum Standards cannot apply if the legal systems of the countries of incorporation contradict such expectations. The FMA-MS-K shall not apply to subordinated credit institutions domiciled abroad. Any obligations required to be met in conjunction with the consolidation of credit institutions are excluded from this exception. Regardless of whether only the supervisory expectations for groups of credit institutions concerning strategic framework conditions (Chapter 3) and risk management (Chapter 6) are relevant with regard to group risk management are relevant, it is necessary to emphasise that the due diligence obligations pursuant to Article 39 BWG shall also apply to managers of superordinate credit institutions in relation to groups of credit institutions (cf. Article 30 para. 6 BWG). However, the FMA maintains the view that the responsibility does not include the risk management of the individual credit institution belonging to a group of credit institutions. The superordinate credit institution is in the position to summarise, assess and manage the risks of the individual banking subsidiaries, including its own risks (cf. Article 30 para. 8 in conjunction with Article 39 paras. 1 and 2 BWG). The group-wide system shall primarily focus on the risks at portfolio level.

10 Regulation (EU) No 1024/2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions; OJ L 287, 29.10.2013, p. 63, as amended.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 7 9. The scope of these Minimum Standards shall apply to all transactions entailing counterparty risks. For the purpose of these Minimum Standards, counterparty risks shall mean the risks of a counterparty's partial or complete default, taking into account any existing country risks; these risks may take effect both with on-balance sheet transactions (asset items of the balance sheet) and off-balance sheet transactions and special off-balance sheet transactions. For the purpose of these Minimum Standards, all transactions entailing counterparty risks shall be called "credit transactions". The term "counterparty risks” used here is more comprehensive than the term "credit risk" as defined in Article 4 para. 1 KI-RMV. While “credit risk” as defined in the KI-RMV is the exposure consisting in the danger of a partial or complete default on contractually agreed payments, the term "counterparty risks" covers all risks due to defaults of counterparties, not only in the case of credit transactions. For the sake of simplicity, however, and for the purposes of these FMA- MS-K, all transactions entailing counterparty risks shall be called "credit transactions". 10. Any decision on new loans, overdrafts, loan increases, extensions, deferrals and other risk-relevant decisions in connection with credit transactions, irrespective of whether they are made only by the credit institution itself or jointly with other credit institutions (e.g. syndicated lending) shall be deemed a "lending decision" within the meaning of these Minimum Standards. Furthermore, the setting of borrower-related limits and the decision on participating interests shall also be deemed lending decisions. The definition of counterparty limits for trading transactions as well as the setting of issuer limits of credit institutions shall also be deemed lending decisions. With regard to participating interests, it has to be mentioned that only participations held as a substitute for loans are fully covered in the FMA-MS-K, whereas strategic participations are not. However, the supervisory expectations in relation to the risk strategy and risk management and risk controlling refer to all participations. In this case, there is no differentiation regarding whether or not the participations are securitised. Decisions about loans to strategic participations are fully covered in the FMA-MS-K. Decisions on collateral or the purpose of use, for example, may be considered "other risk-relevant decisions in connection with credit transactions".

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 8 3 STRATEGIC FRAMEWORK CONDITIONS 3.1 RESPONSIBILITY OF MANAGEMENT BOARD MEMBERS 11. With regard to lending business and other transactions entailing counterparty risks, management board members shall be responsible for the strategic framework conditions, the proper organisation, the structuring of the processes of granting and processing loans and their subsequent development as well as the proper risk management and risk controlling of lending business within the scope of Article 39 BWG. The management of counterparty risks should be incorporated appropriately into a comprehensive bank-wide risk management procedure. The procedure addresses interdependencies between different types of risk (counterparty risk, market risk, liquidity risk, operational risk etc.). For credit transactions that fall within the scope of application of the LO-GL, para. 25 of the LO-GL shall apply in this context. 3.2 RISK STRATEGY 12. Within the scope of the business strategy, the management board members shall also define a risk strategy. In this context, risk strategy shall mean a forward-looking, written definition of risk parameters to be achieved by the credit institution. This definition shall be based on the analysis of the initial situation and the assessment of the risks associated with lending business, taking into account the risk-bearing capacity of the credit institution. The responsibility for the risk strategy must not be delegated. The development of the counterparty risk shall be planned based on the risk strategy, continuously adapted based on current data and co-ordinated with the ongoing development of the risk-bearing capacity. The methods for determining the risk-bearing capacity may include, for example:

• orientation towards regulatory provisions under banking law,
• methods based on the profit and loss account,
• methods based on the balance sheet,
• methods based on the profit and loss account and the balance sheet,
• methods based on the market value. The appropriateness of the risk strategy shall depend on the size and nature of the credit institution as well as on the nature, scope, complexity and risk level of the credit transactions in particular. The credit institution shall be responsible for the detailed design of the risk strategy.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 9 Supporting sector-wide risk strategies may only partially cover this issue. The decision on risk strategy lies with the management body, and may not be delegated. Delegation of the preparation of the decision, however, may be delegated. For credit transactions that fall within the scope of application of the LO-GL, para. 25a of the LO-GL shall apply in this context. 13. The risk strategy shall cover the entire lending business, taking into account the nature, scope and risk level of the transactions. This shall comprise, for example, the planning according to credit types, industry focuses, geographic dispersion (including regions, countries) and the distribution of the exposures in the risk classification procedure as well as according to size categories. Parallel risks (Article 39 para. 1 BWG) shall be considered and adequate attention paid to limiting them. The items listed in sentence 2 shall be understood as examples. It is the credit institution's responsibility to specify towards which categories the risk strategy is to be oriented; this will depend on the business structure of the credit institution in particular. The segmentation criteria have a logical and appropriate connection with the intended goals and core business areas. When designing the risk strategy, macroeconomic aspects, in particular the economic situation, shall be adequately taken into account. For credit transactions that fall within the scope of application of the LO-GL, paras. 34-37 of the LO-GL shall apply in this context. 14. When defining the risk strategy, the staff capacities necessary for its implementation as well as the technical and organisational facilities shall be taken into account. For credit transactions that fall within the scope of application of the LO-GL, paras. 79 et seq. of the LO-GL shall apply in this context. 15. The management board members shall be responsible for the proper implementation of the risk strategy. They shall review and as necessary adapt the risk strategy on an annual basis. The credit institution's supervisory body under company law shall be informed of the risk strategy and any amendments to it. "Supervisory body under company law" within the meaning of these Minimum Standards shall mean the supervisory board or the supervisory body competent under the law or the articles of association. It is deemed appropriate to document the submission to the supervisory body under company law. The annual review shall not affect the specification of the planning period of the risk strategy.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 10 For credit transactions that fall within the scope of application of the LO-GL, para. 25 of the LO-GL shall apply in this context. 16. The definition of the risk strategy and any amendments to it shall be documented in a verifiable manner and communicated within the credit institution in an appropriate manner. 3.3 NEW TYPES OF BUSINESS TRANSACTIONS 17. Prior to taking up new types of business transactions – in new products, types of transaction or in new markets (including new distribution channels) – a corresponding plan shall be drawn up and put down in writing. The plan shall be based on the findings of the analysis of the risk level of these new types of business transactions and the resulting effects on the processes of lending and loan processing, on risk management and risk controlling as well as on the risk strategy. The credit institution shall be responsible for designing the plan, which shall follow the principle of proportionality, i.e. it shall be dependent on the complexity and risk level of these new types of business transactions as well as existing business. If the new business is initiated and arranged by a third party, in particular by a central unit, and the credit institution is mainly involved in the distribution, parts of the supervisory expectations laid down in this chapter may be met by the initiator. In this case, the supervisory expectations laid down in this point shall be met if the distributing credit institution has ascertained that the initiator meets the supervisory expectations. Parts of the supervisory expectations may also be covered by a general product launch process, including such processes that are performed once per product in a group of credit institutions. 18. The plan shall present the major impacts associated with the taking up of business in terms of economics, staff, organisation, IT, accounting and law that are of considerable significance. When drawing up the plan, the respective units shall be involved. Against the background of paras. 18 - 21 of the “FMA Minimum Standards on the Internal Audit Function” (hereinafter referred to as FMA-MS-IR) the internal audit function shall not be responsible for the drawing up of such plans. The internal audit function shall only be permitted to be involved in an advisory capacity to the management body, provided that the advisory role of the internal audit function is defined in writing and is clearly separated from the responsibility for the drawing up of plans. Regarding new types of business transactions for which there is no experience about the risks that they entail, due consideration shall be given to the security of moneys entrusted to the credit institution by third parties and the preservation of own funds (Article 39 para. 1 BWG). In addition, administrative, accounting and control procedures shall be established that permit the recording and evaluation

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 11 of potential risks resulting from such new types of business transactions to as great an extent as possible (Article 39 para. 2 BWG). 19. Approval of the plan shall be obtained from the member of the management board responsible for back office matters. The approval may be delegated within the sphere of back office in consideration of the risk level, provided that clear guidelines have been issued for this purpose and the directors are informed about the decisions. A suitable reporting procedure shall be established in the case of delegation. The product catalogue shall be presented to the management board members. 4 ORGANISATION 4.1 INTERNAL GUIDELINES 20. The management board members shall make sure that lending business will only be carried out under framework conditions that are specifically laid down in internal guidelines. For credit transactions that fall within the scope of application of the LO-GL, para. 25 lits. d and e of the LO-GL shall apply in this context. 21. The internal guidelines shall be defined in writing, be written clearly and comprehensibly and the current version communicated to the employees concerned in an appropriate manner. The management board members shall make sure that the internal guidelines are reviewed annually, and adapted as necessary. Of course, the specific review as to whether the internal guidelines are up-to-date may be delegated. The management board members shall make sure that the need for updating is afforded consideration on a regular basis and that proposals for updates are submitted. For credit transactions that fall within the scope of application of the LO-GL, paras. 34 and 43 of the LO-GL shall apply in this context. Furthermore, the provisions contained in paras. 231 to 234 of the IG-GL are also addressed. 22. Taking into account the nature, scope, complexity and risk level of the lending business, the internal guidelines shall refer to the following areas in particular: a. rules governing the assigning of tasks, the assignment of competencies and monitoring; b. instructions and processing principles for the processes of lending, further processing of loans, monitoring of loan disbursements, intensified handling and dealing with problem loans as well as risk provisioning;

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 12 c. instructions and processing principles for the processes of risk analysis and for risk classification procedures to assess the counterparty risk and, if necessary, the sectoral risk as well as the country risk and the specific risk associated with property/project financing; d. creating, valuing, examining, administrating and liquidating collateral; e. ongoing assessment of the exposures, particularly with regard to any necessary risk provisioning measures; f. monitoring the timely submission and ensuring the timely evaluation of the documents required for the assessment of the counterparty risks plus the dunning procedure for missing documents; g. handling of overdrafts and arrears along with the dunning procedure; h. early detection, recording, presentation, aggregation, planning, managing, limiting and monitoring of counterparty, as well as, where applicable, sectoral risk, country risk and other concentration risks, i. early detection, recording, presentation, aggregation, planning, managing, limiting and monitoring of specific risks in the case of property/project financing and complex financing structures (e.g. ABS, CMBS, leveraged transactions), j. reporting; and k. IT processes. The adequacy of internal guidelines as well as which different risks in lits. c, g and h shall be considered to what extent depends in particular on the size and nature of the credit institution as well as on the nature, scope, complexity and risk level of its credit transactions. The credit institution shall be responsible for the detailed design of the internal guidelines. 4.2 ORGANISATIONAL STRUCTURE 4.2.1 FUNCTIONAL SEPARATION 23. The key principle for defining the processes in lending business shall be a clear functional separation of the following spheres:

• “Front office” (Markt): units that initiate transactions and have a vote in lending decisions.
• “Back office” (Marktfolge): units that cannot be assigned to the front office sphere, and which have a further vote in lending decisions independent of that of the front office sphere. The term “vote” means a consenting or rejecting view about an application for a loan, given following the processing of application in an orderly manner that is considered as preparation for a lending decision. The vote itself does not constitute the lending decision, but considered as a preparatory action for it. Therefore, the competence for passing a lending decision may differ from the voting competence.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 13 There is a formal separation into front office and back office. The aim of this functional separation in particular is to develop risk management further, with the principal focus being on avoiding clashes of interests. Earnings-based interests should upstage risk-based interests; both interests should enjoy equal standing and complement each other, which should result in lending decisions being taken objectively. Within the respective front office and back office spheres, the credit institutions shall be responsible for their structural organisation. Risk controlling duties (cf. Chapter 6) are conducted by back office and not by front office. In light of the complexity and risk level of the transactions, in some large credit institutions, division into three parts (front office, back office and risk controlling) may be appropriate on the basis of Article 39 paras. 1 and 2 BWG. Decisions involving the supervisory body under company law shall not affect this functional separation, i.e. the functional separation of the management body should also be taken into account with these decisions. The supervisory body's consent shall not be a substitute for the back office’s vote. Parts of the back office function may in particular in the case of centrally organised credit risk control units that are established outside the credit institution, provided the same purpose, namely avoiding conflicts of interests, is served and the ultimate responsibility for the lending decision remains with the directors. The FMA’s view is that functional separation does not conflict with the mandatory requirements under company law. The supervisory expectation regarding functional separation shall not apply to units required under company law to be assigned to the management body as a whole. Furthermore, the collective responsibility of the management body under company law and the management board members' comprehensive supervisory powers stipulated by company law shall not be affected either. The possibility of the entire management board to take charge of areas of responsibility at any time does not contradict the FMA-MS-K. 24. The front office sphere is separate from the back office sphere in terms of organisational structure. The separation of both spheres must also be taken into account in the event of deputisation. A regulation on representation within the meaning of this clause may be stipulated both at a horizontal and vertical level. It should be designed in such a way that the functional separation will also be maintained in the event of deputisation. This shall apply for any case of deputisation, not just in the case for the first instance of deputisation. The functional separation shall exist up to and including the level of the management board members. The credit institution shall have adequate IT procedures, systems and competences in order to be able to ensure the functional separation.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 14 25. The following tasks shall be performed outside the area of front office: a. Responsibility for the development and quality of the processes and sub-processes of lending and loan processing (points 33 & 34), b. Defining and regularly reviewing the criteria for the reclassification of exposures as requiring intensified handling or processing of problem loans (point 37), c. definition of guidelines for risk analysis and monitoring that they are observed (point 52); d. Valuation of the collaterals defined pursuant to point 45, e. Responsibility for the development, quality and monitoring of the application of the risk classification procedures (points 33 & 34), f. Responsibility for the restructuring or liquidation process or for the monitoring of such processes (point 60); g. preparing the decision on the amount of risk provisioning or the write￾down for certain exposures (point 63); h. Risk controlling tasks (point 65), in particular drawing up the risk report (point 75), i. Involvement of an expert body in the reviewing of loan documentation (Point 40), j. Strategic risk management tasks, k. Second voting regarding the credit decision (point 27). Assigning certain tasks to a unit that is independent from the sphere of “front office”, such as responsibility for the development of certain processes, the drawing up of guidelines or the development of criteria, shall not affect the responsibility and any existing decision-making competences of the management body as a whole. This rather refers to the possibility to create "departmental competencies" as established under stock corporation law. Outside of the supervisory expectation stated in point 25 regarding the allocation of duties, there is also a far-reaching leeway with regard to allocation to one or other of the spheres, provided that the avoidance of conflicts of interest in ensures by means of the allocation of duties. In decentralised sectors and groups of credit institutions, some of the tasks listed in point 25 are to a certain extent handled by centralised units. Provided competences are also centralised outside the “front office” sphere, it may be assumed that the aforementioned supervisory expectation has been met. It should not be excluded in the event of such an allocation of duties that the front office know-how will be appropriately incorporated into the processes. 26. In the case of trading transactions, the front office sphere’s vote may be exercised by the trading division while setting counterparty limits; in this case, the orderly reviewing of counterparty risks must also be ensured. The same shall apply in setting issuer limits for trading transactions. When dealing with counterparty and issuer limits, it shall be ensured that the separate limits from the credit and trading units are combined in an orderly

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 15 manner to create a total limit. All types of trading positions and participating interests shall be included – in the case of the latter including both strategic interests and participating interests substituting for loans. Conversely, the vote of the “trading unit” shall not be exercised by the “back office”. 4.2.2 VOTING 27. As a rule, a lending decision shall also require a positive vote from “back office” in addition to a positive vote from the “front office” sphere. As in the case of functional separation, the main priority here is to avoid any clashes of interests and to strengthen the quality of the lending decision through a standardised inclusion of risk aspects. The credit institution alone shall be responsible for the specific design of the risk strategy. For example, “front office” passing on a complete loan application to “back office” may be seen to be its affirmative vote. Exceptions are only possible in the cases covered by points 29 and points 60. The vote of “back office” is based on the assessment of the loan application both with regard to the borrower (e.g. credit quality, unsecured exposure) as well as with regard to their business as a whole (e.g. sectoral or country limits). Any further-reaching provisions on adopting resolutions, for example, pursuant to the Aktiengesetz (AktG; Stock Corporation Act)11, Gesetz über Gesellschaften mit beschränkter Haftung (GmbHG; Act on Limited Liability Companies)12 , Genossenschaftsgesetz (GenG; Cooperative Association Law)13, the Banking Act (BWG; Bankwesengesetz) or the articles of association shall remain unaffected. In particular, this concerns the dual control principle set out in law in Article 5 para. 1 no. 12 BWG. 28. Clear and unambiguous rules are defined for lending decisions that either lead to the loan being granted or rejected, or to the lending decision being escalated to a higher level of competence. Across all levels of decision￾making – including at the level of the management board members – and in particularly in the case of decisions taken by a committee (e.g. the lending committee) suitable rules shall ensure that a positive lending decision shall not be able to be made in the case of a negative vote by the respective “back office” decision-makers involved. Where there is a lending committee, in which the director of the back office unit is a member, and whose vote is necessary for a decision to be obtained that the

11 Federal Act on Stock Companies (AktG; Aktiengesetz), published in Federal Law Gazette no. 98/1965 as amended. 12 Act of 6th March 1906, on limited liability companies (GmbHG; GmbH-Gesetz), published in Reich Law Gazette No. 58/1906 as amended. 13 Act on commercial and industrial cooperative societies (GenG; Genossenschaftsgesetz), published in Reich Law Gazette No. 70/1873, as amended.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 16 aforementioned shall only apply up to the level of the lending committee, but not above it. Decisions in the escalation procedure must be documented and justified. Lending decisions taken at director level, that are made despite a negative vote by the “back office” decision-makers shall be documented and justified in the risk report and are regularly brought to the attention of the supervisory body. 29. For lending decisions regarding certain types of transaction with a low risk level or credit transactions below certain amounts, determined based on their risk level, the directors may determine that only the vote of the “front office” is necessary. These definitions shall be explained in the internal guidelines. The organisational separation between “front office” and “back office” shall remain unaffected. In this case, proportionality shall be considered, i.e. the definition of “low risk profile” is appropriate in relation to the risk bearing capacity of the institution. When defining “low risk profile”, the following parameters shall in any case be taken into account:

• historic experience of default and need for write-downs,
• the rating of the borrower,
• (Unsecured) exposure amount,
• type of transaction
• the risk bearing capacity of the bank
• involvement of the risk management function in the identification and monitoring of risk (drawing up a rating, loan origination standards, valuation of collaterals, early-warning system, drawing up of standard loan contracts). The following types of lending business will require separate votes from “front office” and “back office”:
• Transactions with customers in the pre-default class/es.
• Non-standard types of transactions or products (e.g. project financing, speculative immovable property financing, start-ups) as well as loans that are under intensified handling. The customary banking principle of dual control shall also by observed below the threshold for double voting. 4.3 EMPLOYEES

30. The employees entrusted with the individual processes of lending business as well as their deputies shall have the necessary expertise for assessing the risks of credit transactions. Suitable training and education programmes shall ensure that their level of qualification corresponds to the current state-of-the-art. Suitable measures, especially deputisation rules, shall be taken to make provisions for unforeseen staff absences. The

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 17 structuring of the remuneration and incentive systems shall not contradict the goals laid down in the FMA-MS-K, in particular the objective of avoiding clashes of interests. For credit transactions that fall within the scope of application of the LO-GL, paras. 66 and 79-83 of the LO-GL shall apply in this context. 4.4 TECHNICAL AND ORGANISATIONAL RESOURCES 31. The capacity of the technical and organisational resources, in particular IT systems, shall be appropriate for the nature, scope, complexity and risk level of the transactions. The functioning of the IT systems, IT and computer processes, databases and contingency plans as well as the quality of the data contained in these databases shall be reviewed on a regular basis and suitable measures shall be taken to ensure this functional viability. For credit transactions that fall within the scope of application of the LO-GL, paras. 60, 61, 240, 243, 246, 247, 249 and 269 of the LO-GL shall apply in this context. 4.5 DOCUMENTATION 32. The credit documents necessary for the initial and ongoing evaluation of the transactions shall be written systematically and in a way that is easily verifiable by third-party experts and kept in accordance with the documentation requirements. It shall be ensured that the documents are kept up-to-date and complete. 5 GRANTING AND PROCESSING OF LENDING TRANSACTIONS 5.1 GENERAL 33. The processes for the granting and processing of lending transactions as well as the related duties, competencies and responsibilities shall be clearly defined and co-ordinated. 34. The responsibility for the development and quality of these processes and sub-processes shall lie outside the sphere of “front office”. 35. The level of detail of all the process documentation (including ongoing reviews under point 40) shall be sufficient so that a expert third party is able to check whether the expectations set out in the FMA-MS-K as well as the LO-GL have been observed.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 18 For credit transactions that fall within the scope of application of the LO-GL, para. 38 LO-GL and the requirements set out in Annexes 1 to 3 of the LO-GL shall apply in this context. 36. The internal guidelines contain different processing principles structured both by types of transaction, the borrowers’ creditworthiness as well as by limits (limit of lending amount, borrower’s limit, limit in relation to a group of connected clients). The types of transaction, for example, may be differentiated by consumer loans, investment financing, property development financing, property/project financing, participating interests substituting for loans etc. 37. The definition and the regular review of the criteria governing the reclassification of exposures as requiring intensified handling or problem loan processing must lie outside the front office. “Front office” know-how may contribute to the definitions in an evidence-based and appropriate manner. 38. The decision-making hierarchy shall define the criteria for assigning the decision on an exposure to a certain decision-making level. The criteria for assigning the decision to a certain decision-making level may include, for example, the risk classification, the type or amount or the transaction, and the collateralisation of the credit transaction to be approved. 5.2 LOAN ORIGINATION 39. The loan origination process encompasses all steps of required operations up until the provision of the loan, for fulfilling the contract or establishing a line of credit. All significant criteria for assessing the counterparty risk will be subjected to an appropriate risk analysis. 40. Contractual agreements in lending business shall be concluded based on legally validated and correct documentation. Legally validated standard texts shall be used for individual loan agreements that are updated on an ongoing basis. Where a deviation from the standard texts is necessary for credit transactions, defined in accordance with their nature, complexity and risk level, for example in the case of customised agreements, a review shall be conducted by an expert body prior to concluding the agreement. The expert body shall possess the required expertise for assessing the risk associated with the deviation from the standard text. Precise legal knowledge, knowledge of the internal guidelines and procedures as well as the ability to assess risks for the credit institution are prerequisites. The expert body may be, for example, the legal department of the credit institution or an external body that is independent from the borrower (e.g. a lawyer).

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 19 For credit transactions that fall within the scope of application of the LO-GL, para. 198 LO-GL as well as Annexes 1 to 3 of the LO-GL shall apply in this context. 5.3 RISK ASSESSMENT 5.3.1 CHECKING OF CREDITWORTHINESS AND COLLATERAL VALUATION 41. An adequate risk analysis of the qualitative and quantitative aspects significant for the counterparty risk of a credit transaction shall be carried out based on criteria defined by the credit institution, with the intensity of this activity depending on the nature, scope, complexity and risk level of the commitment. High-risk features of the exposure shall be highlighted and, if necessary, displayed under the presumption of various scenarios. The documents used for the assessment shall be reviewed by the employees responsible for the assessment. In the case of subsidised loans and loans extended by building societies, specific characteristics resulting from the subsidy shall be taken into account. In the case of terms being changed subsequently, especially those in consumer loans – the requirements set out under consumer protection law shall be considered, which naturally remain unaffected by these FMA Minimum Standards. In the case of non-standardised business processes or exposures with a high amount of risk, it is particularly important to depict various scenarios. “Various scenarios” shall include, in particular, worst-case scenarios. Irrespective of this, the sensitivity analyses stipulated in Section 5.2 of the LO-GL must also be applied. For credit transactions that fall within the scope of application of the LO-GL, Chapters 5.1 and 5.2 LO-GL as well as the requirements set out in Annexes 1 to 3 of the LO-GL shall apply in this context. 42. The value and enforceability of collateral shall generally be assessed before a lending decision is made. Existing information on collateral values may be used if there is no indication of changes in value. An automatic update of collateral values without an explicit review shall not be considered sufficient. For credit transactions that fall within the scope of application of the LO-GL, Chapter 7 as well as paras. 137, 163, 179 and 180 of the LO-GL shall also apply in this context. 43. If the value of collateral depends significantly on the financial situation of a third party, the creditworthiness of the third party shall be reviewed. The value of collateral depends on a third party especially in the case of a guarantee, a letter of comfort or a collateral promise.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 20 When taking personal collaterals into account in internal risk management, in contrast to real collaterals, the probability of default of the protection provider shall be applied. For credit transactions that fall within the scope of application of the LO-GL, para. 100 of the LO-GL shall also apply in this context. 44. In such cases that external bodies are consulted for the risk analysis, they shall be required to possess the necessary general and specific expertise. For credit transactions that fall within the scope of application of the LO-GL, para. 211 of the LO-GL shall also apply in this context. In this context it is also necessary to refer to para. 70 of the OUTS-GL. 45. The types of collateral accepted by the bank and the procedures and systems for calculating the value of each type of collateral shall be set out clearly in the internal guidelines. The assessment of certain collateral in accordance with its risk profile that has been specified with regard to the risk situation of the credit institution shall not be carried out by front office. The criteria for determining the risk level of collateral can be, for example: amount of coverage, legal enforceability, possibility of liquidation. The values of collaterals and lending values are calculated in a consistent manner (using market-typical valuation procedures) and documented in a plausible manner, and regularly validated, and which reflect the expected proceeds of their disposal. 46. The risk analysis results shall principally be taken into account when defining terms and conditions. For credit transactions that fall within the scope of application of the LO-GL, Chapter 6 of the LO-GL shall also apply in this context. 5.3.2 RISK CLASSIFICATION PROCEDURES 47. The credit institution shall establish meaningful risk classification procedures for the initial, routine or ad-hoc assessment of counterparty risk and the allocation to a risk class. The internal guidelines shall define criteria that ensure that - in the course of their assessment - risks are logically assigned to a risk class. Provided that, and to the extent that, sectoral procedures correspond to the FMA￾MS-K and are actually applied by the individual credit institution, the supervisory expectation is also met at the level of individual credit institutions. 48. It shall be ensured, where applicable, that any sectoral and country risks as well as specific risks in relation to property/project financing are suitably assessed within the risk classification procedures.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 21 49. The key indicators for determining counterparty risk in the risk classification procedure must also include qualitative criteria (soft facts) wherever possible and meaningful to do so in addition to quantitative criteria. Risk classification procedures take into account all the criteria regarding credit quality that are available to the institution. Where correlated risk factors are present, those that affect the stability or selectivity of the model used may not be used. All criteria and their interplay with one another shall be documented in a plausible manner. For credit transactions that fall within the scope of application of the LO-GL, para. 265 of the LO-GL shall also apply in this context. 50. All risk classification procedures as well as their outcomes will be validated at regular intervals using market-typical quantitative and qualitative methodologies at the level of the credit institution that applies them. Where the portfolio of a credit institution applying them is too small to conduct a quantitative validation, then such a validation may be conducted jointly for several institutions. The qualitative validation in this case also encompasses some aspects of the rating process, such as reviewing of data quality, and the quality of the applied rating (including the age of the rating, the correctness of segmentation, overrides or ensuring that the default event is detected correctly). If the validation process is performed by an external body, then the credit institution shall in any case conduct a plausible internal appraisal, and take necessary measures. 5.4 FURTHER PROCESSING OF LOANS 51. The further processing of loans is intended to monitor whether the borrower is fulfilling the terms of the contract. In the case of special￾purpose loans, the institution shall monitor whether the funds made available are being used as agreed (monitoring the loan purpose). The earmarking of the funds is deemed to exist in the case that the borrower is contractually bound to use the funds made available for a specific purpose, e.g. in the case of subsidised loans or property/project financing, and in such cases that the available funds for items that simultaneously serve as collateral for the exposure. For credit transactions that fall within the scope of application of the LO-GL, para. 251 of the LO-GL shall also apply in this context. 52. On at least an annual basis, the counterparty risk of each borrower shall be subject to an appropriate risk analysis, with the intensity of the analysis dependent on the risk level of the exposure. The rating shall in any case be updated. For credit transactions that do not fall within the scope of para. 29, in addition a review of the performance to date

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 22 (above all risk-relevant aspects such as the development of credit quality, payment history, value of collaterals or macroeconomic development) as the forecast and the exposure strategy. The nature and scope of the risk assessment are defined by the credit institution in the internal guidelines. The risk analysis about risky exposures should include case-by-case documentation about compliance with the corresponding analysis rules. For credit transactions that fall within the scope of application of the LO-GL, paras. 257 and 260 of the LO-GL shall apply in this context. 53. The value of collateral shall be examined at suitable intervals during the further processing of loans. The schedule for examining the individual types of collateral shall be defined in the internal guidelines. In the case of the borrower defaulting, the value of a collateral shall be updated by means of an valuation relating to the case in hand, and subsequently updated again on an annual basis, until the default status has ended. In this context, Chapter 9 of the NPE-GL shall also apply. For credit transactions that fall within the scope of application of the LO-GL, Chapter 7 of the LO-GL shall also apply. 54. Ad-hoc risk analyses of exposures, including collateral, shall be conducted immediately whenever the credit institution receives information from internal or external sources that indicate a substantial adverse change in the risk assessment of the exposures or the collateral. 55. The timely presentation of the documents required to assess the counterparty risk shall be monitored and their evaluation in a timely manner shall be ensured. The specific deadlines are defined in the internal guidelines. A dunning procedure shall be instituted for documents that have not been submitted. 5.5 MONITORING OF LOAN DISBURSEMENTS 56. For loan processing, control measures shall be established to ensure that the conditions for disbursement are met. In particular, it shall be checked whether the specified decision-making hierarchy has been adhered to and whether the requirements and/or conditions set forth in the loan agreement were met before disbursement. The checking of the conditions shall also include that the necessary internal formal and material review steps were taken, and that approvals are duly present, even where they are not part of the loan agreement. The organisational structure shall designed in such a way that there is a functional separation that is suitable for avoiding conflicts of interest between the organisational unit that initiates the transaction and the organisational unit that releases the disbursement.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 23 The results of the loan disbursement monitoring shall be documented. 5.6 INTENSIFIED HANDLING 57. Intensified handling shall mean in particular that special attention shall be paid to credit transactions whose risk assessment has changed for the worse due to specific reasons but which should not yet be considered bad loans. The internal guidelines shall include criteria that specify in what event an exposure shall be given special attention with respect to the risk level. In this context paras. 272, 274 and 275 of the LO-GL shall apply. In addition, the following criteria shall also be applied: a. reluctant submission of accounting documents and/or false and incomplete data; b. bill or cheque protests; c. a loss event on the borrower’s side with material repercussions; d. external market information about changes that have occurred or are imminent, that may substantially worsen creditworthiness; e. classification as a forbearance measure pursuant to Article 47b CRR (“forborne”). In addition, Section 4 of the AF-GL is relevant for consumer lending under the Mortgage and Immovable Property Credit Act (HIKrG; Hypothekar- und Immobilienkreditgesetz)14 . 5.7 DEALING WITH PROBLEM LOANS 58. Loans shall be in any case considered as problem loans where they satisfy the definitions in the NPE-GL of non-performing loans (NPLs) or non￾performing exposures (NPEs). The NPE-GL shall be applied for such loans in accordance with the scope of application defined therein. In addition, the credit institution may also define additional criteria with regard to which loans are considered to be problem loans. 59. The internal guidelines shall define the criteria governing the transferring of non-performing exposures to the employees, divisions or external experts specialising in restructuring or liquidation of them, or their involvement (dealing with problem loans). The possibility exists to outsource restructuring and liquidation functions to external experts. In particular, the credit institution shall continue to possess the necessary know-how and adequate resources, to be able to assess the work of external experts with regard to its quality and plausibility. The relevant provisions regarding outsource shall be observed.

14 Mortgage and Immovable Property Credit Act (HIKrG; Hypothekar- und Immobilienkreditgesetz), published in Federal Law Gazette I No. 135/2015 as amended.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 24 In addition, Section 4 of the AF-GL is relevant for consumer lending under the HIKrG. 60. The responsibility for the restructuring or liquidation process or the monitoring of these procedures shall be performed outside of the sphere of “front office”. In this context, para 63 of the NPE-GL shall also apply. Lending decisions regarding dealing with problem loans, irrespective of their risk profile, may be taken based solely on the vote of the back office area, provided doing so was defined beforehand by the credit institution. 61. If, following a thorough examination, the credit institution decides to restructure the exposure, the parties involved in the restructuring shall develop and implement a restructuring plan. The implementation of the restructuring strategy and the effects of the measures shall be monitored. The credit institution’s decision as to whether the exposure shall be restructured or liquidated as well as the decision with whom to co-operate in the restructuring or liquidation phase remain unaffected by the FMA-MS-K. A “restructuring plan” is a plan for the restructuring of the exposure, either as a standardised plan, or drawn up on for the exposure in question. The credit institution shall apply the principle of proportionality in deciding whether such an individual plan should be drawn up. In the case of significant problem loans, which are defined in accordance with their risk level, the members of the management board shall be informed at regular intervals about the status of their restructuring or liquidation process. In addition, Section 4 of the AF-GL is relevant for consumer lending under the HIKrG. 62. If an exposure is to be recovered, the credit institution, involving external experts as applicable, depending on the amount or risk level of the exposure as well as the complexity of the liquidation process, shall develop a liquidation strategy. In the case of highly standardised business areas, such as the standardised retail banking business, a generally applicable recovery procedure may be drawn up. In this context, it is also necessary to refer to paras. 116 et seq. of the NPE-GL. 5.8 RISK PROVISIONING 63. The internal guidelines shall define objective and logical criteria that indicate the need for risk provisioning or a need for a write-down for the credit transaction, taking into account the applicable legal provisions, in particular the accounting standards. The responsibility for preparing the decision on the amount of risk provisioning or write-downs for credit transactions that exceed certain amounts, which shall be defined in

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 25 accordance with their risk profile, shall take place outside of the sphere of “front office”. For credit transactions that fall within the scope of application of the CL-GL, Chapter 4.2 of the CL-GL shall also apply in this context. 64. The necessary risk provisioning or write-downs and the need for them shall be calculated in a timely manner and carried forward. In this context, "subsequent valuation" does not mean "entry". Entries depend on the existing applicable accounting standards, which, of course, remain unaffected by these provisions. “Subsequent valuation” means that risk provisioning and write-downs, and the need for them shall be kept up-to-date and logical and shall build on the previous periods, i.e. be “carried forward”. 6 RISK MANAGEMENT AND RISK CONTROLLING 6.1 GENERAL 65. An early-warning system, a system or procedure for managing and limiting risk, as well as a corresponding reporting system shall be established that is commensurate to the nature, scope, complexity and risk level of the transactions. The execution of these tasks shall be set up as a routine and standardised process. "Systems" shall mean automated, in particular It-based processes, whereas "procedures" are standardised but not necessarily automated processes, which may be covered by means of procedural and organisational measures, especially by ensuring compliance with internal guidelines and handling principles. The aforementioned tasks shall be set up as a routine and standardised process. 66. The systems and procedures shall ensure that material risks in lending business are detected early, reported, described, aggregated, planned, managed, limited and monitored. They also guarantee permanent risk monitoring at portfolio level. In particular, they shall ensure that risk is balanced and compatible with the risk strategy. 67. Risk-relevant information shall be forwarded immediately to the decision makers specified in the decision-making hierarchy in order to enable the earliest possible initiation of adequate counter-measures. 6.2 EARLY-WARNING PROCEDURE 68. The purpose of the procedure for early detection of risks is to identify undesirable developments with respect to borrower-related and overall business risks at an early stage. This should enable the credit institution to

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 26 take countermeasures as early as possible. To this end, the credit institution shall develop strong indicators for early risk detection. The credit institution can select the procedure. The early-warning signals utilised by the credit institution, shall also contain portfolio-specific and product-specific indicators as well as forward-looking indicators, depending on their applicability and availability. In contrast to the regular risk analysis mentioned in point 52, which takes place at certain dates, the borrower-related early-warning procedure takes the form of ongoing monitoring that focuses on identifying negative changes in the risk assessment that occurs between the dates when regular risk analysis is conducted. For credit transactions that fall within the scope of application of the LO-GL, paras. 269 to 274 of the LO-GL shall also apply in this context. 6.3 RISK MANAGEMENT AND RISK LIMITATION 69. The management board members shall take suitable measures to ensure that the management and limitation of borrower-related risks as well as overall lending business-related risks. In the case of borrower-related risks, in particular the creditworthiness of the borrower taking into consideration groups of connected clients or third parties and the value and enforceability of collateral shall be taken into account. The following can especially be considered as overall lending business-related risks: sectoral risk, distribution of exposures categorised by size and risk classes, and, where applicable, country risk and other parallel risks. Such risks can in particular be limited by implementing an adequate limit system. However, other procedures can also be considered. 70. The measures to limit the borrower-related and overall business risks shall be structured in accordance with the credit institution’s risk-bearing capacity. The relationship between such measures and the risk bearing capacity shall be reviewed by the management board members in relation to the risk strategy at appropriate intervals, but at least on an annual basis. For credit transactions that fall within the scope of application of the LO-GL, para. 25 of the LO-GL shall apply in this context. 71. No lending transaction shall be concluded without a lending decision. In this context, a lending decision, as defined in point 10 is also to be understood as the definition of a borrower-related limit (lending amount limit, borrower's limit, limit relating to the group of connected clients) as well as amending decisions (e.g. releasing of collaterals, waivers on compliance with contractual clauses).

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 27 In the case of personal loans, the setting of the borrower-related limit shall be equivalent to the granting of the loan or overdraft facility. This supervisory expectation does not mean that overdrafts are not allowed, but that the credit institution shall base the exceeding of a limit on a lending decision (cf. also point 73 below). Automated lending decisions or limit specifications, especially where made by means of a risk classification procedure, may also correspond to this supervisory expectation. For credit transactions that fall within the scope of application of the LO-GL, paras. 53 to 55 and paras. 63 to 69 of the LO-GL shall also apply in this context. 72. All transactions shall immediately be counted against the borrower-related limits. Depending on the credit transactions’ risk level, adherence to the borrower-related limits shall be monitored on an ongoing basis. 73. The credit institution shall establish a procedure defining how to handle overdrafts and unpaid instalments, which measures to take, and how to carry out dunning procedures. "Procedures" shall include standardised processes that are not necessarily automated but can also be defined by procedural and organisational measures, especially by ensuring compliance with internal guidelines and processing principles. In both instances, it is important that the tasks mentioned shall be routine and standardised procedures. An overdraft constitutes the exceeding of an authorised limit, and shall require the immediate implementation of a measure (reduction of the exposure within a specific period of time, a lending decision, etc.). 6.4 REPORTING 74. Reporting shall be based on data that is complete, accurate, of integrity and up-to-date. 6.4.1 RISK REPORT ON COUNTERPARTY RISK 75. Depending on the risk situation in lending business, a unit independent of “front office” sphere shall draw up risk reports at regular intervals, at the least on a quarterly basis, with group risk reports at least semi-annually, that address the most important structural features of lending business. This report shall be made available to the management board members. The management board members shall forward the report to the supervisory body under company law. The risk report to the supervisory body under company law may be abridged and condensed but must not omit any major risks. There is a certain relationship between point 75 and the credit institution’s risk strategy (point 12 et seq.): The risk report in particular provides the management

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 28 board members with feedback about whether and to what extent the risk strategy has been observed. This enables the management board members to take countermeasures to pursue the risk strategy or to adjust the risk strategy at an early stage. For credit transactions that fall within the scope of application of the LO-GL, para. 74 of the LO-GL shall also apply in this context. 76. The risk report shall be drawn up in a systematic, clear and meaningful manner containing a description and an assessment of the risk situation. The management board members shall certify that they have read and acknowledged the report. The measures required and initiated based on this report shall be documented clearly and meaningfully. 77. Taking into account the nature, scope, complexity and risk level of the credit transactions as well as the type and size of the credit institution and its core business areas, the risk report shall contain the following overall business and borrower-related information, including a forward-looking risk assessment, conclusions and any proposals on how to act, on the following respective points: a. development of the credit portfolio as a whole, broken down by major risk-relevant structural features, for example by sectors, countries, asset classes, risk classes and size categories; b. development of the extent of the limits granted and information on the level of utilisation; c. development of uncollateralised portions, broken down by risk classes; d. development of new types of transactions; e. development of risk provisioning and the need for risk provisioning, or write-downs and the need for write-downs; f. individual exposures as well as overdrafts (extent, number of days) with significant risk profile and how they are collateralised; g. lending decisions that were taken in dealing with problem loans (see point 58) regarding significant problem loans, h. an overview about the volume of lending under intensified handling, the dealing with problematic loans and forbearance measures (Article 47b CRR); i. an overview about the non-performing loans; j. risk bearing capacity in relation to counterparty risk; k. stress testing in relation to counterparty risk; l. risk concentrations in relation to counterparty risk; m. additional internal reporting pursuant to Article 15 of Regulation (EU) 2022/439 for credit institutions using IRB models15; n. Lending decisions that deviate from standard policies, procedures and criteria for the granting of credit.

15 Commission Delegated Regulation (EU) 2022/439, 20.10.2021.

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 29 o. Lending decisions that are taken by directors, where the vote of the director of the “back office” unit deviates from that of the director of “front office” (see point 28). As a rule, existing reporting procedures shall be taken into account and due care taken to ensure that the content of internal and external reports remains as similar as possible. Therefore, with regard to point 77 the same commonly used definitions may be used as are used in reporting. Deviations may however arise in some points that relate to the divergent intention of internal and external reporting activities. The credit institution shall be responsible for determining the risk report’s level of detail. It shall be based on the nature, scope, complexity and risk level of the credit transactions as well as the type and size of the credit institution and its core business areas. In the case of points that refer to the "development", they shall illustrate at least the three preceding periods. Regarding the utilisation of limits mentioned in lit. a they shall first and foremost refer to overall business-related limits (in particular at portfolio and sub-portfolio level), defined by the credit institution within the framework of a limit system or other portfolio management measures. "New types of business transactions" mentioned in lit. c shall mean credit transactions as defined in point 17. With regard to lit. d, it must be mentioned that "risk provisioning" shall mean entered risk provisions, while "need for risk provisioning" shall mean risk provisions that have not yet entered that appear to be appropriate to be recognised by the credit institution in line with the criteria defined in point 63. The same shall apply to write-downs and the need for write-downs. Individual exposures and overdrafts should be included in the report for documentation purposes, even where there have been no changes compared to the proceding period. Such a report may be abridged and shall include a reference to the last previous period where changes had occurred. "Lending decisions" as mentioned under lit. g shall be understood as only meaning positive lending decisions. 6.4.2 AD-HOC REPORTING 78. The management board members and the decision-makers involved shall be notified of events that have a significant risk level for the credit institution. The reporting and where applicable any measures initiated based on reporting shall be clearly documented. Events considered as having a significant risk level may, for example, include: development of problem loans and loans under intensified handling, substantial exceeding of limits or deterioration of creditworthiness of individual exposures with significant risk level, significant need for risk provisioning or write-downs,

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 30 signs of organisational deficiencies or deficiencies in processes, applied systems and procedures and resulting losses. In relation to the risk level, the internal guidelines shall define when the risk level shall be classified as “significant”. 79. The management board members shall be notified immediately if there is a substantial need for risk provisioning or write-downs. For this purpose, criteria shall be set out in the internal guidelines, about when they are classified as “significant”. 6.5 DEALING WITH ORGANISATIONAL DEFICIENCIES 80. Where indications arise about organisational deficiencies or deficiencies within processes, their causes shall be analysed, relevant conclusions drawn and any required measures shall be implemented immediately and documented. Losses resulting from organisational or process deficiencies shall be adequately documented. The credit institution shall assign which organisational unit shall be responsible for these tasks. They may be assigned to the internal audit function. ANNEX: COMPARISON OF FMA-MS-K AND EBA GUIDELINES The following table serves as guidance about the extent to which additional provisions set forth in the EBA Guidelines listed in point 1 must also be taken into account in relation to the individual provisions in the FMA-MS-K. Para. FMA MS-K Para. EBA LO-GL Para. other EBA GLs Strategic framework conditions 3.1 Responsibility of Directors 11 25 3.2 Risk strategy 12 25a 13 34-37 14 79 ff 15 25 16 - 3.3. New types of business transactions; 17 - 18 - 19 - 4 Organisation

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 31 4.1 Internal guidelines 20 25 lits. d & e - 21 34, 43 231-234 IG-GL 22 - - 4.2 Organisation al structure 4.2.1 Functional separation 23 - - 24 - - 25 - - 26 - - 4.2.2 Voting 27 - - 28 - - 29 - - 4.3 Staff members 30 66, 79-83 - 4.4 Technical and organisational resources 31 60, 61, 240, 243, 246, 247, 249, 269

4.5 Documentation 32 - - 5 Granting and process of lending transactions 5.1 General 33 - - 34 - - 35 38 - 36 - - 37 - - 38 - - 5.2 Loan origination 39 - - 40 193-198 - 5.3 Risk analysis; 5.3.1 Checking of creditworthiness and collateral valuation 41 84-192 - 42 137, 163, 179, 180, 206-239

43 100 - 44 211 70 OUTS-GL 45 - - 46 199-205 - 5.3.2 Risk classification procedure 47 - - 48 - - 49 265 - 50 - -

MINIMUM STANDARDS ON LENDING BUSINESS VERSION APRIL 2022 PAGE 32 5.4 Further processing of the loan 51 251 - 52 257, 260 - 53 206-239 178-234 NPE-GL 54 - - 55 - - 5.5 Monitoring of disbursements 56 - - 5.6 Intensified handling 57 272, 274, 275 Section 4 AF-GL 5.7 Dealing with problem loans 58 - - 59 - Section 4 AF-GL 60 - 63 NPE-GL 61 - Section 4 AF-GL 62 - 116 et seq. NPE-GL 5.8 Risk provisioning 63 - 25-85 CL-GL 64 - - 6 Risk management and risk controlling 6.1 General 65 - - 66 - - 67 - - 6.2 Early-warning procedure 68 269-274 - 6.3 Risk management and risk limitation 69 - - 70 25 - 71 53-55, 63-69 - 72 - - 73 - - 6.4. Reporting 74 - - 6.4.1 Risk report on counterparty risk 75 74 - 76 - - 77 - - 6.4.2 Ad-hoc reporting 78 - - 79 - - 6.5 Addressing organisational deficiencies 80 - -