Instruction No. 03/2022 of 29 March

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 1 of 30 INSTRUCTION NO. 03/2022 dated 29 March SUBJECT: FINANCIAL SYSTEM

• Stress Tests WHEREAS it is necessary to regulate the processes and methodologies for conducting stress tests that Banking Financial Institutions must implement, under Article 31(3)(c) of Circular No. 01/22 of 28 January on the Corporate Governance Code for Banking Financial Institutions, combined with Article 40 and Article 44(10) of Circular No. 08/21 of 5 July on Prudential Requirements; IN ACCORDANCE WITH Article 166 of Law No. 14/21 of 19 May, the General Regime for Financial Institutions Law, combined with Articles 31(d) and (f) and Article 98(1) of Law No. 24/21 of 18 October, the National Bank of Angola Act; IT IS HEREBY DETERMINED:

1. Object This Instruction establishes the requirements, methodologies and organizational processes for conducting stress tests that Banking Financial Institutions must implement, under capital adequacy and risk management.
2. Scope This Instruction applies to Banking Financial Institutions, supervised by the National Bank of Angola, as provided for in Law No. 14/21 of 19 May, the General Regime for Financial Institutions Law, hereinafter collectively referred to as Institutions.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 2 of 30 3. Definitions Without prejudice to the definitions established in Law No. 14/21 of 19 May, for the purposes of this Instruction, the following shall apply: 3.1. Scenario Analyses: the assessment of an Institution's or portfolio's resilience to a given scenario that includes a set of risk factors. 3.2. Sensitivity Analyses: assessments of the impact resulting from the variation of a single risk factor or multiple simple risk factors on capital or liquidity, for a specific portfolio or across the entire Institution. 3.3. Risk Appetite: the aggregated level and types of risk that an Institution is willing to assume, defined in advance within each Institution's risk capacity to achieve its strategic objectives and business plan. 3.4. Anchor Scenario: a scenario designed by the supervisor to define the severity level for a given stress test, required from Institutions, either as the scenario to be applied in the stress test or as a severity reference parameter for developing the Institution's own scenarios. 3.5. Systemic Interaction and Second-Order Effects (feedback effects): effects arising from risk propagation, notably the spread of a Bank to another within the same financial system and from the financial system to the real economy. 3.6. Systemic Event: an event likely to have serious negative consequences for the financial system or the real economy. 3.7. Idiosyncratic Event: an event likely to have serious negative consequences for a single Institution, a single group or an Institution within a group.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 3 of 30 3.8. Parent Company: a legal entity that exercises a relationship of control or group membership over another legal entity, designated as a subsidiary, when they are Financial Institutions supervised by the National Bank of Angola. 3.9. Risk Factor: an aspect or characteristic, notably of financial products and markets, business relationship participants and existing processes within Institutions, that influences risk. 3.10. Subsidiary: a legal entity over which another legal entity, designated as the parent company, holds control; it is considered that a subsidiary of a subsidiary is also a subsidiary of the parent company from which both depend. 3.11. Financial Group: a set of resident and non-resident companies possessing the nature of Financial Institutions, excluding those linked to insurance and social security activities, in which there is a control relationship by a parent company supervised by the National Bank of Angola over other constituent companies. 3.12. ICAAP (Internal Capital Adequacy Assessment Process): regular assessment of the amounts, types and distribution of internal capital that an Institution considers sufficient to cover risk levels according to its nature, for which it is or may be exposed. 3.13. ILAAP (Internal Liquidity Adequacy Assessment Process): regular assessment of the amounts, types and distribution of internal liquidity that an Institution considers sufficient to meet its third-party obligations. 3.14. Governing Body: a person or group of persons elected by shareholders, responsible for representing the company, deliberating on all matters and performing all acts to achieve its corporate purpose.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 4 of 30 3.15. Dynamic Balance Sheet Assumption: methodological assumption according to which the impact of stress test scenarios must be measured based on the possibility of a non-constant balance sheet and an evolving business model throughout the projection period, in which the stress test result reflects a combination of the imposed scenario and management response measures, reducing result comparability between Institutions, as well as the extent of management response measures may be conditional or unconditional. 3.16. Static Balance Sheet Assumption: methodological assumption according to which it is necessary to measure the impact of stress test scenarios based on a constant balance sheet and an unaltered or stable business model throughout the projection period, meaning that assets and liabilities held to maturity are replaced by elements with similar characteristics in bank projections. 3.17. Risk Appetite Framework (RAF): determines the Institution's risk approach, including policies, processes, limits, controls and systems, which together represent the strategy for defining, communicating and monitoring risk appetite; it must include all relevant risks (financial and non-financial), allowing a holistic, conscious and integrated view of risk to define the degree of risk appetite, must be articulated and formally approved by corporate bodies and disseminated throughout the Institution. 3.18. Risk: possibility of a future event occurring with negative impact on the Institution's net position. 3.19. Credit Risk: arising from the default of contractually established financial commitments by a borrower or counterparty in operations;

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 5 of 30 3.20. Liquidity Risk: arising from the Institution's inability to meet its obligations when they become due; 3.21. Market Risk: arising from adverse movements in the prices of bonds, shares or commodities, which includes exchange rate and interest rate risk. 3.22. Exchange Rate Risk: arising from movements in exchange rates resulting from currency positions originating from financial instruments denominated in different currencies; 3.23. Interest Rate Risk: arising from movements in interest rates resulting from mismatches in value, maturities or repricing periods of financial instruments with receivable and payable interest; 3.24. Operational Risk: arising from inadequate internal processes, people or systems, possibility of occurrence of internal and external fraud, as well as external events, which includes system and information risk and legal risk; 3.25. Scenario Severity: degree of severity of assumptions or deterioration of the scenario (from a base to an adverse scenario), expressed in terms of underlying macroeconomic and financial variables (or any other assumptions). Generally, the greater the scenario severity, the greater the impact of the stress test on the Institution, thus determining the actual severity of the stress test. 3.26. Stress Tests: risk management technique aimed at assessing potential effects on an Institution's financial conditions, resulting from changes in risk factors or stress scenarios according to exceptional but plausible events. 3.27. Bottom-up Approach Stress Test: stress test in which Institutions use internally developed models and rely on their assumptions or scenarios, with possible constraints defined by the supervisor.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 6 of 30 3.28. Liquidity Stress Test: assessment of the impact of certain developments, including macro and microeconomic scenarios, from a financing and liquidity perspective and shocks to the Institution's overall liquidity position, including with regard to minimum requirements. 3.29. Solvency Stress Test: assessment of the impact of certain developments, including macro or microeconomic scenarios, on an Institution's overall capital position, including its own funds requirements, through projection of the Institution's resources and capital needs, evaluating its loss absorption capacity and impact on its solvency position. 3.30. Reverse Stress Test: technique consisting of identifying critical points in the Institution's financial situation that compromise the viability or sustainability of its business model and, consequently, assessing the severity level of scenarios and/or shocks on risk factors that lead to reaching said critical points. 4. Stress Test Program 4.1. Institutions must conduct a stress test program adequate to their size, systemic importance, nature and level of complexity of the activity carried out, in accordance with the annexes to this Instruction. 4.2. Institutions must have a stress test program covering at least the following: a) Internal governance mechanisms, including lines of responsibility and a description of the entire process for designing, approving, executing, monitoring performance, periodically evaluating the stress test program and its results, as well as reporting in accordance with Annex I of this Instruction; b) General principles and, in the case of a group, the scope of included entities and coverage of stress tests, in accordance with Annex II; c) Relevant data infrastructure, including the description and inventory of relevant software applications used in stress tests, as detailed in Annex III; d) Types of stress tests and methodological details as per Annex IV; e) Material risks considered in light of their activity, according to Annex V; f) Possible interconnections between different stress tests (solvency and liquidity) and the application of the stress test program, within ICAAP/ILAAP objectives and management actions based on identified vulnerabilities, according to Annex VI. 4.3. The governing body is responsible for ensuring the adequate implementation of the stress test program by the institution, including reporting relevant information. 5. Objectives For the purposes of the preceding section, Institutions must conduct the stress test program with the following objectives: a) Assess the Institution's resilience and identify potential vulnerabilities arising from adverse shocks; b) Establish a set of management actions based on identified vulnerabilities; c) Establish an interconnection between stress tests and continuous Institution management (risk appetite framework, budget, recovery plan), as well as support capital and liquidity planning and management (ICAAP and ILAAP);

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 8 of 30 d) Ensure that the level of own funds and liquidity is sufficient against the risks to which the Institution is exposed, considering credit, market, operational, liquidity and interest rate risk in the banking book as provided for in Circular No. 08/21 of 5 July on Prudential Requirements; and e) Support the assessment of strategic options. 6. Information Reporting Institutions must report stress test information on an individual and consolidated basis, semi-annually and annually, through explanatory notes attached to this Instruction. 7. Sanctions Non-compliance with this Instruction constitutes an administrative offense punishable under Law No. 14/21 of 19 May, the General Regime for Financial Institutions Law. 8. Transitional Provisions Institutions must comply with this Instruction within 90 (ninety) days of its publication. 9. Doubts and Omissions Doubts and omissions arising from the interpretation and application of this Instruction are resolved by the National Bank of Angola. 10. Revocation All regulations contrary to this Instruction are hereby revoked, namely Instruction No. 02/17 of 30 January on Stress Tests and Directive No. 03/DRO/DSI/18 of 12 July on the Implementation Guide for Stress Test Programs.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 9 of 30 11. Entry into Force This Instruction enters into force on the date of its publication. PUBLISHED: Luanda, 29 March 2022. THE GOVERNOR JOSÉ DE LIMA MASSANO

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 10 of 30 ANNEX I Governance Aspects of Stress Tests

1. The governing body is responsible for ensuring the definition, formalization and conduct of stress tests in the Institution's risk management as provided for in Article 40 and Chapter IX of Circular No. 08/21 of 5 July on Prudential Requirements, as well as information reporting.
2. Without prejudice to the preceding paragraph, for stress tests, the governing body may delegate functional competencies to relevant organizational structures, as provided in Article 16 of Circular No. 01/22 of 28 January on the Corporate Governance Code for Banking Financial Institutions.
3. For this purpose, the types of stress tests conducted, their hypotheses, criteria, assumptions and results, specific vulnerabilities identified and proposed management actions must be reported regularly to the governing body.
4. Without prejudice to Circular No. 01/22 of 28 January on the Corporate Governance Code for Banking Financial Institutions, the Institution must ensure that its governing body fully understands the impact of stress events on the Institution's overall risk profile.
5. The governing body must understand material aspects of the stress test program to be able to: a) Actively participate in discussions with stress test committees, when applicable, top management or external consultants involved in stress tests; b) Evaluate the main assumptions underlying stress tests, such as scenario selection; c) Understand decisions resulting from stress test results and justify them to the National Bank of Angola.
6. The stress test program must be executed in accordance with the Institution's relevant internal policies and procedures, ensuring clear assignment and allocation of responsibilities and sufficient resources for program execution.
7. Institutions must ensure that all elements of the stress test program are adequately documented and regularly updated in internal policies and procedures.
8. Institutions must ensure that the stress test program is effectively communicated to relevant business lines and management levels, thereby improving risk culture.
9. The governing body in its executive function must consider stress test results when defining the Institution's business and risk strategy and making relevant decisions affecting capital and liquidity, notably in the context of ICAAP and ILAAP.
10. The governing body must ensure that stress test results contribute to the process of establishing the Institution's risk appetite limits. Independent Validation and Internal Audit Process
11. The risk committee or equivalent body, the validation process and internal auditors must regularly evaluate the Institution's stress test program.
12. The Institution must include the stress test program in its internal audit plan.
13. The competent area must independently validate the stress test program, assessing the plausibility of assumptions and presented results, as well as identifying improvement needs prior to implementation.
14. For this purpose, the Institution must ensure that data infrastructure, assumptions and underlying modeling process are sufficiently robust.
15. Institutions must document the independent validation process of the stress test program, including frequency, contents, controls and tests performed, as well as main validation results.
16. Without prejudice to Chapter IV of Circular No. 01/22 of 28 January on the Corporate Governance Code for Banking Financial Institutions, the internal audit function must include in its activity planning a cross-sectional evaluation of the Institution's stress test program, presenting conclusions and recommendations in the annual internal audit report.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 12 of 30 ANNEX II General Principles of the Stress Test Program

1. The parent company must develop a group stress test program to be approved and monitored by the governing body and executed by top management, within its centralized risk management policy.
2. Institutions must ensure that their stress test programs are viable and feasible, informing the decision-making process at all appropriate management levels regarding all existing and potential material risks.
3. Institutions must regularly evaluate their stress test programs to determine effectiveness and robustness, updating them at least once a year based on quantitative and qualitative analysis.
4. For this purpose, in evaluating the stress test program, Institutions must consider at least the following elements: a) Program effectiveness in achieving intended objectives; b) Potential need for improvements; c) Identified risk factors, definitions, justification of relevant scenarios, assumptions, model performance and sensitivity of results to these assumptions; d) Adequacy of possible interconnections between different stress tests; e) Assessment received from the National Bank of Angola in the context of its supervisory test or other stress tests; f) Adequacy of data infrastructure, notably regarding system implementation and data quality; g) Appropriate level of top management and governing body involvement; h) All assumptions, including business/management assumptions and planned management actions, based on purpose, type and results of stress tests, including an assessment of the feasibility of management actions in stressed situations and a dynamic business environment; and i) Adequacy of relevant documentation.
5. Institutions must ensure effective dialogue with participation from experts in relevant business areas, guaranteeing that the program and its updates have been duly evaluated by top management and monitored by the governing body. Scope and Coverage of Stress Tests
6. Stress tests must cover all significant risks, considering the Institution's equity and off-balance sheet elements.
7. Stress tests must capture risks at multiple levels within the Institution, according to the proportionality principle, ranging from sensitivity analysis focused on a portfolio to scenario analyses covering the entire Institution.
8. Stress tests must consider changes between risk types and risk factors at the individual entity level and group level, including correlations that tend to increase during periods of economic or financial difficulty, requiring case-by-case analysis of certain correlation behaviors in specific scenarios.
9. Institutions must include in portfolio-level stress tests all risk types that significantly affect them, using sensitivity or scenario analyses, as well as identifying risk factors and the appropriate level of stress.
10. Institutions must ensure that portfolios and business units or lines undergo stress tests to identify intra- and inter-risk concentrations, i.e., concentrations of common risk factors within and between risk types including contagion effects.
11. Institutions must conduct stress tests at individual entity and group levels, considering the impact on aggregated dimensions, solvency level, liquidity or results.
12. For this purpose, Institutions must consider the following: a) Risks may not be adequately captured by simple aggregation of stress tests at individual portfolio, individual risk area or group business unit levels; b) Correlations, exposure offsets and individual concentrations may lead to double counting of risks or underestimation of stress test risk factor impacts; and c) Relevant risks may emerge at the group level originating from individual Institutions comprising it, ensuring that all significant risks and corresponding risk factors are identified at the group level.

CONTINUATION OF INSTRUCTION NO. 03/2022 Page 15 of 30