Region

Jurisdiction

Regulator

2022-11-07

Adjustments to Proper Conduct of Banking Business Directives for New Banking Corporations

The Supervisor of Banks issues directives adjusting regulatory requirements for new and forming banking corporations in Israel to encourage competition while maintaining a risk-based approach. The document defines eligibility criteria based on asset size and activity complexity, granting exemptions or modified standards for capital, liquidity, governance, and risk management during a transition period. It mandates specific operational preparations, including the development of an exit plan, and outlines the process for entities to graduate from a limited license to full banking status.

Israel

Bank of Israel

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-1 1 Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Table of contents Chapter Title Page Chapter A General Remarks 480-2 Chapter B Proper Conduct of Banking Business Directives concerning Capital Measurement and Adequacy, Leverage, and Liquidity 480-5 Chapter C Proper Conduct of Banking Business Directives concerning Management and Control 480-6 Chapter D Proper Conduct of Banking Business Directives concerning Credit and Investments 480-10 Chapter E Proper Conduct of Banking Business Directives concerning Financial Risks 480-11 Chapter F Proper Conduct of Banking Business Directives concerning Technology and Cyber 480-12 Chapter G Banking Corporation in Formation 480-14

The Banking Supervision Department promotes competition in the banking system by encouraging the establishment of new banks, inter alia.
This Directive marks the continuation of the Supervisory policy concerning the establishment of new banks in Israel; its purpose is to adjust the Proper Conduct of Banking Business Directives of the Supervisor of Banks to a banking corporation in formation and a new banking corporation on the basis of a risk-based approach. The Directive exempts said corporations from implementing certain Proper Conduct of Banking Business Directives or sets adjustments to the directives. This is done in directives in which it is found that the burden of compliance for a banking corporation in formation or a new banking corporation is disproportionate to the risks that these corporations may face or to the systemic risk that they are liable to create in view of the restrictions on the type and scale of their activity.
The terms used in Chapters B–G shall carry the meanings shown in the relevant Proper Conduct of Banking Business Directive unless stated otherwise. Scope of Application
All Proper Conduct of Banking Business Directives shall apply to a new banking corporation, subject to the provisions of Chapters B–F of this Directive, and only Chapter G shall apply to a banking corporation in formation, all of which subject to the provisions of Section 5. Additional adjustments to the Supervisor’s directives
The Supervisor of Banks may issue specific directives that are different from those specified below, including additional adjustments to Proper Conduct of Banking Business Directives that shall apply to a specific new banking corporation or a specific banking corporation in formation, or may exempt a new banking corporation or a banking corporation in formation from a given directive. Such determinations shall be made if circumstances so warrant in consideration of the risk profile of the new banking corporation or the banking corporation in formation, its size, and the type of its activity, and if an adequate level of sound banking management is maintained. Rationales for making such determinations shall be expressed in writing. For the purposes of this Directive, the provisions of Section 5 of Proper Conduct of Banking Business Directive no. 100 shall not apply. Definitions

“Non-complex activity” Activity in which a bank is allowed to engage, provided: (1) Extension of credit includes only retail and small-business credit; (2) Trading book activity does not exceed the total set for tradingbook transactions in Section 683(ii) of Directive no. 208.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-3 3 For this purpose— “Small business”—a micro or small business as defined in Section 79a(5) of Reporting to the Public Directive of the Supervisor of Banks no. 634. “Limited license” A banking license that limits the scope of activity in the following ways: (1) the bank’s outstanding credit to the public shall not exceed NIS 100 million. (2) the bank’s balance of deposits from the public shall not exceed NIS 100 million. A limited license shall be valid from the date the banking corporation commences its activity as set forth in Section 21 of the Banking (Licensing) Law, 5741-1981. “Banking corporation in formation” A banking corporation that does not belong to an existing banking group, does not have branches or subsidiaries abroad, engages in non-complex activity, and has a valid limited license. “New banking corporation” A banking corporation that has received, after the promulgation of this Directive, a banking license that is not a limited license, does not belong to an existing banking group, does not have branches or subsidiaries abroad, engages in non-complex activity only, and meets the two following criteria (hereinafter: quantitative criteria): (1) Its total consolidated balance-sheet assets do not exceed 1 percent of the total balance-sheet assets of the banking system or NIS 16 billion, whichever is smaller; (2) Its total deposits from the public do not exceed 0.5 percent of total deposits from the public in the banking system or NIS 6 billion, whichever is smaller. Each of the quantitative criteria shall be calculated on the basis of the average of the two years preceding the date of measurement or on the basis of existing data in the new banking corporation’s financial statements if the new banking corporation has not completed two years of activity. For this purpose—“total balance-sheet assets” and “total deposits from the public” shall be as expressed in the annual audited financial statements drawn up in accordance with the Reporting to the Public Directives of the Supervisor of Banks. In an acquirer that has become a new banking corporation, total balance-sheet assets shall be calculated net of “Credit card receivables guaranteed by

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-4 4 banks,” according to the meaning of this term in the Reporting to the Public Directives of the Supervisor of Banks. Transition from banking corporation in formation to a new banking corporation 7. An entity that applies to establish a new banking corporation shall complete the preparations within a period of up to three years from the time the limited license is granted. Said preparations include raising capital; filling positions on the Board of Directors and in senior management; hiring staff; developing and establishing operating infrastructures and systems, formulating mechanisms of corporate governance, auditing, and risk management, and closing regulatory gaps relative to the directives that apply to a new banking corporation. Insofar as said preparations have not been completed by the end of said three years but have reached advanced stages, the Supervisor shall consider recommending to the Governor to grant an extension of the limited license for an additional year. 8. If the Governor approved, by the end of the period set forth in Section 7, that the banking corporation in formation has completed its preparations as required, the restrictions established in the limited license shall be nullified, the corporation shall cease to be a banking corporation in formation, and the provisions of this Directive in regard to a new banking corporation shall apply thereto. 9. If the banking corporation in formation has not completed its preparations by the end of the period set forth in Section 7, its limited license shall expire. 9A.To eliminate doubt, an entity that fails to comply with all the conditions established in the definition of a “banking corporation in formation,” including the level of activities specified in a limited license, the process described in this Chapter for the receipt of a limited banking license shall not apply. Exit plan 9B. A new banking corporation must put together an exit plan. The exit plan shall be a contingency plan that enables the new banking corporation to terminate its activity (by being sold, closed down, or in any other way) without adversely impacting its customers or the banking system , and enables the new banking corporation to sustain “essential operations and services” as this term is defined in Proper Conduct of Banking Business Directive no. 355, until it is deactivated. Said exit plan shall be invoked, for example, if the business model is shown to be inapplicable or if the new banking corporation proves unable to raise the requisite capital. The exit plan shall be tailored to the business plan of the new banking corporation and to the level of its actual activity and its complexity. The Board of Directors shall approve the plan at least once per year and shall also approve changes made therein. A banking corporation that ceases to be a new banking corporation 10. The Supervisor of Banks may establish a transition period that shall not exceed three years, for a banking corporation that has ceased to be a “new banking corporation” for applying a

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-5 5 specific Proper Conduct of Banking Business Directive or all relevant Proper Conduct of Banking Business Directives. Chapter B: Proper Conduct of Banking Business Directives concerning Capital Measurement and Adequacy, Leverage, and Liquidity Proper Conduct of Banking Business Directives no. 201–211, concerning capital measurement and adequacy 11. Proper Conduct of Banking Business Directive no. 201 (hereinafter: Directive 201) shall apply to a new banking corporation mutatis mutandis: Instead of the contents of Section 40(b), the following shall appear: (1) A banking corporation that has total credit-risk assets not in excess of NIS 600 million shall hold Common Equity Tier 1 Capital in a sum no smaller than NIS 50 million. (2) For a banking corporation that has more than NIS 600 million in total credit-risk assets, the minimum capital adequacy target shall be the following: (a) Common Equity Tier 1 Capital to weighted risk assets shall be no smaller than 8 percent; (b) Total capital to weighted risk assets shall be no smaller than 11.5 percent. Notwithstanding the provisions of Subsections (a) and (b), a banking corporation that has more than NIS 600 million in total credit-risk assets but not more than NIS 5 billion may maintain a ratio of Common Equity Tier 1 Capital to weighted risk assets that is no smaller than 10 percent. For the purposes of this Section, “credit-risk assets” are risk assets calculated on the basis of Proper Conduct of Banking Business Directive no. 203; however, if the total credit-risk assets of a banking corporation do not exceed NIS 600 million, risk assets calculated in accordance with Proper Conduct of Banking Business Directive no. 203 on account of software costs shall not be included. 12. Proper Conduct of Banking Business Directives no. 202–211 shall not apply to a new banking corporation as stated in Section 40(b)(1) of Directive 201, as it is phrased in Section 11. Proper Conduct of Banking Business Directive no. 218, “Leverage Ratio” 13. Proper Conduct of Banking Business Directive no. 218 – (a) shall not apply to a new banking corporation that has total credit-risk assets not exceeding NIS 600 million. (b) Instead of the wording in Section 7 of the Directive, a new banking corporation that has total credit-risk assets in excess of NIS 600 million shall maintain a leverage ratio of not less than 4 percent on a consolidated basis. For this purpose, “credit-risk assets” are those calculated on the basis of Proper Conduct of Banking Business Directive no. 203.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-6 6 Proper Conduct of Banking Business Directives no. 221, “Liquidity Coverage Ratio” and no. 222, “Net Stable Funding Ratio” 14. Proper Conduct of Banking Business Directive no. 221 (hereinafter: Directive 221) and Proper Conduct of Banking Business Directive no. 222 shall not apply to a new banking corporation that chooses to maintain a liquidity ratio calculated on the basis of the following (hereinafter: simple liquidity ratio): (a) A new banking corporation shall, at any time, maintain liquid assets in a sum no smaller than the total of the following three: (1) total balance-sheet liabilities that have contractual maturities within 30 days of the time of the calculation (including the 30th day), multiplied by the rate of 20 percent; (2) total balance-sheet liabilities that have contractual maturities after 30 days from the time of the calculation, multiplied by the rate of 10 percent; (3) 20 percent of total off-balance-sheet credit instruments, multiplied by the rate of 10 percent. (b) For this purpose – (1) “liquid assets”—Level 1 assets as the meaning of this term in Directive 221; (2) “balance-sheet liabilities” and “off-balance-sheet credit instruments”— as the meaning of these terms in the Reporting to the Public Directives of the Supervisor of Banks. (c) The simple liquidity ratio shall be calculated for all currencies together. However, a new banking corporation that has significant currency activity shall hold liquid assets in a quantity commensurate with its foreign-currency needs in an ordinary business situation and under stress tests. For this purpose, “significant currency activity”—total foreigncurrency sector constitute a “main currency” as defined in Section 50(a)(3) of Reporting to the Public Directive no. 633. Chapter C: Proper Conduct of Banking Business Directives concerning Management and Control Proper Conduct of Banking Business Directive no. 301, “Board of Directors” 15. Proper Conduct of Banking Business Directive no. 301 shall apply to a new banking corporation mutatis mutandis: (a) Frequency of reports – (1) Instead of the contents at the end of Section 8(a), the following shall appear: “report to be presented at a frequency that the Board of Directors shall determine, commensurate with the level of activity and the pace of its development”; (2) In Section 18(d)(1), instead of “at least once every six weeks,” the wording shall be “at least once per quarter”. (b) Number of directors—in Section 22(a), instead of “no less than 7 directors,” the wording shall be “no fewer than five directors”.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-7 7 (c) Fitness of directors—at the end of Section 25, the following shall appear: “Notwithstanding the foregoing, in a Board of Directors that has up to seven members, at least one director shall have "banking experience" and at least one director shall have "accounting and financial expertise".” In a Board of Directors that has more than seven members, at least two directors shall have “banking experience.” (d) Chair of the Board of Directors—Section 28(d) shall not apply until the end of three years from the date on which a banking license that is not a limited license, is received. (e) Composition and modus operandi of board committees—in Section 34(b), the contents of the end of the Section regarding Section 28(d) shall not apply until the end of three years from the date on which a banking license that is not a limited license is received, with the exceptions of the Audit Committee and the Remuneration Committee. (f) Audit Committee— (1) At the end of Section 35(b), the following shall appear: “If the Board of Directors has up to seven members, the Audit Committee shall have at least one director who has accounting and financial expertise.” (2) Instead of the contents of Section 35(g), the following shall appear: “The Audit Committee shall meet at least four times per year.” (g) Remuneration committee—instead of the contents of Section 38(b), the following shall appear: “In a new banking corporation to which Section 118a of the Companies Law does not apply, a remuneration committee need not be appointed. If no such committee is appointed, the Board of Directors or the Audit Committee shall fullfil its duties, mutatis mutandis. If a remuneration committee is appointed, it is not mandatory that at least one of its members has expertise and experience in risk-management and control activities.” (h) Risk-management committee—instead of the contents of Section 39, the following shall appear: “A new banking corporation need not appoint a risk-management committee. If it does not appoint such a committee, the Board of Directors shall fullfil its duties.” (i) Information-technology and innovation committee—instead of the contents of Section 39A, the following shall appear: “A new banking corporation need not appoint an information-technology and innovation committee. If it does not appoint such a committee, the Board of Directors shall fullfil its duties.” (j) Frequency of meetings of the Board of Directors—in Section 40(a), instead of “at least once a month,” the expression “at least once per quarter” shall appear. (k) Attending meetings of the Board of Directors—in Section 41(a), the end of the Section, beginning with the words “and shall not be absent,” shall be deleted. (l) Sector conflict of interest— (1) In Section 55(b), instead of “of three outside directors,” the wording shall be “among all outside directors”. (2) In Section 55(c), instead of “once per half-year,” the wording shall be “once per year”.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-8 8 Proper Conduct of Banking Business Directive no. 307, “Internal Audit Function” 16. Proper Conduct of Banking Business Directive no. 307 shall apply to a new banking corporation mutatis mutandis: (a) In Section 47, instead of “every half-year”, the wording shall be “once per year”. (b) In the heading of Section 55b, instead of “Biannual Reporting,” the expression “Annual Reporting” shall appear, and in Subsection (1) therein, instead of “issued in the half-year reporting period,” the wording shall be “issued in the reporting year”. Proper Conduct of Banking Business Directive no. 308, “Compliance and the Compliance Function in a Banking Corporation” 17. Proper Conduct of Banking Business Directive no. 308 shall apply to a new banking corporation mutatis mutandis: In Section 33, instead of the wording in Subsection (b), the following shall appear: “The Chief Compliance Officer may hold an additional function in a new banking corporation, provided he is not responsible for an area of business activity in which concern is raised about conflict of interest between his position and the other function, and subject to the prior approval of the Supervisor of Banks.” Proper Conduct of Banking Business Directive no. 308A, “Handling of Public Complaints” 18. Proper Conduct of Banking Business Directive no. 308A shall apply to a new banking corporation mutatis mutandis: (a) Instead of the contents of Section 7(b), the following shall appear: “The Ombudsman and the staff of the function for handling public complaints may hold additional posts, provided nothing on this account shall create a conflict of interest with said duties of theirs, and provided written notice to the Supervisor of Banks is given.” (b) In Section 12, instead of “once every half-year,” the wording shall be “once per year” shall appear. Proper Conduct of Banking Business Directive no. 309, “Controls and Procedures relating to Disclosure and Internal Control over Financial Reporting” 19. Proper Conduct of Banking Business Directive no. 309 shall apply to a new banking corporation mutatis mutandis: (a) In Section 4, instead of “at the end of each quarter,” the wording shall be “at the end of every year”. (b) In Section 6, instead of the expression “that occurred in any quarter,” the following shall appear: “that occurred in any quarter or in any other period, provided it does not exceed one year.”

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-9 9 Proper Conduct of Banking Business Directive no. 310, “Risk Management” 20. Proper Conduct of Banking Business Directive no. 310 shall apply to a new banking corporation mutatis mutandis: In Section 10, instead of the wording in Subsection (b)(2), the following shall appear: “The Chief Risk Officer shall be an employee of the new banking corporation; the Chief Risk Officer may have responsibilities in risk areas, such as Chief Compliance Officer, manager of the operational risk function, Anti-Money Laundering and Countering Financing of Terrorism Officer, or Credit Control Officer, and may also have additional headquarter or control duties. This is subject to the following conditions: (1) The new banking corporation shall ensure that the entirety of the Chief Risk Officer’s responsibilities is commensurate with the level of the corporation’s activity, the complexity of its activity, and the risk characteristics inherent to its activity. (2) The responsibilities of the function must not impair its independence and its ability to carry out its work efficiently. (3) Prior permission from the Supervisor of Banks to hold an additional post as the Chief Accounting Officer is needed."

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-10 10 Chapter D: Proper Conduct of Banking Business Directives concerning Credit and Investments Proper Conduct of Banking Business Directive no. 313, “Limitations on the Indebtedness of a Borrower and a Group of Borrowers” 21. Proper Conduct of Banking Business Directive no. 313 shall apply to a new banking corporation mutatis mutandis: Instead of the wording in Section 4(b)(2), the following shall appear: “Until the end of three years from the date on which a banking license that is not a limited license is received, the indebtedness of a banking group of borrowers or a credit-card group of borrowers to a new banking corporation, after deducting the sums specified in Section 5, shall not exceed 50 percent of the banking corporation’s capital; from the end of three years from the receipt of a banking license that is not a limited license, the indebtedness of a banking group of borrower or a credit-card group of borrowers to a new banking corporation, after deducting the sums specified in Section 5, shall not exceed 25 percent of the banking corporation’s capital.” Proper Conduct of Banking Business Directive no. 315, “Industry Indebtedness Limitation” 22. Proper Conduct of Banking Business Directive no. 315 (hereinafter: Directive 315) shall not apply to a new banking corporation unless the total indebtedness of borrowers that are not “private individuals” as the meaning of “credit to private individuals” in Section 14 of Appendix 5 to Directive no. 651 of the Supervisor of Banks’ Reporting to the Public Directives, exceeds NIS 2 billion. However, a new banking corporation, to which Directive 315 does not apply, is required to maintain an industrial segmentation of its borrowers. Proper Conduct of Banking Business Directive no. 318, “Collateral Database” 23. (a) Proper Conduct of Banking Business Directive no. 318 (hereinafter: Directive 318) shall not apply to a new banking corporation unless at least one of the following conditions obtains: (1) It engages in granting housing loans, as these are defined in Proper Conduct of Banking Business Directive no. 451. (2) It has reached the threshold established in Section 22 of this Directive. (b) A new banking corporation, to which Directive 318 does not apply, shall establish and maintain a collateral management system adequate to its business and risk-management needs.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-11 11 Chapter E: Proper Conduct of Banking Business Directives concerning Financial Risks Proper Conduct of Banking Business Directive no. 333, “Management of Interest-Rate Risk” 24. (a) Proper Conduct of Banking Business Directive no. 333 (hereinafter: Directive 333) shall not apply to a new banking corporation unless at least one of the following conditions obtains: (1) The total balance-sheet assets of the new banking corporation, on a consolidated basis, exceeds 0.5 percent of total balance-sheet assets of the banking system; (2) The new banking corporation engages in activities that entail a high exposure to interest-rate risks. For this purpose, the expression “high exposure to interest-rate risks” denotes an exposure that if measured by the standardized shock, in the meaning of this term in Addendum 2 of Directive 333, results in a decrease in the economic value of the banking corporation at the extent of more than 10 percent of equity. (b) A new banking corporation to which Directive 333 does not apply shall manage its interest-rate risk using common tools and shall act within the risk-management framework set forth in Proper Conduct of Banking Business Directive no. 310. For this purpose, the expression “common tools” denotes one or more of the financial instruments, models, or measurement methods of interest-rate risk management included in the Proper Conduct of Banking Business Directives or in European or US banking regulation. Proper Conduct of Banking Business Directive no. 339, “Market Risk Management” 25. (a) Proper Conduct of Banking Business Directive no. 339 (hereinafter: Directive 339) shall not apply to a new banking corporation unless its trading-book activity (balance-sheet and off-balance sheet, including all foreign-currency positions), exceeds 5 percent of total assets of the banking corporation; for this purpose, the expression “trading book” shall carry the meaning shown in Sections 685–689(iii) of Proper Conduct of Banking Business Directive no. 208. (b) A new banking corporation to which Proper Conduct of Banking Business Directive 339 does not apply shall manage its market risk with common tools and within the riskmanagement framework set forth in Proper Conduct of Banking Business Directive no. 310. For this purpose, the expression “common tools” denotes one or more of the financial instruments, models, or measurement methods of interest-risk management included in the Proper Conduct of Banking Business Directives or in European or US banking regulation.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-12 12 Chapter F: Proper Conduct of Banking Business Directives concerning Technology and Cyber Proper Conduct of Banking Business Directive no. 357, “Information Technology Management” 26. Proper Conduct of Banking Business Directive no. 357 (hereinafter: Directive 357) shall apply to a new banking corporation mutatis mutandis: (a) Per approval of the Board of Directors and a prior written notice to the Banking Supervision Department, an information technology manager may also serve as an information security manager and a cyber defense manager provided he or she has appropriate professional training and relevant experience in all of these fields. (b) A new banking corporation may outsource the function of information security manager provided the Board of Directors so approves, a written notice is submitted to the Banking Supervision Department in advance, and said manager complies with the conditions for outsourcing the function of cyber defense manager established in Section 28 of this Directive. In the case of said outsourcing, the provisions of Subsection (a) shall not apply. (c) Notwithstanding the contents of Sections 8 and 11 concerning risk assessment and safety survey of the information technology array (hereinafter: technology surveys): (1) A new banking corporation may perform the technology surveys as part of the operational risk survey referenced in Section 27 of Proper Conduct of Banking Business Directive no. 350 and this, without derogating from the requirements concerning the frequency of said technology surveys. (2) A new banking corporation may assign responsibility for performing said technology surveys to the operational risk management officer. Proper Conduct of Banking Business Directive no. 359A, “Outsourcing” 27. Cancelled. Proper Conduct of Banking Business Directive no. 361, “Cyber Defense Management” 28. Proper Conduct of Banking Business Directive no. 361 (hereinafter: Directive 361) shall apply to a new banking corporation mutatis mutandis: Notwithstanding the contents of Section 17— A new banking corporation may outsource the function of cyber defense manager provided the Board of Directors approves, a written notice is submitted to the Banking Supervision Department in advance, and the following conditions are met: (a) The cyber defense manager shall be a specific employee of the service provider, who shall provide said service on the scale of a full-time post solely for the new banking corporation;

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-13 13 (b) The new banking corporation shall ensure that the service provider has taken appropriate measures to prevent conflicts of interests between the services it provides for other customers and those it provides for the new banking corporation. Proper Conduct of Banking Business Directive no. 362, “Cloud Computing” 29. Instead of the contents of Section 5 of Proper Conduct of Banking Business Directive no. 362, the following shall appear: “A new banking corporation may use cloud-computing services for core activities or core systems per prior approval of the Supervisor of Banks.”

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-14 14 Chapter G: Banking Corporation in Formation 30. Proper Conduct of Banking Business Directives, with the exceptions specified below, shall not apply to a banking corporation in formation. 31. The following provisions shall apply to a banking corporation in formation in addition to the requirements set forth in its license: (1) Capital requirements—the equity of a banking corporation in formation shall be no smaller, at any time, than 60 percent of that required of a new banking corporation in accordance with Section 11. (2) Liquidity requirements a. A banking corporation in formation shall define liquidity risk appetite, establish guidelines for a funding policy, and formulate a plan for the maintenance of sufficient financial resources to statisfy liquidity needs during its period as a banking corporation in formation. b. A banking corporation in formation shall, at all times, hold liquid assets at a rate no smaller than 20 percent of its total deposits from the public; said liquid assets shall be kept in reserve with the Bank of Israel (not including the monetary liquidity requirement) and in Israel government bonds. (3) Corporate governance—a banking corporation in formation shall appoint the following functions, which shall act in accordance with the following provisions: a. Board of Directors—Proper Conduct of Banking Business Directive no. 301 shall apply to a banking corporation in formation, mutatis mutandis in respect of a new banking coropration in Chapter C of this Directive. b. Internal Audit—a banking corporation in formation shall have an independent internal auditor and an independent Internal Audit function as set forth in Proper Conduct of Banking Business Directive no. 307. The internal audit work shall include preparation of work plans, audit and evaluation of available information, communication of findings, and monitoring of recommendations and topics. The scope of auditing, the inputs to be allocated to the auditing work, and the internalauditing tools shall be commensurate to the level and type of the activity. c. Risk management—Proper Conduct of Banking Business Directive no. 310 shall apply, mutatis mutandis in respect of a new banking corporation in Chapter C of this Directive. c1. Handling of Public Complaints -Proper Conduct of Banking Business Directive no. 308A, shall apply, mutatis mutandis in respect of a new banking corporation in Chapter C of this Directive. d. Business continuity—Proper Conduct of Banking Business Directive no. 355 shall apply. (4) Senior management Fit and Proper —cancelled.

Supervisor of Banks: Proper Conduct of Banking Business [3] (03/22) Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation Page 480-15 15 (5) Compliance and anti-money laundering and countering financing of terrorism — Proper Conduct of Banking Business Directives no. 308 and no. 411 shall apply. (6) Outsourcing—Proper Conduct of Banking Business Directive no. 359A shall apply. (6a) Technology and cyber a. Information-technology management—Proper Conduct of Banking Business Directive no. 357 shall apply, mutatis mutandis in respect of a new banking corporation in Chapter F of this Directive. b. Cyber-defense management—Proper Conduct of Banking Business Directive no. 361 shall apply, mutatis mutandis in respect of a new banking corporation in Chapter F of this Directive. c. Cloud computing—Proper Conduct of Banking Business Directive no. 362 shall apply, mutatis mutandis in respect of a new banking corporation in Chapter F of this Directive. d. Supply chain cyber risk management—Proper Conduct of Banking Business Directive no. 363 shall apply. e. Reporting of technological failures and cyber events—Proper Conduct of Banking Business Directive no. 366 shall apply. f. E-banking—Proper Conduct of Banking Business Directive no. 367 shall apply. (7) Exit plan—an exit plan in the meaning of this term in Section 9b of this Directive shall be formulated.

Updates Circular 06 no. Version Details Date 2608 1 Original circular March 8, 2020 2669 2 Update September 30, 2021 2700 3 Update March 15, 2022