Decision on Internal Capital Adequacy Assessment of a Credit Institution

Pursuant to Article 44 paragraph (2) item 3) of the Central Bank of Montenegro Law (OGM 40/10, 06/13, 70/17), and Article 136 paragraph (4) of the Law on Credit Institutions (OGM 72/19), the Council of the Central Bank of Montenegro, at its meeting held on 28 December 2020, passed the following DECISION ON INTERNAL CAPITAL ADEQUACY ASSESSMENT OF A CREDIT INSTITUTION I. BASIC PROVISIONS Subject matter Article 1 This Decision governs the procedure of internal capital adequacy assessment of a credit institution, the method of and the time limits for reporting to the Central Bank of Montenegro (hereinafter: the Central Bank) on the adequacy of internal capital of a credit institution, including the internal capital calculation. Definitions Article 2 For the purpose of this Decision, the following definitions shall apply:

1. Small and non-complex credit institution means a credit institution:

• that is not a large credit institution within the meaning of item 2) of this paragraph;
• whose total amount of assets on an individual basis or, if applicable, on a consolidated basis is on average lower than or equal to the threshold of 200,000,000 euros for the four years period immediately preceding the current annual reporting period;
• which applies simplified recovery plans in accordance with the Law on Credit Institutions (OGM 72/19) - (hereinafter: the Law), or a resolution plan in accordance with the law governing the resolution of credit institutions;
• whose transactions from the trading book are classified in accordance with Article 103, paragraph (1) of the Decision on Capital Adequacy of Credit Institutions (hereinafter: the Decision on Capital Adequacy);
• whose total amount of positions in derivatives held for trading does not exceed 2% of its total balance sheet and off-balance sheet assets, and the total amount of its positions in derivatives does not exceed 5%, determined in accordance with Article 298 paragraph (3) of the Decision on Capital Adequacy;
• which has more than 75% of consolidated total assets and consolidated total liabilities, except for intra-group exposures in both cases, which relates to transactions with other counterparties with head office in Montenegro or the European Economic Area; and
• which does not apply internal models to meet prudential requirements in accordance with this Decision, except for subsidiary undertakings that apply

internal models developed at the group level, provided that the group is subject to reporting requirements at the consolidated level; 2) large credit institution means a credit institution that:

• is classified as a global systemically important credit institution (G-SII credit institution), in accordance with the Law;
• is considered other systemically important institution (OSICIs) in accordance with the Law;
• represents one of the three largest credit institutions in Montenegro; and or
• has an amount of assets on an individual basis or, if applicable, on a consolidated basis, equalling to 500,000,000 euros or more;

3. risk profile means the measurement or assessment of all risks to which a credit institution is or might be exposed in its operations;
4. stress testing means the assessment of the impact of certain developments and processes, including micro- or macroeconomic scenarios, on the overall capital position of a credit institution or sources of funding and liquidity, by means of projecting the credit institution’s capital sources and requirements or the impact of shocks on the overall liquidity position of the credit institution, including determining capital requirements; Internal capital strategy Article 3 (1) Internal capital strategy is to ensure that the maintained capital levels are supportive of the factors such as the expected placement growth, future sources of funds and their use, dividend policy and any changes in the minimum level of own funds determined in line with the Decision on Capital Adequacy. (2) For the purpose of determining internal capital adequacy, a credit institution shall adopt a capital plan clearly defining:
5. the strategic objectives and time horizons for their realisation considering the impact of macroeconomic factors and changes in the economic cycle on strategic plans;
6. capital planning processes and responsibilities for these processes;
7. the method by which a credit institution is to comply with capital requirements in the future;
8. the relevant limits related to capital (e.g. the impact of a change in regulations or of the adoption of new regulations);
9. general contingency plans (e.g. the way of raising additional capital, business activity restriction or the application of risk mitigation techniques). Assessment process establishment and implementation Article 4 (1) A credit institution shall establish an adequate procedure for ongoing assessment and maintenance of internal capital, while taking into consideration credit institution’s risk profile, risk management and risk mitigation techniques. (2) For the purposes referred to in paragraph (1) of this Article, the target external rating, market position, entrance to new markets, capital accessibility and other

strategic objectives shall be taken into account, and the credit institution shall analyse and document the impact of these factors on the level of internal capital. (3) The process referred to in paragraph (1) of this Article shall be considered adequate if:

1. it is based on the identification, measurement or assessment, aggregation and monitoring of significant risks;
2. it ensures adequate internal capital, while taking into consideration risk profile of a credit institution; and
3. it is adequately incorporated into the governance arrangements of a credit institution. (4) A credit institution shall document and regularly review the assessment procedure it determines. (5) The internal audit function of a credit institution shall assess the appropriateness of the procedure referred to in paragraph (1) of this Article, at least once a year. (6) The guidelines given in Annex 1, which forms an integral part of this Decision, shall apply to the determination and implementation of the internal capital adequacy assessment process. II. INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS 2.1. Process scope Phases of the process Article 5 (1) Internal capital adequacy assessment process shall include:
4. the identification of risks;
5. the measurement or assessment of individual risks and the determination of related internal capital requirements for the termination of total internal capital; and
6. the comparison of the required own funds and the required internal capital. (2) A credit institution shall perform internal capital assessment in line with the paragraph (1) of this Article at a minimum on an annual basis, and more often in the case of a significant change in the risk profile.

2.2. Risk identification Significant risks Article 6 (1) A credit institution shall on the basis of its risk profile identify significant risks to which it is or might be exposed to in its operation, and which will be covered in its internal capital adequacy assessment process, taking into account the type, scope and complexity of its activities and the markets in which it operates. (2) In order to identify significant risks in line with paragraph (1) of this Article, a credit institution shall analyse the following:

1. credit risk, market risk and operational risk, also including other risks for which capital requirements are calculated under Decision on Capital Adequacy;
2. the risks which are not fully covered by minimum capital requirements referred to in the Decision on Capital Adequacy (currency induced credit risk, residual risk and risks arising from securitisation transactions, a possible underestimation of credit risk due to the use of the Standardised Approach, a possible underestimation of operational risk due to the use of the Basic Indicator Approach or the Standardised Approach);
3. interest rate risk arising from non-trading activities, risk of excessive leverage, concentration risk, reputational risk and strategic risk;
4. liquidity risk and funding risk, including intra-day liquidity, encumbered assets and collateral management;
5. the impact of external factors (economic and business environment); and
6. other risks to which it is exposed or could be exposed to in its operations, not referred to in items 1) to 4) of this paragraph. (3) The identification of all risks and the determination of their significance must be based on a comprehensive assessment of the risks to which a credit institution is or might be exposed to, and which are inherent in individual operations, products, activities, processes and systems of a credit institution, both on the portfolio and individual product basis. (4) The risk identification process must also include an assessment of the financial position of a credit institution and the environment in which it operates. (5) By way of derogation from paragraph (2) of this Article, a small and non-complex credit institution shall within the internal capital and internal liquidity adequacy assessment process analyse, at a minimum, the following:
7. concentration risk;
8. risk related to management;
9. interest rate risk arising from non-trading book activities;
10. liquidity risk including the possibilities of raising additional capital;
11. risk of excessive leverage;
12. strategic risk; and
13. the impact of external factors.

(6) Notwithstanding paragraph (5) of this Article, a small and non-complex credit institution may allocate for those risks an internal capital requirement in the amount of at least 5% of total capital requirements for risks referred to in paragraph (2) item 1) of this Article instead of risk assessment referred to in paragraph (5) of this Article. Risk definitions Article 7 (1) For the purpose of managing risks referred to in this Decision, a credit institution may, in addition to the indicators determined by the Law and regulation of the Central Bank regulating risk management in credit institution, determine other indicators (hereinafter: risk definition), on the condition that it gives a detailed explanation thereof. (2) Where a credit institution uses different definitions of the risks for which the calculation of capital requirements is prescribed in the Decision on Capital Adequacy, it shall explain the impact of the application of these definitions on the level of capital requirements of the credit institution under the Decision on Capital Adequacy. 2.3. Measurement or assessment of individual risks and the determination of related internal capital requirements Risk measurement or assessment methodology Article 8 (1) When calculating internal capital requirements, a credit institution shall by quantitative methods measure or, if the risks are difficult to quantify, assess significant risks using the methodology and approaches which are the most suitable for its organisation and business activities. (2) A credit institution shall establish for which risks, in addition to credit risk, market risk, credit valuation adjustment risk (CVA) and operational risk, it is appropriate to use quantitative methods when determining internal capital requirements, and for which risks it is more suitable to exclusively use risk mitigation or control measures instead of determining internal capital requirements. (3) A credit institution may use various approaches to calculate internal capital requirements for various types of risk, on the condition that it defines an adequate methodology to measure or assess each risk and that it documents and explains the following:

1. the risk measurement methods/approaches;
2. the assessment of non-measurable risks; and
3. all corrections in risk amounts undertaken when a credit institution establishes that the methods used to measure or assess a specific risk fail to show the current exposure of the credit institution to that risk.

(4) When calculating internal capital requirements for credit risk, credit valuation adjustment risk, operational risk and market risks, a credit institution may do one of the following:

1. apply the approaches it uses for the calculation of own funds requirements under in line with the Decision on Capital Adequacy;
2. apply the advanced approaches referred to in the Decision on Capital Adequacy; or
3. use other approaches determined by the credit institution. (5) Where the calculation of capital requirements in line with the Decision on Capital Adequacy is based on a rating by an external credit assessment institution or on the fact that the exposure is unrated, a credit institution shall take into consideration other relevant information when calculating internal capital requirements for credit risk. (6) Internal capital requirements for significant market risks for which capital requirements referred to in the Decision on Capital Adequacy are not calculated must be appropriate. (7) A credit institution which has, in calculating capital requirements for position risk in accordance with the Decision on Capital Adequacy, netted off its positions in one or more of the equities constituting a stock-index against one or more positions in the stock-index future or other stock index product shall calculate and maintain adequate internal capital to cover losses from basis risk caused by the future's or other product's value not moving fully in line with that of its constituent equities. (8) A credit institution shall calculate and maintain adequate internal capital if it holds opposite positions in stock-index futures which are not identical in respect of either their maturity or their composition or both. (9) When using the treatment in Article 452 of the Decision on Capital Adequacy, a credit institution shall calculate the internal capital requirement against the risk of loss which exists between the time of the initial commitment and the following working day. (10) A credit institution may, when calculating internal capital requirements for interest rate risk arising from non-trading activities, apply the simplified calculation of estimate of a change in the economic value of the non-trading book prescribed in the regulation governing on the interest rate risk management. Stress testing Article 9 In order to make a quality assessment of its risk exposure, a credit institution shall regularly, at a minimum on an annual basis, carry out scenario and sensitivity analyses for all significant risks and internal capital, and the credit institution shall take the results obtained into account when assessing and maintaining an adequate level of internal capital.

2.4. Determining total internal capital Defining available internal capital Article 10 A credit institution shall define the categories and constituent elements of capital used to calculate the available internal capital, taking into account which individual elements of capital best demonstrate the real value of assets and liabilities and the loss absorbing capacity. Calculation of total internal capital requirements Article 11 (1) A credit institution shall determine total internal capital requirements by adding up capital requirements for:

1. the risks requiring the calculation of capital requirements under the Decision on Capital Adequacy; and
2. other significant risks. (2) By way of derogation from paragraph (1) of this Article, a credit institution may use complex approaches for the calculation of total internal capital requirements, on the condition that it documents and explains the following:
3. the basic methodological assumptions, with the exception of perfect positive correlations between risks, and that it ensures their robustness by performing stress testing; and/or
4. any other methodology/approach to determine total required internal capital, including the one based on the simulation of concurrent changes in multiple risk factors. (3) A credit institution shall maintain internal capital at least at the level of total internal capital requirements. (4) A parent credit institution in Montenegro shall determine, in addition to internal capital requirements on a consolidated or sub-consolidated basis, for each member of a group of credit institutions in Montenegro which is a credit institution and for each member of a group which the parent credit institution assesses as important for the business of the group, internal capital requirements on an individual basis. 2.5. Comparison of required own funds and required internal capital Process of comparison Article 12 (1) A credit institution shall compare required internal capital and required own funds and state their similarities and differences.

(2) Where it is established by the internal capital adequacy assessment process that the amount of required internal capital is lower than the minimum level of required own funds referred to in Article 101 of the Decision on Capital Adequacy, a credit institution shall maintain a level of own funds at a minimum equal to that prescribed in Article 101 of the Decision on Capital Adequacy. (3) A credit institution shall at the end of a business year (as at 31 December) calculate:

1. the total amount of required internal capital, and

2. the target level of available internal capital at the end of the current financial year, in accordance with the business plan, while taking into account the level of own funds as determined in line with the Decision on Capital Adequacy. (4) A credit institution shall incorporate into the annual business plan corrective measures to be taken in the event of errors or changes in the assessments of internal capital adequacy. III. INTEGRATION OF THE INTERNAL CAPITAL ASSESSMENT PROCESS INTO GOVERNANCE ARRANGEMENTS Use of assessment results Article 13 (1) The internal capital assessment process must be a constituent part of a credit institution's governance arrangements. (2) A credit institution shall make use of the results of the internal capital adequacy assessment process at a minimum in the following processes:

3. when defining and monitoring the realisation of the risk management strategy;

4. when allocating capital to individual organisational units;

5. when adopting decisions on lending and budgeting issues; and

6. when adopting major strategic decisions (e.g. to launch a new product, enter a new market, etc.). (3) The internal capital assessment process must enable the management and supervisory boards of a credit institution at all times to assess and/or evaluate all significant risks to which the credit institution is or might be exposed to in its operation. Duties of the management and supervisory boards Article 14 (1) When it comes to the assessment of internal capital, the supervisory board of a credit institution shall:

7. supervise an adjustment of the internal capital assessment process with regard to significant changes in the strategies, policies, organisation and business environment;

8. supervise that the results of the internal capital adequacy assessment process are used for strategic purposes and in the decision-making process; and

9. analyse the realisation of the risk-taking and risk management strategy in relation to the available and required internal capital. (2) When it comes to the assessment of internal capital, the management board of a credit institution shall:

10. ensure the implementation of the internal capital assessment process and its compliance with strategic policies of the credit institution;

11. ensure that all risks are included into the process referred to in paragraph (1) of this Article;

12. ensure the use of appropriate assessment methods;

13. prescribe in detail the internal capital assessment process (the methods used, the assumptions, the assessment process, and the method of maintaining an adequate internal capital level) and the internal capital allocation process in line with the provisions of this Decision;

14. ensure that the internal capital assessment process is documented;

15. ensure adequate resources to implement the internal capital assessment process and a full understanding of the process by all included employees;

16. ensure that the internal capital assessment process is a constituent part of the governance activities of a credit institution; and

17. ensure a regular assessment of the appropriateness of the internal capital assessment process.

18. give its assessment of the capital adequacy of the credit institution on an annual basis, in accordance with the results of ICAAP and other relevant information, by making a statement on capital adequacy. Outsourcing Article 15 (1) A credit institution may outsource a part of a phase of the internal capital adequacy assessment process referred to in Article 5, paragraph (1) of this Decision. (2) The provisions of the regulation governing risk management related to outsourcing shall apply to the outsourcing referred in paragraph (1) of this Article. Assessment process on a consolidated basis Article 16 A credit institution which in accordance with the Law applies the provisions of this Decision on a consolidated basis for a group of credit institutions in Montenegro shall:

19. when managing risks at the level of the group, define and align the processes and procedures, tasks and responsibilities of individual persons and organisational units as well as reporting lines within the group;

20. ensure that the methodologies of risk measurement and/or assessment are aligned at the level of the group;

21. assess significant risks of all undertakings within the group including its own risks and the risks inherent in the conduct of business activities with persons outside the group which have an impact on the overall risk profile of the group;

22. calculate the required internal capital on a consolidated basis and on an individual basis and adjust the required internal capital and required own funds;

23. integrate the internal capital assessment process on a consolidated basis into the management and decision-making process of a credit institution; and

24. report to the Central Bank on the internal capital assessment process on a consolidated basis, in line with Article 17 and 18 of this Decision. IV. REPORTING TO THE CENTRAL BANK Report content Article 17 (1) A credit institution shall inform the Central Bank in writing on the implementation of internal capital assessment process. (2) The report referred to in paragraph (1) of this Article shall at least include the following:

25. general information and summary;

26. business model and strategy description;

27. management information;

28. the description of the manner for determining significant risks;

29. the manner of managing significant risks (individually for each risk);

30. the manner of measuring or assessing significant risks and determining adequate amounts of internal capital requirements;

31. the methods for determining total internal capital and capital plans;

32. other information. (3) The report referred to in paragraph (1) of this Article shall include a list of internal acts of a credit institution, indicating the dates of their adoption and their last amendments, as well as a list of internal reports of a credit institution relevant for internal capital assessment process, specifying the timeframes of their production and governance levels they are intended for. (3) A credit institution is not required to prepare elements of reports submitted to the Central Bank as part of other reporting requirements, for the purposes of the report referred to in paragraph (1) of this Article. Time limits for reporting and report template Article 18 (1) A credit institution shall prepare a report on the internal capital assessment process as at 31 December of the previous year and submit it to the Central Bank at the latest until 30 April of the current year.

(2) Reports referred to in paragraph (1) of this Article shall be prepared using a template given in Annex 2 integral to this Decision. V. TRANSITIONAL AND FINAL PROVISIONS Submitting first ICAAP reports Article 19 Notwithstanding Article 18 paragraph (1) of this Decision, credit institutions shall submit to the Central Bank the first report on the internal capital adequacy assessment process in accordance with this Decision, within six months from the date of application of this Decision, as at 31 March of year in which this Decision starts to apply. Entry into force Article 20 This Decision shall enter into force on the day following that of its publication in the Official Gazette of Montenegro, and it shall apply from the date of application of the Law on Credit Institutions (OGM 72/19). THE COUNCIL OF THE CENTRAL BANK OF MONTENEGRO CHAIRMAN Decision no. 0101-7725-14/2020 G O V E R N O R, Podgorica, 28 December 2020 Radoje Žugić, m.p.

ANNEX 1 GUIDELINES for the internal capital adequacy assessment process of credit institutions (ICAAP)

1. INTRODUCTION Sound, effective and comprehensive internal capital adequacy assessment process of credit institutions (hereinafter: ICAAP) comprise a clear assessment of the risks to capital, and have well-structured risk governance and risk escalation processes based on a well-thought out and thorough risk strategy that is translated into an effective risk limit system. A sound, effective and comprehensive ICAAP is based on the economic and the normative perspectives that complement each other. ICAAP also represents an input factor in the supervisory review and evaluation process (hereinafter: SREP). It feeds into all SREP assessments and into the capital determination process in accordance with this Decision. A good ICAAP reduces a credit institution’s uncertainty concerning the risks that the institution is or may be exposed to, and gives supervisors an increased level of confidence in the credit institution’s ability to continue operating by maintaining adequate capitalisation and by managing its risks effectively. This requires the credit institution to ensure that all material risks are identified, effectively managed and covered by a sufficient amount of high quality capital. These guidelines are aimed at assisting credit institutions in strengthening their ICAAPs and at encouraging the use of best practices leading to more consistent and effective supervision, with a focus on key aspects of supervision that will be discussed during ICAAP assessment of each credit institution under SREP. A credit institution should ensure that its ICAAP remains comprehensive and proportionate to the nature, scale and complexity of its activities, bearing in mind that proportionality is not to be applied in a way that undermines the effectiveness of its ICAAP.
2. TERMINOLOGY The terminology used in this Annex shall have the following meanings: Adverse scenario: A combination of assumed adverse developments in internal and external factors (including macroeconomic and financial developments) that is used to assess the resilience of the capital adequacy of the credit institution to potential adverse developments over a medium-term horizon. It should cover at least three years. The assumed developments in internal and external factors should be combined in a consistent way and be severe but plausible from the credit institution’s perspective,

reflecting the risks and vulnerabilities that are assessed as representing the most pertinent threats to the credit institution. Baseline scenario: A combination of expected developments in internal and external factors (including macroeconomic and financial developments) that is used to assess the impact of those expected developments on the capital adequacy of the credit institution over a medium-term horizon. The baseline scenario should be consistent with the basis of the credit institution’s business plans and budget, and cover a time horizon of at least three years. Capital adequacy statement: A formal statement from the management body providing its assessment of the capital adequacy of the credit institution and explaining its main supporting arguments. Diversification effect: A reduction in the overall risk quantification of a credit institution stemming from the assumption that individually estimated risks will not materialise to the full extent at the same time (lack of perfect correlation). Economic capital adequacy concept: An internal concept aimed at ensuring under the economic perspective that the financial resources (internal capital) of the credit institution will enable it to cover its risks and maintain the continuity of its operations on an ongoing basis. Economic capital adequacy takes into account economic value considerations. It is the responsibility of the credit institutions themselves to implement adequate risk quantification methodologies – there is no general expectation that credit institutions will utilise “economic capital models” to ensure economic capital adequacy. Economic internal perspective: An ICAAP perspective under which the credit institution manages its economic capital adequacy by ensuring that its economic risks are sufficiently covered by available internal capital. Economic risk: A risk that may impact the economic value of the credit institution, thus impacting economic capital adequacy. When identifying, assessing and quantifying such risks, the credit institution should take into account economic value considerations. Economic value considerations. The economic value concept is based on the value of assets, liabilities, risks and the credit institution as such from an economic perspective. The economic value is not based on accounting or regulatory provisions. However, depending on the accounting standards applied, the economic value concept can be similar to the fair value concept underlying the valuation of certain assets and liabilities in particular accounting categories. In line with those standards, the economic value/fair value could be defined as the estimated price at which an asset could theoretically be sold to a third party or a liability settled in an orderly transaction under the relevant market conditions. In the regulatory world, the economic value concept is reflected in, for example, the Economic Value of Equity (EVE). The use of the term “considerations” means that the Central Bank does not prescribe a particular methodology for determining economic values. Rather, it is the responsibility of the credit institutions themselves to apply adequate methodologies for identifying and quantifying their economic risks and their internal capital, in line with economic value considerations.

Expected and unexpected losses: The expected loss is the statistical mean loss the credit institution expects over a given period of time. The unexpected loss is the total loss exceeding the mean loss, stemming from a downside tail event. Gross approach in risk identification: The gross approach means that risks are first identified without taking into account specific actions designed to mitigate them. Hidden losses and reserves: Valuation differences between accounting values and economic values of balance sheet positions. ICAAP architecture: Different elements of the ICAAP and how they interlink. The ICAAP architecture should ensure that the different elements of the ICAAP fit together coherently and that the ICAAP is an integral part of the credit institution’s overall management framework. The credit institution should maintain, as part of its ICAAP documentation, a description of the overall ICAAP architecture that explains how the ICAAP is integrated and how its outcomes are used in the credit institution. ICAAP outcomes: Any information that results from the ICAAP and adds value to decision-making. Internal review and validation: Internal review covers a broad range of controls, evaluations and reports aimed at ensuring that ICAAP strategies, processes and methodologies remain sound, comprehensive, effective and proportionate. Validation, as part of the internal review, encompasses processes and activities assessing whether the risk quantification methodologies and risk data of the credit institution adequately capture relevant aspects of risk. In a proportionate way, the validation of risk quantification methodologies is expected to be conducted independently and respect the principles underlying the respective standards established for Pillar 1 internal models. Limit system: A documented and hierarchical system of limits set in line with the overall strategy and risk appetite of the credit institution in order to ensure that risks and losses can be limited effectively in line with the capital adequacy concept. The limit system should lay down effective boundaries for risk taking for, for example, different risk types, business areas, products and group entities. Taken actions: Actions taken by the credit institution to keep the capital at adequate levels, i.e. within the risk appetite. Management buffer: An amount of capital above the regulatory and supervisory minima and internal capital thresholds that the credit institution considers necessary in order to sustainably follow its business model and to remain flexible regarding possible business opportunities, without endangering its capital adequacy. Material risk: A capital-related downside risk that, based on the credit institution’s internal definitions, has a material impact on its overall risk profile, and thus may affect the capital adequacy of the credit institution.

Medium-term time horizon: A time horizon expected to capture the capital position over the upcoming three years. Normative internal perspective: A multi-year ICAAP perspective under which the credit institution manages its capital adequacy by ensuring that it is able to fulfil all of its capital-related legal requirements and supervisory demands and cope with other internal and external capital constraints on an ongoing basis. Proportionality: A principle in according to which ICAAP shall be proportionate to the nature, scale and complexity of the activities of the credit institution concerned. Reverse stress test: A stress test which starts from the identification of the pre-defined outcome (non-viability of the business model) and then explores scenarios and circumstances that might cause that outcome to occur. Risk horizon: The risk horizon is the assumed period of time over which the risk is assessed. Under the economic perspective, the risk horizon is usually one year, and under regulatory perspective it is at least three years. Risk identification process: A regular process the credit institution uses to identify risks that are or might be material for the credit institution. Risk inventory: A list of identified risks and their characteristics. The risk inventory is the result of the risk identification process. Risk quantification: The process of quantifying identified risks by developing and using methodologies to determine risk figures and enable a comparison between the risks and the available capital of the credit institution. Risk taxonomy: A categorisation of different risk types/factors enabling the credit institution to assess, aggregate and manage risks in a consistent way through a common risk language and mapping. Risk tolerance: The types of risks and levels of those risks that the credit institution does not intentionally expose itself to, but accepts/tolerates. 2. ICAAP PRINCIPLES Principle 1 – Role of the credit institution’s management body in the governance of the ICAAP Supervisory and management board should approve all key elements of the ICAAP, in line with internal policies of the credit institution, thus regulating powers of the supervisory board and the management board. Supervisory and management board should establish a governance framework with a clear and transparent assignment of powers and responsibilities.

Internal review and validation. Regular internal review covers both qualitative and quantitative aspects, including, for example, the use of ICAAP outcomes, the stress￾testing framework, risk capture and the data aggregation process, including proportionate validation processes for the internal risk quantification methodologies used. For this purpose, the credit institution should have in place adequate policies and processes for internal reviews, to be conducted by the control functions (risk management, compliance and internal audit). It is necessary to ensure proactive adjustment of the ICAAP to any material changes that occur, such as entering new markets, providing new services, offering new products, or changes in the structure of the group. ICAAP outcomes and assumptions should be the subject to adequate internal review, covering, for example, capital planning, scenarios, and risk quantification. The extent to which this challenge should be quantitative as opposed to qualitative depends on the nature of the element assessed. This review should take due account of the limits and constraints arising from the methodologies employed, the underlying assumptions and the input data used in quantifying the risk. The purpose of the review is to scrutinise whether the internal processes, chosen methodologies and assumptions have led to sound outcomes (“back-testing”) and whether they remain appropriate with a view to the current situation and future developments. The outcome of this review should be thoroughly assessed, documented and reported to the supervisory board and management board. In case any weaknesses have been identified, effective follow-up actions should lead to a quick rectification of the findings. Capital adequacy statement. The capital adequacy statement (CAS) provides assessment of the capital adequacy of the credit institution and explains its main supporting arguments, backed by information it considers relevant, including ICAAP outcomes. Principle 2 - The ICAAP is an integral part of the overall management framework In addition to an adequate quantitative framework for assessing capital adequacy, a qualitative framework needs to ensure that capital adequacy is actively managed. This includes the monitoring of capital adequacy indicators to identify and assess potential threats in a timely manner, drawing practical conclusions and taking preventive action to ensure that both own funds and internal capital remain adequate. The quantitative and qualitative aspects of the ICAAP should be consistent with each other and with the credit institution’s business strategy and risk appetite. The ICAAP should be integrated into the business, decision-making and risk management processes of the credit institution. The ICAAP should be consistent and coherent throughout the group of credit institutions.

Credit institutions should maintain a sound and effective overall ICAAP architecture and documentation on the interplay between the ICAAP elements and the integration of the ICAAP into the overall management framework. The ICAAP should support strategic decision-making and ensure that the credit institution maintains adequate capitalisation. All methods and processes used by the credit institution to steer its capital adequacy, as part of the operational or strategic capital adequacy management process, should be approved, thoroughly reviewed, and properly included in the ICAAP and its documentation. The ICAAP as an integral part of a credit institution’s management framework. In order to assess and maintain adequate capital to cover the credit institution’s risks, the internal processes and arrangements should ensure that quantitative analysis of risks, as reflected in the ICAAP, is integrated into all material business activities and decisions. This integration may be achieved by using the ICAAP for, for example, the strategic planning process at the level of a credit institution or at group level, monitoring capital adequacy indicators to identify and assess potential threats in a timely manner, drawing practical conclusions and taking preventive action, determining capital allocation, and ensuring the ongoing effectiveness of the risk appetite framework (RAF). ICAAP-based risk-adjusted performance indicators should be used in the decision￾making process (for example, when determining variable remuneration or when discussing business and risks at all levels of the credit institution, including, inter alia, risk management boards and other similar boards). The overall ICAAP architecture. Supervisory board and management board ensure that there is an adequate ICAAP architecture, as well as that the different elements of the ICAAP fit coherently together and that the ICAAP is an integral part of the credit institution’s overall management framework. For the purpose of ensuring that internal capital adequacy is maintained, ICAAP documentation should include a description of the overall ICAAP architecture, for example an overview of the key elements of the ICAAP and how they work together, explaining how the ICAAP is integrated into the credit institution’s functioning and how its outcomes are used in the credit institution. This ICAAP architecture description should explain the high-level structure of the ICAAP, how its outcomes are used in decision-making, and the connections between, for example, business and risk strategies, capital plans, risk identification processes, the risk appetite statement, limit systems, risk quantification methodologies, the stress-testing programme, and reporting to the supervisory and management boards.

Management reporting. The ICAAP is an ongoing process. The credit institution should integrate ICAAP outcomes (such as how material risks, key indicators, etc. are evolving) into its internal reporting to different managerial levels at appropriate frequencies. The frequency of reporting to the management body should be at least on a semi-annual basis, but, depending on the size, complexity, business model and risk types of the institution, reporting might need to be more frequent to ensure timely management action. The ICAAP outcomes for risk quantification and capital allocation, should represent a key performance benchmark and target against which each financial and other outcome of each risk-taking organisational unit is measured. The ICAAP and the risk appetite framework. Credit institutions should formalise the interplay between RAF and other strategic processes, such as ICAAP, the recovery plan and the remuneration policy. RAF of a credit institution should be closely interlinked with the ICAAP and a cornerstone of sound risk and capital management. When determining risk appetite, the credit institution should set out both a clear and unambiguous view on and intended actions with regard to its risks in line with its business strategy, including readiness for taking on or avoiding certain types of risks, products or regions. The credit institution’s overall risk profile should ultimately be constrained and driven by the group-wide RAF and its implementation. Furthermore, the RAF is a critical element of the credit institution’s strategy development and implementation process. In a structured manner, the RAF links risks taken to the credit institution’s capital adequacy and strategic objectives. As part of the RAF, the credit institution should determine and take into account its management buffers. The credit institution should clearly express how the implementation and monitoring of its strategy and risk appetite are supported by its ICAAP, and how this effectively enables it to comply with the agreed risk boundaries set out in the risk appetite statement. In order to facilitate sound and effective risk management, the credit institution should use the ICAAP outcomes when setting up an effective risk monitoring and reporting system and an adequately granular limit system (including effective escalation procedures) that allocates specific limits to, for example, individual risks, sub-risks, entities and business areas, which helps operationalise the risk appetite of the credit institution or the group. Consistency between ICAAPs and recovery plans. A recovery plan aims at providing measures to be taken by the credit institution to restore its financial position following a significant deterioration. Since insufficient capitalisation is one of the key threats to business continuity/viability, the ICAAP and the recovery plan should be parts of the same risk management continuum. Accordingly, a credit institution should ensure consistency and coherence between their ICAAPs, on the one hand, and their recovery plans and arrangements (e.g. thresholds for early warning signals and recovery indicators, escalation procedures, and potential management actions) on the other. Moreover, potential ICAAP management actions with material impact should be reflected without delay in the recovery plan, and vice versa, to ensure that the

processes and the information included in related documents are consistent and up to date. Consistency and coherence across groups. The ICAAP should ensure capital adequacy at relevant levels of consolidation and for applicable entities of the group. In order to be able to effectively assess and maintain capital adequacy across entities of a group, the strategies, risk management processes decision-making and the methodologies and assumptions applied when quantifying capital need to be coherent across the relevant perimeter. The credit institution should also assess possible impediments to capital transferability within the group in a conservative and prudent manner and take them into account in its ICAAP. Example: Consistency between the ICAAP and the recovery plan. To ensure the overall consistency of recovery and ICAAP arrangements, a credit institution should be consistent across the continuum of potential capital impacts and corresponding management actions in its ICAAPs and its recovery plans. More specifically, this means, for example, that capital indicators used in the recovery plan for identifying significant actual and likely future deteriorations in the quantity and quality of capital should be consistently taken into account in the ICAAP. More specifically, under normal circumstances capital levels should be managed via the ICAAP so as to stay above the thresholds for capital indicators in the recovery plan by a prudent margin. Likewise, the management actions in the ICAAP and the recovery plan should also be consistent: where a credit institution assumes similar actions in its recovery plan and its ICAAP, this could lead to an overestimation of the effectiveness of recovery options in the calculation of the overall recovery capacity if some of them have already been used under the ICAAP. Therefore, in order to avoid overlaps between recovery options and ICAAP management actions, which might lead to “double-counting”, a credit institution should perform a re-assessment of the feasibility and effectiveness of the recovery options aimed at including them in the recovery plan. For instance, the capacity of a credit institution to raise capital in a recovery situation may be severely affected if the credit institution has already raised capital under its ICAAP in a situation that does not fall under the recovery plan. This could impact the types and volume of extra capital that could be raised as well as the specification of issuance conditions. Another example are management actions related to the reduction of risk. For instance, if certain assets are sold under the ICAAP in a situation that is not a recovery situation, then those assets cannot be sold again later, i.e. this action cannot be a feasible recovery option anymore. Another connection between ICAAPs and recovery plans is reverse stress testing. This instrument should be used by credit institutions as part of their ICAAPs to assess which scenarios would bring them into a situation that would threaten their ability to pursue their intended business model (and therefore their ICAAP objectives). In the context of recovery planning, “reverse stress testing should be considered as a starting point for developing scenarios that should be only ‘near-default’; i.e. they would lead to a credit institution’s or a group’s business model becoming non-viable unless the recovery actions were successfully implemented.

Principle 3 - The ICAAP contributes fundamentally to the continuity of the credit institution by ensuring its capital adequacy from different perspectives A credit institution should implement a proportionate ICAAP that is prudent and conservative and integrates normative and economic perspectives. The credit institution should implement a normative perspective, which is a multi-year assessment of the credit institution’s ability to fulfil all of its capital-related regulatory and supervisory requirements and demands and to cope with other external financial constraints on an ongoing basis. This includes the assessment of a credible baseline scenario and adequate, institution-specific adverse scenarios, as reflected in the multi￾year capital planning and in line with the overall planning objectives of the credit institution. The normative perspective should be complemented by an economic perspective, under which the credit institution should identify and quantify all material risks that may cause economic losses and deplete internal capital. In accordance with this economic perspective, the credit institution should ensure that its risks are adequately covered by internal capital. Both perspectives should mutually inform each other and be integrated into all material business activities and decisions of a credit institution. Contribution of the ICAAP to the continuity of the credit institution. The objective of the ICAAP is to contribute to the credit institution’s continuity from a capital perspective by ensuring that it has sufficient capital to bear its risks, absorb losses and follow a sustainable strategy, even during a prolonged period of adverse developments. The credit institution should reflect this continuity objective in its RAF (as specified under Principle 2) and to use the ICAAP framework to reassess its risk appetite and tolerance thresholds within its overall capital constraints, taking into account its risk profile and vulnerabilities. Within these capital constraints, the credit institution should assess and define management buffers above the regulatory and supervisory minima, as well as internal capital needs that allow it to sustainably follow its strategy. The management buffers do not refer to available capital (“headroom”). Rather, they reflect the credit institution’s view on the capital it needs to sustainably follow its business model. The management buffer concept does not actually set new minimum capital requirements above the existing legal minima. Although it is generally expected that management buffers will be larger than zero, in theory an institution may also be able to argue that, depending on the scenario assessed, a management buffer of zero would still allow it to sustainably follow its business model. When aiming for sufficient management buffers over the medium-term horizon, the credit institution should take into account, for example, the expectations of markets, investors and counterparties, possible restrictions on distributions stemming from the maximum distributable amount (MDA), and the reliance of the business model on the ability to pay out bonuses, dividends and payments on Additional Tier 1 (AT1) instruments. In addition to such external constraints, the management buffers should cushion uncertainties around projections of, and possible resulting fluctuations in, capital ratios, to reflect the credit institution’s risk appetite and to allow it some flexibility in its business decisions.

Normative internal perspective. The normative internal perspective is a multi-year assessment of the credit institution’s ability to fulfil all of its capital-related quantitative regulatory and supervisory requirements and demands, and to cope with other external financial constraints, on an ongoing basis. In addition to requirements such as those on the leverage ratio, large exposures as well as own funds requirement and eligible liabilities referred to in Article 29 of the Law on Resolution of Credit Institutions, the credit institution should take into account additional capital requirements referred to in the Decision on Capital Adequacy of Credit Institutions, (Pillar 1) and this Decision (Pillar 2), buffers prescribed by the Law, as well as other additional capital requirements for Pillar 2 – (hereinafter: P2R). The normative perspective should take into account all material risks affecting the relevant regulatory ratios, including own funds and risk exposure amounts, over the planning period. Therefore, although its outcomes are expressed in regulatory metrics, the normative perspective is not limited to the risks recognised by the own funds requirements from the Decision on Capital Adequacy of Credit Institutions. When assessing its capital adequacy under the normative perspective, the credit institution should take into account all relevant risks it has quantified under the economic perspective and assess if and to what extent those risks may materialise over the planning period, depending on the scenarios applied. The credit institution should maintain a robust, up-to-date capital plan that is compatible with its strategies, risk appetite and capital resources. The capital plan should comprise baseline and adverse scenarios and to cover a forward-looking horizon of at least three years. The credit institution should also take developments beyond this minimum horizon into account in their strategic planning, in a proportionate manner, if they will have a material impact. The credit institution should also take into account the impact of upcoming changes in legal, regulatory, and accounting frameworks and make an informed and reasoned decision on how to address them in the capital planning. Regarding the future levels should take into account all information about future changes in these positions. The credit institution should treat P2R and P2G information as external information, and in the absence of these information it should use available P2R and P2G information. For cases according to baseline scenario, including baseline projections in capital plans, the credit institution shall, in addition to the total SREP capital requirement (TSCR), to account for its combined buffer requirement (CBR), i.e. the overall capital requirement (OCR), and the Pillar 2 guidance (P2G). The credit institution should take the above into account to determine appropriate management buffers and implement capital plans that allow it to comply with the OCR plus the P2G over the medium term under expected baseline conditions (see Figure 1).

Figure 1: Adverse capital ratio projections under the normative perspective The credit institution should meet its TSCR at all times, including under prolonged periods of adverse developments that imply a serious CET1 depletion. In sufficiently adverse scenarios it might be acceptable for the credit institution not to meet its P2G and combined buffer requirements. However, the credit institution should determine adequate management buffers on top of the TSCR to take into account the above considerations, and implement them in capital plans. This would allow it to stay above its TSCR and to fulfil, for example, market expectations even under adverse conditions over the medium-term horizon. If the credit institution assumes management actions in its capital plan, it should also assess the feasibility and the expected impact of such actions under the respective scenarios, and it should be transparent about the quantitative impact of each action on projected figures. Where relevant, the assumptions used should be consistent with the recovery plan. Economic internal perspective. The credit institution should manage its capital adequacy from the economic perspective by ensuring that its risks are adequately covered by internal capital. Economic capital adequacy requires the internal capital of the credit institution to be sufficient to cover its risks and support its strategy on an ongoing basis. Under this perspective, the credit institution’s assessment should cover the full universe of risks that may have a material impact on its capital position from an economic perspective. In order to capture the undisguised economic situation, this perspective is not based on accounting or regulatory provisions. Rather, it should take into account economic value considerations for all economically relevant aspects, including assets, liabilities and risks. Thus, although the ICAAP is based on the assumption of – and aimed at ensuring – the continuity of the credit institution, the credit institution should manage its economic capital adequacy on the basis of economic value considerations. The credit institution should manage economic risks

and internal capital adequately, and assess them as part of its stress-testing framework and its monitoring and management of capital adequacy. The credit institution should use its own processes and methodologies to identify, quantify, and set aside internal capital against the expected losses (as far as these are not considered in the determination of internal capital) and unexpected losses that it might be subject to, taking into account the principle of proportionality. The credit institution should perform a point-in-time risk quantification of the current situation as at the reference date. This should be complemented by a medium-term assessment of the impact of material future developments that are not incorporated in the assessment of the current situation, e.g. potential management actions, changes in the risk profile or in the external environment. Management actions include, inter alia, capital measures, acquisitions or sales of business lines. The credit institution should use the outcomes and metrics of the economic capital adequacy assessment in its strategic and operational management and when reviewing its risk appetite and business strategies. The credit institution should identify internal capital deficiencies and to take effective measures (e.g. capital increase, risk reduction). The economic capital adequacy of the credit institution requires active monitoring and management. For this reason, the credit institution should prepare and plan procedures and management actions to be taken to address situations that would lead to insufficient capitalisation. When the credit institution identifies a significant downward trend in its economic capital position, it should consider measures to maintain adequate capitalisation, reverse the trend, and review its strategy and risk appetite. Accordingly, when the credit institution falls below its internal capital adequacy threshold, it should be able to take necessary measures and explain how the capital adequacy will be ensured over the medium term. Interaction between the economic and internal normative perspectives. Under the economic perspective, economic risks and losses affect internal capital. Some of those risks, or risks related to them, may also partially or fully materialise later under the normative perspective via accounting losses, own funds reductions or prudential provisions. Therefore, the credit institution should assess under the normative perspective the extent to which the risks identified and quantified under the economic perspective may impact its capital and total risk exposure amount (TREA) in the future. Hence, the projections of the future capital position under the normative perspective should be duly informed by the economic perspective assessments. More specifically, risks and impacts that are not necessarily apparent when focusing solely on the accounting/regulatory capital framework, but could materialise and affect future regulatory own funds or the TREA, should be considered. Conversely, the credit institution should use the outcomes of the normative perspective to inform the economic perspective risk quantifications and adjust or complement the latter if they do not adequately capture the risks arising from the adverse scenario(s) considered. This is particularly relevant for risks that are more difficult to quantify. Adjustments to the risk quantification in the economic perspective should be fully justified and documented.

Since the capital definitions and levels, the risk types and their amounts, and the minimum capital ratios usually differ between the two perspectives, and since – over time and across credit institutions – one is not systematically more stringent than the other, effective risk management requires the implementation of both perspectives. Figure 2 Overview of ICAAP perspectives and key features Example: The economic perspective informs the normative perspective. The credit institution should quantify the profit and loss (P&L) impact of interest rate risks in the banking book under the normative perspective, even though they are not considered in Pillar 1 capital requirements. While the economic impact of interest rate changes for banking book positions is immediately visible to the full extent under the economic perspective, it can take several years for the full impact of P&L effects on Pillar 1 capital ratios to show under the normative perspective. Consequently, the credit institution should consider potential losses stemming from all risks that are captured by the economic perspective, including risks not considered by Pillar 1, in the normative perspective, in particular in the adverse scenario projections. As an illustrative example, the credit institution might come to the conclusion in its economic perspective

that its economic value would decline by 10 million euros over the next year if interest rates were to increase by 200 basis points. In its normative perspective scenarios, it would then be expected to assess the respective impact on its P&L and, ultimately, on its own funds and Pillar 1 ratio over the capital planning horizon, e.g. via a P&L decrease of 1.5 million euros in the first year, 1.3 million euros in the second and 1 million euros in the third. Another example is hidden losses. While assets are conceptually taken into account at economic value/net present value under the economic perspective, the normative perspective is based on accounting and prudential values. Hidden losses become apparent when comparing accounting values and economic values. Having determined the total volume of hidden losses, the credit institution needs to decide the extent to which those hidden losses may also materialise in the balance sheet/P&L account, and this should be taken into account in the normative perspective. If, for example, a credit institution has a government bond portfolio that is subject to total hidden losses of 10 million euros, it should determine what part of those hidden losses would affect its projected regulatory own funds, subject to the respective underlying medium-term scenarios. In this example, the credit institution may conclude that accounting losses of 1 and 2 million euros would occur in years 1 and 2, respectively, owing to haircuts on the nominal value of the underlying bonds. These losses would need to be taken into account in the projections produced under the normative perspective. To sum up, there are several channels through which the risks identified and quantified in the economic perspective impact the projections under the normative perspective: negative P&L impacts, direct own funds reductions, increased provisioning and increased TREA. In all cases, credit institutions should take a differentiated approach when translating risks into impacts on projected Pillar 1 ratios. Economic perspective risks will generally not impact Pillar 1 projections one-to-one. The extent to which risks impact those projections depends for example on the scenario considered, and the applicable accounting rules and regulatory provisions. Example: The normative perspective informs the economic perspective. The medium-term assessments of the normative internal perspective and the respective underlying scenarios should inform the forward-looking view of the economic internal perspective insofar as these changes are not reflected in the point-in-time risk quantification at the respective reference date. The projected management actions foreseen in the normative perspective, e.g. capital measures, dividend payments, or acquisitions or sales of business lines, should also be assessed to establish their impact on the economic substance of the credit institution. By contrast, expected changes in interest rate curves and management actions that have already been decided upon and that will occur during the risk horizon (of usually at least one year) are usually taken into account in the short-term point-in-time assessment under the economic perspective. The adverse projections of the normative perspective should simulate institution￾specific vulnerabilities. If such projections show a material impact stemming from a particular risk type, e.g. migration risk, then the credit institution should ensure that this risk is adequately quantified in the point-in-time calculation or complementary assessments (e.g. stress testing) under the economic perspective. For example, a credit institution with a material equity portfolio addresses this risk exposure by

assuming a severe stock market downturn in its normative perspective. In practice, if the credit institution uses a value-at-risk (VaR) approach for quantifying market risk in its economic perspective and the data underlying the risk quantification only contain smooth stock market developments, then the risk quantification underestimates the market risk. The credit institution may either adjust its risk quantification assumptions, or allocate additional internal capital to the market risk that is not captured by the risk quantification, or take other measures to ensure sufficient capital to cover the risk. It is the credit institution itself that decides how to ensure that the risk is effectively managed and covered by internal capital. Principle 4 - All material risks are identified and taken into account in the ICAAP The credit institution is responsible for implementing a regular process for identifying all material risks it is or might be exposed to under the economic and normative perspectives. All risks identified as material should be addressed in all parts of the ICAAP in accordance with an internally defined risk taxonomy. A credit institution should identify, at least annually risks that are material, using its own internal definition of materiality, and establish an internal risk inventory. For all risks identified as material, the credit institution should either to allocate capital to cover the risk or to document the justification for not holding capital. Risk identification process. The credit institution should implement a regular process for identifying all material risks at least on an annual basis, and include them in a comprehensive internal risk inventory. Using its internal definition of materiality, it should ensure that the risk inventory is kept up to date. It should adjust the internal risk inventory whenever it no longer reflects the risks that are material, e.g. because a new product has been introduced or certain business activities have been expanded. The risk identification should be comprehensive and take both normative and economic perspectives into account. In addition to its current risks, the credit institution should consider in its forward-looking capital adequacy assessments any risks, and any concentrations within and between those risks, that may arise from pursuing its strategies or from relevant changes in its operating environment. The risk identification process should follow a “gross approach”, i.e. without taking into account specific techniques designed to mitigate the underlying risks. The credit institution should assess the effectiveness of these mitigating actions The supervisory and management board shall, within their powers, decide which risk types are to be considered material, and which material risks are to be covered by capital. This includes a justification of why a certain risk the credit institution is exposed to is not considered material. Internal risk inventory. When determining its internal risk inventory, the credit institution is responsible for defining its own risk taxonomy. In its risk inventory, the credit institution should take into account the underlying risks, where material,

stemming from its financial and non-financial participations, subsidiaries and other connected entities, end the like. Where a credit institution outsources its operations to a service provider, it should be able to identify, assess and quantify the underlying risks in the outsourcing arrangement as if the institution itself still performed the operations. Such identification, assessment and quantification should take place before the outsourcing is implemented, taking into account the specificities connected with having the services performed outside of the credit institution. Principle 5 - Internal capital is of high quality and clearly defined The credit institution should define, assess and maintain internal capital under the economic perspective. Internal capital should be consistent with the economic capital adequacy concept and internal risk quantifications of the credit institution, of sound quality, and determined in a prudent and conservative manner. The credit institution should show clearly, assuming the continuity of its operations, how its internal capital is available to cover risks, thereby ensuring that continuity. The credit institution should recognise that, owing to different valuation methodologies and assumptions for assets, liabilities and transactions, the available internal capital under the economic perspective may differ significantly from the own funds under the normative perspective. The credit institution should take a prudent approach when defining its available internal capital. This prudence applies to all underlying assumptions and methodologies used for the quantification of internal capital. If the credit institution uses the own funds as a starting point for its internal capital definition, it is expected that a large part of its internal capital components will be expressed in Common Equity Tier 1 (CET1) own funds. In addition, certain adjustments are conceptually necessary to arrive at the capital that is in line with the economic value concept underlying the economic perspective. Adjustments are expected for hidden losses and for capital items that have loss-absorption capacity only in the case of non￾continuation of the credit institution. The risk-bearing capacity of a large part of the internal capital should still be generally consistent with the loss-absorption capacity of CET1 capital. Credit institutions applying a model-based net present value approach should only use methodologies and assumptions that are understandable, clearly outlined and justified, and following a prudent approach. Capital items that have loss-absorption capacity only in the case of non-continuation of the credit institution should be treated as liabilities in such net present value approaches. For example, the credit institution should notice that the economic value of its debt decreases together with a downgrade of its own creditworthiness. The credit institution should be transparent about its internal capital, enabling a reconciliation, i.e. a comparison of differences and commonalities, between own funds under the normative perspective and available internal capital under the economic perspective insofar as possible.

Principle 6 - ICAAP risk quantification methodologies are adequate, consistent and independently validated The credit institution is responsible for implementing risk quantification methodologies that are adequate for its individual circumstances under both the economic and normative perspectives. In addition, the credit institution should use adequate methodologies for quantifying the potential future changes in own funds and TREA in its adverse scenarios under the normative perspective. The credit institution should apply a high level of conservatism under both perspectives to ensure that rare/tail events are considered appropriately. The key parameters and assumptions should be consistent throughout the group and between risk types. All risk quantification methodologies should be subject to independent internal validation. The capital institution should establish and implement an effective data quality framework. Comprehensive risk quantification. The ICAAP should ensure that risks that the credit institution is/may be exposed to are adequately quantified. The credit institution should implement risk quantification methodologies that are tailored to its individual circumstances, (i.e. they should be in line with its risk appetite, market expectations, business model, risk profile, size and complexity). For risks that are difficult to quantify (e.g. because of missing data or the absence of established quantification methodologies), the credit institution should develop adequate methodologies to quantify unexpected losses, including using expert judgement. In such cases, the credit institution should determine sufficiently conservative risk figures, taking into consideration all relevant information and ensuring adequacy and consistency in its choice of risk quantification methodologies. Risk measurement of difficult to quantify risks has to be consistent and comparable, as far as possible, with overall risk measurement assumptions. The credit institution should ensure that such risks are appropriately factored into the risk management and risk control processes, regardless of whether they are quantified using traditional models or scenario analysis, or informed by other estimates. The key parameters and assumptions cover, inter alia, confidence levels, correlation assumptions, and scenario generation assumptions. Level of conservatism. The risk quantification methodologies and assumptions used under the economic and normative perspectives should be robust, sufficiently stable, risk sensitive, and conservative enough to quantify losses that occur rarely. In a sound ICAAP the overall level of conservatism in the assumptions under the economic perspective is generally at least on a par with the level underlying the risk quantification methodologies of the Pillar 1 internal models. The Pillar 1 capital requirements are, however, should not be regarded as a floor in the internal risk quantifications of the capital institution. The overall level of conservatism is determined by the combination of underlying assumptions and parameters, as long as the overall level of conservatism remains high. Instead of mechanically aiming at external credit rating objectives and statistical confidence levels, the credit institution should calibrate its risk quantification

methodologies on the basis of its own risk appetite. For this purpose, the credit institution should consider possible losses it is willing and able to absorb over time. Based on this analysis, the credit institution should establish and maintain risk quantification methodologies, including the assessment of stress events, that provide it with sufficient confidence that possible losses stemming from rare tail events or severe future developments are addressed in its strategies and risk appetite, and that these losses will not exceed the quantified risk. If there are differences between the quantification of risks in Pillar 1 and ICAAP, the credit institution should explain the main drivers for them. Choice of risk quantification methodologies. It is the responsibility of the credit institution to implement adequate methodologies both to quantify its risks and to determine projections using (amended) Pillar 1 methodologies (e.g. to take into account concentration risks), economic capital models, stress test results or other methodologies, such as multiple scenarios, to quantify the risks it is or may be exposed to. The methodologies used should be consistent with each other, with the perspective considered and with the definition of capital. They should capture the risks to which the credit institution is exposed in an adequate and sufficiently conservative manner, taking into account the principle of proportionality. This means, for example, that larger or more complex credit institutions, or credit institutions that have more complex risks, should use more sophisticated risk quantification methodologies to capture the risks in an adequate manner. However, the credit institution should implement risk quantification methodologies that it uses for its own internal risk management and decision-making. The credit institution should be able to demonstrate the adequacy of the methodologies for its individual situation and risk profile. In the case of vendor models, they should be tailored to the credit institution’s risk profile. Data quality. The credit institution should deploy adequate processes and control mechanisms to ensure the quality of data. Data quality comprises the completeness, accuracy, consistency, timeliness, uniqueness, validity and traceability of the data. The data quality framework should ensure reliable risk information that supports sound decision-making, and it should cover all relevant risk data and data quality dimensions. Risk diversification effects. The credit institution should take a prudent approach whenever assuming risk diversification effects and be aware that risk diversification will not be taken into account in the SREP.

The credit institution should be fully transparent about assumed risk diversification effects and, at least in the case of inter-risk diversification, report gross figures before diversification in addition to net figures. The credit institution should ensure that risks are adequately covered by capital, even in times of stress when diversification effects may disappear or behave in non-linear ways (even reinforcing each other in an extreme scenario). For example, adding the separately estimated risk components may not be as conservative as often thought, because non-linear interactions may lead to compounding effects. The institution should target diversification effects in its stress-testing framework, involving, for example, intra-risk and inter-risk correlations and diversification between group entities. Independent validation. ICAAP risk quantification methodology should be subject to regular independent internal validation, respecting, in a proportionate way, the principles underlying the respective standards established for Pillar 1 internal models, taking into account the materiality of the risks quantified and the complexity of the risk quantification methodology. Depending on the size and complexity of the credit institution, various organisational solutions may be adopted to ensure independence between the development and validation of risk quantification methodologies. However, it should be noted that the independent validation will not be conducted by the internal audit function. The overall conclusions of the validation process should be reported to supervisory board and to the management board, used in the regular review and adjustment of the quantification methodologies, and taken into account when assessing capital adequacy. Depending on the nature, size, scale and complexity of its risks, the credit institution may employ one of the following three organisational arrangements to ensure the independence of the validation function from the methodology development process (i.e. design, development, implementation and monitoring of the risk quantification methodologies):  separation into two different units reporting to different members of the senior management;  separation into two different units reporting to the same member of the senior management;  separate staff within the same unit. Principle 7 - Regular stress testing is aimed at ensuring capital adequacy in adverse circumstances The credit institution should perform a tailored and in-depth review of its vulnerabilities, capturing all material risks on a credit institution-wide basis that result from its business model and operating environment in the context of stressed macroeconomic and financial conditions on a yearly basis and more frequently, when necessary, depending on the individual circumstances. On the basis of this review, the credit institution should

define an adequate stress-testing programme for both normative and economic perspectives. As part of the stress-testing programme, the credit institution should determine adverse scenarios to be used under the normative perspective, taking into account other stress tests it conducts. The application of severe, but plausible macroeconomic assumptions and a focus on key vulnerabilities should result in a material impact on the credit institution’s internal and regulatory capital, for example with regard to the CET1 ratio. In addition, the credit institution should conduct reverse stress testing in a proportionate manner. The credit institution should continuously monitor and identify new threats, vulnerabilities and changes in the environment to assess at least quarterly whether its stress-testing scenarios remain appropriate and, if not, adapt them to the new circumstances. The impact of the scenarios should be updated regularly (e.g. quarterly). In the case of material changes, the credit institution should assess their potential impact on its capital adequacy over the course of the year. Determination of the stress-testing programme. The stress-testing programme should cover both the normative and the economic perspective. When defining the set of internal stress scenarios and sensitivities, the credit institution should use a broad set of information on historical and hypothetical stress events, including supervisory stress tests. However, although it should take supervisory stress tests into consideration, it is the credit institution’s own responsibility to define scenarios and sensitivities in the manner that best addresses its individual situation and to translate them into risk, loss and capital figures. Stress-testing activities under the economic perspective should not be multi-year scenario projections, as explained under Principle 3 of these Guidelines. Depending on the approach taken by the credit institution, the stress tests under the economic perspective are used, for example, to assess the sensitivity of risk quantifications to modelling assumptions and risk drivers or to assess the impact of changes in external conditions, in particular adverse developments, on the economic capital adequacy. When defining stress-testing scenarios, e.g. for the projections under the normative perspective, credit institutions should capture their material risks, given their individual business model, risk profile and the external conditions they face. Other stress tests conducted, e.g. sensitivity analysis, should inform the scenarios used by revealing the material vulnerabilities of the credit institution. Severity level of adverse scenarios under the normative perspective. In its baseline assessment, the credit institution should assume developments that it would assume under expected circumstances, taking into account its business strategy, including credible assumptions on revenues, costs, risk materialisations, etc.

In adverse scenarios under the normative perspective, the credit institution should assume exceptional, but plausible developments with an adequate degree of severity in terms of their impact on its regulatory capital ratios, in particular the CET1 ratio. The level of severity should correspond to developments that are plausible, but as severe from the credit institution’s perspective as any developments that might be observed during a crisis situation in the markets, factors or areas that are most relevant for the credit institution’s capital adequacy. The range of adverse scenarios should adequately cover severe economic downturns and financial shocks, relevant institution-specific vulnerabilities, exposures to counterparties, and plausible combinations of these. Coherence versus targeting key vulnerabilities. In stress testing, the credit institution should focus on its key vulnerabilities when attempting to define plausible adverse scenarios. ICAAP stress tests should be interconnected; i.e. the underlying assumptions, stress test results and projected management actions should be mutually taken into account. Reverse stress testing. In addition to stress-testing activities that assess the impact of certain assumptions on capital ratios, the credit institution should conduct reverse stress-testing assessments. These assessments should start from the identification of the pre-defined outcome, such as the business model becoming unviable (e.g. a breach of its TSCR or management buffers). Such reverse stress tests should be used to challenge the comprehensiveness and conservatism of the ICAAP framework assumptions, under both the normative and the economic internal framework. Reverse stress tests should be conducted at least once a year. Depending on the likelihood of the resulting scenarios, it may be necessary to immediately address the scenarios by taking or preparing management actions in the ICAAP in order to prevent a recovery situation that would occur if one or more of the reverse stress-testing scenarios assessed in the ICAAP were to become reality. Moreover, reverse stress testing in the ICAAP context could be seen as a starting point for developing recovery plan scenarios.

ANNEX 2 REPORT ON THE IMPLEMENTATION OF THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS

1. OPŠTE INFORMACIJE I REZIME 1.1. Key information Name and head office of the credit institution Period covered by the report [1 January 20xx – 31 December 20xx ] Date of report compilation Date of approval by the management board Contact persons(s) Function Organisational unit Phone and e-mail address Management board member responsible for the content of the report [Name and surname] Signature of the management board member

---

[In this part of the report, the credit institution (hereinafter: CI) has to state key information on the internal capital adequacy assessment process (hereinafter: ICAAP) which include the name of the CI, if ICAAP is applied on an individual basis, i.e. the name of the parent CI if ICAAP is applied on a consolidated basis for a group of CI in Montenegro or on a consolidated basis on a subgroup level in accordance with the Law.] Unless otherwise specified, all numerical amounts are shown in thousand EUR. 1.2. Scope of application Level of application [Specify if it is on a consolidated basis on the level of a group of CI in Montenegro or on an individual basis] Name and head office of the [Specify the names of the undertakings included in ICAAP on a consolidated basis.

members of a group of CI If a CI considers that an individual undertaking is not adequately included in ICAAP, it has to indicate such information and specify the measures and the timeframe for resolving such a situation.] 1.3. SUMMARIES Risk profile and capital requirements [Specify all significant risks to which the CI is or might be exposed and the amount of total internal capital requirements and the amount of capital requirements in accordance with the Decision on capital adequacy of credit institutions. Also, explain the differences between internal and own funds requirements.] [Provide a summary of the analysis of the risk profile.] Business model and strategy [Describe briefly the business model and the present financial condition of the CI, specifying the amount of total assets and the most important asset items, total income, total expenses and profit. Specify any expected changes in the present business model, the expected future business environment, business plans and the projected financial condition for the following year. Describe briefly the link between the business strategy and ICAAP. Governance [Describe briefly overall governance arrangements of the CI (risk assumption, risk management and risk control in general) and the role of the management board. Specify also other key persons and organisational units involved in ICAAP, including their powers and responsibilities. State if risk management arrangements of the CI are adequate and if they have any deficiencies. Describe the key components of ICAAP (such as identification and measurement of risks, stress testing, capital and liquidity planning, structure of limits and escalation procedures in cases where the limits are exceeded). Describe the degree of ICAAP integration in risk management and overall governance of the credit institution. Describe the degree of integration of solvency and liquidity stress testing and particularly ICAAP stress testing and the role of reverse stress testing.] Capital and liquidity plan [Briefly describe capital and dividend policy planning for the next three years. Specify how the CI plans to manage capital in the future and how it will be used.] Self-assessment and planned measures for ICAAP improvement. [Briefly specify self-assessment of ICAAP adequacy, and, where applicable, specify the planned improvements and the timeframe for their implementation. Provide internal audit report on ICAAP and the results of validation of the methodologies used in ICAAP (where applicable). Indicate whether, based on the results of ICAAP, any significant changes have been planned (or were made) to strategies, risk appetite frameworks, risk management framework or business model.] Other information [Provide other information and the results of ICAAP not covered by other parts of this report. Describe briefly the manner of data collection for the purposes of ICAAP,

IT infrastructure used (including subsidiaries, where relevant) and, if relevant, any planned changes to the existing framework.] 2. BUSINESS MODEL AND STRATEGY 2.1. Business model and strategy [Describe the business model, indicating core business lines, geographic concentrations, subsidiaries and key products offered by the CI, as well as main income and cost drivers by core business lines, markets and subsidiaries. Specify any expected changes in the present business model, the expected business environment, business plans and the projected financial condition for the next year for main core business lines, markets and subsidiaries. Describe in more detail if the CI intends to make operating changes to its business (e.g. IT infrastructure). Describe the link between the business strategy and ICAAP.] 3. GOVERNANCE 3.1. Role of the supervisory board, the management board and senior management Organisational structure [[Provide a detailed organisational chart of CI management, indicating the boards, functions and organisational units included in ICAAP. The diagram of the reporting lines related to risk management and ICAAP may be indicated in the organisational chart or separately.] ICAAP [Describe ICAAP setup and its key components. Indicate the factors that were taken into account in the definition of ICAAP. Indicate the frequency of ICAAP. Specify reports associated with ICAAP, their frequency and whom they are submitted to. State internal bylaws that define the manner of setting up ICAAP and indicate their status (new, unamended, slightly amended, etc.). State ICAAP-related powers and responsibilities. Role of the management board and supervisory board [Describe the role of the management and the supervisory board in ICAAP. Describe the role of the committees set up by the management and the supervisory board, which participate in ICAAP. State the decisions adopted by the management and the supervisory board based on analysis of ICAAP-related reports.] Role of the senior management [Role of the senior management of the CI in ICAAP as regards their scope, methodologies and objectives.] 3.2. Risk assumption and management strategy Principles of risk management

[State the most important principles of risk assumption and management and provide a list of internal bylaws in which they are specified. Describe the process and frequency of risk management strategy and business strategy harmonization.] Risk assumption and risk appetite [Describe the risk assumption strategy and indicate who is responsible for its implementation. Indicate the risk appetite – provide a quantitative measure in the form of an absolute amount of internal capital and internal capital requirements or in the form defined by the CI in its internal bylaws. Describe the framework of limit allocation within the group (if applicable). Describe how the risk appetite framework is linked to the business strategy, ICAAP, i.e. capital and liquidity planning and risk management / governance on the level of a CI. State internal bylaws that define the risk assumption strategy and indicate their status (new, unamended, slightly amended, etc.).] 3.3. Internal control system [Describe the powers and responsibilities of internal control functions in ICAAP.] 3.4. ICAAP monitoring [Describe the manner of assessment of ICAAP appropriateness by the internal audit and other independent audits. Specify reports made by the internal audit and independent audits of ICAAP and provide a summary of key findings relating to the period covered by the report. Specify measures taken based on the findings of the internal audit and independent audits of ICAAP.] 3.5. Self-assessment of ICAAP [Indicate how it is organised and who is responsible for conducting self-assessment of ICAAP. Describe briefly the findings of self-assessment of ICAAP: assessment of the ICAAP appropriateness, identified weaknesses and deficiencies and planned changes and improvements. Include also an assessment of ICAAP appropriateness taking into account the planned changes in the risk management strategy.] 4. IDENTIFICATION OF SIGNIFICANT RISKS 4.1. Risks to which a credit institution is or might be exposed [Describe the manner and frequency of risk identification and specify and explain the factors taken into account by the CI in the process.] [Specify all the risks to which the CI is exposed and, if applicable, own definition of each risk. A CI using the prescribed definitions of risks should indicate that fact in the table below. If the definition of risk differs from the prescribed definition, the CI has to provide an explanation of the differences in the scope and the explanation of the impact of the use of that definition on the level of capital requirements. Also, indicate if definitions of individual risks include risk subgroups. The list of risks has to include the risks prescribed by Article 6, paragraph (2) or (5) of the Decision. Complete the Table 1 below.

Where different ICAAP processes and assumptions for group entities are used, please provide their description.] [Describe the framework and process used to collect, keep and aggregate data across various levels of the institution, including the flow of data from subsidiaries to the group. Describe IT systems used for collecting, keeping, storing, aggregating and distributing data on risks used in ICAAP. Indicate if checks are made of data used for ICAAP and the mechanisms/methods used for these checks.] [State internal bylaws used by the CI to define the processes for making a list of risks to which it is or might be exposed and indicate their status (new, unamended, slightly amended, etc.).] Table 1. Risks to which a CI is or might be exposed to 4.2. Risk profile and risk significance [Describe the approach to the identification of risk significance and specify the factors used to determine the significance of each individual risk.] [Describe the method for the assessment of risk factors, such as rating, assessment, risk scale, weight of individual factors in the calculation, the ratio of final score and total risk significance, i.e. the meaning of individual score.] [State significant risks and those that are not significant. For each significant risk, indicate the assigned risk significance score, providing an explanation for that score, and indicate how that risk is treated in ICAAP. Indicate whether it is a qualitative and/or a quantitative treatment of risk in the ICAAP framework, where the quantitative treatment implies the treatment that results in internal capital requirements. For each risk identified as non-significant, the CI has to provide an explanation based on the assessment of the previously defined risk factors.] [Complete the tables below (or enter own internal table/descriptive overviews and explanations of the risk significance score and their treatment in ICAAP).] [State internal bylaws used by the CI to determine the identification of the risk profile and risk significance and indicate their status (new, unamended, slightly amended, etc.).] Risk Definition of the risk Explanation of the difference in the scope of the definition and the impact of the difference on the capital requirements level Credit risk Market risks Operational risk ...

Table 2 Significant risks Risk Risk significa nce score Explanation of risk significance score Treatment in ICAAP Qualitative (YES/NO) Quantitativ e (YES/NO) ... Table 3 Non-significant risks 5. MANAGEMENT OF SIGNIFICANT RISKS (EACH RISK INDIVIDUALLY) A CI has to complete this part of the report for each significant risk individually (producing as many copies of this part of the report as there are identified significant risks referred to in item 4.2 of the report). 5.1.1. Risk management [credit risk, market risks, operational risk, liquidity risk, interest rate risk arising from non-trading activities, concentration risk ...] [Describe the organisational setup of risk management.] [Describe the method for identifying risk appetite.] [Describe the methodology for measuring and assessing risks and the processes for risk containment, including the implementation of limits.] [State measures and procedures taken in the event of non-compliance with the policies and procedures in place and in the event of crisis situations.] [State major databases set up by the CI for the purposes of risk management and provide a brief description of how they are used.] [Indicate regular and ad-hock risk reports made for the management and supervisory board and committees and the name of organisational unit / the person that produced the reports.] [Describe how stress testing is made (types of tests, scope, frequency, procedures and actions taken by the CI in the event of unfavourable results of stress testing). Describe the use of stress testing and its integration in risk management and control functions.] Non-significant risks Explanation why a risk is not significant ...

[Describe briefly the results of self-assessment of the adequacy of risk management, governance (e.g. organisational setup, delegation of tasks, etc.) measurement/assessment methodology and the associated procedures and the internal controls system.] [State internal bylaws for risk assumption and management and indicate their status (new, unamended, slightly amended, etc.).] 6. MEASUREMENT OR ASSESSMENT OF SIGNIFICANT RISKS AND THE DETERMINATION OF RELATED AMOUNTS OF INTERNAL CAPITAL REQUIREMENTS 6.1. Methodology for the assessment of internal capital requirements for credit risk 6.1.1. A CI uses the Standardised Approach or the Internal Ratings Based Approach referred to in the Decision on capital adequacy This method may be chosen only by a CI whose internal capital requirements calculation does not differ from the calculation of own funds requirements prescribed by the Decision on capital adequacy in terms of scope or the prescribed capital adequacy ratio. A CI using the Standardised Approach for the purposes of own funds requirements may, if it proves that all the prescribed conditions have been met, for the purposes of internal capital requirements, use the Internal Ratings Based Approach. If the calculation of capital requirements pursuant to the Decision on capital adequacy is based on the rating provided by an external credit assessment institution or on the fact that an exposure has no rating, a CI is obligated, when calculating internal capital requirements for credit risk, to take into account other relevant information. [Indicate the approach chosen by the CI and explain the reason for selecting that approach.] [If applicable, explain the assessment of possible credit risk underestimation due to the use of the Standardised Approach.] 6.1.2. A CI has improved the approaches used in the calculation of own funds requirements referred to in the Decision on capital adequacy or uses other approaches [Indicate the approach chosen by the CI and explain the reason for selecting that approach.] [Provide a detailed explanation of approach modification and arguments based on data. The level of detail must be proportionate to deviation from the prescribed methodology.] [If the modified approach covers, in addition to the basic credit risk, specific risks such as residual risks, country risk, etc., these risks have to be specified and arguments have to be provided showing how capital requirements for each of the specified risks have been assessed and, if possible, the relevant amount of the internal capital requirements included, for each specified risk, in the amount of the internal capital requirements for credit risk, has to be specified. However, if the CI has identified the concentration risk and currency induced credit risk as significant risks and calculated internal capital requirements for these risks, these risks should be presented separately in item 6.4 Methodology for the assessment of internal capital requirements for currency induced credit risk, i.e. in item 6.5 Methodology for the assessment of internal capital requirements for

concentration risk and in the Template for the assessment of internal capital requirements adequacy.] [If internal models are used for the calculation of internal capital requirements, describe how the CI ensures reliable results (validation concept, a description of the approach to internal validation (procedure, frequency) and the contents of validation and indicate the reference to the available results of internal validations /assessments of methodology made by an independent validation function.] [State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for credit risk and indicate their status (new, unamended, slightly amended, etc.).] 6.1.3. If the amount of internal capital requirements for credit risk includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and indicate the amount of additional internal capital requirements for credit risk based on stress testing. 6.2. Methodology for the assessment of internal capital requirements for market risks 6.2.1. A CI uses the approaches referred to in the Decision on capital adequacy This method may be chosen only by a CI whose internal capital requirements calculation does not differ from the calculation prescribed by the Decision on capital adequacy neither in terms of the scope nor in terms of the prescribed capital adequacy ratio. A CI that does not apply the internal model to calculate own funds requirements may, if it proves compliance with all the prescribed conditions, for the purposes of the internal capital requirements calculation, use the internal model as prescribed by the Decision on capital adequacy. [Indicate the approach chosen by the CI and explain the reason for selecting that approach.] 6.2.2. CI has improved the approaches referred to in the Decision on capital adequacy [Provide arguments explaining approach modification. If the modified approach, in addition to position, currency and commodity risks and the exceeding of large exposures, also covers additional market risks, for instance the position risk of equity instruments in the non-trading book positions, these have to be specified and arguments have to be provided explaining how capital requirements for each of the specified risks were assessed indicating, where possible, the relevant amount of internal capital requirements. However, if the interest rate risk arising from non-trading activities is significant for the CI and the CI calculates internal capital requirements for that risk, this risk should be shown separately in item 6.6. Methodology for the assessment of internal capital requirements for interest rate risk arising from non-trading activities and in the Table 6. Minimum capital requirements and the assessment of internal capital requirements.] [If internal models are used for the calculation of internal capital requirements, describe how the CI ensures reliable results (validation concept, description of the approach to internal validation (procedure, frequency) and the contents of validation and indicate the reference to the available results of internal validations/ assessments of methodology made by an independent validation function.]

[State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for market risks and indicate their status (new, unamended, slightly amended, etc.).] 6.2.3. If the amount of internal capital requirements for market risks includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and indicate the amount of additional internal capital requirements for credit risk based on stress testing. 6.3. Methodology for the assessment of internal capital requirements for operational risk 6.3.1. A CI uses the approaches referred to in the Decision on capital adequacy This method may be chosen only by a CI whose internal capital requirements calculation does not differ from the calculation prescribed by the Decision on capital adequacy neither in terms of the scope nor the prescribed capital adequacy ratio. A CI using the simplified approach for the purposes of own funds requirements may, if it proves that all the prescribed conditions have been met, for the purposes of internal capital requirements, use the Standardised or Advanced Measurement Approach. A CI using the Standardised Approach for the purposes of own funds requirements may, if it proves that all the prescribed conditions have been met, for the purposes of internal capital requirements, use the Advanced Measurement Approach. [Indicate the approach chosen by the CI and explain the reason for selecting that approach.] [If applicable, explain the assessment of any operational risk underestimation due to the use of prescribed approaches and provide a detailed analysis of exposures not covered by these approaches.] 6.3.2. A CI has improved the approaches referred to in the Decision on capital adequacy [Provide arguments explaining approach modification (assumptions and method for the calculation). If the modified approach covers also additional exposures to operational risk, these exposures have to be specified and arguments have to be provided showing how capital requirements for these exposures have been assessed and the relevant amount of internal capital requirements has to be specified.] [If internal models are used for the calculation of internal capital requirements, describe how the CI ensures reliable results (validation concept, description of approach to internal validation (procedure, frequency) and the contents of validation, and indicate the reference to the available results of internal validations/ assessments of methodology made by an independent validation function.] [State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for operational risk and indicate their status (new, unamended, slightly amended, etc.).] 6.3.3. If the amount of internal capital requirements for operational risk includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and indicate the amount of additional internal capital requirements for operational risk based on stress testing.

6.4. Methodology for the assessment of internal capital requirements for currency induced credit risk 6.4.1. A CI uses a modification of the prescribed approaches referred to in the Decision on capital adequacy This method may be chosen by a CI whose internal capital requirements calculation for credit risk does not differ from the calculation prescribed by the Decision on capital adequacy, but for the purposes of calculation of internal capital requirements for currency induced credit risk it modifies the prescribed approaches by, for instance, higher risk weights in the Standardised Approach. [Provide a description of the approach used by the CI, explain the reasons for the selection of that particular approach and, where applicable, specify higher risk weights.] [Explain the assessment of a possible underestimation of the currency induced credit risk due to the use of this approach.] 6.4.2. A CI uses other approaches [Provide a detailed explanation of the approach and arguments based on data.] [State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for currency induced credit risk and indicate their status (new, unamended, slightly amended, etc.).] 6.4.3. If the amount of internal capital requirements for currency induced credit risk includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and indicate the amount of additional internal capital requirements for currency induced credit risk based on stress testing. 6.5. Methodology for the assessment of internal capital requirements for concentration risk A CI has to analyse concentration risk by taking into account as a minimum: • each individual exposure, direct or indirect, to a single person or a group of connected persons, i.e. to the central counterparty; and • a group of exposures to the same economic sector. A CI may also analyse other factors of concentration risk, such as for instance, a group of exposures to the same geographic region and the same activity or commodity and the use of credit risk mitigation techniques, including in particular risks associated with large indirect credit exposure to a single collateral provider which may lead to losses that might jeopardise its on-going operations or lead to a significant change in its risk profile. [In this part, provide basic information on the analysis and measuring of concentration risk. Describe key assumptions and the method for measuring concentration risk.] 6.5.1. A CI uses other approaches [Provide a detailed explanation of the approach and arguments based on data.] [State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for currency induced credit risk and indicate their status (new, unamended, slightly amended, etc.).] 6.5.2. If the amount of internal capital requirements for concentration risk includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and indicate the amount

of additional internal capital requirements for concentration risk based on stress testing. 6.6. Methodology for the assessment of internal capital requirements for interest rate risk arising from non-trading activities 6.6.1. A CI uses the simplified approach for the calculation of the assessment of changes in the economic value of non-trading activities, prescribed by the decision regulating the management of interest rate risk in the non-trading book [The CI may, when calculating internal capital requirements for interest rate risk arising from non-trading activities, use the simplified approach for the calculation of assessment of change in the economic value of non-trading activities prescribed by the decision regulating the interest rate risk in the non-trading book. The CI indicates that it has selected the simplified approach and assesses a possible underestimation of the interest rate risk arising from non-trading activities due to the use of the prescribed approach.] 6.6.2. A CI uses another method for the calculation of internal capital requirements for interest rate risk arising from non-trading activities [Explain in detail the approach to the calculation of internal capital requirements for interest rate risk arising from non-trading activities and provide arguments supporting the selection of that approach in terms of the risk profile and risk management system of the CI.] [State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for interest rate risk arising from non-trading book activities and indicate their status (new, unamended, slightly amended, etc.).] 6.6.3. If the amount of internal capital requirements for interest rate risk arising from non-trading activities includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and indicate the amount of additional internal capital requirements for interest rate risk arising from non-trading activities based on stress testing. 6.7. Methodology for the assessment of internal capital requirements for other risks 6.7.1. A CI uses the simplified calculation for the assessment of internal capital requirements for other risks 6.7.1 Option for small and non-complex credit institutions To be filled by small and non-complex credit institution that uses the option referred to in Article 6 paragraph (6) of the Decision [The CI specifies the selected percentage and provides the arguments for its selection.] 6.7.2. A CI uses other methods for the assessment of internal capital requirements for other risks [Describe key assumptions and the method for measuring each of the significant other risks.] [State internal bylaws that prescribe in detail the methodology for the assessment of internal capital requirements for each of the other significant risks and their status (new, unamended, slightly amended, etc.).] 6.7.3. If the amount of internal capital requirements for each of the other significant risks includes an assessment based on stress testing, provide a detailed description of the assumptions and the method for the calculation and

indicate the amount of additional internal capital requirements for that risk based on stress testing. 6.8. Methodology for the assessment of external factors and stress testing – for the assessment of total internal capital requirements based on the results of stress testing [Specify external factors analysed by the CI under ICAAP and how these factors are included in ICAAP.] Describe unfavourable scenarios taken into account in ICAAP framework, providing a specification of scenario assumptions and key macroeconomic variables and a description how reverse stress testing were used for the calibration of the seriousness of the scenarios used. Describe how stress testing is included in ICAAP, indicating capital planning and allocation of internal capital by scenarios reported to the management body.] [Provide a detailed description of the stress testing framework, the methodology and models, assumptions and the scope of data used. Specify quantitative results of stress testing and their impact in an individual year of stress on key indicators and key values, including profit/loss, exposure amount, the amount of Tier 1, Common Equity Tier 1 capital and total capital and capital ratio. Where applicable, specify the amount of additional internal capital requirements based on stress testing for any of the significant risks or for the assessment of total internal capital requirements.] [State internal bylaws that prescribe in detail the stress testing procedure and the manner in which it is included in ICAAP and their status (new, unamended, slightly amended, etc.).] 7. DETERMINING TOTAL INTERNAL CAPITAL AND CAPITAL PLANS 7.1. Methodology for the assessment of total internal capital requirements [A CI determining total internal capital requirements by summing up internal capital requirements for all significant risks has to complete the Table 6 Minimum capital requirements and the assessment of internal capital requirements. A CI using a more complex approach for the calculation of total internal capital requirements, in addition to completing the Table 6 Minimum capital requirements and the assessment of internal capital requirements, has to explain in detail the selected approach and state the reason for selecting that approach, state the amount of total internal capital requirements before and after the effect of diversification and state the internal bylaws that prescribe in detail the methodology for the assessment of total internal capital requirements. If a CI includes in the amount of total internal capital requirements, additional capital requirements for risks that cannot be expressed numerically, the CI should describe the manner of calculation, state the amount of additional capital requirements and explain what they relate to. 7.2. Defining the available internal capital [Complete the table given below.] [State and explain the differences between the component parts of the available internal capital and own funds.

Specify the methodology/assumptions for the allocation of internal capital by group entities (where applicable) and the procedures for subsequent follow-up of the use of internal capital in relation to the allocated one, as well as escalation procedures.] [State internal bylaws that prescribe in detail the methodology for determining the available internal capital.] Table 4. Own funds and internal available capital No. Item Own funds Intern al capital

1. TOTAL CAPITAL 1.1 TIER 1 CAPITAL 1.1.1 COMMON EQUITY TIER 1 CAPITAL (CET1) 1.1.1.1 Capital instruments eligible as CET1 capital 1.1.1.2 Share premium 1.1.1.3 Retained earnings 1.1.1.3. 1 Previous years' retained earnings 1.1.1.3. 2 Profit or loss eligible 1.1.1.4 Accumulated other comprehensive income 1.1.1.5 Other reserves 1.1.1.6 Funds for general banking risk 1.1.1.7 Transitional adjustments due to grandfathered CET1 capital instruments 1.1.1.8 Minority interest given recognition in CET1 capital 1.1.1.9 Transitional adjustments due to additional minority interest 1.1.1.10 Adjustments to CET1 due to prudential filters 1.1.1.11 (–) Goodwill 1.1.1.12 (–) Other intangible assets 1.1.1.13 (–) Deferred tax assets that rely on future profitability and do not arise from temporary differences net of associated tax liabilities 1.1.1.14 (–) IRB shortfall of credit risk adjustments to expected losses 1.1.1.15 (–)Defined benefit pension fund assets 1.1.1.16 (–)Reciprocal cross holding in CET1 capital 1.1.1.17 (–)Excess of deduction from AT1 items over AT1 capital 1.1.1.18 (–)Qualifying holdings outside the financial sector which can alternatively be subject to a 1250% risk weight 1.1.1.19 (–)Securitisation positions which can alternatively be subject to a 1250% risk weight 1.1.1.20 (–)Free deliveries which can alternatively be subject to a 1250% risk weight

1.1.1.21 (–)Positions in a basket for which an institution cannot determine the risk weight under the IRB Approach, and can alternatively be subject to a 1250% risk weight 1.1.1.22 (–)Equity exposures under an internal models approach which can alternatively be subject to a 1250% risk weight 1.1.1.23 (–)CET1 instruments of financial sector entities where the institution does not have a significant investment 1.1.1.24 (–)Deductible deferred tax assets that rely on future profitability and arise from temporary differences 1.1.1.25 (–)CET1 instruments of financial sector entities where the institution has a significant investment 1.1.1.26 (–)Amount exceeding the 17.65% threshold 1.1.1.27 Other transitional adjustments to CET1 capital 1.1.1.28 (–)Additional deductions of CET1 capital in line with Article 2 of the Decision on capital adequacy 1.1.1.29 CET 1 capital elements or deductions – other 1.1.2 ADDITIONAL TIER 1 CAPITAL 1.2 TIER 2 CAPITAL 7.3. Capital plans [Complete the table given below. Indicate the planned absolute amount and the structure of internal capital and own funds that the CI will use to cover significant risks arising from its operations over the next three years. Compare the amount of the capital planned with the amount currently available at 31 December 20xx and explain any differences.] [Specify the factors taken into account by the CI in the determination of capital planning strategy. In particular, indicate if the CI has taken into account the targeted credit rating in capital planning. If so, indicate the targeted credit rating.] [Indicate key determinants of capital planning, such as strategic objectives of the CI, the time horizon covered by the plan, capital planning procedures and the responsibility for the procedure, the manner in which the CI will meet capital requirements in the future, relevant capital-related restrictions (e.g. the effect of legislative changes or enactment of new legislation) and general contingency planning (e.g. how additional capital is obtained, business activity limitation or use of credit risk mitigation techniques) etc. Enclose with this report the adopted capital plan.] [Specify dividend policy of the CI and subsidiaries included in the ICAAP.]

Table 5. Capital planning CAPITAL PLANNING Item Current year Current year + 1 Current year + 2 Current year + 3 Planned own funds ratio Planned own funds Planned available internal capital Planned internal capital requirements Table 6. Minimum capital requirements and assessment of internal capital requirements MINIMUM CAPITAL REQUIREMENTS AND ASSESSMENT OF INTERNAL CAPITAL REQUIREMENTS Risk PILLAR I (Decisi on on capital adequa cy) PILLAR II (ICAAP) Minimu m capital require ments Methodolo gy for the assessmen t of internal capital requiremen ts Internal capital requirem ents

1. Credit risk Counterparty risk or basic credit risk Currency induced credit risk Concentration risk Sovereign credit risk Credit valuation adjustment risk Residual risk ....... ......
2. Market risk
3. Interest rate risk arising from non￾trading activities
4. Operational risk
5. Additional risk-weighted exposure amount for fixed overheads
6. Other risks significant for a CI a) Strategic risk

b) Reputational risk c) Business risk ... 7. Risk of model deficiencies 8. Liquidity risk (funding risk) 9. Deficiencies in internal governance on CI level 10. Effect of external factors and results of stress testing 11. Effects of diversification (–) a) within the risk b) between risks 12. TOTAL OWN FUNDS/INTERNAL CAPITAL REQUIREMENTS 8. OTHER INFORMATION 8.1. Outsourcing Where a CI has outsourced a phase of a process, indicate what it has outsourced and how it has done it, indicating the service provider and its compliance with the provisions regulating outsourcing. 8.2. Inclusion in consolidated ICAAP [If the CI is a subsidiary of a parent credit institution/EU or third country parent undertaking, describe briefly the methods and the manner of harmonizing the internal capital and internal liquidity adequacy assessment process of the CI with the process implemented by the parent credit institution / parent undertaking.] 8.3. Other: [Provide other information and results of internal capital and internal liquidity adequacy assessment process not covered by previous parts of this report.]