2023-03-18

FMA Circular 03/2023 on the Assessment of Suitability of Executive Directors, Non-Executive Directors and Key Function Holders

The Austrian Financial Market Authority issued Circular 03/2023 to provide guidance on assessing the suitability of executive directors, non-executive directors, and key function holders in credit institutions, financial holding companies, and investment firms. The document details specific requirements regarding personal reputation, honesty, independence of mind, professional knowledge, and sufficient time commitment, while also addressing collective suitability and the independence of supervisory board members. It further establishes standards for internal fit and proper assessments, onboarding procedures, and notification obligations to ensure robust governance arrangements aligned with the Austrian Banking Act and EBA Guidelines.


Austria

Finanzmarktaufsicht


FMA CIRCULAR ON THE ASSESSMENT OF SUITABILITY OF EXECUTIVE DIRECTORS, NON-EXECUTIVE DIRECTORS AND KEY FUNCTION HOLDERS

FIT & PROPER CIRCULAR

Document No.: 03 / 2023

Publication date: 18.03.2023

Fit & Proper Circular Version: March 2023

CONTENTS

1 Introduction
1.1 Subject matter
1.2 Legal basis and applicable frameworks
1.2.1 BWG
1.2.2 EBA Guidelines
1.3 Standard Addressees and Scope of Application
2 Requirements for Executive Directors and Non-Executive Directors
2.1 Overview
2.2 Requirements for personal reputation, honesty and independence of mind
2.2.1 Preliminary remark
2.2.2 Reasons for exclusion
2.2.3 Orderly financial situation and propriety
2.2.4 Independence of mind
2.2.5 Cooling-off period for (former) executive directors
2.2.6 Assessment of Personal Reputation
2.2.7 Declaration and duty to cooperate
2.2.8 Responsibility where a suspicion of money laundering and terrorist financing and other crimes exists
2.3 Special requirements in terms of the fitness and necessary experience of executive directors
2.3.1 Overview
2.3.2 Knowledge and experience
2.3.3 Necessary Management Experience
2.3.4 Review by the FMA of necessary knowledge, skills and expertise
2.4 Particular Requirements for the professional qualification of the Chairperson of the Supervisory Board
2.4.1 Overview
2.4.2 Knowledge and Experience
2.4.3 Necessary experience
2.4.4 Reviewing of necessary knowledge, skills and expertise by the FMA
2.5 Particular requirements for non-executive directors
2.5.1 Overview
2.5.2 Knowledge and necessary experience
2.5.3 Committees
2.5.4 Proving and Reviewing necessary knowledge, skills and expertise by the FMA
2.5.5 Employee Representatives in Supervisory Bodies
2.6 Collective Suitability
2.6.1 General
2.6.2 Checking of collective suitability by institutions
2.7 Independent members of the management body in its supervisory function
2.7.1 Overview
2.7.2 Independence Criteria
2.7.3 Formally independent members of supervisory board committees
2.8 Sufficient time commitment of executive directors and non-executive directors
2.8.1 Qualitative assessment
2.8.2 Limit on directorships
2.8.3 Privileges
2.8.4 Approval of an additional non-executive directorship
2.8.5 Main profession of executive directors
2.8.6 Checking of sufficient time commitment
3 Requirements for key function holders
4 Requirements for the Heads of Internal Control Functions
4.1 Overview
4.1.1 Formal requirements
4.1.2 Assessment of technical suitability
4.1.3 Checking of technical suitability
4.1.4 Honesty, Propriety and Independence of Mind
4.1.5 Checking, Declaration and Duty to Cooperate
4.2 Head of the Risk Management Department
4.2.1 Overview
4.2.2 Professional qualification
4.3 Head of the BWG Compliance Function
4.3.1 Overview
4.3.2 Professional qualification
4.4 Head of the Internal Audit Function
4.4.1 Professional qualification
4.4.2 Honesty, Propriety and Independence of Mind
5 Onboarding, regular training and education
6 Internal Fit & Proper Assessments and Policies
6.1 General
6.2 Involvement of the Nomination Committee
6.3 Disclosure in relation to Internal Governance
7 Notification obligations
8 Fit & Proper Tests
Annex 1 - Necessary Documentation

1 INTRODUCTION

1.1 SUBJECT MATTER

  1. This FMA Circular is intended as guidance for the assessment of the suitability of executive directors in credit institutions, (mixed) financial holding companies, and investment firms[1], as well as of non-executive directors and key function holders[2] in credit institutions, (mixed) financial holding companies and investment firms not considered as being small and non-interconnected[3] and reflects the FMA’s legal perspective with regard to the relevant legal provisions.
  2. This circular does not constitute a legal regulation. No rights and obligations extending over and above the provisions of the law can be derived from circulars.[4]

1.2 LEGAL BASIS AND APPLICABLE FRAMEWORKS

1.2.1 BWG

  3. In addition to general conditions, Article 5 para. 1 nos. 6 to 13, Article 28a and Article 30 para. 7a BWG also define personal requirements for the members of the management body in its management function (management body) and the management body in its supervisory function (supervisory body) of credit institutions[5], financial holding companies[6], and mixed financial holding companies[7]. The provisions cover, among other issues, the personal reputation, honesty, and independence of mind (in particular with regard to illegalities in relation to their professional activities or in their personal sphere), independence, knowledge (having sufficient theoretical and practical knowledge), as well as sufficient requisite experience (either in the banking sector or in a comparable undertaking), sufficient time commitment and the collective suitability of the respective body.

[1] Article 3 para. 5 nos. 3 and 6 and Article 7 of the Securities Supervision Act 2018 (WAG 2018), published in Federal Law Gazette I No. 107/2017 as amended.

[2] Cf. Chapter 3.

[3] Investment firms that do not fulfil the conditions set out in Article 12 of Regulation (EU) 2019/2033 (IFR).

[4] Article 69 para. 5 of the Austrian Banking Act (BWG; Bankwesengesetz) as published in Federal Law Gazette No. 532/1993 as amended, states that the FMA is required in the enforcement of its tasks to apply the Guidelines, Recommendations, Standards and other measures issued by the European Banking Authority (EBA); therefore the BWG is interpreted by the FMA in accordance with the meaning of the publications by the EBA. If such publications are substantively amended or supplemented in the future, the FMA’s interpretation of the BWG might also change.

[5] As defined in Article 1 para. 1 BWG.

[6] As defined in Article 4(1) (20) of Regulation (EU) No 575/2013 ("CRR").

[7] As defined in Article 2(15) of Directive 2002/87/EC or Article 2 no. 15 of the Financial Conglomerates Act (Federal Act on the Supplementary Supervision of Credit Institutions, Insurance Undertakings and Investment Firms within a Financial Conglomerate (FKG; Finanzkonglomerategesetz)) published in Federal Law Gazette I No. 70/2004 as amended.

  4. Certain non-executive directors (specifically: the members of the audit committee pursuant to Art. 63a para. 4 BWG, the remuneration committee pursuant to Article 39c para. 3 and the risk committee pursuant to Article 39d para. 3 BWG) must additionally also possess the required specialist and detailed knowledge and experience required for their specific defined area of responsibility. In addition, independence requirements also apply to the members of the audit committee, the remuneration committee and the risk committee (see Chapter 2.7.3).
  5. The BWG also requires specialist and experience-based requirements for employees of the internal audit function[8], the risk management department as well as the BWG compliance function[9] of credit institutions.[10]
  6. Under Article 77d BWG, the enforcement of Article 5 para. 1 nos. 6 – 13, Article 28a, Article 30 para. 7a, Article 39 paras. 5 and 6 and Article 42 BWG only falls within the FMA’s competences, where the performance of such tasks has not been conferred upon the European Central Bank (ECB) pursuant to Regulation (EU) No 1024/2013 (SSM-R). Article 4(1) point e SSM-R, in which the scope of the ECB’s competences is listed, specifically mentions ensuring compliance with the requirements imposed for credit institutions to have robust governance arrangements in place, including the fit and proper requirements for the persons responsible for the management of credit institutions. Furthermore, the ECB’s competences also include the fit and proper testing of key function holders. In conjunction with Article 6 SSM-R the ECB is directly competent for the fit and proper assessments of members of the management body and key function holders of “significant institutions” as defined in the SSM-R. Pursuant to Article 4 (3) SSM-R, the ECB is required to apply relevant Union law. Where this exists in the form of Directives transposed into national law, it shall apply the latter.[11] This means that the ECB directly applies the fit and proper provisions contained in the BWG within its scope of competence.

[8] Staff members of the internal audit function of investment fund management companies must, according to Article 16 of the Investment Funds Act 2011 (InvFG 2011; Investmentfondsgesetz 2011), published in Federal Law Gazette I No. 77/2011 as amended, hold the necessary specialist knowledge and experience in the investment fund industry; see also the FMA Minimum Standards for Internal Auditing published on 02.01.2020 (FMA-MS-IR).

[9] Cf. Article 39 para. 6 BWG.

[10] Regarding the requirements for the staff members of the MiFID Compliance Function as well as the specific fit and proper requirements for the MiFID compliance officer pursuant to Article 29 WAG 2018 in conjunction with Article 22 of Delegated Regulation (EU) 2017/565, we refer to the FMA Circular on Organisational Requirements under the WAG 2018 and Delegated Regulation (EU) 2017/565 (hereinafter the “WAG 2018 Organisational Circular", as published in Circular 01/2021) dated 07.07.2021. Regarding the requirements for the Anti-Money-Laundering Officer pursuant to Art. 23 para. 3 of the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz), we refer to the FMA Circular on Internal Organisation for the prevention of Money Laundering and Terrorist Financing published on 23.02.2022 and the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz), published in Federal Law Gazette I No. 118/2016 as amended.

[11] The ECB is however not bound to the administrative practices of national authorities and therefore is also not bound to this Circular. Regarding the ECB’s administrative practices, consult the ECB Guide to fit and proper assessments (version from December 2021): Guide to fit and proper assessments (europa.eu).

1.2.2 EBA GUIDELINES

  7. The Joint EBA and ESMA “Guidelines on the assessment of the suitability of members of the management body and key function holders” (EBA/GL/2021/06, “F&P-GL”) determine minimum requirements for the individual and collective assessment of personal reputation, professional suitability and knowledge, time commitment, independence of mind and the independence of persons in management and supervisory functions (directors, non-executive directors, as well as “key function” holders) in credit institutions, financial holding companies and mixed financial holding companies, both in material and formal terms (fitness and propriety criteria and assessment process including the fit and proper test). The F&P-GL are addressed towards the competent supervisory authorities and the supervised credit institutions in equal measure and have applied since 31.12.2021.[12] Further reaching requirements regarding the internal governance of credit institutions are also contained in EBA “Guidelines on Internal Governance” (EBA/GL/2021/05, “IG-GL”), which have also applied since 31.12.2021.
  8. Pursuant to Article 16 (3) of the EBA Regulation, competent authorities and financial institutions shall make every effort to comply with the Guidelines issued by EBA.

1.3 STANDARD ADDRESSEES AND SCOPE OF APPLICATION

  9. The personal requirements in accordance with Article 5 para. 1 nos. 6 to 9a and 13 BWG shall apply for executive directors; the requirements in accordance with Article 28a paras. 1 and 3 BWG are addressed to the chairperson of the supervisory board and the requirements in accordance with Article 28a para. 5 nos. 1 to 5 BWG are addressed to all members of the supervisory board (or the members of the competent supervisory body under law or the statutes) of credit institutions.
  10. Pursuant to Article 30 para 7a BWG, the personal requirements pursuant to Article 5 para. 1 nos. 6 to 9 BWG and Article 28a para. 5 nos. 1 to 4 BWG – shall, taking into account any differences in terms of business model and organisational structure, also be applied accordingly to the executive directors and non-executive directors of (mixed) financial holding companies.
  11. In addition, the BWG also sets out personal requirements for the heads of internal control functions. Article 42 paras. 1 and 2 BWG address the head of the internal audit function, while Article 39 paras. 5 and 6 BWG respectively define the rules for the heads of the risk management function and the BWG compliance function[13].

[12] Pursuant to Article 69 para. 5 BWG as well as Article 16(3) of Regulation (EU) No 1093/2013 ("EBA Regulation") the FMA shall take European convergence in respect of supervisory tools and supervisory procedure into account when performing its duties. For this reason, the FMA shall participate in the activities of the EBA and apply the Guidelines, Recommendations, Standards and other measures passed by the EBA. It has not been possible to implement the requirements for the composition of the nomination committees (independent members) due to the explicit statutory amendment required to do so. Consequently, the FMA has submitted a declaration of partial non-compliance to EBA.

  12. Pursuant to Article 6 para. 2 no. 13 InvFG 2011 the conditions set out in Article 5 para. 1 nos. 6, 7 and 9 to 14 BWG are also to be observed by the executive directors of investment fund management companies; in accordance with Article 10 para. 6 InvFG 2011 the conditions defined in Article 28a BWG also apply to the non-executive directors of investment fund management companies.[14]
  13. The F&P-GL addresses all members of the management body in its management or supervisory functions (referred to in the BWG’s diction as “directors” and “supervisory board members” respectively) as well as all key function holders[15]. The F&P-GL in particular covers the checking of the suitability of the heads of internal control functions (risk management department, internal audit function, BWG compliance function[16]); the Guidelines apply to credit institutions, financial holding companies, mixed financial holding companies as well as investment firms not considered small and non-interconnected[17]. The scope of application of the F&P-GL thereby not only refers to the suitability of the relevant persons in management and control functions at the time of their appointment, but also on an ongoing basis, which may necessitate a repeat fit and proper test and further training measures.
  14. The F&P-GL as well as the accompanying IG-GL apply for institutions both on an individual basis as well as on a consolidated basis and accordingly taking into account the differences with regard to the business model and organisation, also by financial holding companies as well as mixed financial holding companies, provided that these last two types of entity are part of a group of credit institutions as defined in Article 30 BWG.
  15. This circular is therefore addressed to all credit institutions as defined in Article 1 para. 1 BWG, except those listed in Article 3 para. 1 nos. 1 to 9 BWG[18], as well as to financial holding companies as defined in Article 4 (1) (20) CRR and mixed financial holding companies as defined in Article 2 no. 15 FKG. It also applies to Austrian credit institutions active in other Member States (Article 2 no. 5 BWG) under the freedom to provide services and/or the freedom of establishment (Article 10 BWG).

[13] The compliance function pursuant to Article 39 para. 6 BWG is called the “BWG compliance function”.

[14] It should be noted that ESMA Guidelines and interpretations have primary relevance for investment fund management companies under the InvFG 2011 in conjunction with the BWG that simultaneously hold an authorisation under the UCITS Directive and real estate investment fund management companies under the ImmoInvFG in conjunction with the BWG that simultaneously hold an approval under the AIFM Directive.

[15] E.g. heads of important business segments or areas, persons with overall responsibility for the internal control functions (in particular the internal audit function or risk controlling or risk management department, heads of the MiFID compliance function, heads of BWG compliance functions, anti-money laundering officers) as well as the directors of significant branches as defined in Article 18 BWG and subsidiaries that belong to the group etc.; see also the more detailed information in MN 127 et seq.; regarding the anti-money-laundering officer see the FMA Circular on internal organisation for the prevention of money laundering & terrorist financing, published on 23.02.2022.

[16] With regard to the MiFID Compliance Officer, please see the FMA Circular regarding the organisational requirements of the Securities Supervision Act 2018 and Delegated Regulation (EU) 2017/565 (“WAG 2018 Organisational Circular” in the version published as Circular 01/2021) published on 07.07.2021.

[17] Investment firms that do not fulfil the conditions set out in Article 12 of Regulation (EU) 2019/2033 (IFR).

[18] The circular is addressed to promotional companies (Fördergesellschaften) as defined in Article 3 para. 1 no. 11 BWG regarding the requirements for directors stated in Article 5 para. 1 nos. 6 to 13 BWG.

  16. Furthermore, the circular is also addressed to all wind-down units as defined in Article 2 no. 56 of the Bank Recovery and Resolution Act (BaSAG; Bundesgesetz zur Sanierung- und Abwicklung von Banken) as well as wind-down entities as defined in Article 162 BaSAG, since Article 84 para. 2 BaSAG refers to the provisions of Article 5, Article 28a and Article 42 paras. 1 to 5 BWG. Wind-down entities and wind-down units as defined in BaSAG are however only authorised to perform banking and leasing business, provided that such business serves a portfolio wind-down purpose. The BWG and other laws in relation to banking supervision therefore only apply to them in a substantially restricted scope. The requirements stated in the circular for executive directors, non-executive directors and the head of the internal audit function in such entities and units are therefore to be read taking into account the restricted scope of activity and the reduced degree of applicability of banking supervision laws.
  17. In the interest of ensuring a consistent terminology, the terms “executive director” and “non-executive director” shall be used to apply to all members of the management body in its management function (management body) or in its supervisory function (supervisory body) respectively, the term “supervisory body” for the competent supervisory body under law or under the entity’s articles of association and the umbrella term “institution” for credit institutions, financial holding companies and mixed financial holding companies pursuant to MN 15; in the event of deviations from such terms, separate references shall be made.[19]

2 REQUIREMENTS FOR EXECUTIVE DIRECTORS AND NON-EXECUTIVE DIRECTORS

2.1 OVERVIEW

  18. To ensure full responsibility is taken in the management board or that monitoring or controlling tasks are performed in an orderly manner in the supervisory board, it is essential that every member of the management body as well as of the supervisory body of a supervised institution – taking into consideration the competences of the respective person – has adequate knowledge with regard to the supervisory rules that are applicable for the respective institution. All members of the management body and the supervisory body shall possess, both individually as well as collectively, the necessary knowledge and experience ("fitness"), which is appropriate in relation to the nature, scope and complexity of business activities as well as the institution's risk profile.

[19] To improve readability, gender-neutrality is to be assumed; any masculine formulation also infers a feminine form.

  19. In particular expertise-based qualification and necessary experience of executive directors and non-executive directors are initially assessed by the FMA based on the submitted curriculum vitae and other submitted documentation (e.g. proof of having attended training and continuing education courses) and then in a personal “hearing”, the (theoretical and practical) “Fit & Proper Test” (cf. Chapter 8).
  20. In addition to their technical suitability, executive directors and non-executive directors shall also have the necessary personal reputation, honesty and independence of mind (“propriety”). This shall not be deemed to be the case, if personal circumstances relating to their general life experience give rise to the assumption, that their prudent and orderly performance of their executive or non-executive directorship could be affected. Conflicts of interest of the executive directors or non-executive directors, in particular relating to their own financial activities, may also constitute such circumstances. This should not be confused with independence, that is expected to apply to a certain number of non-executive directors and committee members, and which is determined in accordance with criteria that are determined within the law.
  21. The FMA reviews both the personal reputation and the independence of the members of the management body or the supervisory board primarily based on the submitted documentation (such as an excerpt from the criminal record register, their curriculum vitae, declaration under oath).
  22. In particular, justified suspicion of money laundering or terrorist financing in relation to the credit institution, even where it only relates to attempts to do so, or where an increased risk of this exists, shall result in the management and supervisory bodies being subjected to a (new) fit & proper assessment (Article 70 para. 4b closing paragraph BWG) by the FMA.
  23. Prudent and proper business management requires, as is also the case with the prudent and proper performance of monitoring and controlling tasks, the sufficient time commitment of the appointed executive director or non-executive director (or of the supervisory body that is otherwise appointed in accordance with the law or the articles of association). As a basic rule, executive directors and non-executive directors shall dedicate sufficient time to the performance of the tasks conferred upon them in the credit institution. By so doing, where they concurrently perform multiple managerial and/or supervisory activities, executive directors and non-executive directors shall take the prevailing circumstances into account on a case-by-case basis as well as the nature, scope and complexity of the transactions as well as the institution's risk profile. These requirements shall apply for the executive directors and non-executive directors of all credit institutions.[20]

[20] The nomination committee that is required to be established in credit institutions of significant relevance as defined in Article 5 para. 4 BWG (see para. 102) shall also, when filling vacant positions in the senior management and the supervisory board, state the associated time commitment required for performing the duty (Article 29 no. 3 BWG).

  24. Sufficient time commitment is primarily checked based on a qualified self-assessment including a sworn declaration by the person in question that sufficient time resources exist to permit the orderly and diligent performance of a managerial or supervisory function.
  25. Over and above the qualitative assessment described in paras. 23 and 24, there is also a quantitative assessment based on limits on the number of directorships that may be held concurrently by executive directors or non-executive directors of credit institutions “of significant relevance”[21] stipulated in Article 5 para. 1 no. 9a or Article 28a para. 5 no. 5 BWG.

2.2 REQUIREMENTS FOR PERSONAL REPUTATION, HONESTY AND INDEPENDENCE OF MIND

2.2.1 PRELIMINARY REMARK

  26. Irrespective of the nature, scope and complexity of the transactions that are conducted by the institution, all persons holding management and control functions shall display personal reputation, honesty and independence of mind at all times. The FMA always uses the same benchmark as follows to assess the personal reputation, honesty and independence of mind[22] of executive directors, the chairpersons of supervisory bodies, and (other) members (non-executive directors) of the supervisory body.

2.2.2 REASONS FOR EXCLUSION

  27. Firstly, there are reasons for exclusion under commercial law in relation to the function of an executive director or a non-executive director: Article 5 para. 1 no. 6, Article 28a para. 3 no. 1 or Article 28a para. 5 no. 1 BWG in conjunction with Article 13 GewO 1994 relate in particular to convictions for fraudulent bankruptcy, injury of the interests of third-party creditors, preferential treatment of a creditor or for interference with creditor's interests by gross negligence as well as convictions for another punishable offence carrying a custodial penalty of longer than three months or a fine of more than 180 per diem rates. Convictions for the criminal offences listed above preclude the convicted person from activities as an executive director or non-executive director. The personal requirements are also deemed not to exist (any longer), if the (potential) executive director or non-executive director has had their licence to trade removed in accordance with Article 13 para. 6 in conjunction with Article 87 GewO (i.e. because of serious breaches of the legal provisions and the protection of interests associated with the trade in question) or whose licence to trade has been revoked as a result of a verdict passed by a court.

[21] See also the more detailed information in paras. 109 et seq.

[22] Regarding the suitability requirements for key function holders please see the statements contained in para. 127 ff.

28. Moreover, no insolvency proceedings are allowed to have been initiated against the assets of the executive director or non-executive director, or another legal entity other than a natural person, upon whose business the executive director or non-executive director has or has had a decisive influence. The existence of comparable circumstances in a foreign country shall also constitute a reason for exclusion (Article 5 para. 1 no. 6, Article 28a para. 3 no. 1 or Article 28a para. 5 no. 1 BWG).

2.2.3 ORDERLY FINANCIAL SITUATION AND PROPRIETY

29. Executive directors and non-executive directors shall be required to have orderly financial situations, and no circumstances shall be allowed to exist, from which doubts shall arise about their personal reputation, honesty and independence of mind for conducting banking business or for exercising a supervisory function (Article 5 para. 1 no. 7, Article 28a para. 3 no. 2 BWG or Article 28a para. 5 no. 2 BWG; cf. also Chapter 8 F&P-GL). In this way, the necessary financial soundness, economic independence and personal integrity with regard to the banking business to be conducted, should be guaranteed.

30. An orderly financial situation in any case shall be deemed not to exist – in addition to the cases mentioned in Article 5 para. 1 no. 6, Article 28a para. 3 no. 1 and Article 28a para. 5 no. 1 BWG – where an incapacity to pay exists or where this is at risk of occurring, or in the case of a conviction for a relevant financial crime (see also Chapter 8 of the F&P-GL).

31. Facts supporting doubts about reputation, honesty and independence of mind, may in particular, depending on the nature of banking business conducted, be illegalities in relation to the professional activities or the personal assets of the executive director or the non-executive director (e.g. convictions for other criminal offences than those covered in Article 5 para. 1 no. 6, Article 28a para. 3 no. 1 or Article 28a para. 5 no. 1 BWG or failures to act; pending criminal proceedings, administrative penalties – especially for breaches of provisions under supervisory law – tax-related offences, but also being found guilty of offences under civil law; see also para. 76 et seq. F&P-GL). Furthermore, other concluded or pending investigations or actions, that have been imposed by the FMA or the ECB, other supervisory authorities or professional associations for failure to observe relevant regulations (especially in relation to regulatory norms in the banking, financial, investment or insurance industries) may also constitute such a circumstance. These include all circumstances which, although they do not constitute the aforementioned activities nonetheless give rise to concerns in relation to propriety regarding the specificities of the banking business conducted; this especially includes circumstances that undermine trust in the security of assets that have been entrusted, the particular due diligence obligations and limitation of risks in accordance with Article 39 BWG or Articles 29 and 30 InvFG 2011 in particular, and which affect the confidence in the ability to function in the national economic interest as well as confidence in the upholding of legal order as a legal interest.[23]

[23] Additional examples of circumstances giving rise to doubts about propriety, may be found in the legal materials regarding Article 5 BWG (see explanatory remarks to draft government bill no. 641 in the Annex to the stenographic protocols of the National Council, 21st Legislative Period, p. 75f).

32. According to the F&P-GL a member of the management body or supervisory body shall also not be considered to meet the propriety requirement, where their personal or professional conduct gives rise to doubts about their ability to manage the credit institution in a sound and prudent manner. This covers the previous business performance, and shall be assessed on the basis of past fulfilment of liabilities, the financial and commercial performance of a company that is or was under the management, significant influence, significant participation or ownership of the member. In so doing especially insolvency or reorganisation procedures shall be taken into consideration, as well as large investments, exposures and credits, provided they may impact the soundness of the entity.

2.2.4 INDEPENDENCE OF MIND

33. Every executive director and every non-executive director must be in a position to act with independence of mind, which means, in performing their respective function, being able to make a rational, objective and independent assessment and to make a decision taking all relevant facts into consideration. This is reflected both by the individual’s behavioural capabilities, as well as by the absence of conflicts of interest.

34. It is therefore necessary that the respective member displays the necessary personal qualities, to be able to both autonomously and independently assess and critically challenge proposed decisions, as well as being able to ask appropriate questions to the executive directors, and possessing the ability to be able to oppose “group-think” (see also para. 81 F&P-GL). In particular, the respective member’s previous and ongoing conduct shall be taken into account. Executive directors’ or non-executive directors’ conflicts of interest, especially in conjunction with their own economic interests, may constitute circumstances that give rise to justified doubts about the affected person’s orderly financial interests and/or their ability to act with independence of mind of the institution that is to be managed or monitored. The existence of a conflict of interests, the suitable actions for dealing with them[24] as well as the effect on the independence of mind of the respective member, and therefore the materiality of the conflict of interest, is to be reviewed on a case-by-case basis. All actual and potential conflicts of interest are communicated with body, documented and treated in an orderly manner. This takes the form of a discussion as well as a decision regarding the suitable measures. All actual and potential conflicts of interest, including any (mitigating) measures, are brought to the FMA’s attention in writing[25].

[24] According to Chapters 11 and 12 IG-GL, institutions must implement guidelines for dealing with conflicts of interest both at the level of the credit institution and the level of the staff members (including the management bodies). In addition to the potential situations and constellation should also define suitable processes, measures, documentation obligations and responsibilities for the determination of and avoidance of conflicts of interest. In addition, Article 28 para. 6 BWG sets out documentation obligations for certain transactions with management and related parties, with the scope of documentation obligations being described in paras. 129 to 131 IG-GL.

[25] Informal communication by e-mail to the credit institution’s single point of contact (SPOC) is sufficient.

35. In the following cases, as a rule, a potential conflict of interest is to be assumed (cf. para. 83 F&P-GL)[26]:

o economic interests (e.g. shares, other ownership rights, memberships, holdings and other economic interests in commercial customers; intellectual property rights, loans granted to an entity to which the member has a close relationship[27]);[28]
o personal or professional relationships with the owners of qualifying holdings;
o personal or professional relationships with staff of the institution or entities within the scope of prudential consolidation;[26]
o other employment and previous employment within the last five years;[29]
o personal or professional relationships to external stakeholders (e.g. advisors, service providers, etc.);
o shares, holdings, memberships or ownership rights in an entity, that has conflicting interests with the institution;
o political influence or political relationships.

[26] This list is demonstrative rather than taxative in nature. The existence of a conflict of interest must also be assessed on a case-by-case basis.

[27] An entity is deemed to have a close relationship to the member, where the member or a person listed in Article 28 para. 1 no. 5 BWG is its beneficial owner.

[28] A conflict of interest that compromises the independence of mind may especially exist, if an executive director/non-executive director - or an entity, for whom the person in question is active or has a holding – is a borrower in danger of default of the institution to be managed or monitored. A borrower shall be deemed to be in danger of default, where indications exist (see Article 178 (3) CRR) that the borrower is unable to pay its liabilities without recourse to collateral. Independence of mind is also to be placed in doubt, if a member of the management body or the supervisory body, a close relative of a member, or an entity run by a member has business relationships of such a nature or magnitude to the institution to be managed or to be monitored, that an economic dependency on the institution may arise. Irrespective of that when reviewing whether the performing of certain activities (such as an office in another management body or supervisory body) constitutes a conflict of interest that affects the independence of mind of the executive director/non-executive director, and whether any group or association interest is taken into account (for example in the case of parent-subsidiary relationships between institutions the exercising of a supervisory activity in the subsidiary by a member of the management body of a parent undertaking frequently does not constitute an inadmissible conflict of interests).

[29] An exception exists for employee representatives in the supervisory body pursuant to Article 110 of the Labour Constitution Act (ArbVG).

36. Personal loans granted under market conditions (i.e. at non-preferential terms) that are secured and serviced in an orderly manner (e.g. a mortgage-based loan) as well as other typical types of personal loans (whether secured or unsecured) granted at market conditions up to a value of EUR 200,000 as well as holdings or other investments of up to 1% as a rule do not trigger material conflicts of interest. This assumption also extends to everyday banking transactions performed under market conditions. A communication to the FMA may also be omitted, where a management transaction under Article 28 BWG is concluded during the appointment period (and therefore once the notification of the appointment has been submitted) and observes all regulations set out in Article 28 BWG including the documentation obligations in accordance with Article 28 para. 6 BWG in conjunction with paras. 129 to 131 of the IG-GL.

2.2.5 COOLING-OFF PERIOD FOR (FORMER) EXECUTIVE DIRECTORS

37. Article 28a para. 1 BWG prescribes a cooling-off period to avoid conflicts of interest arising from an “on-the-fly change” from being an executive director to the chairperson of the supervisory body. Former executive directors may not assume an activity as the chairperson of the supervisory body in the same entity they were previously active at as an executive director before two years have elapsed since they ceased to have the function of an executive director. This applies to all previous executive directors, rather than just the former chairperson of the management body.

38. The material intention of the cooling-off rules relates to the activity as the chairperson of the supervisory body, and is therefore also addressed to their deputies, especially since they have also performed the (same) activity as the chairperson, in the case of the chairperson’s absence. The law also prescribes cooling-off periods for the chairpersons of the supervisory body's remuneration, risk and audit committees, to prevent potential conflicts of interest: Article 39c para. 3, Article 39d para. 3 and Article 63a para. 4 BWG define temporary impediments to being appointed as the chairperson of the committee.[30]

[30] Their deputies may perform their role on a restricted basis provided they are subject to a temporal impediment to appointment.

2.2.6 ASSESSMENT OF PERSONAL REPUTATION

39. When assessing the personal reputation of the (potential) executive director or non-executive director the institution shall, like the FMA, make use of every relevant accessible piece (or source) of information (cf. Annex III Chapter 4 F&P-GL):

o Primarily criminal record certificates or relevant files in relation to administrative cases are taken into account, and cumulative effects arising from multiple more minor breaches of the law - in particular breaches of provisions under supervisory law - might have significant ramifications;
o in addition, particular attention shall be paid to pending or previous investigative procedures by government (supervisory or regulatory) authorities that relate to the person appointed as an executive director or a non-executive director;
o moreover information from credit protection associations, as well as records and observations about prior cooperation with the supervisor (transparency) etc. are also to be included in the assessment;

o procedures relating to the approval, surrendering, revoking, disqualification or other ways of termination of the authorisation to exercise a trade or any form of professional authorisation as well as memberships of a trade association;
o having lost a job or a significant trustee relationship (or a position where a comparable degree of trust being transferred);
o previous outcomes of suitability assessments conducted by the FMA, the ECB or other competent supervisory authorities as well as other authorities that are not responsible for banking supervision;
o with regard to gaining an overall picture, (mitigating) accompanying circumstances, rehabilitation measures or the behaviour of the person in question at the time the harmful act occurred as well in the intervening period since the act was committed shall also be taken into account in the assessment of propriety.

2.2.7 DECLARATION AND DUTY TO COOPERATE

40. The respective institution as well as (on a subsidiary basis) the person appointed as a member of the management body or the supervisory body are duty-bound to cooperate in determining that requirements relating to that person are met. In this regard executive directors or non-executive directors shall act in an honest, transparent and open manner towards the FMA and shall proactively make relevant information accessible.

41. The executive director or the non-executive director shall therefore disclose their personal financial situation to the FMA, where doubts exist in relation to their financial situation and/or their economic independence (from the institution to be managed or overseen), to provide necessary proof of their orderly financial circumstances.

42. Furthermore, the executive director or the non-executive director shall confirm their integrity and independence of mind, and above all that they possess the necessary propriety in terms of the responsibility for the performance of the managerial or the supervisory function by means of a declaration under oath.[31] Where past reports or justified reasons in connection with previous business transactions exist that give rise to objections with regard to the personal reputation of an executive director or a non-executive director, particularly strict requirements shall be set regarding the demonstration of the personal reputation, honesty and independence of mind of the person in question.

[31] For foreign executive directors/non-executive directors, confirmation is also required from the banking supervision authority in their home country or (alternatively) of another country, where the person in question is or has been active in the financial sector, to ensure that no reasons exist for exclusion as the executive director/non-executive director of a credit institution (cf. Article 5 para. 1 no. 9 and Article 28a para. 3 no. 4 BWG respectively).

43. Executive directors or non-executive directors shall check the correctness of the submitted information and shall inform the institution of any changes that could have a bearing on whether personal requirements are fulfilled. The institution shall confirm to the FMA that the submitted information is correct to the best of its knowledge (cf. Article 28a para. 4, Article 73 para. 1 nos. 2, 3 and 8 BWG).

2.2.8 RESPONSIBILITY WHERE A SUSPICION OF MONEY LAUNDERING AND TERRORIST FINANCING AND OTHER CRIMES EXISTS

44. All executive directors and non-executive directors shall be responsible for the duties conferred upon them to the extent that they can be held individually accountable, where they fail to meet their collective responsibility, by in any case being determined not to be fit and proper. They shall possess sufficient understanding and knowledge regarding the structure and governance and control arrangements of the credit institution, its business, risks and risk management strategy (know your structure). Executive directors and non-executive directors must be given sufficient information to be able to actively contribute to decisions being made, and to critically scrutinise them. The fact that a member of the management body for example is not competent for a specific area due to the functional division of tasks within the body, or does not bear sole responsibility for a specific area, does not relieve them of responsibility for the body’s decisions, actions or failure to act. Equally a non-executive director is not relieved of their responsibility for decisions taken by the management body in its supervisory function as a collective body, where the subject matter of the resolution was already discussed in a committee the non-executive director is not a member of.

45. It therefore follows that an executive director or a non-executive director, who holds or held a position in the credit institution at the time at which a justified suspicion of (attempted) money laundering or terrorist financing or an increased risk thereof existed or exists, may be held responsible for this from a supervisory law perspective.

46. Especially in the case of a justified suspicion of a credit institution’s involvement in money laundering pursuant to Article 165 of the Criminal Code (StGB; Strafgesetzbuch) or of terrorist financing pursuant to Article 278d StGB or where a justified suspicion exists of an increased risk of money laundering or terrorist financing in relation to a credit institution, the FMA shall examine in accordance with Article 70 para. 4b BWG whether executive directors and non-executive directors continue to meet the suitability requirements. A justified suspicion of an increased risk of money laundering or terrorist financing in relation to a credit institution shall be assumed in any case, where the credit institution has been determined to have severely breached the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz) or comparable provisions abroad. When checking whether suitability requirements are still met, the severity and duration of the breach as well as structural or systemic deficiencies that enabled or facilitated the breach will be taken into account within the scope of the examination of the case in hand.

2.3 SPECIAL REQUIREMENTS IN TERMS OF THE FITNESS AND NECESSARY EXPERIENCE OF EXECUTIVE DIRECTORS

2.3.1 OVERVIEW

47. Based on their prior training, executive directors shall be required to have suitable professional qualifications and to possess the necessary experience in relation to the institution’s operations, especially to be able to actively participate on an informed and expert basis in the business activities of an institution and to make decisions (Article 5 para. 1 no. 8 BWG or Article 6 para. 2 no. 10 InvFG 2011 respectively; cf. also Chapter 6 F&P-GL and para. 28 IG-GL). An executive director’s professional qualification requires the person in question has an adequate amount of theoretical and practical knowledge in the banking transactions that are performed (including those that may be allowed to be performed under the scope of the legal licence held) as well as sufficient managerial experience; professional qualification for the managing of a credit institution is assumed to exist, where the person has held a managerial position for at least three years in an entity of a comparable size and type of business – however an activity that has been performed only on a sporadic basis for three years shall not suffice.

2.3.2 KNOWLEDGE AND EXPERIENCE

48. Theoretical banking knowledge is required in the following areas:

■ banking and financial markets,
■ legal requirements and the regulatory framework (cf. MN 49 below),
■ interpretation of a credit institution’s financial information,
■ accounting and bookkeeping,
■ auditing,
■ strategic planning, understanding of the business strategy or the business plan of a credit institution and their being met,
■ risk management (identification, evaluation, monitoring, controlling and mitigation of the main types of risk of a credit institution, including risks and risk factors in the environment, social and governance areas (sustainability risks) as well as IT or ICT risks),
■ Evaluation of the effectiveness of a credit institution’s internal policies and procedures, ensuring an effective governance, internal control system and supervisory body, especially regarding:
o the “know your structure” principle: i.e. comprehensive knowledge of the structure (including the institution’s policies and its responsibilities) as well as the institution’s or group of credit institutions’ or affiliation of credit institutions’ potentially arising conflicts of interest as well as those of the institutional protection scheme (IPS), to which the respective institution (in any case) belongs;
o the committee structure of the supervisory body: the nature and functioning of the committees prescribed by law for the respective institution;
o significant rights and obligations of the management body or the supervisory body;
o the interplay between the management body, internal audit function and the bank auditor; or the management body and risk management (and where applicable the risk management department); or the management body, fund management and risk management; and
o the role of the management body in relation to the establishment of a functioning BWG compliance function, MiFID compliance function, and in the prevention of money laundering and terrorist financing.

Theoretical banking knowledge in the aforementioned areas (cf., also para. 63 of the F&P-GL) are proven by having completed relevant courses of studies and/or by completion of relevant external or (sector-)internal education and training or training courses proven by certificates, diplomas, confirmation of attendance etc. Practical banking knowledge requires having the relevant professional experience, taking into consideration the banking transactions that are to be conducted (see Chapter 6 F&P-GL).

49. In any case the professional qualification of an executive director necessitates having a command (“knowledge and application”) of the following legal requirements and the following regulatory framework:

■ central provisions of Regulation (EU) No 575/2013 (“CRR”) and the relevant Commission Delegated Regulations supplementing the CRR[32] and the BWG, especially:
o general provisions,
o licensing provisions,
o regulatory standards (own funds requirements, large exposures limits, liquidity requirements and the accompanying reporting obligations; leverage ratio), disclosure obligations,
o ownership provisions and approvals
o requirements for the management bodies (both in their management function and their supervisory function) and the internal control functions (risk management, compliance, internal audit),
o consolidation (as applicable),
o provisions on banking secrecy requirements,
o due diligence obligations,
o provisions regarding the Supervisory Review and Evaluation Process (SREP),
o reporting and notification obligations;
■ EBA BTSes[33] and EBA Guidelines[34] provided that they apply to supervised institutions;
■ the central provisions contained in the SSM Regulation, the SRM Regulation and the ESA Regulations regarding:
o the structure of the European banking supervision and resolution architecture and division of responsibilities between the ECB and NCAs, and the SRB and NRAs,
o the duties and the mandate of the ESAs;
■ the central provisions of the Financial Markets Anti-Money Laundering Act (FM-GwG);
■ the central provisions of the Beneficial Owners Register Act (WiEReG)[35];
■ the central provisions of the Deposit Guarantee Schemes and Investor Compensation Act (ESAEG)[36];
■ the central provisions of the Consumer Payment Account Act (VZKG)[37] (where applicable to the supervised credit institution);
■ the central provisions of the Payment Services Act 2018 (ZaDiG 2018)[38] (where applicable to the supervised credit institution);
■ the central provisions of the Pfandbriefe Act (PfandBG)[39] (where applicable to the supervised credit institution);
■ the central provisions of Bank Recovery and Resolution Act (BaSAG);
■ the central provisions of the respective special laws to the extent that they apply to supervised institutions (e.g. the Building Societies Act (BSpG), the Investment Fund Act 2011 (InvFG 2011), the Real Estate Investment Fund Act (ImmoInvFG), the Alternative Investment Fund Manager Act (AIFMG) or the Company Employee and Self-Employment Provisions Act (BMSVG) including in particular delegated Regulation (EU) 2013/231 and delegated Regulation (EU) 2016/438);
■ the central provisions of the Stock Exchange Act 2018 (BörseG 2018) and the Securities Supervision Act 2018 (WAG 2018) in particular including Commission Delegated Regulation (EU) 2017/565 and Regulation (EU) No. 600/2014 (MiFIR[40]) (dependent on business model and the scope of activities);
■ The material contents of FMA Regulations (especially KI-RMV[41], KIM-V[42]), of FMA Circulars and FMA Minimum Standards as well as the FMA Guides in the areas named.
■ Basic knowledge of company law; as well as
■ Knowledge of the articles of association of the institution and the Rules of Procedure of the management or supervisory bodies.

[32] e.g. Delegated Regulation (EU) No. 241/2014 as amended (“CRR-DR on own funds”) and Delegated Regulation (EU) No. 183/2014 as amended (“CRR-DR on credit risk”).

[33] Since 1 January 2011, EBA has been authorised to draw up directly applicable legally binding regulatory standards and implementing standards (collectively known as Binding Technical Standards (BTS)).

[34] Under Art. 8 of the EBA Regulation, since the EBA takes over all existing and pending activities from CEBS, Guidelines, Recommendations and Standards issued by CEBS up until 31 December 2010 also continue to apply after 31 December 2010 and should continue to be applied by the FMA or the Oesterreichische Nationalbank (OeNB) and, where addressed to supervised institutions shall also continue to be applied to them.

[35] Beneficial Owners Register Act (WiEReG; Wirtschaftliche Eigentümer Registergesetz), published in Federal Law Gazette I No. 136/2017 as amended.

[36] Deposit Guarantee Schemes and Investor Compensation Act (ESAEG; Einlagensicherungs- und Anlegerentschädigungsgesetz) published in Federal Law Gazette I No. 117/2015 as amended.

[37] Consumer Payment Accounts Act (VZKG; Verbraucherzahlungskontogesetz), Federal Law Gazette I No. 35/2016 as amended.

[38] Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018) published in Federal Law Gazette I No. 17/2018 as amended.

[39] Pfandbrief Act (PfandBG; Pfandbriefgesetz), published in Federal Law Gazette I no. 199/2021.

[40] Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012

[41] Regulation of the Financial Market Authority (FMA) on the proper capture, management, monitoring and limitation of the types of risk specified in Article 39 para. 2b BWG (Regulation on Credit Institution Risk Management – KI-RMV; Kreditinstitute-Risikomanagementverordnung).

[42] Regulation on Real Estate Financing Measures in Credit Institutions (KIM-V).

50. The theoretical knowledge of an executive director must be appropriate commensurate to the nature and size of the respective institution both in terms of the intended business; it should be noted in this context that even activities in (even where they are only locally active) special credit institutions regularly require specific knowledge (see e.g. Article 6 para. 2 nos. 10 and 12 InvFG 2011). Irrespective of this, the management of a special credit institution also requires knowledge about the core supervisory laws, in particular the CRR (provided that and to the extent that it is applicable to the respective institution), the BWG (cf. only Article 10 para. 6 InvFG 2011), BaSAG[43], BSpG[44], InvFG 2011, ImmoInvFG[45], AIFMG[46], BMSVG[47] and where applicable BörseG 2018[48] and WAG 2018 and relevant provisions under company law.

[43] Bank Recovery and Resolution Act (BaSAG; Bundesgesetz über die Sanierung und Abwicklung von Banken), published in Federal Law Gazette I No. 98/2014 as amended.

[44] Building Society Act (BSpG; Bausparkassengesetz), published in Federal Law Gazette No. 532/1993 as amended.

[45] Real Estate Investment Fund Act (ImmoInvFG; Immobilien-Investmentfondsgesetz) published in Federal Law Gazette I no. 80/2003 as amended.

[46] Alternative Investment Funds Manager Act (AIFMG - Alternative Investmentfonds Manager-Gesetz), published in Federal Law Gazette I no. 135/2013,

[47] Company Employee and Self-Employment Provisions Act (BMSVG; Betriebliches Mitarbeiter- und Selbständigenvorsorgegesetz) published in Federal Law Gazette I No. 100/2002 as amended.

[48] Stock Exchange Act 2018 (BörseG 2018; Börsegesetz 2018), published in Federal Law Gazette I No. 107/2017 as amended.

51. Any "division of responsibilities" within the management body should in principle be taken into account during the assessment of suitability; however, other executive directors are not absolved from being jointly responsible (which exists on the basis of collective responsibility). Every executive director must therefore at least have basic (legal and economic) knowledge relating to all areas of the institution.

Fit & Proper Circular Version: March 2023 22 / 62 52. Professional qualification also includes, depending on the entity’s business model and taking into consideration the competences of the person in question, the necessary (foreign) language skills49. Furthermore, a demonstrative list of further skills is contained in Annex II to the F&P-GL, that are to be taken into consideration in the assessment of suitability. 53. Fitness shall not only be required to exist at the time of appointment, but also to continually exist throughout the entire duration of the appointment. Institutions are therefore obliged to make adequate resources available for the corresponding continuing professional development in the form of ongoing training measures, and the non-executive directors shall be personally responsible for ensuring that decisions are always taken based on an up￾to-date state of information (see Chapter 5). 54. If a credit institution is authorised to conduct custody business (Article 1 para. 1 no. 5 BWG) and is appointed as the depositary bank for an investment fund as defined in the InvFG 2011, then it should also be noted that pursuant to Article 41 para. 2 InvFG 2011 (at least) two executive directors of the depository bank are required to possess sufficient experience in relation to the type of capital investment fund for which deposits are to be taken. Furthermore, the rules set forth in Delegated Regulation (EU) 2016/43850 shall also apply. Specific knowledge regarding securities settlement (regarding the investment instruments contained in the assets of the fund) and custody business are thus required, which should be backed up by the necessary proof. A comprehensive knowledge about the duties and obligations of a custodian bank in accordance with the InvFG 2011 must also be held. 2.3.3 NECESSARY MANAGEMENT EXPERIENCE 55. 
When assessing the management experience obtained in the potential executive director’s previously held positions, the nature, scope and complexity of the entity as well as the duties performed there (duration of activity, the scope of the competence, powers and responsibilities held, specialist knowledge acquired as well as the number of people reporting to them) shall be considered as appropriate (see para. 67 F&P-GL for greater detail). As a rule, necessary management experience shall be deemed to exist, where the affected party was already executive director of a credit institution supervised by the FMA or the national competent authority of a state within the EEA (this also includes the ECB) for a corresponding timeframe.

56. For the legal assumption of technical suitability in accordance with Article 5 para. 1 no. 8 BWG to exist for the intended banking transactions, the entity at which the three years’

[49] Regardless of other foreign language skills that are required, pursuant to Art. 5 para. 1 no. 11 BWG at least one of the executive directors must have a command of the German language.

[50] See Chapter 4 of the Delegated Regulation supplementing Directive 2009/65/EC of the European Parliament and of the Council with regard to obligations of depositaries.

management activity was performed must in addition to its size (measured primarily based on total assets, the number of branches or subsidiaries and organisational structure) and the type of business (especially in banking and financing) also be generally comparable in terms of the nature, scale and complexity of business activities. The managerial position must have been associated with a far-reaching internal competence and an external power of representation, and must be suitable based on its significance, performance and in particular in terms of the responsibility associated with it, to provide the required proof that the potential executive director is qualified to now fully manage the respective institution under their own responsibility.

57. Should the conditions for satisfying the legal assumption not be fulfilled, then it is necessary to adequately justify why the person is nevertheless suitable. In so doing, particular consideration may be given to the extent to which the other executive directors contribute extensive experience in the various areas, and to whether specifically planned trainings will suffice to overcome the specific practical deficiencies. Furthermore, the relevant member's specific skills and characteristics shall also be taken into consideration, provided they contribute towards the addressing of prevailing deficits in terms of collective suitability.

2.3.4 REVIEW BY THE FMA OF NECESSARY KNOWLEDGE, SKILLS AND EXPERTISE

58. Professional qualification and practical vocational experience will be assessed based on the details given in this regard in the curriculum vitae and other information contained in the submitted documentation and documents in relation to vocational experience (see Annex 1 for the details to be submitted in relation to an initial appointment).
On the other hand, the assessment of the requirements in relation to knowledge, skills and expertise, in particular theoretical knowledge, occurs during the “Fit & Proper Test” (cf. Chapter 8). Appraisal of the curriculum vitae and submitted supporting documents and documentation collectively form the basis for assessment of technical suitability along with the result of the Fit & Proper Test.

2.4 PARTICULAR REQUIREMENTS FOR THE PROFESSIONAL QUALIFICATION OF THE CHAIRPERSON OF THE SUPERVISORY BOARD

2.4.1 OVERVIEW

59. Article 28a para. 3 no. 3 BWG explicitly requires the chairperson of the supervisory body to possess the professional qualifications and the experience necessary for performing their function (cf. also Chapter 6 of the F&P-GL). Adequate knowledge is especially required in the areas of finance and accounting with regard to banking operations, and to the level and scope that is appropriate as the chairperson of the supervisory body of a credit institution. In order to be "adequate" in legal terms, knowledge of banking activities or banking operations and

relevant financing and accounting must always place the chairperson in a position to be able to make assessments about the business activities of the institution and the associated risks and to evaluate the content and meaning of financial and accounting documentation.

2.4.2 KNOWLEDGE AND EXPERIENCE

60. “Knowledge and experience” consist of theoretical knowledge acquired by means of training and further education and practical knowledge acquired within professional activities and skills that are appropriate for the oversight of the institution in question. This will be presumed on the basis of subject-relevant university degrees and courses or external and internal trainings and relevant proof (e.g. diplomas, certificates of attendance, and references etc.) are required to ensure that the appropriate knowledge was actually gained.[51] In addition, they must possess skills necessary for the performance of duties as the chairperson of the management body in its supervisory function (see the demonstrative list contained in Annex II of the F&P-GL).

61. What level of knowledge is “appropriate” or necessary depends under the principle of proportionality on the nature, scope and complexity of the transactions, as well as the risk structure of the credit institution where the function as chairperson of the management body in its supervisory function is to be pursued.

62. The chairperson of the supervisory body must possess the theoretical banking knowledge for the areas listed in MN 48 and a command (“knowledge and application”) of the legal requirements and the regulatory framework consisting of the legal materials stated in MN 49. In particular they must be aware of and understand the specific relevant provisions under corporate and supervisory law regarding the (chairperson) function of a supervisory body (e.g.
with regard to large exposures, transactions with management and related parties and other transactions requiring the approval of the management body in its supervisory function; the provisions concerning internal audit function, their reporting obligations towards the chairperson of the management body in its supervisory function or the provisions relevant for bank auditing, and the relevant reporting obligations, as well as, where applicable the regulations relating to committee structures).

2.4.3 NECESSARY EXPERIENCE

63. In contrast to knowledge, where the emphasis is on the skills, education and theoretical knowledge acquired in this way, “necessary experience” relates to the practical knowledge of the chairperson of the supervisory body, such as, in particular the mastery of specific

[51] The relevant theoretical and practical knowledge necessary for chairing of the supervisory board may also be acquired by holding the position of a non-executive director for several years in combination with self-study.

processes that allow them to challenge the decisions of the management body constructively and to supervise them effectively.

64. When assessing necessary experience, the focus should be on the relevant practical professional experience, acquired in addition to education and training in terms of "knowledge". In particular, necessary experience shall be assumed, if the chairperson of the supervisory body possesses sufficient managerial or supervisory experience within the banking sector (e.g. previous or current activities as an executive director or having performed another managerial activity within the banking sector). It is also possible for the necessary experience to be gained by having performed managerial activities in an entity outside the financial sector, while taking into consideration the nature, scope and complexity of the transactions and risk structure of the credit institution, in which the position of chairperson of the supervisory body is to be performed.

65. Knowledge shall not only be required to exist at the time of appointment, but also continuously for the entire duration of the appointment. Institutions are therefore obliged to make adequate resources available for the corresponding continuing professional development in the form of ongoing training measures, and the non-executive directors shall be personally responsible for ensuring that decisions are always taken based on an up-to-date state of information (see Chapter 5).

2.4.4 REVIEWING OF NECESSARY KNOWLEDGE, SKILLS AND EXPERTISE BY THE FMA

66. Professional qualification and practical vocational experience are assessed on the one hand based on the details contained in the curriculum vitae, as well as the other information contained in the submitted documentation and documents about education and training and vocational experience (see point mm.a in the Annex for the details to be submitted in relation to an initial appointment).
The assessment of the requirements in relation to knowledge, skills and expertise, especially theoretical knowledge, where applicable, may also occur during a “Fit & Proper Test” (cf. Chapter 8). In such instances, the appraisal of the curriculum vitae and submitted supporting documentation and documents collectively form the basis for assessment of technical suitability along with the result of the Fit & Proper Test.

2.5 PARTICULAR REQUIREMENTS FOR NON-EXECUTIVE DIRECTORS

2.5.1 OVERVIEW

67. Every non-executive director must possess adequate knowledge, skills and experience to be able to understand the credit institution’s business activities including associated risks to such an extent that they are able to constructively challenge, effectively monitor and check the decisions taken by the management body. To collectively be able to perform this

monitoring and controlling function (Article 28a para. 5 no. 3 BWG), every non-executive director must contribute basic (specialist) knowledge and the corresponding experience for all areas, including also for those where the management body in its supervisory function has a shared and collective responsibility (see also paras. 60 and 68 F&P-GL). Basic general individual knowledge[52], especially in the areas of banking operations, banking activities and law, is essential to develop a sufficient understanding of interdependencies, to be able to critically and objectively scrutinise executive directors’ decisions and proposals (by executive directors, by the committees of the supervisory body etc.), and therefore to actively participate in the process of arriving at and making a decision[53].

68. The delegation of specific issues and duties to committees does not result in individual members not being required to prove any basic experience, knowledge or skills. This is necessary in light of the background that not only core duties of the management body in its supervisory function[54], especially the monitoring of the executive management body[55], may not be delegated to a committee, but also that the remaining members of the management body in its supervisory function are not released from the obligation to review[56] the work of the committees and that the management body in its supervisory function in its entirety always bears ultimate responsibility for the resolutions passed by the committees.

2.5.2 KNOWLEDGE AND NECESSARY EXPERIENCE

69. Given the increasing complexity of banking activities, members of an institution's management body in its supervisory function must be in a position at all times to understand the activities conducted by the institution, to assess the risks that they pose and if need be to make changes to the management body in its management function.
For this reason, generally all non-executive directors of an institution - independent of the personal reputation required in any case - are required to possess the requisite fitness and propriety (see in particular Article 28a para. 5 no. 3 BWG).

70. All non-executive directors possessing the same level of knowledge and experience as prescribed for executive directors is not decisive for fulfilling these requirements, since their role is not of a managerial nature, but is one that consists of monitoring and controlling. Basic knowledge of the applicable supervisory and regulatory rules for the institution in which they perform a supervisory function shall, however, be required in all cases as well as expert financial knowledge, as a minimum to the extent that the person is capable of contributing

[52] Cf. regarding generally valid requirements for a non-executive director Kalss/Schimka in Kalss/Kunz, Handbuch Aufsichtsrat2 (2016) MN 72/2ff, as well as Schimka in Kalss/Kunz, Handbuch Aufsichtsrat2 (2016) MN 17/29.

[53] Individual members are not required to be experts in all areas, but should far more be in the position (if necessary following consultation with experts) to evaluate the information submitted to them.

[54] Cf. Kalss in Doralt/Nowotny/Kalss, AktG5 Article 92 MN 132.

[55] Cf. Kalss in Kalss/Nowotny/Schauer, Österreichisches Gesellschaftsrecht (2008) Rn 3/543.

[56] Cf. Schimka in Kalss/Kunz, Handbuch Aufsichtsrat2 (2016) MN 14/29.

towards a collective decision being made by the supervisory body as a whole in relation to the area that has been conferred upon it, namely the monitoring and controlling of the management body in conducting institution-specific banking transactions.

71. With regard to the members of the management body in its supervisory function possessing sufficient knowledge, under the principle of proportionality it applies that such knowledge depends upon the nature, scale and complexity of the activities and the risk structure of the credit institution in which the role as a non-executive director is to be performed, and that various specialist expertise and in-depth knowledge shall only be required for some sub-areas, especially in the case of nominations to a committee.

72. Non-executive directors shall have basic knowledge in the areas listed in MN 48 as well as in the legal material stated in MN 49. In addition, non-executive directors shall possess knowledge and comprehension of the particularly relevant corporate and supervisory law provisions (e.g. about large exposures, transactions with management and related parties, and other transactions that require approval by the supervisory body).

73. Fitness shall not only be required to exist at the time of appointment, but also continuously for the entire duration of the appointment. Institutions are therefore obliged to make adequate resources available for the corresponding continuing professional development in the form of ongoing training measures, and the non-executive directors shall be personally responsible for ensuring that decisions are always taken based on an up-to-date state of information (see Chapter 5).

2.5.3 COMMITTEES

74. Where the legal obligation exists to establish (specialist) committees for the supervisory body (nomination committee[57], remuneration, risk and audit committee pursuant to Articles 29, 39c, 39d or 63a para.
4 BWG respectively), then regarding the respective committee’s composition – irrespective of the applicable special conditions for the corresponding (remuneration or finance respectively) experts – it should be ensured that the members of the committees possess adequate in-depth (specific) knowledge as well as experience in the respective area, so that the committee as a whole has the necessary expertise required for the orderly performance of its duties and that an (individual) member is able to fulfil resulting obligations with due care.

75. Taking into consideration the size of the supervisory body, when making appointments to committees it is important to ensure that committees do not consist of the same group of

[57] See MN 158ff for detailed information about the nomination committee.

members that already make up another committee and to ensure that one person is not the chairperson of all the committees.[58]

2.5.4 PROVING AND REVIEWING NECESSARY KNOWLEDGE, SKILLS AND EXPERTISE BY THE FMA

76. Professional qualification and practical vocational experience generally will be assessed based on the details given in this regard in the curriculum vitae as well as the other information contained in the submitted documentation and documents in relation to education and training as well as vocational experience (see Annex 1 for the details to be submitted in relation to an initial appointment). The necessary qualifications and experience are especially assumed, if the potential non-executive director has sufficient managerial and supervisory experience in the banking sector (e.g. previous/current activities as an executive director or as chairperson of the supervisory body of comparable credit institutions in terms of the nature, scope and complexity of business conducted).

77. Where the FMA considers it necessary for assessing the suitability of the persons appointed as non-executive directors, it may obtain an idea about the person in question by means of a hearing (“Fit & Proper Test”) (see also para. 182 F&P-GL). The composition and thematic focus of the questions in this case are individually tailored in accordance with the principle of proportionality, taking into account the nature, scope and complexity of the activities conducted, as well as the risk structure of the credit institution, in which the function in the supervisory body is being performed.

2.5.5 EMPLOYEE REPRESENTATIVES IN SUPERVISORY BODIES

78.
The requirements for reputation, the necessary knowledge, skills, experience and sufficient time commitment of members of the supervisory bodies also generally apply to employee representatives in supervisory bodies of institutions, but in this instance are to be assessed in accordance with the Labour Relations Act (ArbVG; Arbeitsverfassungsgesetz). Article 28a para. 5 BWG therefore does not preclude the (central) works council's right to delegate such a representative pursuant to Article 110 ArbVG. Employee representatives are obliged to broaden the relevant expertise during their activity by means of training and educational measures to allow them to perform their monitoring and controlling duties in the management body in its supervisory function in an orderly manner and always be able to reach decisions based on current information. Such education and further training shall be undertaken in accordance with the principle of proportionality and considering (existing) individual knowledge. Onboarding and training courses provided by credit institutions

[58] Cf. para. 49 of the IG-GL.

pursuant to Article 28a para. 6 BWG shall also be made available to employee representatives in the supervisory body.

79. A confirmation of suitability by the institution is not mandatory in the notification pursuant to Article 73 para. 1 no. 8 BWG[59] about the initial delegation of an employee representative in the supervisory body; instead, it shall be up to the works council (as the body seconding the representative) to confirm the suitability of the delegated employee representative. The additional documentation to be submitted via the Incoming Platform during the notification of the first delegation to the supervisory body of the relevant credit institution are listed in Annex 1 and are the same as the documentation to be submitted together with the notification in the case of the initial appointment of other non-executive directors (shareholder representatives).

2.6 COLLECTIVE SUITABILITY

2.6.1 GENERAL

80. All members of the management body in both its management function and supervisory function shall individually and also collectively possess the necessary knowledge and experience, which is appropriate in relation to the nature, scope and complexity of business activities as well as the institution's risk profile (cf. MN 18 et seq).

81. When checking the collective suitability, it is necessary to check how the individual member affects collective suitability, as well as the collective suitability of the management body to perform its duties.

82. The knowledge, skills and experience required for effective management or effective monitoring must be reflected by the composition of the management body in its management function as well as in its supervisory function.
The following areas in particular should be covered by an adequate number of members, to permit the necessary discussion of the decisions to be taken[60]:

■ the business model and strategy of the institution and main risks related to it;
■ all of the institution’s material fields of activity;
■ relevant areas of sectoral/financial competence, including financial and capital markets, solvency and models;
■ financial accounting and reporting;
■ risk management, compliance and internal audit;
■ information and communication technology and security (ICT);

[59] Or Article 151 no. 3a InvFG 2011 in the case of management companies.

[60] See also Chapter 7 F&P-GL.

■ local, regional and global markets, where applicable;
■ the legal and regulatory environment;
■ managerial skills and experience;
■ the ability to plan strategically;
■ the management of (inter)national groups and risks related to group structures, where applicable.

83. The requirements of diversity and the rules contained in the institution’s internal diversity policy are also to be taken into account in checking collective suitability (cf. MN 154).

84. The management body in its supervisory function must collectively[61] possess all necessary specific knowledge, skills, expertise and experience to fulfil its duty pursuant to Article 28a para. 5 no. 3 BWG of comprehensive oversight over management body and the risks to which the institution is exposed.[62]

2.6.2 CHECKING OF COLLECTIVE SUITABILITY BY INSTITUTIONS

85. The suitability matrix template contained in Annex I of the F&P-GL may be used to assess the collective suitability of the management body in either its management function or its supervisory function, and this template may be adapted in accordance with the criteria contained in Chapter 7 of the F&P-GL. Institutions may instead develop and use their own methodology for this assessment; in this case, however, it is essential that the criteria depicted are taken into account accordingly in the assessment, and are adequately covered.[63]

86. Collective suitability is not only to be checked when appointing new executive directors or non-executive directors, but must be ensured on an ongoing basis.

87. In a notification pursuant to Article 73 para. 1 nos. 3 and 8 and Article 28a para. 4 BWG, the member in question is to be classified regarding the collective suitability of the management body in its management function or in its supervisory function.
In cases requested by the FMA on an ad hoc basis, the suitability matrix or any other institution-specific methodology for the assessment of collective suitability must be submitted.

88. The collective suitability is assessed based on the information contained in the suitability assessment of the individual members and by means of the information made available by the institution (using the suitability matrix template or another institution-specific methodology for the assessment of collective suitability) as well as observations during ongoing supervision. In this case, a comparison is conducted about the actual composition of the management body in both its management and supervisory function and the actual collective

[61] The necessary individual knowledge of the non-executive directors remains irrespective of this rule (cf. Chapter 2.5).

[62] In checking collective suitability, the composition of the management body in its supervisory function is also to be considered regarding whether it contains an adequate number of independent members (see Chapter 2.8).

[63] The works council shall not be required to conduct a review of collective suitability in the case of a delegation. However, it may be taken into account in the institution’s assessment, to what extent the delegated employee representatives contribute towards collective suitability.

knowledge, skills and experience against the requirements that seem necessary for the management and monitoring of the specific institution.

2.7 INDEPENDENT MEMBERS OF THE MANAGEMENT BODY IN ITS SUPERVISORY FUNCTION[64]

2.7.1 OVERVIEW

89. While the requirement of independence of mind is to be observed by all executive directors and non-executive directors at all times, Article 28a para. 5a BWG[65] also stipulates a minimum number of independent non-executive directors, with the relevant criteria stipulated in Article 28a para. 5b BWG. Every institution is therefore required to have at least one formally independent member, while every institution of “significant relevance”[66] as well as stock-exchange listed institutions are required to appoint at least two independent non-executive directors[67]. Employee representatives do not count towards the number of independent non-executive directors.

90. The intended purpose of formally independent non-executive directors is to ensure effective reciprocal control in decision-making. In particular, this approach should prevent dominance of individual members or groups, while also ensuring a balanced consideration of the interests of all stakeholders. Against this background, it is necessary in decentralised sectors to ensure that at least one member of the supervisory body does not have any sectoral connection[68]. Furthermore, it is such formally independent members’ particular responsibility, to be aware of the duty of all non-executive directors to stimulate critical discourse regarding important decisions and risk appetite in the institution’s supervisory committees. This ensures that the management body in its supervisory function observes its legal mandate (also under company law) as the institution’s internal supervisory body.
To allow these objectives to be effectively implemented and to ensure an adequate flow of information, formally independent members are also represented in the risk committee in institutions of significant relevance.

91. The formally independent members should be aware of their position and duties as well as the associated responsibility and role both in the supervisory body as a whole and in its committees.

[64] Under Article 107 para. 99 BWG, the new provisions contained in Article 28a in the version amended in Federal Law Gazette I No. 36/2018 only entered into force on 01.01.2019. Article 103w BWG stated that institutions shall be required to take the rules regarding independence into account from the time of the promulgation of the amendment for changes in personal composition, but that an adequate number of independent members would need to be represented in management bodies in their supervisory functions by 01.07.2019 at the latest.

[65] Cf. Chapter 9.3 of F&P-GL.

[66] Cf. MN 109.

[67] Austrian institutions that are neither stock exchange-listed, nor of significant relevance, and which are a fully-owned subsidiary of an Austrian institution are excluded from this requirement.

[68] A sectoral affiliation cannot yet be assumed, where an insignificant stake is held (see also MN 93).

2.7.2 INDEPENDENCE CRITERIA

92. Any non-executive director, who currently or previously was an executive director within the last five years at the credit institution in question, shall not be considered independent. Similarly, performing the activity for a continuous period of 12 years as executive director or non-executive director at the credit institution in question shall also lead to classification as a non-independent member (directorship criterion). Any activity as executive director (currently or within the last five years) within the group of institutions pursuant to Article 28a para. 5 no. 5 lit. a sublit. aa BWG[69] shall also result in a classification as a non-independent member.[70] The same applies for senior management members as defined in Article 2 no. 1b BWG (either currently or in the last three years) of the institution or the group of institutions[71].

93. Non-executive directors having a material financial or business relationship with the institution also leads to the existence of dependency. Material financial and business relationships in particular include participations in the institution as well as other investments or other interdependencies[72], that constitute a non-insignificant beneficial interest for the member or the institution (Criterion of a material financial or business relationship). The relationship between the value of the relationship and the financial resources of the respective non-executive director on the one hand, and the ratio of the value of the customer relationship to the regulatory own funds of the institution on the other hand are therefore decisive. Everyday banking transactions concluded in line with market conditions and loans concluded at market rates, up to an amount of € 200,000.00 shall not be considered as material.
From the institution’s perspective, a business relationship shall in any case be classified as material, when its value reaches the equivalent of 1% of the institution’s eligible own funds. Where this percentage is a value of less than € 200,000.00, this amount shall apply. A business relationship may also be considered as being material for non-monetary reasons, especially where it may impact the contractual partners' reputation, financial development, or image.

94. Material financial or business relationships of a legal person to the institution affect the independence of the legal person’s legal representatives. In this way, the executive director of an undertaking in a material financial and business relationship with the institution is qualified as being a non-independent non-executive director. This arises from the executive director’s obligation under company law to act in the undertaking’s interest.

[69] See MN 111.

[70] Cf. Article 28a para. 5b nos 1 and 10 BWG.

[71] See MN 112.

[72] For example, this includes loans, guarantees of any kind, commitment letters, suretyships and arrangements under civil law that represent an obligation to provide mutual assistance.

95. Furthermore, a controlling shareholder pursuant to Article 22 (1) of Directive 2013/34/EU, employees[73] or a person who has a material business relationship to the controlling shareholder[74] are also considered to be non-independent persons (criterion of the controlling shareholder).

96. Furthermore, employees of the credit institution or an undertaking within the group of institutions[75], which the institution belongs to, are not qualified as being independent. Employee representatives are excluded from these criteria provided they do not perform any executive functions or managerial activities and are not directly responsible and accountable to the management body with regard to day-to-day business (senior management as defined in Article 2 no. 1b BWG) (Criterion of the employee). Employee representatives may be considered as independent non-executive directors where no other circumstances of a detrimental nature to independence exist as defined in Article 28a para. 5b BWG. However, they do not count as such for the purpose of reaching the necessary number of independent members, since they constitute a separate category of non-executive directors. By way of derogation, they do qualify as independent members in the committees, provided no other circumstances exist that preclude independence as defined in Article 28a para. 5b BWG.

97. Anyone who has been the bank auditor[76] of the institution or of another member of the group of institutions within the last three years, or who signed the audit opinion during this period of time, shall not be considered to be independent.
All advisers – especially attorneys, external auditors, tax accountants and business consultants as well as the owners and external auditors of such consultancy firms and practices – who have been active to a material extent within the last three years for the institution or another member of the group of institutions are also deemed to be non-independent (Criteria of the adviser). A temporary one-off activity (e.g. one-off representation in a legal matter in court) does not already constitute a material extent, but advice must instead be given on multiple occasions (e.g. representation on a regular basis) or in the case a one-off activity of a considerable scale (e.g. advising on or performing restructurings, takeovers). In particular, independence no longer exists where advice is provided in the drawing-up or design of strategies or internal guidelines or regarding the risk appetite. 73 The term Angestellter (employee) is not to be understood as per the definition of the Employees’ Act (Angestelltengesetz) or in Article 36 ArbVG. It covers all persons who are allocated to the controlling shareholder, especially its executive directors. 74 See MN 93 et seq. about material business relationships. 75 See MN 112. 76 Pursuant to Article 61 BWG, the certified external auditors or external auditing companies appointed as external auditors of financial statements as well as auditing bodies (auditors, auditing unit of the Savings Bank Auditing Association) from legally competent auditing organisations are considered to be bank auditors. With regard to external auditing companies, all persons named in relation to the auditing of the respective institution shall not be considered as being independent non-executive directors.

98. In addition, those persons who are currently, or who within the past year were, material contractual partners of the institution or another member of the same group of institutions, as well as persons who have a material business relationship to such a contractual partner, are to be qualified as being non-independent (Criteria of the material contractual partner). This provision in particular covers persons in managerial functions of the material contractual party (cf. para. 91 lit. h F&P-GL and the explanatory remarks regarding Article 28a para. 5b BWG in the Supplements to the Stenographic Protocols of the National Council (BlgNR) no. 106 in the 26th Legislative Period). A contractual partner may be classified as material for monetary (e.g. high level of deposits, high level of interest payments, other financial liabilities or substantial bank guarantee contracts) as well as for non-monetary reasons (publicity value or networking). A material contractual partnership may also arise due to sectoral contractual relations77.

99. Where a non-executive director receives additional payments of a substantial amount or other material benefits in addition to their remuneration for their activity in the management body in its supervisory function from other material financial or business relationships to the institution or to another member of the group of institutions, then they shall also be considered to be non-independent. Payments shall be considered material when they amount to (at least) 15 % of the total annual gross income of the non-executive director in question. Where the actual equivalent value of another benefit corresponds to (at least) 15 % of the total annual gross income of the non-executive director in question, or is to be assumed to be of such significance for the member that independent behaviour of the non-executive director would no longer be assumed, that person shall not be counted towards the number of independent members.78

100. In addition to financial and business connections, independence criteria also cover personal interdependencies. Spouses, domestic partners79, children, adopted children or foster children of executive directors or one of the persons named in MNs 92 to 99 do not qualify as independent members.

101. Article 28a para. 5c BWG stipulates that at least one non-executive director must unconditionally fulfil all independence criteria. Where institutions are required to name further independent members, the independence criteria are to be seen in the assessment of such additional members as a refutable presumption. Where one of the situations described is met, this member shall nevertheless be considered independent provided that the credit institution is able to prove their independence. A detailed presentation of the reasoning is necessary to demonstrate the ability to reach an objective and unbiased judgement and to reach decisions independently while considering the interests of all stakeholders (the rationale stated in MN 90 must be met).

77 IPS membership contracts also fall under such sectoral relations.
78 Where it relates to an employee representative, their remuneration as an employee shall not be considered as material as defined in Article 28a para. 5b no. 9 BWG.
79 Article 72 para. 2 StGB defines domestic partners as persons living with one another in a domestic relationship; children and grandchildren of one of the domestic partners are treated as relatives of either partner.

2.7.3 FORMALLY INDEPENDENT MEMBERS OF SUPERVISORY BOARD COMMITTEES

102. At least two independent members must be represented80 in the risk committee, with the chairperson of the risk committee in all institutions required to fulfil the criteria on independence set out in Article 28a para. 5b BWG. Furthermore, Article 39d para. 5 BWG also stipulates in the case of credit institutions classified as systemically important pursuant to Article 23c and Article 23d BWG81 that the majority of the members and the chairperson of the risk committee must be independent.82

103. At least two independent members83 must be represented in the remuneration committee, with the chairperson of the remuneration committee and the remuneration expert in all institutions fulfilling the independence criteria set out in Article 28a para. 5b BWG (cf. Article 39c para. 3 BWG).84

104. The declaration and duty to cooperate (see MN 40 et seq.) also covers information about independence.

2.8 SUFFICIENT TIME COMMITMENT OF EXECUTIVE DIRECTORS AND NON-EXECUTIVE DIRECTORS

2.8.1 QUALITATIVE ASSESSMENT

105. An orderly, conscientious and dutiful management of the institution’s business, in addition to the dutiful and orderly performance of monitoring and controlling duties, also requires sufficient time commitment of the persons appointed as executive directors (Article 5 para. 1 no. 9a BWG) or non-executive directors (Article 28a para. 5 no. 5 BWG). As a basic rule, executive directors and non-executive directors shall be expected to dedicate sufficient time to perform the tasks conferred upon them in the institution (see also Title III Chapter 4 F&P-GL). Where they perform several executive and/or non-executive activities, executive directors and non-executive directors are required to take the circumstances into account in the specific case in hand as well as considering the nature, scope and complexity of business conducted and the institution’s risk structure.85

80 Cf. Chapter 5.2 of the IG-GL and Chapter 9.3 of the F&P-GL. The legislator has defined the term “an adequate number” as being “at least two members” in Article 28a para. 5a BWG.
81 Regarding systemically important institutions see Article 7b of the Regulation of the Financial Market Authority (FMA) on the setting and recognition of the countercyclical capital buffer rate, on the setting of the systemic risk buffer as well as on the specific description of the calculation basis pursuant to Art. 23a para. 3 no. 1 BWG and Art. 24 para. 2 BWG (Capital Buffer Regulation – KP-V; Kapitalpuffer-Verordnung), published in Federal Law Gazette II no. 435/2015 as amended.
82 Cf. response to a question raised to parliament no. 136 in the Supplements to the Stenographic Protocols of the National Council (BlgNR), 26th Legislative Period.
83 In line with Article 39c para. 3 BWG, this circular defines the term “sufficient number” used in para. 55 of the EBA Guidelines on sound remuneration policies under Directive 2013/36/EU (EBA/GL/2021/04) as “at least two members”.
84 Para. 55 of the EBA Guidelines on sound remuneration policies under Directive 2013/36/EU (EBA/GL/2021/04). In this context it is worth noting that the FMA’s compliance declaration for these EBA Guidelines (EBA/GL/2021/24) was only one of partial compliance in that it no longer covers the second sentence of para. 55.

106. Furthermore, the calculation must also include additional time commitment based on specific circumstances (for example: a merger, takeover or the acquisition of an undertaking (or parts thereof) or restructurings, but also in the event of a member’s lengthier absences) as well as training and courses (see Chapter 5).

107. The following criteria in particular shall be considered within the assessment86:
■ the number of directorships held concurrently by the person in financial companies and non-financial undertakings, as well as directorships in organisations that do not predominantly pursue commercial objectives;
■ the nature, scope and complexity of the activities of the undertaking and the nature of the specific position as well as the member’s responsibilities including the performance of certain functions (e.g. activities as the chairperson or as a committee member);
■ the number of meetings (both meetings of the management body and its committees as well as the management body’s meetings with internal and external persons);
■ the member’s usual place of residence and the travel time required for the role;
■ other external professional or political activities;
■ necessary onboarding and training;
■ any other relevant duties of the member that institutions deem necessary for consideration when assessing a member’s sufficient time commitment; and
■ as applicable any available relevant benchmarking on time commitment (e.g. the benchmarking provided by the EBA87).

108.
This requirement applies to executive directors and non-executive directors (or to members of the competent supervisory board otherwise appointed in accordance with the law or the statutes) in all institutions.

85 Article 5 para. 1 no. 9a and Article 28a para. 5 no. 5 BWG respectively use the term “Tätigkeiten” (activities/duties), whereas the term “Mandate” (directorships) is used in the material accompanying the legal text (Explanations in relation to Government Bill (ErlRV) 2438 in the supplements to the stenographic protocols of the National Council (BlgNR) no. 17 for the 24th legislative period (XXIV. GP)) as well as in Article 91 (3) CRD IV. In both cases the provisions address the performance of roles within the management body in its managerial or supervisory function. The terms "activities/duties" and "directorships" are therefore used synonymously in this circular.
86 Cf. also para. 43 of the F&P-GL.
87 Cf. para. 43 F&P-GL.

2.8.2 LIMIT ON DIRECTORSHIPS

109. For executive directors and non-executive directors of credit institutions “of significant relevance”, Article 5 para. 1 no. 9a or Article 28a para. 5 no. 5 BWG (the third sentence of the respective provision) also defines quantitative limits on the number of directorships regarding their activities in executive functions or as non-executive directors, in addition to the general requirement of always having sufficient time for the performance of their duties in the institution (‘limit on the number of directorships’). In total, in accordance with this provision, only one activity in an executive function (Article 5 para. 1 no. 9a BWG) may be performed in combination with up to two non-executive directorships or – provided that the person in question does not perform any activity in an executive function – a maximum total of four activities as a non-executive director (Article 28a para. 5 no. 5 BWG). Under Article 5 para. 4 BWG a credit institution shall be considered as being of significant relevance where, on average, its total assets as of the respective reporting dates of the last three concluded financial years reach or exceed Euro 5 billion.88 In any case, the following shall be considered credit institutions of significant relevance:
■ credit institutions that are not "less significant institutions" pursuant to Article 6(4) of Regulation (EU) No. 1024/2013 ("SSM-R"), or in the case of a significant supervised group pursuant to Article 2 no. 22 of Regulation (EU) No 468/2014 ("SSM Framework Regulation") only the consolidating credit institution pursuant to Part One of the CRR, or
■ credit institutions classified by the FMA as a globally systemically important institution or as a systemically important institution, or in the case of a group classified as a globally systemically important institution or as a systemically important institution, only the consolidating credit institution pursuant to Part 1 of Regulation (EU) No 575/2013.

110.
Someone is active in an “executive function” if they are empowered under law, articles of association/statutes/memorandum of association to manage the business and to act as the organisation’s legal representation. In the case of companies with the legal form of a limited liability company (GmbH), ordinary partnership (OG) or limited partnership (KG), this is the director(-shareholder); in the case of a joint stock company (AG), savings bank (Sparkasse), foundation (Stiftung) or an association (Verein), the management body; in the case of a credit cooperative, the persons named89 as executive directors entrusted with executive functions in accordance with Article 2 no 1 lit. b BWG; for (other kinds of) cooperative society and a monistic Societas Europaea (SE), both the law and the articles of association shall be applied in assessing the existence of an “executive function”.

88 When determining the total assets, in the case of groups of credit institutions, the financial statement on an individual basis shall be considered authoritative.
89 They may, but are not necessarily required to, belong to the management body; voluntary members of the management body are not considered as executive directors under the BWG definition, and are therefore also not active in an executive capacity in relation to limits on directorships held.

111. Activities as a "non-executive director" are understood as meaning all monitoring activities in supervisory bodies in accordance with laws and statutes (e.g. also in the supervisory body of a savings bank (Sparkassenrat), but not in the advisory board (Beirat) of a cooperative society, joint stock company or foundation), with it being irrelevant whether the appointment was made by election, delegation or by a court.

112. Executive functions performed only on a temporary basis, such as those of liquidator or court commissioner, as predominantly performed by lawyers or external auditors, shall not be considered for the purpose of the limits on directorships held, but are, however, considered within the overall assessment.

2.8.3 PRIVILEGES

113. When calculating the maximum permissible number of directorships, the activities listed below in an executive function or as member of the supervisory body (hereinafter: activities) only count as one activity in total:
■ Activities within the same group of institutions consisting of the EU parent institution, its subsidiaries and the institution’s own subsidiaries or other undertakings that belong to the same group of credit institutions, provided all of the aforementioned are included in supervision on a consolidated basis or are subject to supplementary supervision pursuant to Article 6 para. 1 FKG (“privilege for groups of institutions” pursuant to Article 5 para. 1 no. 9a lit. a sublit. aa or Article 28a para. 5 no. 5 lit. a sublit. aa BWG)90;
■ Activities within an “other kind of group” consisting of associated undertakings pursuant to Article 189a no. 8 UGB, Article 245a UGB or Article 15 AktG (“privilege for other groups” pursuant to Article 5 para. 1 no. 9a lit. a sublit. bb or Article 28a para. 5 no. 5 lit. a sublit. bb BWG);
■ Activities in member institutions of the same institutional protection scheme (IPS) pursuant to Article 113 (7) CRR (“IPS privilege” pursuant to Article 5 para. 1 no. 9a lit. b or Article 28a para. 5 no. 5 lit. b BWG) – the term “members” also covers the associated organisations that are also consolidated within the respective IPS in addition to credit institutions. The membership of one and the same IPS due to the clear wording of lit. b is a condition for the fiction of only one activity existing;
■ All activities in undertakings within and outside of the financial sector, in which the credit institution holds a qualifying holding pursuant to Article 4 (1) (36) of Regulation (EU) No. 575/2013 (“privilege of participation” pursuant to Article 5 para. 1 no. 9a lit. c or Article 28a para. 5 no. 5 lit. c BWG) count as a further, additional directorship to the directorship held in the institution91. Directorships in undertakings in which qualifying holdings are held by undertakings belonging to the group shall count as an extra directorship in addition to the directorship arising from the group92. Consequently, directorships within the members of the group shall be counted as one directorship and those within the qualifying holding as a second additional directorship.

90 Article 5 para. 1 no. 9a and Article 28a leg. cit. shall apply to an affiliation of credit institutions pursuant to Article 30a para. 12 BWG subject to the central body being considered as the superordinate institution and the affiliation of credit institutions as a group of credit institutions.

114. Where directorships are held in different groups or institutions, all directorships held within the same IPS count as one directorship. Where applying the IPS privilege leads to a higher number of directorships being counted than when applying the group privilege, then the former shall take priority.93

115. For the calculation of upper limits for the number of permissible activities, this means the following: If the activities counted together pursuant to Article 5 para. 1 no. 9a lits. a to c or Article 28a para. 5 no. 5 lits. a to c BWG – in applying the aforementioned calculation rules – (along with activities as non-executive directors) also cover activities in executive functions, such activities shall be counted in total as a single activity in an executive function94. When the activities to be counted together only cover activities as a non-executive director, such activities shall be considered in total as a single activity as a non-executive director95.

116. If the person in question is active in several associated credit institutions pursuant to Article 5 para. 1 no. 9a lits. a to c or Article 28a para. 5 no. 5 lits. a to c BWG in an executive function or as a non-executive director (for example in both the parent and subsidiary institutions), then the “bird’s eye view” consideration is decisive: if several different results are reached regarding the directorships to be counted together, depending on which notifying institution’s perspective is taken, the result that (most likely) allows the mandate holder concerned to comply with the statutory provisions applies.

117. When calculating the limits on numbers of directorships, activities in organisations that do not predominantly pursue commercial objectives are not to be included (Article 5 para. 1 no 9a or Article 28a para. 5 no. 5 BWG fifth sentence respectively). For the interpretation of these exceptions, in the first instance the term “of a commercial nature” in Article 1 para. 1 BWG in conjunction with Article 2 para. 1 of the Value Added Tax Act (UStG; Umsatzsteuergesetz) shall be applied; the focus, however, is on whether predominantly commercial objectives are pursued. In particular, such organisations that do not pursue profit-oriented aims, but which instead pursue not-for-profit, charitable or generally ideal acts (and which therefore do not have predominantly commercial objectives) should be excluded from the limits on directorships.

91 One directorship is therefore to be counted for the activity in the institution and an additional one for all directorships in the entities in which the institution holds qualifying holdings.
92 Cf. para. 52 F&P-GL.
93 Cf. para. 53 F&P-GL.
94 Cf. para. 49 F&P-GL.
95 Article 103q nos. 10 and 15 BWG defines a grandfathering provision for activities as a non-executive director that were already being conducted on 31.12.2013 ("existing directorships"). Existing directorships shall also be counted in calculating directorships, but shall not be required to be ‘reduced’ where the maximum number of permitted directorships is exceeded. Such directorships may also be extended by reappointment, unless doing so leads to the exceeding of the limit on concurrently held directorships, since directorships extended by reappointment after 31.12.2013 count fully from 1.7.2014 (entry into force of the limits on the number of directorships). The grandfathering clause for existing directorships therefore expires with the first reappointment after 31.12.2013. The grandfathering clause shall not apply for executive directors or non-executive directors of credit institutions about whom on an individual basis based on an assessment by the FMA pursuant to Article 22 para. 3 BWG a systemic risk pursuant to Article 22 para. 2 BWG may be assumed (Article 103q nos. 10 and 15 BWG, second sentence in both cases).

118. Examples of organisations that do not predominantly pursue commercial objectives (in the form of a demonstrative list) would accordingly be:
■ associations under the Associations Act 2002 (VerG 2002; Vereinsgesetz);96
■ communities for land reform and trustees of a residential estate (Article 5 no. 5 Corporation Tax Act 1988 (KStG 1988; Körperschaftsteuergesetz 1988)), provided they do not conduct any operative activities extending beyond the scope of auxiliary (agriculture and forestry) operations or that lease out operations;
■ professional associations empowered to negotiate collective labour agreements as defined in Article 4 para. 2 ArbVG or professional and advocacy groups (Article 5 no. 13 KStG 1988), provided they do not conduct commercial activities (such as operations of a commercial nature);
■ certain agricultural cooperatives as defined in Article 5 no 9 KStG, namely agricultural usage cooperatives, the purpose of which and their actual business operations is restricted to the communal use of farming and forestry plants or equipment by their members (e.g. cooperative societies for breeding, pasturing and machinery), as well as wine-growing cooperatives, whose actual business operations are limited to processing and using of agricultural products produced by their members themselves, provided that processing and usage fall within the scope of agriculture;
■ corporations, associations of persons or pooled assets for the promotion of not-for-profit, charitable or religious purposes as defined in Article 34 et seq. of the Austrian Fiscal Code (BAO);
■ statutory not-for-profit organisations (e.g. foundations for not-for-profit purposes as defined in the Federal Act on Foundations and Funds (BStFG) or housing associations in the public interest as defined in the Limited Profit Housing Act (WGG));
■ certain corporations under public law, provided their operations of a commercial nature are not those listed in Art. 2 KStG or in agricultural or forestry operations;
■ holding companies for participations (holdings for the purpose of managing assets), provided that they are not active in a commercial manner over and above the duty of managing their own (participation) assets by trading of participations or providing economically valuable services of an administrative, financial, commercial or technical nature to their subsidiaries, or perform managerial and steering duties for the affiliation of undertakings or in other ways;
■ the uniform deposit guarantee system pursuant to Article 1 para. 1 ESAEG97;
■ (private) foundations, provided that any commercial activity does not extend beyond a purely ancillary activity.

96 In contrast, associations for profit established under the 1852 Patent on Associations (Vereinspatent 1852), mutual insurance associations and pawn-broking institutions are assumed to predominantly pursue commercial aims.

119. Whether an organisation predominantly pursues commercial objectives or not must always be assessed based on the specific circumstances of the individual case in hand as part of an overall assessment.

120. Activities in an executive function at organisations whose shares or voting rights are (fully or majority) directly or indirectly held by the Republic of Austria and for whom the European Commission has approved a resolution or restructuring plan in accordance with the EU rules and decisions on government aid pursuant to Articles 107 to 109 of the Treaty on the Functioning of the European Union (TFEU)98 shall be excluded from the calculation pursuant to the third sentence of Article 5 para. 1 no. 9a BWG (Article 103q no. 10a BWG). Activities as non-executive directors as representatives of the Republic of Austria shall also not be considered when calculating the number of directorships (third and fifth sentence of Article 28a para. 5 no. 5 BWG).

2.8.4 APPROVAL OF AN ADDITIONAL NON-EXECUTIVE DIRECTORSHIP

121. Where the notifying institution makes an application, the FMA may authorise the limits on directorships to be exceeded by ONE non-executive directorship (Article 5 para. 1 no. 9a and Article 28a para. 5 no. 5 BWG; penultimate sentence respectively). It shall only be possible to take up the additional directorship once the FMA has approved it.

122.
The circumstances in the specific case in hand must be considered, such as the extent to which the person in question makes use of privileges, exceptions and transitional provisions, as well as the nature, scale and complexity of the activities of the credit institution and its financial situation. In any case the assessment is always focussed on the purpose of the legal limits: to ensure, where multiple directorships are held, that sufficient time is always available for the diligent and orderly fulfilment of duties in the credit institution. Therefore, the documentation listed in the Annex, in particular, must be submitted with the application to prove sufficient time commitment as well as independence of mind99 (especially that conflicts of interest do not exist). The FMA shall regularly inform the EBA about such approvals (Article 5 para. 1 no. 9a and Article 28a para. 5 no. 5 BWG, final sentence respectively).

97 Deposit Guarantee Schemes and Investor Compensation Act (ESAEG; Einlagensicherungs- und Anlegerentschädigungsgesetz).
98 Treaty on the Functioning of the European Union (“TFEU”), consolidated version, issued in OJ EC No. C 326, 26.10.2012, p. 0001-0390.
99 Cf. Chapter 2.2.4.

2.8.5 MAIN PROFESSION OF EXECUTIVE DIRECTORS

123. To avoid any potential conflicts of interest, and to ensure the necessary time resources for the orderly performance of duties as an executive director, Article 5 para. 1 no 13 BWG stipulates that executive directors shall not be allowed to perform any other main profession outside the financial sector (either outside of banking or outside of insurance undertakings, Pensionskassen, payment institutions, electronic money institutions, investment firms or investment services providers). This prevents the activity as executive director of an institution from being performed on only a part-time basis. In determining whether the activity is the person's main profession, in addition to the necessary salary for covering everyday needs, it is also necessary to primarily focus on the necessary time commitment. In contrast, it is irrelevant under which legal basis the main profession is performed.

124. Even when no main professional activity exists outside the financial sector, executive directors have in any case to observe the fundamental rule and take into account the circumstances in the specific case in hand and the nature, scope and complexity of the business conducted as well as the institution’s risk structure when performing other activities.100

2.8.6 CHECKING OF SUFFICIENT TIME COMMITMENT

125.
Sufficient time commitment of the (potential) executive directors and non-executive directors is primarily checked on the basis of a qualified self-assessment including a sworn declaration from the person in question that a sufficient amount of time is available and that sufficient time is able to be dedicated, in order to perform the executive or non-executive function in an orderly manner and with the necessary diligence. Observance of the limit on the number of mandates held for credit institutions of significant relevance is primarily assessed based on the information supplied in the notification of the appointment/naming of the executive directors or non-executive directors (Article 73 para. 1 no. 3, Article 28a para. 4 or Article 73 para. 1 no. 8 BWG) (see information on the Incoming Platform and Annex 1)101.

126. Credit institutions of significant relevance as defined in Article 5 para. 4 BWG shall check the number of directorships concurrently held by their (re-)appointed executive directors and non-executive directors at the time of their appointment, and shall use appropriate procedures to ensure that statutory limits on concurrent mandates are constantly observed; they shall notify the FMA without delay about any changes that (may) lead to the suitability requirements stipulated in Article 5 para. 1 no. 9a or Article 28a para. 5 no. 5 BWG ceasing to exist (Article 73 para. 1 no 3 or no. 8 BWG).

100 To ensure orderly business management and representation of institutions in Austria, the BWG also states that at least one executive director must have the centre of his/her vital interests in Austria (Article 5 para. 1 no. 10 BWG), so that they are easily contactable for the supervisor (explanatory remarks of the government bill, 1130 BlgNR 18th legislative period 118).
101 There is a separate form on the Incoming Platform for institutions that fall under the direct supervision of the ECB.

3 REQUIREMENTS FOR KEY FUNCTION HOLDERS

127. The F&P GL also contain personal requirements for “key function holders”102, which comprise staff members of an institution who, primarily in light of their position, exert material influence on the business activity of the institution, without (formally) being members of the management body in its management or supervisory function (executive director or non-executive director respectively). Members of the “senior management” as defined in Article 2 no. 1b BWG as a rule perform key functions, since, by definition, they perform managerial duties in an institution or executive duties and are responsible and accountable towards the management body in its management function for day-to-day business.103

128. In addition to the heads of the internal control functions (see MN 130 et seq.), the heads of significant business lines or divisions, the directors of significant branches as defined in Article 18 BWG and subsidiaries that belong to the group also qualify as key function holders. Key function holders are primarily to be identified by the institutions themselves and their suitability assessed in accordance with the bank’s internal guidelines (see Chapter 6) for the appointment and succession of persons with key functions.

129. They must possess the requisite personal reputation and must hold suitable professional qualifications and possess sufficient experience taking adequately into account the nature, scope and complexity of the business of the institution as well as the competences of the relevant position (cf. in particular Chapter 5 F&P GL). This should be taken into consideration, both when they are appointed as well as during ongoing controlling. Key function holders may also be invited to the FMA for “Fit & Proper tests” (cf. para. 183 F&P-GL).104

102 Regarding the Anti-Money Laundering Officer (AML officer), please refer to the FMA Circular on internal organisation for the prevention of Money Laundering and Terrorist Financing. Regarding the MiFID Compliance Officer see the FMA’s WAG 2018 Organisational Circular in the version amended in Circular 01/2021, MNs 30 and 41 et seq.
103 The persons who are primarily responsible for internal control functions are also “key function holders”, please see Chapter 4 for the specific rules.
104 See also MN 51 of the FMA’s WAG 2018 Organisational Circular in the version amended in Circular 01/2021.

4 REQUIREMENTS FOR THE HEADS OF INTERNAL CONTROL FUNCTIONS

4.1 OVERVIEW

130. Article 39 paras. 5 and 6 BWG and Article 42 BWG contain regulations for establishing internal control functions in an institution and requirements for the heads of such functions. In addition to the corresponding organisational measures and general requirements for staff members of internal control functions, the heads of the internal control functions shall also be required to have adequate suitability, measured in terms of their honesty, propriety and independence of mind and their possession of sufficient theoretical (necessary expertise) and practical (experience in banking) knowledge. Reference is made to the FMA’s WAG 2018 Organisational Circular in the version amended in Circular 01/2021 regarding the MiFID Compliance Officer in accordance with Article 29 WAG 2018 in conjunction with Article 22 (3) point b of Delegated Regulation (EU) 2017/565 regarding necessary knowledge and expertise.

4.1.1 FORMAL REQUIREMENTS

131. The heads of the internal control functions are to be placed at an appropriate level of seniority, so that their responsibility comes with sufficient authority and the corresponding gravitas, and to ensure direct access to and direct reporting to the executive directors. Furthermore, the internal control functions' independence must also be guaranteed. For this purpose, necessary organisational precautions shall be taken to ensure that the internal control functions are not subordinate to a person responsible for performing activities that the internal control function monitors and controls. Furthermore, staff members of the internal control function shall not be allowed to perform any operative activities falling in a scope of activity monitored and controlled by the internal control function itself (prohibition of self-control).

The institution shall define documented processes for filling positions of heads of the internal control functions. The heads of the internal control function shall not only be required to be adequately qualified at the time of their appointment, but also to ensure that such qualifications are kept up-to-date on an ongoing basis. Access to further training measures is therefore to be ensured.

4.1.2 ASSESSMENT OF TECHNICAL SUITABILITY

132. Special requirements exist for the qualification of the heads of the internal control functions. The required expertise and experience in banking covers the necessary theoretical knowledge acquired by attending relevant education and training and the practical

knowledge acquired during professional activities required for performing the respective internal control function activities. This will be presumed by subject-relevant university degrees and courses or external and internal training measures, and relevant proof (e.g. diplomas, certificates of attendance, and references etc.) is required to ensure that the appropriate knowledge was actually acquired. Material requirements for the technical suitability of heads of the internal control functions vary depending on the respective area of competence. Specific requirements are explained in greater detail for the respective internal control function.

133. Regarding the assessment of prior experience in banking, the nature, scope and complexity of the undertaking as well as the duties specifically undertaken (duration of activity, scope of the competence held, powers and responsibilities, expert knowledge acquired) must be taken into account.

4.1.3 CHECKING OF TECHNICAL SUITABILITY

134. Technical suitability and professional experience are generally assessed based on the necessary information in the applicant’s curriculum vitae and other information contained in the submitted documentation and documents regarding education and training and professional experience. In particular, it shall be assumed that the person possesses the necessary fitness and propriety, where the person was previously active in the banking industry in a comparable position not merely on a sporadic basis.

4.1.4 HONESTY, PROPRIETY AND INDEPENDENCE OF MIND

135. Irrespective of the nature, scale and complexity of the activities that the institution performs, the heads of the internal control functions must act with propriety, honesty and independence of mind at all times. The propriety, honesty and independence of mind of heads of the internal control functions shall be measured against the same benchmark as for executive directors (see Article 39 para. 5 last sentence, Article 39 para. 6 no. 3 and Article 42 para. 1 last sentence BWG in conjunction with Article 5 para. 1 nos. 6 and 7 BWG). We refer here to the explanations contained in Chapter 2.3, which apply accordingly for the heads of internal control functions.

4.1.5 CHECKING, DECLARATION AND DUTY TO COOPERATE

136. The information sources listed in MN 39 apply for the assessment of honesty, independence of mind as well as reliability. In addition, heads of internal control functions may also be invited to “Fit & Proper tests” at the FMA’s premises.

137. We refer to MN 40 et seq., which also apply accordingly to the duty to cooperate, disclosure and information requirements of the institution and person in question.

4.2 HEAD OF THE RISK MANAGEMENT DEPARTMENT

4.2.1 OVERVIEW

138. The head of the risk management function is responsible for ensuring that comprehensive and comprehensible information about risks is made available. They shall advise the management body in such a way that the latter understands the institution’s overall risk profile.

139. In institutions of “significant relevance” a separate organisational unit is entrusted with risk management duties that reports directly to the management body, with a dedicated manager to be appointed especially for the role as the head of the risk management department.

140. Where a credit institution requests this, the FMA may authorise that another manager in the institution performs this function, where the nature, scale and complexity of the activities of the institution would not justify the appointment of a person solely for this purpose, and where no conflict of interest105 exists. As a result, it is necessary when applying for such authorisation to state why it is proportionate to combine this position with another position. Furthermore, it is necessary to justify that no conflicts of interest exist and that adequate resources are available. In cases where the Chief Risk Officer (CRO) is the Head of the Risk Management Department, there is no obligation to seek approval as defined in Article 39 para. 5 BWG.

4.2.2 PROFESSIONAL QUALIFICATION

141. Heads of the risk management function must be able to scrutinise decisions relating to the institution’s risk exposure, taken by the executive directors.

142. The assessment of expertise takes into account the specific role, responsibility and the specific duties of the risk management department. Knowledge, and therefore in-depth knowledge, must be proven above all for the orderly performance of the following responsibilities and duties:

■ Knowledge about risk management processes and procedures as well as markets and products and the detection and measuring of the manifestation of risks;
■ Reporting of risks and the risk situation to the executive directors as well as proposing measures to be taken;
■ Being involved in defining the credit institution’s risk strategy and in all important decisions relating to risk management;

105 The risk management department (“second line of defence”) must be strictly separated from the front office areas (“first line of defence”).

■ Having a complete overview of the extent of existing types of risk and the credit institution’s risk situation.

4.3 HEAD OF THE BWG COMPLIANCE FUNCTION

4.3.1 OVERVIEW

143. The duty of the BWG Compliance Function pursuant to Article 39 para. 6 no. 2 BWG, under the management of the person appointed pursuant to Article 39 para. 6 no. 3 BWG, is the constant monitoring and regular assessment of the appropriateness and effectiveness of policies and procedures pursuant to Article 39 para. 6 no. 1 BWG as well as the measures that must be undertaken to correct any deficiencies that arise. Furthermore, the management body is to be advised in this regard.106

144. Pursuant to Article 39 para. 6 no. 2 BWG, credit institutions of “significant relevance” are required to establish a permanent, effective and independently working BWG compliance function reporting directly to the management body.107 See Chapter V.E. of the FMA Minimum Standards on the BWG Compliance Function regarding the combination of the BWG Compliance Function with other functions108.

4.3.2 PROFESSIONAL QUALIFICATION

145. The assessment of specialist knowledge and experience in the banking industry should take into consideration the specific duties and responsibility of the BWG compliance function as well as their role in the company. A mastery of the relevant laws and regulations (for the respective institution) listed in Article 69 para. 1 BWG required for the performance of responsibilities and duties is expected109. They shall have in-depth theoretical knowledge of the activities of the BWG Compliance Function and the regulations that are applicable to the credit institution. Furthermore, the Head of the Compliance Function must also possess comprehensive practical knowledge of banking, obtained from at least three years' activity in the same entity or in another entity of a comparable business type.

106 See Chapter V of the FMA Minimum Standards on the BWG Compliance Function 02/2022 regarding the organisational embedding and duties of the BWG Compliance Function.
107 See the explanatory remarks on item 106 BglNR from the 26th legislative period about Article 39 paras. 5 and 6 BWG.
108 FMA Minimum Standards on the BWG Compliance Function 02/2022 in the version published on 03.11.2022.
109 See Chapter IV.A of the FMA Minimum Standards on the BWG Compliance Function 02/2022 about the regulations that fall in the scope of competence of the BWG Compliance Function.

4.4 HEAD OF THE INTERNAL AUDIT FUNCTION

4.4.1 PROFESSIONAL QUALIFICATION

146. Special requirements exist regarding the professional qualification of the Head of the Internal Audit Function. In addition to in-depth theoretical knowledge about internal auditing activities, the Head of the Internal Audit Function must also possess comprehensive practical knowledge of banking, obtained, for example, from at least three years' activity in the same entity or in another entity of a comparable business type. They shall cover all legal standards in relation to internal governance as well as the formal and material orderliness of accounting.110 Furthermore they shall comply with national and international professional standards, for example the standards issued by the Institute of Internal Auditors (IIA).

4.4.2 HONESTY, PROPRIETY AND INDEPENDENCE OF MIND

147. In addition to the general rules on honesty, propriety and independence of mind (cf. Chapter 2.2) the BWG also prescribes specific, additional criteria for the honest, proper and independent of mind performance of the activities of the internal audit function (cf. MNs 29 to 35 of the FMA Minimum Standards on Internal Auditing111).

110 Cf. MN 36 of FMA Minimum Standards 01/2020 on Internal Auditing.
111 FMA Minimum Standards on Internal Auditing 01/2020, in the version published on 02.01.2020.

5 ONBOARDING, REGULAR TRAINING AND EDUCATION

148. Since the appropriate suitability of the members of the management and supervisory bodies as well as the heads of internal control functions is required to exist112 both upon assuming the activity as well as on a continuous basis, which implies the necessity to hold regular trainings for such persons, credit institutions are obliged to ensure that appropriate human and financial resources are made available for regular training and to also ensure that financial resources are constantly made available (Article 28a para. 6 BWG). To ensure that the necessary training measures are conducted, both internal and external resources may be used. Institutions must define objectives for both onboarding and training, as well as suitable policies and procedures for attaining such goals, which may form a component of the policy as a whole for the assessment of suitability (see Chapter 6). Existing relevant industry-specific benchmarks should be focused on in doing so. The results from the EBA benchmarking exercise are to be taken into account in particular with regard to the planning of the training budget.

149. The executive directors and non-executive directors shall also take personal responsibility to always reach decisions based on up-to-date information. They are therefore required to familiarise themselves with changes to the environment of the institution (especially in relation to new legal regulations) on a continual basis, and to continue to obtain education, in particular in the field of supervisory law. The policies and processes must prescribe a transparent process regarding onboarding or training to be applied for by the executive directors and non-executive directors, and be communicated to them accordingly.

150. The onboarding of the executive directors and non-executive directors in their position should serve to ensure that they understand the structure, business model, risk profile and the governance rules of the institutions as well as their individual role within the system as a whole. Therefore, all material information is required to be communicated to the newly appointed directors within one month of their starting their role, and the onboarding process and all necessary training measures are to be concluded within six months.

151. The objectives of onboarding and training should in particular be tailored towards the necessary specialist knowledge and skills that are required for the respective position, responsibility as well as participation in the committees of the supervisory body, and should be defined in an internal policy. If shortcomings are identified with regard to knowledge or skills during the suitability assessment, then the necessary trainings must be concluded as quickly as possible: where this is not possible prior to entering office then at latest within a

112 With regard to the requirements in relation to the MiFID Compliance Function under the WAG 2018 in conjunction with Delegated Regulation (EU) 2017/565, please consult FMA Circular 01/2021 - the WAG 2018 Organisational Circular, in the version published in January 2021, MNs 40ff.

year of entering office. Credit institutions shall inform the competent authority about the measures that have been identified as being suitable, and inform them about the timetable.

152. The quality, adequacy and observance of the policy and the process must be reviewed and adapted where applicable. Furthermore, in the case of there being changes to the governance structure and strategy, new products, current legislative or market developments or other developments then they must be updated.

6 INTERNAL FIT & PROPER ASSESSMENTS AND POLICIES

6.1 GENERAL

153. Whether (potential) executive directors or non-executive directors are individually and collectively suitable, and the heads of internal control functions and key function holders113 are suitable (reliable, with suitable professional qualifications and sufficiently experienced) is checked by the institutions in accordance with their internal policies for the selection and assessment of executive directors and non-executive directors, or for the assessment of the suitability of key function holders.114 These internal fit and proper tests are conducted regularly, as applicable (also) during training (measures),115 and documented.116

154. The policies on the assessment of suitability are to be tailored to the governance framework of the institution for operations as a whole as well as the corporate culture and risk appetite, and, when they are drawn up and revised, the nomination committee (where established) and the internal control functions are to be involved accordingly.117 Where the appointment occurs through the shareholders (at the main general meeting or a general meeting), then the results of the internal assessment of suitability should be made available to them. Furthermore, access is to be provided to the shareholders to the result and the most significant considerations of the internal Fit & Proper procedure (also to procedures with a negative outcome), to permit a review of individual and collective suitability to be conducted.

155. When drawing up and revising the policies for the assessment of suitability, the promotion and implementation of diversity in the management body may also be taken into account, unless a separate diversity policy has been implemented118. In so doing, gender, educational and professional background, age and origin are to be taken into account to ensure that there is a diverse range of opinions and experiences existing within the respective management

113 With regard to the requirements in relation to the AML officer, we refer to the FMA Circular on internal organisation for the prevention of money laundering and terrorist financing. Regarding the requirements regarding the MiFID Compliance Officer pursuant to Article 22 (3) lit. b of Delegated Regulation (EU) 2017/565 we refer to the WAG Organisational Circular - FMA Circular 01/2021, MNs 40 et seq.
114 How and when the credit institution’s assessment should occur and which (corrective) measures are to be taken, in the case that it emerges that a person does not have the necessary characteristics necessary for the positions in question, is defined in Title II of the F&P-GL (especially in paras. 24, 28, 32, 33, 37, 38) as well as Title VII of the F&P-GL. The criteria, based upon which the institutions are required like the supervisory authorities to assess the suitability of the potential executive directors or non-executive directors, can be found in Title III of the F&P-GL; the rules on diversity in Title V must also be taken into consideration.
115 Subject to the condition that executive directors/non-executive directors regularly attend training courses/seminars on relevant subject matters or participate in ongoing training measures, the institution’s internal reassessments of having the necessary fitness may remain restricted to specific cases in hand (material changes or events that in any case make such a re-assessment necessary).
116 Within group structures the consolidating institution should ensure that the group-wide policies on the assessment of suitability in all subsidiaries are observed pursuant to rules stipulated in Chapter 17 of the F&P-GL; in this case the remarks contained in the FMA Circular regarding the internal organisation for the prevention of money laundering and terrorist financing should be observed.
117 Cf. Chapter 14 of F&P-GL.
118 See also the disclosure requirements of the diversity strategy in Article 435 (2) CRR.

body119. Institutions of significant relevance as defined in Article 5 para. 4 BWG must state a quantitative target for participation of the under-represented gender, as well as a suitable timeframe for achieving this target. If the diversity target is not reached, then the institutions of significant relevance120 must document the reasons, measures and the time frame for implementing the diversity policy.

156. Together with a notification about the appointment/naming of an executive director, non-executive director or a head of an internal control function (Article 73 para. 1 no. 3, Article 28a para. 4 or Article 73 para. 1 no. 8, Article 73 para. 1 no. 11, Article 73 para. 1b no. 1, Article 73 para. 1b no. 2 BWG)121 the notifying institution shall submit to the FMA the confirmation that a positive assessment of suitability of the person in question has been conducted in accordance with the policies and procedures defined for the assessment of suitability of such persons (confirmation of the internal fitness and propriety assessment).122

157. Written policies and processes about the bank’s internal suitability assessment must be checked regularly for their up-to-dateness and updated as necessary, and submitted to the FMA upon request.

6.2 INVOLVEMENT OF THE NOMINATION COMMITTEE

158. The management body in its supervisory function must establish a nomination committee (Article 29 BWG) in credit institutions that are of “significant relevance” as defined in Article 5 para. 4 BWG123. When filling vacancies in the management body (no. 1) and in the management body in its supervisory function (no. 2) as well as on a periodic basis, this committee is required to conduct an assessment of the size, composition and performance of the management body in both its management and supervisory function, or where events indicate a reassessment to be necessary, and as applicable circulate proposed changes to the management body in its supervisory function (Article 29 no. 6 BWG)124. This shall also apply regarding the knowledge, skills and experience of the executive directors and individual non-executive directors as well as the respective body in collective form (Article 29 no. 7 BWG).

119 Cf. the rules in Title V of the F&P-GL as well as the diversity rules in the supervisory body in Recital 60 of CRD IV. The results of the benchmarking exercise of relevant entities, particularly the EBA Report on the Benchmarking of Diversity Practices (https://www.eba.europa.eu/documents/10180/1360107/EBA-Op-2016-10+%28Report+on+the+benchmarking+of+diversity+practices%29.pdf) serve as a guide.
120 See MN 109 for a definition of the term “significant relevance”.
121 With regard to the notification of the MiFID Compliance Officer in accordance with Article 22 (3) (b) of Delegated Regulation (EU) 2017/565 pursuant to Article 73 para. 1b No. 4 BWG, we refer to the FMA Circular 01/2021 - the WAG 2018 Organisational Circular; regarding the AML officer, please refer to the FMA Circular on internal organisation for the prevention of money laundering and terrorist financing.
122 In contrast to the confirmation of the assessment of suitability conducted internally in the bank, which should in any case be submitted, the documentation about the results of the bank's internal Fit & Proper assessment is only to be submitted to the FMA if officially requested.
123 See MN 109 for a definition of the term “significant relevance”.
124 See Guideline VII F&P-GL.

To do so, the nomination committee must have all necessary information at its disposal and cooperate with other committees and the internal control functions as need be.

159. The nomination committee must be involved in the drawing up of the bank’s internal Fit & Proper and training policies and processes, and the content of the training programmes agreed upon with the relevant business areas and internal control functions.

160. In credit institutions where a separate nomination committee has not been established, the entire supervisory body shall perform the duties and obligations described in Article 29 BWG, although the reviews listed in Article 29 nos. 6 and 7 BWG must only be conducted once every two years.125

161. During the suitability assessment, the institutions shall at least review the documents listed in Annex I. Furthermore, they shall also access different sources (certificates, letters of recommendation, meetings etc.) to review the information accordingly.

162. Institutions shall perform ongoing monitoring about the individual or collective suitability of the executive directors and non-executive directors (as well as their committees). Where a reassessment appears to be necessary126, the institution, under the lead of the nomination committee (or the supervisory body as a whole if such a committee is not established), shall conduct a comprehensive review (see para. 155 F&P-GL). Should the change however be necessary due to a specific event and where only parts of the suitability are affected, the review may be restricted to only focus on the relevant areas.

163. If a shortcoming is identified in the internal policies, processes or training plans during the course of a regular or ad hoc review, then the management body shall be informed and suitable measures identified. This also covers identified (potential) conflicts of interest as well as inadequate treatment in the policies for the handling of conflicts of interest.

164. Where such a review identifies that individual or collective suitability of the executive directors or the management body in its supervisory function no longer exists, suitable measures are to be taken (including the removal of the person in question, the appointment of a new member, changes in the staffing of committees) and the FMA informed without delay127.

6.3 DISCLOSURE IN RELATION TO INTERNAL GOVERNANCE

165. Credit institutions must state in a transparent and comprehensible form on their website, the manner and means by which they comply with the provisions of Article 5 para. 1 nos. 6 to 9a, Article 28a para. 5 nos. 1 to 5, Articles 29, 39b, 39c, Article 64 para. 1 nos. 18 and 19 BWG, and

125 Cf. para. 126 of the F&P-GL.
126 Cf. paras. 28, 32 and 38 of the F&P-GL.
127 See also the statements in Chapter 22 of the F&P-GL regarding corrective measures.

the Annex to Article 39b BWG (Article 65a BWG, “Disclosure concerning Corporate Governance and Remuneration”).

166. Furthermore, credit institutions are obliged in accordance with Article 435 (2) lits. a to e CRR, to disclose certain information regarding their internal governance arrangements, which is explicitly listed in the provisions listed (“governance rules”) and to update this at least once a year.

167. Subordinate credit institutions (as defined in Article 30 para. 1 nos. 1 to 7 BWG) included in the scope of consolidation in accordance with Article 18 CRR, and whose superordinate credit institution pursuant to Article 13 CRR observes disclosure obligations, are exempted at individual level from the disclosure obligations pursuant to Article 435 (2) CRR (cf. Article 6 (3) CRR). The exemption from disclosure obligations under Article 435 (2) CRR on an individual institution basis shall furthermore also apply for:

■ superordinate credit institutions that observe disclosure obligations on a consolidated basis (cf. Article 6 (3) CRR);
■ superordinate credit institutions, which are included in the scope of consolidation of an EU parent institution in accordance with Article 18 CRR, which comply with the disclosure obligations on a consolidated basis (Article 13 (1) first sentence CRR), as well as
■ credit institutions that belong to an affiliation of credit institutions in accordance with Article 30a BWG, provided that the central body complies with disclosure obligations on a consolidated basis (cf. Article 18 (4) in conjunction with Article 10 CRR in conjunction with Article 30a para. 6 BWG).

7 NOTIFICATION OBLIGATIONS

168. Annex 1 lists the documentation to be submitted in relation to notifications about changes in personnel (i.e. appointment/nomination for the first time) of the executive directors (Article 73 para. 1 no. 3 BWG128), the chairperson of the supervisory body (Article 28a para. 4 BWG) or a non-executive director (Article 73 para. 1 no. 8 BWG129), the head of the internal audit function (Article 73 para. 1 no. 11 BWG130), the head of the risk management department (Article 73 para. 1b no. 1 BWG) and the head of the compliance function (Article 73 para. 1b no. 2 BWG)131 via the Incoming Platform132.

169. Furthermore, any change of suitability conditions is to be notified and the necessary documentation duly supplied pursuant to Article 5 para. 1 nos. 6, 7, 9a, 10 and 13 BWG in the case of existing executive directors (Article 73 para. 1 no. 2 BWG), pursuant to Article 28a paras. 3 and 5 BWG in the case of existing non-executive directors (Article 73 para. 1 no. 8 BWG), pursuant to Article 42 paras. 1 and 2 BWG in the case of existing heads of the internal audit function, pursuant to Article 39 para. 5 BWG in the case of existing heads of the risk management department and pursuant to Article 39 para. 6 no. 3 BWG in the case of existing heads of the BWG compliance function.133

170. Heads of risk management departments and heads of the internal audit function, who were appointed on or after 01.09.2018134 are required to be notified to the FMA, with persons already appointed prior to that date not being required to be notified to the FMA135.

171. Point m subpoint aa in the Annex lists the documentation to be submitted by (mixed) financial holding companies to the FMA together with a notification pursuant to Article 73 para. 1a nos. 1 and 2 BWG about the (initial) appointment of an executive director or a non-executive director via the Incoming Platform.

172. Article 5 para. 1 nos. 10 to 12 BWG stipulate specific requirements for the management body in its management function. At least one executive director is required to have the centre of

128 Article 151 no. 3 InvFG 2011 applies for investment fund management companies (KAGs); Article 8 para. 1 AIFMG applies for alternative investment fund managers (AIFMs).
129 Article 151 no. 3a InvFG 2011 applies for KAGs.
130 Article 151 no. 9 InvFG 2011 applies for KAGs.
131 With regard to the notification of the MiFID Compliance Officer in accordance with Article 22 (3) (b) of Delegated Regulation (EU) 2017/565 we refer to the FMA Circular 01/2021 - the WAG 2018 Organisational Circular; regarding the AML officer, please refer to the FMA Circular on internal organisation for the prevention of money laundering and terrorist financing.
132 The obligation to make a notification with regard to a reappointment of the same person as an executive director, as a non-executive director or the chairperson of the supervisory board, was repealed in the amendment published in Federal Law Gazette I 59/2014 (however, see MN 171).
133 “Change in conditions” in this context means any change in circumstances that leads to the (suitability) requirements that had previously been satisfied no longer being fully complied with, with the result that suitability no longer exists.
134 Pursuant to Article 107 para. 99 BWG the new notification provisions in Article 73 para. 1 no. 11 BWG and Article 73 para. 1b no. 1 BWG entered into force on 01.09.2018.
135 The (Fit & Proper) suitability of persons must however exist for the entire duration of their appointment and shall be ensured by the institutions.

their vital interests in Austria, at least one executive director must possess a mastery of the German language, and the management body in its management function must consist of at least two members. A notification obligation by institutions towards the FMA results from the provisions of Article 5 para. 1 no. 10 to 12 BWG in conjunction with Article 73 para. 1 nos. 2 to 3 BWG in the case of the removal or withdrawal of executive directors for other reasons.136

173. Article 28a para. 3 BWG stipulates specific requirements for the chairperson of the management body in its supervisory function. Article 28a para. 4 BWG is to be interpreted in such a way that institutions are required to notify the FMA in the event of the removal of the chairperson of the management body in its supervisory function or their standing down for another reason to guarantee that a credit institution has a suitable chairperson of the management body in its supervisory function at all times.

174. The removal of members of the management body in its supervisory function or their standing down for another reason (apart from the chairperson of the management body in its supervisory function) as well as the Heads of the Internal Audit Function, the BWG Compliance Function and the Risk Management Function are not required to be notified.

8 FIT & PROPER TESTS

175. If an executive director or a chairperson of the management body in its supervisory function of a credit institution is notified for the first time to the FMA, then as a rule as part of the Fit & Proper assessment they shall be required to pass a Fit & Proper test.

176. A Fit & Proper test may be waived, where the legal assumption in Article 5 para. 1 no. 8 final sentence applies (proof of at least three years’ activity in an undertaking of a comparable size and type of business, cf. MN 47). In the case of credit institutions with total assets of less than EUR 1 billion, it is possible to waive the need for a Fit & Proper Test, if the executive director or the chairperson of the management body in its supervisory function is able to prove job-specific training.

177. Non-executive directors and Heads of the Internal Audit Function under Article 42 BWG, the Risk Management Department under Article 39 para. 5 BWG and the BWG compliance function in accordance with Article 39 para. 6 BWG (heads of internal control functions) shall be invited to a Fit & Proper Test on an ad hoc basis after the initial notification, if, for example,

136 Since comparable requirements are not defined for the chairperson of the management body in its supervisory function or for simple non-executive directors, there is generally no requirement to notify a removal or withdrawal of such officers. On the other hand, there is an obligation to notify about non-executive directors pursuant to Article 73 para. 1 no. 8 BWG (in particular in the case of the reappointment of members; changes in requirements in the case of members who have already been appointed, with such a change also existing where there is a change in the holder of the position of the chairperson of the management body in its supervisory function).

Fit & Proper Circular Version: March 2023 58 / 62 doubts arise about their technical suitability from the documentation submitted during the notification process. 137 178. Since the suitability requirements stated in this circular are expected to be met at all times by the persons in question during their ongoing period of office, all executive directors, chairpersons of the management body in its supervisory function, non-executive directors and heads of internal control functions may be invited to a Fit & Proper Test by the FMA at any time, especially where doubts arise about whether suitability requirements are met. 179. The invitation to the Fit & Proper Test is sent out in writing as a rule at least six weeks prior to the scheduled test appointment. The invitation shall contain information about which FMA divisions (e.g. the competent division in Department I - Banking Supervision, the division for the Prevention of Money Laundering & Terrorist Financing, the division for Integrated Conduct Supervision of Banks, the Division for Prudential Supervision Asset Management, Prospectuses, and Consumer Information) will be present at the Fit & Proper Test. 180. In the case of Fit & Proper Tests held for executive directors, chairperson of the management body in its supervisory function and non-executive directors, the test is preceded by an informal meeting for example about the strategic plans (or current developments in the case of existing bodies) or the person in question’s objectives for their respective term of office. During the subsequent oral Fit & Proper Test, responses must be given orally. The composition and thematic focus of the questions in the test occurs on an individual basis (e.g. 
in relation to an executive director’s competence, membership of a committee in the management body in its supervisory function or the area of competence of the head of an internal control function) and in accordance with the principle of proportionality, so that the nature, scale and complexity of the activities, as well as the risk structure of the institution in which the function as executive director is to be performed, are duly considered. General questions are asked in relation to specific areas as a way of checking necessary knowledge in a targeted manner (see MNs 48 and 49 for executive directors, chairpersons of the management body in its supervisory function and non-executive directors, and MNs 141, 145 and 146 for the heads of internal control functions). The result of the Fit & Proper Test will be communicated orally to the body being tested at the end of the test. 181. Where a Fit & Proper Test is failed, there is the possibility to repeat the test. The invitation to attend such a test shall be made at least two weeks prior to the planned assessment. If a Fit & Proper Test is failed for a second time, then the necessary knowledge requirement shall be deemed to not be met. In this case, the FMA disposes of supervisory measures (in particular under Article 70 para. 4b BWG). 137 Any Fit & Proper tests conducted in relation to MiFID Compliance Officers and AML Officers will be conducted in accordance with the provisions of the respective material laws and FMA Circulars (cf. Footnote 131)

ANNEX 1 - NECESSARY DOCUMENTATION

Notifications about personnel changes of the executive directors (Article 73 para. 1 no. 3 BWG), the chairperson of the management body in its supervisory function (Article 28a para. 4 BWG), of a non-executive director (Article 73 para. 1 no. 8 BWG) or head of an internal control function (Article 73 para. 1 no. 11, para. 1b nos. 1 and 2 BWG)138 of credit institutions or (mixed) financial holding companies must include the following information / documentation (cf. the corresponding information on the Incoming Platform)139:

a. Forename and surname of the person to be appointed
b. Date of birth
c. Place of birth
d. Copy of passport / personal identity card
e. Police registration form
f. Position (executive director, non-executive director (or chairperson of the management body in its supervisory function) or the head of an internal control function)
g. Allocation of portfolios/organisation chart
h. Decision-making body passing the resolution about the appointment/election/secondment and date of the resolution
i. Minutes containing the passed resolution
j. Date on which the position was taken up
k. Curriculum vitae stating necessary knowledge and experience in accordance with legal regulations, especially:
   aa) nationality;
   bb) a detailed description of general and professional education including successfully completed training;
   cc) professional experience including details about all organisations for which the person was active, as well as the type and duration for which duties were performed, taking into particular consideration activities that fall within the remit of the position to be filled. In the case of positions, which the person has held within the last 10 years, when describing activities, the person should also include information about the powers conferred upon them, about internal decision-making powers and the business units they controlled, including the number of employees in the business unit. In the event that voluntary activities were assumed, such as representing the management body, then this should also be mentioned in the curriculum vitae.
l. if available, references (including contact details) from their previous and current working environment (e.g. from previous employers);
m. a sworn declaration from the person in question and a confirmation from the institution, that the person concerned fulfils the requirements140, in particular:
   aa) no reason for exclusion exists as defined in Article 13 paras. 1 to 3, 5 and 6 GewO 1994 as amended;
   bb) orderly financial circumstances exist;
   cc) no facts exist, from which doubt emerges regarding personal propriety, honesty and independence of mind required for conducting banking business;
   dd) no bankruptcy proceedings have been opened against the assets of the person in question or another legal entity other than a natural person, upon the business activities of which the person in question has or has had a decisive influence, unless a reorganisation plan was agreed upon and fulfilled in the bankruptcy proceedings, and no comparable situations have arisen in a foreign country;
   ee) neither financial (e.g. loans or share holdings) nor non-financial interests or relationships (e.g. close relationships as defined in Article 72 of the Austrian Criminal Code (StGB; Strafgesetzbuch) to members of the management body, the supervisory body or to key function holders of the institution making the notification) exist that compromise the prudent and orderly performance of the management function or supervisory function and may place the necessary financial solidity, economic independence and personal repute in doubt (in the event that this declaration cannot be made without such reservations, specific information must be given about the nature of existing financial and non-financial interests or relationships);
   ff) in the case of the chairperson of the supervisory board and their deputies: that they were not appointed as an executive director of the same entity within the last two years prior to their election as the chairperson or deputy chairperson of the supervisory board of the institution making the notification;
n. Information about the expected time commitment for the position in question and confirmation that adequate time resources are available and used, in order to perform the duties associated with the management body in its management or supervisory function in the institution making the notification in an orderly manner and with the required degree of prudence;
   Credit institutions of significant relevance (in addition):
   aa) Disclosure of all duties currently performed by the person in question in a managerial position and/or as member of a supervisory board (in the form of an organigram); and
   bb) where applicable a plausible justification explaining why a "privilege" and/or an exemption is necessary or where “grandfathering” exists;
o. Information about the role of the member in question in the collective suitability of the respective body, in particular details of the contribution of the person in question to the fulfilment of collective suitability;
p. In the case of persons who are not Austrian citizens: Confirmation from the banking supervisor of their home country and/or (subsidiary) of another country, in which the person in question was or has already been active within the financial sector about the lack of grounds for exclusion listed under point m.aa. (where such a confirmation cannot be obtained, then the relevant person must provide evidence to confirm that reasons for exclusion do not exist, and must in any case supply such a declaration);
q. A current extract of a judicial record no more than three months old (in the case of foreign citizens, whose permanent residence is not in Austria, a relevant document from their home country or a confirmation from the home country that comparable documents are not issued must be provided) and a declaration about whether criminal proceedings are currently pending;
r. Confirmation that a review has been conducted regarding individual and collective suitability: Confirmation by the credit institution making the notification that a positive (internal) review was conducted about the suitability in accordance with the credit institution’s specific internal policies and procedures for assessing the suitability of such persons (= confirmation of the bank’s internal fit and proper test);
s. In the case of executive directors, a breakdown of all current professional activities both within and outside the financial sector (banking, insurance undertakings, Pensionskassen, payment institutions, e-money institutions, investment firms and investment service providers) – and where applicable the respective time commitment (calculated per week or at least per month as appropriate);
t. In the event of the removal of an executive director: the reason for the removal and a declaration about the continuing presence of two executive directors;
u. Since at least one of the executive directors must have a command of the German language, the relevant proof of language skills must be provided in the event of only non-Austrian citizens having been appointed as executive directors;
v. In the case of the heads of internal control functions where they will perform and hold another position (e.g. as head of another internal control function), then an explanation is to be included why any combination of functions may be considered appropriate regarding any conflicts of interest or adequate resources for the performance of duties.

138 The documents listed in nos. a to k.cc, m.aa. to m.ee, q, r and v are to be submitted with the notification for heads of internal control functions.
139 Significant credit institutions (SIs) are required to submit Fit and Proper notifications about any change in person of the executive director, the chairperson of the supervisory board, a member of the supervisory board or the head of an internal control function via the ECB’s IMAS portal in accordance with the applicable rules contained in the ECB Guide to fit and proper assessments (version from December 2021), attaching the documents listed therein.
140 In the case of executive directors: conditions set out in Article 5 para. 1 nos. 6 to 11 and 13 BWG (as well as Article 41 para. 2 InvFG 2011 in the case of a custodian bank); in the case of the chairperson of the management body in its supervisory function: the conditions set out in Article 28a para. 1, para. 3 nos. 1, 2, 4 and para. 5 no. 5 BWG; in the case of non-executive directors: the conditions set out in Article 28a para. 5 nos. 1, 2, 4 and 5 BWG; in the case of independent non-executive directors: the conditions set out in Article 28a para. 5B BWG; in the case of further independent non-executive directors: a justification pursuant to Article 28a para. 5C BWG; in the case of Heads of the Risk Management Department: the conditions set out in Article 39 para. 5 in conjunction with Article 5 para. 1 nos. 6 and 7 BWG; in the case of heads of the compliance function: the conditions set out in Article 39 para. 6 no. 3 in conjunction with Article 5 para. 1 nos. 6 and 7 BWG; in the case of heads of the internal audit function: the conditions set out in Article 42 paras. 1 and 2 in conjunction with Article 5 para. 1 nos. 6 and 7 BWG.
