2024-01-01
The Registrar of Financial Institutions mandates the Standardized Measurement Approach for calculating operational risk capital charges across all banks and bank holding companies. This framework requires institutions to compute a Business Indicator and an Internal Loss Multiplier based on three-year income averages and ten-year historical loss data, applying tiered marginal coefficients to determine minimum capital requirements. Banks must maintain high-quality internal loss datasets, submit monthly prudential returns and quarterly Business Indicator disclosures, and obtain regulatory approval for specific data exclusions or interim multipliers during implementation.
REGISTRAR OF FINANCIAL INSTITUTIONS
OPERATIONAL RISK GUIDELINES BANK SUPERVISION DEPARTMENT DECEMBER 2024
PART I - PRELIMINARY
“Date of Discovery” refers to the date the bank became aware of the event.
“Date of occurrence” refers to the date when the event happened or first began.
“Counterparty” refers to the name of the subject involved in the operational risk event.
“Event Types” refers to a description of what happened.
“Linked Event” refers to a single event which impacts more than one business line.
“Marginal Coefficient” refers to a constant determined by the Registrar as a proxy for the industry-wide relationship between the operational risk loss experience and the aggregate level of gross income for the business.
“Operational risk” refers to the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk [1] but excludes strategic and reputational risks.
“Standardized Measurement Approach” refers to a methodology of assessing operational risk proposed by the Basel Committee on Banking Supervision in 2016 as a replacement for all existing approaches including internal models.

[1] Legal risk includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions as well as private settlements.

PART II - MEASUREMENT APPROACH TO OPERATIONAL RISK

6. MEASUREMENT FRAMEWORK

6.1 All banks shall employ the Standardized Measurement Approach (SMA) for the measurement of a bank’s exposure to operational risk.

6.2 The SMA methodology is based on three components:
a) The Business Indicator (BI), which is a financial statement-based proxy for operational risk;
b) The Business Indicator Component (BIC), which is calculated by multiplying the BI by a set of regulatory determined marginal coefficients (αi); and
c) The Internal Loss Multiplier (ILM), which is a scaling factor that is based on a bank’s average historical losses and the BIC.
The guiding principles for collection of historical loss data are summarized in Appendix I.

6.3 The Business Indicator (BI) is a measure of a bank’s income and is the sum of the interest, leases and dividend component (ILDC), the services component (SC), and the financial component (FC), computed as an average over the past three years. This is summarized as follows:

BI = ILDC + SC + FC

Where:
a) ILDC is computed as the sum of dividend income and the lower of either net interest income in absolute terms or 2.25 percent of interest earning assets;
b) SC is computed as the sum of the higher of either fee income or fee expense and the higher of either other operating income or other operating expense; and
c) FC is computed as the sum of the absolute value of net profit in the Trading book and net profit in the Banking book.

The Business Indicator elements are further defined in Appendix II. In the formula for the computation of the BI elements below, the bar above a term indicates that it is calculated as an average over three years: t, t-1 and t-2. The absolute value of net items (e.g., interest income – interest expense) should first be calculated year by year, after which the average of the three years is computed.

ILDC = Min [Abs (Interest Income - Interest Expense); 2.25% Interest Earning Assets [2]] + Dividend Income

SC = Max [Other Operating Income; Other Operating Expense] + Max [Fee Income; Fee Expense]

FC = Abs (Net P&L Trading Book) + Abs (Net P&L Banking Book)

[2] The interest-earning assets (balance sheet item) are the total gross outstanding loans, advances, interest bearing securities, bank placements and lease assets measured at the end of each financial year.

6.4 To calculate the BIC, the BI is multiplied by the marginal coefficient (αi).

6.5 A bank shall apply a marginal coefficient that corresponds to its BI range as per the Table below:
Bucket   BI range (in MWK billion)   BI marginal coefficients (αi)
1        ≤ 150                       12%
2        150 < BI ≤ 500              15%
3        > 500                       18%

6.6 The Internal Loss Multiplier. A bank’s internal operational loss experience is introduced into the standardized approach through the Internal Loss Multiplier (ILM). The ILM is a function of the BIC and the loss component. The ILM is calculated as:

Where:
a) Loss component (LC) = 15 x average annual operational risk losses incurred over the previous 10 years.
b) Note that the ILM is equal to one (1) where the loss and business indicator components are equal. Where the LC is greater than the BIC, the ILM is greater than one. The implication is that a bank with losses that are high relative to its BIC is required to hold higher capital due to the incorporation of internal losses into the calculation methodology. Conversely, where the LC is lower than the BIC, the ILM is less than one. That is, a bank with losses that are low relative to its BIC is required to hold lower capital.

6.7 Banks are required to use internally generated loss data calculations for regulatory capital computation purposes based on a 10-year observation period. However, at initial implementation, banks with high-quality loss data for a minimum five-year observation period shall obtain the Registrar’s approval to use this data for purposes of computation of the operational risk capital charge.

6.8 All banks are expected to build high quality loss data based on the qualitative requirements for loss data collection as prescribed in Appendix I.

6.9 Banks whose data does not meet the aforementioned data requirements shall apply to the Registrar for approval to use an ILM of one (1) for a period of five (5) years. Thereafter, banks shall use their internal loss data for the computation of the operational risk capital charge; thus banks shall be required to build high quality data in the approved period.

6.10 Banks shall submit their historical internal loss data to the Registrar in the format prescribed in Schedule I on a monthly basis. The historical loss data shall be submitted through prudential returns.

7. CALCULATION OF OPERATIONAL RISK CAPITAL CHARGE

7.1 The minimum Operational Risk Capital (ORC) is calculated by multiplying the BIC and the ILM.

ORC = BIC × ILM

7.2 The ORC is translated into a risk weighted equivalent using the reciprocal of the regulatory minimum Tier I capital adequacy ratio for banks.

8. DISCLOSURE REQUIREMENTS

8.1 Banks shall be required to disclose their annual loss data for the years of the ILM calculation window. Loss data is required to be reported both on a gross basis and after recoveries and loss exclusions as prescribed in Schedule I.

8.2 Banks shall be required to disclose each of the BI sub-items for each of the three (3) years of the BI component calculation window as prescribed in Schedule II.
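The calculation in clauses 6.3 to 7.1, as an added worked example in Python that is not part of the Guidelines. It assumes the three-year averages are taken per item before the Min/Max, and that the coefficients in 6.5 are applied marginally per bucket as in the Basel SMA; the ILM is taken as an input (default one, per 6.9) rather than computed, and the class, function names and sample figures are constructed.

```python
from dataclasses import dataclass
from statistics import mean

# Clause 6.5 buckets: (upper bound in MWK billion, marginal coefficient).
BUCKETS = ((150.0, 0.12), (500.0, 0.15), (float("inf"), 0.18))
IEA_CAP = 0.0225  # clause 6.3 a): 2.25 percent of interest earning assets


@dataclass(frozen=True)
class YearItems:
    """One financial year of Schedule II line items, in MWK billion."""
    interest_income: float
    interest_expense: float
    interest_earning_assets: float
    dividend_income: float
    fee_income: float
    fee_expense: float
    other_operating_income: float
    other_operating_expense: float
    net_pl_trading_book: float
    net_pl_banking_book: float


def business_indicator(years):
    """Return ILDC, SC, FC and BI for the three years t, t-1 and t-2."""
    if len(years) != 3:
        raise ValueError("the BI window is exactly three years")

    def avg(item):
        return mean(item(y) for y in years)

    # Net items: absolute value year by year, then the three-year average.
    net_interest = avg(lambda y: abs(y.interest_income - y.interest_expense))
    cap = IEA_CAP * avg(lambda y: y.interest_earning_assets)
    ildc = min(net_interest, cap) + avg(lambda y: y.dividend_income)
    sc = (max(avg(lambda y: y.other_operating_income),
              avg(lambda y: y.other_operating_expense))
          + max(avg(lambda y: y.fee_income), avg(lambda y: y.fee_expense)))
    fc = (avg(lambda y: abs(y.net_pl_trading_book))
          + avg(lambda y: abs(y.net_pl_banking_book)))
    return {"ILDC": ildc, "SC": sc, "FC": fc, "BI": ildc + sc + fc}


def business_indicator_component(bi):
    """BIC with each coefficient applied to the slice of BI in its bucket
    (assumption: marginal application, as in the Basel SMA)."""
    if bi < 0:
        raise ValueError("BI cannot be negative")
    bic, lower = 0.0, 0.0
    for upper, alpha in BUCKETS:
        if bi > lower:
            bic += alpha * (min(bi, upper) - lower)
        lower = upper
    return bic


def loss_component(annual_net_losses):
    """Clause 6.6 a): LC = 15 x average annual loss over the 10-year window."""
    if len(annual_net_losses) != 10:
        raise ValueError("the loss window is exactly ten years")
    return 15 * mean(annual_net_losses)


def ilm_direction(lc, bic):
    """Clause 6.6 b): where the ILM sits relative to one, without the formula."""
    if lc > bic:
        return "ILM > 1"
    return "ILM = 1" if lc == bic else "ILM < 1"


def operational_risk_capital(bic, ilm=1.0):
    """Clause 7.1: ORC = BIC x ILM; ILM defaults to one (clause 6.9)."""
    if ilm <= 0:
        raise ValueError("ILM must be positive")
    return bic * ilm


# Constructed sample figures in MWK billion, oldest year first.
SAMPLE_YEARS = [
    YearItems(180, 70, 4000, 5, 60, 20, 10, 15, 8, -3),
    YearItems(200, 80, 4400, 6, 66, 22, 12, 14, -12, 4),
    YearItems(220, 90, 4800, 7, 72, 24, 14, 16, 10, 5),
]
SAMPLE_LOSSES = [1.2, 0.8, 2.0, 1.5, 0.9, 1.1, 3.0, 0.7, 1.3, 1.5]

if __name__ == "__main__":
    parts = business_indicator(SAMPLE_YEARS)
    bic = business_indicator_component(parts["BI"])
    lc = loss_component(SAMPLE_LOSSES)
    print(parts, bic, lc, ilm_direction(lc, bic),
          operational_risk_capital(bic))
```

In the sample, the trading book nets to 8, -12 and 10, so averaging the absolute values gives 10 where averaging the signed values would give 2; the order of operations in 6.3 changes the capital figure.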
APPENDIX I

9. A. Minimum standards for the collection of Loss Data

A.1 Banks shall build an acceptable loss data set from the available internal data, which should at least include gross loss, reference date and grouped losses in accordance with these guidelines. Banks’ internal policies and procedures shall at minimum be aligned to these guidelines.

A.2 For purposes of (A.1) above, Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after considering the impact of recoveries. The Recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party or perpetrators of fraud.

A.3 Banks must be able to identify the gross loss amounts, non-insurance recoveries and insurance recoveries for all operational loss events.

A.4 Banks should use losses net of recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be used to reduce losses only after the bank receives payment. Receivables do not count as recoveries. Verification of payments received to net losses must be provided to the Registrar upon request.

A.5 The following items must be included in the gross loss computation of the loss data set:
(i) Direct charges, including impairments and settlements, to the bank’s P&L accounts and write-downs due to the operational risk event;
(ii) Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event (e.g. legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement incurred to restore the position that was prevailing before the operational risk event;
(iii) Provisions or reserves accounted for in the P&L against the potential operational loss impact;
(iv) Losses stemming from operational risk events with a definitive financial impact, which are temporarily booked in transitory and/or suspense accounts and are not yet reflected in the P&L (pending losses) [3];
(v) Material pending losses should be included in the loss data set within a time period commensurate with the size and age of the pending item; and
(vi) Negative economic impacts booked in a financial accounting period, due to operational risk events impacting the cash flows or financial statements of previous financial accounting periods (timing losses [4]). Material “timing losses” should be included in the loss data set when they are due to operational risk events that span more than one financial accounting period and give rise to legal risk.

[3] For instance, the impact of some events (e.g. legal events, damage to physical assets) may be known and clearly identifiable before these events are recognized through the establishment of a reserve. Moreover, the way this reserve is established (e.g. the date of discovery) can vary across banks.

[4] Timing losses typically relate to occurrences of operational risk that result in the temporary distortion of an institution’s financial statements (e.g. revenue overstatement, accounting errors and mark-to-market errors). While these events do not represent a true financial impact on the institution (net impact over time is zero), if the error continues across more than one financial accounting period, it may represent a material misrepresentation of the institution’s financial statements.

A.6 The following items should be excluded from the gross loss computation of the loss data set:
a) Costs of general maintenance contracts on property, plant or equipment;
b) Internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and
c) Insurance premiums.

A.7 Banks shall use the accounting date for building the loss data set. The bank shall use a date no later than the accounting date for including losses related to legal events in the loss data set. For legal loss events, the accounting date is the date when a legal reserve is established for the probable estimated loss in the P&L.

A.8 Losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, should be allocated to the corresponding years of the loss database, in line with their accounting treatment.

10. B. Exclusion of losses from the Loss Component

B.1 A bank may seek the Registrar’s approval to exclude certain operational loss events that are no longer relevant to the bank’s risk profile. However, the exclusion of the loss event must be supported by strong justification, and the bank must assess whether the cause of the loss event will occur in other areas of the bank’s operations.

B.2 The total loss amount and number of exclusions must be disclosed according to Schedule I (in Appendix II) with appropriate narratives.

B.3 Losses can only be excluded after being included in the bank’s operational risk loss dataset for a minimum period of three (3) years. Losses related to divested activities will not be subject to a minimum operational risk loss dataset retention period.

11. C. Exclusions of divested activities from the Business Indicator

C.1 Banks shall request the Registrar’s approval to exclude divested activities from the calculation of the BI. Such exclusions must be disclosed as per Schedule II (Appendix II).

12. D. Inclusion of losses and BI items related to mergers and acquisitions

D.1 Losses and the measurement of the BI must include losses and BI items that result from acquisitions of relevant business and mergers.

13. E. Minimum standards for the use of loss data

The general criteria for the use of the LC are as follows:

E.1 Internal loss data must be linked to a bank’s current business activities, technological processes and risk management procedures.

E.2 Banks must have clearly documented procedures and processes for the identification, collection and treatment of internal loss data. Such procedures and processes must be subject to validation before the use of the loss data within the operational risk capital requirement measurement methodology and to regular independent reviews by internal and/or external audit functions.

E.3 Banks shall map their historical internal loss data into the relevant categories as shown in the detailed loss event type classification in Appendix III, business line classification in Appendix IV and detailed categorization of alleged cause in Appendix V. The bank must document criteria for allocating losses to the specified event types.

E.4 A bank’s internal loss data must be comprehensive and capture all material activities and exposures of the bank. All loss events must be reported. However, losses below K500,000.00 shall be reported on an aggregate basis.

E.5 Banks must collect information about the reference dates of operational risk events, including the date when the event happened or first began (date of occurrence), where available; the date on which the bank became aware of the event (date of discovery); and the date (or dates) when a loss event results in a loss, reserve or provision against a loss being recognized in the bank’s profit and loss (P&L) accounts (date of accounting).

E.6 Banks must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event. The level of detail of any descriptive information should be commensurate with the size of the gross loss amount.

E.7 Operational loss events that relate to credit risk and are accounted for in credit RWAs should not be included in the loss data set. Operational loss events that relate to credit risk but are not accounted for in credit RWAs should be included in the loss data set.

E.8 Operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital and will therefore be subject to the standardized approach for operational risk.

E.9 Banks must have processes to independently review the comprehensiveness and accuracy of loss data.
Appendix II: Definition of Business Indicator Elements

14. Table 1: Interest, Lease and Dividends

Columns: P&L or balance sheet items; Description; Typical Sub-Items

Interest income: Interest income from all financial assets and other interest income (includes interest income from financial and operating leases and profits from leased assets)

sheet item) and lease assets measured at the end of each financial year

Dividend income: Dividend income from investments in stocks and funds not consolidated in the bank’s financial statements, including dividend income from non-consolidated subsidiaries, associates and joint ventures

15. Table 2: Services

Columns: P&L or balance sheet items; Description; Typical sub-items

Fee and commission income: Income received from providing advice and services. Includes income received by the bank as an outsourcer of financial services. Typical sub-items: Fee and commission income from:

Fee and commission expenses: Expenses paid for receiving advice and services. Includes outsourcing fees paid by the bank for the supply of financial services, but not outsourcing fees paid for the supply of nonfinancial services (e.g. logistical, IT, human resources)

Other operating expenses: Expenses and losses from ordinary banking operations not included in other BI items but of similar nature and from operational loss events (expenses from operating leases should be excluded)

Net profit (loss) on the banking book:
1. Net profit/loss on financial assets and liabilities measured at fair value through profit and loss;
2. Realized gains/losses on financial assets and liabilities not measured at fair value through profit and loss (loans and advances, assets available for sale, assets held to maturity, financial liabilities measured at amortized cost);
3. Net profit/loss from hedge accounting; and
4. Net profit/loss from exchange differences

Note: Please note that the following items do not contribute to any of the items of the BI:
(i) Income and expenses from insurance or reinsurance businesses;
(ii) Premiums paid and reimbursements/payments received from insurance or reinsurance policies purchased;
(iii) Administrative expenses, including staff expenses, outsourcing fees paid for the supply of nonfinancial services (e.g. logistical, IT, human resources) and other administrative expenses (e.g. IT, utilities, telephone, travel, office supplies, postage);
(iv) Recovery of administrative expenses including recovery of payments on behalf of customers (e.g. taxes debited to customers);
(v) Expenses of premises and fixed assets (except when these expenses result from operational loss events);
(vi) Depreciation/amortization of tangible and intangible assets (except depreciation related to operating lease assets, which should be included in financial and operating lease expenses);
(vii) Provisions/reversal of provisions (e.g. on pensions, commitments and guarantees given) except for provisions related to operational loss events;
(viii) Expenses due to share capital repayable on demand;
(ix) Impairment/reversal of impairment (e.g. on financial assets, non-financial assets, investments in subsidiaries, joint ventures and associates);
(x) Changes in goodwill recognized in profit or loss; and
(xi) Corporate income tax (tax based on profits including current tax and deferred).

17. Schedule I: Template for quarterly reporting of historical internal loss data
Columns: Period (years); T; T-1; T-2; T-3; T-4; T-5; T-6; T-7; T-8; T-9; 10 years Average

Using MWK500,000.00 as minimum threshold:
• Gross loss
• Total amount of recovered operational losses
• Total amount of Operational losses net of recoveries
• Total amount of excluded Operational risk losses
• Total number of excluded Operational risk losses
• Total amount of Operational losses net of recoveries and net of excluded losses

Note:
(i) Banks must describe large losses from Operational risk, their context and management;
(ii) If recoveries are material, banks should make additional disclosures regarding recoveries, including their amounts; and
(iii) Banks should disclose other material information that would help inform the Registrar as to its historical losses.

18. Schedule II: Template for quarterly submission of BI and required disclosure

Columns: BI and its subcomponents; Year T-2; Year T-1; Year T

1 Interest, lease and dividend component
   Interest and lease income
   Interest and lease expense
   Interest earning assets (2.25 percent)
   Dividend income
2 Services component
   Fee and commission income
   Fee and commission expense
   Other operating income
   Other operating expense
3 Financial component
   Net P&L on the trading book
   Net P&L on the banking book
4 BI
5 Business indicator component (BIC)

Disclosure of BI divested activities
6 BI Gross of excluded divested activities
7 Reduction in BI due to excluded divested activities
Appendix III: Detailed Loss Event Type Classification

Columns: Event-Type Category (Level 1); Definition; Categories (Level 2); Categories (Level 3)

Internal Fraud
Definition: Losses due to acts intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party. Includes “for profit” and “not for profit”.

Unauthorized Activities
• Exceeding authority when entering into a transaction or approving a transaction
• Transactions not reported (intentional)
• Intentional Mismarking of position
• Rogue Trading

Internal Theft and Fraud
• Theft by a member of staff of Intellectual Property or Tangible Assets
• Fraud / credit fraud / worthless deposits
• Theft / extortion / embezzlement / robbery
• Misappropriation of assets
• Malicious destruction of assets
• Forgery
• Check kiting
• Smuggling
• Account take-over / impersonation / etc.
• Tax non-compliance / evasion (willful)
• Bribes / kickbacks
• Insider trading (not on bank’s account)

System Security Internal – Willful Damage
• Intentional damage to systems (hardware or software) by internal staff due to actions carried out or not carried out
• Theft of data (includes malicious damage / system security - willful damage internal)

External Fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party. Includes “for profit” and “not for profit”.

Theft and Fraud
• Theft / Robbery
• Forgery
• Check kiting

System Security
• Hacking damage
• Theft of information (with monetary loss)
This includes hardware and software and malicious damage or system security – willful damage external.

Employment Practices and Workplace Safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.

Employee Relation
• Operational loss arising from compensation issues
• Operational loss arising from benefit issues
• Operational loss arising from termination issues
• Operational loss arising from organized labor activity

Safe Environment
• General liability (slips and fall, etc.)
• Employee health & safety rules events
• Workers compensation

Diversity and Discrimination
• All Discrimination types

Clients, Products & Business Practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Suitability, Disclosure & Fiduciary
• Fiduciary breaches / guideline violations
• Suitability / disclosure issues (KYC, etc.)
• Retail customer disclosure violations
• Breach of privacy
• Aggressive sales / Mis-selling
• Account churning
• Misuse of confidential information
• Lender liability

Improper Business or Market Practices
• Antitrust
• Improper trade / market practices
• Market manipulation
• Insider trading (on bank’s account)
• Unlicensed activity
• Money laundering / Countering the financing of terrorism and proliferation financing (AML/CFT/PF)
• Vendors / Suppliers
• Infringement of Intellectual Property or License Agreements e.g. software

Product Flaws
• Product defects (unauthorized, etc.)
• Model errors

Selection, Sponsorship & Exposure
• Failure to investigate client per guidelines
• Exceeding client exposure limits

Advisory Activities
• Disputes over performance of advisory activities

Natural Disasters and Public Safety or Damage to Physical Assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events.

Natural Disasters and other events
• Earthquakes
• Storms
• Acts of God

Accidents and public safety
• Slip and fall by a member of the public
• Pollution by the bank

Willful Damage and Terrorism
• Vandalism
• Terrorism
• Certain Criminal Activities not covered elsewhere
• War
• Civil Disturbance or Riot

Technology and Infrastructure Failure or Business disruption and system failures
Definition: Losses arising from disruption of business or system failures.

Technology and Infrastructure Failure
• Hardware
• Software
• Telecommunications
• Utility outage / disruptions – power, water

Execution, Delivery & Process Management
Definition: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

Transaction Capture, Execution & Maintenance
• Miscommunication
• Data entry, maintenance or loading error
• Missed deadline or responsibility
• Model / system incorrect operation
• Accounting error / entity attribution error
• Other task bad or improper performance
• Delivery failure
• Collateral management failure
• Reference Data Maintenance

Monitoring and Reporting
• Failed mandatory reporting obligation
• Inaccurate external report (loss or fine incurred) e.g. quarterly filings

Customer Intake and Documentation
• Client permissions / disclaimers missing
• Legal documents missing / incomplete / not “fit for purpose” / inadequately executed

Customer/Client Account Management
• Unapproved access given to accounts
• Incorrect client records (loss incurred)
• Negligent loss or damage of client assets
Appendix IV: Detailed Loss Business Line Classification

Columns: Business Unit; Business Line (Level 1); Business Line (Level 2); Descriptions

Investment Banking

Corporate Finance
• Corporate Finance: Non-Municipal/Government Clients - Underwriting, Privatizations, Securitizations, Debt (Govt & High Yield), Equity, Syndications, IPO, Private Placements, Mergers & Acquisitions, Research
• Municipal / Government: Underwriting – Bonds and/or Syndicated Loans and/or Cashflow / Asset-Backed Securities, Privatizations & Disposal
• Advisory Services: Strategic planning in terms of Balance Sheet restructuring – acquisitions / disposals, establishment of subsidiaries for financial optimization, Tax Planning

Trading and Sales
• Equities: Equities, portfolios of equities (including equity indices), cash & derivative products. Flow business, market making, position taking, proprietary positions
• Global Markets: Fixed Income, Foreign Exchange, Money Market, Commodities, Energy, Credit Trading, Own Positions, Brokerage, Repos & Reverse, Funding, Own Debt, Treasury - cash & derivative products. Flow business, market making, position taking, proprietary positions
• Corporate Investment: Cross-Industrial Holdings, items held with the long-term intention of sale
• Treasury: Funding the bank/group; capital management for the bank/group/subsidiaries

Banking

Retail Banking
• Retail Banking: Retail Loans, Retail Deposits, Banking Services, Trusts & Estates, Investment Advice
• Card Services: Merchant / Commercial / Corporate Cards, Private Label, Credit & Debit Cards

Private Banking
• Private Banking: Private Loans, Private Deposits, Banking Services, Trusts & Estates, Investment Advice

Commercial Banking
• Commercial Banking: Project Finance, Real Estate Finance, Export Finance, Trade Finance, Factoring, Leasing, Loans Guarantees, Bills of Exchange, Other Loans, Deposits

Clearing
• Cash Clearing: Payments & Collections, Funds Transfer, Cheque Processing, Non-Securities Clearing & Settlement
• Securities Clearing: Securities Clearing & Settlements, including derivatives using Clearing Houses or Central Counterparties. Includes Commodities Clearing House activity

Agency Services
• Custody Services: Escrow, Depository Receipts, Securities Lending (Customers), Corporate Actions, Issuer & Paying Agents, Securities Settlement.
• Corporate Trust and Agency
• Prime Brokerage: Special Financial Services performed on an Agency Basis. Includes activities that were previously (2007) coded under “Custom Services”.

Other

Asset Management
• Fund Management: Pooled, Segregated, Retail, Institutional, Closed, Open, Discretionary, Non-Discretionary

Retail Brokerage
• Retail Brokerage: Various services related to administration and management of estates, trusts, assets, portfolios etc.

Corporate Items
• Corporate Items: Limited category for items that can only be categorized at corporate level
Appendix V: Detailed Categories of Alleged Cause

Columns: Alleged Cause; Description; Examples

External
Description: Actions by Agents External to the bank
• Assault by Criminals / Terrorists: Phishing Attacks, Denial of Service, Various forms of Fraud by individuals or groups, including Mortgage Fraud
• Natural Disasters: Floods, Wind, Blizzard, Wild-fire, Storm Surge, Earthquake, Volcanic Eruption
• Man-made Disasters: Utility Outage, Strike – Transport, Staff, Pollution
• Political / social / cultural environment: Seizure of Assets, Change in acceptable “Norms”, Civil Strife / Riot / War, Special Interest Groups
• Action by External Staff: Staff at Outsourcers / Suppliers
• Decline: Legal Counsel has advised against providing this information

People / Staff
Description: Factors related to actions by Staff / Employees or Management of Staff / Employees of the bank or Consolidated companies
• Inadequate resources: Skills, Numbers of Staff, Loss of Key Staff
• Criminal Activity by Internal or External Staff: Theft / Fraud / Damage to Systems
• Management / Control of staff: Insufficient / Incorrect Communication, Insufficient Direct Supervision
• Human Error: Non-Deliberate - Mis-Understand, Mis-Interpret, Mis-Decision, Mis-Action
• Unauthorised activity: Deliberate - Mis-Understanding, Mis-Interpretation, Mis-Decision, Mis-Action, or omission of action
• Workplace environment: Controls / Displays, Tools, Protective Clothing, Shift Patterns, Workload
• Decline: Legal Counsel has advised against providing the information

Governance and Structure
Description: Factors related to the Governance and oversight practices of the bank
• Remote Business Unit: Business taking place remotely from centre of Business and/or Risk functions
• Subsidiary – control and consolidation: No clear delineation between activities conducted by different business units through the same legal entity or by the same business units through multiple legal entities
• Financial reporting: Failures in financial reports, failure to reconcile P/L accounts or daily cash flow
• Organization controls: Losses due to failure in organizational structure: no proper escalation process, not adequately or timely responding to reported problems
• Decline: Legal Counsel has advised against providing the information

Processes
Description: Factors related to the way that the bank is organised and certain broad management processes
• Organizational structure: Multiple locations
• Process design: Complexity, Transparency, Documentation, 'Fit for Purpose'
• Inadequate policy and procedure: Not Used, Missing/Unavailable, Incomprehensible, Incomplete, Outdated
• Inadequate segregation of duties: Front & Back Office
• Data quality: Incomplete / Incorrect / Wrong Format / Late
• Decline: Legal Counsel has advised against providing the information

Internal Systems Failure
Description: Factors related to inadequacies or failures in internal technology, physical and communication systems
• Hardware – inadequate maintenance: Cleaning of printers, keyboards, monitors; photocopiers; periodic diagnostics not done
• Hardware – performance degradation: Reduced Functionality, Capacity
• Software – inadequate maintenance: Upgrades, patches, enhancements not done
• Software – performance degradation: Reduced Functionality, Capacity
• Regular maintenance, repairs not done for access, lighting, air quality, lifts, etc.
• Infrastructure – performance degradation: Reduced performance, availability of access, lighting, air quality, lifts, etc.
• Infrastructure – inadequate maintenance: regular maintenance, repairs not done for access, lighting, air quality, lifts etc.
• Decline: Legal Counsel has advised against providing the information