2023-09-26 | NRP-42

Technical Standards for Operational Risk Management of Financial Entities

The Central Reserve Bank of El Salvador issued Technical Standards NRP-42 to establish minimum guidelines for operational risk management across a broad range of financial entities. The regulation mandates the implementation of robust organizational structures, including clear roles for the Board of Directors, Risk Committee, and Senior Management, to identify, measure, and mitigate operational risks. It further requires entities to adopt specific methodologies for risk assessment, manage third-party dependencies, and maintain business continuity and information security protocols.


CNBCR-09/2023 NRP-42
TECHNICAL STANDARDS FOR OPERATIONAL RISK MANAGEMENT IN FINANCIAL ENTITIES
Approval: 09/26/2023 Validity: 10/11/2023
Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv

THE COMMITTEE OF STANDARDS OF THE CENTRAL RESERVE BANK OF EL SALVADOR,

CONSIDERING:

I. That in accordance with Article 3, subsection c) of the Law on Supervision and Regulation of the Financial System, it is the responsibility of the Superintendence of the Financial System to proactively monitor the risks of the members of the financial system and the manner in which they manage them, ensuring the prudent maintenance of their solvency and liquidity.

II. That Article 7 of the Law on Supervision and Regulation of the Financial System establishes as part of the members of the financial system the banks constituted in El Salvador, their offices abroad and their subsidiaries; the branches and offices of foreign banks established in the country; insurance companies, their branches abroad and the branches of foreign insurance companies established in the country; cooperative banks, savings and credit societies and federations regulated by the Law on Cooperative Banks and Savings and Credit Societies; the Social Housing Fund and the National Popular Housing Fund; the Agricultural Development Bank, the Mortgage Bank of El Salvador, S.A., the Development Bank of the Republic of El Salvador; and the other entities, institutions and operations indicated by the laws. (1)

III. That Article 35, subsection d) of the Law on Supervision and Regulation of the Financial System, stipulates that the directors, managers and other officials holding positions of direction or administration of the members of the financial system must conduct their business, acts and operations complying with the highest ethical standards of conduct, acting with the due diligence of a good merchant in their own business, being obliged to comply with and ensure that in the institution they direct or work in, the adoption and updating of policies and mechanisms for risk management are fulfilled, being obliged, among other actions, to identify, evaluate, mitigate and disclose them in accordance with international best practices.

IV. That Article 99, subsection a) of the Law on Supervision and Regulation of the Financial System, stipulates that it will be the responsibility of the Committee of Standards to approve technical standards, instructions and provisions that the laws regulating the supervised establish must be issued to facilitate their application, including aspects inherent to risk management by the supervised.

V. That in accordance with international standards, it is necessary to have a solid risk management framework, which allows managing operational risks effectively and efficiently according to the profile, volume of operations, nature of the business, entity resources and best practices, so that the implementation of prudential measures is promoted for the transparent, efficient and orderly functioning of the market.

THEREFORE,

by virtue of the regulatory powers conferred by Article 99 of the Law on Supervision and Regulation of the Financial System,

AGREES to issue the following:

TECHNICAL STANDARDS FOR OPERATIONAL RISK MANAGEMENT OF FINANCIAL ENTITIES

CHAPTER I
OBJECTIVE AND OBLIGATED SUBJECTS

Objective
Art. 1.- These Standards aim to provide minimum guidelines for adequate operational risk management and criteria for the adoption of policies and procedures related to the development of methodologies for risk management, in accordance with the nature, size, risk profile and volume of their operations.

These Standards complement the provisions established in the Technical Standards for Integral Risk Management of Financial Entities (NRP-20), the Technical Standards for Corporate Governance (NRP-17) and the Technical Standards for Integral Risk Management for Investment Banks that the Central Reserve Bank of El Salvador issues for such purposes through its Committee of Standards. (1)

Subjects
Art. 2.- The subjects obliged to comply with the provisions established in these Standards are:
a) Banks constituted in El Salvador, their offices abroad and their subsidiaries;
b) Branches and offices of foreign banks established in the country, insofar as pertinent;
c) Insurance companies and their branches abroad;
d) Branches of foreign insurance companies established in the country, insofar as pertinent;
e) Cooperative banks, savings and credit societies and federations regulated by the Law on Cooperative Banks and Savings and Credit Societies;
f) The Mortgage Bank of El Salvador, S.A.;
g) The Social Housing Fund and the National Popular Housing Fund, insofar as they do not contradict their creation laws nor what is provided by the Court of Accounts;
h) The Agricultural Development Bank, insofar as it does not contradict its creation law, nor what is provided by the Court of Accounts;
i) The Development Bank of the Republic of El Salvador, insofar as it does not contradict its creation law, nor what is provided by the Court of Accounts;
j) Legal persons that carry out money sending or receiving operations systematically or substantially, by any means, at the national and international level. It will be understood that money sending or receiving operations are carried out systematically or substantially when such activity is carried out habitually or constitutes an important activity within the business operations of the entity;
k) Reciprocal Guarantee Societies and their local guarantors;
l) Foreign Currency Exchange Houses; (1)
m) Societies that offer complementary services to the financial services of the members of the financial system, particularly those in which they participate as investors; and (1)
n) Investment Banks, their offices abroad and their subsidiaries. (1)

Terms
Art. 3.- For the purposes of these Standards, the terms indicated below have the following meaning:
a) Senior Management: The Executive President, Executive Director, General Manager or whoever acts in their place and the executive positions that report to them. For the case of the Development Bank of the Republic of El Salvador, the President;
b) Risk Appetite: The level and types of risks that an entity is willing to assume in relation to its activities, to achieve its strategic objectives and business plans;
c) Central Bank: Central Reserve Bank of El Salvador;
d) Executive Director: is the one who exercises the highest administrative authority within the entity, and who may also be part of the Board of Directors; frequently referred to as Executive President, General Manager or whoever acts in their place;
e) Entity: Subject obliged to comply with the provisions established in these Standards;
f) Mass Impact Event: failures or errors in batch processing that result in an impact on clients, whether those of the entity or of other entities to which processing services are provided, such as: incorrect charges applied to a card or account during batch processing;
g) Operational Risk Event: It is an event or series of events, of internal or external origin, which include incidents occurred and potential events that could generate economic losses and may or may not affect the income statement;
h) Operational Risk Factor: It is the primary cause or origin of an operational risk event, which can be caused by factors such as processes, people, information technology and external events;
i) Board of Directors: Collegiate body or equivalent body in charge of the administration of the entity, with supervision, direction and control functions; for the case of Cooperative Associations, it will be the Board of Directors or as defined in its Creation Law;
j) Business Line: It is a specialization of the business that groups processes aimed at generating products and services to serve a target market segment;
k) Risk Map: It is a tool that allows presenting a panoramic image of the risks to which the entity is exposed; independent of the form of its presentation, in which the areas/activities/assets (processes) that could be affected during the occurrence of an adverse event are identified and located. It allows seeing the threats and measuring the magnitude of each risk (probability and economic impact). It is a graphical risk management instrument that allows comparing risks by their relative importance, as well as together, allowing the entity to establish acceptable risk levels;
l) Risk Profile: Consolidated result of the measurement of the risks to which an entity is exposed;
m) Process: It is the set of activities that transform inputs into products or services with value for the user, whether internal or external;
n) Batch Processing: method of executing tasks in a repetitive and large volume in terms of the quantity of operations or transactions;
o) Inherent Risk: Level of risk inherent to the activity, without taking into account the effect of controls;
p) Operational Risk: Possibility of incurring losses due to failures in processes, people, information systems and due to external events; it includes legal risk which consists of the possibility of occurrence of losses due to failures in the execution of contracts or agreements, non-compliance with regulations, as well as external factors such as regulatory changes, judicial processes, among others;
q) Residual Risk: Level resulting from risk after applying controls. It is the risk that remains, once the appropriate controls for its treatment have been implemented. In any case, it requires permanent monitoring to observe its evolution;
r) Superintendence: Superintendence of the Financial System; and
s) Risk Tolerance: Levels of risk-taking acceptable to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and, generally, is aligned with risk categories, such as strategy, finance, people or reputation.


CHAPTER II
GENERAL PROVISIONS

Provision of services by third parties
Art. 4.- Entities must establish appropriate policies and procedures to evaluate, manage and monitor critical services provided by third parties, that is, those that could interrupt the normal development of operations, defined in the policies of each entity. The provision of services must be formalized through signed contracts, which include the scope of the service and clearly define the responsibilities of the provider and the entity. Likewise, they must include a clause that obliges the provider to document the services provided and guarantees the establishment of contingency and service continuity plans. In addition, there must be clauses that facilitate an adequate review of the respective provision of services by the entities themselves or eventually by the Superintendence and other supervisory bodies. Regardless of whether certain services are performed by third parties, the entities subject to these Standards are responsible for ensuring compliance with the provisions applicable to them.

Entities must have a centralized control of all services provided by third parties that must contain at least the name of the provider, the type of service, the contract amount, the counterparty within the entity and its validity. This control must be available to the Superintendence whenever it requires it.

Legal Risk
Art. 5.- In addition to what is established in these Standards, for the case of legal risk, entities must establish at least specific policies and controls, so that, prior to the celebration of contracts, legal acts or operations they carry out, the legal validity is analyzed and adequate legal verification is sought. Likewise, these policies and procedures must contain aspects related to the orderly, complete, integral and timely conservation of the information and documentation that supports the entity's operations.

Business Continuity and Information Security
Art. 6.- Entities, excluding those described in letters j) and l) of Article 2 of these Standards, must implement a business continuity management system and an information security management system that guarantees the availability, integrity and confidentiality of the information they collect, store, for Risk M


Methodologies for operational risk management
Art. 7.- Entities must define the methodology they will use to manage operational risk, which must be adequately documented and implemented throughout the entity consistently, for which they must assign sufficient resources for its implementation, in accordance with the provisions of NRP-20 and the Technical Standards for Integral Risk Management for Investment Banks, which the Central Bank issues for such purposes through its Committee of Standards. (1)

CHAPTER III
OPERATIONAL RISK FACTORS AND EVENTS

Risk Factors
Art. 8.- Entities must manage the different factors generating operational risk, which are the following:
a) Processes: In order to guarantee the optimization of resources and the standardization of activities, entities must have documented, defined and permanently updated processes, which can be grouped into strategic and operational processes. Entities must appropriately manage the risks associated with said processes, emphasizing the failures or weaknesses they present, since these can result in deficient development of operations.
b) People: Entities must establish policies, processes and procedures that ensure adequate planning and administration of human capital, which include the hiring, retention and dismissal process of personnel. Likewise, they must establish preventive mechanisms that allow identifying and managing failures, deficiencies, negligence, sabotage, theft, inadequate training, misappropriation of information, among other aspects, associated with personnel directly or indirectly linked to the entity; in order to minimize the possibility of economic losses occurring. By direct linkage it shall be understood that which emanates from an internal employment contract, according to the respective labor legislation. On the other hand, indirect linkage shall be understood as the legal relationship with the entity that emanates from a contract for the provision of specific services, different from that which originates from an internal employment contract.
c) Information Technology: Entities must manage risks associated with information technology, among others, those related to failures in security and operational continuity of computer systems, errors in the development and implementation of said systems and their compatibility and integration, as well as the quality of information and adequate investment in technology.
d) External Events: Entities must manage risks associated with external events beyond the control of the entity that could alter the normal development of their activities, related to failures in critical services provided by third parties, legal contingencies, the occurrence of natural disasters, attacks and criminal acts, among other factors.

Operational Risk Events
Art. 9.- Operational risk events are those situations that affect the normal development of the entity's operations, which include incidents occurred and potential events that could generate economic losses and may or may not affect the income statement, being these the following:
a) Internal fraud;
b) External fraud;
c) Labor relations and workplace safety;
d) Clients, products and business practices;
e) Damage to material assets;
f) Business interruption and system failures; and
g) Execution, delivery and process management.

CHAPTER IV
OPERATIONAL RISK MANAGEMENT

Organizational Structure
Art. 10.- Entities must establish an organizational or functional structure adequate to their business model and appropriately segregated, which clearly delimits functions and responsibilities, as well as the levels of dependence and interrelation that correspond to each of the areas involved in carrying out activities related to operational risk. All these aspects must be contemplated in the respective manual, approved by the Board of Directors of the entity.

Board of Directors
Art. 11.- The Board of Directors of the entity is the Body directly responsible for operational risk management, therefore it must:
a) Approve the entity's strategies, policies and manuals for operational risk management and ensure that Senior Management effectively implements them;
b) Assign and approve the necessary resources to implement and maintain operational risk management effectively and efficiently;
c) Ensure that Internal Audit verifies the existence and compliance of the operational risk management scheme; and
d) Designate a person responsible for communicating the occurrence of operational risk events, as required in the second paragraph of Article 21 of these Standards, who may be the same ones delegated for the reporting of events associated with (NRP-24).

Risk Committee
Art. 12.- The Risk Committee is in charge of ensuring sound operational risk management of the entity, therefore it must:
a) Evaluate, review and propose for approval by the Board of Directors the strategies, policies and manuals for operational risk management;
b) Supervise that operational risk management is effective and that operational risk events are consistently identified, measured, evaluated, mitigated and monitored;
c) Propose mechanisms for the implementation of corrective actions required in case there are deviations with respect to the operational risk tolerance level;
d) Approve operational risk management methodologies; and
e) Support the work of the Risk Management Unit in the implementation of operational risk management.

Senior Management
Art. 13.- Senior Management is responsible for the implementation of operational risk management, strategies, policies and manuals, authorized by the Board of Directors.

Risk Unit
Art. 14.- The Risk Unit is in charge of implementing the operational risk management methodology, therefore it must:
a) Design and submit for approval by the Board of Directors, through the Risk Committee, the strategies, policies and manuals for operational risk management;
b) Design and submit for approval by the Risk Committee the methodology for operational risk management;
c) Support and assist other management units in the implementation of the operational risk methodology;
d) Elaborate an opinion on the risk of new products or services, prior to their launch; as well as also in the face of important changes in the operational or computer environment; and
e) Report timely and in a complete and detailed manner the failures in the different factors and operational risk events to the Board of Directors through the Risk Committee.

Internal Audit
Art. 15.- Internal Audit must evaluate, at least annually, the compliance of the procedures used for operational risk management and follow up on the compliance of the Risk Unit's work plan, which involves everything provided in these Standards.

Stages of Management
Art. 16.- For operational risk management, entities must have a continuous and documented process for:
a) Identification: Entities must establish a process for identifying all their operational risk events, grouping them according to what is established in Annex No. 1 of these Standards, in such a way that it allows them to establish their operational risk map. Likewise, in the case of banks, cooperative banks and savings and credit societies, additionally, it is necessary that the identification of events be grouped, according to the business lines q
b) Measurement: Entities must establish a process for measuring operational risk, using the methodologies approved by the Board of Directors, which must be consistent with the nature, size, risk profile and volume of their operations.
c) Mitigation: Entities must establish a process for mitigating operational risk, which includes the implementation of controls, policies and procedures to reduce the probability and impact of operational risk events.
d) Monitoring: Entities must establish a process for monitoring operational risk, which includes the continuous monitoring of the effectiveness of controls, the identification of new risks and the reporting of operational risk events.
e) Reporting: Entities must establish a process for reporting operational risk, which includes the reporting of operational risk events to the Board of Directors, the Risk Committee and the Superintendence.

Risk Appetite and Tolerance
Art. 17.- Entities must define their risk appetite and tolerance levels for operational risk, which must be approved by the Board of Directors. The risk appetite is the level and types of risks that an entity is willing to assume in relation to its activities, to achieve its strategic objectives and business plans. The risk tolerance is the level of risk-taking acceptable to achieve a specific objective or manage a category of risk.

Risk Identification and Measurement
Art. 18.- Entities must identify and measure operational risk events, using the methodologies approved by the Board of Directors. The identification of operational risk events must be carried out continuously and must include all events that could generate economic losses, whether they have occurred or are potential. The measurement of operational risk must be carried out using quantitative and qualitative methods, and must include the probability and impact of operational risk events.

Risk Mitigation
Art. 19.- Entities must mitigate operational risk, using the controls, policies and procedures approved by the Board of Directors. The mitigation of operational risk must include the implementation of controls to reduce the probability and impact of operational risk events. The controls must be designed and implemented in accordance with the nature, size, risk profile and volume of the entity's operations.

Risk Monitoring and Reporting
Art. 20.- Entities must monitor operational risk, using the methodologies approved by the Board of Directors. The monitoring of operational risk must be carried out continuously and must include the continuous monitoring of the effectiveness of controls, the identification of new risks and the reporting of operational risk events. The reporting of operational risk must be carried out in accordance with the methodologies approved by the Board of Directors, and must include the reporting of operational risk events to the Board of Directors, the Risk Committee and the Superintendence.

Reporting of Operational Risk Events
Art. 21.- Entities must report operational risk events to the Superintendence, in accordance with the provisions of these Standards. The reporting of operational risk events must be carried out timely and in a complete and detailed manner. The reporting of operational risk events must include the following information:
a) The date and time of the occurrence of the event;
b) The description of the event;
c) The cause of the event;
d) The impact of the event;
e) The actions taken to mitigate the event; and
f) The lessons learned from the event.


Annex No. 1
Operational Risk Event Classification

  1. Internal Fraud
     1.1. Unauthorized activities
     1.2. Misappropriation of assets
     1.3. Tax evasion
     1.4. Bribery and corruption

  2. External Fraud
     2.1. Theft and fraud
     2.2. Cybercrime
     2.3. Counterfeiting

  3. Employment Practices and Workplace Safety
     3.1. Discrimination
     3.2. Harassment
     3.3. Health and safety violations
     3.4. Workers' compensation claims

  4. Clients, Products and Business Practices
     4.1. Mis-selling
     4.2. Breach of fiduciary duty
     4.3. Unfair practices
     4.4. Product defects

  5. Damage to Physical Assets
     5.1. Natural disasters
     5.2. Fire
     5.3. Theft
     5.4. Vandalism

  6. Business Disruption and System Failures
     6.1. IT failures
     6.2. Power outages
     6.3. Telecommunications failures
     6.4. Supply chain disruptions

  7. Execution, Delivery and Process Management
     7.1. Data entry errors
     7.2. Documentation errors
     7.3. Process failures
     7.4. Vendor management failures