Notice No. 10/2021 of June 18 on the Corporate Governance Code for Financial Institutions

PUBLISHED IN THE OFFICIAL GAZETTE, FIRST SERIES, NO. 131, OF JULY 14, 2021 NOTICE NO. 10/2021 of June 18 SUBJECT: FINANCIAL SYSTEM

• Code of Corporate Governance for Financial Institutions Considering the evolution of the Angolan Financial System (SFA), and observing internationally accepted best practices, under Law No. 14/21 of May 19 - General Regime for Financial Institutions Law, which aims to ensure that the regulatory framework responds to current challenges regarding financial stability, particularly concerning the strengthening of the legal framework for the regulation and supervision of institutions operating in the financial sector, making significant amendments to the current legal regime, notably regarding corporate governance of institutions, internal control systems, internal audit, as well as supervision processes by the Banco Nacional de Angola for the solidity and stability of the financial system; There is a need to equip Financial Institutions with corporate governance mechanisms and procedures proportional to their business plan, internal organizational risks, scope, and complexity of activities. It is necessary to regulate Article 71 of Law No. 14/21 of May 19 - General Regime for Financial Institutions Law, which institutionalizes the Code of Corporate Governance for Banking Financial Institutions. Under the combined provisions of paragraph f) of Article 21(1) and paragraph d) of Article 51(1), both of Law No. 16/10 of July 15 - Banco Nacional de Angola Law, and Article 166 of Law No. 14/21 of May 19 - General Regime for Financial Institutions Law. DETERMINE: Chapter I General Provisions Article 1. (Object) This Notice regulates corporate governance and internal control, establishing minimum standards to be observed by Banking Financial Institutions, hereinafter referred to as “Institutions”, without prejudice to other applicable legal and regulatory provisions. Article 2. (Scope)

1. This Notice applies to Banking Financial Institutions under the supervision of the Banco Nacional de Angola, as provided in paragraph 2 of Article 7 of the General Regime for Financial Institutions Law.
2. Also covered by this Notice are Non-Banking Financial Institutions under the supervision of the Banco Nacional de Angola, as provided in paragraph 3 of Article 7 of Law No. 14/21 of May 19, General Regime for Financial Institutions Law, namely: a) Social participation management companies; and, b) Payment system operating companies, in accordance with Article 10 of Law No. 40/20 of December 16, Angolan Payments System Law, and paragraph k) of Article 3 of Law No. 14/21 of May 19, General Regime for Financial Institutions Law. Article 2. (Definitions) Without prejudice to the definitions established in Law No. 14/21 of May 19, General Regime for Financial Institutions Law, for the purposes of this Notice, it is understood that:

CONTINUATION OF NOTICE NO. 10/2021 Page 3 of 56 a) Executive Director: member of the governing body with responsibilities in day-to-day management, without prejudice to the global attributions inherent to their office. b) Independent Director: member of the governing body who exercises their functions independently in accordance with paragraph s) of this article. c) Non-Executive Director: member of the governing body, who must participate in strategic decision-making processes, advise, supervise and evaluate the activity of executive directors, without prejudice to the global attributions inherent to their office. d) Risk Appetite: the aggregated level and types of risk that an institution is willing to assume, defined in advance and within each institution's risk capacity to achieve its strategic objectives and business plan. e) Beneficial Owner: entity with the true economic interest in holding an asset, possessing final control or in carrying out a transaction. f) Audit Committee: unit responsible for supervising the performance of the institution's external auditor. g) Conflict of Interest: situation in which shareholders, members of the governing bodies or employees have their own interests in a relationship between the institution and third parties, from which they expect to obtain benefits. h) Control Deficiency: error in the design or use of policies or internal control system processes with a negative impact on their objectives and principles. i) Parent Company: legal entity that exercises a relationship of control or group over another legal entity, designated as a subsidiary, when they are Financial Institutions under the supervision of the Banco Nacional de Angola. j) Risk Factor: aspect or characteristic, notably of financial products and markets, participants in the business relationship, and existing processes within institutions, with influence on risk.

CONTINUATION OF NOTICE NO. 10/2021 Page 4 of 56 k) Function: integrated set of processes carried out recurrently to achieve certain institutional objectives and which, autonomously, corresponds to a structural unit. l) Control Functions: each of the components of the internal control system, whose responsibility is to monitor compliance with legislation and internal procedures, manage and monitor the risk to which the institution is or may be exposed, carrying out objective and reliable assessments and analyses, as well as reporting its examinations to the management bodies. m) Business Functions: comprise functions directly linked to the main activity or core business of the institution. n) Support Functions: comprise functions supporting the institution's activity, i.e., functions whose day-to-day operations are not directly related to the institution's business, yet assist and complement it. o) Day-to-Day Management: set of decisions taken on a daily and recurrent basis regarding matters concerning the administration of the institution, excluding those related to business strategy definition, organizational and functional structure, disclosure of legally or statutorily required information, and relevant operations based on their amount, associated risk, or special characteristics. p) Middle Management: comprises management functions hierarchically immediately below the administration and direction of the institution, i.e., generally comprising functions that include the first-level heads of institutional structural units. These functions are commonly referred to as “first-line directors” and are responsible for achieving objectives within their areas of responsibility. q) Corporate Governance: set of relationships, policies and processes involving shareholders, governing bodies and employees of the financial institution in coordination with supervisory authorities, external auditors and other financial market agents, aimed at achieving strategic objectives, as well as promoting organizational transparency and conducting control and supervision of institutions, specifying for this purpose the functions assigned to various structural units and the competencies, responsibilities and level of authority of the various participants in institutions. r) Financial Group: set of resident and non-resident companies, possessing the nature of Financial Institutions, with the exception of Financial Institutions linked to insurance and social security activities, in which there is a relationship of control by a parent company supervised by the Banco Nacional de Angola over other companies within the group. s) Independence: capacity to make evaluative judgments and take correct, objective and independent decisions regarding the policies and processes of the financial institution without the influence of daily management and external interests contrary to the financial institution's objectives. A member of the governing body is considered not to meet independence requirements if any of the following situations occur: i. Has or had, in the last twelve months, an executive director position in the institution; ii. Has provided or provided services to the institution in the last twelve months; iii. Holds or represents a holder of a qualified participation in the institution's capital, or participation exceeding 2%, which allows, in the Banco Nacional de Angola's understanding, to exercise significant influence on the institution; iv. Receives a variable remuneration component granted by the institution; v. Holds positions in the governing bodies of another company, without a formal process to investigate possible conflicts of interest; vi. Has a spouse, descendant or ascendant relationship, of first and second degree, with a person covered by at least one of the situations provided for in items i to v of this paragraph; and, vii. Is covered by at least one of the situations referred to in items i, iv and vi, in a company that is in a relationship of control or group with the one where it is a member of the governing body. t) Systemically Important Banking Financial Institutions: Banking Financial Institutions, qualified as such by the Banco Nacional de Angola, through regulation to be published on a periodic basis; u) Governing Body: person or group of persons, elected by shareholders, responsible for representing the company, deliberating on all matters and performing all acts to achieve its corporate purpose. v) Portfolio Responsibility: attribution of specific functions or superintendence of structural units to a member of the governing body, without prejudice to the responsibilities assigned to the governing body. w) Risk Profile: representation of the institution's actual risk exposure. The risk profile is intrinsically linked to business strategy and depends on the type of activities carried out by the institution, as well as the inherent risk. x) Compliance Policy: document with guidelines aimed at ensuring compliance with ethical principles and national and international legal and regulatory requirements that directly or indirectly govern the entire activity of the institution. y) Remuneration Policy: set of policies and processes aimed at establishing criteria, periodicity, responsible parties for performance evaluation, and the form, structure and conditions of remuneration payments; z) Remuneration: set of economic benefits attributed to members of the governing bodies and employees of an institution, as consideration for services rendered, which may be periodic or non-periodic, fixed or variable, monetary or non-monetary, including, notably, salaries, performance bonuses and pension liabilities;

CONTINUATION OF NOTICE NO. 10/2021 Page 7 of 56 aa) Risk: possibility of a future event occurring with negative impact on the institution's net worth, considering, notably, the following categories: i. Credit risk: arising from the default of contractually established financial commitments by a borrower or counterparty in operations; ii. Strategic risk: arising from adverse changes in the business environment, inability to respond to these changes and inadequate strategic management decisions; iii. Liquidity risk: arising from the institution's inability to meet its obligations when they become due; iv. Market risk: arising from adverse movements in bond, stock or commodity prices, including exchange rate and interest rate risk: a. Exchange rate risk: arising from movements in exchange rates, resulting from currency positions originating from the existence of financial instruments denominated in different currencies; b. Interest rate risk: arising from movements in interest rates, resulting from mismatches in amount, maturities or repricing periods of financial instruments with receivable and payable interest. v. Operational risk: arising from the inadequacy of internal processes, people or systems, possibility of occurrence of internal and external frauds, as well as external events. Includes information technology risk and compliance risk. vi. Compliance risk: arising from violations or non-compliance with laws, rules, regulations, contracts, prescribed practices or standards or ethical standards;

CONTINUATION OF NOTICE NO. 10/2021 Page 8 of 56 vii. Information systems risk: arising from the inadequacy of information technologies in terms of processing, integrity, control, availability and continuity, resulting from inadequate strategies or uses; and viii. Reputational risk: adverse perception of the institutions' image by clients, counterparties, shareholders, investors, supervisors and public opinion in general. bb) Segregation of Functions: set of internal control rules and guidelines aimed at decentralizing management, establishing independence between control, business and support functions. cc) Organizational Silos: organizational barriers that hinder and/or prevent timely, objective, concise, effective and complete communication and/or cooperation between various structural units and/or functions. In this sense, the absence of organizational silos promotes, directly and indirectly, a functional organizational structure and, consequently, timely decision-making. dd) Internal Control System: integrated set of policies and processes, permanent and transversal to the entire institution, carried out by the governing body and other employees, aimed at achieving objectives of operational efficiency, risk control, reliability of accounting and management support information, and compliance with legal norms and internal guidelines. ee) Risk Tolerance: maximum “amount” of risk that an institution is capable of assuming, given its capital base, risk management and control capabilities, as well as regulatory restrictions. ff) Transactions with Related Parties: refers to a transfer of resources, services or obligations between the Institution and a related entity, regardless of whether there is a price debt; gg) Business Units: departments or areas of the institution that represent and perform a specific function.

CONTINUATION OF NOTICE NO. 10/2021 Page 9 of 56 Chapter II Corporate Governance Article 4. (Principles) The “Code of Corporate Governance for Institutions” is based on the following principles: a) Encouragement of transparency culture within Banking Financial Institutions; b) Contribution to strengthening institutional integrity, aiming to promote greater confidence, quality and safety of products and services marketed in the financial system; c) Favoring convergent policies within the organizational context; d) Promotion of timely, clear and transparent access to information; e) Promotion of communication between the governing body, supervisory bodies and established committees; f) Acting independently and autonomously, with free access to necessary information for the exercise of functions or attributions; g) Continuous monitoring of the regulatory environment and disclosure of applicable norms for responsible areas to act; and, h) Assessment of compliance with regulation and implementation of process and procedure manuals, as well as other institutional policies concerning the activities of Institutions that mitigate associated risks. Article 5. (Culture and Organizational Structure)

1. The institution's organizational culture must be a constant concern of the governing and supervisory bodies, based on solid foundations and high internal control standards regarding authorization, execution, recording, accounting and control of operations, namely through: a) Observance of high ethical principles and integrity, embodied in codes of conduct and policies that identify and mitigate conflicts of interest;

CONTINUATION OF NOTICE NO. 10/2021 Page 10 of 56 b) Definition and implementation of processes aligned with internal control principles and practices, which determine that there is knowledge of relevant risks and how they can be managed; and, c) Adequate segregation between authorization, execution, recording, accounting and control functions, adapted considering the size, nature and complexity of activity. 2. The organizational culture must be known to all employees, who must contribute to an efficient internal control system, and thus understand their role in the implemented system. 3. The organizational structure, considered from its organic and functional aspects, must: a) Be adequately defined, thereby supporting activity and the implementation of an adequate and effective internal control system; b) Be compatible with strategy, adapted to the volume, nature and complexity of developed activity and provide sufficient human resources in terms of number, knowledge and experience for their assigned tasks; and, c) Be transparent, coherent, objective and perceptible in defining structural units and their respective attributions and competencies, responsibilities and authority, respecting the segregation of functions and establishing precise lines for reporting information. 4. In the case of an institution with limited scope of activity and associated risks, where due to limitations in available human resources total segregation of potentially conflicting functions is unfeasible, alternative control procedures must be implemented to avoid or minimize the risk of conflicts of interest. 5. The organizational structure, including the competencies and responsibilities of each structural unit and/or function, reporting lines and authority, and the degree and scope of cooperation between various departments or functions, must be documented, analyzed and periodically reviewed to ensure permanent adequacy.

CONTINUATION OF NOTICE NO. 10/2021 Page 11 of 56 Article 6. (Corporate Governance)

1. The corporate governance model must be compatible with the institution's size, nature, complexity, structure, risk profile and business model.
2. The governing body is responsible for defining policies, approving and supervising the implementation of the institution's strategic objectives by management, governance structure and organizational culture.
3. The governing and supervisory body or bodies with delegated competencies provided for in Articles 11 to 16 of this Notice must: a) Meet at formally defined intervals, without prejudice to extraordinary meetings determined by relevant events; b) Properly formalize work orders, agendas and other supporting documents for the meetings referred to in paragraph a) of this number, as well as share them timely; c) Briefly and objectively reflect deliberations in minutes, to ensure the justification of decisions taken, as well as reflecting the sense of voting statements, if requested; d) Ensure that all decisions are duly justified; and, e) Make minutes and other documents referred to in paragraph b) of this number known to all members and collect the signatures of all participants in meetings.
4. Institutions may contract independent consulting services to assist entities or bodies with delegated competencies, maintaining responsibility for their assigned functions, considering their integrity levels, competence and potential conflicts of interest.
5. In outsourcing functions, Institutions must ensure exact compliance with the corporate governance objectives and principles set out in this Notice, notably regarding the responsibilities of the governing body.

CONTINUATION OF NOTICE NO. 10/2021 Page 12 of 56 6. The governing body must promote the formalization, dissemination and periodic review of the corporate governance model in force within the institution. 7. The principles established in the preceding paragraphs of this article must be consistently applied within the financial group, with the parent company responsible for implementing a solid corporate governance model, ensuring: a) To its governing bodies a complete, true and updated view of the companies belonging to the financial group and their respective capital, organic and functional structures; and, b) A correct information disclosure policy, in accordance with Articles 22 and 23 of this Notice. Article 7. (Corporate Governance Model)

1. Institutions must define, implement and periodically review their corporate governance model at least once a year, including capital structure, business strategy, risk management policies and processes, units and organic structures and applied policies, namely: a) Remuneration policy; b) Internal control policy; c) Compliance policy; d) Transactions with related parties and conflict of interest prevention policy; e) Transparency and information disclosure policy; f) Code of conduct; and, g) Whistleblowing channel.
2. The governing body is the highest responsible party to shareholders, regulators and other stakeholders.
3. The governing body must develop a corporate governance and risk structure that facilitates supervision and contributes to defining the institution's strategy, risk culture and risk appetite.

CONTINUATION OF NOTICE NO. 10/2021 Page 13 of 56 4. The corporate governance structure must facilitate and enable independent evaluations of the quality, accuracy and effectiveness of the institution's risk management attributions, financial reports and regulatory compliance. 5. Changes to the corporate governance model must be communicated in advance to the Banco Nacional de Angola, requiring a prudential justification of why the institution considers that the new corporate governance model will contribute to healthier and more prudent management, considering its situation. Article 8. (Capital Structure)

1. Institutions...