2024-09-19

Reporting of Embezzlement by Employees and Officeholders

The Bank of Israel's Supervisor of Banks has amended Proper Conduct of Banking Business Directive 351 to refine reporting requirements for embezzlement by employees and officeholders. The amendments expand the directive's scope to include payment services providers and subsidiaries, update monetary reporting thresholds, and clarify definitions for substantial embezzlement incidents. Additionally, the CEO is assigned heightened personal responsibility for the accuracy and timeliness of reports submitted to the Banking Supervision Department.


Israel

Bank of Israel


Banking Supervision Department

Jerusalem, September 18, 2024

Circular No. C-06-2793

Attn: Banking corporations and payment services providers with prudential importance license holders

Re: Reporting of Embezzlement by Employees and Officeholders (Proper Conduct of Banking Business Directive 351)

Introduction

  1. In view of past experience and to attain the purpose of the Directive optimally and instill standard practice in the banking system, it was decided to fine-tune several requirements in the Directive and make it clear that the Directive concerns itself with the reporting of embezzlement by employees and officers of a banking corporation, be they substantial embezzlement incidents or other embezzlement incidents, under the definition of “embezzlement” in the Banking Ordinance, 1941 (hereinafter: the Ordinance).
  2. Appropriate management of embezzlement risk by banking corporations is immensely important from the macroprudential standpoint and in consumer terms as well. Banking corporations are expected to apply monitoring and control tools to detect and deal with embezzlement incidents quickly and efficiently in order to safeguard the public’s confidence in the banking corporation and to protect customers’ rights.
  3. The regulation was not accompanied by publication of a report under the Principles of Regulation Law, 5782-2021, due to significant actions carried out before the law went into effect per decision of the Governor. The regulation will be reviewed post facto as required by the Principles of Regulation Law, 5782-2021, at the end of a ten-year period after it goes into effect.
  4. After consulting with the Advisory Council on Banking Business Affairs and with the approval of the Governor, I have amended the Directive in the manner specified below.

Main amendments to the Directive

  5. The title of the Directive has been updated to “Reporting of Embezzlement by Employees and Officeholders” in order to express its purpose more incisively.

     Explanatory remarks

     It is emphasized that the Directive deals with compulsory reporting of embezzlement incidents only, to make it clear that its purpose is compliance with the requirement of reporting to the Banking Supervision Department under the provisions of Section 8d1 of the Ordinance. Said reporting shall also underpin the annual report that the Supervisor of Banks is required to present to the Knesset Finance Committee under the provisions of Section 8d2 of the Ordinance.

  6. In Section 1(a), the vast importance that the legislature assigns to this matter is emphasized, as is the need the legislature perceived to make it a personal requirement of the CEO of a banking corporation to comply with the reporting requirement.

     Explanatory remarks

     Given the risk posed by embezzlement by staff and officers to a banking corporation’s stability and concern about a blow to customer and public trust, the legislature established the requirement of reporting to the Supervisor of Banks. In addition, the Ordinance instructs the Supervisor of Banks to report to the Knesset Finance Committee annually about the extent of embezzlement in the banking system. Due to the importance of the accuracy, credibility, and timing of the reports to the Department, the legislature also gave the CEO of the banking corporation heightened responsibility for the completeness and correctness of said reporting.

  7. In Section 2(a), the incidence of the Directive is expanded to include a payment services provider with prudential importance license holder and a corporation as set forth in Sections 11(a)(3a)–11(a)(3b) of the Banking (Licensing) Law.

     Explanatory remarks

     The Directive also applies to a payment services provider with prudential importance license holder because the separation of some credit card companies from banking corporations was such that they are no longer considered auxiliary corporations. In addition, the incidence of the Directive is expanded to include subsidiaries of the banking corporation due to the importance of the matter.

  8. In Section 2a, a new Definitions section containing the following definitions is added:

     “Embezzlement”—as defined in Section 8d1 of the Banking Ordinance, 1941;

     “Substantial embezzlement”—an embezzlement incident that complies with the conditions specified in Section 4 of the Directive;

     “Employee”—an employee of the banking corporation and also a person employed by the banking corporation either directly or indirectly, including via a third party.

     Explanatory remarks

     As stated, the purpose of this Directive is to comply with the requirement of reporting to the Banking Supervision Department about embezzlement incidents by staff and officeholders of a banking corporation as set forth in the Ordinance, which refers, in specifying offenses that are considered “embezzlement,” to one of the offenses listed in Articles A, F, and G of Chapter 11 of the Penal Law, 5737-1977 (in this Ordinance—the Penal Law), all of which in respect of assets of the banking corporation and assets held therein or managed thereby.

     On the basis of lessons from the past and to prevent misunderstanding that led to over- or under-reporting and vagueness in the wording of the preamble relative to the definition set forth in the Ordinance, it was decided to place the definitions of relevance to the Directive in a dedicated Definitions section and, within this framework, to add a definition of “embezzlement.”

     Notably, material reports of other incidents that do not correspond to the definition of embezzlement and those to which other reporting directives may apply shall be reported in accordance with the relevant reporting directives set forth by the Banking Supervision Department, such as Proper Conduct of Banking Business Directive 301, “Board of Directors.”

     In addition, the expression “substantial embezzlement” is redefined to align it with the rewordings in Section 4, and it is clarified that a substantial incident is defined as such by the management of the banking corporation on the basis of quantitative and qualitative features. It should be noted that the quantitative thresholds are irrelevant in substantial embezzlement incidents, on account of which every embezzlement incident must be reported.

     Likewise, given the dynamism of the employment market and the broadening of employment of banking corporation staff to include those employed by third parties such as personnel companies, it is explained that, for the purposes of this Directive, the definition of an “employee” in the Directive shall apply to their activity as well.

  9. In Section 3(a), the sum of NIS 20,000 replaces NIS 15,000 and US$ 20,000 replaces US$ 15,000. In addition, the phrase “a substantial embezzlement incident, even if in a smaller sum than the amounts noted in Section (1)” is added at the end of the section.
     Explanatory remarks

     Given the amount of time that passed since the reporting thresholds were first determined, it was decided to update said thresholds. In addition, in Paragraph (2) of Section 3(a), a clause is added explaining that substantial embezzlement incidents may involve smaller sums than the minimum sums specified in the Directive and that they must be reported at once. The addition is meant to prevent vagueness about the minimum threshold sum of substantial embezzlement events.

  10. In Section 3(b), the reporting date is revised from that of “the discovery of the incident” to “realization of reasonable concern about the embezzlement incident” and the beginning of Section 3(d) was merged into Section 3(b).

      Explanatory remarks

      Given the due importance of high-quality primary reporting of embezzlement incidents, the existence of reasonable concern about compliance with the financial threshold requirement is needed in order to narrow the amount of time that may pass until the investigation of the incident is completed. Additionally, the integration of Subsection (d) into Section (b) also sharpens the difference between a “substantial embezzlement incident” and one that is not substantial in terms of the urgency of reporting.

  11. In Section 3(c), the sentence “A full report of the incident shall be submitted within one week after the examination is completed […]” is replaced with “Supplemental reporting of the embezzlement incident shall be submitted within one week after the examination of the details of the incident is completed […].”

      Explanatory remarks

      To prevent misunderstanding, the wording of the section is amended with no revision of the essence of the requirement. A banking corporation must present the Supervisor of Banks with supplemental reporting after it completes its examination of the details of the incident and shortly after it reports the conclusions of the examination to its management, but no later than two months after the existence of reasonable concern about an embezzlement incident becomes known. To eliminate doubt, as of the reporting deadline required in this Section, a banking corporation may have completed its examination of the details of the incident but may not have finished dealing with the incident in full.

  12. Section 3(d) is deleted. The beginning of the section is transferred to Subsection (b) and its end, concerning the CyberArk reporting system, is deleted.

      Explanatory remarks

      The end of the section is cancelled because the manner of reporting to the Banking Supervision Department is settled in Reporting to the Banking Supervision Department Directive 808, “Reporting of Embezzlement by Staff Members and Officers.”

  13. In Section 3(e), the phrase “how the banking corporation handled the incident, including compensation for customers, disciplinary and administrative measures that were adopted, including reporting to enforcement and supervisory authorities, and learning of lessons in relation to internal control” is added.
      Explanatory remarks

      The purpose of said supplemental reporting is to conclude the account of the embezzlement incident in full, from the circumstances that allowed it to happen, lessons learned and measures taken pursuant to it, reporting to enforcement and supervisory authorities, and culminating with estimating the damage it caused, in accordance with the details that the banking corporation must report in the format established in Reporting to the Banking Supervision Department Directive 808, “Reportage of Embezzlement by Staff Members and Officers.”

  14. Section 3(f) is added, explaining that “If the banking corporation lacks information at the time of the supplemental reporting or if the data reported have undergone material changes, the banking corporation shall submit an updated supplementary report as soon as this is discovered.”

      Explanatory remarks

      Given the likelihood of cases in which, by the reporting deadline specified in Section 3(c), the banking corporation will lack information or a major change will have occurred in the data reported, the banking corporation shall fill in the lacunae and report them as soon as they are discovered. To eliminate doubt, the new data reported shall be attached to the supplemental report previously sent.

  15. In Section 4, “Substantial Incidents”, it is emphasized that the embezzlement incidents referenced are distinct from other substantial incidents that shall be reported under other Proper Conduct of Banking Business Directives.

      Explanatory remarks

      The expression “substantial embezzlement incidents” is added to the title of the Section in order to create differentiation and to establish more pointedly that the purpose of the Directive and the Section is reportage of substantial embezzlement incidents only and not other substantial incidents. In addition, the definition of a substantial embezzlement incident is fine-tuned in the manner set forth in Section 8 above.

  16. In Section 5, the wording is amended in a way that does not affect the essence. Instead of “The report to the Supervisor of Banks is not a substitute for a report pursuant to Proper Conduct of Banking Business Directive 301,” “The report to the Supervisor of Banks...is not a substitute for other reports pursuant to directives of the Banking Supervision Department directives” shall appear.

      Explanatory remarks

      The wording of this Section is amended in order to make it clear that the reporting required under this Directive is not a substitute for other reports that the Banking Supervision Department requires.

Commencement

  17. The amendments to this Directive as set forth in this Circular shall go into effect three months after the circular is published on the Bank of Israel Web site.

Update

  18. Updated Proper Conduct of Banking Business Directive file pages are attached. Following is the update:

      Remove page: (9/16) [5] 351-1-2

      Insert page: (09/24) [6] 351-1-3

Respectfully,

Daniel Hahiashvili

Supervisor of Banks