2020-02-26

Regulation on outsourcing the bank's activities and operations approved by Decision of the Executive Board of the National Bank of Moldova no.46 of February 26, 2020

The Executive Board of the National Bank of Moldova issued Decision no. 46 to approve a new Regulation establishing the regulatory framework for banks' outsourcing activities. This Regulation mandates rigorous supplier evaluation, specific contract requirements, and prior approval procedures for outsourcing material activities while clarifying exemptions for standard procurement. It also repeals previous outsourcing rules and sets transitional deadlines for banks to align existing contracts and internal procedures with the new standards.


Moldova

National Bank of Moldova


Regulation on outsourcing the bank's activities and operations, approved by Decision of the Executive Board of the National Bank of Moldova no.46 of February 26, 2020

DECISION for the approval of the Regulation on the outsourcing of the bank's activities and operations and the modification of some normative acts of the National Bank of Moldova

no. 46 of February 26, 2020

REGISTERED: Ministry of Justice of the Republic of Moldova no.1545 as of 05.03.2020

Pursuant to art.5 paragraph (1) letter d), art.11 paragraph (1), art.27 paragraph (1) letter c), art.44 letter a) of the Law no. 548/1995 regarding the National Bank of Moldova (republished in the Official Monitor of the Republic of Moldova, 2015, no.297-300, art.544), with subsequent amendments, and art.82 of the Law no.202 / 2017 on the activity of banks (Official Monitor of the Republic of Moldova, 2017, no.434-439, art.727), with subsequent amendments, the Executive Board of the National Bank of Moldova DECIDES:

  1. The Regulation on the outsourcing of the bank's activities and operations is approved (annexed).
  2. The Regulation on the outsourcing of the bank's activities and operations, approved by the Decision of the Board of Directors of the National Bank of Moldova no. 241/2011 (Official Monitor of the Republic of Moldova, 2011, no. 227-232, art. 2099), with subsequent amendments, is repealed.
  3. In point 17 of the Regulation on the external audit of banks, approved by Decision of the Executive Board of the National Bank of Moldova no. 118/2018 (Official Monitor of the Republic of Moldova, 2018, no. 183-194, art. 908), the text "Administration Council of the National Bank of Moldova no. 241 of November 3, 2011" is replaced by the text "Executive Board of the National Bank of Moldova no. 46/2020".
  4. In point 68 of the Banking Management Framework Regulation, approved by the Decision of the Executive Board of the National Bank of Moldova no. 322/2018 (Official Monitor of the Republic of Moldova, 2019, no. 1-5, art. 56), the text "Administration Council of the National Bank of Moldova no. 241 of November 3, 2011" is replaced by the text "Executive Board of the National Bank of Moldova no. 46/2020".
  5. In column number 4, table ORD 3.3D and point 31, the Model for drawing up the Report on miscellaneous information from the Instruction on how to prepare and present by banks the reports for prudential purposes, approved by the Decision of the Administration Council of the National Bank of Moldova no.279 / 2011 (Official Monitor of the Republic of Moldova, 2011, no.216-221, art.2008), the word "permission" is replaced by the words "prior approval".
  6. The application and the documents submitted to the National Bank of Moldova for obtaining the prior approval of the National Bank of Moldova regarding the outsourcing of material and unresolved activities at the date of entry into force of this decision shall be examined and resolved in accordance with the provisions of point 1., provided that they are completed by the bank within a maximum of 30 days from the date of entry into force of this decision. The application and the documents shall be examined in accordance with the time limits laid down in Chapter III of the Regulation referred to in point 1, calculated from the date of completion of the set of documents. If the application and the documents are not completed within the specified term, the National Bank of Moldova shall inform the bank about the termination of the administrative procedure.
  7. The bank that outsourced activities and operations until the date of entry into force of this decision:

  1. is considered to have the prior approval of the National Bank of Moldova - in case of outsourcing of activities of material importance with the permission of the National Bank of Moldova;
  2. shall re-perform, in accordance with the provisions of the regulation mentioned in point 1 of this decision, the outsourcing contract and in case of outsourcing the material activity and shall submit to the National Bank of Moldova within 4 months from the date of entry into force of this decision;
  3. shall carry out, in accordance with the provisions of the regulation mentioned in point 1 of this decision, the internal regulations regarding the evaluation, management, control of outsourced activities and operations within 4 months from the date of entry into force of this decision;
  4. will ensure, in case of outsourcing ICT of material importance, by derogation from sub-points 2) and 3) of this point, compliance with the provisions of the regulation mentioned in point 1 of this decision, within 18 months from the date of entry into force of this decision.
  8. This decision shall enter into force upon the expiry of the period of one month from the date of publication in the Official Monitor of the Republic of Moldova.

The chairman of the Executive Board Octavian ARMAȘU

Approved by Decision of the Executive Board of the National Bank of Moldova no. 46 of February 26, 2020

REGULATION on outsourcing the bank's activities and operations

Chapter I GENERAL DISPOSITIONS

  1. This Regulation establishes the regulatory framework for the outsourcing of the bank's activities / operations, which includes minimum requirements for the evaluation of the supplier by the bank, minimum requirements for the outsourcing contract of the bank's activities / operations, particularities of outsourcing material activities, management of the risks associated with outsourcing, notification and reporting of outsourcing and conducting external audit of outsourced activities / operations, and provisions on chain outsourcing.
  2. The definitions and terms used in this regulation have the meanings provided in Law no. 202/2017 on the activity of banks (hereinafter - Law no. 202/2017), Law no.271/2017 on Audits of Financial Statements, in the normative acts developed in their application and in the Regulation on minimum requirements for information systems and communication of banks, approved by the Decision of the Executive Board of the National Bank of Moldova no.47 / 2018. For the purposes of this Regulation, the following abbreviations shall mean:
  1. CISA (Certified Information Systems Auditor) – auditor certified in the field of information systems, with certification issued by the Information Systems Audit and Control Association (ISACA), international professional association focused on IT governance;
  2. QSA (Qualified Security Assessor) – certification issued by the Payment Card Industry Security Standards Council (PCI SSC);
  3. CISSP (Certified Information System Security Professional) – certification issued by the International Information Systems Security Certification Consortium ((ISC)²).
  3. This Regulation shall apply to banks, legal entities of the Republic of Moldova, branches of banks from other States, which are licensed by the National Bank of Moldova, hereinafter referred to as "banks".
  4. Outsourcing will not have as effect the situations provided in art.82 par.6 let. b) of Law no. 202/2017.
  5. The outsourcing of activities for attracting deposits or granting loans is carried out under the conditions provided in art. 82 paragraph (2) of Law no. 202/2017.
  6. The final responsibility for the proper management of the risks associated with the outsourced activities / operations rests with the bank.
  7. The Bank shall have the primary responsibility for assessing the adequacy of the provider to the requirements set out in this Regulation.
  8. The Bank is responsible for complying with the provisions of the normative acts related to the outsourcing process, as well as for ensuring the supervision of the outsourced activities / operations.
  9. The acquisition by the bank of the following goods and services is not considered an outsourcing:
  1. activities that can be carried out, according to the express provisions of the legislation, only by a supplier, including the external audit;
  2. market information services, including the provision of data by Bloomberg, Moody's, Standard & Poor's;

  3. services provided through the global network infrastructures of payment card payment systems, including Visa, Master Card;
  4. the services of clearing and settlement systems or other similar structures in order to provide clearing and settlement services between clearing houses, central counterparties (partners) and settlement institutions, on the one hand, and their members, on the other;
  5. activities performed through global financial messaging infrastructures that are subject to supervision by the relevant authorities, including the SWIFT system;
  6. correspondent banking services;
  7. purchases of goods and services that are not carried out by the bank, including the services of an architect, granting a legal opinion and representation before the courts and administrative bodies, cleaning, gardening and maintenance services of the bank's offices, medical services, car maintenance services, catering services, automatic product distribution services, administrative services, travel services, registration services, reception, secretarial and telephone exchange operators, purchases of goods (payment cards, payment card readers, office supplies, personal computers, furniture) or utilities (electricity, gas, water, telephone line);
  8. activities / operations that do not involve suppliers' access to information about the bank's customers, which constitutes banking secrecy or other confidential information regarding customers and their activities or information about the activities carried out by the bank.

10. The Bank discloses the information regarding the outsourcing of the bank's activities / operations as provided in the regulations regarding the publication by the banks of the Republic of Moldova of the prudential information and the information related to their activities.

Chapter II SUPPLIER EVALUATION AND OUTSOURCING CONTRACT

11. The Bank, before concluding the outsourcing contract, evaluates the supplier, except for one bank, a legal entity from the Republic of Moldova, and a branch of the bank from another state, in the context of the business reputation taking into account the provisions of item 12. The supplier is considered to have a good business reputation if there is no negative information regarding the professional competence in carrying out the outsourced activity / operation and its integrity.

12. The bank, when evaluating the supplier according to item 11, will take into account at least the following:

  1. the supplier's business model and its position on the market (nature, scale, complexity of its business, financial situation, including main performance indicators, organizational structure and ownership structure of the supplier, and group structure, if any);
  2. the results of the evaluations and reviews reflected in the last evaluation report, if the supplier is supervised by a competent authority;
  3. internal audit and / or external audit reports for the last year of the supplier before outsourcing the activity / operation of the bank, if any;
  4. information on the criminal record and prosecution, sanctions applied to the supplier under tax and customs legislation, as well as on the measures and sanctions applied by any supervisory authority or professional body in the economic field in relation to the supplier;
  5. information on the availability of policies related to the confidentiality and security of data held as a result of outsourcing.

The method of requesting and evaluating the information, on the basis of which the evaluation of the supplier according to this item will be performed, the form in which it is presented to the bank (declarations on own responsibility, certificates or other documents issued by public authorities or other entities) is established in the internal regulations of the bank.

13. The Bank shall record in writing the results of the assessment referred to in item 11, including the final conclusion on the supplier's compliance with the criteria set out in the Bank's internal regulations regarding the outsourcing of its activities / operations and the requirements of this Regulation.

14. Any outsourcing must be the subject of an outsourcing contract which is concluded in writing and contains at least the following:

  1. detailed description of the outsourced activity / operation;
  2. quantitative and qualitative requirements specific to the outsourcing activity / operation, allowing the bank to assess and monitor, during the contract, whether its development / performance is appropriate;
  3. specifying the place where the outsourced activity / operation takes place, including the obligation of the supplier to inform the bank in case of change of the respective location;
  4. clearly defining the rights and obligations of the bank and the supplier, aiming at the good execution of the outsourced activities / operations and ensuring the observance of the prudential requirements during the contract;
  5. unilateral termination clauses by the bank allowing the transfer of the activity / operation to another supplier approved by the bank or its reintegration into the bank and which include at least the following situations: a) in case the supplier violates the applicable law, regulations and / or provisions of the outsourcing contract; b) if the bank identifies impediments that negatively influence the performance of the outsourced activity / operation; c) if there are deficiencies in the management and security of confidential, personal or other data or information and / or; d) in case the termination of the contract is prescribed by the National Bank of Moldova;
  6. provisions related to the protection of information constituting banking secrecy and other secrets protected by law, including in the field of personal data protection, processing of this information and keeping these secrets by the provider, at least to the same extent as the bank;
  7. provisions related to the permanent monitoring and evaluation by the bank of the manner of execution of the contract by the supplier, so that it can promptly take the necessary measures;
  8. establishing the obligation on the supplier: a) to make available to the bank any information, whenever necessary, regarding the outsourced activity / operation; b) to allow the full access of the internal audit within the bank to the information processed by the supplier related to the object of the outsourcing contract and the inspection, as well as the audit, without restrictions, of the respective information by the external auditor of the bank; c) to allow the direct access of the persons mentioned in art.751 paragraph (1) of Law no.548 / 1995 regarding the National Bank of Moldova to the information of the supplier, which are processed by the bank, related to the object of the outsourcing contract, as well as the performance by the National Bank of Moldova of field controls (inspections) according to the Regulation on field controls (inspections) at banks, approved by the Decision of the Executive Board of the National Bank of Moldova no. 282/2018; d) to request the prior consent of the bank for chain outsourcing;
  9. setting the appropriate contract term and transition period, in case the supplier, after the termination of the outsourcing contract, would continue to provide the outsourced activity / operation;
  10. detailed description of the rights and obligations of the parties in case of early termination of the contract, in order to ensure the continuity of the activity / performance of the operation;
  11. provisions on ensuring the continuity of the outsourced activity / operation, including as a result of the transfer of rights and obligations arising from the outsourcing contract, in case of application of one or more resolution instruments according to Law no. 232/2016 on banks' recovery and resolution;

  12. exposing the way of resolving disputes;
  13. other provisions regarding the activity of banks that do not contradict the normative acts regarding the activity of banks, competition, prevention and combating money laundering and terrorist financing, the outsourcing process approved by the National Bank of Moldova, as well as the bank's internal policies and procedures.

15. When preparing the outsourcing contract, the bank will take into account the level of monitoring, evaluation, inspection and auditing which will be proportional to the size, risk profile, nature and business model, scope and complexity of the outsourced activity / operation.

16. If the outsourcing contract includes several types of outsourced activities / operations, the bank will set out in the contract the aspects that include all these types.

17. For the purposes of item 14 sub-paragraph 2), when assessing the appropriateness of the outsourced activity / operation by the supplier, the bank may use the information from the reports on the outsourced activity / operation prepared by the internal audit and / or, in the case of outsourcing of the material activity, the reports prepared by the external audit of the bank and / or by the internal audit and / or the external audit of the supplier.

18. The National Bank of Moldova has the right to prescribe the termination of the outsourcing contract in the cases provided for in Article 82 paragraph (9) of Law no. 202/2017.

Chapter III PARTICULARITIES OF OUTSOURCING ACTIVITIES OF MATERIAL IMPORTANCE

19. The Bank outsources activities of material importance only after obtaining the prior approval of the National Bank of Moldova, in accordance with the requirements established in this chapter.

20. The Bank shall submit to the National Bank of Moldova an application for the prior approval of the National Bank of Moldova, to which at least the following documents and information shall be attached:

  1. the decision regarding the outsourcing of the activity of material importance issued by the management body authorized by law or statute;
  2. the results of the supplier's evaluation according to item 13;
  3. the economic substantiation of the outsourcing of the material importance activity and the detailed description of the outsourced material activity and of the reasons for which this activity was qualified as one of material importance; the risk analysis and management plan associated with the outsourcing of the material activity, including the measures to be implemented by the bank in order to ensure stability, performance and continuity at the level of the activity in question;
  4. the estimated impact on the bank's financial situation and performance following outsourcing;
  5. presentation of information about the supplier, including at least: name, headquarters, types of activity, capacity, resources, including human, IT and financial, operating market and its market position, organizational structure, relevant experience data employees responsible for carrying out the material activity outsourced with the annex of the certificate / performance qualifications, if any, the supplier's business model, nature, scope and complexity of its activity, financial statements for at least the last 3 years, indication of the supplier's group membership which also includes specifying whether or not to include it in consolidated group supervision;
  6. the draft outsourcing contract;
  7. the internal regulations of the bank regarding the activity of outsourced material importance, approved by the management body authorized by the statute or law, which contain at least the following: a) the criteria for selecting the supplier according to the outsourced activity / operation; b) the principles used in the outsourcing process taking into account the specifics of the outsourced activity / operation; c) description of the way of reintegration of the respective activity in the bank's activity, of the risk assessment framework associated with the activity of outsourced material importance and of its evaluation, management and control process, according to items 31 and 32; d) the requirements regarding the adjustment and improvement of the internal control mechanism and the internal audit function, of the internal reporting system, including reporting to the bank's management body on changes in the risk profile related to the outsourced activity / operation, in order to ensure that outsourced material activity does not affect the bank's effective corporate governance;
  8. copy, signed by the bank, of the supplier's license or authorization, if any, unless the potential supplier is a bank of the Republic of Moldova or a non-bank payment service provider, licensed according to Law no. 114/2012 on payment services and electronic money, for carrying out the activity to be outsourced, valid on the date of submission of the application.

21. The determination of the material importance of the outsourced activities is performed according to the provisions established in art. 82 paragraph (3) of Law no. 202/2017.

22. The application, the documents and the information mentioned in item 20 shall be drawn up in Romanian and shall be signed by the person authorized by the bank.

23. If the documents and / or information specified in item 20 are incomplete, the National Bank of Moldova shall notify the bank in writing of this fact within 10 working days from the date of submission of the application. The Bank, within 20 working days from the date of receipt of the letter from the National Bank of Moldova, completes and submits to the National Bank of Moldova the missing documents and / or information.

24. If the bank does not complete the set of documents and information within the term provided in item 23, the National Bank of Moldova shall inform the bank about the termination of the administrative procedure within 3 working days from the expiration of the granted term.

25. Within 30 days from the date of receipt of the complete set of documents in accordance with this chapter, the National Bank of Moldova shall issue prior approval for the outsourcing of material activity or reject the application, informing the bank in writing of its decision.

26. If the documents and information submitted pursuant to this Chapter are insufficient to take a decision on the application for prior approval regarding the outsourcing of the material activity, the National Bank of Moldova is entitled to request the submission of additional documents and information. The National Bank of Moldova may set a longer deadline for issuing the decision provided for in item 25, which shall not exceed 90 days, under the conditions of the Administrative Code, with the information of the bank.

27. The Bank is obliged to present the additional information and documents within the term indicated by the National Bank of Moldova, period during which the term provided in item 25, as the case may be, item 26, is suspended.

28. The prior approval of the National Bank of Moldova on the outsourcing of the material activity is not transferable to another person and is valid only during the outsourcing contract concluded between the bank and the supplier.

29. In case of rejection of the application for obtaining the prior approval of the National Bank of Moldova regarding the outsourcing of the material activity, the grounds on which the application is rejected shall be indicated. The following are considered as grounds for rejecting the request for prior approval of the National Bank of Moldova on the outsourcing of material activity:

  1. presentation to the National Bank of Moldova of erroneous information for the decision regarding the issuance of prior approval regarding the outsourcing of the activity of material importance and / or;
  2. if the information available to the National Bank of Moldova, including the results of the assessment referred to in item 13 and / or any facts or circumstances known to the National Bank of Moldova raises suspicion that the supplier does not have a good business reputation;
  3. failure to present the documents and information provided in item 26, and / or;

  4. non-compliance of the draft outsourcing contract with the minimum requirements specified in Chapter II;
  5. the non-compliance of the bank's activity with the provisions of Law no. 202/2017 and of the normative acts adopted for its execution as a result of the outsourcing of the respective activity;
  6. the finding of disproportionality, including the insufficiency of the bank's control measures related to the risks associated with outsourcing or the finding of significant risks disproportionate to the benefits invoked by the bank.

Chapter IV MANAGEMENT OF RISKS ASSOCIATED WITH OUTSOURCING

30. The Bank allocates sufficient resources to ensure compliance with the outsourcing requirements set out by the National Bank of Moldova in regulations and takes the necessary measures to ensure the continuity of outsourced activities / operations, such as documenting and monitoring outsourced activities / operations, including chain outsourcing.

31. The Bank, taking into account the principle of proportionality, establishes and ensures the implementation of the outsourcing policy, which will include the development of the main stages of the outsourcing process, defining the principles, responsibilities and processes related to outsourcing, including how to manage risks related to the outsourced activity / operation, at individual level, as appropriate, at consolidated level, through its internal regulations, which include at least the following:

  1. establishing the responsibilities of the management body, including its involvement, as the case may be: a) in making decisions regarding the outsourcing of the activity of material importance; b) ensuring the evaluation of the supplier, except for a bank, a legal entity from the Republic of Moldova, and a branch of the bank from another state, at the pre-contractual stage and periodically during the contractual stage based on internal regulations; c) proper monitoring and evaluation of the day-to-day supervision of the bank's activity / operation, including the management of risks associated with outsourcing, financial performance, as well as the organizational structure / structure of the supplier's owners, so that any necessary measures can be taken promptly;
  2. involvement of business lines and internal control functions regarding the outsourcing activity / operation;
  3. outsourcing planning, which includes at least the following: a) explicitly taking into account, when performing the risk analysis before outsourcing, the potential effects of the outsourcing of the activity / operation on certain important activities within the bank; b) establishing the terms, conditions for carrying out the outsourced activities / operations and the requirements regarding the outsourced activity / operation, including the selection requirements of the supplier, taking into account the fact that it has sufficient resources, skills, competences, appropriate ethical standards or a code of conduct, taking into account the quality of the activity / operation outsourced by it; c) the criteria and processes for identifying activities of material importance; d) procedures for identifying, assessing, monitoring and managing the risks associated with the outsourced activity / operation, including the impact on the bank's financial activity and business continuity, the risks the bank may face as a result of outsourcing, the cost-benefit of the outsourcing project, and on establishing the methods to be used for managing these risks, on a pro rata basis; e) procedures for identifying, evaluating, managing and mitigating potential conflicts of interest within the outsourcing / chain outsourcing process; f) planning the continuity of the outsourced activity; g) the process of approving the outsourcing contracts;

  4. establishing the conditions and the manner of carrying out the external audit of the outsourced activity / operation;
  5. establishing the implementation, monitoring and management of the outsourcing / chain outsourcing process, which will contain at least the following: a) periodic assessment of the business reputation of the supplier, except for a bank, a legal entity from the Republic of Moldova, and a branch of a bank from another state, taking into account the provisions of items 11-13; b) the procedures for notifying and responding to changes in the outsourcing process, as the case may be, outsourcing in the chain, or in the case of the supplier related to its financial position, organizational structures or ownership; c) independent review of compliance with the requirements of its internal regulations; d) outsourcing and recovery processes of outsourced activities / operations; e) in case of outsourcing of material importance, the monitoring of any index that shows that the supplier cannot efficiently perform the outsourced activity / operation in accordance with the normative acts related to the outsourcing process.
  6. establishing how to adjust and improve the internal control mechanism and internal audit function, the internal reporting system, including reporting to the bank's management body on changes in the risk profile of the outsourced activity / operation, to ensure that outsourced activity / operation does not affect the bank's ability to conduct effective corporate governance;
  7. clearly establishing the responsibilities within the bank for monitoring and administering the requirements set out in sub-paragraph 5) of this item and for documenting, managing and controlling the outsourcing process, as appropriate, chain outsourcing. The documentation will also include the obligation to keep an up-to-date register of all outsourcing contracts at bank level, if applicable, at consolidated level;
  8. the disposition, maintenance and periodic testing, at least once a year, of the continuity plan, exit and recovery plans, as a result of exceptional situations identified on the basis of the risk analysis, if the supplier expects to cease carrying out the activity / carrying out the operation before the deadline stated in the outsourcing contract;
  9. establishing the manner of preparation and presentation of reports on exposure to risks associated with outsourcing to the governing body empowered by law or statute.

32. The bank's internal regulations must differentiate at least the following:

  1. outsourcing the activity of material importance and other outsourced activities / operations;
  2. suppliers who hold a license or authorization and those who do not;
  3. outsourcing activities / operations within a group and outside the group; and
  4. outsourcing activities / operations to suppliers in the country and in another state.
  33. The bank, in case of outsourcing the activities / operations allowed to the bank according to art.14 of Law no.202 / 2017 to a supplier from another state, must ensure that the outsourcing of the activity / operation, insofar as its development requires licensing / authorization / registration by a competent authority in the home state of the provider, is carried out by a provider from another state licensed / authorized / registered to carry out that activity / operation and supervised by a relevant authority in the home state.
  34. The bank's internal regulations in the field of outsourcing the activity / operation will determine the important stages of an outsourcing:
  1. the decisional stage, consisting in making the decision to outsource the activity / operation or to modify an outsourcing contract / chain outsourcing contract;
  2. the pre-contractual stage, consisting in the evaluation of the supplier, except for a bank, legal entity from the Republic of Moldova, and a branch of the bank from another state, by the bank from the perspective of business reputation, including its capacity to carry out the activity outsourced in compliance with the quantitative and qualitative requirements established by the bank, as well as in the elaboration of the draft contract and the specifications regarding the development of the activity / performance of the outsourced operation;
  3. the contractual stage, consisting of:
    a) implementation, monitoring and management of an outsourcing contract which may include monitoring changes in the supplier's situation, such as significant changes in its financial position, organizational or ownership structures, strategies and profitability of its operations, outsourcing in chain of activity / operation, as appropriate;
    b) periodic evaluation, at least once a year, of the supplier, except for a bank, a legal entity from the Republic of Moldova, and a branch of the bank from another state, according to items 11- 13, in order to evaluate its capacity to and continue to fulfill its outsourcing obligations;
    c) monitoring the implementation of the outsourcing contract by the compliance and internal audit function;
    d) establishing the process of exit and / or recovery of outsourced activities / operations;
  4. the post-contractual stage, consisting in managing the situations of termination of the contract and interruption of the activity / performance of the outsourced operation by the supplier, which includes at least the establishment of strategies for termination and interruption of the activity / performance of the outsourced operation, the requirement of a plan documented exit and / or recovery for each outsourced material activity, if such an exit / recovery is considered possible taking into account possible interruptions of the outsourced activity / operation or unexpected termination of an outsourcing contract.

35. Periodic internal audit assesses the timeliness and adequacy of internal regulations, including the process of managing the risks associated with outsourcing.

36. The Bank to ensure a complex and efficient approach to the process of planning and ensuring the continuity of risk management activities, in particular operational risk and concentration risk, associated with outsourced activities / operations:

  1. ensures the correspondence of the policies regarding the management of the risks related to these activities / operations to the bank's business model;
  2. examine at least the plans and procedures for ensuring the continuity of outsourced activities and operations and recovery as a result of exceptional situations identified on the basis of the risk analysis, which is periodically tested at least once a year to ensure their compliance with policies; outsourcing procedures.

Chapter V NOTIFICATION AND REPORTING OF OUTSOURCING

37. During the outsourcing of activities of material importance, the Bank shall notify the National Bank of Moldova within 10 working days from the date of finding of one of the situations mentioned in this item about at least the following:

  1. changes in the information referred to in items 20 (6), 7) and / or 9), including changes resulting from the supplier's failure to comply with the conditions laid down in this Regulation;
  2. the possible reintegration within the bank of the activities of material importance outsourced, with the presentation of the detailed action plan and of the concrete terms;
  3. the result of the assessment performed according to item 34 sub-item 3) letter b), based on which the bank concludes that the supplier is no longer suitable to carry out the outsourced activity / operation and / or no longer complies with the requirements of this regulation and / or the internal regulations of the bank.
  4. any significant developments that could affect the activity of the provider of activities of material importance and / or its ability to fulfill its obligations, any measures taken by the bank in these cases, including change of supplier, changes in the termination of the outsourcing contract.

38. The Bank, within 10 working days after the outsourcing of an activity of material importance, notifies the National Bank of Moldova about this fact, enclosing the copy of the outsourcing contract.

39. The Bank reports to the National Bank of Moldova the information on the activities of material importance outsourced in accordance with the requirements of the normative acts of the National Bank of Moldova related to prudential reporting.

40. The Bank shall notify the National Bank of Moldova of any incident, a significant change in the risks associated with the outsourced activity / operation, which represents a situation or effect from the perspective of managing the risks related to the bank's activity that could lead to the interruption of the outsourced activity / operation and to the inability of the bank to comply with the relevant legislation within 5 working days from the detection of the incident.

41. The notifications mentioned in items 37 and 40 shall be drawn up in Romanian and shall be signed by the person authorized by the bank.

Chapter VI EXTERNAL AUDIT OF OUTSOURCED ACTIVITIES / OPERATIONS

42. The external audit of the outsourcing activities / operations is performed by an audit company approved by the National Bank of Moldova according to the criteria established in item 44.

43. The Bank performs the external audit annually on the activities of material outsourcing importance.

44. In the annual external audit of activities of material importance outsourced by the bank, the audit firm shall be considered approved by the National Bank of Moldova, if it meets at least the following criteria:

  1. has at least 3 years of experience in the field of auditing, of which one year in auditing within public interest entities;
  2. the experience of the audit firm includes audit projects similar to the one to be carried out in connection with the outsourced material activity;
  3. the audit company, as well as the team of the audit company designated for the audit mission of the outsourced material activity adhere to the best standards and practices in the field of audit and hold certificates attesting to this fact;
  4. in case of auditing the activity of outsourced material importance related to the processing of payments with payment cards: a) the audit company has a QSA certificate, in case the supplier is not subject to an annual audit carried out by a QSA-certified audit company, or; b) at least one auditor of the audit team has a CISA or CISSP certificate, in case the supplier is subject to an annual audit carried out by a QSA-certified audit company, and its report is available to the bank and the National Bank of Moldova.
  5. in the case of auditing outsourced information and communication technology services / systems (hereinafter - ICT outsourcing) of material importance, at least one auditor has an audit certificate (s) in CISA information systems.

45. In the framework of the annual external audit of material activities outsourced by the bank, the audit firm shall verify and assess at least the following aspects, but not be limited to them:

  1. adequacy and implementation of the bank's internal regulations in the field of outsourcing;
  2. compliance with the internal regulations of the supplier of the nature of the activities of material importance outsourced;
  3. the capacity of the supplier (financial, technological, organizational, etc.) for the qualitative, safe and continuous development of the outsourced activities of material importance;
  4. how to manage the risks and incidents related to outsourcing;
  5. compliance with the contractual framework of outsourcing.

46. The National Bank of Moldova may request the initiation of an external audit of outsourced activities / operations. The National Bank of Moldova submits requirements regarding the manner, form, period, conditions for conducting the verification and evaluation, including the requirements for the audit team, and the deadline for submitting the report of the external auditor of the outsourced activities / operations.

47. In the case of outsourcing of material activities, the National Bank of Moldova may, in issuing the prior approval referred to in item 19, establish specific requirements for the external audit of outsourced activities.

48. The external audit of the outsourced activity / operation may be carried out at the initiative and on behalf of the supplier, provided that the requirements set out in items 42-47 are met, as well as the presentation by the supplier of the external auditor's report of the outsourced activities / operations.

Chapter VII CHAIN OUTSOURCING

49. The Bank assesses and manages the risks associated with chain outsourcing.

50. The Bank may consent to a chain outsourcing only if the subcontractor assumes the same obligations as those imposed on the supplier, including the obligations in relation to the National Bank of Moldova.

51. Subcontracting is allowed only with the prior consent of the bank and under the same conditions as the outsourcing of activities / operations to the supplier.

52. The Bank shall review the outsourcing of the outsourced business / operation to ensure that operational and other risks do not increase as a result of inadequate control methods or other deficiencies of the supplier taking over those activities / operations.

53. The Bank shall take appropriate measures regarding the risks associated with the non-performance or improper performance of subcontracted activities / operations, which have a negative impact on the supplier's ability to comply with its contractual obligations.

54. Outsourcing of materially outsourced activities (chain outsourcing) is not allowed.

Chapter VIII OUTSOURCING OF INFORMATION AND COMMUNICATION TECHNOLOGY

Section 1. General dispositions

55. This Chapter applies to banks that intend to outsource ICT.

56. In the case of ICT outsourcing, which are activities of material importance to the bank, it shall obtain the prior approval of the National Bank of Moldova in accordance with the requirements set out in items 19-29, as appropriate, and in items 58-60, as the case.

57. The notification, reporting and conduct of the external audit on ICT outsourcing shall be carried out in accordance with the provisions of items 37-41, in the appropriate manner.

Section 2. ICT outsourcing contract and managing the risks associated with ICT outsourcing

58. In the case of ICT outsourcing, the bank shall draw up the draft ICT outsourcing contract with the supplier in accordance with the provisions of items 11-18, and shall respectively include at least:

  1. the period of prior notification regarding the changes that may occur to the contract;
  2. the obligation of the supplier, if necessary, to conclude a compulsory insurance contract related to specific risks;
  3. clauses on information security and business continuity, which will contain at least the following:
    a) the obligation of the supplier to comply with the ICT regulations and the standards of information security and continuity of activity applicable to the bank;
    b) specific security and continuity requirements submitted by the bank for outsourced ICT that store or contain personal data;
    c) requirements regarding the assurance of the accessibility, availability, integrity and confidentiality of the bank's data within the supplier's information system;
    d) the obligation of the supplier to store the bank's data within the computer systems and databases in a manner that allows the identification, export / extraction and deletion of data at the request of the bank;
    e) requirements towards the provider regarding the recovery time of ICT outsourcing services of material importance provided in case of incidents;
    f) the obligation of the supplier to develop recovery plans related to the ICT outsourcing services of material importance provided to the bank;
    g) the obligation of the provider to perform annually the continuity tests of the ICT outsourcing services of material importance with the reporting of the results to the bank.
  4. provisions regarding the bank's right of access to ICT and information, which will contain at least the following:
    a) the obligation of the provider to allow the National Bank of Moldova, or any other entity, or the bank delegates full access to all rooms, equipment and systems used to provide ICT outsourcing services;
    b) the right of the bank and the supervisory authorities to request and receive from the supplier, without undue delay, audit logs and related backups, as a result of investigations, audit missions or in case of interruption of the relationship with the supplier from any reasons;
    c) the right of the bank to outsourced ICT audits with the use for this purpose of the control reports of the supplier's supervisory authorities. Where appropriate, where relevant, the bank shall ensure the possibility of conducting penetration tests of ICT outsourcing services provided to the bank by the provider;
  5. provisions on ensuring the efficient management of risks, in case of termination of the relationship with the supplier, which will contain at least the following aspects regarding the right to terminate the relationship with the supplier:
    a) the possibility of terminating the relationship with the supplier at least in the following cases: non-compliance of the supplier with the legal provisions related to the field of ICT, information security, personal data or continuity of activity; identification of impediments capable of affecting the performance or quality of the provision of ICT outsourcing services by the provider; the existence of critical vulnerabilities that may affect the security of information and personal data of the bank's customers, which the provider refuses to remedy or the forecasted time for remediation may have a negative impact on the bank's customers;
    b) a transition period in case of termination of the relationship with the supplier or transfer to another supplier, with the obligation of the supplier to provide support to the bank;
    c) the obligation of the provider to create mechanisms that will allow the identification and deletion of all data related to the bank, including those related to the process of providing ICT outsourcing services by the provider, except when the data related to the bank need to be kept for compliance with the requirements of national legislation.

59. The Bank, in addition to the provisions of items 30-36, shall define requirements for ensuring the continuity of ICT, information security, performance and quality of ICT outsourcing and shall assess at least the following:

  1. the potential impact of any interruption or disruption in the provision of ICT outsourcing by the provider;
  2. the viability of short-term and long-term ICT outsourcing, including related financial costs;
  3. the impact of ICT outsourcing on the bank's employees;
  4. legal and reputational aspects related to the ICT outsourcing process;
  5. the impact of ICT outsourcing on the bank's ability to manage ICT and information security risks, to comply with legal and regulatory requirements;
  6. the impact of ICT outsourcing on the bank's ability to perform audit missions, including outsourced services;
  7. the impact of ICT outsourcing on operational risk;
  8. the potential impact of ICT outsourcing on the quality of services provided to the bank's clients;
  9. the risk of concentration, including the risk of contracting a dominant or non-substitutable supplier;
  10. the aggregate risk resulting from the outsourcing of several functions of the bank to the same provider;
  11. the risk of the bank losing control over ICT outsourcing;
  12. if the supplier is subject to supervision by the competent authorities;
  13. in the case of cloud system providers (distributed set of systems / data storage whose services are available on request, accessed through a network, for which the exact physical location is not known), the risks associated with the type of cloud used (public / private / hybrid) and the physical location of data storage / processing;
  14. portability risk of the technologies used by the supplier;
  15. the possibility to expand or reduce the volume of ICT outsourcing without revising the contractual arrangements;
  16. the bank's ability to transfer ICT outsourcing to another provider, including estimated costs, time required, difficulties that may arise;
  17. the bank's ability to reintegrate outsourced ICT into the bank's activities.

60. In the case of outsourcing ICT abroad, the bank is to identify the country risk associated with the provider concerned. When identifying the country risk associated with that provider, the bank will assess at least the following:

  1. complexity of regulations on the provision of ICT outsourcing services, protection of personal data and insolvency;
  2. the risk of political instability that could have an impact on the supplier;
  3. the climatic and environmental risk where the supplier's equipment is located;
  4. cultural and / or linguistic issues regarding the bank's expectations regarding ICT outsourcing services;
  5. the time zone in which the supplier is located and the availability of its staff to remedy incidents in a timely manner.

61. In case of ICT outsourcing in the chain, the bank will comply with the provisions of items 49-54, in the appropriate way.

Section 3. Control of outsourced ICT activities

62. In order to ensure that it effectively manages the risks associated with the reintegration of outsourced ICT, the Bank shall take at least the following steps:

  1. elaboration of an outsourced ICT reintegration strategy, which will ensure the continuity of the bank's activities, compliance with the requirements of the regulatory framework and avoiding the impact on the quality of customer service in case of disruption of the relationship with the supplier;
  2. ensuring that the strategy provided in sub-paragraph 1) of this item will contain at least the following:
    a) the objectives of the strategy;
    b) impact analysis and risk analysis related to the process of reintegration of ICT outsourcing;
    c) identification of technical-organizational, human and financial resources, including the period necessary for the implementation of the strategy;
    d) allocation of roles and responsibilities for strategy management;
    e) critical success factors in the reintegration process;
    f) performance and quality indicators of outsourced services to be monitored by the bank and which will trigger the implementation of the strategy;
  3. reviewing, at least once a year, the strategy for the reintegration of outsourced ICT to ensure its viability.

63. The Bank, with the exception of its subsidiaries, to ensure the continuity of business in exceptional cases, for outsourced ICT of material importance, will comply at least with the following aspects:

  1. the allocation of sufficient technical resources to ensure, in accordance with the continuity plan, at the bank's headquarters the continuity of outsourced ICT and the ability to recover or adapt quickly to adverse situations or changes in the event of a major incident / exceptional situation at the supplier or the resolution authority of the resolution or liquidation procedure of the bank;
  2. possession of human resources that possess sufficient knowledge to ensure the need for reintegration / substitution / continuity in accordance with the bank's continuity plan, of outsourced ICT;
  3. development of continuity plans that allow, in optimal time, the full resumption at the bank's headquarters of any ICT of material importance outsourced;
  4. organizing, jointly with the supplier, the testing of ICT continuity plans of material importance outsourced with their re-establishment at the bank's headquarters;

64. In order to ensure effective oversight of ICT outsourcing, the Bank shall comply with the provisions of paragraph 35 and at least the following:

  1. sufficient allocation of technical, financial, including human, knowledge resources to ensure effective monitoring of ICT outsourcing;
  2. continuous monitoring of the performance and quality of ICT outsourcing services provided by the provider to ensure that they comply with the requirements set out in the contract. Performance evaluation can be performed through, but not limited to, the following sources: reports on service delivery by the provider, performance, quality, continuity indicators, independent reviews, certifications, continuity test reports;
  3. periodic review and reporting to the bank's management body on changes in the risk profile related to ICT outsourcing.