2018-06-17
The Supervisor of Banks issued directives requiring banking corporations to implement comprehensive group-level oversight and risk management frameworks for their overseas branches. The regulations mandate that Boards of Directors and Senior Management establish clear strategies, ensure adequate staffing and resources, and maintain independent central units to aggregate and analyze branch performance and risks. Specific requirements include rigorous compliance with anti-money laundering standards, regular external audits of high-risk areas, and the closure of branches that cannot be managed effectively within the group's risk appetite.
Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21)
Supervision of Overseas Branches Page 306-1

Supervision of Overseas Branches

Contents
A. General Remarks
B. Board of Directors
C. Senior Management
D. Compliance and Management of Anti-Money Laundering and Countering Financing of Terrorism Risks
E. Internal Audit

A. General Remarks

Introduction
(e) This Directive includes guidelines relating to banking groups’ activity at overseas branches and its oversight. It augments existing requirements in other Proper Conduct of Banking Business Directives and fine-tunes the guidelines that pertain to corporate governance and compliance. The requirements in this Directive shall apply insofar as they do not contradict the provisions of local statute and regulation.
(f) In accordance with the Basel Committee’s core principles of effective banking supervision, the Supervisor of Banks may limit the activities that a banking group may undertake and the location where they may take place, including the closure of overseas branches, if the Supervisor believes that a corporation’s resilience may be impaired because said activities may expose it or the banking group to aberrant risk and/or are not properly conducted; that supervision in the relevant jurisdiction does not comport with the risks inhering to the activity that takes place in said location; or that the Supervisor’s ability to carry out effective group supervision is impaired.
Given the current risk environment and past experience, the BSD believes that banking corporations should concentrate their activity at main overseas branches only, in a small number of jurisdictions, and on a size that will allow each banking corporation to allocate appropriate managerial resources, focus its activity, and acquire expertise in the management of risks in said jurisdictions.

Applicability
2. (a) This Directive shall apply to banking corporations with the exception of foreign banks and joint service companies.
(b) Cancelled.

Implementation of the Supervisor’s directives at overseas branches
3. In general, overseas branches shall act in accordance with the provisions of statute and regulation that apply to them and to their customers in the country of their activity.
However, since the directives of the Supervisor of Banks in Israel set best standards, the BSD expects banking corporations to act to apply the principles of Supervisor’s directives in subjects of corporate governance, control, and risk management at the overseas branches insofar as they do not contradict the provisions of local statute and regulation.

Definitions
4. “Risk-management framework”, “Risk tolerance”, “Risk appetite”: As these terms are defined in Proper Conduct of Banking Business Directive 310, “Risk Management” (hereinafter: Directive 310).
“Audit and control functions”: As defined in Proper Conduct of Banking Business Directive 301, “Board of Directors” (hereinafter: Directive 301).
“Overseas branches”: As defined in Directive 301.

B. Board of Directors

5. In accordance with Directive 301, the Board of Directors is responsible for determining the strategy and risk appetite of the banking group, including as it relates to overseas branches, and for approving the framework within which the various risks, including risks at these branches, are managed. In applying the aforesaid, the Board of Directors shall act as follows:
(a) The strategy of the banking group shall determine, inter alia, the countries in which the group wishes to operate and those in which it does not, in which activities each overseas branch may and may not engage, and the minimum size of a branch that will allow it to maintain adequate resources, on a scale and at the requisite professional level, for the optimal management of activity and optimal and independent management of the range of risks, including management of compliance risks, operational risks, legal risks, and the various financial risks (e.g., credit, market, interest, liquidity).
(b) When a banking group determines its strategy for activity at the overseas branches, it shall bear the following considerations inter alia in mind: its motives for establishing an overseas branch or sustaining the activity of an existing branch, the business objectives and the comparative advantage of the overseas branch in its activity environment, the contribution of overseas branches to the group; the risk appetite for the activity of overseas branches and for each branch separately, analysis of country risks; the ability to manage risks inherent in this activity at the banking corporation and at the overseas branch, including the ability to receive relevant and timely information; the quality of corporate governance at the overseas branch, including its management; and accrued experience in the overseas branches’ activity.
(c) During the transitional period that will accompany the implementation of the strategy as detailed in Section (a) supra, and insofar as the banking corporation engages in activity at its overseas branches that is inconsistent with this strategy, particularly if the activity is too small in scale to allow adequate resources to be maintained, the Board of Directors shall establish a program for the reduction of activity and closure of said overseas branch, to be implemented no later than December 31, 2020.

Supervision
6. Within the ambit of its duties as listed in Directive 301:
(a) The Board of Directors shall verify that the arrays of risk management, control, and audit of the banking corporation, at the level of the parent bank, operate on a group basis and that they are effective in respect of the activity of overseas branches, inter alia, in accordance with the requirements set forth in the various Proper Conduct of Banking Business Directives, particularly the following: Directive 310; Directive 308, “Compliance and the Compliance Function in a Banking Corporation” (hereinafter: Directive 308), Directive 307, “Internal Audit Function” (hereinafter: Directive 307), Directive 411, “Management of Anti-Money Laundering and Countering Financing of Terrorism Risks” (hereinafter: Directive 411), and Directive 361, “Cyber Defense Management.”
(b) The Board of Directors shall verify that for each overseas branch, external audits of focal points of risk at the overseas branch, including the audit and control environment of the focal point of risk and the quality of the audit and control functions’ work, are performed, which shall cover the following:
frequency of the internal audit examination shall be in accordance with the provisions of Directive 307, and see 12(d) below as well.
(c) The Board of Directors shall verify that management has assigned responsibility for aggregating and analyzing the status of the overseas branches to a certain unit of the banking corporation, as specified in Section 10 below.
(d) The Board of Directors shall hold periodic discussions on the overseas branches, at a frequency commensurate with the group activity at the overseas branches and with the branches’ level of risk exposure, and shall do so at least once per year in any case. The Board of Directors shall specify the reports that it shall receive ahead of said periodic discussions.

Risk-management committee
7. The Board of Directors committee for risk management shall, at least once per year, discuss the risk strategy of the overseas branches and evaluate their risk. In this discussion:
(a) The committee shall address itself, among other things, to the risk appetite, to an overall assessment of risks and of each material risk separately, to existing risks, and to evolving risks from a forward-looking perspective.
(b) The chief risk management officer, the risk manager of the overseas branch, and, as necessary, other risk-management and control functions representatives at the banking corporation or the branch, e.g., the compliance officer, the legal adviser, the cyber defense manager, etc., shall be in attendance.
(c) The committee shall make use of external experts’ assessments (e.g., review of local legal and regulatory changes and their possible effect on the branch’s risk profile), where necessary.

C. Senior Management

Group-level risk management
8. As part of its responsibility for implementing the group level risk management strategy, senior management:
(a) shall verify that the formation and implementation of a framework for the management of the various risks at the banking corporation (including credit, market, interest, liquidity, compliance, operating and cyber, legal, and reputation) make appropriate reference to risks at the overseas branches.
(b) shall implement an appropriate group level risk management framework as required under Directive 310. Within this generality, the officers at the banking corporation who serve as group functions, such as the risk manager, the chief compliance officer, and the general counsel, shall integrate the overseas branches into their purview of activity in a manner that is commensurate with the branches’ activity and their inherent risks.
(c) shall verify that no legal, regulatory, or other barriers exist that would prevent the implementation of the group level risk management framework at the overseas branches. Major weaknesses in receiving information from the overseas branches, including receiving it in a timely manner, shall be acknowledged and dealt with as a risk factor; see also Section 10(f) below.
(d) shall make sure that effective processes are in place, both at the overseas branches and at the banking corporation, for managing and monitoring the correction of deficiencies that the various audit and control functions discovered.

Effective risk management at the overseas branches
9. Senior management of the banking corporation shall verify the following:
(a) Each overseas branch must have in place an effective risk-management framework that corresponds to the changing legal and regulatory environment and complies with the guidelines specified in Directive 310, including organizational culture, determining risk appetite and controlling that the risks are in line with the risk appetite set forth, tools for detection, assessment and measurement of risks, and risk monitoring and reporting. An effective risk-management framework at an overseas branch shall serve as a defensive system from the standpoint of the banking corporation and shall also be examined by external audits as set forth in Section 6(b) supra.
(b) Each risk management function at each overseas branch must have adequate resources and be staffed by executives and personnel who have relevant professional knowledge, experience, and capabilities.
(c) Each overseas branch must have a computerized management information system that allows clear, accurate, relevant, and timely reporting on information to relevant functions at the overseas branch (including the Board of Directors, senior management, and the risk management function) and at the banking corporation.

Aggregate and analyzed view on overseas branches
10. Senior management shall place a central headquarters unit in charge of aggregating and analyzing the status of the overseas branches, under guidelines from the Board of Directors as set forth in Section 10 of Directive 301 (hereinafter: the central unit). The central unit shall meet the following requirements:
(a) Said unit shall be subordinate to a member of management, or one rank below, or to another senior employee who reports directly to the chief executive officer.
(b) Said unit shall be independent, i.e., involved neither in managing the overseas branches nor in making business decisions in regard to them.
(c) Said unit shall be responsible for aggregating and analyzing information relating, inter alia, to the overseas branch’s business results and strategic objectives, its exposure to the various risks, and main findings that emerge from internal and external audit reports. Said analysis shall relate to the existing situation but shall also be prospective, taking account of expected changes in the business, economic, legal regulatory environment, etc. The central unit shall cooperate with all relevant functions—business, control, risk-management, and audit—to obtain and analyze the information.
(d) Said unit shall present senior management and the Board of Directors, at least once per quarter, with a comprehensive overview covering all overseas branches and referring to each overseas branch separately. Said overview shall bring together the findings of its work and the conclusions derived therefrom.
(e) In this overview, said unit shall include information about material gaps between provisions concerning aspects of corporate governance, control, and risk management as they are applied by the overseas branches in accordance with domestic regulation and the principles of the Supervisor of Banks directives in these regards, where the principles of the Supervisor’s directives are stricter and were not adopted by the branches, along with an explanation of why they were not implemented.
(f) Banking corporations shall have policies and procedures in place that will ensure cooperation and information-sharing between the central unit and those responsible for risk management and control at the banking group and at the overseas branches, including risk managers and compliance officers. The types of information that the central unit needs—its content, its frequency, and the function responsible for the reporting—shall also be defined in procedures. The central unit shall be able to access all information necessary for appropriate coverage of activity and risks at the overseas branches; within this generality, the unit shall be entitled to receive information directly from the overseas branch. If the central unit or other audit and control function at the banking corporation finds it difficult to obtain information from the overseas branches, including in appropriate timeliness, the central unit shall report this to the management and the Board of Directors, attaching an explanation of the implications of not receiving the information or receiving it at a delay.

D. Compliance and Management of Anti-Money Laundering and Countering Financing of Terrorism Risks

11. Directive 308 establishes arrangements that are meant to ensure compliance by the banking corporation with laws and regulations in all jurisdictions where the corporation does business. Given the special importance of the matter, banking corporations shall implement the directive with emphasis on the following matters relating to overseas branches:
(a) Include in the group-level compliance policy a reference to each overseas branch of the banking corporation (including reference to another jurisdiction where statutes and regulation affect the activity of the banking corporation and/or of its branches). If there are gaps between group-level policy and the overseas branch policy, those gaps shall be noted in the group-level policy so that the appropriate forums of the banking corporation may discuss them.
(b) Verify that the chief compliance officer and the anti-money laundering and countering financing of terrorism officer (AML/CFT) have knowledge, tools, working methods, and resources commensurate with their responsibilities in respect of the overseas branches, with which they may bridge knowledge gaps that may exist in this respect, e.g., in regard to risks originating in customers’ cross-border activity and taxation aspects of relevance to customers. Where necessary, the chief compliance officer and the AML/CFT officer shall be assisted by external advisors to obtain knowledge that they need for their work vis-à-vis the overseas branches.
(c) Verify that the overseas branches’ compliance function and the compliance officer have the relevant knowledge and experience, the professional capabilities, and adequate resources to do their jobs and are acting in accordance with accepted and best standards both of the country of operation and of the parent corporation. Also, the banking corporation shall verify the inclusion of all areas of the overseas branch activity in the compliance function’s purview of responsibility, including high-risk areas such as private banking, trading-room activity, and portfolio management. The compliance area and the compliance function at every branch (including management of anti-money laundering and countering financing of terrorism risk) shall also be examined by means of external audits as set forth in Section 6(b) supra.
(d) Verify the existence of a mechanism that examines significant changes abroad in compliance directives and public enforcement policy as noted in Section 23(a) of Directive 308.
(e) The chief compliance officer shall report to the Board of Directors or to one of its committees (risk management or audit), at least once per year, about compliance risk management at the overseas branches, including exposures to compliance risks and the efficiency of the compliance system at each overseas branch, and shall also report immediately to the Board of Directors, or to one of its committees, about material compliance failures at the overseas branches.
(f) In regard to anti-money laundering and countering financing of terrorism risk management as required under Directive 411, banking corporations shall verify compliance with the directive at the overseas branches themselves. Banking corporations shall also make a specific reference to overseas branches in all processes of anti-money laundering and countering financing of terrorism risk management that take place at the parent corporation level and are compulsory under the directive, e.g., in establishing the risk-management policy, assessing the efficiency of risk management, and reporting to the Board of Directors (or to one of its committees).
(g) Extra stringency shall be applied in compliance risk management with respect to transparency requirements in managing customer accounts, particularly: prohibiting the opening and management of numbered accounts, code accounts, or accounts in fictitious names, and the treatment of trust arrangements, off-shore firms, and transactions in which credit is secured by a deposit owned by related parties (“back-to-back”).
Banking corporations shall verify, at the level of each overseas branch, that such activities are carried out only after the economic or business motivation of the manner of customer association or performance of activity is examined and understood, including obtaining supportive reference documents, and after the overseas branch takes necessary measures both under the provisions of local laws and regulations and in accordance with the directives of the Supervisor of Banks in Israel in the matter at hand.

E. Internal Audit

12. The internal audit function shall act in accordance with Directive 307 and shall take the following additional steps:
(a) When the internal auditor of the banking corporation is the internal auditor of the overseas branch, the function shall act in accordance with the standards set forth in Directive 307 in respect of internal auditing of the banking corporation, mutatis mutandis in regard to the nature of the branch’s activity, and shall be assisted by external advisors to obtain the information that it needs for said work.
(b) It shall verify that audits of the banking corporation’s group-level risk-management arrays, including the compliance function and the AML/CFT officer, examine their functioning in respect of the overseas branches and that they are being held at a frequency and in a manner commensurate with the types and degrees of risks at the overseas branches.
(c) It shall report to the audit committee on main findings in audit reports that pertain to overseas branches and also, as promptly as possible, on irregular findings revealed therein. Internal audit shall also present the committee with periodic assessments of the efficiency of the banking corporation’s supervision of the overseas branches as derived from audits that it carried out under Section (b) supra, audits of the central unit in the sense of this term under Section 10 supra, and additional audits.
(d) Each overseas branch’s internal-audit function shall be examined independently as set forth in Section 6(b) supra. Said examination shall use the format established in Section 14 of Directive 307 and shall be performed at least as frequently as the minimum set forth in Directive 307. The main findings of said audits shall also be reported to the audit committee of the banking corporation.

Updates

Circular no.   Version   Details             Date
2561           1         Original circular   April 24, 2018
2598           2         Revision            December 23, 2019
2669           3         Revision            September 30, 2021