2013-05-15
The Bank of Mongolia issued this evaluation model to monitor and improve corporate governance in commercial banks by providing a structured assessment framework. The document outlines specific criteria for transparency, shareholder rights, and board accountability, requiring banks to disclose financial data, ensure equal treatment of shareholders, and maintain independent board oversight. It mandates robust internal controls, compliance mechanisms, and risk management practices tailored to the size and complexity of each institution.
THE REGULATION ON THE IMPLEMENTATION OF THE CORPORATE GOVERNANCE PRINCIPLES FOR BANKS

"THE REGULATION ON THE IMPLEMENTATION OF THE CORPORATE GOVERNANCE PRINCIPLES FOR BANKS" (the Regulation) was enforced for the improvement of the corporate governance (CG) of the commercial banks (CBs) of Mongolia in December, 2006 by the Bank of Mongolia (BOM). Afterwards, a guideline (GL) was drafted as a supplementary document of the Regulation to further improve the CBs’ CG. On the other hand, after enforcement of the CG and the GL, it will be necessary to provide an evaluation model (EL) to monitor the progress of CG improvement for CBs and their stakeholders. Thus this EL was developed. Therefore it is recommended that the EL is used as reference to the CG and the GL.

The form and content of policies and procedures mentioned in the EL are expected to be consistent with the size and complexity of CBs. Many policies and procedures may be communicated informally in small CBs, while larger CBs would normally require more formal and comprehensive written guidance. It is significant that sound CG is maintained in CBs in ways suitable to each CB.

Ⅰ TRANSPARENCY

No. Description class

1 Is the following information disclosed to the public through a web site or an annual report?

(1) 1/ Audited financial statements etc.;
The audited financial statements, the footnote, and the audit report

(2) 2/ Company objectives;
In addition to the company objectives, the bank’s code or policy of business conduct and/or ethics, as well as any applicable governance structures and policies (in particular, the content of corporate governance codes or policies and the process of implementing those, as well as a self-assessment by the board)

(3) 3/ Names and information in voting shares of bigger shareholders;
The major share ownership and voting rights, beneficial owners, major shareholder participation on the board or in senior management positions, shareholder meetings.

(4) 4/ Information on qualification and experience of board director, board members, and senior management;
The board structure (e.g. bylaws, size, membership, selection process, qualifications, other directorships, criteria for independence, material interests in transactions or matters affecting the bank, and committee membership, charters and responsibilities) and senior management structure (e.g. responsibilities, reporting lines, qualifications and experience)
If CBs disclose information about the incentive structure of the bank (e.g. remuneration policies, director and executive compensation, bonuses, stock options), the transparency of such CB is evaluated high.

(5) 5/ Transactions to connected parties such as loans, guarantees, and l/c;
The major transactions between the controlling shareholders, the related company, the BOD member etc. and how such transactions are treated appropriately based on the Arm's Length Rule

(6) 6/ Significant exposures which may prevent bank’s financial standing;
Matters regarding CB’s business continuity etc.

(7) 7/ Organisational structure.
The organizational chart, business lines, subsidiaries and affiliates, management committees

Ⅱ SHAREHOLDERS’ STRUCTURE

No. Description class

1 A closed bank represented by a family-owned company
(1) Are there any controlling shareholders who hinder good governance?
Does every organization in the bank, including the BOD, really function in its original role, not nominally?
Are there any cases where rules are prepared but not adequately followed?
Do the following cases seem to bring a problem in the closed bank?
- Long-term management by the founding family
- Excessive autocratic management by the management top
- Expansion of the financing to the specific creditor

(2) In the case mentioned above (i.e. 1(1)), do shareholders and the BOD recognize that there may be hidden significant risk?

(3) To mitigate the risk mentioned above (i.e. 1(1)), for example, does the CB invite an independent third person as a member of the BOD and a member of the audit committee? And do the shareholders make sure the management of the CB is not led in an inappropriate direction?

2 Is a CB a subsidiary company of the other company?

(1) Is a CB a subsidiary company as a part of a broader group structure? In this case, does the BOD or the management of the parent company provide the CB with adequate strategy and policy to carry out their role in accordance with CG? Also do they consider which structure is the best to carry out sound CG for group companies including the CB?

(2) In discharging the CG responsibilities of the BOD or the management of the parent company, is the parent company’s BOD aware of the material risks and issues that might affect group companies? Also does the parent BOD exercise adequate oversight over the activities of a CB as a subsidiary company?

(3) Even under a direction by the parent company, in the case of a matter that is inadequate from the viewpoint of the CG of the CB, does the BOD of a CB retain
its CG responsibilities for the CB itself, including the soundness of the CB activity and the protection of the interests of depositors? Also does the BOD of a CB ensure that the CB complies with its legal and regulatory obligations?

(4) When a CB is a part of a non-financial group, it is essentially important that the CB recognizes and fulfills the responsibility that the CB is operated in a safe and sound manner. Do the BODs of both the parent company and the CB recognize that?

Ⅲ GOVERNANCE BY THE SHAREHOLDERS

No. Description rank

1 The genuine possibilities to shareholders to exercise their rights

(1) Do shareholders have full possibilities to exercise the rights certified by shares and retain conditions to freely trade or transfer their owned shares within the legal framework to other parties?

(2) Do shareholders participate in the management of a company through taking part in shareholder meetings and casting votes on issues under discussion? In order to exercise this right, are the following conditions met?
- Procedures for calling a general shareholders meeting should give sufficient time for shareholders to prepare for attendance;
- Shareholders should have an opportunity to see the list of people, legal entities and officials authorized to participate in the shareholders meetings;
- Date, time and place for a meeting should be convenient for shareholders to participate in the meeting;
- There should be no hindrance for shareholders with exercising
their rights to request call for meeting or place an issue on agenda.

(3) Do shareholders have a right to be involved in dividend distribution process and receive dividends? In this regard, are the following conditions ensured?
- Mechanism of adopting and distributing the amount of dividends shall be clear and transparent to shareholders.
- Unless otherwise stated in law, company by-laws and shareholders meeting decision, company net profits shall be determined accurately and proceeds should be distributed in the form of dividends.
- Shareholders should be given sufficient information on conditions of dividends distribution and payout procedures.
- Financial and other related information forming the basis of a decision on dividends payout should be transparent and clear for shareholders.
- There should be no hindrance for shareholders in obtaining their dividends.
- Appropriate conditions should be set for distribution of dividends within the timeframe set.
- In case dividends are not fully distributed within the appropriate timeframe, then shareholders should be given opportunity to receive dividends at their preferred period.

(4) Do shareholders have the right to regularly and timely obtain information regarding the company? Is the right implemented as follows?
- Shareholders should be given the material information required for
making a decision on issues on agenda for the purposes of meeting organization.
- An annual statement of company activities should fully include the necessary information regarding corporate activities because shareholders are required to provide opinion on such activities for the reported period.
- A designated person (e.g. a BOD secretary) should be employed for the purposes of supplying the shareholders with sufficient information of the CB activity.

(5) Are shareholders prohibited from misusing their rights? Do shareholders not commit acts or non-acts which may harm other shareholders and the CB?

2 The principle of equal treatment for shareholders in a same class.

(1) In order to increase the confidence of shareholders in the CB, are shareholders equally treated? Is the principle implemented as follows?
- When organizing a shareholder meeting, possibilities for participants of the meeting to voice their opinions and raise interested questions should be equally provided.
- Shareholders, both domestic and foreign, should be given the right to cast a vote through a nominee or a voting form.
- Undisclosed or confidential information which would influence the value of securities or give advantage in securities trading should be prohibited.
- Organization of elections of the BOD members and of the executive director should be transparent based on distribution of complete information to shareholders.
- Company management, executive director and other persons who may become interested parties in certain deals should disclose themselves.
- Where a conflict of interests between the CB and a shareholder or between shareholders infringes upon the interests of the CB, all necessary measures should be taken.

Ⅳ ACCOUNTABILITIES AND AUTHORITIES OF THE BOARD

No. Description rank

1 The BOD members’ awareness

(1) Does each BOD member understand that the BOD is entrusted with important responsibilities, authority and duties (i.e. duty of loyalty and duty of care) on all bank management matters by shareholders? In addition, does each BOD member understand that it is important to make business ethics a top priority, and establish a framework to ensure business ethics work in practice?
Does each BOD member carry out his/her duty through useful discussion from a viewpoint of soundness and appropriateness of bank business at the BOD meeting?

2 Independence and objectivity of the BOD member

(1) Are the number and composition of the BOD members an adequate number and appropriate composition of directors who are capable of exercising judgment independent of the views of management, political interests or inappropriate outside interests? In addition, does the BOD have responsibilities to protect the CB from illegal or inappropriate actions, influences of dominant or controlling shareholders that are detrimental to, or not in the best
interest of, the bank and its shareholders?

(2) Does more than at least 1/3 (though advisably 2/3) of the BOD members consist of independent persons? Do independent members of the BOD fulfill the following criteria?
- Was not employed in the executive management of the bank during the last 3 years, and not employed currently
- Not affiliated/related to members of the executive team or controlling shareholders.
- Not a big customer of the bank, or its key officials /if total transactions made with a particular customer exceed 10 percent of the total assets of the bank, it should be considered to be a big customer/.

3 The number

(1) Even in the case that there are many BOD members, is it less than ten people?

4 Ability

(1) Do the BOD members have high integrity, enough experience and knowledge to supervise the CB management?

(2) In the case that the CB develops new services and advances to new markets, do BOD members possess enough knowledge and experience to prevent the senior management from advancing in the wrong direction in relation to bank management, and to prevent their bank from facing a serious risk? If BOD members recognize that the necessary knowledge/experience for banking business is insufficient, do BOD members acquire such knowledge/experience, e.g. through consulting an appropriate adviser from the outside, and maintain the proper ability to supervise the senior management?
5 Education of BOD member outside of CB

(1) It is necessary for the BOD member outside of CB to be familiar with the business of the CB. Does the CB provide necessary training programs or opportunities to discuss with relevant persons (e.g. CEO, BOD member inside of CB, employees)?

6 Election of the BOD member

(1) Is a rule for electing the BOD members clarified and disclosed? Does the rule for electing the BOD members satisfy the criteria regarding independence, objectivity and ability for the BOD members?

(2) Does the career of current BOD members satisfy the necessary conditions described in the rule for electing the BOD members?

(3) Is the chairman of the BOD meeting from outside the CB?

7 Calling and holding of the BOD meeting

(1) Are the procedures of calling the BOD meeting clarified? Is the schedule of the BOD meeting set so that each member recognizes the contents/agenda of the meeting beforehand and each member can attend?
In addition, disclosing each member’s record of attendance at the meetings to the outside is a method recommended to improve the transparency of the BOD. This disclosure of information will show that the meetings of the BOD are held effectively. Does the CB introduce such a way of disclosing?
Is the BOD meeting held at least semi-annually, though every month is recommended? In addition, if necessary, is the BOD meeting held
at any time?

(2) Is every important matter taken up as the agenda at the BOD meeting and adequately discussed there?
Does each BOD member carry out the given role to monitor the management of a CB, to guide the CB business in the appropriate direction through deep discussion at the BOD meeting, and to protect the CB from the CEO’s dogmatic actions?
Is special attention paid to the deliberation of transactions related to the conflict of interest and of the nomination / reward of the BOD member and senior management?

(3) From a viewpoint of check and balance, is it regulated by the BOD's rule that the decision on a loan exceeding a certain amount is always made by the BOD meeting, not by the CEO dogmatically?

8 Minutes of the meetings

(1) Are the minutes of the meetings created and maintained with the signature of all participants?
Are the following items to be discussed at the BOD meeting recorded in the minutes of the meetings with the necessary explanations and evidences?
- Status of risk management
- Status of compliance
- Status of protecting depositors
- Occurrence of injustice or troubles
- Any decisions made and process of such decisions
Is it ruled that necessary evidences should be maintained for a certain period with the minutes of meetings?
(2) Is it ruled that the members of the audit committee and supervisory board can easily access the minutes of meetings or the other necessary information to monitor the BOD members and the management?

9 Development of business policy and plan

(1) Does the BOD clearly establish the business policy of the CB to carry out the final goal? In addition, does the BOD develop the business plan based on such business policy and announce it thoroughly within the CB?
Even though a final goal, a business policy and a business plan are drafted by the CEO, does the BOD appropriately review those and not entrust the original role given to them?
Does the BOD adequately break down such final goal, business policy and business plan to each section within the CB, then make each section clearly understand those?

10 Legal Check

(1) Does the BOD build a system that supplements the abilities that each director lacks? In particular, does the BOD receive an opinion from a lawyer as to whether the rules developed by the CBs have any legal problems or not?

11 Conflict of interests ruling

(1) Is the rule to control transactions related to the conflict of interests established? For example, there are the following cases regarding the conflict of interests that CBs or the BOD should be careful of.
- The case of lending to officers, employees, directors or controlling shareholders
- The case of the bank entering into a business relationship with an
entity owned by one of the bank’s directors.
- The case of the bank entering into a business relationship with a related company where the bank is part of a group company.
In the cases that the BOD members having a conflict of interests are in a situation to influence the decision making process regarding such conflict of interests, for instance, is it prevented that such BOD members have the right to vote on agenda/matters related to such conflict of interest?

12 Arm’s length rule

(1) Is every transaction related to the conflict of interests (unless allowable under an appropriate and disclosed conflicts-of-interest policy) treated under the arm’s length rule?

13 Report to regulatory body

(1) Are serious issues related to the conflict of interests disclosed or reported to the regulatory body (e.g. BOM)?

14 Criteria or Condition for nominees of the senior management

(1) Are criteria or conditions for nominees of the senior management established? Does the current senior management satisfy the above criteria or conditions?

15 Disclosure of award to shareholders

(1) Does the BOD disclose the amount of award paid to the BOD members and the senior management including the CEO to shareholders every year?

16 Monitoring
(1) Is a framework developed to monitor and evaluate performance of the senior management? Is such framework appropriate? Does such monitoring and evaluation actually work?

(2) Does the BOD not merely review periodical reports by the senior management but also precisely grasp performance, including outcome, compliance and risk management, from the reports?
If the BOD judges such reporting is not sufficient, does the BOD request additional reports or information?
If necessary, does the BOD request reports from not only the senior management but also other relevant persons including internal auditors, to carry out the original role of the BOD?

17 Compliance

(1) Does every BOD member recognize that compliance is a main issue in keeping the credibility and integrity of the CB?
Does the BOD establish the policy of compliance and make all employees understand it?

(2) Does the BOD or the senior management develop internal rules or checklists based on the compliance policy? Are such rules or checklists reviewed from a legal viewpoint? Does the BOD or the senior management identify who or which section is in charge of compliance?

(3) Are the following items included in the internal rules or checklists for compliance policy?
- The role, duties and authority of the in-charge section or person
- The ability and career required of the in-charge section or person
- The guideline regarding collection, analysis and management of compliance information
- The guideline regarding monitoring
- The guideline regarding legal check of engagement documents etc.
- The guideline regarding training
- The guideline regarding recording and keeping documents
- The guideline regarding deliberation of new products
- The guideline regarding report to the BOD and the audit committee

(4) Does the BOD appoint a person at each section or branch, then establish a system in which such person adequately communicates with the in-charge section or person of compliance?

(5) Does the BOD make the senior management or the in-charge section/person of compliance prepare a compliance manual? Does the BOD make every section and employee follow such manual with the in-charge section/person of compliance? Does the compliance manual include the following points at least?
- Explanation of the relevant laws and regulations
- Procedures to be taken if she/he finds any issues related to compliance

(6) Does the BOD or the senior management adequately monitor compliance status and effectiveness of the current compliance framework?
If the BOD or the senior management finds any problem or weakness in the current framework, does the BOD or the senior management
immediately analyze the causes and elaborate countermeasures for that?

18 Money laundering

(1) Are internal rules or checklists regarding money laundering established? Are such rules or checklists reviewed from a legal viewpoint? Does the BOD make such rules or checklists understood by relevant sections or persons? Does the BOD or the senior management identify who or which section is in charge of money laundering?
Are the following items included in the internal rules or checklists regarding money laundering?
- The guideline regarding judgment of money laundering or not.
- The guideline regarding procedures or actions in the case of finding money laundering (e.g. freezing a bank account, cancelling current engagement, reporting to the authority)
- The guideline regarding report to the relevant organization in CB
- The guideline regarding recording and keeping documents

(2) Does the CB train the relevant section or persons about money laundering and indicate the typical cases?
Does the CB identify the doubtful transactions and customers related to money laundering?
If the number of reported doubtful transactions related to money laundering is relatively small in comparison with the other CBs, the criteria for judgment of doubtful transactions may not be appropriate.
Does the BOD care about such matter?

19 Award

(1) When the senior management and employees are evaluated, is the status of compliance of the CB one of the significant evaluation factors? For instance, when the CB gives the award to employees, are a branch and an employee with compliance issues in the past excluded from such award?

20 Internal Control

(1) Does the BOD understand very well the significance of establishing an adequate and effective internal control system from the viewpoint of compliance, adequate customer protection and risk management? Adequate internal control will be determined based on the size of the CB, complexity of the CB business and risk profile of the CB.
Does the BOD establish the internal control policy, including the internal audit policy, based on the CB business policy?
Even though such internal control policy is drafted by the CEO, does the BOD appropriately review it and not entrust the original role given to the BOD?
In addition, does the BOD thoroughly announce such internal control policy within the CB?

(1) Does the BOD make the internal audit section or the manager of the section develop the rule of internal audit? Does the BOD accept the internal control rule after having confirmed such rule was developed based on the internal control policy?

(2) Does the BOD monitor how the senior management adequately establishes the internal control system based on the internal control policy?
Does the BOD make the internal audit section evaluate the status of internal control?
In addition, is the result of evaluation reported to the BOD and the senior management?

(3) Does the BOD monitor how the senior management identifies weak points in the internal control, makes countermeasures to strengthen such points, then executes them effectively?
Does the BOD recognize the outline and significance of the risk the CB faces?
Does the BOD keep a good relation with the regulatory bodies (e.g. BOM) and positively request from them the information necessary for sound bank business?

21 External audit

(1) Does the CB receive an independent and credible external audit in accordance with the international audit standard?

(2) Does the BOD cooperate with the external audit so that the external auditors perform the following functions?
- The external auditor complies with the professional standard.
- The external auditor recognizes the role to the CB, i.e. the external auditor should pay appropriate professional care.
- The external audit evaluates the internal control through conducting the financial audit.
- At least, the engagement partner should be periodically rotated.
- Even though the external auditor entrusts some area to another auditor, the external auditor has responsibilities for the area the other auditor conducts.
(3) Does the BOD receive not only the result of the external audit but also the result of evaluation of the internal control?
Does the BOD have the necessary knowledge regarding the internal control to be strengthened?

(4) When the CB has branches overseas, does such branch receive an external audit?

(5) Does the BOD make every section within the CB cooperate with the external auditor?

(6) Does the BOD periodically confirm that the external audit is adequately conducted? When the CB has subsidiary companies, does the BOD make subsidiary companies receive the external audit if necessary?

(7) Does the BOD develop a framework to improve matters pointed out by the external auditor within a certain period?
Does the section for which any matters were pointed out immediately check those and make an improvement plan?
Does the internal audit section properly monitor the improvement progress of such section?

22 Protection of customers

(1) Protection of customers (especially depositors) is one of the major roles given to CBs, because insufficient protection of customers will bring reputation risk. Does the BOD recognize the significance of protection of customers and improvement of customers’ convenience?
Does the BOD understand the current situation of protection of customers and take necessary actions to improve it?
(2) Does the BOD establish the policy of protection of customers and make all employees understand it?

(3) Are the following items included in the policy of protection of customers, at least?
- The identification of customers (e.g. potential customers included or not?).
- The applicable business category should be kept.
- How to explain products and provide necessary information to the customers
- How to receive the customers’ voices and take appropriate actions for that
- How to keep customers’ personal information

(4) Does the BOD periodically receive necessary reports regarding protection of customers and evaluate it? If necessary, does the BOD revise the framework for the protection of the customers?

(5) Does the BOD prepare a rule or a manual based on the policy of protection of customers and make all employees understand it?

(6) Does the BOD clarify the roles, duties and authority of the person in charge of protection of customers and appoint an appropriate person with enough knowledge and experience for that?

(7) Does the BOD identify factors to be reported and approved regarding the protection of customers, and establish a framework in which the person in charge of the protection of customers reports such factors periodically or whenever necessary?
In particular, in the case of matters seriously influencing the CB business or customers, is a system by which such matters are timely
reported to the BOD and the senior management established?

(8) Does the BOD adequately analyze the current status of the protection of the customers through reviewing reports from the audit committee, internal auditors and external auditors?
As a result of analysis, does the BOD evaluate the current status of the protection of customers and identify issues that should be solved?

(9) Does the BOD make an improvement plan for the above issues and monitor improving progress?

23 Committees

(1) Are the following committees established?
- Risk management committee
- Compensation committee
- Audit committee
- Human resources committee

(2) Are a policy, rules and procedures established for each committee? Do each policy, rules and procedures clearly indicate at least the following items?
- The role of committee
- The composition of committee including the number of independent members

(3) Are each policy, rules and procedures approved by the BOD?

(4) Does the BOD assign necessary authority to each committee for the purpose of each committee?
Does the BOD assign suitable persons having necessary knowledge
and experience for each committee?

(5) Are the chairman and members of committees periodically changed?

(6) Is the above information disclosed to stakeholders?

24 Risk management committee

(1) Do the members of the risk management committee recognize the following matters?
- Various risks exist (e.g. managing credit, market, liquidity, operational, compliance, reputation and others).
- Where each risk exists in CB business.
- Nature of each risk.
- Methodology of identifying, evaluating and monitoring risks.
- Significance of risk management.

(2) Does the risk management committee evaluate the current status of risk management and develop a policy and a way to establish an adequate risk management framework? For example, does the risk management committee understand the limitation and weakness of measuring and analyzing risks?
Does the risk management committee develop a business strategic policy regarding risk management (e.g. how much risk the CB can take)? When developing the policy, does the risk management committee consider balance composition (i.e. assets, liabilities), current equity status and risk level?
In addition, does the committee care about the following matters?
- When the volume of revenue is determined with a certain risk level, is it clearly decided which is preferred, to reduce risk as much as
possible or to increase revenue even if risk increases?
- Does the CB’s attitude of chasing the increase of revenue lower awareness of risk management?
- Is performance evaluated by the short term revenue target rather than the mid-long term one, though the mid-long term target should be given priority?

(3) Does the committee establish the rules based on the policy of risk management and make all employees understand it well?

(4) Does the committee confirm the rule from a legal viewpoint?

(5) Does the risk management committee understand the significance of integrated risk management?
The goal of integrated risk management in a CB is to measure and manage risk and capital across a range of diverse business activities. This requires an approach for aggregating risk types (market, credit, and operational) whose distributional shapes vary considerably.
Are all necessary rules for integrated risk management written properly, depending on business volume or risk profile? For example, are the following items properly written?
- The roles and duties of the risk management section
- The matters regarding risk identification
- The matters regarding setting limitation of risk
- Evaluation methods of integrated risk and individual risks
- Periodical review of evaluation methods of integrated risk
- The matters regarding new products
- The matters regarding reporting to the BOD etc.
(6) Does the risk management committee establish the ALM committee or an equivalent organization controlling assets and liabilities?
In the case there are no organizations like the ALM committee, does the risk management committee develop the process of risk management instead of establishing such organization?

(7) When the risk management committee is established in the CB, is it independent from the market section and sales section?

New products

(1) Does the risk management committee ensure a system to review significant matters from a viewpoint of risk management before commencing new products?

(2) Does the risk management committee clarify criteria and responsible persons to examine whether new products are acceptable or not? Does the risk management committee notify such guideline to the relevant section?

(3) Does the risk management committee establish an appropriate system to identify a serious crisis and to promptly take proper countermeasures? For example, are the following actions already taken?
- Development of a manual against serious crisis.
- Development of a business continuation plan.
- Development of a system to gather necessary information when facing a serious crisis and to take appropriate actions.
- Development of countermeasures against rumors likely to appear in a serious crisis.
(4) Does the risk management committee gather and analyze information regarding the current status of business operations and risk management, periodically or at any time? As a result of the above analysis, does the risk management committee examine the effectiveness and reliability of the following items and request that they be revised if necessary?
- Business plan
- Internal control policy
- Business strategic target
- Risk management policy
- Compliance policy
- Customer protection policy, etc.

(5) Does the risk management committee identify matters to be reported and approved? In addition, does the risk management committee make responsible persons report such matters to the committee periodically or at any time? Does the risk management committee thereby ensure a proper reporting system? In particular, are matters which will seriously impact the CB’s business reported promptly to the BOD, the relevant committee, and the senior management?

(6) Does the risk management committee make the internal audit section identify matters which should be audited in relation to risk management? In addition, does the risk management committee approve the audit plan and programs? For example, are the following items included in the internal audit plan and programs?
- Status of the risk management framework
- Status of compliance regarding risk management policy or rules
- Adequacy of the risk management process from the viewpoint of business volume/characteristics and risk profile
- Operation adequacy in consideration of the limitations and weaknesses of evaluating integrated risk
- Relevancy of evaluating integrated risk
- Correctness and competency of data used in evaluating integrated risk
- Adequacy of stress test scenarios
- Status of improvement for matters pointed out by internal audit

(7) Does the risk management committee consider risks existing in branches, subsidiaries and major suppliers through evaluating integrated risk?

(8) Does the risk management committee receive reports not only from internal/external auditors but also from relevant sections in the CB, and evaluate the effectiveness of current risk management? Based on the above evaluation, does the risk management committee identify weaknesses or issues in current risk management and clarify their causes? If necessary, does the risk management committee set up investigation committees composed of independent persons to clarify the causes?

(9) Based on evaluation and analysis, does the risk management committee prepare improvement plans if necessary, and implement them to remedy problems in a timely manner?

(10) Do risk management committee or sections promptly report necessary information for decision making regarding withdrawal or downsizing of the business to the BOD, when risk management committee or
sections identify unmanageable risks, for example, material risks outside the range targeted by the risk management committee or sections?

(11) Does the risk management committee or sections promptly report to the BOD the information necessary for decision making regarding risk reduction or a change of risk limits, when the magnitude of risk exceeds the allowable risk level?

25 Compensation committee

(1) Does each compensation committee member recognize their given roles and duties?

(2) Is the compensation policy decided in accordance with the bank culture, the long-term business strategy and the internal control environment of the CB?

(3) When an incentive linked to the profit of the CB is given to BOD members and senior management, is it decided by objective indexes aimed at increasing the long-term value of the CB? Also, are ethics and internal control status considered?

26 Audit committee

(1) Does each audit committee member recognize their given duties? The audit committee’s duties may include overseeing the internal audit function; approving or recommending the appointment of external auditors and the scope of external audits and other services; providing the opportunity for auditors to meet and discuss findings apart from management; reviewing with management and external auditors the year-end financial statements; and meeting with regulatory authorities.

(2) For the purpose of ensuring sufficient objectivity and independence of the audit committee, are more than half of the audit committee members independent BOD members who clearly understand the roles and
duties of the audit committee regarding risk management and governance?

(3) Do members of the audit committee have enough knowledge and experience, depending on the complexity of the organization and the tasks expected of the CB? For example, is the audit committee composed of members with a balance of auditing, accounting and reporting ability? In this case, is at least one of them a financial specialist, such as a CPA or a person with CFO experience?

(4) Does the audit committee establish a framework for communicating with BOD members, external/internal auditors, persons responsible for compliance, and subsidiary companies’ BOD members through a periodical reporting system?

(5) Does the audit committee make proposals to the BOD and the shareholders regarding the appointment, remuneration and discharge of the external auditor?

(6) Does the audit committee carefully consider the extent of auditing that will effectively monitor the internal control system, after taking into account the internal audit function’s costs and benefits? Does the audit committee evaluate the findings and ensure that senior management has taken or will take appropriate action to correct the control deficiencies?

(7) Do audit committee members conduct the necessary surveys of subsidiary company management and internal control to ensure an adequate internal control framework within group companies?

(8) Do audit committee members monitor the BOD members’ performance by attending BOD meetings and asking questions there? In addition, do audit committee members take appropriate actions against the BOD if necessary?

(9) Does the audit committee keep good communication with the CEO on
condition of maintaining high independence?

(10) Do audit committee members immediately report to the BOD and the committee if some BOD members commit illegal acts or appear to do so? If such illegal action seems likely to damage the CB seriously, does the audit committee promptly take appropriate actions to avoid such damage?

(11) Do outside audit committee members carry out their roles as independent members?

(12) Do the audit committee members use a lawyer, CPA, etc. to supplement their abilities if necessary?

27 Human resources committee

(1) Does each member of the human resources committee recognize their given roles and duties?

(2) Has the human resources committee received the necessary information on nominees to the BOD from authorized shareholders? Does the human resources committee verify the nominee data against the CB’s requirements (the law, this code, the company charter, requirements set by the operational rules of the Board) when the committee receives such information? In the case that the nominee’s data do not meet the CB’s requirements, does the committee notify the nominee of this? If a nomination is for an independent member, is the notification of independence, and the accuracy of this notification, verified? Based on this information, is a proposal for inclusion of a nominee on a list of candidates submitted to the BOD?

(3) In case of death or inability of a member to attend meetings for long period of time, is this committee responsible for nomination of a
replacement until the next general shareholders meeting?

(4) Does the human resources committee evaluate each member at the end of his/her term of authority and present the evaluation to the shareholders meeting? Does this presentation include information about attendance at meetings?

(5) Is this committee also responsible for nomination, gathering information on candidates for executive positions, presenting it to the BOD, and making performance appraisals?

Ⅵ FUNCTIONS OF SENIOR MANAGEMENT

No. Description rank

Senior Management

Awareness of Senior Management

(1) Does each member of senior management clearly understand the policies and procedures established by the BOD? Does each member of senior management adequately recognize their given roles and duties?

Ability

(1) Does each member of senior management have the necessary ability to manage and control the field they are in charge of?

(2) Does senior management develop the necessary business plan, rules (e.g. rules for compliance) and procedures for CB management?

(3) Does the senior management get approval from the BOD regarding the above plan, rules and procedures?
After getting the approval, does the senior management execute them?

(4) Does the CEO allocate internal resources to appropriate positions, based on the CB’s business policy, business plan, internal control policy, strategic goal and risk management policy? Does the CEO use its authority in a timely manner for adequate management?

(5) Does the CEO take appropriate actions to demonstrate the compliance policy and the customer protection policy? For instance, does the CEO promote such policies in speeches at the New Year meeting, managers’ meetings, etc.?

Compliance

(1) As mentioned in Ⅳ (Accountabilities and Authorities of the Board), does the senior management recognize the significance of compliance and develop a compliance manual in accordance with the compliance policy and rules? Are the development of the compliance manual and the revision of significance of compliance well known in the CB?

(2) As mentioned in Ⅳ (Accountabilities and Authorities of the Board), does the senior management appoint a person in charge of compliance or establish a section in charge?

(3) Does the senior management monitor compliance status periodically and whenever necessary, or establish a framework to monitor it?

(4) If it receives information related to compliance matters, does the senior management make the person or section in charge of compliance examine whether it is true? In the case that such information seems to be true, does the person or section in charge of compliance immediately investigate it further? And if the matter is illegal, does the person or section in charge of compliance promptly report it to the regulatory body?
Does the senior management make the person or section in charge of compliance investigate the background of such illegal matters and the business areas that will be affected by them, and report those to the senior management? Does the senior management form a team composed of third parties and make them investigate such matters?

(5) As mentioned in Ⅳ (Accountabilities and Authorities of the Board), does the senior management appoint a person or section in charge of customer protection? Does the senior management monitor the activities of the person or section in charge?

Report to the BOD

(1) Does the senior management establish a framework to report significant issues (e.g. issues that will seriously damage customers’ profit or the CB’s profit) to the BOD in a timely manner?

(2) Does the senior management establish a framework to make responsible managers report significant issues directly to the audit committee?

Awareness of internal control

(1) Does the senior management understand the significance of internal control well?

(2) Does the senior management establish an adequate internal control framework?

(3) To establish internal control, does the senior management identify where a risk exists and how much such a risk will damage the CB’s business? Is the risk evaluated by the volume and the probability of damage?

(4) Does the senior management grasp necessary internal control against
identified risks?

(5) Does the senior management understand that the necessary controls should be installed?

(6) Does the senior management ensure that the necessary controls function appropriately in the CB?

(7) Does the senior management establish a framework to keep employees from being in conflicts of interest? For example, thoroughly introducing a pairing system in which other employees always check the work, or rotating staff regularly, may be ways to avoid conflict of interest issues.

(8) Does the senior management avoid the situations mentioned below?
- Inappropriately involved in detailed business line decision-making;
- Assigned an area to manage without the necessary prerequisite skills or knowledge;
- Unwilling or unable to exercise effective control over the activities of apparent “star” employees. This is especially problematic where managers fail to question employees who generate returns that are out of line with reasonable expectations for fear of losing either revenue or the employee.

(9) Does the senior management introduce a whistle-blowing system and make it well known within the bank? Does such a whistle-blowing system satisfy the following conditions?
- Ensuring appropriate persons or sections to report to
- Ensuring that a reporter will not be treated unfairly in the bank
- Ensuring steps to be taken after receiving a report
- Ensuring steps to avoid reporting for an illegal purpose
- The above conditions are documented and the contents are well known in the CB

Candidates for the appropriate person or section to report to include not only the compliance section or audit committee in a CB but also third parties such as lawyers.

Ⅶ INTERNAL CONTROL

No. Description rank

Understanding

(1) The outline of internal control is described in the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Do the BOD, management and internal auditors understand the essence of the COSO report as described below?

Internal control is a process designed to provide reasonable assurance that the CB will achieve the following objectives:
- Efficient and effective operations, including safeguarding of assets;
- Reliable financial reporting; and
- Compliance with applicable laws and regulations.

Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components, which is brought about by
a CB’s board of directors, management, and other personnel, is essential to achieving the internal control objectives. In general, good internal control exists when no one is in a position to make significant errors or perpetrate significant irregularities without timely detection. Therefore, a system of internal control should include those procedures necessary to ensure timely detection of failure of accountability, and such procedures should be performed by competent persons who have no incompatible duties. The following standards are encompassed within the description of internal control:

Existence of procedures. Existence of prescribed internal control procedures is necessary but not sufficient for effective internal control. Prescribed procedures that are not actually performed do nothing to establish control. Consequently, the internal auditor must give thoughtful attention not only to the prescribed set of procedures but also to the practices actually followed. This attention can be accomplished through inquiry, observation, testing, or a combination thereof.

Competent performance. For internal control to be effective, the required procedures must be performed by competent persons. Evaluation of competence undoubtedly requires some degree of subjective judgment because attributes such as intelligence, knowledge, and attitude are relevant. Thus, the internal auditor should be alert for indications that employees have failed so substantially to perform their duties that a serious question is raised concerning their abilities.

Independent performance. If employees who have access to assets also have access to the related accounting records or perform related review operations (or immediately supervise the activities of other employees who maintain the records or perform the review operations), they may be able to both perpetrate and conceal defalcations.
Therefore, duties concerned with the custody of assets are incompatible with recordkeeping duties for those assets, and duties concerned with the performance of activities are incompatible with the authorization or review of those activities.
Consideration for small banks

(1) Each CB is required to have an internal audit function that is appropriate to its size and the nature and scope of its activities. For example, in small banks, management may be sufficiently involved in daily operations to know the purpose and reasonableness of all expense disbursements. That knowledge, coupled with the responsibility for signing checks, may make irregularities by non-management personnel unlikely, even if disbursements are otherwise under the control of only one person.

Ways to evaluate internal control

(1) Do senior management, the audit committee and internal auditors have enough knowledge of the ways to evaluate internal control, as described below?

There are several ways to evaluate internal control. The major ways or tools are inquiry, observation, flowcharts, narrative description, risk control matrix, walkthrough, and testing. Basic internal control questionnaires are provided in the banking supervisor’s handbook of the BOM. A sample flowchart, narrative description and risk control matrix for the loan process is shown in Annex 1. A walkthrough is a procedure to confirm or revise the description given in a flowchart, narrative description and risk control matrix. Testing is a procedure to confirm whether the internal controls described actually work.

Ⅷ INTERNAL AUDIT

No. Description rank
The internal audit policy

(1) Is the internal audit policy developed? Does the internal audit policy include the following factors?
- The purpose of the internal audit
- The independence of the internal audit section
- The duties, authority, and responsibility of the internal audit section
- The systems to obtain the necessary information
- The enforcement system of the internal audit
- The reporting system of the internal audit section

Is the internal audit policy disseminated within the bank?

The internal audit plan

(1) Is an internal audit plan prepared? Is the internal audit plan elaborated with consideration of the situation of compliance, the protection of customers, and the risk management of the targeted section, in addition to effectiveness and efficiency in terms of the frequency and depth of the internal audit? Is the internal audit plan based on the control risk assessment? Does the audit plan include a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget? Does the audit plan include all auditable areas and set priorities based on the rating determined by the risk assessment? Are the schedule of planned audits and any subsequent changes to the plan approved by the board or its audit committee? Many organizations develop an audit plan jointly with the external auditors. In this case, does the audit plan clearly indicate what work is being performed by internal and external auditors and what aspects of internal audit work the external auditors are relying on? Is the schedule of audit cyclic? For example, are high risks audited
annually, moderate risks every two years, and low risks every three years? Are the annual audit plan and budgets set by the internal audit manager and approved by the board, audit committee, or senior management?

Audit Manual

(1) Does the internal audit department have an audit manual that sets forth the standards of work for field auditors and audit managers to use in their assignments? Does the audit manual contain the audit unit’s charter and mission, administrative procedures, work paper documentation standards, reporting standards, and review procedures? Do individual audits conform to the requirements of the audit manual? Is the manual up to date with respect to the audit function’s mission and changes to the professional standards it follows?

Audit Program and Related Workpapers

(1) Does the audit program document the audit’s objectives and the procedures that were performed? Does it indicate who performed the work and who has reviewed it? Do work papers document the evidence gathered and conclusions drawn by the auditor, as well as the disposition of audit findings? Do the work papers provide evidence that the audit program adheres to the requirements specified in the audit manual?

Control risk assessment

(1) Does a control risk assessment (or risk-assessment methodology) document the internal auditor’s understanding of CB’s significant business activities and their associated risks? Do these assessments analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk
exposure of CB? Are these assessments updated regularly to reflect changes to the system of internal control or work processes and to incorporate new lines of business?

Performance of Individual Audits

(1) Does the internal audit manager oversee the staff assigned to perform the internal audit work and establish policies and procedures to guide them? Is the internal audit function competently supervised and staffed by people with sufficient expertise and resources to identify the risks inherent in CB’s operations and to assess whether internal controls are effective?

Audit Reports

(1) Is the report given to the area’s managers, senior management, the audit committee and the BOD? Does the audit report state the purpose of the audit and its scope, conclusions, and recommendations?

Competence of Internal Auditors

(1) The responsibilities and qualifications of internal auditors vary depending on the size and complexity of a bank’s operations and on the emphasis placed on the internal audit function by the directorate and management. In many banks, the internal audit function is performed by an individual or group of individuals whose sole responsibility is internal auditing. In other banks, particularly small ones, internal audit may be performed on a part-time basis by an officer or employee.

Is an appropriate internal audit department manager with sufficient experience and knowledge assigned to the internal audit section? For example, does the internal audit department manager have the following qualifications?
- academic credentials comparable to other bank officers who have major responsibilities within the organization,
- commitment to a program of continuing education and professional development,
- audit experience and organizational and technical skills commensurate with the responsibilities assigned, and
- oral and written communication skills.

Is the internal audit department manager given the rights necessary to accomplish the duties of the manager of the internal audit section?

Is the independence of the internal audit section secured if the internal audit department manager also acts for another section besides the internal audit section?

Are appropriate staff with sufficient experience and knowledge assigned? Are such staff given the rights necessary to accomplish their duties as staff of the internal audit section?

Do the internal audit department manager and the staff of the internal audit section receive internal and external training to improve their skills? Is a continuous training system established in the internal audit section?

Is the independence of the internal audit section secured? Is a framework secured that enables the internal audit section to carry out its duties without any inappropriate interruption from the sections being audited? Is a framework established to prevent the internal auditors from engaging in the duties of the sections being audited (e.g. the activity itself or the preparation of financial information)?

Is there a framework that makes it possible to audit areas where violations of laws and ordinances easily occur, in addition to the usual audit target areas?

Does the internal audit section have responsibility about a result and a
performance of even an outside expert, in the case that the CB has to employ such outside experts to strengthen the internal control function?

Are the internal auditors authorized to interview and question all employees and to obtain necessary documents, where necessary, in conformity with the internal audit rules?

Is a framework ensured to make all employees well aware of the duties, authority and responsibilities of the internal audit section?

Is an internal audit section installed in the overseas branches, under the control of the internal audit section of the internal audit department manager’s office, in the case that the risk in an overseas branch is judged to exceed a certain level?

Is a framework secured in which the internal auditor reports the results of audits timely and adequately?

Consideration of the size of CB

(1) For CBs that are large or have complex operations, the benefits derived from a full-time manager of internal audit or an auditing staff likely outweigh the cost. For small CBs with few employees and less complex operations, however, these costs may outweigh the benefits. Nevertheless, a small CB without an internal auditor can ensure that it maintains an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls. The key characteristic of such reviews is that the persons directing and/or performing the review of internal controls are not also responsible for managing or operating those controls. A person who is competent in evaluating a system of internal control should design the review procedures and arrange for their implementation. The person responsible for reviewing the system of internal control should report findings directly to the audit committee.

Framework to follow up

(1) Does every department or section to which internal auditors have raised objections make a timely improvement plan as countermeasures for such
objections, in consideration of their materiality? Does the internal audit department monitor the progress of such improvement plans and reflect it in the future audit plan?

Ⅷ. EXTERNAL AUDIT

No. Description rank

(1) Is it ensured that external auditors are in compliance with applicable codes and standards of professional practice? Is it ensured that, in accordance with national standards, the principal auditor takes responsibility for other external audits of financial statements conducted within a group and its global operations, so as to minimize the risk of gaps in the scope or conduct of audit activities and ensure the integrity of financial statements? Are external auditors engaged to review the internal control processes related to disclosure of financial statements? Is it ensured that external auditors understand their duty to the bank to exercise due professional care in the conduct of audits? Is periodic rotation of, at a minimum, the lead audit partner considered?

(2) Do external auditors carry out at least the following duties?
1/ When performing a bank audit, evaluate and conclude on all the risks related to bank operations;
2/ Verify the correctness of all information provided by the bank for audit;
3/ Collect information on services and transactions performed by the bank and have a solid understanding of the development of financial services;
4/ Review the implementation of the policy and rules of the board of directors by senior management;
5/ Ensure that information disclosure to the board of directors, shareholders, and regulators was accurate and timely;
6/ Review the system established to ensure compliance with regulatory requirements, codes of conduct and the implementation of policies and procedures.