Decision on Minimum Standards for Risk Management in Credit Institutions

Pursuant to Article 44 paragraph 2 item 3 of the Central Bank of Montenegro Law (OGM 40/10, 06/13, 70/17), Article 117 of the Law on Credit Institutions (OGM 72/19, 8/21), the Council of the Central Bank of Montenegro, at its meeting held on 22 December 2021, passed the following DECISION ON MINIMUM STANDARDS FOR RISK MANAGEMENT IN CREDIT INSTITUTIONS I. BASIC PROVISIONS Subject matter Article 1 This Decision governs minimum standards for risk management a credit institution is or might be exposed to in its operations. Risks to which a credit institution is or might be exposed to in its operations Article 2 Risks to which a credit institution is or might be exposed in its operations, within the meaning of Article 1 of this Decision, shall be risks covered by Article 105 paragraph 2 of the Law on Credit Institutions (OGM 72/19, 8/21) - (hereinafter: the Law) excluding risks which management is identified in the separate regulation of the Central Bank of Montenegro. Meaning of terms Article 3 Terms used in this Decision shall have the following meaning:

1. risk profile means the measurement or the assessment of all risks to which a credit institution is or might be exposed in its operations;
2. risk culture means norms, attitudes and behaviours related to risk awareness, risk assumption and risk management, and the controls that shape the decisions on risks;
3. risk appetite means the level and types of risk a credit institution is willing to assume within its defined risk capacity to achieve its strategic objectives;
4. risk containment means the overall strategic objectives, methods, criteria and procedures to assume, avoid, mitigate or transfer the identified risk;
5. stress testing means an assessment of the impact of particular events and processes, including microeconomic and macroeconomic scenarios, on the overall capital position of a credit institution or funding sources and liquidity by means of a

projection of capital sources and capital requirements of a credit institution or the impact of shocks on the credit institution's overall liquidity position, including the determination of capital requirements; 6) reputational risk means a risk of loss of trust in the integrity of a credit institution caused by adverse public opinion on the credit institution's business practices, regardless of whether there are any grounds for such a public opinion or not; 7) country risk means the risk that:

• the central government, central bank and/or entities treated as the central government will not be able to settle their liabilities to local creditors and/or to foreign creditors; and
• counterparty having its head office or habitual residence outside Montenegro due to economic and political factors specific for the country in which a counterparty has its head office or habitual residence will not be able to settle its liabilities.

8. model risk means the risk of loss a credit institution may incur, as a consequence of decisions that could be principally based on the output of internal models, due to errors in the development, implementation or use of such models;
9. strategic risk means the risk of loss caused by adverse business decisions, lack of responsiveness to changes in the economic environment, etc.;
10. information system (IS) means a comprehensive set of technological infrastructure (hardware and software assets), organisation, people and procedures for generating, collection, processing, storage, transmission, representation, use, modification of data processing and other procedures for data processing;
11. information system resources mean software, hardware and information assets, people and processes;
12. software assets (IS software components) mean all types of application and system software, databases, software development tools, utility programmes and other software; 13)hardware assets (IS hardware components) mean computers and computer equipment, communication equipment, data storage media and other technical equipment supporting the information system operations; 14)information assets means data in databases, data files, program code, configuration of hardware assets, technical and user documentation, reports, strategies, policies, procedures, other internal acts and the like; 15)information technology (IT) means a combination of hardware and software assets that enables automated generation, collection, processing, storage, transmission, presentation and/or use of information;
13. IT system means information technology governed as a part of the mechanisms or interconnected network that provides support to the credit institution’s operations;
14. IT service means any service the IT system provides to internal or external information system users;
15. IT project means any project or its part in which the IT systems or services are changing, replacing, put out of use or implementing. IT project includes also those projects that are an integral part of wider IT project programmes or transformation of operations related project programmes; 19)information system users means all persons authorised to develop, maintain and/or user information system (employees in a credit institution, employees in

service provider accessing the information system of a credit institution, clients of a credit institution accessing the credit institution’s information system through electronic interactive communication channels, etc,); 20)information system risk means the possibility of negative effects on the financial result and capital of a credit institution, achievement of its business objectives, operation in accordance with regulations due to inadequate information system management or other system weaknesses which negatively affect the system functionality or security; 21) incident means one or more unplanned events that jeopardise or will likely jeopardise the information system security or functionality of a credit institution; 22) information security means a state where only authorised users (confidentiality) have access to accurate and complete information (integrity) when they need it (availability); 23)confidentiality of information means that the information is not disclosed or available to unauthorised persons; 24)integrity of information means that information i.e. data has not been subject to unauthorised or unforeseen alterations; 25)availability of information means that an authorised person may access to information and use it in a timely manner; 26)reliability of information system means that the information system is functioning consistently and expectedly and gives expected, accurate results; 27) gap risk means the risk that arises from term structure of interest rate sensitive instruments which arises from the timing of interments' rate changes, and it includes the changes in term structure of interest rates that occur consistently across the yield curve (parallel risk) or differentially by period (non-parallel risk); 28) basis risk means the risk that arises from the impact of relative changes in interest rates for financial instruments that have similar tenors but are priced using different interest rate indices, and it arises from imperfect correlation in the adjustment of the rates earned and paid on different instruments with otherwise similar rate change characteristics; 29)option risk means the risk that arises from options, where the credit institution or its customer can alter the level and timing of their cash flows, or it is the risk that arises from interest rate sensitive contracts where the holder will almost certainly exercise the option if it is in their financial interest to do so and it is the risk that arises from the flexibility embedded implicitly or within the terms of financial contracts such that changes in interest rates may affect the change in the behaviour of the client. II. RISK MANAGEMENT RULES Risk management system Article 4 (1) Risk management system, within the meaning of this Decision, means the overall organisational structure, rules, processes, procedures, systems and resources for identifying, measuring, assessing, containing, monitoring and reporting on risk exposure or overall risk management, and it shall imply the establishment of an adequate corporate

governance, risk culture and setting up strategy, policy and other internal acts for managing risks. (2) For the purpose of establishing risk management system, a credit institution shall:

1. identify employees to be involved in the risk management system;
2. establish and properly document risk management process that includes the identification and alignment of risk profile with risk appetite;
3. establish, monitor and maintain internal exposure limits in line with the risk appetite or proportionate to the financial strength, strategic objectives and level of capital of a credit institution;
4. establish, on an ongoing basis, risks to which it is or might be exposed to in its operations, and analyse causes to those risk exposures;
5. regularly measure or assess and control the risks to which it is exposed in its operations;
6. clearly determine the criteria and procedures for treating or the method for managing risks – assumption, mitigation or transfer of risk to third party, taking into account the existing and desirable risk profile and risk appetite, as well as to document in an adequate manner reasons for the selected treatment or the risk management method;
7. run periodical stress testing;
8. establish the system of regular monitoring and reporting to the competent bodies in the credit institution on exposures to risks and on the stress testing results. (3) A credit institution shall adequately monitor risks which were transferred to a third party, in particular, concentration risk that may arise on this basis. (4) For the purposes of paragraph (2) item 4) of this Article, a credit institution shall ensure that the transactions with connected persons are monitored to properly identify and assess the underlying risks. (5) For the purposes of paragraph (2) items 5) and 6) of this Article, a credit institution shall take also into account the effects of potential impact of significant macroeconomic trends and data on the exposure to risks and individual portfolios. (6) Information referred to in paragraph (2) item 8) of this Article shall in particular include information on exposure to individual risks and key risk indicators, including information on risk profile and its changes, data on significant losses, information on measures and activities intended to be taken or have been taken to treat risks, information on excess of defined internal exposure limits and other exceptions from the activities in line with internal acts, as well as exemptions from identified risk appetite and information on positive and negative changes in business indicators that refer or may refer to the change in risk exposure. (7) A credit institution shall ensure the application of sound risk management system in the credit institution through a risk control function which is responsible for further identifying, monitoring, analysing, measuring, managing and reporting risks forming the

second line of defence, independent from the business lines of the credit institution it controls, and which, as the first line of defence, take risks and are responsible for their operational management directly and on a daily basis, and which shall have appropriate processes and controls in place that aim to ensure that the risks assumed are identified, analysed, measured, monitored, managed and reported. Risk management strategy Article 5 (1) Risk management strategy shall be one or several internal acts that include objectives and fundamental principles of risk assumption and management and risk appetite, which should be adequately expressed through internal exposure limits. (2) When determining the risk appetite, a credit institution shall take into account, quantitative information or model results or assessment of risk exposure, as well as adequate qualitative information, such as for instance expert judgement and critical analysis. (3) A credit institution shall regularly alight its risk management strategy with general strategy, taking into account developments in market in which the credit institution operates and changes within the credit institution (e.g. changes in the assets and earnings structure, the increase of business complexity, risk profile changes, geographic expansion, mergers, acquisitions and introduction of new products and business lines). Risk management policies Article 6 (1) The risk management policies shall make one or several internal acts which include, in particular, the following:

1. a determination of the risk appetite as regards specific risks;

2. clearly-defined powers and responsibilities to manage risks within a credit institution;

3. a methodology for the identification and measurement or assessment of the risks to which a credit institution is or might be exposed, including a stress testing methodology;

4. internal limits and controls and other risk containment and monitoring procedures;

5. procedures and measures in the event of non-compliance with the adopted policies and procedures, including potential future or actual excess of internal limits;

6. procedures and measures for crisis situations; and

7. where applicable, risk management within the group. (2) For the purposes of paragraph (1) item 5) of this Article, measures to be taken shall at least include the following:

8. identifying reasons of the occurrence of deviation from adopted policies and procedures, i.e. excess of internal limits;

9. assessing the level of potential or actual excess of internal limit;

10. escalation to adequate levels;

11. monitoring of the outcome resulting from the excess of limits;

12. keeping records on deviation from policies and procedures and internal limits exceeding; (3) The policies referred to in paragraph (1) of this Article shall be clearly defined and documented and accessible to all employees of a credit institution involved in the risk assumption and management process. (4) A credit institution shall review and, if necessary, update the policies referred to in paragraph (1) of this Article at least on an annual basis and at each significant change in risk exposure and it shall ensure that they are applied at the level of the whole credit institution. New products and significant changes Article 7 (1) A credit institution shall, within its risk management framework, by performing risk control function in accordance with the provisions of regulations governing the governance system in the credit institution, also cover risks arising from the introduction of new products or services, significant changes in the existing products and services, including significant changes in processes (e.g. new outsourcing) and systems (e.g. changes in information system) connected with those products and services, extraordinary transactions that may occur as a result of the aforesaid, as well as the entrance to new markets and trading in new instruments.. (2) Significant changes or extraordinary transactions referred to in paragraph (1) of this Article shall in particular refer to the following:

13. mergers and acquisitions of credit institutions, including possible consequences in case of insufficient due diligence that has not identified all risks and obligations arising from the merger or acquisition;

14. establishment of new subsidiary undertakings or special purpose entities;

15. new products;

16. changes in the risk management system and procedures; and

17. changes in the organisational structure of the credit institution. (3) A credit institution shall prescribe in its internal acts the criteria and procedures relating to the introduction of new products or services referred to in paragraph (1) of this Article and within them in particular:

18. define what it considers to be a new product or service and analyse their significant change;

19. establish the processes and procedures for the introduction of new products or services;

20. define the powers and responsibilities for the approval and verification of new products.

(4) Prior to introducing new products or services, a credit institution shall carry out analysis of the risk arising therefrom, and in particular:

1. describe the new product;
2. analyse the impact of the new product on its existing and future risk exposure, and capital adequacy and profitability;
3. ensure the required technical, organisational and human resources;
4. provide an objective assessment of all the risks arising from new activities, using different scenarios;
5. make an assessment whether the introduction of a new product or service leads to potential weaknesses in risk management and internal controls;
6. assess the ability of the credit institution to efficiently manage new risks;
7. define the procedures to be used to manage the risks related to new products; and
8. comply with the accounting, tax and legal requirements, including those of the Central Bank. Stress testing Article 8 (1) A credit institution shall carry out, within its risk management, stress testing at the level of significant risk to which it is exposed, at portfolio level and at the level of the whole credit institution or, if applicable, at the level of group of credit institutions. (2) A credit institution shall include in particular the following in its policies and procedures governing stress testing:
9. various forms of stress testing and their objectives;
10. frequency of stress testing exercises, and at least on quarterly basis;
11. transparent and consistent lines of responsibilities and activities;
12. when carrying out stress testing on a consolidated basis, a list of entities included in stress testing, as well as the scope of stress testing to be carried out at the level of individual entities;
13. data infrastructure to be used in stress testing;
14. a description of stress testing methodology, including the description of internal models if used;
15. assumptions to be taken into consideration in stress testing, as well as measures to be implemented based on stress test results; and
16. the method of reporting to the management on the stress test results. (3) The risk control function shall regularly review stress testing results, periodically review adequacy of defined assumptions and scenarios and, if needed, carry out such stress testing independently from other organisational parts carrying out stress testing, and it shall report the management board of the credit institution on the results obtained. (4) A parent credit institution in Montenegro shall carry out stress testing on a consolidated basis and the requirements referred to in this Decision relating to the performance of stress tests in individual credit institutions shall also apply to consolidated basis.

(5) A credit institution shall perform stress testing using the sensitivity analysis, scenario analysis as well as reverse stress testing, taking into consideration the economic cycle stage of the economy, and it shall ensure that this testing is not based solely on historical experiences but hypothetical scenarios and external sources of data needs to be included, and stress testing should include various intensities of effects and at least one scenario must include significant economic recession. (6) A credit institution shall ensure that the stress testing is supported by appropriate data infrastructure that is based on an efficient risk aggregation and risk reporting. (7) A credit institution shall take into account stress testing results while:

1. reviewing strategic planning;

2. reviewing the risk appetite;

3. reconsidering the funding policy;

4. reviewing internal limits;

5. use of risk mitigation techniques;

6. reviewing capital and liquidity adequacy; and

7. reviewing or developing activities related to contingency planning. (8) A credit institution shall assess the appropriateness of stress testing regularly, and at least on an annual basis, as well as at each significant change in risk exposure and it shall cover the following:

8. frequency of stress testing exercises and their compliance with objectives;

9. the need for development work;

10. the adequacy of informing relevant employees, bodies and committees in credit institution;

11. the quality of used data and other information; and

12. documentation of stress testing results. (9) A credit institution shall document in an appropriate manner the process of performing stress testing and it shall regularly update such documentation. (10) A credit institution shall ensure that the stress testing process is included in the internal audit action plan. Competences of senior management for risk management Article 9 Senior management shall perform the following activities within the risk management:

13. implement risk assumption and risk management strategy and policies;

14. establish and maintaining the risk management process;

15. establish procedures and compile instructions and guidelines for carrying out the credit institution's business activities which result in risk exposures;

16. maintain the efficiency of internal controls embedded in the risk management system; and

17. establish adequate procedures to assess the impact of the introduction of new products and their significant changes on the credit institution's risk exposure. III. CREDIT RISK MANAGEMENT AND MANAGEMENT OF RISKS RELATED TO CREDIT RISK 3.1. Credit risk and counterparty risk Organisational requirements Article 10 (1) A credit institution shall ensure that risk control function and risk support function are clearly separated, operationally and organisationally. (2) The decision-making process on the granting of credit exposures shall include:

18. the establishment of criteria, policies and procedures for the granting of new exposures and restructuring of the existing exposures;

19. the establishment of rules on the granting at the level of individual debtors and collateral providers and at the level of the group of connected persons with the debtors and collateral providers, depending on the exposure amount and risk;

20. identifying powers and responsibilities of the competent bodies within the credit institution for granting of exposures depending on the exposure amount and risk;

21. engaging risk control function in the process of making decisions on granting materially significant exposures through the provision of independent information, analyses and expert judgement on risk exposures, and advice on proposals for risk taking made by business lines and reporting to the management board, supervisory board or relevant working body of the supervisory board as to whether these decisions are consistent with the credit institution’s risk appetite and risk management strategy, whereby business units, management and supervisory boards of the credit institution or relevant working body of the supervisory board are responsible for the granting process;

22. the possibility that credit exposures that are materially insignificant may be granted by a person responsible for contracting transactions, and in which case the credit institution shall establish the criteria for those exposures and decision-making rules for granting including their classification based on similar characteristics, and the rules governing their monitoring on an aggregate basis. (3) A credit institution shall establish decision-making rules for granting of credit exposures which apply when person responsible for risk control function or other person authorised to make an independent credit risk assessment has expressed a negative opinion on such decision.

(4) A credit institution shall ensure that the activities of contracting transactions are not performed within the same organisational unit that performs activities relating to the valuation of assets, classification of assets and calculation of loan loss provisions. Credit process Article 11 A credit process shall in particular include the following:

1. a credit exposure granting process;
2. a credit risk exposure monitoring process;
3. a credit risk exposure analysis;
4. an early warning system;
5. the management of non-performing loans;
6. the management of restructured loans;
7. the process of classifying and valuing on-balance and off-balance sheet items in the manner specified in a separate regulation of the Central bank; and
8. the keeping of records on credit exposures. Credit exposure granting process Article 12 (1) Before granting a credit exposure, during the contractual relationship on the basis of which a credit exposure has occurred and during each significant subsequent increase in the value of credit exposure, a credit institution shall assess the creditworthiness of the debtor and regularity in settling its liabilities to the credit institution and other creditors. (2) Before granting a credit exposure, a credit institution shall, in addition to the creditworthiness of a debtor, assess quality, marketability, availability, value and validity of collateral, and where the collateral value to a great extent depends on the creditworthiness of a third-party collateral provider, it shall assess the creditworthiness of such collateral provider. (3) The assessment of creditworthiness of the debtor shall be carried out in accordance with the criteria set out by the credit institution in its internal act taking into account the requirements laid down in the regulation of the Central Bank governing the classification of assets of credit institutions. (4) When analysing credit exposure, a credit institution shall primarily take into account creditworthiness of the debtor and treat, as a rule, the collateral received for individual exposure as the secondary source of collection. (5) A credit institution shall adopt a policy on eligible collateral and the methodology for assessing collateral value taking into account the minimum requirements referred to in the regulation of the Central Bank governing the asset classification of credit institutions.

Credit risk exposure monitoring process Article 13 (1) The credit risk exposure monitoring process shall include an assessment of the creditworthiness of the debtor and of the group of persons connected with the debtor as well as an assessment of the collateral quality during the contractual relationship on the basis of which the credit exposure has occurred. (2) During the contractual relationship on the basis of which the credit exposure has occurred, a credit institution shall monitor the operation of the debtor, as well as the quality, marketability, availability, value and validity of collateral. (3 A credit institution shall ensure the monitoring of debtor's compliance with contractual terms and conditions and, when the loans have been granted for designated purposes, the monitoring of whether the funds placed have been used exclusively for these purposes. (4) A credit institution shall ensure that monitoring of individual exposures is established in the manner as to enable a timely implementation of adequate measures to mitigate credit risk if the creditworthiness of the debtor or collateral provider deteriorates. (5) A credit institution shall adopt procedures prescribing the collection and monitoring of all relevant information which might point to an increase in the risk of the credit exposures and collateral, for the purpose of risk reassessment and reporting to all authorised persons included in the credit risk management process. Credit risk exposure analysis Article 14 (1) A credit institution shall establish a system for an ongoing analysis of the structure and quality of the overall portfolio of exposures to credit risk which shall include an analysis of concentration risk inherent in the portfolio and an assessment of future trends of the structure and quality of entire credit risk exposure portfolio, and recognise new risks that may arise from the exposure portfolio, as well as increase in the level of risk due to changes in the operating circumstances and conditions. (2) A credit institution shall take into account the analysis referred to in paragraph (1) of this Article, when defining the strategies and policies for taking or managing credit risk. (3) A credit institution shall monitor and analyse entire portfolio of exposures to credit risk in such a manner as to provide for timely implementation of adequate measures to mitigate credit risk.

Early warning system Article 15 (1) A credit institution shall carry out the following:

1. establish an early warning system providing for a timely identification of exposures carrying an increased credit risk; and
2. keep records on exposures carrying an increased credit risk. (2) An early warning system referred to in paragraph (1) item 1) of this Article should be based on either internal or external ratings or indicators, and it should enable recognition of exposures carrying an increased credit risk at early stages of credit quality deterioration on individual basis, as well as at the level of exposures carrying common characteristics of credit risk. Management of non-performing loans Article 16 (1) A credit institution shall establish an adequate framework for managing non￾performing loans that will include in particular the following:
3. the method for identifying, measuring, monitoring and overseeing non-performing loans, as well as measures for avoiding the occurrence of non-performing loans in the credit institution's assets;
4. time-bound and value-set objectives for treating non-performing loans and exposures in the enforced collection process;
5. the objectives of credit institution related to non-performing loans in short-term, medium-term and long-term period;
6. the implementation of operational plan for treating non-performing loans; and
7. full integration of strategy for treating non-performing loans into managerial processes of credit institutions, including regular monitoring and adequate oversight of these activities. (2) A credit institution shall analyse the impact of the non-performing loans on own funds, profitability, liquidity and other operating indicators of the credit institution. (3) When establishing objectives referred to in paragraph (1) item 3) of this Article, a credit institution shall take into account different methods of managing non-performing loans, such as:
8. monitoring and forbearance of non-performing loans;
9. active non-performing loan reductions;
10. change of exposure type or settlement of credit exposure by acquiring the property of the debtor; and
11. various legal options such as opening of bankruptcy proceedings or out of court settlement. (4) A credit institution carrying an increased level of non-performing loans shall establish an organisational unit which shall be responsible for monitoring and treating non-

performing loans, and it shall be independent from the unit responsible for negotiating transactions. (5) A credit institution shall establish in its internal acts the following:

1. policies, methods and frequency of valuation of collateral in the form of immovable property and physical collateral other than immovable property for non-performing loans, oversight and control of such valuation, as well as the criteria for collateral valuers; and

2. the criteria, processes and decision-making levels for full or partial accounting write-off of receivables from debtors arising from non-performing loans and decision-making levels of taking legal actions required to call and realise the collateral. Management of restructured loans Article 17 (1) A credit institution shall adopt and apply an internal act for managing restructured loans which shall at least cover the following:

3. procedures for granting forbearance measures, the manner of making decisions on forbearance measures, including persons and functions included in that procedure, whereby a credit institution shall consider measures that would enable viable collection of loans and avoid enforced collection cases;

4. a description of available forbearance measures, depending on the reasons why loans have been identified as non-performing loans; and

5. information requirements for assessing the viability of forbearance measures, monitoring procedures and oversight of the forbearance measures. (2) Before adopting a decision of loan restructuring, a credit institution shall assess the economic justification of loan restructuring to a single debtor or a group of debtors having similar economic features, and in case of economic justification, it shall establish appropriate restructuring plan and monitor its implementation and effects. (3) When determining economic justification referred to in paragraph (2) of this Article, a credit institution shall obtain:

6. a detailed analysis of the reasons that led to difficulties in the operation of the debtor, or, if applicable, group of debtors;

7. a plan for the operational, financial and ownership restructuring of the debtor, if applicable, and

8. cash flow projection for the period established in the restructuring plan. (4) On the basis of the information referred to in paragraph (3) of this Article, a credit institution shall make:

9. an assessment of the feasibility of a plan for the operational, financial and ownership restructuring of the debtor, if applicable;

10. an analysis of possible methods of credit exposure restructuring and the rationale for the chosen method;

11. a new repayment plan for the loan which shall be the basis for monitoring the implementation of the credit exposure restructuring plan. (5) Before approving the forbearance measure, a credit institution shall assess credit capacity of the debtor or, if applicable, group of debtors. (6) Following the approval of the forbearance measure, a credit institution shall monitor the implementation of the entire restructuring plan and of cash flows of the debtor or, if applicable, group of debtors having similar economic features, on an ongoing basis and at a minimum on a quarterly basis. (7) For managing non-performing loans referred to in Article 16 of this Decision and restructured loans referred to in paragraphs (1) to (6) of this Article, a credit institution shall apply guidelines referred to in Annex 1 of this Decision that makes an integral part thereof. Content and keeping of credit files Article 18 (1) For the purpose of credit risk management, a credit institution shall keep a credit file of a debtor that shall contain in particular:

12. Basic data on the debtor (for natural person – name, last name and address, for legal person – name and head office, number of employees, ownership structure, data on members of the management body) and connectedness of the debtor with other persons if the debtor is a part of the group of connected persons;

13. loan agreement and/or agreement on other credit exposures;

14. data on main debtors and creditors of each debtor to which the exposure of credit institution in significant on an individual basis;

15. financial statements of the debtor for the previous three years, if applicable;

16. analysis and assessment of the financial position of the debtor, including debtor's internal rating;

17. for individually significant exposures, where the evidence on the reduction of financial assets of the debtor exists, the analysis and assessment of future cash flows of the debtor against its liabilities;

18. the proposal for approving credit exposure, opinion of a professional service and the decision of the body of credit institution responsible for its approval;

19. analytical record card of balance sheet and off balance sheet items concerning individual debtor of a credit institution;

20. documents on collateral;

21. documents on the enforced collection undertaken, including records of lawsuits that the credit institution has initiated to collect its claims;

22. records of lawsuits pending potentially against the credit institution with regard to that credit exposure;

23. documents related to the treatment of the restructured credit exposures; and

24. other documents related to information on financial position of the debtor.

(2) A credit institution shall establish the procedure for keeping credit files and identify responsible persons that will take care on the completeness and integrity of the documentation. (3) A credit institution shall, in addition to the requirement to keep documents governed by other regulations, keep the documents referred to in paragraph (1) of this Article as well as other documents and records that make the content of the credit file, during the business relationship or until the finalisation of lawsuits in the cases where they were initiated on this. Sale of receivables Article 19 (1) A credit institution which sold a credit or other receivables in the amount that exceeds materiality threshold referred to in paragraph (2) of this Article shall notify the Central Bank of their sale and it shall submit in particular the following together with the notification:

1. agreement on the sale of receivables;
2. information on reasons for the sale of receivables;
3. data on the quality of the receivables in the moment of their sale;
4. data on the quality of collateral underlying those receivables, if applicable;
5. information on credit capacity of the debtor to which a credit institution has had the sold receivable
6. information on the pricing method;
7. assessment of effects of sale on the financial position and credit institution’s performance indicators. (2) The materiality threshold referred to in paragraph (1) of this Article shall be the following amount, whichever is lower:
8. EUR 500,000; or
9. 10% of tier 1 capital of credit institution. Treatment of personal data Article 20 A credit institution shall treat in accordance with the law the data collected, processed, kept, submitted and used during the assessment of creditworthiness of the debtor and monitoring of the regularity in the payment of its obligations.

3.2. Risks related to credit risk Concentration risk Article 21 (1) A credit institution shall in particular establish, by way of the policy adopted in accordance with Article 108 paragraph (2) of the Law, concentration associated with the following:

1. individual persons and groups of connected persons;
2. group of exposures connected by common risk factors, such as the same economic sector, geographic region or activities, or the application of risk mitigation techniques; and
3. overall credit portfolio. (2) A credit institution shall adopt adequate methodologies to monitor and mitigate concentration risk, which shall at a minimum include the following:
4. an active management of credit exposures portfolio diversification;
5. a determination of concentration limits; and
6. credit risk transfer or mitigation. Country risk Article 22 A credit institution that has been exposed to country risk shall establish:
7. policies and procedures for country risk management; and
8. assessment of feasibility of contracts which have provided a basis for individual exposures to a debtor form another country and of the possibility of liquidating the collateral under the laws of the country in question in a specific period. Currency- induced credit risk and interest rate-induced credit risk Article 23 (1) A credit institution shall cover an additional exposure in its credit risk management:
9. risk of loss which arises from exposures indexed to variable interest rate (hereinafter: interest rate -induced credit risk);
10. risk of loss which arises from exposures denominated in foreign currency or indexed to foreign currency (hereinafter: currency-induced credit risk). (2) A credit institution shall, within the process of granting credit exposures denominated in the currency other than EUR or indexed to the currency other than EUR and/or credit exposures tied to variable interest rate, define the criteria for assessing the creditworthiness of debtors which at a minimum include the assessment of significant increase of debt repayment amount in the case of significant negative oscillations of underlying variable indicators.

(3) A credit institution shall take into account results of the assessment referred to in paragraph (2) of this Article in the process of establishing creditworthiness of the debtor. (4) Where a credit institution uses hedges against the risk referred to in paragraph (1) of this Article, it shall establish the methods for hedging of credit exposures in its internal methodologies. (5) A credit institution shall ensure that the credit risk management referred to in paragraph (1) of this Article provides at a minimum the following:

1. identification of debtors that expose it to risks referred to in paragraph (1) of this Article,

2. calculation of impairment and provisions for exposures subject to risks referred to in paragraph (1) of this Article in the case of foreign exchange rate or interest rates changes, and

3. connection of credit exposures and underlying hedging instruments used by a credit institution, if applicable. (6) A credit institution shall carry out stress testing for risks referred to in paragraph (1) of this Article and take into account the connection between the foreign exchange rate and or interest rate developments and the increase in the repayment of credit exposures measures by the ratio of total payments per credit exposures and income or profit of the debtor. IV. MARKET RISK MANAGEMENT Organisational requirements for market risk Article 24 A credit institution shall ensure that the front office function is clearly separated, operationally and organisationally, from the risk control function and the treasury back office function. Transaction contracting Article 25 (1) A credit institution shall ensure that the contracting parties reach an agreement on all the essential elements of a transaction prior to its conclusion. (2) A credit institution shall ensure that transactions are arranged in line with market conditions. (3) By way of derogation from paragraph (2) of this Article, a credit institution may contract transactions which are not in line with market conditions if:

4. a transaction has been contracted based on a clearly defined and justified client request, with the agreed deviation from market conditions clearly specified in the documentation accompanying the transaction; and

5. each transaction which has not been contracted in line with market conditions must be accompanied by a clearly specified description of the deviation from market conditions and the reasons for it. (4) A credit institution shall prescribe in its internal acts the procedure of reporting to the management board and senior management on all significant transactions which have not been contracted in line with market conditions. (5) A credit institution shall ensure that trading is conducted only in its business premises. (6) Where transactions are contracted by telephone, a credit institution shall ensure that all telephone conversations of the employees authorised to contract transactions are recorded, in accordance with the law. (7) A credit institution shall ensure that each contractual transaction is accompanied by written documentation containing all essential elements of the contractual transaction and other relevant information, and the certificate for the contractual transaction and the accompanying documentation are to be forwarded to the treasury back office function in the shortest possible period. (8) The transactions concluded after the working hours of the treasury back office function must be specifically marked and included in the daily trading position. (9) A credit institution shall ensure that the employees authorised to contract transactions enter transaction data into the information system using their own identification marks, and the time of data entry and employee identification mark must be automatically generated. Transaction recording and control Article 26 (1) A credit institution shall ensure that each contractual transaction is adequately recorded and immediately included into internal reports on contractual transactions. (2) A credit institution shall verify whether the certificates for contractual transactions received from the counterparty are timely and complete, and it shall immediately notify the counterparty on untimely received or incomplete transaction certificates. (3) A credit institution shall establish the regular control of the transaction contracting process, including the control of:

6. the completeness of documentation on a contractual transaction and its timely forwarding to the treasury back office function;

7. the consistency of contractual transaction data with contractual transaction certificates, electronic trading systems certificates and other sources;

8. whether contractual transactions are in line with market conditions;

9. the deviations from internal trading rules; and

10. the consistency of the front office function transaction records with those of other independent organisational units. Market risk exposure analysis Article 27 (1) When analysing its market risk exposure, a credit institution shall at a minimum take into account the following:

11. all credit institution activities sensitive to changes in market factors, also taking into account trading book and non-trading book positions;

12. the development and liquidity of relevant financial markets and market price volatility of financial instruments;

13. actual and projected mismatches and open positions arising from credit institution activities;

14. risk concentration in the trading book;

15. correlations between market prices of various financial instruments;

16. correlations with other risks to which the credit institution is exposed, e.g. credit risk and liquidity risk;

17. complex financial instruments, (e.g. OTC derivatives or instruments valued using mark-to-model techniques),

18. embedded options; and

19. profit and capital simulations under various scenarios, including the maximum loss quantification under extreme market conditions. (2) When analysing its interest rate risk exposure, a credit institution shall, in addition to the elements referred to in paragraph (1) of this Article, take into account various aspects of interest rate risk, including, at a minimum, the risk arising from:

20. changes in the yield curve and the correlations between various yield curves which are relevant for credit institution activities; and

21. the possible execution of embedded interest rate options. (3) When analysing its foreign exchange risk exposure, a credit institution shall, in addition to the elements referred to in paragraph (1) of this Article, at a minimum take into account the following:

22. the impact of adverse exchange rate fluctuations on the value of the open foreign exchange position; and

23. changes in carrying values of the credit institution's foreign currency positions arising from changes in the exchange rates. (4) A credit institution shall regularly assess the effects of profit and capital simulations in relation to its actual performance and the simulations shall relate to the following:

24. interest and interest-sensitive income and expense as well as the economic value of on-balance and off-balance sheet items under various interest rate scenarios;

25. foreign exchange and foreign exchange-sensitive income and expense as well as the economic value of on-balance and off-balance sheet items under various exchange rate scenarios; and

26. other market factors and market-sensitive income and expense as well as the economic value of on-balance and off-balance sheet items under various market scenarios. Market risk monitoring Article 28 (1) The monitoring of risks arising from trading activities shall comprise daily monitoring of data on:

27. trading positions;

28. utilisation and excesses of the limits; and

29. trading results. (2) When determining limits for restricting losses, a credit institution shall take into account the capital and income levels and the structure of the limits must be based on an assessment of the level of risk and the maximum permitted losses. (3) A credit institution shall ensure that the limits referred to in paragraph (2) of this Article are adjusted on a regular basis in accordance with stress testing results and they must comprise each contractual transaction. (4) A credit institution shall establish an authorisation system for the transactions exceeding the established limits and a system of explaining the reasons for exceeding the established limits. (5) A credit institution shall establish a system of reporting to the senior management and, if it deems necessary, to the management board, on all excesses of the established limits, and in the case of the excess of limits, those should be recognised immediately and included in the daily report on limits. (6) The system of monitoring the utilisation and excesses of the limits must comprise the control of contractual transactions' alignment with the established limits; the control of the authorization system for transactions exceeding the established limits and the control of the system of explaining the reasons for exceeding the established limits. (7) The reports providing a basis for a credit institution's monitoring of data on contractual transactions and limits are also to include a breakdown of open positions by transaction type, risk type, organisational unit or portfolio, as well as a breakdown of the established limits and their utilisation levels.

(8) A credit institution shall monitor the excesses of the limits referred to in paragraph (6) of this Article on a daily basis, during and at the end of the working hours, and the reports providing a basis for a credit institution's monitoring of data on trading results are to include current and cumulative results on a monthly and annual basis broken down by areas of trading. V. OPERATIONAL RISK MANAGEMENT 5.1. Operational risk Operational risk management Article 29 (1) A credit institution shall, within its operational risk management, at a minimum include the following:

1. the existing or potential risk of loss for a credit institution occurring due to inappropriate provision of financial services including the cases of intent or negligence (hereinafter: risk of unconscientious business);

2. information system risk;

3. model risk;

4. business changes, including new products, activities, processes and systems;

5. risk arising from project management;

6. legal risk;

7. external events,

8. operational risk arising from outsourcing; and

9. significant inherent risks in the existing products, activities, processes and systems. (2) For the purposes of identifying and measuring or assessing operational risk, a credit institution shall take into account the following:

10. all relevant internal and external factors,

11. events that have resulted in losses; and

12. risk to which a credit institution is exposed that may be considered operational risk but which has not resulted in losses. (3) A credit institution shall measure or assess exposures to the identified operational risk taking into account the probability and frequency of risk occurrence and the potential impact thereof on the credit institution. Identifying and analysing operational risk Article 30 (1) For the purposes of operational risk management, a credit institution shall:

13. determine the principles of identifying and classifying operational risk events or operational risk sources;

14. identify significant operational risk for credit institution and loss arising from operational risk. (2) A credit institution shall immediately carry out a detailed analysis of significant losses which it has identified that are connected with operational risk. (3) A credit institution shall immediately implement adequate measures for losses referred to in paragraph (2) of this Article for the purpose of their reduction and/or containment. Monitoring and reporting on operational risk exposures Article 31 A credit institution shall, at a minimum, include the following in the regular monitoring and reporting on operational risk exposures:

15. the type of loss or risk;

16. the causes and sources of the events or risks;

17. the scope and significance of the events or risks; and

18. measures which are to be or have been implemented to reduce and limit the consequences of the events or to contain risk. 5.2. Information system risk Organisational requirements for information system risk Article 32 (1) A credit institution shall, in accordance with the Law, ensure adequate and transparent organisational structure with clearly defined powers and responsibilities, including for management bodies and their working bodies in the manner that ensures efficient and safe information system management (IT operations, IT development, information security, etc.), information system risks (hereinafter: IS risks) and business continuity in order to avoid conflict of interest, ensure efficient communication and cooperation with regard to the performance of these activities and establish clear and well-documented decision-making process. (2)The credit institution shall ensure that the appropriate number of persons with the necessary professional qualifications and competencies is continuously available to perform the activities referred to in paragraph (1) of this Article and to implement the information system development strategy referred to in Article 34 of this Decision. (3) A credit institution shall prescribe the content, frequency and method of reporting to the competent bodies of the credit institution on significant facts related to the performance of activities referred to in paragraph (1) of this Article. (4) Organisational parts of a credit institution that perform operational activities and activities in which IS risks arise, and in particular the organisational part or parts in charge

of performing IT operations, shall be responsible for establishing appropriate processes and controls which reduce these risks to an acceptable level in accordance with the adopted IS risk appetite, and they shall ensure that services and systems they deliver and activities they perform are in compliance with internal and external requirements. (5) A credit institution shall designate the organisational unit and/or persons directly responsible for coordinating, monitoring and overseeing the application of IS risk management rules, i.e. ensuring that these risks are identified, measured, assessed, controlled, monitored and reported. (6) A credit institution shall ensure the independence and objectivity of the organisational part and/or persons referred to in paragraph (6) of this Article, i.e. that such organisational part and/or persons do not perform operational activities in which risk arises (which are monitored and overseen); and in particular those activities performed by the organisational part of the credit institution in charge of IT operations. (7) The organisational part and/or the persons referred to in paragraph (6) of this Article shall report in a timely manner to the competent bodies of the credit institution on regular and extraordinary activities related to IS risk management. Use of third party providers Article 33 (1) A credit institution shall ensure adequate management of IS risks which arise or might arise from the business relationship with third party providing a service or an IS-related product to the credit institution, regardless of whether such business relationship represents an outsourcing arrangement, whereby this business relationship also implies implementation of measures laid down in this Decision for reducing risks. (2) A credit institution shall, before entering into the business relationship referred to in paragraph (1) of this Article, conclude a contract with third party taking into account that the content and the scope of contractual provisions are defined in accordance with the complexity and the volume of activities outsourced and IS risk appetite of the credit institution. (3) The contract referred to in paragraph (2) of this Article shall at least contain the provisions with regard to the following:

1. information security measures, such as cyber security requirements, credit institution’s data encryption and data life cycle, network security, data location centres, any requirements regarding continuity of service provision, overseeing of system security and the like;
2. operational and security incident handling procedures including escalation and reporting. (4) A credit institution shall monitor the quality and security of performance of operations subject to the contract referred to in paragraph (2) of this Article and the fulfilment of the

contracted level of service. Information security development strategy Article 34 (1) A credit institution shall adopt the strategy of development of information system for a period that is not shorter than three years and this strategy shall be harmonised with general strategy. Information system development strategy should at least:

1. describe the way in which the information system should be developed through a review of the current and desired state, including changes related to IT systems, IT architecture, organisational and operational structure and the use of third party services;

2. define clear objectives regarding information security, with an emphasis on IT systems, IT services, employees and processes;

3. describe the manner in which the credit institution will dedicate itself to the management of the information system in order to preserve business continuity. (2) A credit institution shall elaborate in more detail the strategy referred to in paragraph (1) of this Article by adopting annual operational action plans that contain measures for the realisation of the objectives defined in the information system development strategy. (3) Annual operational action plans referred to in paragraph (2) of this Article should as a minimum contain a description of activities and projects, contractors, responsible persons, budget and deadlines for executing planned activities. (4) A credit institution shall ensure that the allocated budget appropriate to fulfil the strategy referred to in paragraph (1) of this Article. (5) A credit institution shall establish a process of continuous measurement and overseeing of an effective implementation of strategy referred to in paragraph (1) of this Article. Internal acts for IS risk management Article 35 A credit institution shall define in its internal acts rules for managing IS risks, which at least should include:

4. IS risk appetite in accordance with the credit institution's risk appetite;

5. methods and indicators (threats, vulnerability, probability, impact, etc.) for identifying and measuring i.e. assessing IS risks to which a credit institution is exposed;

6. procedures for defining measures to control risks, including introduction of new and/or modification of the existing controls with a view to mitigating risks;

7. procedures for monitoring the implementation of measures referred to in item 3) of this Article and their effectiveness, as well as the number of identified operational and security incidents and actions taken to correct the measures;

8. the obligation to identify and measure i.e. assess risks of the relevant part of the information system resulting from any major changes in information system, service and/or management of information system, prior to passing a decision on realisation of such changes;

9. the obligation to identify and measure i.e. assess risks of the relevant part of the information system after any significant operational or security incident;

10. timeframe for carrying out regular, comprehensive IS risk identification and assessment, and at least once a year;

11. the manner and frequency of preparing and delivering reports to the competent bodies of the credit institution on any significant facts regarding activities on IS risk management and exposure of credit institution to these risks;

12. powers and responsibilities for IS risk management for all levels of work and decision-making process in order to avoid conflict of interest. Mapping of business functions, processes, IT services and systems Article 36 (1) A credit institution shall identify and regularly update mapping of its business functions and processes executed within those functions, which:

13. describes interdependencies of various functions and processes;

14. contains an overview of information assets which a certain function and/or process uses or creates;

15. describes information inflow and outflow between various functions and processes. (2) A credit institution shall identify and regularly update mapping of connectivity between business functions and processes referred to in paragraph (1) of this Article and IT systems, IT services, employees and external service providers supporting and/or enabling the functioning of these functions and processes. Identifying the importance of information system resources Article 37 (1) A credit institution shall classify and document business functions, processes, information assets, IT systems, IT services, employees and external service providers referred to in Article 36 of this Decision in terms of their importance i.e. criticality. (2) When identifying importance i.e. criticality of resources referred to in paragraph (1) of this Article, a credit institution shall at least consider confidentiality, integrity and availability requirements. (3) A credit institution shall clearly define assignments and responsibilities for resources referred to in paragraph (1) of this Article and for identifying their classification. (4) The importance of resources referred to in paragraph (1) of this Article shall be considered and reviewed when IS risk assessment is performed.

Defining corrective measures Article 38 (1) Based on risk assessment results, a credit institution shall, in accordance with IS risk appetite, determine which measures are required to reduce IS risks to an acceptable level, as well as to identify whether changes in the existing business processes, control measures, IT systems and/or IT services are required. (2) A credit institution shall assess time required to carry out changes referred to in paragraph (1) of this Article and define, if needed, interim measures to mitigate risks that will apply until the projected changes are carried out. Ensuring quality of data Article 39 (1) A credit institution shall ensure that is information system provides timely, reliable and complete data that are significant for making business decisions, efficient performance of business activities and risk management, i.e. for safe and sound operations of credit institution. (2) A credit institution shall, in accordance with the nature, size and complexity of its operations, based on risk assessment, automate the processing of data referred to in paragraph (1) of this Article using information technology, where possible and reasonable, whereat manual processing of such data must be justified, documented and limited to an acceptable level. (3) Information system software components used for data processing referred to in paragraph (1) of this Article should have adequate controls for validating input data during the data processing and output data with a view to preventing inaccuracies and inconsistencies in such data. (4) A credit institution shall determine whether inadequate information technology is the cause of possible deviations and irregularities that may occur during the processing of data referred to in paragraph (1) of this Article, and establish procedures to address these deviations and irregularities and eliminate the reasons that led to their occurrence. (5) Data processing, within the meaning of this Article, shall be entire chain of data collection, recording and processing up to their selection, sorting and filtering based on certain criteria and presentation in the reports. Information security policy Article 40 (1) A credit institution shall adopt and implement information security policy which represents a key document that defines general principles and rules to protect

confidentiality, integrity and availability of data and information of credit institution and its clients and which in particular identifies:

1. objective and scope of the policy;
2. principles for information security management;
3. description of main roles, general and special responsibilities regarding information security management. (2) A credit institution shall define in the policy referred to in paragraph (1) of this Article responsibilities of all employees, contractors and service providers regarding data protection, as well as measures that a credit institution may take against them when information system security is disrupted. (3) A credit institution shall introduce persons referred to in paragraph (2) of this Article with the information security policy. (4) A credit institution shall ensure, in its information security policy, confidentiality, integrity and availability of logical and physical resources of information system, in accordance with their criticality, as well as sensitive data regardless of whether they are at rest, in transit or in use. (5) A credit institution shall continuously comply its information security policy with changes in information system and its environment in cases when the information system security is disrupted and based on the risk assessment results. (6) Based on the information security policy, a credit institution shall, in its internal acts, prescribe and implement detail rules pertaining all aspects of the information security that refer to:
4. organisation and governance in accordance with Article 32 of this Decision and regulations governing internal audit in credit institutions;
5. logical security;
6. physical security;
7. IT operations security;
8. information security monitoring;
9. information security reviews, assessment and testing;
10. information security training and awareness. Logical security Article 41 (1) A credit institution shall, in its internal acts, define and implement rules for logical access control (identity and access management) that ensure at least the following:
11. access to information system is performed on need-to-know basis, including remote access;
12. information system users are granted minimum access rights based on their defined business requirements to perform uninterruptedly their duties;
13. assigned access rights enable adequate segregation of duties, i.e. users are not

assigned with the combination of access rights that enables them to circumvent controls; 4) information system users are assigned, where possible, personalised user accounts that can be easy identified, whereby one user uses one account so that the activities carried out in the information system might be clearly connected with the user and the responsibility might be clearly identified; 5) the use of privileged access is strictly controlled by limiting and closely monitoring activities at the account with elevated system access entitlements (such as system administrator accounts); privileged remote access is approved only on the need￾to-know basis using reliable solution for strong authentication (such as two-factor authentication); 6) activities of users, and in particular all activities by privileged users are recorded in system and operational logs and they are developed, monitored and stored in accordance with the identified criticality of information system resources referred to in Article 37 of this Decision for the purpose of timely detecting unauthorised access and activities on information system, reconstruction of events and identification of responsibilities; 7) access rights are granted, withdrawn or modified in a timely manner, in accordance with the predefined approval workflow, which includes persons that are identified as persons responsible for resources to be accessed in accordance with Article 37 paragraph (3) of this Decision; 8) in the case of termination of employment, access rights should be promptly withdrawn; 9) access rights should be reviewed at least once a year to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required; 10)authentication methods are enforced that are sufficiently robust to adequately and efficiently ensure that access control policies and procedures are complied with; 11)authentication method is commensurate with the criticality of the IT systems, services and information being accessed which, at a minimum, include complex passwords or stronger authentication methods, based on risk assessment; 12)electronic access by applications to data and IT systems are limited to a minimum required to provide relevant IT service. (2) Remote access, within the meaning of this Article, means the access that enables access rights to information system resources from a remote location by using telecommunication infrastructure which is not fully controlled or supervised by the credit institution. (3) Privileged access, within the meaning of this Article, means access to information system resources which enables users to have substantially more rights and to override logical controls (e.g. administrator of system software, network, databases, application software, etc.). (4) Authentication, within the meaning of this Article, means the verification of the identity of the user, system or process by a system.

(5) A credit institution shall document in more detail the type, content, storing period, security method, frequency of analysis and the method of supervision of operational and system logs being developed in accordance with paragraph (1) of this Article. Physical security Article 42 (1) A credit institution shall, in its internal acts, define and implement the physical security controls with the aim to protect its premises, data centres and sensitive areas from unauthorised access and from environmental hazards (static electricity, high temperature, fire, flood, etc.). (2) Physical access to IT systems must be monitored and permitted to only appropriately trained authorised persons, in accordance with their tasks and responsibilities, and physical access to IT systems must be regularly reviewed to ensure, without delay, that unnecessary access rights are promptly revoked when not required. (3) Adequate measures to protect for environmental hazards must be established to commensurate with the importance of the buildings and premises and the criticality of the operations or IT systems located in these buildings. (4) A credit institution shall review periodically the correctness of physical measures implemented in accordance with this Article. IT operations security Article 43 (1) A credit institution shall, in its internal acts, define and apply rules to prevent the occurrence of security issues in IT systems and IT services and minimise their adverse impacts on IT service delivery, and these rules shall include at a minimum the following:

1. identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software components (including firmware and software provided by financial institutions to their internal and external users) are up to date, by deploying critical security patches or by implementing compensating controls;
2. implementation of secure configuration baselines of all network components;
3. implementation of network segmentation, data loss prevention systems and the encryption of network traffic in accordance with the data classification;
4. implementation of protection of endpoints including servers, workstations and mobile devices;
5. the evaluation whether endpoints meet the security standards defined by them before they are granted access to the corporate network;
6. ensuring that mechanisms are in place to verify the integrity of software, firmware and data;
7. encryption of data at rest and in transit in accordance with the data classification.

(2) A credit institution shall, on an ongoing basis, determine whether changes in the existing operational environment influence the existing security measures or require adoption of additional measures to mitigate related risks appropriately. (3)Changes referred to in paragraph (2) of this Article must be carried out in accordance with the formally defined change management process in accordance with Article 55 of this Decision. (4)A credit institution shall establish and develop IT systems and services that is compliant with the impact analysis results referred to in paragraph (1) of this Article, which shall ensure duplication of certain critical components in order to prevent interruptions caused by events affecting those components. Security monitoring Article 44 (1) A credit institution shall, in its internal acts, define and implement rules for monitoring information security and detecting unusual events that may impact credit institution's information security and rules for responding to these events appropriately. (2) As a part of continuous monitoring, a credit institution shall implement effective measures for detecting physical and logical intrusion as well as breaches of confidentiality, integrity and availability of information. (3) The continuous monitoring of information security process includes:

1. relevant internal and external factors, including business and IT functions;
2. transactions to detect misuse of access by employees, third parties or other entities;
3. potential internal and external threats. (4) A credit institution shall establish and continuously implement controls for detecting events such as undesirable information leakages, presence of malicious software and use of software containing publicly known vulnerabilities. (5) An organisational part and/or persons responsible for monitoring credit institution's information security shall constantly monitor security and operational threats that could materially affect the ability of credit institution to provide services, and monitor technological and security developments to ensure that they are aware of potential risks. (6) An organisational part and/or persons responsible for monitoring credit institution's information security shall report in a timely manner to competent bodies of a credit institution of regular and extraordinary activities with regard to monitoring information security and in particular of detected events that affected or may affect credit institution's information security.

Information security testing Article 45 (1) A credit institution shall, in its internal acts, define and implement rules for information security testing that validates and robustness and effectiveness of their information security measures. (2) A credit institution shall, in its rules for information security testing referred to in paragraph (1) of this Article, ensure that tests:

1. are carried out by persons who are not involved in the development of the information security measures and who have sufficient knowledge, skills and expertise in testing of those measures;
2. include, in accordance with the risk assessment, threat-led penetration testing and scanning of IT systems to detect vulnerabilities. (3) A credit institution shall periodically repeat tests of information security measures and at least on an annual basis for all critical IT systems, or at least once in three years for non-critical IT systems. (4) A credit institution shall perform extraordinary tests of information security measures when:
3. infrastructure and significant processes and software change;
4. the changes occur due to significant operational or security incidents;
5. new or significant changes of the existing critical applications are introduced that are available on Internet. (5) A credit institution shall, in accordance with the testing results referred to in this Article, adjust information security measures, and in case of critical IT systems, it shall do it without delay. Information security training and awareness Article 46 (1) A credit institution shall, in accordance with current trends, pass, carry out and regularly review the information security awareness programme. (2) A credit institution shall provide, in accordance with the programme referred to in paragraph (1) of this Article, periodically and at least annually training to all employees and other natural persons engaged in a credit institution to ensure that they are trained to perform their duties and responsibilities in accordance with information security policy and rules with the aim to reducing human errors, thefts, frauds, misuses or losses and be aware how to address information security-related risks.

IT operations' internal acts and documents Article 47 (1) A credit institution shall manage its IT operations based on formally defined processes that are described in clear, complete and detailed procedures. (2) A credit institution shall maintain and regularly update the list of software and hardware components of information system that contains basic information on their configuration and enables prompt identification of components, their locations, security classification and ownership. (3) A credit institution shall regularly maintain documentation which describes interdependencies and links between different software and hardware components of information systems to enable proper configuration and change management and prompt response to security and operational incidents including cyber-attacks. (4) A credit institution shall regularly maintain records on all external connection points through which third persons may have unauthorised access to internal part of information system of a credit institution, and on all devices which has access to Internet. Hardware and software asset management Article 48 (1) A credit institution shall manage hardware and software assets during its life, form its purchase or development to withdrawal from use to ensure that is constantly meets business and risk management requirements. (2) A credit institution shall, in managing assets referred to in paragraph (1) of this Article, ensure appropriate maintenance of hardware and software assets in accordance with the manufacturer's recommendations, and mitigate risks arising from the outdated assets or from the use of assets that has no longer manufacturer's support. (3) A credit institution shall establish and develop IT systems and services in the manner that is compliant with business impact analysis results referred to in Article 57 of this Decision, which shall ensure duplication of certain critical components in order to prevent interruptions caused by events affecting those components. System and operational logs Article 49 (1) A credit institution shall develop, monitor and ensure keeping of system and operational logs from critical IT systems in order to detect, analyse and correct errors. (2) A credit institution shall document in more detail the type, content, storing period, security method, frequency of analysis and the method of supervision of operational and system logs being developed in accordance with paragraph (1) of this Article.

Performance and capacity planning and monitoring Article 50 A credit institution shall establish process for planning and monitoring the performance and capacities of IT systems to prevent, detect and respond to important performance issues of these systems and their capacity shortages in a timely manner. Data backup Article 51 (1) A credit institution shall establish the process for managing data backups which includes the process of developing, storing and testing data backups and restoration from backups to ensure availability of data if needed. (2) The process referred to in paragraph (1) of this Article must be established in accordance with the requirements with regard to recovery or restoration procedures and established criticality of business processes, IT systems and services and implemented risk assessment. (3) Data backups must be regularly updated, secured and appropriately stored on one or more safe locations, of which at least one must be sufficiently remote from the primary site so they are not exposed to the same risks. (4) A credit institution shall identify in its internal act the type, volume, the manner and frequency development, testing and storing of data in a remote location, storing period for backups and the manner of keeping records thereof. Incident and problem management Article 52 (1) A credit institution shall establish an incident and problem management process to minimise the impact of adverse events and enable prompt and efficient response in the case of disruption of security and functionality of information system. (2) A credit institution shall determine criteria and thresholds for classifying events as operational or security incidents as set out in this Decision, as well as early warning indicators that will serve as alerts to enable early detection of these incidents. (3) The incident and problem management process should establish:

1. the procedures to identify, track, log, categorise and classify incidents based on priorities in accordance with adverse impact they have or might have on operations;
2. the roles and responsibilities for different incident scenarios and categories of incidents;
3. procedures of prompt response on incidents to mitigate adverse impacts related

to incidents and to ensure that the service becomes operational and secure in a timely manner; 4) procedures for identifying, analysing and solving root causes behind one or more incidents to prevent their recurrence; 5) effective internal communication plans, including communication with regard to incident notification and escalation to higher level of management, and security￾related customer complaints, to ensure that:

• incidents with potentially high adverse impact on critical IT systems and services are reported to the relevant senior management and IS/IT senior management;
• the supervisory and management board are informed on an ad hoc basis in the event of significant incidents and, at least, informed of the impact, the response and the additional controls to be defined as a result of the incidents;

6. efficient external communication procedures for critical business functions and processes in order to:

• collaborate with relevant stakeholders to effectively respond to and recover from the incident;
• provide timely information to clients and other parties in accordance with regulations. (4) In the case of the occurrence of significant incident within the information system including part of outsourced information system, a credit institution shall:

1. notify, without delay, the Central Bank, providing the description of that incident, assessment of its impact and planned response to that incident;
2. inform the Central Bank, in a timely manner, of all relevant new information that has significant impact on the change of initial description of the incident, assessment of its impact and/or response to that incident;
3. provide the Central Bank, upon solving the incident, with the final information on the incident, including information on identified consequences and activities taken. IT project management Article 53 (1) A credit institution shall establish the IT project governance process that adequately supports the implementation of information system development strategy referred to in Article 34 of this Decision. (2) A credit institution shall establish and implement an IT project management policy to include at least:
4. project objectives;
5. roles and responsibilities;
6. a project risk assessment;
7. a project plan, timeframe and steps;
8. key milestones;
9. change management requirements.

(3) Roles and responsibilities referred to in paragraph (2) item 2) of this Article should be defined so that information security requirements are analysed and approved by a function that is indented from IT system development function. (4) A credit institution shall, in its internal acts related to IS risk management referred to in Article 35 of this Decision, appropriately include risks related to IT projects. (5) A credit institution shall manage risks arising from the IT project portfolio in an adequate manner (project management), taking into account, in particular, risks that may arise from interdependencies of different projects and dependencies of different projects from the same resources and/or expertise. (6) A credit institution shall ensure that all business areas and functions affected by the IT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. (7) A credit institution shall establish reporting to competent bodies of credit institution of regular and ad hoc activities regarding IT project management, on individual or aggregate basis, depending on the importance and size of IT project and, in particular, of launching of the project, its implementation status and associated risks. IT system acquisition and development Article 54 (1) A credit institution shall, in its internal acts using risk-based approach, define and implement rules governing the IT system acquisition, development and maintenance, which at least ensure that:

1. before any acquisition or development of IT systems, the functional and non￾functional requirements, including information security requirements, are clearly defined and approved by relevant persons;
2. measures are in place to mitigate the risk of unintentional alteration or intentional manipulation of the IT systems during development and implementation in the production environment;
3. acquired and developed IT systems are tested and approved by applying adequate methodology prior to their first use. (2) In its methodology for testing and approving IT systems, a credit institution shall ensure that:
4. criticality of business processes and other relevant resources of information system has been taken into consideration during the testing process;
5. testing process confirms the reliability of net IT system or that such system functions as intended;
6. testing is performed in the testing environment that adequately reflects the production environment;
7. the implementation of information security measures is tested to identify potential

security weaknesses, violations and incidents. (3) A credit institution shall separate in an adequate manner development, testing and production environments to ensure segregation of duties, adequate development and testing. (4) A credit institution shall restrict the use of production data in development, testing and other non-production environments and ensure the integrity and confidentiality of those data on all systems. (5) Access right to production data shall be assigned only to authorised users, regardless of the environment of such data. (6) A credit institution shall implement measures to protect the integrity of the source codes of IT systems that are developed in-house. (7) A credit institution shall document the development, implementation, operation and/or configuration of IT systems to reduce any unnecessary risk of dependency on the subject matter experts. (8) The documentation referred to in paragraph (7) of this Article should be comprehensive, accurate and regularly updated and, where applicable, it should contain at least user documentation, technical system documentation and operating procedures. (9) In accordance with risk assessment, the provisions of this Article shall also apply to software solutions developed or managed by internal end users outside IT organisational unit of the credit institution, such as end user computing applications. (10) A credit institution shall maintain records of these applications that meet the characteristics listed in paragraph (9) of this Article if they support critical business functions and processes. Change management Article 55 (1) A credit institution shall establish and implement an IT hardware and software components' change management process to ensure that all changes to information systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner and establish restoration plans in order to avoid that changes lead to unexpected and unwanted behaviour of this system, i.e. disrupt its security or functionality. (2) A credit institution shall ensure that changes of hardware and software components, during emergencies, which must be introduced as soon as possible, are implemented following procedures that provide adequate safeguards.

5.3. Business continuity Business continuity management Article 56 A credit institution shall establish business continuity management process to ensure the business continuity and limit losses in the event of severe business disruption or discontinuation. Business impact analysis Article 57 (1) As a part of business continuity management process referred to in Article 57 of this Decision, a credit institution shall periodically analyse its exposure to severe business disruptions and discontinuations and assess their potential impacts, qualitatively and quantitatively, using available internal and external data and scenario analysis. (2) A credit institution shall, during business impact analysis referred to in paragraph (1) of this Article, consider identified classification and interdependency of business functions, processes, information assets, IT systems, IT services, employees and third parties referred to in Articles 36 and 37 of this Decision. (3) Based on business impact analysis referred to in paragraph (1) of this Article, a credit institution shall formally identify:

1. critical business activities, processes, IT systems and services, including outsourced activities;
2. level of services a credit institution is required to maintain or timely restore;
3. recovery time objective (RTO), which indicate the maximum time within which business process and IT systems must be restored after an incident;
4. recovery point objective (RPO), which indicate the maximum time period during which it is acceptable for data to be lost in the event of an incident. Business continuity plan and contingency plan Article 58 (1) Management board of a credit institution shall define business continuity plan and contingency plan adopted in accordance with the Law based on the business impact analysis referred to in Article 57 of this Decision. (2) When defining plans referred to in paragraph (1) of this Article, a credit institution shall coordinate such activities with all relevant internal and external stakeholders and consider dependences from third parties and services they provide. (3) When defining plans referred to in paragraph (1) of this Article, a credit institution shall consider risks that might have an adverse impact on its objectives with regard to the

protection, and if needed, restoration of confidentiality, integrity and availability of its business functions, supporting processes, IT systems, IT services and information assets. (4) Plans referred to in paragraph (1) of this Article must be designed to enable credit institution to react appropriately to potential failure scenarios and to recover the operations of its critical business activities after disruptions within a recovery time objective and a recovery point objective. (5) Plans referred to in paragraph (1) of this Article must contain a list of priorities to be used in case of recovery of several business activities. (6) A credit institution shall, in its plans referred to in paragraph (1) of this Article, consider a range of different scenarios, including extreme but plausible scenarios, to which it might be exposer, including a cyber-attack scenario, and it should describe how the continuity of IT systems and services, as well as the credit institution’s information security, are ensured. Information system disaster recovery plan Article 59 (1) Management board of a credit institution shall, considering short-term and long-term recovery objectives, develop and adopt information system disaster recovery plan(s) based on business impact analysis referred to in Article 57 of this Decision and scenarios referred to in Article 58 paragraph (6) of this Decision. (2) Information system disaster recovery plan referred to in paragraph (1) of this Decision shall include at least:

1. conditions to be met to implement the plan;
2. a detailed description of procedures that ensure recovery and availability of at least critical IT systems and services in accordance with developed requirements;
3. a list of priorities to be met if the recovery of more IT systems and/or services is needed;
4. data on teams to be responsible for recovery of individual IT systems or services and team members, including their clearly defined duties and responsibilities;
5. data on the information system recovery location;
6. data on key service providers. Testing, updating and availability of plans Article 60 (1) Management board of a credit institution shall regularly test the plans referred to in Articles 58 and 59 of this Decision and compile reports thereof, where the appropriateness of plans for critical business activities, processes, IT systems and services shall be verified at least annually based on severe but plausible scenarios.

(2) A credit institution shall, during testing process referred to in paragraph (1) of this Article, establish whether it can successfully transfer to alternative method of performing critical business activities from the disaster recovery environment, maintain such mode for a sufficiently representative period of time and restore normal functioning afterwards. (3) A credit institution shall regularly revise and update plans referred to in Articles 58 and 59 of this Decision in accordance with lessons learned from previous incidents, testing results, new identified risks and threats, changed objectives and recovery priorities, business changes, including changes in products, activities, processes and systems, changes in environment and business strategy. (4) For the purpose of effective implementation of plans referred to in Articles 58 and 59 of this Decision, a credit institution shall ensure that all employees are introduced with their roles and responsibilities in case of contingencies and that these plans are readily available to them in contingencies. Contingency reporting and communication Article 61 (1) A credit institution shall report to competent bodies of the credit institution on activities regarding all relevant facts arising from business continuity management and, in particular, on testing of plans referred to in Articles 58 and 59 of this Decision, analysis of deficiencies identified during the testing process and significant changes in business continuity management. (2) In the event of disruption of business or emergency, a credit institution shall have measures in place so that all relevant internal and external stakeholders are informed thereof and it shall maintain communication with them. (3) When the circumstances requiring implementation of plans referred to in Articles 58 and 59 of this Decision occur, a credit institution shall notify the Central Bank, without delay, of significant facts and circumstances thereof. VI. MANAGEMENT OF THE INTEREST RATE RISK ARISING FROM NON-TRADING BOOK ACTIVITIES Management of IRRBB Article 62 (1) A credit institution shall manage risks arising from its interest rate exposures from non￾trading book activities (hereinafter: IRRBB), which affect its earnings and economic value. (3) For the purposes of paragraph (1) of this Article, a credit institution shall, taking into consideration fundamental aspects of the level and structural characteristics of interest rates that may appear simultaneously and whose effects of changes reflect on yield curve

by changing the price/value or earnings/costs of interest rate-sensitive assets, liabilities and off-balance sheet items in a way that may adversely affect the financial condition, use holistic approach to manage all of the following sub-types of IRRBB:

1. gap risk or risk resulting from the term structure of interest rate sensitive instruments that arises from differences in the timing of their rate changes, covering changes to the term structure of interest rates occurring consistently across the yield curve (parallel risk) and/or differentially by period (non-parallel risk);
2. basis risk or risk arising from the impact of relative changes in interest rates on interest rate sensitive instruments that have similar tenors but are priced using different interest rate indices and that risk arises from the imperfect correlation in the adjustment of the rates earned and paid on different interest rate sensitive instruments with otherwise similar rate change characteristics;
3. option risk or risk arising from options (embedded and explicit), where the institution or its customer can alter the level and timing of their cash flows, namely the risk arising from interest rate sensitive instruments where the holder will almost certainly exercise the option if it is in their financial interest to do so (embedded or explicit automatic options) and the risk arising from flexibility embedded implicitly or within the terms of interest rate sensitive instruments, such that changes in interest rates may affect a change in the behaviour of the client. (3) A credit institution shall identify its existing and prospective exposures to IRRBB in a proportionate manner, depending on the level, complexity and riskiness of the non-trading book positions it faces, or an increasing risk profile, taking into account its business model, its strategies and business environment it operates in or intends to operate in. (4) When calculating the impact of interest rate movements from the earnings perspective, a credit institution shall, in addition to the effects on interest income and expenses, consider also the effects of the market value changes of instruments either shown in other comprehensive income (profit and loss account) or directly in equity, and take into account the increase or reduction in earnings and capital over short-term and medium-term horizons resulting from interest rate movements. (5) The change in earnings referred to in paragraph (3) of this Article shall be the difference between expected earnings under a base scenario and expected earnings under an alternative scenario that includes either more adverse shock or stress scenario from a going-concern perspective. Overall strategy for management of the IRRBB Article 63 (1) A credit institution shall include in the interest rate sensitive instruments at a minimum the following:
4. non-performing loans,
5. interest rate derivatives; and
6. other off-balance sheet items, such as loan commitments sensitive to interest rate.

(2) Interest rate sensitive instruments referred to in paragraph (1) of this Article means assets, liabilities and off-balance sheet items in the non-trading book, excluding assets deducted from CET1 capital of credit institution. (3) Non-performing loans referred to in paragraph (1) item 1) of this Article means exposures which are, in line with the regulation governing the classification of assets and calculation of loss provisions of credit institutions, identified as non-performing loans. (4) A credit institution shall monitor and assess exposures based on asset items positions in the non-trading book that are affected by the credit spread risk from non-trading book activities, if such a risk is relevant for risk profile of the credit institution. (5) Asset item positions, within the meaning of paragraph (4) of this Article, shall include asset items carried at fair value, unless the credit institution has an evidence that such risk exists also in other asset items of the non-trading book. (6) Contrary to three sub-types of IRRBB referred to in paragraph (2) of this Article, a credit spread risk from non-trading book activities (CSRBB) referred to in paragraph (4) of this Article means the risk driven by changes in the market perception about the credit quality of groups of different credit–risky instruments (either because of changes to expected default levels or because of changes to market liquidity), whereat changes to market perceptions can amplify the risks already arising from yield curve risk, and CSRBB is therefore defined as any kind of asset/liability spread risk of credit-risky instruments which is not explained by IRRBB, nor by the expected credit/jump-to-default risk. (7) A parent credit institution in Montenegro shall ensure that the internal governance systems and IRRB management processes are consistent and well integrated on a consolidated basis. Risk appetite for IRRBB Article 64 (1) A credit institution shall define risk appetite for IRRBB as acceptable impact of fluctuating interest rates on both earnings and economic value. (2) A credit institution with significant exposures to three main sub-types of IRRBB i.e. gap risk, basis risk or option risk, shall define its risk appetite in relation to each of these material sub-types of IRRBB, and establish limits for each of sub-types of risk. (3) A credit institution shall, within the defined risk appetite, establish powers and responsibilities for managing IRRBB, as well as instruments, the hedging method and level of risk taking of IRRBB.

(4) When defining its risk appetite, a credit institution shall take account of earnings risks that may arise as a consequence of accounting treatment of transactions in the non￾trading book. (5) The risk to earnings referred to in paragraph (2) of this Article shall not be limited only to interest income and expenses, but it must take into account separately the effects of changes in interest rates on the market value of instruments that, depending on accounting treatment are reflected either through profit or loss account or directly in equity. (6) A credit institution shall take into account the earnings impact related to embedded optionalities in fair value instruments under ongoing interest rate shocks and stress scenarios, and the potential impact on profit and loss accounts of hedging interest rate derivatives if their effectiveness was hampered by interest rate changes. Limits Article 65 (1) A credit institution shall implement limits that target maintaining IRRBB exposures consistent with its risk appetite and with its overall approach for measuring IRRBB, in particular the following:

1. policy limits that are appropriate to the nature, size, complexity and capital adequacy of the credit institution and its ability to measure and manage its risks;

2. limits that clearly articulate the acceptable amount of IRRBB should be applied on a consolidated basis and, as appropriate, at the level of individual affiliates,

3. management reporting systems and, if needed, management board reporting in case of exceeding limits on positions that are or might be exceeded;

4. reporting of risk measures to the management board at least on quarterly basis. (2) A credit institution shall establish and monitor risk hedging and control mark-to-market risks in instruments that are accounted for at market value. IRRBB policies and procedures Article 66 (1) The system for identifying and managing the IRRBB should ensure that:

5. procedures for updating scenarios for the measurement and assessment of IRRBB are set up;

6. the measurement approach and the corresponding assumptions for measuring and assessing IRRBB, including the allocation of internal capital to IRRBB risks, are appropriate and proportional;

7. the assumptions of the models used are regularly reviewed and, if necessary, amended;

8. standards for the evaluation of positions and the measuring of performance are defined;

9. appropriate documentation and control over permissible hedging strategies and hedging instruments exist; and

10. the lines of authority and responsibility for managing IRRBB exposures are defined. (2) The policies should be well reasoned, robust and documented and should address all IRRBB components that are important to the institution’s individual circumstances. Without prejudice to the proportionality principle, the IRRBB policies should include the following:

11. the application of the boundary between ‘non-trading book’ and ‘trading book’, and internal risk transfers between the banking book and the trading book should be properly documented and monitored within the broader monitoring of the IRRBB originated by interest rate derivatives instruments;

12. the more detailed definition of economic value and its consistency with the method used to value assets and liabilities (e.g. based on the discounted value of future cash flows, and on the discounted value of future earnings) adopted for internal use;

13. the more detailed definition of earnings risk and its consistency with the credit institution’s approach to developing financial plans and financial forecasts adopted for internal use;

14. the size and the form of the different interest rate shocks to be used for internal IRRBB calculations;

15. the use of conditional or unconditional cash flow modelling approaches;

16. the treatment of ‘pipeline transactions’ (including any related hedging);

17. the aggregation of multicurrency interest rate exposures;

18. the measurement and management of basis risk resulting from different interest rate indexes;

19. whether or not non-interest-bearing asset and liabilities items of the non-trading book (including capital and reserves) are included in calculations measuring IRRBB for the ICAAP; 10)the behavioural treatment of current and savings accounts; 11)the measurement of IRRBB arising from behavioural and automatic options in assets or liabilities, including convexity effects and non-linear payoff profiles; 12)the degree of granularity employed in measurement calculations (e.g. use of time buckets); and 13)the internal definition of commercial margins and adequate methodology for internal treatment of commercial margins. (3) Conditional cash flow modelling referred to in paragraph (2) item 5) of this Article means cash flow modelling under the assumption that the timing and amount of cash flows is dependent on the specific interest rate scenario, i.e. it is assumed that the timing of cash flows of options, of instruments with embedded or explicit options and of instruments of which the maturity depends on clients' behaviour is modelled depending on the interest rate scenario.

(4) Unconditional cash flow modelling referred to in paragraph (2) item 5) of this Article means cash flow modelling under the assumption that the timing and amount of cash flows is independent of the specific interest rate scenario. (5) A credit institution shall revise all IRRBB policies at least once a year and update them, if needed. Internal controls Article 67 (1) A credit institution shall ensure regular reviews and evaluations of the internal controls system and procedures for managing IRRBB risks by persons or organisational unit that is independent from the operations whose review is performed. (2) Internal audit shall establish regular review of the procedures for identifying, measuring, monitoring and controlling IRRBB. Information system and applications for managing IRRBB Article 68 (1) For the purposes of IRRBB management, a credit institution shall establish timely and reliable information systems and applications for:

1. carrying out, processing and recording of business events;
2. identifying, measuring and aggregating exposures to IRRBB; and
3. generating the reports. (2) The systems referred to in paragraph (1) of this Article should:
4. be capable of fully and clearly recording all transactions, taking into account their IRRBB characteristics;
5. offer sufficient flexibility to accommodate a reasonable range of shock and stress scenarios and any additional scenarios;
6. enable the institution to measure, assess and monitor the contribution of individual transactions to their overall exposure;
7. be able to compute economic value measures;
8. be able to compute earnings-based measures for IRRBB, as well as other measures of IRRBB based on the interest rate shock and stress scenarios; and
9. incorporate constraints required by the Central Bank on internal risk parameter assumptions;
10. gather detailed information on repricing date of a given transaction, interest rate type or index, any options (including early repayment or redemption) and the fees relating to the exercise of these options. (3) Economic value measures referred to in paragraph (2) item 4) of this Article means measures of changes in the net present value of the interest rate sensitive instruments over their remaining life resulting from interest rate movements and which reflect the

changes in value over the remaining life of the interest rate sensitive instruments, i.e. until all positions have run off. (4) Earnings measures referred to in paragraph (2) item 5) of this Article means measures of changes in expected future profitability within a given time horizon resulting from interest rate movements. (5) A credit institution shall establish adequate organisational controls of IT systems to prevent the corruption of data used by IRRBB computer systems and applications and to control changes to the coding used in those applications, so as to ensure, in particular:

1. the reliability of data used as input, and the integrity of processing systems for IRRBB models;
2. that the likelihood of errors occurring in the IT system, including those occurring during data processing and aggregation, is minimised; and
3. that adequate measures are taken if market disruptions or slumps occur. (6) A credit institution shall implement appropriate processes that ensure that the data entered into the IT system is correct and establish appropriate mechanisms to verify the correctness of the aggregation process and the reliability of model results. (7) A credit institution shall identify potential reasons for discrepancies and irregularities that may arise at the time of data processing, and shall have procedures in place to handle those discrepancies and irregularities, including procedures for the mutual reconciliation of positions to enable these discrepancies and irregularities to be eliminated. (8) A parent credit institution in Montenegro shall set up appropriate processes to ensure that the inputs used to feed models measuring the IRRBB across the group is consistent with the data used for financial planning. Internal reporting Article 69 (1) A credit institution shall ensure that the internal risk reporting systems provide timely, accurate and comprehensive information about their exposures to IRRBB. (2) Internal reports shall be submitted to the management board and senior management at least on quarterly basis. (5)The reports referred to in paragraph (2) of this Article shall include in particular:
4. summaries of the aggregate IRRBB exposures, including information on exposures to gap, basis and option risk, including explanations of all significant positions in assets, liabilities, cash flows, and strategies that are driving the level and direction of IRRBB;
5. compliance with policies and limits;
6. key modelling assumptions, such as characteristics of non-maturity deposits (hereinafter: NMD), prepayments on fixed rate loans, early withdrawals of fixed

term deposits, drawing of commitments, currency aggregation and treatment of commercial margins; 4) details of the impact of key modelling assumptions on the measurement of IRRBB in terms of both economic value measures and earnings measures, including changes in assumptions under various interest rate scenarios; 5) details of the impact of interest rate derivatives on the measurement of IRRBB; in terms of both economic value measures and earnings measures; 6) details of the impact of fair value instruments, including Level 3 assets and liabilities, as defined in International Financial Reporting Standard 13 – Fair Value Measurement (IFRS 13), on the measurement of IRRBB in terms of both economic value measures and earnings measures; 7) results of stress tests as referred to in Article 74 of this Decision, the shocks as referred to in Article 73 of this Decision, the supervisor outlier test as referred in article 78 of this Decision and assessments of sensitivity to key assumptions and parameters; and 8) summaries of the reviews of IRRBB policies, procedures and adequacy of the measurement systems, including in particular any findings of internal and external auditors. (4) The reports referred to in paragraph (2) of this Article shall include also the results of the model reviews and auditors as well as comparisons of the past risk estimates with actual results to inform potential modelling shortcomings, such as:

1. assessment of modelled prepayment losses against historical realised losses; and

2. identification of portfolios that may be subject to significant mark-to-mark movements. Model governance for IRRBB Article 70 (1) A credit institution shall ensure that the validation of IRRBB measurement methods and the assessment of corresponding model risk are included in governance processes and policies independent from their development. (2) The validation policy should include:

3. persons and/or organisational units responsible for the development, validation, documentation, implementation and use of models; and

4. the model oversight responsibilities and policies, in particular for the development of initial and ongoing validation procedures, evaluation of results, approval, version, control, exception, escalation, modification and decommission processes. (6)The validation process should include:

5. evaluation of conceptual and methodological soundness, including developmental evidence;

6. ongoing model monitoring, including process verification and benchmarking;

7. outcomes analysis, including back-testing of key internal parameters (e.g. stability of deposits, loan prepayment rates, early redemptions of deposits, pricing of instruments); and

8. thorough assessment of any expert opinions and judgements used in internal models. (4) A credit institution may outsource the development and/or validation of models for IRRBB management. (5) A credit institution may use third-party IRRBB models to manage and control IRRBB provided that these models are adequately customised to properly reflect the specific characteristics of the credit institution and it shall ensure appropriate documentation on the use of third-party model. (6) A credit institution shall include model inputs or assumptions in the validation process and document and explain model specification choices as part of the validation process. IRRBB measurement Article 71 (1) A credit institution shall implement robust internal measurement systems that capture all components and sources of IRRBB which are relevant for the credit institution's business model. (2) A credit institution shall measure and monitor its exposure to IRRBB in terms of potential changes to both economic value and earnings, in particular:

9. the overall impact of key modelling assumptions on the measurement of IRRBB in terms of both economic value measures and earnings measures; and

10. the IRRBB of their banking book interest rate derivatives where relevant for the business model. (3) A credit institution may exclude from economic value measures commercial margins and other spread components, whereat it shall use:

11. a transparent methodology for identifying the risk-free rate at inception of each instrument; and

12. a methodology that is applied consistently across all interest rate sensitive instruments and all business units. (4) When calculating earnings measures, a credit institution shall include commercial margins. (5) A credit institution shall include non-performing exposures (net of provisions) as interest rate sensitive instruments reflecting expected cash flows and their timing.

(6) When measuring its exposure to IRRBB, a credit institution shall use its own assumptions and calculation methods, and it cannot rely on purely on the calculation and outcomes of the supervisory outlier tests as referred to in Article 78 of this Decision. (7) A credit institution shall fully integrate the supervisory outlier tests into the internal framework for the management of IRRBB and use them as complementary tools for measuring exposure to IRRBB. Methods for measuring IRRBB Article 72 (1) A credit institution shall identify and measure all components of IRRBB as referred to in Article 66 paragraph (2) of this Decision. (2) For measuring and monitoring of IRRBB, a credit institution shall use at least one earnings-based measure and at least one economic value measurement method that, in combination, capture all components of IRRBB. (3) Credit institutions with complex or sophisticated business models shall use multiple measurement methods. Interest rate shock scenarios for ongoing measurement Article 73 (1) A credit institution shall, at least quarterly, measure its exposure to IRRBB in terms of changes in economic value and earnings under various interest rate shock scenarios for potential changes in the level and shape of the interest rate yield curves, and to changes in the relationship between different interest rates (i.e. basis risk). (2) A credit institution shall carry out measurements referred to in paragraph (1) of this Article more frequently in times of increased interest rate volatility or increased IRRBB levels. (3) For the purpose of measurement referred to in paragraph (1) of this Article, a credit institution may, considering the proportionality principle, apply a conditional or unconditional cash flow modelling approach. (4) A credit institution shall assess exposures in each currency in which it has positions in instrument sensitive to interest rates, and for the material currency exposures, the interest rate shock scenarios should be currency-specific and consistent with the underlying economic characteristics. (5) When selecting interest rate shock scenarios, a credit institution shall consider the following:

1. interest rate shock scenarios should be commensurate with the nature, scale and complexity of the activities of the credit institution, as well as its risk profile, taking

into account sudden and gradual parallel and non-parallel shifts and changes in the yield curves, and these scenarios should be based on the historical movements and behaviour of interest rates, as well as simulations of future interest rates; 2) interest rate scenarios should reflect changes in the relationships between key market rates in order to address basis risk; 3) interest rate shock scenarios referred to in Article 52 paragraph (3) of this Decision and any additional interest rate shock scenarios required by the Central Bank. (6) A credit institution shall also consider negative interest rate scenarios and the possibility of asymmetrical effects of negative interest rates on their interest rate sensitive instruments. (7) A credit institution shall feed the results of shock scenarios into the decision-making at appropriate management levels, which includes the strategic or business decisions, the allocation of internal capital, and risk management decisions, as well as when establishing and reviewing the policies and limits for IRRBB. IRRBB interest rate stress scenarios Article 74 (1) A credit institution shall perform IRRBB stress testing at least annually and more frequently in times of increased interest rate volatility and increased IRRBB levels. (2) A credit institution shall perform reverse stress tests in order to:

1. identify interest rate scenarios that could severely threaten capital and earnings; and
2. reveal vulnerabilities arising from its hedging strategies and the potential behavioural reactions of its customers. (3) In testing vulnerabilities under stressed conditions, a credit institution shall use larger and more extreme shifts in yield curve and changes in interest rates than those used for the purpose of ongoing management, including at least the following:
3. substantial changes in the relationships between key market rates (basis risk);
4. sudden and substantial shifts in the yield curve (both parallel and non-parallel);
5. breakdowns of key assumptions about the behaviour of asset and liability items;
6. changes in key interest rate correlation assumptions;
7. significant changes to current market and macro conditions and to the competitive and economic environment, and their possible development; and
8. specific scenarios that relate to the individual business model and profile of the credit institution. (4) A credit institution shall feed the results of stress scenarios into the decision-making at the appropriate management level, which includes strategic or business decisions, the allocation of internal capital, and risk management decisions, and also when establishing and reviewing the policies and limits for the IRRBB.

Measurement assumptions Article 75 (1) When measuring IRRBB, a credit institution shall fully understand and document key behavioural and modelling assumptions, which should be aligned with business strategies and be at least annually. (2) A credit institution shall, in relation to both economic value and earnings-based measures of IRRBB, take into account assumptions made for the purpose of risk quantification in relation to at least the following areas:

1. the exercise of interest rate options (automatic or behavioural) by both the credit institution and its customer under specific interest shock and stress scenarios;

2. the treatment of balances and interest flows arising from NMDs;

3. the treatment of fixed term deposits with risk of early redemption;

4. the treatment of fixed rate loans and fixed rate loan commitments;

5. the treatment of equity in internal economic value measures;

6. the implications of accounting practices for the measurement of IRRBB, and in particular hedge-accounting effectiveness. (3) A credit institution shall review significant measurement assumptions at least annually, and more frequently during rapidly changing market conditions. Behavioural assumptions for customer’s accounts with embedded customer optionality Article 76 (1) In assessing the implications of optionality, a credit institution shall take into account:

7. the potential impact on current and future loan prepayment speeds arising from the interest rate scenario, underlying economic environment and contractual features and the various dimensions influencing the embedded behavioural options;

8. the elasticity of adjustment of product rates to changes in market interest rates.

9. the migration of balances between product types as a result of changes in their features, terms and conditions. (2) A credit institution shall make regular assessments of the key assumptions for the treatment of on- and off-balance sheet items that have embedded options in its interest rate risk framework, whereat it shall:

10. identify all material products and items subject to embedded options that could affect either the interest rate charged or the behavioural repricing date (as opposed to contractual maturity date) of the relevant balances;

11. have appropriate pricing and risk mitigation strategies (e.g. use of derivatives) to manage the impact of optionality within the risk appetite, which may include early redemption penalties chargeable to the customer as an offset to the potential break costs (where permitted);

12. ensure that modelling of key behavioural assumptions is justifiable in relation to the underlying historical data, and based on prudent hypotheses;

13. be able to demonstrate that they have accurate modelling (back-tested against experience);

14. maintain appropriate documentation of assumptions in their policies and procedures, and have a process for keeping them under review;

15. understand the sensitivity of the risk measurement outputs to these assumptions, including undertaking stress testing of the assumptions and taking the results of such tests into account in internal capital allocation decisions; and

16. perform regular internal validation of these assumptions to verify their stability over time and to adjust them if necessary. Behavioural assumptions for customer accounts without specific repricing dates Article 77 In making behavioural assumptions about accounts without specific repricing dates for the purposes of interest rate risk management, a credit institution shall:

17. be able to identify ‘core’ balances, i.e. deposits that are stable and unlikely to reprice even under significant changes in interest rate environment, and/or other deposits whose limited elasticity to interest rate changes could be modelled by banks;

18. enable that modelling assumptions for these deposits reflect depositor characteristics (e.g. retail/wholesale) and account characteristics (e.g. transactional/non-transactional), in the manner that:

• retail transactional deposits include non-interest-bearing and other retail accounts whose remuneration component is not relevant in the client’s decision to hold money in the account;
• retail non-transactional deposits include retail accounts (including regulated ones) whose remuneration component is relevant in the client’s decision to hold money in the account.
• wholesale deposits include accounts from corporate and other wholesale clients, excluding interbank accounts or other fully price-sensitive ones;

3. assess the potential migration between deposits without specific repricing dates and other deposits that could modify, under different interest rate scenarios, key behavioural modelling assumptions;

4. consider potential constraints on the repricing of retail deposits in low or negative interest rate environments;

5. ensure that assumptions about the decay of core and other modelled balances are prudent and appropriate in balancing the benefits to earnings against the additional economic value risk entailed in locking in a future interest rate return on the assets financed by these balances, and the potential forgone revenue under a rising interest rate environment.

6. not exclusively rely on statistical or quantitative methods to determine the behavioural repricing dates and the cash flow profile of NMDs;

7. have appropriate documentation of these assumptions in their policies and procedures, and a process for keeping them under review.

8. understand the impact of the assumptions on its own chosen risk measurement outputs and internal capital allocation decisions, including by periodically calculating sensitivity analyses on key parameters (e.g. percentage and maturity of core balances on accounts and pass-through rate) and the measures using contractual terms rather than behavioural assumptions to isolate the impact of assumptions on both economic value and earnings.

9. undertake stress testing to understand the sensitivity of the chosen risk measures to changes in key assumptions, taking the results of such tests into account in internal capital allocation decisions. Supervisory outlier test Article 78 (1) A credit institution shall regularly, at least quarterly, calculate the impact on their economic value of equity (EVE) of a sudden parallel +/-200 basis points shift of the yield curve. (2) Economic value of equity (EVE) measures means a specific form of EV measures where equity is excluded from the cash flows. (3) A credit institution shall calculate regularly, at least quarterly, applying the scenarios established by the Central Bank, the impact on its EVE of the following interest rate shocks:

10. parallel shock up;

11. parallel shock down;

12. steepener shock (short rates down and long rates up);

13. flattener shock (short rates up and long rates down);

14. short rates shock up; and

15. (short rates shock down. (4) The reporting on the supervisory outlier test shall be performed in accordance with the decision governing the reporting to the Central Bank. VII. MANAGING OTHER RISKS Securitisation and residual risks and other risks Article 79 (1) In addition to the requirements specified in Articles 107 and 110 of the Law, the provisions of Articles 4, 5, 6, 8 and 9 of this Decision shall apply mutatis mutandis on the securitisation and residual risks as well as all other risks arising from operations.

(2) Policies and procedures for managing residual risk the credit institution adopts in accordance with the Law may be incorporated in the credit institution's policy of credit risk management. VIII. FINAL PROVISIONS Repealed regulations Article 80 As from the commencement date of the application of this Decision, the Decision on Minimum Standards for Credit Risk Management in Banks (OGM 22/12, 55/12, 57/13, 44/17, 82/17, 86/18, 42/19), Decision on Minimum Standards for Market Risk Management in Banks (OGM 60/08), Decision on Minimum Standards for Operational Risk Management in Banks (OGM 24/09), Decision on minimum standards for interest rate risk management not originating from bank's trading activities (OGM 60/08), and Decision on Methodology for Country Risk Measurement in Banks (OGM 60/08, 51/13) shall be repealed. (2) As from the commencement date of the application of this Decision, the Decision on Minimum Standards for Risk Management in Credit Institutions (OGM 128/20) shall also be repealed. Entry into force and application Article 81 (1) This Decision shall enter into force on the day following that of its publication in the Official Gazette of Montenegro, and it shall apply from the date of application of the Law on Credit Institutions (OGM 72/19, 8/21). (2) By way of derogation from paragraph (1) of this Article, the provision of Article 78 of this Decision shall apply from 1 January 2023. THE COUNCIL OF THE CENTRAL BANK OF MONTENEGRO CHAIRMAN Decision number: 0101-8692-3/2021 G O V E R N O R, Podgorica, 22 December 2021 Radoje Žugić, m.p.

ANNEX 1 GUIDELINES ON MANAGEMENT OF NON-PERFORMING AND FORBORNE EXPOSURES I. SUBJECT MATTER, SCOPE AND DEFINITIONS

1. These guidelines specify sound risk management practices for credit institutions for managing non-performing exposures (NPLs), forborne exposures (FBEs) and foreclosed assets.
2. A credit institution with a gross NPL ratio equal to or greater than 5% on consolidated, sub- consolidated or solo level should apply chapters II and III of these guidelines to the entities that have NPL ratios exceeding the set threshold.
3. Where a credit institution has a gross NPL ratio below the 5% level but has a high share or material amount of NPLs in an individual portfolio or individual portfolios with a specific concentration of NPLs in a geographical region, an economic sector or a group of connected clients, it shall apply chapters II and III at the level of these portfolios.
4. Where signs of deteriorating assets quality has been determined, a credit institution whose gross NPL ratio is below the threshold specified in item 2 of these guidelines shall apply provisions of these guidelines. For the purposes of identifying whether the deterioration of asset quality has been occurred, a credit institution shall consider the following elements and their interaction: a) increased inflows of NPLs; b) a high or increased level of FBEs; c) a high or increased level of foreclosed assets; d) low coverage ratios; e) breached early warning indicators; f) an elevated Texas ratio; g) the quality and appropriateness of workout activity.
5. A credit institution shall apply these guidelines in the manner that is appropriate to its size and internal organisation, and the nature, scope and complexity of its activities.
6. Terms and definitions applied in this guidelines shall have the following meaning:

1. Cure period – a 12-month period since the date defined in Article 36 paragraph (2) of the Decision on the criteria and the manner of classification

of assets and calculation of provisions for potential loan losses of a credit institution; 2) EBITDA - earnings before interest, taxes, depreciation and amortisation; 3) Forbearance measures - concessions by a credit institution towards an obligor that is experiencing or is likely to experience difficulties in meeting its financial commitments. A concession may entail a loss for the lender and shall refer to either of the following actions:

• a modification of the terms and conditions of a debt obligation, where such modification would not have been granted had the obligor not experienced difficulties in meeting its financial commitments;
• a total or partial refinancing of a debt obligation, where such refinancing would not have been granted had the obligor not experienced difficulties in meeting its financial commitments;

4. Forborne exposures - exposures in respect to which forbearance measures have been applied;
5. Foreclosed assets - assets obtained by taking possession of collateral and which remain recognised on the balance sheet. Foreclosed assets can be obtained through judicial procedures, through bilateral agreement with the borrower or through other types of collateral transfer from the borrower to the credit institution. Foreclosed assets may include financial and non-financial assets and should include all collateral obtained irrespective of accounting classification;
6. Immovable property - immovable property as defined in Article 228 of the Decision on Capital Adequacy;
7. Liquidation cost - liquidation costs are defined as the cash outflows incurred during collateral execution and the sales process and include:

• all applicable legal costs;
• selling costs, taxes and other expenses;
• any additional maintenance costs to be incurred by the credit institution in relation to the repossession and disposal of the collateral;
• any cash inflows up to the date of liquidation;

8. Movable property - movable property as defined in Article 230 of the Decision on Capital Adequacy;
9. NPL ratio (NPL %) - the gross NPLs and advances divided by the gross total loans and advances; 10)NPL framework - policies, processes, controls and systems for risk management of NPLs; 11)Portfolio - a group of exposures with similar credit risk characteristics; 12)Probation period - one year period after the expiry of cure period after the forbearance measures were extended; 13)Risk appetite framework - the overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the risk appetite framework. It should consider material risks to the credit institution, as well as to its reputation with

depositors, investors and customers. Risk appetite framework aligns with the bank’s strategy; 14)Texas ratio - Texas ratio: a ratio comparing the stock of NPLs with a credit institution’s equity. NPLs (gross carrying amount) over equity and accumulated impairments. II. NPL STRATEGY 7. A credit institution shall have in place an adequate framework to identify, measure, manage, monitor and mitigate NPLs, including through workout activities. 8. In the development and implementation of its NPL strategy a credit institution shall take into account relevant consumer protection considerations and requirements, and ensure fair treatment of consumers. 2.1. Developing NPL strategy 9. A credit institution should establish an NPL strategy to target a time-bound reduction of NPLs over a realistic but sufficiently ambitious time horizon (NPL reduction targets). 10. The NPL strategy should lay out the credit institution’s approach and objectives regarding effective management to maximise recoveries and ultimately a reduction in NPL stocks in a clear, credible and feasible manner for each relevant portfolio. 11. When developing and implementing the NPL strategy for retail portfolios, a credit institution should consider provisions aimed at protecting consumers. 12. The following steps should form the core building blocks of the development and implementation of the NPL strategy:

1. assessment of the operating environment and external conditions (see chapter 2.2 of these Guidelines);
2. development of the NPL strategy over short-, medium- and long-term time horizons (see chapter 2.3 of these Guidelines);
3. implementation of the operational plan (see chapter 2.4 of these Guidelines);
4. fully embedding the NPL strategy into the management processes of the credit institution, including regular review and independent monitoring (see chapter 2.5 of these Guidelines).

13. When a credit institution develops its NPL strategy, it should also consider policies that aim to ensure the fair treatment of borrowers.

2.2. Assessing the operating environment 14. In the formulation and execution of an appropriate NPL strategy, a credit institution shall complete an assessment of the following elements:

1. internal capabilities to effectively manage and reduce NPLs;
2. external conditions and operating environment;
3. the capital implications of the NPL strategy. 2.2.1 Internal capabilities/self-assessment

15. A credit institution should perform a comprehensive self-assessment to evaluate the actual situation and the procedures to be taken internally to address any gaps in the internal capabilities to manage NPLs.
16. A credit institution shall fully understand and assess:

1. the magnitude and drivers of their NPLs:

• the size and evolution of NPL portfolios at an appropriate level of granularity, which requires an appropriate grouping of the exposures, as outlined in part 3.2.3 of these Guidelines;
• the drivers of NPL inflows and outflows, by portfolio where relevant;
• other potential correlations and causations.

2. the outcomes of NPL actions taken by the credit institution in the past:

• the types and nature of actions implemented, including forbearance activities;
• the effectiveness of those activities and related drivers.

3. their operational capacities (processes, tools, data quality, IT/automation, employees/expertise, decision-making, internal policies and any other relevant area for the implementation of the strategy) in relation to the various procedures involved in the process, including but not limited to:

• early identification of NPLs;
• forbearance activities;
• impairments and write-offs;
• collateral valuations;
• recovery, legal process and foreclosure;
• management of foreclosed assets, where relevant;
• reporting and monitoring of NPLs and of the effectiveness of NPL workout solutions.

17. A credit institution shall perform a comprehensive self-assessment covering at least the items listed in item 16 of these guidelines on an annual basis to determine strengths, significant gaps and areas of improvement required to reach NPL reduction targets.
18. A credit institution should consider seeking expert views on their operational capabilities to manage NPLs from the credit institution’s risk management and control functions or from external sources on a periodic basis.

2.2.2 External conditions and operating environment 19. A credit institution should assess and consider the current and likely future external operating conditions and environment when establishing the NPL strategy and associated NPL reduction targets. 20. The following list of external factors, where appropriate, should be taken into account by credit institutions when setting the NPL strategy:

1. the macroeconomic conditions, including the dynamics of the real estate market or other relevant sectors, taking into account sector concentrations in NPL portfolios;
2. market expectations with regard to acceptable NPL levels and coverage, including but not limited to:

• the views of rating agencies and market analysts;
• and available research; and
• the interests of borrowers.

3. NPL investor demand, including trends in and the dynamics of the domestic and international NPL markets for portfolio sales;
4. the maturity of the NPL servicing industry and the availability and coverage of specialised services;
5. the regulatory, legal and judicial framework. A credit institution should have a good understanding of the legal proceedings related to NPL workout for different types of assets and different jurisdictions. In particular, a credit institution should assess the average duration of such proceedings, the average financial outcomes, the rankings of different types of exposures and related implications for outcomes, the influence of the types and rankings of collateral and guarantees on the outcomes, the impact of consumer protection issues on legal decisions, and the average total costs associated with legal proceedings. Legal provisions aimed at protecting consumers, in particular for residential mortgage exposures, should also be considered by the credit institution when setting the NPL strategy;
6. the national tax implications of impairments and NPL write-offs. 2.2.3 Capital implications of the NPL strategy

21. A credit institution should be able to calculate a detailed assessment of the impact of the planned strategy from capital, risk exposure amount, profit or loss, and impairment perspectives for each of the reduction drivers, and they should assess whether the bank has identified a strategic process to resolve any shortfalls under different economic scenarios. The assessment criteria, underlying assumptions and implications should be aligned with the risk appetite framework as well as with the internal capital adequacy assessment process (ICAAP).

22. A credit institution should include suitable actions in their capital planning to ensure that the level of available capital will enable a sustainable reduction of NPLs on the balance sheet. 2.3 Development of the NPL strategy

23. The NPL strategy should encompass, at a minimum, time-bound quantitative NPL targets and foreclosed assets targets, supported, where appropriate, by a corresponding comprehensive operational plan.

24. The development of the NPL strategy should be informed by a self-assessment process and an analysis of the strategic options for the implementation of the NPL strategy.

25. The NPL strategy and operational plan should be defined and approved by the management body and reviewed at least annually. 2.3.1 Strategy implementation options

26. A credit institution should consider including a combination of strategies and options in the NPL strategy to achieve their objectives over the short, medium and long term.

27. In order to successfully operationalise the NPL strategy, a credit institution should consider at least the following non-mutually exclusive implementation options for different portfolios and under different conditions:

1. Hold/forbearance strategy: suitable workout strategy and forbearance options. The hold strategy option is strongly linked to the credit institution’s operating model, forbearance and borrower assessment expertise, operational NPL management capabilities, outsourcing of servicing and write-off policies;
2. Active portfolio reductions: sales, securitisation or, in the case of NPLs that are deemed unrecoverable, write-offs. This option is strongly linked to adequacy of impairments, collateral valuations, quality of exposure data and investors’ demand for NPLs;
3. Change of type of exposure or collateral, including foreclosure, debt to equity swapping, debt to asset swapping or collateral substitution;
4. Legal options: including insolvency proceedings or out-of-court solutions.

28. A credit institution should identify medium- and long-term strategy options for NPL reductions that may not be achievable immediately, for example due to a lack of immediate NPL investor demand, which might change in the medium to long term. The operational plan may therefore need to allow for such changes and require preparations for them, for example by enhancing the quality of NPL data in order to be ready for future investor transactions.

29. When a credit institution concludes that none of the above options will lead to a sufficient NPL reduction in the medium to long term for certain portfolios or individual exposures, this should be clearly reflected in a timely impairment and write-off approach.

30. A credit institution aiming to engage in complex processes, such as NPL risk transfer and securitisation transactions, should conduct robust risk analysis and have adequate risk control processes in place. 2.3.2 Targets

31. Before commencing the short- to medium-term target-setting process, a credit institution should establish a view of reasonable long-term NPL levels, both at portfolio level and at aggregate level. A credit institution should take into account historic or international benchmarks in order to define reasonable long-term NPL levels.

32. A credit institution should include, at a minimum, clearly defined realistic yet ambitious quantitative targets in their NPL strategy, including for foreclosed assets, where relevant. These targets should lead to a concrete reduction, gross and net of impairments, in NPLs, at least in the medium term. While expectations about changes in macroeconomic conditions, when based on solid external forecasts, can play a role in determining target levels, they should not be the sole driver of the NPL reduction targets established.

33. A credit institution should establish targets as followings:

1. by time horizons (short-term (indicative one year), medium-term (indicative three years) and possibly long-term);
2. by main portfolios (e.g. retail mortgage, retail consumer, retail, small and medium-sized enterprises (SMEs), corporate, large corporate, commercial real estate);
3. by implementation options (e.g. cash recoveries from a hold strategy, collateral repossessions, recoveries from legal proceedings, revenues from sales of NPLs or write- offs).

34. The NPL targets for credit institutions should at a minimum include a projected absolute or relative NPL reduction, both gross and net of impairments, not only on an overall basis but also for the main NPL portfolios. Where foreclosed assets are material, a foreclosed assets strategy should be defined or, at least, foreclosed assets reduction targets should be included in the NPL strategy.
35. The NPL targets should be aligned with the more granular operational targets. Further monitoring indicators can be implemented as additional targets, if deemed appropriate.

2.3.3 Operational plan 36. A credit institution should align the NPL objectives with more specific operational objectives and it may, if deemed appropriate, introduce additional indicators as additional objectives. 37. The NPL strategy of the credit institution should be supported by an operational plan, which should be defined, approved and reviewed by the management body. 38. The operational plan should clearly define how the credit institution will operationally implement its NPL strategy over a time horizon of at least one to three years (depending on the type of operational measures required). 39. The NPL operational plan should contain at least:

1. clear time-bound objectives and goals;
2. activities to be carried out on a portfolio basis;
3. governance arrangements and structures, including responsibilities and reporting mechanisms for activities and outcomes;
4. quality standards to ensure successful outcomes;
5. employee and resource requirements;
6. required technical infrastructure and an enhancement plan;
7. granular and consolidated budget requirements for the implementation of the NPL strategy;
8. plans for communication with internal and external stakeholders (e.g. with regard to sales, servicing, efficiency initiatives).

40. The operational plan should have a specific focus on internal factors that could present impediments to the successful delivery of the NPL strategy. 2.4 Implementing the operational plan
41. The implementation of the NPL strategy operational plan should rely on suitable policies and procedures, clear ownership and appropriate governance structures, including escalation procedures, and the operational plan should incorporate wide￾ranging change management measures in order to embed the NPL workout framework as a key element in the corporate culture. 2.5 Embedding the NPL strategy
42. A credit institution should embed the NPL strategy in processes at all levels of the organisation, including strategic and operational levels.
43. A credit institution should emphasise to all relevant employees the key components of the NPL strategy in line with the approach taken to the credit institution’s overall

strategy and in particular the risk management strategy. This is especially important if the implementation of the NPL strategy will involve wide-ranging changes to business procedures. 44. A credit institution should provide clearly define and document the roles, responsibilities and formal reporting lines for the implementation of the NPL strategy and operational plan. 45. A credit institution should provide employees and management involved in NPL workout activities with clear individual (or team) goals and incentives geared towards reaching the targets agreed in the NPL strategy and operational plan. Related remuneration policies, career development objectives and performance monitoring frameworks should take the NPL targets into account in order to ensure the full engagement of employees and management with NPL reduction and should also have regard to the fair treatment of consumers. The incentive scheme for employees and managers in the loan origination/business units should also take into account the feedback from the workout activities and the quality of the credit institution’s exposures in order to disincentivise excessive risk taking. 46. All relevant components of the NPL strategy should be fully aligned with and integrated into the business plan and budget of the credit institution, including all the relevant costs associated with the implementation of the operational plan, and also potential losses stemming from NPL workout activities. 47. The NPL strategy should be fully embedded in the risk management framework. In that context, special attention should be paid to:

1. internal capital adequacy assessment process (ICAAP): all relevant components of the NPL strategy should be fully aligned with and integrated into the ICAAP. A credit institution should prepare quantitative and qualitative assessments of NPL developments under base and stressed conditions including the impact on capital planning.
2. risk aversion framework (RAF): RAF and NPL strategies are closely interlinked. In this regard, there should be clearly defined RAF metrics and limits, approved by the management body, that are in alignment with the core elements and targets forming part of the NPL strategy.
3. Recovery plan: where NPL-related indicator levels and actions form part of the recovery plan, A credit institution should ensure that they are in alignment with the NPL strategy targets and operational plan.

48. A credit institution should ensure a high level of monitoring and oversight by the risk management functions in respect of the formulation and implementation of the NPL strategy and operational plan.

III. NPL GOVERNANCE AND OPERATIONS 49. In order for credit institution to be able to address its NPL issues in an efficient and sustainable manner, an appropriate governance structure and operational set-up should be in place. 50. In the implementation of its NPL governance and operations, a credit institution should take into account relevant consumer protection considerations and requirements, and ensure fair treatment of consumers. 3.1 Steering and decision-making 51. The overarching strategy of a credit institution and its implementation should cover the NPL strategy and operational plan, which should therefore be set, approved and reviewed by the management body. In particular, the management body should:

1. approve annually and regularly review the NPL strategy and operational plan in line with the overall risk strategy;
2. oversee the implementation of the NPL strategy;
3. define quantitative and qualitative management objectives and incentives for NPL workout activities;
4. monitor on a quarterly basis progress made in comparison with the targets defined in the NPL strategy and operational plan;
5. define adequate approval processes for NPL workout decisions (for large NPLs, these should involve the approval of the management body);
6. approve NPL-related policies (including those listed in Part D of these guidelines) and processes, review them at least annually and proceed with any necessary amendments, ensuring that the policies and processes are completely understood by the employees;
7. ensure sufficient internal controls on NPL management processes, with a special focus on activities linked to NPL classifications, impairments, write-offs, collateral valuations and the sustainability of forbearance solutions;
8. have sufficient knowledge, experience and expertise with regard to the management of NPLs.

52. A credit institution should establish and document clearly defined, efficient and consistent decision-making procedures, with adequate second line of defence involvement at all times. 3.2 NPL operating model 3.2.1 NPL workout units
53. A credit institution should establish dedicated NPL workout units (NPL WUs) that are independent from loan origination activities. This separation of duties approach should encompass not only client relationship activities (e.g. negotiation of

forbearance solutions with clients) but also the decision-making process. In this context, credit institution should consider implementing dedicated decision- making bodies related to NPL workout (e.g. an NPL committee). 54. Where overlaps with the decision-making bodies, managers or experts involved in the loan origination process are unavoidable, the institutional framework and internal controls should ensure that any potential conflicts of interest are sufficiently mitigated. 55. A credit institution should have arrangements in place to ensure that regular feedback between loan origination units and NPL WUs is established. 56. When designing an appropriate NPL WU structure, a credit institution should take into account the specificities of their main NPL portfolios, including the type of exposure (retail, SME, corporate) and the type of collateral. 57. A credit institution should consider designing automated processes for NPL WUs for homogeneous retail NPL portfolios. For corporate NPL portfolios, where relevant, and depending on the sectoral concentration of the NPLs, A credit institution should consider a relationship management approach with sectoral specialisation of NPL WU employees. For sole traders and micro-enterprises, a combination of automated elements and a relationship management approach should be considered. 58. Smaller and less complex credit institution may have in place dedicated workout functions proportionate to their size, nature, complexity and risk profile and should ensure that the design of such functions prevents and eliminates conflict of interest in the management of NPLs. 59. For proportionality purposes, smaller and less complex credit institution, as an alternative to establishing dedicated decision-making bodies related to NPL workout, may cover the necessary requirements in their existing credit or risk committees, as long as conflicts of interest are sufficiently mitigated. 3.2.2 Alignment with the NPL life cycle 60. NPL WUs should be set up to ensure that NPL workout activities and borrower engagements are tailored to the phases of the NPL life cycle.1 61. A credit institution should set up different NPL WUs for the different phases of the NPL life cycle and also for different portfolios, if appropriate. All applicable workout stages should receive adequate focus and should be equipped with sufficiently specialised employees.

1 This also encompasses assets not classified as non-performing exposures – such as early arrears (≤ 90 days), forborne exposures and foreclosed assets – that play an essential role in the NPL workout process.

62. A credit institution should consider the following phases in the NPL life cycle, taking into account also the specificities of the products and the nature of the arrears:

1. Early arrears (up to 90 days past due)2 : during this phase, the focus should be on initial engagement with the borrower for early recoveries and on collecting information to enable a detailed assessment of the borrower’s circumstances (e.g. financial position, status of loan documentation, status of collateral, level of cooperation, etc.). The type of exposure and collateral should ultimately determine the most suitable workout strategy, which may involve forbearance measures with a short-term time horizon, to be applied when necessary (including during this initial period, where appropriate), with the aim of stabilising the financial position of the borrower before establishing a suitable workout strategy. In addition, the credit institution should, where appropriate, seek options to improve its position while taking into account the rights and interests of consumers (e.g. by signing new loan documents, perfecting outstanding collateral, minimising cash leakage, taking additional collateral if available). A dedicated arrears management policy should contain guidance on the overall NPL workout procedures and responsibilities, including handover triggers.
2. Late arrears over 90 days past due / forbearance: a credit institution should implement and formalise forbearance arrangements with borrowers in this phase. Forbearance arrangements should be put into place only where the credit institution is satisfied that the borrower can afford to make the repayments. A forbearance arrangement should be monitored for at least one year, given the increased risk, before it can eventually be transferred out of the NPL WUs if no further NPL triggers are observed.
3. Liquidation / debt recovery / legal cases / foreclosure: if no viable forbearance solution has been found due to the borrower’s financial circumstances or cooperation level, a credit institution should perform a cost–benefit analysis of different liquidation options, including in-court and out-of-court procedures, having regard also to the interests of the borrower. Based on this analysis, a credit institution should speedily proceed with the chosen liquidation option, supported by legal and business liquidation expertise. A credit institution that is engaged in extensive use of external experts should ensure that sufficient internal control mechanisms are in place to ensure an effective and efficient liquidation process. NPLs that have been categories as such for a long period of time should be given special attention in this regard. A dedicated debt recovery policy should contain guidance on liquidation procedures.

63. Managing foreclosed assets (or other assets stemming from NPLs): collateral repossession generally commences after other attempts by the credit institution to collect the outstanding amounts have failed. The credit institution should have a policy in place that describes the recovery process for foreclosed assets, covering in particular the procedures of repossession, valuation of the collateral and realisation of various types of collateral through appropriate means.

2 Unlikely to pay exposures could be part of either early arrears or NPL WUs, depending on their complexity.

3.2.3 Grouping exposures 64. A credit institution shall group exposures based on identified shared credit risk characteristics. Homogeneous portfolios should be built up in order to tailor treatments specifically to NPLs. A credit institution should consider designing customised processes for each portfolio, with a dedicated expert team taking ownership of each. NPL portfolios should be analysed with a high degree of granularity, resulting in clearly defined borrower sub-portfolios. For these analyses, a credit institution should develop appropriate management information systems and sufficiently high data quality. 65. A list of potential selection criteria for grouping retail NPLs into portfolios is contained in Part A of these guidelines. 66. For corporate NPL portfolios, grouping by asset class or sector (e.g. commercial real estate, land and development, shipping, trading businesses) should be considered a key driver for NPL WU specialisation. These portfolios should then be further divided in line with the NPL strategy and the level of financial difficulty to ensure that workout activities are sufficiently focused. 3.2.4 Human resources 67. A credit institution should have in place an appropriate organisational structure relative to their business model and taking into account their risks, including risks stemming from NPLs. A credit institution therefore should devote an appropriate and proportionate amount of management attention and resources to the workout of NPLs and to internal controls on related processes. 68. Based on the findings of the credit institution’s NPL self-assessment on capabilities, as referred to in part 2.2.1 of these Guidelines, a credit institution should regularly review the adequacy of their internal and external NPL workout resources and address any human resourcing gaps in a timely fashion. 69. As workout activities may place significant demands on resources, a credit institution should consider if it is appropriate to choose to use fixed-term contracts, internal/external outsourcing or joint ventures for NPL workout activities. However, the final responsibility for these activities remains with the credit institution. In the event that outsourcing is used, a credit institution should ensure that such outsourcing is arranged in accordance with the applicable legislation or regulatory requirements. 70. In case of outsourcing NPL workout activities, a credit institution shall act in line with the regulations governing outsourcing.

71. A credit institution should build up the relevant expertise required for the defined NPL operating model, including the NPL WUs and internal control functions.
72. Employees allocated to key NPL workout tasks should have specific NPL expertise and experience.
73. A credit institution should implement adequate and dedicated NPL training, including on consumer protection, and should design employee development plans to build in-house expertise using available talent.
74. Where it is not possible or efficient to build in-house expertise and infrastructure, the NPL WUs should have easy access to qualified independent external resources (e.g. property appraisers, legal advisors, business planners, industry experts) or to dedicated NPL servicing companies.
75. A credit institution, in alignment with the overall NPL strategy and operational plan, should implement an appraisal system tailored to the requirements of the NPL WUs. The appraisal system should be mainly linked to the quantitative elements of the credit institution’s NPL targets but may also include qualitative elements (level of technical abilities relating to the analysis of financial information and data received, structuring of proposals, quality of recommendations or monitoring of restructured cases, as well as effective negotiation skills). The performance of the NPL WU employees should be regularly monitored and measured against these targets either on an individual basis or at team level, as appropriate.
76. The performance measurement framework for the management body and relevant managers should include specific indicators linked to the targets defined in the credit institution’s NPL strategy and operational plan. The weights given to these indicators within the overall performance measurement framework should be proportionate to the severity of the NPL issues faced by the credit institution.
77. Addressing early warnings signals and indicators should be encouraged by a credit institution through the remuneration policy and incentives framework in order to ensure that pre- arrears are efficiently addressed and NPL inflows thus effectively reduced. 3.2.5 Technical resources
78. In terms of adequate technical infrastructure, a credit institution should ensure that all NPL- related data are centrally stored in robust and secure IT systems and that they are complete and up to date throughout the NPL workout process.
79. An adequate technical infrastructure should enable NPL WUs to:

1. Access all relevant data and documentation, including:

• current NPL and early arrears (≤ 90 days) borrower information, including automated notifications;
• exposure, collateral and guarantee information linked to the borrower or connected clients;
• monitoring tools with the IT capabilities to track forbearance performance and effectiveness;
• status of workout activities and borrower interaction, as well as details on forbearance measures agreed;
• foreclosed assets, where relevant;
• tracked cash flow of the loan and collateral;
• sources of underlying information and complete underlying documentation;
• where relevant, access to central credit registers, land registers and other external data sources.

2. Efficiently process and monitor NPL workout activities, including:

• automated workflows throughout the entire NPL life cycle;
• an automated monitoring process for loan status, ensuring correct flagging of NPLs and forborne exposures;
• incorporated warning signals;
• automated quantitative reporting throughout the NPL workout life cycle as a basis for the analyses to be provided to NPL WU management, the management body and other relevant managers, as well as the Central Bank;
• performance analyses of workout activities by NPL WUs, sub-teams and experts (e.g. cure/success rate, rollover information, effectiveness of restructuring options offered, cash collection rate, vintage analyses of cure rates, promises kept rate at call centre, etc.);
• evolution monitoring of portfolios, sub-portfolios, cohorts and individual borrowers.

3. Define, analyse and measure NPLs and related borrowers:

• recognise NPLs and measure impairments;
• perform suitable NPL portfolio analyses and store outcomes for each borrower;
• support the assessment of the borrower’s personal data, financial position and repayment ability, at least for non-complex borrowers;
• conduct calculations of (i) the net present value and (ii) the impact on the capital position of the credit institution for each restructuring option and/or any likely restructuring plan under any relevant legislation (e.g. foreclosure law, insolvency law) for each borrower.

80. The adequacy of the technical infrastructure, including data quality, should be assessed by an independent internal or external audit function on a regular basis.

3.3 Control framework 81. The management body should be responsible for establishing and monitoring the adequacy and effectiveness of the internal control framework. In particular, effective and efficient internal control processes should be implemented for the NPL workout framework in order to ensure full alignment between the NPL strategy and operational plan on the one hand and the credit institution’s overall business strategy, including the NPL strategy and operational plan, and risk appetite on the other hand. 82. Internal control functions should regularly review written reports on NPL management highlighting major identified deficiencies, and for each new identified major deficiency, the relevant risks involved, an impact assessment, recommendations and corrective measures to be taken. 83. The heads of internal control functions should regularly report to the management body to raise concerns and warn, where appropriate, when specific developments affect or may affect the credit institution. 84. The management body should follow up on the findings of the internal control functions in a timely and effective manner and require adequate remedial actions, whereat a formal follow-up procedure on findings and corrective measures taken should be put in place. 85. The internal control framework should involve all three lines of defence. The roles of the different functions involved should be assigned and documented clearly to avoid gaps or overlaps. Key outcomes of second- and third-line activities as well as defined mitigating actions and progress on those needs should be reported to the management body regularly. 86. In the implementation of the control framework, larger and more complex credit institutions should apply all three lines of defence; the second line of defence does not have to be NPL specific and may be performed by the credit risk (control) function. 87. In the implementation of the control framework, smaller and less complex credit institutions do not necessarily have to have three fully fledged NPL-specific lines of defence, but they have to ensure that any conflict of interest is sufficiently mitigated. 3.3.1 First line of defence controls 88. A credit institution should ensure that the first line of defence is embedded into the procedures and processes of the operational units, mainly the NPL WUs that actually own and manage the credit institution’s risks in the specific context of NPL workout.

89. In order to ensure that adequate control mechanisms are implemented, a credit institution should have internal policies in place on the NPL workout framework. The managers of the operational units are responsible for ensuring that these internal policies are implemented, including through their incorporation into IT procedures. Part D of these guidelines sets out key elements of NPL framework-related policies that should be implemented in credit institutions. 3.3.2 Second line of defence controls
90. Second line of defence functions should perform controls on a continuous basis to check that NPL management in the first line of defence is operating as intended. To adequately perform their control tasks, second-line functions require a strong degree of independence from functions performing business activities, including the NPL WUs, and should have sufficient resources. They should have an adequate number of qualified employees. The qualifications of employees should be reassessed on an ongoing basis, and employees should receive training as necessary.
91. The second line of defence controls the implementation of risk management measures by the NPL WUs and should have a special focus on:

1. monitoring and measuring of NPL-related risks on a granular and aggregate basis, including in relation to internal/regulatory capital adequacy;
2. reviewing the performance of the overall NPL operating model, as well as its elements (e.g. NPL WU management/employees, outsourcing/servicing arrangements, NPL reduction targets and early warning mechanisms);
3. assuring quality across NPL loan processing, monitoring/reporting (internal and external), forbearance, impairments, write-offs, collateral valuation and NPL reporting (in order to fulfil this role, second-line functions should have sufficient power to intervene ex ante on the implementation of individual workout solutions);
4. reviewing the alignment of NPL-related processes with internal policy and public guidance, most notably related to NPL classification, provisioning, write-offs, collateral valuations, forbearance and early warning mechanisms.

92. Risk control function should also provide guidance on the process of designing and reviewing NPL-related policies and procedures and on the controls being established across NPL WUs. 3.3.3 Third line of defence controls
93. The third line of defence, the independent internal audit function, should have sufficient NPL workout expertise to perform its periodic control activities on the

efficiency and effectiveness of the NPL framework, including the first- and second￾line controls. 94. With regard to the NPL framework, the internal audit function should, at least, perform regular assessments to monitor adherence to internal NPL-related policies (see Part D of these guidelines) and to this guidance, which should also include random and unannounced inspections and credit file reviews. 95. In determining the frequency, scope and scale of the controls to be carried out, a credit institution should take into account the level of NPLs and whether significant irregularities and weaknesses have been identified by recent audits. 96. Based on the results of its controls, the internal audit function should make recommendations to the management body, bringing possible improvements to their attention. 3.4 Monitoring of NPLs and NPL workout activities 97. The monitoring systems should be based on the NPL targets approved in the NPL strategy and related operational plan, which are subsequently cascaded down to the operational targets of the NPL WUs, with feedback loops to pricing of credit risk and provisioning. A related framework of NPL-related key performance indicators (KPIs) should be developed to allow the management body and other relevant managers to measure progress. 98. A credit institution should define and monitor NPL-related KPIs. The NPL-related KPIs, should include, but not necessarily be limited to (see also Part B of these guidelines):

1. NPL metrics;
2. borrower engagement and cash collection;
3. forbearance activities;
4. liquidation activities;
5. other (e.g. NPL-related profit and loss items, foreclosed assets, outsourcing activities). 3.4.1 NPL metrics

99. A credit institution should closely monitor the relative and absolute levels of NPLs and FBEs, as well as foreclosed assets (or other assets stemming from NPL activities) and early arrears less than 90 days, in their books.
100. A credit institution should carry out such monitoring activities at transaction/borrower level, and portfolio or sub-portfolio levels, as appropriate, considering aspects such

as business line, borrower segment, geographical area, products, concentration risk, level of collateralisation and type of collateral provided, and debt-service ability. 101. A credit institution should monitor the level of impairments of NPLs in order to provide the management body with comprehensive information on coverage. The analysis should include data on the aggregate level as well as the levels for different NPL portfolios. The selection of NPL portfolios should consider aspects such as type of exposure, including secured/unsecured, type of collateral and guarantees, geographical area, number of years since NPL classification, time to recovery, and the use of the going and gone concern approach. Coverage movements should also be monitored and reductions clearly explained. 102. A credit institution should benchmark indicators related to the NPL ratio and coverage against the available indicators of peers in order to provide the management body with a clear picture of the competitive position and potential shortcomings. 103. A credit institution should monitor their deviations from the budget, in order for the management body to understand the drivers of significant deviations from the plan. 104. Key figures on NPL inflows and outflows should be included in periodic reporting to the management body, including transfers from/to NPLs, non-performing FBEs, NPLs under probation, performing FBEs and early arrears (≤ 90 days past due). 105. A credit institution should consider if it would be useful to establish migration matrices to track the flow of exposures into and out of non-performing classification. 106. A credit institution should estimate the migration rates and the quality of the performing exposures month by month, so that actions can be prioritised and taken promptly to inhibit deterioration of portfolio quality. Migration matrices can be further broken down by exposure type (retail mortgage, consumer, real estate), by business unit or by other sub-portfolio to identify whether the driver of the flows can be attributed to a specific sub-portfolio. 107. In its monitoring activities, a credit institution should use internal information (e.g. from internal score systems) and external information (e.g. from rating agencies, credit bureaus, specialised sector research or macroeconomic indicators for specific geographical areas) and should refer to a particular point in time or observation period. Part C of these guidelines includes examples of such internal and external information. 3.4.2 Borrower engagement and cash collection 108. Once NPL WUs have been established, key operational performance metrics should be implemented to assess the units’ or employees’ efficiency relative to average

performance and/or standard benchmark indicators. If no such indicators exist or are available, key operational performance should be monitored by measuring the effective results against the targets set in the credit institution’s NPL operational plan. 3.4.3 Forbearance activities 109. To resolve or limit the impact of NPLs, A credit institution should explore the possibilities with regard to granting forbearance measures. 110. A credit institution should monitor two aspects of the forbearance activities, efficiency and effectiveness. 111. The main objective of forbearance measures should be the return of the borrower to a sustainable performing repayment status, taking into account the amount due and minimising expected losses. This objectives should take into account the importance of ensuring the fair treatment of consumers and compliance with any consumer protection requirements that may be applicable. The credit institution should monitor the quality of the forbearance activities to make sure that they are not used to delay impairments or an assessment that the exposure is uncollectable. The monitoring should cover forbearance activities in relation to both performing and non-performing exposures. 3.4.4 Liquidation activities 112. If no sustainable restructuring solution can be reached, a credit institution should still resolve the NPL. Resolution may involve initiating legal procedures, foreclosing assets, debt to asset/equity swap, disposal of credit facilities by sale, transferal to an asset management company or securitisation. 113. Liquidation activities should be monitored by the credit institution to help inform strategies and policies. 114. A credit institution should monitor disposals and monitor realised sales/transfer prices against net carrying amounts. 115. A credit institution should monitor the volumes and recovery rates of legal and foreclosure cases. Performance in this regard should be measured against set targets, in terms of number of months/years and loss to the institution. In monitoring the actual loss rate, a credit institution is expected to build historical time series for each loan portfolio to back up the assumptions used for impairment review purposes and stress test exercises.

116. For exposures covered by collateral or another type of guarantee, a credit institution should monitor the time period needed to liquidate the collateral or to enforce a guarantee. A credit institution should also monitor potential forced sale haircuts upon liquidation and developments in certain markets (e.g. property markets) to obtain an outlook on potential recovery rates.
117. Monitoring the recovery rates from foreclosure and other legal proceedings should help a credit institution to reliably assess whether the decision to foreclose will provide a higher net present value than pursuing a forbearance option. The data regarding the recovery rates from foreclosures should be monitored on an ongoing basis and feed into potential amendments to a credit institution’ strategies for handling their debt recovery/legal portfolios.
118. A credit institution should also monitor the average duration of legal procedures recently completed and the average amounts recovered (including related recovery costs) from these completed procedures.
119. A credit institution should carefully monitor cases where the debt is swapped with an asset or equity of the borrower, at least by using volume indicators by type of assets, and ensure compliance with any limits set by the relevant national regulations on holdings. The use of this approach as a forbearance measure should be backed by a proper business plan and limited to assets in relation to which the institution has sufficient expertise and the market realistically allows the determined value to be extracted from the asset in the short to medium term. The credit institution should also make sure that the valuation of the assets is carried out by qualified and experienced appraisers. 3.4.5 Other monitoring items
120. A credit institution should monitor and report to their management bodies the amount of interest income stemming from NPLs. In addition, a distinction should be made between the interest payments on NPLs actually received and those not actually received. The evolution of loss allowances and the related drivers should also be monitored.
121. If foreclosure is a part of a credit institution’s NPL strategy, it should also monitor the volume, ageing, coverage and flows of foreclosed assets (or other assets stemming from NPLs) at a sufficient level of granularity to take into account material types of assets. The performance of the foreclosed assets vis-a-vis the predefined business plan should be monitored and reported to the management body and other relevant managers on an aggregate level.

IV. FORBEARANCE 122. Forbearance measures should aim to return the borrower to a sustainable performing repayment status, taking into account the amount due and minimising expected losses. 123. When deciding on which steps or forbearance measures to take, a credit institution should take into account the interests of consumers and comply with consumer protection requirements. 124. A credit institution should monitor the efficiency and effectiveness of forbearance activities. 4.1 Forbearance measures and their viability 125. A credit institution should consider using a combination of different forbearance measures, including both short-term and long-term time horizons in line with the nature and maturity of the credit facilities. A credit institution should consider the list of possible forbearance measures in Part E of these guidelines. 126. A credit institution should use forbearance measures with time horizons shorter than two years (one year in the case of project finance and the construction of commercial property) where such measures do not address the resolution of outstanding arrears, unless such measures are combined with forbearance measures that are longer than two years. 127. A credit institution should consider forbearance measures with time horizons not greater than two years (and, where appropriate, for other forbearance measures) when the borrower meets the following criteria:

1. The borrower has experienced an identifiable event that has caused temporary liquidity constraints. Evidence of such an event should be demonstrated in a formal manner with clear evidence showing that the borrower’s income will recover fully or mostly in the short term, or on the basis of the credit institution concluding that a long-term forbearance solution was not possible due to temporary financial uncertainty of a general or borrower- specific nature. The form of evidence to be provided for this purpose should be proportionate to the nature, maturity and value of the credit facility in question.
2. The borrower had been fulfilling contractual obligations prior to the event.
3. The borrower has clearly demonstrated willingness to cooperate with the credit institution.

128. The contractual terms for any forbearance measure should ensure that the credit institution has the right to review the agreed forbearance measures if the situation of the borrower improves and more favourable conditions for the credit institution

(with regard to the forbearance or the original contractual conditions) can therefore be enforced; to this end, the contract should indicate the specific changes to the forbearance measure to be applied as a consequence of specific improvements in the situation of the borrower. A credit institution should also consider including strict consequences, such as a requirement for additional collateral, in the contractual terms for borrowers who fail to comply with the forbearance agreement. 4.1.1 Viable versus non-viable forbearance 129. A credit institution should distinguish between viable forbearance measures contributing to reducing the borrower’s exposure and non-viable forbearance measures. 130. A credit institution should consider the following factors when assessing the viability of forbearance measures:

1. The credit institution can demonstrate (based on objectively verifiable evidence) that the borrower can afford the forbearance solution, i.e. full repayment is expected;
2. The resolution of outstanding arrears is fully or mostly addressed and a significant reduction in the borrower’s balance in the medium to long term is expected;
3. In cases where previous forbearance measures have been granted, including any previous forbearance measures considered in the long run, the credit institution should ensure that additional internal controls are implemented to ensure that this subsequent forbearance treatment meets the viability criteria outlined below. These controls should include, at a minimum that such cases are explicitly brought to the attention of the risk control function ex ante. Furthermore, the explicit approval of the relevant senior decision-making body should be sought;
4. Forbearance measures with a short-term time horizon are applied temporarily and the credit institution is able to demonstrate, based on objectively verifiable evidence, that the borrower has the ability to repay the original or modified amount on a full principal and interest basis commencing from the expiry date of the short-term temporary arrangement;
5. The measure does not result in multiple consecutive forbearance measures having been granted to the same exposure.

131. The assessment of viability should be based on the financial characteristics of the borrower and the forbearance measure to be granted at that time. The viability assessment should take place irrespective of the source of forbearance. Different sources for forbearance measures are, inter alia, the borrower using a forbearance clause embedded in a contract, bilateral negotiation of forbearance between a borrower and a credit institution and a public forbearance scheme extended to all borrowers in a specific situation.

4.2 Sound forbearance processes 4.2.1 Forbearance policy 132. A credit institution should develop a policy on their forbearance activities. The policy should cover at least:

1. the process and procedures for granting forbearance measures, including responsibilities and decision-making;
2. a description of available forbearance measures, including those embedded in contracts;
3. information requirements for assessing the viability of forbearance measures;
4. documentation of forbearance measures granted;
5. the process and metrics for monitoring the efficiency and effectiveness of forbearance measures.

133. A credit institution should regularly review their forbearance policies and options based on the collective monitoring of the performance of different forbearance measures, including the examination of potential causes and instances of re￾defaults. 4.2.2 Efficiency and effectiveness of forbearance activities
134. A credit institution should monitor the quality of forbearance activities to make sure that they are not used to delay an assessment that the exposure is uncollectable. The monitoring should cover forbearance activities relating to both performing and non-performing exposures and differentiate between types of forbearance measures and portfolios.
135. A credit institution should measure the efficiency of the process for granting forbearance measures and monitor the duration of the decision-making process and the volumes of forbearance measures at each stage of the granting process.
136. A credit institution should monitor effectiveness of forbearance measures granted. This monitoring should measure the degree of success of the forbearance measure and whether the modified contractual obligations of the borrower are met and the exposure is performing. The following metrics by portfolio and by type of forbearance measure should be used:

1. Forbearance cure rate and rate of exposure being reclassified as non￾performing: a credit institution should conduct a vintage analysis and monitor the behaviour of FBEs from the date of modification to determine the cure rate. This analysis should be conducted separately for cured exposures with and without forbearance measures.

2. Cash collection rate: a credit institution should monitor cash collected from FBEs.

3. Write-off: where granting a forbearance measure leads to a partial write-off, a credit institution should record and monitor these exposures against an approved loss budget. The net present value loss associated with the decision to write off an unrecoverable exposure should be monitored against the cure rate.

137. A credit institution should monitor indicators relating to forbearance activities using a meaningful breakdown, which could include the type and duration of arrears, the type of exposure, the probability of recovery, the size of the exposures or the total amount of exposures to the same borrower or group of connected clients, and the number of forbearance solutions applied in the past. 4.2.3 Assessing the borrower’s repayment capacity
138. Before granting any forbearance measures, a credit institution should assess the borrower’s repayment capacity. This should include an adequate assessment of the borrower’s financial situation, based on sufficient information and taking into account relevant factors such as the debt-servicing capacity and overall indebtedness of the borrower or the property/project. 4.2.4 Standardised forbearance products and decision trees
139. A credit institution should have adequate policies and procedures in place with a range of sustainable and effective solutions for the borrower when granting forbearance. The grouping of exposures into portfolios should be reflected in these policies and procedures, to enable a credit institution to adopt different forbearance measures for different segments of borrowers and tailor measures to them.
140. A credit institution should consider developing decision trees and standardised forbearance measures for portfolios of homogeneous borrowers with less complex exposures. Decision trees may help in determining and implementing appropriate and sustainable forbearance strategies for specific portfolios of borrowers in a consistent manner based on approved criteria. 4.2.5 Comparison with other NPL workout options
141. A credit institution should use a net present value approach to determine the most suitable and sustainable workout option for borrowers’ varied circumstances, having regard to the fair treatment of the consumer, and should compare the net present value of the envisaged forbearance measure with the net present value of repossession and other available liquidation options. The parameters used in the calculation, such as the assumed liquidation time horizon, discount rate, cost of capital and liquidation cost, should be based on observed empirical data.

4.2.6 Forbearance targets and monitoring 142. Forbearance contracts and documentation should include a well-defined borrower target schedule, detailing all necessary targets to be achieved by the borrower in order to repay the exposure over the course of the contract term. These milestones/targets should be credible, be appropriately conservative and take account of any potential deterioration in the borrower’s financial situation. The performance of the forborne borrower, including the borrower’s compliance with all agreed targets, should be closely monitored by the NPL WU responsible for granting the forbearance, at least for the duration of the probation period. V. NPL RECOGNITION 143. This chapter sets out the key elements of governance and operations in relation to NPL recognition. 5.1 Past due criterion 144. A credit institution should recognise exposures as being past due in accordance with Article 197 of the Decision on Capital Adequacy of Credit Institutions. 5.2 Indications of unlikeliness to pay 145. A credit institution should recognise exposures as unlikely to pay and identify indications of unlikeliness to pay in accordance with Article 197 of the Decision on Capital Adequacy of Credit Institutions. 146. A credit institution should monitor the repayment capacity of borrowers. In the case of corporate borrowers, this should be assessed at least annually and at key reporting dates at which financial data are available. A credit institution should collect the latest financial information from corporate borrowers in a timely fashion. The non-provision or the unreasonably late provision of information may be seen as a negative sign with regard to the borrower’s creditworthiness. In the case of non￾corporate borrowers, a credit institution should monitor payment performance and any signs of financial difficulties that may have an impact on repayment capacity. For borrowers on a watch list or with a weak rating, more frequent review processes should be in place, depending on the materiality, the portfolio and the borrower’s financial standing. The regular assessment of the borrower’s repayment capabilities should also apply to bullet loans, because these loans represent a higher level of risk than a loan subject to regular amortisation and also because continuous payment by the borrower of the interest amounts due is not sufficient reason to assume that the final bullet repayment of the loan will take place.

5.3 Forbearance and performing status 5.3.1 Forbearance 147. For the purpose of implementing forbearance measures, a credit institution should be able to identify signs of possible future financial difficulties at an early stage. In order to do so, the assessment of the financial situation of the borrower should not be limited to exposures with apparent signs of financial difficulties. An assessment of financial difficulties should also be conducted for exposures with regard to which the borrower does not have apparent financial difficulties but in relation to which market conditions have changed significantly in a way that could impact the borrower’s ability to repay (e.g. bullet loans the repayment of which will depend on the sale of immovable property or foreign currency loans). 148. The assessment of any financial difficulties on the part of a borrower should be based on the situation of the borrower only, disregarding collateral or any guarantees provided by third parties. When assessing the financial difficulties of the borrower, A credit institution should consider at least the following rebuttable circumstances:

1. borrower/facility more than 30 days past due during the three months prior to its modification or refinancing;
2. increase in probability of default (PD) of credit institution’s internal rating class during the three months prior to its modification or refinancing;
3. presence on a watch list during the three months prior to its modification or refinancing.

149. Exposures should not be identified as forborne when concessions are made to borrowers who are not in financial difficulties. A credit institution should distinguish, based on a detailed financial assessment, between renegotiations or rollovers granted to borrowers not in financial difficulties and forbearance measures.
150. Granting new conditions such as a new interest rate more favourable than the rate borrowers with a similar risk profile could obtain may be considered an indication of such a concession when the credit institution determines that the reason for the new rate is the financial difficulties of the borrower. The provision of more favourable new conditions than those practised by the market should not be considered a prerequisite for the identification of concessions and therefore forbearance. When a borrower is in financial difficulties, a change in conditions in line with what other borrowers with a similar risk profile could get from the credit institution should qualify as a concession, including when borrowers are included in public forbearance schemes that are offered by the credit institution.
151. Borrowers may request modifications in the contractual conditions of their loans without facing or being about to face difficulties in meeting their financial

commitments. A credit institution should perform an assessment of the borrower’s financial situation when such modifications to contractual conditions have an impact on payment performance. 5.3.2 Classification of FBEs as non-performing 152. When granting forbearance measures to performing exposures, a credit institution should assess whether these measures lead to a need to reclassify the exposure as non-performing. Granting forbearance measures to NPLs does not clear their non-performing status: the exposures should continue to be identified as non￾performing for at least one year of the cure period after the granting of the forbearance measures. 153. When assessing if FBEs should be classified as non-performing, a credit institution should assess if exposures:

1. are supported by inadequate payment plans (either initial or subsequent payment plans, as applicable) that encompass, inter alia, a repeated failure to comply with the payment plan, changes to the payment plan to avoid breaches or the payment plan’s resting on expectations that are not supported by macroeconomic forecasts or by credible assumptions on the repayment capability or willingness of the borrower;
2. include contract terms that delay the time for the regular repayment instalments on the transaction, in such a way that its assessment for a proper classification is hindered, such as when grace periods of more than two years for the repayment of the principal are granted;
3. include de-recognised amounts that exceed the accumulated credit risk losses for NPLs with a similar risk profile. 5.3.3 Cure/exit from non-performing status

154. A credit institution should reclassify NPLs, including FBEs into performing in accordance with Articles 35 to 37 of the Decision on the criteria and the manner of classification of assets and calculation of provisions for potential loan losses of a credit institution.
155. A credit institution should perform a financial analysis of the borrower to establish the absence of concerns regarding the borrower’s ability to pay its credit obligations.
156. A credit institution’ policies for the reclassification of non-performing FBEs should specify practices for dispelling concerns regarding the borrower’s ability to comply with the post- forbearance conditions. These policies should establish criteria in terms of payments made during the cure period of at least one year and define the borrower’s ability to comply with post- forbearance conditions (to the extent that full repayment of the debt is likely) without being reliant on the realisation of collateral

at least by demonstrating payments of a not insignificant amount of principal. These policies should require payments of both principal and interest. 157. In addition, where a borrower has other exposures to a credit institution that are not the subject of a forbearance measure, the credit institution should consider the impact and the performance of these exposures in its assessment of the borrower’s ability to comply with post-forbearance conditions. The consideration of arrears should not change the level of application of non-performing status. Only exposures to which forbearance measures have been applied should be identified as FBEs. 158. The existence of contract terms that extend the repayment period, such as grace periods for the principal, should confirm the classification of these FBEs as non￾performing. The fact that the one-year cure period has elapsed should not automatically lead to reclassification to performing unless regular payments have been made over these 12 months and an assessment of unlikeliness to pay has been concluded with no indication of unlikeliness to pay. 5.3.4 Identification of exposures as performing FBEs 159. Once FBEs are classified as performing, either because they have met the conditions for being reclassified from the non-performing category or because the granting of forbearance measures did not lead to the classification of the exposure as non-performing, they should continue to be identified as forborne until all the conditions for the discontinuation of the classification of exposures as forborne have been met. 160. A credit institution’ policies for identifying performing FBEs should specify practices for dispelling concerns regarding the borrower’s financial difficulties. A credit institution’ policies should require the borrower to have settled, by means of regular payments, an amount equal to all the amounts (principal and interest) that were previously past due or de-recognised at the time of the concession, or to otherwise demonstrate its ability to comply with the post- forbearance conditions under alternative objective criteria that include a repayment of principal. 161. A credit institution shall classify performing FBEs that have been reclassified out of the non-performing category to the non-performing category. The same should apply when these exposures become more than 30 days past due. 5.4 Consistent application of definition of non-performing 162. A credit institution should adopt adequate mechanisms and procedures for the harmonised implementation of the definition of default referred to in Article 197 of the Decision on Capital Adequacy of Credit Institutions in all subsidiaries and

branches. This will ensure that the identification of NPLs is consistent at entity and banking group levels. 163. A credit institution’s policies should ensure consistent treatment of individual clients and groups of connected clients as defined in the Law and Annex 1 of the Decision on large exposures of credit institutions. 164. In view of possible contagion, q credit institution should, whenever feasible, apply a group perspective when assessing the status of a borrower’s exposure as non￾performing, unless it is affected by isolated disputes that are unrelated to the solvency of the counterparty. 165. A credit institution should keep a register of all classification criteria. VI. NPL IMPAIRMENT AND WRITE-OFFS 166. A credit institution should estimate loss allowances for NPLs and FBEs subject to impairment. 167. This chapter sets out the key elements of governance and operations in relation to NPL impairment measurement and write-offs. 6.1 NPL write-offs 168. A credit institution shall recognise uncollectability in the appropriate period through loss allowances or write-offs. When the credit institution has no reasonable expectation of recovering contractual cash flow of the exposure it should lead to a partial or full write-off of the exposure (IFRS 9.B3.2.16.r). 169. A write-off may be done before legal actions against the borrower to recover the debt have been concluded in full. A write-off should not be considered to mean that the credit institution has forfeited the legal right to recover the debt; a credit institution’s decision to forfeit the legal claim on the debt is debt forgiveness. 170. Write-offs constitute a de-recognition event (IFRS 9.5.4.4). If cash or other assets are eventually collected, these collections should be directly recognised as income in the statement of profit or loss. 171. A credit institution should maintain detailed records of all NPL write-offs performed on a portfolio-level basis.

6.2 NPL impairment and write-offs 172. A credit institution should include in their internal policies guidance on the timeliness of impairments and write-offs, acknowledging external circumstances and factors such as ongoing judicial procedures. 173. In particular for exposures or parts of exposures that are not covered by collateral, a credit institution should consider suitable maximum periods for full impairment, coverage and write-off. 174. For parts of exposures covered by collateral, the establishment of a minimum impairment level should take the type of collateral into account. 175. A credit institution should apply empirical evidence when calibrating the impairment and write-off periods. 176. When assessing the recoverability of NPLs and in determining internal NPL write￾off approaches, a credit institution should pay particular attention to the cohorts listed below, as they may have higher levels of permanent uncollectability.

1. exposures with prolonged arrears: different thresholds may be appropriate for different portfolios. A credit institution should assess the recoverability of NPLs if the borrower has been in arrears for a prolonged period of time. If, following this assessment, it is concluded that there is no reasonable expectation of recovering an exposure or part of an exposure, a full or partial write-off should be performed;
2. exposures under an insolvency procedure: where the collateralisation of the exposure is low, legal expenses often absorb a significant portion of the proceeds from the bankruptcy procedure, and therefore estimated recoveries can be expected to be very low;
3. a partial write-off may be justified when there is evidence that the borrower is unable to repay the amount of the exposure in full, meaning that there is a reasonable expectation of recovering a part of the exposure. 6.3 Impairment and write-off procedures

177. A credit institution should adopt, document and adhere to sound policies, procedures and controls for assessing and measuring loss allowances and write-off on NPLs.

178. A credit institution should back-test their loss allowance estimations against actual losses.

179. The policy on write-offs should include indicators used to assess expectations of recovery and detailed information on those exposures that have been written off but are still subject to enforcement activity.

180. A credit institution’s internal audit function should verify the methodologies used to identify NPL impairments and write-offs. VII. COLLATERAL VALUATION OF IMMOVABLE AND MOVABLE PROPERTY

181. This chapter sets out the key elements for collateral valuation of immovable and movable property pledged for NPLs. 7.1 Governance, procedures and controls 7.1.1 General policy and procedures

182. A credit institution should have in place a written policy and procedures governing the valuation of property collateral. The policy and procedures should be fully aligned with the credit institution’s RAF.

183. The policy and procedures should cover the valuation of all immovable and movable property collateral irrespective of its eligibility for prudential purposes in accordance with the requirements of Articles 228 and 230 of the Decision on Capital Adequacy of Credit Institutions.

184. The policy and procedures should be approved by the management body and should be reviewed at least on an annual basis. 7.1.2 Monitoring and controls

185. A credit institution should monitor and review the valuations performed by internal or external appraisers on a regular basis as set out in this chapter of the guidelines.

186. A credit institution should develop and implement a robust internal quality assurance policy and procedures for valuations conducted internally and externally, considering the following:

1. the quality assurance process should be carried out by a function that is independent from the function conducting the initial valuation, loan processing, loan monitoring and the underwriting process;

2. the independence of the external appraiser selection process should be tested on a regular basis as part of the quality assurance process;

3. an appropriate, similar sample of internal and external valuations should be compared with market observations on a regular basis;

4. back-testing of both internal and external valuations should be carried out on a regular basis;

5. the quality assurance process should be based on an appropriate sample size.

187. The internal audit function should regularly review the consistency and quality of the valuation policy and procedures, the independence of the appraiser selection process and the appropriateness of the valuations carried out by both external and internal appraisers. 7.1.3 Individual valuation of immovable property and use of indexation
188. A credit institution should monitor the value of immovable property collateral on a frequent basis and at a minimum as specified in Article 228 of the Decision on Capital Adequacy of Credit Institutions.
189. Indexation or similar methods may be used to monitor the value of a collateral and identify the collaterals requiring revaluation. This should be in line with the institution’s policy and provided that the collateral to be assessed is susceptible to accurate assessment by such methods.
190. Indices used to carry out this indexation may be internal or external as long as they are:

1. reviewed regularly, with the results of this review being documented and readily available, and with the review cycle and governance requirements being clearly defined in a policy document approved by the management body;
2. sufficiently granular, with the methodology being adequate and appropriate for the type of collateral in question;
3. based on a sufficient time series of observed empirical evidence of actual property transactions.

191. Valuations and revaluations of immovable property collateral should be performed on an individual and a property-specific basis. Valuations and revaluations of immovable property collateral should not be carried out using a statistical model as the sole means of undertaking the review of the property valuation. 7.1.4 Appraisers

192. All valuations of immovable property, including updated valuations, should be performed by an independent and qualified appraiser, internal or external, who possesses the necessary qualifications, ability and experience to execute a valuation, as specified in Article 228 paragraph (1) item 2) and Article 249 of the Decision on Capital Adequacy of Credit Institutions.

193. When establishing cooperation with external independent and qualified appraisers, a credit institution should define the criteria for their selection in accordance with items 194 to 198 of these guidelines and assess their performance on an ongoing basis and make a decision with which appraiser it should continue the cooperation.

194. A credit institution should ensure that engaged external appraisers have adequate and valid professional indemnity insurance.

195. The credit institution should ensure that each qualified appraiser:

1. is professionally competent and has at least the minimum educational level that meets any requirements for carrying out valuations of assets pursuant to the applicable regulations;
2. has appropriate technical skills and experience to perform the assignment;
3. is familiar with, and able to demonstrate ability to comply with, any laws, regulations and property valuation standards that apply to the appraiser and the assignment;
4. has the necessary knowledge of the subject of the valuation, the relevant property market and the purpose of the valuation.

196. Engaged external appraisers should contain expertise in various areas of the property sector appropriate to the lending business of the credit institution and the location of lending.
197. In order to mitigate any conflict of interest sufficiently, a credit institution should ensure that all internal and external appraisers who are going to carry out the actual appraisal of a given property and their first-degree relatives meet the following requirements:

1. they are not involved in the loan processing, loan decision or credit underwriting process;
2. they are not guided or influenced by the borrower’s creditworthiness;
3. they do not have an actual or potential, current or prospective conflict of interest regarding the result of the valuation;
4. they do not have an interest in the property;
5. they are not a connected person to either the buyer or the seller of the property;
6. they provide an impartial, clear, transparent and objective valuation report;
7. the fee they receive is not linked to the result of the valuation.

198. A credit institution should ensure adequate rotation of appraisers, i.e. two sequential individual valuations of the immovable property by the same appraiser should result in the rotation of the appraiser, resulting in the appointment of either a different internal appraiser or a different external appraisal provider.

7.2 Frequency of valuations 199. For prudential purposes, a credit institution should update valuations of all secured exposures in accordance with the requirements of Article 228 paragraph (3) and Article 230 item 3) of the Decision on Capital Adequacy of Credit Institutions. 200. The group of collaterals that are subject to individual valuations and revaluations on a regular basis should be updated at the time when the exposure is classified as non- performing and at least annually while it continues to be classified as such. A credit institution should make sure that, for the collateral subject to indexation or other similar methods, the indexation is updated at least annually. 201. For properties with an updated individual valuation that has taken place within the past 12 months (in line with all the applicable principles and requirements as set out in this chapter), the property value may be indexed up to the period of the impairment review. 202. A credit institution should carry out more frequent monitoring where the market is subject to significant negative changes and/or where there are signs of significant decline in the value of the individual collateral. 203. A credit institution should define criteria in their collateral valuation policy and procedures for determining if a significant decline in collateral value has taken place. Where possible, these will include quantitative thresholds for each type of collateral, based on the observed empirical data and any relevant qualitative credit institution experience, bearing in mind relevant factors such as market price trends or the opinion of independent appraisers. 204. A credit institution should have appropriate processes and systems in place to flag outdated valuations and to trigger valuation reports. 7.3. Valuation methodology 7.3.1 General considerations 205. A credit institution should have defined collateral valuation approaches for each collateral product type; these should be adequate and appropriate for the type of collateral in question. 206. All immovable property collateral should be valued on the basis of market value or mortgage lending value, as specified under Article 249 of the Decision on Capital Adequacy of Credit Institutions. 207. Movable property should be valued at its market value.

208. For movable property, a credit institution should, in accordance with the requirements of Article 218 paragraph (8) of the Decision on Capital Adequacy of Credit Institutions, periodically assess the liquidity of the property. If there is material volatility in the market prices, the credit institution should demonstrate that the valuation of the collateral is sufficiently conservative.
209. For movable property, a credit institution should, in accordance with the requirements of Article 230 of the Decision on Capital Adequacy of Credit Institutions, conduct a sufficient legal review confirming the enforceability of the collateral, including an assessment of the legal right to enforce and liquidate the collateral in the event of default, within a reasonable timeframe.
210. A credit institution should not use overall valuations based only on the discounted replacement cost. For income-generating properties, a market-comparable or discounted cash flow approach can be used.
211. Property collateral should be valued in accordance with applicable international, European and national standards. 7.3.2 Expected future cash flow
212. A credit institution should estimate discounted cash flow in a prudential manner and in line with applicable accounting standards.
213. Calculation of discounted cash flow should take into account cases where:

• the operating cash flow of the borrower continues and can be used to repay the financial debt, and collateral may be exercised to the extent that it does not influence operating cash flow; and
• the operating cash flow of the borrower ceases and collateral is exercised.

214. When the estimation is based on the assumption that the operating cash flow of the borrower will continue, including cash flow being received from the collateral, updated and reliable information on cash flow is required.

215. When the estimation is based on the assumption that the operating cash flow of the borrower will cease, the future sale proceeds from collateral execution should be adjusted to take into account the appropriate liquidation costs and market price discount.

216. In addition to the above liquidation costs, a market price discount, if appropriate, should be applied to the updated valuation as outlined below.

217. The property price at the time of liquidation should take into account current and expected market conditions.

218. Time-to-sale considerations in connection with the disposal of mortgaged properties should also be included, based on debt enforcement practices and experiences from judicial proceedings at national level and on empirical evidence, and back-tested accordingly. These considerations should include any operational costs or capital expenditures to be incurred before the time of sale.

219. The execution of collateral may include both consensual and non-consensual (forced) liquidation strategies.

220. The liquidation cost discount should reflect the manner of collateral execution, i.e. whether it is consensual or non-consensual.

221. The market price discount should reflect the liquidity of the market and the liquidation strategy. It should not reflect fire sale conditions unless the anticipated liquidation strategy actually involves a fire sale.

222. A credit institution should apply adequate market price discounts for the purposes of IFRS 9, for the calculation of regulatory capital and for risk control purposes. A market price discount may be close to zero only for highly liquid and non-distressed collateral types that are not affected by any significant correlation risks.

223. A credit institution should develop their own liquidation cost and market price discount assumptions based on observed empirical evidence. If insufficient empirical evidence is available, discount assumptions should be based on, at a minimum, liquidity, passage of time, and the quality/ageing of the appraisal.

224. If a credit institution faces the situation of a frozen property market and only a small number of properties have been sold or the sales history has to be considered insufficient, a more conservative market price discount should apply. 7.4 Further considerations on estimating cash flow from property collateral liquidation

225. In estimating cash flow from property collateral liquidation, a credit institution should use appropriate and credible assumptions. In addition, a credit institution should pay attention to the requirements for valuing cash flow under IFRS 13 on fair value measurements.

226. In particular, credit institutions should comply with the following requirements:

1. they must determine the assumed time of disposal taking into account current and expected market conditions as well as the underlying national legal framework regarding the disposal of mortgaged properties;
2. they must ensure that the property price used to determine the estimated market value of property collateral at the point of liquidation is not based on macroeconomic projections/assumptions that are more optimistic than the

projections produced by the relevant authorities and organisations such as International Monetary Fund (IMF) and the European System of Central Banks (ESCB)/ the European Systemic Risk Board (ESRB), and therefore does not assume an improvement on the current market conditions; 3) they must ensure that income from property collateral is not assumed to increase from the current levels unless there is an existing contractual arrangement for such an increase. Moreover, current income from property should be adjusted when calculating cash flow in order to reflect the expected economic conditions. A credit institution should consider whether it is appropriate to project a flat income in a recessionary environment in which vacant properties are increasing and/or demand for transportation is decreasing, putting downwards pressure on income; 4) a hold strategy on property collateral is not acceptable. A hold strategy is defined as holding the asset at above market value assuming that the asset will be sold after the market recovers. 227. When using the value of collateral in assessing the recoverable amount of the exposure, at least the following should be documented:

1. how the value was determined, including the use of appraisals, valuation assumptions and calculations;
2. the supporting rationale for adjustments to appraised values, if any;
3. the determination of selling costs, if applicable;
4. the assumed timeline to recover;
5. the expertise and independence of the appraiser.

228. When the observable market price is used to assess the recoverable amount of the exposure, the amount, source and date of the observable market price should also be documented.

229. A credit institution should be able to substantiate the assumptions used when assessing the recoverable amount by providing to the competent authority, if requested, details on the property market value, the market price discount, legal and selling expenses applied, and the term used for the time to liquidation.

230. A credit institution should be able to fully justify their assumptions, both qualitatively and quantitatively, and explain the drivers of their expectations, taking past and current experience into account. 7.5 Back-testing

231. A credit institution should demonstrate via sound back-testing that the assumptions used when assessing the recoverable amount were reasonable and grounded in observed experience. In this context, A credit institution should regularly back-test their valuation history (last valuation before the exposure was classified as non￾performing) against their sales history (net sales price of collateral).

232. Depending on the size and business model of the credit institution, it should differentiate by collateral type, valuation model/approach, type of sale (voluntary/forced) and region for its back-testing process. The back-testing results should be used to determine haircuts on collateral valuations supporting exposures remaining on the balance sheet.

233. Alternatively, a credit institution using the advanced internal ratings based (A-IRB) approach may use secured loss given default (LGD) to determine haircuts. 7.6 IT database requirements in respect of collateral

234. A credit institution should have databases of transactions to enable the proper assessment, monitoring and control of credit risk, to respond to requests from management and supervisors, and to enable the provision of information in periodic reports and other timely and comprehensive documentation. In particular, databases should comply with the following requirements:

1. sufficient depth and breadth, in that they cover all the significant risk factors;
2. accuracy, integrity, reliability and timeliness of data;
3. consistency – they should be based on common sources of information and uniform definitions of the concepts used for credit risk control;
4. traceability, such that the source of information can be identified.

235. These databases should include all the relevant information on properties and other collateral for the credit institution’s transactions and on the links between collateral and specific transactions. 7.7 Valuation of foreclosed assets
236. A credit institution should strongly consider classifying foreclosed assets as non￾current assets held for sale under IFRS 5. This accounting treatment implies that the asset must be available for immediate sale in its present condition (IFRS 5.7), that the management body should approve an individual plan to sell the asset within a short timeframe (normally one year) and that an active sales policy should be pursued (IFRS 5.8); thus, it favours recoveries.
237. Foreclosed assets received should be valued at the lower of:

1. the amount of the financial assets applied, treating the asset foreclosed or received in payment of debt as collateral;
2. the fair value of the repossessed asset, less selling costs.

238. When fair value is not obtained by reference to an active market but is based on a valuation technique (either level 2 or level 3), some adjustments are necessary, in particular as a result of two factors:

1. the condition or location of the assets. Risk and uncertainty regarding the asset should be incorporated in the fair value estimation;
2. the volume or level of activity of the markets in relation to these assets. The credit institution’s previous experience of the entity in realisations and of the differences between amounts arrived at using the valuation technique and the final amounts obtained in realisations should be incorporated into the calculation. The assumptions made in order to measure this adjustment may be documented, and should be available to the Central Bank on request. Illiquidity discounts may be considered.

239. When a credit institution’s foreclosed assets are still under construction and it is decided to complete construction before selling the asset, they should demonstrate the merits of such a strategy and the cost should not exceed the fair value less costs to complete and sell the asset taking into account an appropriate illiquidity discount as described above.
240. When a foreclosed asset has exceeded the average holding period for similar assets for which active sales policies are in place, a credit institution should revise the illiquidity discount applied in the valuation process described above, increase it accordingly. In these circumstances, the credit institution should refrain from recognising write-backs/reversals of existing accumulated impairment on the asset, as its prolonged presence on the balance sheet provides evidence that the credit institution is unable to sell the asset at an increased valuation.
241. The frequency of valuation of foreclosed assets and the applicable procedures should follow the treatment of immovable property as set out in chapters 7.1.2 and 7.2 of these guidelines.

Part A Sample criteria for grouping retail NPLs

1. Natural or legal person:

1. retail borrower
2. sole trader
3. small business or group of professionals
4. SME (overlaps with corporates).

2. Arrears bucket / days past due (dpd) (the higher the level of arrears the narrower the range of possible solutions):

1. early arrears (> 1 dpd and ≤ 90 dpd);
2. late arrears (> 90 dpd and < 180 dpd);
3. debt recovery unit (> 180 dpd, including also legal cases (borrowers in relation to whom legal actions have taken place or are in progress)).

3. Re-restructured cases (restructured loans with arrears, indicative of persistent repayment problems and/or failure of restructuring solution offered):

1. number of previous restructurings.

4. Exposure balance:

1. high value
2. low value
3. multiple exposures.

5. Level of risk (based on credit institution’s assessment / behaviour scoring / internal behaviour data / transaction history / credit rating).Clients with better payment histories are more likely to respond positively to restructuring offers:

1. very high
2. high
3. medium
4. low.

6. Based on borrower’s behaviour:

1. seasonal repayments
2. cooperative versus non-cooperative.

7. Purpose of credit facility (by product):

1. principal private residence loan

2. secondary home/holiday home loan

3. investment property loan/buy-to-let loan

4. personal loan

5. overdraft account

6. leased asset

7. credit card

8. sole trader, micro-enterprise or SME loan:

• for the set-up of the business (premises; infrastructure or machinery renovations)
• working capital.

8. Loan currency.
9. Loan interest rate (interest rate reduction consideration for loans burdened by high interest rates, if possible).
10. Borrower outlook (borrower’s age, health, employment type and history, employment prospects, professional skills, industry).
11. Country of residence / incorporation:

1. residents;
2. non-residents.

12. Location of the underlying collateral:

1. rural versus urban,
2. prime location, city centre, outskirts, etc.

13. Type of underlying collateral:

1. land:

• building plot
• agricultural land

2. building:

• house
• shop
• factory.

14. Based on the loan-to-value (LTV) ratio:

1. for low LTV loans, sale of underlying collateral may be the preferred option, unlike for high LTV loans.

15. Hardship cases (e.g. health problems, separation, divorce).
16. Borrower’s creditworthiness assessment:

1. can afford loan repayment versus cannot afford it;
2. income less expenditure versus reasonable living expenses versus loan instalment.

Part B Benchmarks for NPL monitoring metrics B.1. NPL metrics

1. NPL level and flows

• NPL stock ∕ total volume of NPLs
• NPE stock + foreclosed assets + performing forborne/total volume of exposures

• foreclosed assets

• Quarterly flow of NPLs (+/-) ∕ total NPL stock
• Quarterly flow of NPEs (+/-) ∕ total NPE stock
• Quarterly flow from performing exposure (PE) to NPL
• Quarterly flow from performing FBE to NPL
• Quarterly flow from NPL to PE
• Quarterly flow from NPL to performing FBE
• Quarterly flow from performing FBE to PE
• Quarterly flow from PE to performing FBE

2. Impairments

• Quarterly increase in stock of loss allowances
• Quarterly level of reversal of impairments
• Quarterly change in stock of loss allowances (+/-) ∕ total NPL stock
• Accumulated total provisions/total NPL stock
• By cohort (e.g. number of years since NPL classification, secured/unsecured)

3. Loss budget

• total loss as a result of forbearance activity;
• total loss versus budget B.2. Collection activities

1. Employees activity

• Number of borrower engagements per quarter versus plan
• Number of borrower engagements leading to forbearance agreement
• Number of borrower engagements leading to cash recovery
• Quarterly cash recovery from NPEs ∕ total NPE stock
• Quarterly cash recovery from interest on NPEs ∕ total NPE stock

2. Cash recovery

• Quarterly cash recovery from capital and fees on NPEs ∕ total NPE stock

• Quarterly cash recovery from property-related liquidations, also as a percentage of total NPE stock

• Quarterly cash recovery from non-property-related liquidations, also as a percentage of total NPE stock

• Quarterly cash recovery from sales of NPEs, also as a percentage of total NPE stock

• Quarterly cash recovery from NPEs, also as a percentage of total NPE stock B.3. Forbearance activities

1. Debt forgiveness

• Quarterly debt forgiveness
• Quarterly debt forgiveness ∕ specific assigned provisions
• Quarterly debt forgiveness ∕ total NPE stock

2. Accounting write-offs

• Quarterly accounting write-offs (full and partial)
• Quarterly accounting write-offs (full and partial) ∕ individually assessed stock of loss allowances
• Quarterly accounting write-offs (full and partial) ∕ total NPE stock

3. Forbearance activity

• Value of NPEs currently in forbearance
• Value of recently agreed forbearance solutions by characteristics (e.g. payment holiday > 12 months)
• Value of loans currently in forbearance ∕ total NPE stock
• Value of PEs currently in forbearance
• Quarterly non-performing FBEs ∕ total NPE stock
• Total non-performing FBEs ∕ total NPE stock
• Value of non-performing FBEs currently experiencing financial difficulties

4. Re-default rate

• Cure rate
• Cash collection rate
• Re-default rate on non-performing FBEs
• Re-default rate on performing FBEs

5. Debt/asset swap

• Quarterly debt to equity swaps, also as a percentage of total NPE stock
• Quarterly debt to asset swaps, also as a percentage of total NPE stock

6. Legal activities

• Value and number of loans currently in legal activity

• Value and number of assets recently foreclosed

• Quarterly value and number of loans newly entering legal activity

• Quarterly value and number of loans exiting legal activity

• Average duration of legal procedures recently closed

• Average amounts recovered from legal procedures recently closed (including total costs)

• Loss rate on loans exiting legal activity B.4 Profits and loss (P&L) items stemming from NPEs

1. Interest from NPEs

• Interest payments recognised on NPEs in the P&L
• Percentage of recognised interest payments from NPEs actually received

Part C Other monitoring metrics C.1. Borrower-level information from external sources

1. External sources

• Debt and collateral increase in other credit institutions
• Past due or other non-performing classifications in other credit institutions
• Guarantor default
• Debt in private central register (if any)
• Legal proceedings
• Bankruptcy
• Changes in company structure (e.g. merger, capital reduction)
• External rating assigned and trend therein
• Other negative information regarding major borrowers/counterparties of the borrower/suppliers C.2. Borrower-level information from internal sources

1. Business undertakings

• Negative trend in internal rating
• Unpaid cheques
• Significant change in liquidity profile
• Liabilities (leverage) (e.g. equity/total < 5% or < 10%)
• Number of days past due
• Number of months with any overdraft/overdraft exceeded
• Profit before taxes/revenue (e.g. ratio < –1%)
• Continued losses
• Continued excess in commercial paper discount
• Negative own funds
• Payment delays
• Decrease in turnover
• Reduction in credit lines related to trade receivables (e.g. year-on-year variation, 3 million average/1 year average)
• Unexpected reduction in undrawn credit lines (e.g. undrawn amount/total credit line)

2. Natural persons

• Negative trend in behavioural scoring

• Negative trend in PD and/or internal rating

• Mortgage loan instalment > x credit balance

• Mortgage and consumer credit days past due

• Decrease in the credit balance > 95% in the last 6 months

• Average total credit balance < 0.05% of total debt balance

• Forborne

• Related historic loss rates

• Decrease in payroll in the past 3 months

• Unemployment

• Early arrears (e.g. 5–30 days past due, depending on portfolio/borrower types)

• Reduction in bank transfers in current accounts

• Increase in loan instalment over the payroll ratio

• Number of months with any overdraft exceeded

• Negative trend in behavioural scoring

• Negative trend in PD and/or internal rating C.3. Portfolio-level information a. Portfolio distribution

• Size distribution and concentration level

• Top x (e.g. 10) groups of connected clients and related risk indicators

• Asset class distribution

• Breakdown by industry, sector, collateral type, country, maturity, etc.

2. Risk parameters

• PD/LGD evolution (overall and per portfolio)
• PD/LGD forecasts and projections
• Overall expected losses
• Default exposure

3. Stock of loss allowances

• Stocks and flows of loss allowances (overall and per portfolio)
• Volumes of and trends in significant risk provisions at individual level

4. NPE/forbearance status/foreclosure

• NPE volume by category (> 90 days past due, loss allowances, etc.)
• Forbearance volume and grouping of exposures (restructuring, workout, forced prolongation, other modifications, deferrals, > 90days past due, loan loss provisions)
• Foreclosed assets on total exposures
• NPE ratio without foreclosed assets
• NPE ratio with foreclosed assets
• NPE coverage (loss allowances, collateral, other guarantees) C.4. Specific type of borrower/sector

1. Legal activities

• Value and number of loans currently in legal activity
• Value and number of assets recently foreclosed
• Quarterly value and number of loans newly entering legal activity
• Quarterly value and number of loans exiting legal activity
• Average duration of legal procedures recently closed
• Average amounts recovered from legal procedures recently closed (including total costs)
• Loss rate on loans exiting legal activity

Part D Common NPL-related policies A credit institution should develop, regularly review and monitor operations in accordance with its policies relatedto the NPL management framework. A credit institution should establish the following policies, taking into account the principle of proportionality, aiming to achieve the implementation of the strategy of the credit institution (including its NPL strategy and operational plan where relevant). D.1. Arrears management policy This policy should set out the credit institution’s NPL operating model (see chapter 3.2 of these guidelines), including at least the following elements:

1. the structure and responsibilities of the NPE WUs, with clear handover triggers and a link tothe grouping of exposures (see chapter 3.2.3 of these guidelines);
2. the procedure to be followed by the functions involved, to include at a minimum:

• the procedure and handover criteria to be followed for each stage of arrears, earlyarrears and late arrears;
• the procedure to be followed where a borrower is classified as non-cooperating and/or non-viable, and the criteria for the borrower to be classified as such;
• the communication with the borrower at each procedure, which should be aligned withthe legislative framework of the country of operation (e.g. code of conduct);
• monitoring tools and methods to be applied;

3. the human and technical resource requirements;
4. the reports to be produced internally for monitoring purposes and for regular updates tothe management body. D.2. Forbearance policy The forbearance policy described in chapter 4.2.1 of these guidelines should set out at least:
5. the necessary financial and non-financial documentation to be requested and provided by the different types of borrowers in order for the responsible credit officer to demonstrate repayment capacity on a principal and interest basis;
6. the minimum key financial repayment capacity metrics and ratios to be applied by the credit officer, detailed on a portfolio-/product-/sector-specific basis, in order to fully assess the borrower’s repayment capacity; sector-specific guidelines for establishing key financialmetrics and ratios on a sector-specific basis (SMEs and corporates);
7. the process for determining and implementing the most appropriate forbearance solutionfor a borrower:

• for retail customers, decision trees are to be used. For non-retail borrowers, if a decision tree approach is notappropriate, then the policy should provide clear

instructions to the credit officer on how to assess the suitability of a forbearance treatment;

• in the case of borrowers for whom no solution can be reached (non-viable and/or non-cooperating borrowers), a time-bound process and procedure should be established for the transfer of these borrowers to the NPL WUs responsible for liquidation.

4. a toolkit of forbearance measures with short-term and long-term time horizons, as outlinedin chapter 4 of these guidelines;
5. clear instructions to the credit officer regarding the requirements for revaluation of collateral in line with chapter 7 of these guidelines;
6. the decision-making process, approval levels and procedures for each type of forbearancemeasure and size of exposure;
7. the process and procedure for the monitoring of the forbearance solutions granted and borrower performance following the completion of a restructuring, including frequency of the review of the borrower, the re-default definition, the process for reassessment and requirements for reporting of re-defaults;
8. the pricing policy for each forbearance measure and type of borrower. D.3. Debt recovery/enforcement policy The NPL WUs responsible for debt recovery should take the most appropriate actions in a timely manner to effectively reduce NPLs over a defined time horizon. The debt recovery policy, in accordance with the NPL strategy, should address, at a minimum:
9. The range of available options for each collateral type. Indicatively, the following could be considered (not in any particular order):

• voluntary asset sale (borrower re-engages and agrees to sell the asset);
• forced asset sale via receivers/court proceedings (assets are not held on the balance sheet of the credit institution);
• foreclosure of asset (assets are held on the balance sheet of the credit institution);
• debt collection (internal or external);
• debt to asset/equity swap;
• sale of loan/loan portfolio to a third party.

2. the procedure to be followed to select the most appropriate recovery option and the teamof internal and external experts to be involved in taking the decision;
3. the recovery option should take into account the existence of collateral, type of legal documentation, type of borrower, local market conditions and macroeconomic outlook, thelegislative framework in place, and potential historical recovery rates for each option versusthe costs involved for each option;
4. a clear definition of non-cooperating borrowers or a link to related policies including such a definition;
5. a clearly defined approval process for each stage of the debt recovery process for the different recovery options available to the credit institution;
6. the role of risk control and internal audit departments in the procedure and in the monitoring process.

With respect to the liquidation of collateral, the following should be defined in the policy:

1. the valuation approach to be followed in respect of the asset (in line with chapter 7.7 of these guidelines) including the liquidation costs to be applied. The liquidation costs should be in line with requirements set out in chapter 7.4 of these guidelines;
2. involvement of internal or external experts;
3. limits

• to the amount of assets that can be held by the credit institution at any point of time, taking into account the large exposure limits specified in the CRD and industryconcentration risk, for example in the real estate sector;
• to the amount of repossessed or foreclosed assets that can be acquired by thecredit institution within a certain time period;

4. the procedure to be followed post repossession or foreclosure to develop and implement a sale strategy, and the unit within the credit institution responsible for undertaking the management of the assets concerned (this may also be defined in a separate foreclosed/repossessed asset policy). A credit institution should consider the interaction with other creditors for NPL borrowers with multiple creditors, usually corporate borrowers. Therefore, a credit institution should put in place a clear procedure for negotiating and interacting with other financial institutions (or other third parties) to whom the borrower is indebted. D.4. Collateral policies Given the importance of credit risk mitigation in the NPL workout process, credit institutions shoulddevelop clear and consistent collateral policies, including policies for foreclosed assets. These policies should comprehensively cover the management, valuation and reporting of all collateral types. Given the complexity and specialisation of some types of collateral, credit institutions shouldseek external expertise in drafting and reviewing these policies. A credit institution should ensure aconsistent approach to managing and valuing similar collateral across the portfolio, as per chapter 7. D.5. NPL monitoring policy A credit institution should establish a dedicated policy d specifying, inter alia:
5. the types of actions required in response to the different types of findings;
6. escalation procedures;
7. key elements, frequency and recipients of the reporting;
8. handover criteria/a link to NPL procedures. D.6. Outsourcing/NPL servicing policy A credit institution should establish a dedicated policy for the outsourcing of services to third parties if this is relevant. This needs to include the required procedures for the selection of outsourcing partners, the required legal contract content and the decision￾making process for outsourcing agreements, as well as the monitoring of those agreements.

Part E Possible forbearance measures A credit institution may implement the following forbearance measures:

1. Interest only;
2. Reduced payments;
3. Grace period/payment moratorium;
4. Arrears/interestcapitalisation;
5. Interest rate reduction;
6. Extension of maturity/term;
7. Additional collateral;
8. Sale by agreement/assisted sale
9. Rescheduled payments; 10)Conversion of currency; 11)Other alteration of contract conditions/covenants;
10. Refinancing / new credit facilities; 13)Debt consolidation 14)Partial or total debt forgiveness. E.1. Interest only During a defined short-term period, only interest is paid on credit facilities and no principal repayment is made. The principal amount thus remains unchanged and the terms for the repayment structure are reassessed at the end of the interest-only period, subject to the assessed repayment ability. This measure should be considered viable only if the credit institution can demonstrate (based on reasonable documented financial information) that the financial difficulties experienced by the borrower are of a temporary nature and that after the defined interest￾only period the borrower will be able to service the loan at least to the extent of the previous repayment ability. The measure should generally not exceed a period of 24 months and, in the case of construction of commercial property and project finance, 12 months. Once the defined period of this forbearance measure is over, a credit institution should reassess the borrower’s debt-servicing capacity in order to proceed with a revised repayment schedule that is able to account for the unpaid capital element during this interest-only period. In most cases, this measure will be offered in combination with other measures of a longer-term nature to compensate for the temporary lower repayments (e.g. extension of maturity).

E.2. Reduced payments Decrease in the amount of repayment instalments over a defined short-term period in order to accommodate the borrower’s affected cash flow situation, before continuing with the repayments on the basis of projected repayment ability. The interest remains to be paid in full. This measure should be considered viable only if the credit institution can demonstrate (based on reasonable documented financial information) that the financial difficulties experienced by the borrower are of a temporary nature and that after the defined interest￾only period the borrower will be able to service the loan at least to the extent of the previous repayment ability. If the amount of the payment reduction is moderate and all other conditions mentioned above are met, this measure could be applied for a period longer than 24 months. E.3. Grace period/payment moratorium An agreement allowing the borrower a defined delay in fulfilling the repayment obligations, usually with regard to the principal and interest. This measure is considered viable if the conditions referred to in part E.1 paragraph 2 of these guidelines are met. E.4. Arrears/interest capitalisation Forbearance of arrears and/or accrued interest arrears by the addition of those unpaid amounts to the outstanding principal balance for repayment under a sustainable rescheduled programme. The measure should be granted/considered viable only where the institution has assessed that the borrower’s verified income/expenditure levels (based on reasonable documented financial information) and the proposed revised repayments are sufficient to enable the borrower to service the revised loan repayment on a principal and interest basis for the duration of the revised repayment schedule, and where the institution has formally sought confirmation that the borrower understands and accepts the capitalisation conditions. Arrears capitalisation should be provided only selectively in cases where the recovery of historical arrears or payments due under the contract is not possible and capitalisation is the only option realistically available. A credit institution should generally avoid offering this measure to a borrower more than once, and the measure should be applied only to arrears that do not exceed a predefined size relative to the overall principal (which should be defined in the credit institution’s forbearance policy).

The institution should assess the percentage of arrears being capitalised compared with the principal and interest repayments as adequate and appropriate for the borrower. E.5. Interest rate reduction Permanent (or temporary) reduction in interest rate (fixed or variable) to a fair and sustainable rate. Exposures with high interest rates are one of the common causes of financial distress. The financial difficulties of a borrower may partly derive from the fact that the interest rates are excessively high compared with the income of the borrower or from the fact that the evolution of interest rates, as opposed to a fixed rate, has resulted in the borrower receiving finance at an exorbitant cost, compared with prevailing market conditions. In such cases, an interest rate reduction could be considered. If affordability can be achieved only at below-risk or below-cost rates, this should be clearly flagged. This measure could be applied also as a short-term measure. E.6. Extension of maturity/term Extension of the maturity of the loan (i.e. of the last contractual loan instalment date), which allows a reduction in instalment amounts by spreading the repayments over a longer period. If the borrower is subject to a compulsory retirement age, term extension should be considered viable only where the institution has assessed and can demonstrate that the borrower can, through a pension or other sources of verified income, service the revised loan repayments on an affordable basis. Term extension should be considered viable only where it is in line with the life cycle of existing collaterals or proper substitution of the existing collaterals occurs. E.7. Additional collateral Additional liens on unencumbered assets are obtained as additional collateral from the borrower in order to compensate for the higher risk exposure and as part of the restructuring process. This measure is not a viable standalone forbearance measure as it does not in itself resolve the presence of arrears on a loan. It usually aims to improve or cure LTV ratio covenants. Additional collateral may take many forms, such as a pledge on a cash deposit, assignment of receivables or a new/additional mortgage on immovable property.

A credit institution should value second and third liens on assets as well as personal guarantees with care. E.8. Sale by agreement/assisted sale The credit institution and the borrower agree to voluntarily dispose of the secured asset(s) to partially or fully repay the debt. Credit institutions should restructure any residual debt post the assisted sale with an appropriate repayment schedule in line with the borrower’s reassessed repayment ability. For forbearance measures that may require the sale of the property at the end of the term, credit institutions should conservatively consider the future approach to any shortfall that could remain after the sale of the property and address it as early as possible. For exposures that are repaid by repossession of collateral at a predefined moment, the repossession does not constitute a forbearance measure unless it is exercised ahead of the predefined moment due to financial difficulties. E.9. Rescheduled payments The existing contractual repayment schedule is adjusted to a new sustainable repayment programme based on a credible, current and forecasted assessment of the borrower’s cash flow Different repayment options may include:

1. Partial repayment: when a payment is made against the exposure, for example from a sale of assets that is lower than the outstanding balance. This option is applied to significantly reduce the exposure at risk and to enable a sustainable repayment programme for the remaining outstanding amount. This option should be preferred to the bullet and step-up options described below.
2. Balloon or bullet payments: when the rescheduled repayment ensures a large payment of the principal at a later date before loan maturity. This option should be used/considered viable only in exceptional circumstances and when the institution can duly demonstrate future cash flow availability by the borrower to meet the balloon or bullet payment.
3. Step-up payments: credit institutions should consider a solution including this option viable only when they can ensure, and are able to demonstrate, that there is good reason to expect that future increases in payments can be met by the borrower. E.10. Conversion of currency When the currency of the exposure is aligned with the currency of the cash flow.

Credit institutions should explain fully to borrowers the risks of foreign exchange and should also refer to currency conversion insurance. E.11. Other alteration of contract conditions/covenants When the credit institution discharges the borrower of covenants or conditions included in a loan agreement not listed above. E.12. Refinancing/new credit facilities Providing new financing arrangements in order to support the recovery of a distressed borrower. This is usually not a viable standalone forbearance measure; it should be combined with other forbearance measures addressing existing arrears. It should be applied only in exceptional cases. New credit facilities may be granted that may entail the pledging of additional collateral. In the case of inter-creditor arrangements, the introduction of covenants may be necessary to compensate for the additional risk incurred by the credit institution. This measure may be more suitable for corporate exposures; a thorough assessment of the borrower’s ability to pay should be performed, including sufficient involvement of independent sectoral experts to judge the viability of business plans and cash flow projections provided. This measure should be considered viable only when the thorough affordability assessment demonstrates repayment capacity in full. E.13. Debt consolidation Combining multiple exposures into a single exposure or a limited number of exposures. This is usually not a viable standalone forbearance measure; it should be combined with other forbearance measures addressing existing arrears. This measure is particularly beneficial in situations where combining collateral and secured cash flow provides greater overall collateral coverage for the entire debt, for example, by minimising cash leaks or by facilitating reallocation of cash flow surplus between exposures. E.14. Partial or total debt forgiveness The credit institution forfeits the right to legally recover part or the whole of the amount of the debt outstanding from the borrower. This measure should be used where the credit institution agrees to a ‘reduced payment in full and final settlement’ whereby the credit institution will forgive all of the remaining

debt if the borrower repays the reduced amount of the principal balance within an agreed timeframe. Credit institution should apply debt forgiveness options carefully, since the possibility of forgiveness can give rise to moral hazard and thus might encourage ‘strategic defaults’. Therefore, a credit institution should define specific forgiveness policies and procedures to ensure strong controls are in place.