Assessment of Suitability Requirements

FINANSSTILSYNET Postboks 1187 Sentrum 0107 Oslo Circular Assessment of Suitability Requirements CIRCULAR: 3/2023 DATE: 27.11.2023 THE CIRCULAR APPLIES TO: Banks Credit institutions Financing companies Payment institutions E-money institutions Insurance companies Insurance mediation companies Pension companies Holding companies in financial groups Securities companies Management companies for securities funds Licensed managers of alternative investment funds Regulated markets Central counterparties Custodians Securities registers Real estate agents Real estate agency companies Debt collection license holders Debt collection companies Auditors Accountants Debt information companies Authorized providers of business services Providers of exchange and safekeeping services Reporting agents

Assessment of Suitability Requirements 2 | Finanstilsynet Contents 1 Introduction 3 2 The Circle of Persons 3 2.1 Board Members 4 2.2 Managing Director 4 2.3 Others to be Assessed for Suitability 4 2.4 Agents, Brokers, etc. 5 2.5 Key Functions in Financial Companies 5 2.6 Personal Licenses 6 3 Companies' Assessments of Suitability 6 4 Notification to Finanstilsynet 6 4.1 License Applications 7 4.2 Subsequent Changes 7 4.3 Guidelines and Routines 7 4.4 Police Certificate 8 5 Requirements for Experience and Professional Qualifications 8 5.1 Board Members 8 5.2 Company Management 9 5.3 Insurance Mediators, etc. 10 5.4 Personal Licenses 10 6 Good Conduct Requirements, etc. 11 6.1 Criminal Offenses 11 6.2 Penalty Fees and Supervisory Measures 11 6.3 Financial Matters 12 6.4 Tax Matters 12 6.5 Time Aspect 12 7 Appendix 13 7.1 Application Forms in Altinn 13 7.2 Overview of Legal Provisions for Suitability Requirements 13

Assessment of Suitability Requirements Finanstilsynet | 3 1 Introduction For virtually all businesses under the supervision of Finanstilsynet, there are requirements that board members and the managing director must be suitable. These requirements are intended to contribute to the business being managed or led being operated in a sound manner. Which persons are subject to suitability requirements is described in more detail in section 2. Suitability requirements relate to among other things • education • experience • financial matters • conduct The core of the suitability requirements is that the person in question must have the necessary competence to perform the position or office, and that the person has not been convicted of a criminal offense or exhibited behavior that gives reason to assume that the position or office will not be handled in a sound manner. The requirement for experience and professional qualifications is described in more detail in section 5. The conduct requirement is described in more detail in section 6. An overview of the legal provisions for suitability requirements for the various businesses is attached to the circular. The circular does not address statutory suitability requirements for owners, for example, shareholders with significant ownership stakes in companies, or beneficial owners. Relevant recommendations from EBA (the European Banking Authority), EIOPA (the European Insurance and Occupational Pensions Authority), and ESMA (the European Securities and Markets Authority) related to suitability assessments are published on Finanstilsynet's website. The circular covers the practice and understanding of the suitability requirements set in sectoral legislation. Sectoral regulations may be more detailed, and the circular does not provide an exhaustive description of the suitability requirements and the content of the suitability assessment. 2 The Circle of Persons The suitability requirements apply to board members (including alternate members), managing directors, de facto managers, and certain others, such as insurance mediators, branch managers, agents, and managers of the custodian function. For financial companies and reporting agents, the suitability requirements also apply to persons who are to be considered as holding key functions.

Assessment of Suitability Requirements 4 | Finanstilsynet 2.1 Board Members All board members and alternate members must be assessed for suitability, including any board members elected by employees and shareholding-elected board members in management companies. Employee representatives on the board must in principle meet the same suitability requirements as other board members. However, the special role these individuals have in the board must be given weight in the assessment of which requirements must be met, beyond the good conduct requirement. For a group consisting of a savings bank and a mutual insurance company, the suitability requirements will apply to board members in both the group board and the business boards in the operating companies. In audit companies, a majority of both the members and alternate members must be approved auditors, including meeting the suitability requirements. 2.2 Managing Director The suitability requirements apply to the person who is to be registered as the managing director in the Business Register. If there is provision for having multiple managing directors or a board of directors as the management (cf. the Financial Companies Act § 8-13), the suitability requirements must be met by all managing directors or members of the board of directors. In group structures consisting of a savings bank and a mutual insurance company, the group CEO must oversee the daily management of the business in the group. The group CEO will be subject to the suitability requirements applicable to the relevant businesses. 2.3 Others to be Assessed for Suitability Under sectoral legislation, there are also suitability requirements for de facto managers. In principle, it will be up to the companies to determine which persons are to be considered de facto managers. The following factors will be of significance among others: • Is there a clearly defined management group? • Which persons are assigned duties as managers according to the risk management regulation? • To whom is reporting made? • What is the person's job description and powers of attorney? • Does the person lead a central part of the business? For securities companies, managers of alternative investment funds, management companies for securities funds, and market operators for regulated markets, Finanstilsynet assumes that all managers of licensed business, such as investment advice, individual and collective portfolio management, etc., are to be considered de facto managers. Managers of other parts of the business, such as analysis and settlement functions, are normally not covered by the suitability provisions. Managers of alternative investment funds must also appoint a de facto manager for the risk management function.

Assessment of Suitability Requirements Finanstilsynet | 5 The manager of custodians for securities funds and alternative investment funds must also be assessed for suitability. In audit companies and accounting companies, the suitability requirements also apply to the person responsible for the company's quality management (quality management responsible person), and to the person the company appoints as responsible for a task (task responsible person). In real estate agency companies and branches of real estate agency companies, only the professional responsible person must be assessed for suitability in addition to the company's managing director. Debt collection companies must have a de facto manager with a debt collection license. If the de facto manager is not the managing director, the de facto manager must also be assessed for suitability. There are suitability requirements for managers of the following branches: • foreign branch of a Norwegian bank, credit institution, insurance company, pension company, payment institution, e-money institution, or reporting agent • domestic and foreign branch of a Norwegian securities company • domestic and foreign branch of a Norwegian management company and manager of alternative investment funds • domestic branch of a real estate agency company 2.4 Agents, Brokers, etc. There are suitability requirements for • agents for payment institutions, e-money institutions, and reporting agents • associated agents for securities companies and management companies • insurance mediators (insurance brokers, insurance agents, and accessory insurance agents) In insurance mediation companies with few employees, Finanstilsynet assumes that all employees, including the managing director, perform insurance mediation services, and therefore must be assessed for suitability. 2.5 Key Functions in Financial Companies In financial companies, all persons in key functions must be assessed for suitability. A function in this context is a task that can be performed by an organizational unit, or by a single person. Persons with key functions include employees with decision-making authority at a high level and persons with control functions. The concept of key functions includes among other things the risk management function, internal audit, actuarial function, and compliance function (compliance with requirements established in or pursuant to law). It is the company itself that must identify the persons covered by the concept of key functions. The company must ensure that these persons continuously meet the suitability requirements. Managers of key functions are covered by the reporting obligation to Finanstilsynet.

Assessment of Suitability Requirements 6 | Finanstilsynet 2.6 Personal Licenses There are suitability requirements for persons with the following personal licenses: • debt collection license • approval as a state-authorized auditor • approval as a state-authorized accountant • real estate agent certificate • lawyer's permit (real estate agency) • broker's permit (real estate agency – under transitional arrangements) 3 Companies' Assessments of Suitability The companies' assessment of an individual's suitability must be concrete with regard to the person having the necessary qualifications for the specific business the company operates, and the function and tasks the person is to perform. The assessment must further be justified regarding the person's conduct and fitness. The assessment must also cover other requirements for fitness that follow from sectoral legislation, for example, requirements related to business limitations. In the assessment of which qualification requirements should be set for a board member's competence, it is also weighed that the board members together meet the competence requirements. The assessment of the board's total competence must be made concrete against the business the company operates, and it must take into account the last evaluation of the board's work. 4 Notification to Finanstilsynet The companies must ensure that notification for the persons who are to be assessed for suitability by Finanstilsynet is sent to Finanstilsynet. The companies must have concluded that the person satisfies the requirements before sending the notification. Banks, insurance companies, securities companies, securities depositories, and market operators for regulated markets must attach their justified assessment that the suitability requirements are met when giving notification of changes in the board's composition and changes in the managing director. For changes in the de facto management and the management of key functions, Finanstilsynet expects these assessments to be available upon request. When the board's composition changes, banks, insurance companies, securities companies, securities depositories, and market operators for regulated markets must also attach the updated assessment of the board's total competence in the notification to Finanstilsynet. Insurance agent companies and accessory insurance agent companies are not required to send notification of suitability assessment. The insurance company with which the agent has entered into a mediation agreement must send confirmation that the conditions for registration are met (Altinn form KRT-1187). Audit companies and accounting companies should only send notification for suitability assessment to

Assessment of Suitability Requirements Finanstilsynet | 7 Finanstilsynet when Finanstilsynet requests it, and the companies' suitability assessments will be followed up in ongoing supervision. 4.1 License Applications Applications from companies An application from a company for permission to conduct licensed business, or to register its business with Finanstilsynet, cannot be granted if the suitability requirements are not met. If Finanstilsynet concludes that a person does not meet the suitability requirements, the company will be made aware of this and given the opportunity to replace this person. Applications for personal licenses If the applicant does not meet the suitability requirements, the application will be rejected. 4.2 Subsequent Changes The company must ensure that the law's requirements for suitability are met at all times. Finanstilsynet will control that the obligations are complied with by the company. Persons with personal licenses must also meet the suitability requirements at all times. In changes to the circle of persons to be assessed for suitability, for example, when persons are replaced, or when the circle to be assessed is expanded, the company must send notification of the change to Finanstilsynet. If a replacement is due to a person no longer meeting the suitability requirements, the notification must contain an explanation of the matter. Based on the notifications, Finanstilsynet conducts a suitability assessment and gives feedback to the company. 4.3 Guidelines and Routines The companies must establish routines for suitability assessments that contribute to ensuring that legal requirements are met. Such routines must among other things clarify • which functions in the company are covered by the suitability requirements, and which are to be reported to Finanstilsynet, • that an ongoing assessment is made of the persons holding these functions, and which situations should trigger a new assessment, • who is responsible for making the assessments, • what information is to be obtained, and • that the assessments can be documented afterwards.

Assessment of Suitability Requirements 8 | Finanstilsynet 4.4 Police Certificate Persons who are to be assessed for suitability must submit a copy of a police certificate. Finanstilsynet may in specific cases make exceptions from the requirement to submit a police certificate in connection with changes in position or office that require a new suitability assessment. When a police certificate is obtained, the purpose must be stated, and the relevant legal provision must be given. The police certificate may not be older than three months when received by Finanstilsynet. The certificate must be in Norwegian, Swedish, Danish, or English, or an authorized translation into English. The Police Register Act has rules for what an ordinary police certificate should contain. Normally, matters that occurred more than ten years ago are not shown. Certain matters, such as fines, are not shown if they occurred more than two years ago. For board members and managing/professional management in real estate agency companies or debt collection companies, or for personal permits related to such business, the above time limitation does not apply. Which criminal offenses should be shown in the police certificates for these persons follows from the Real Estate Agency Regulation § 2-7 and the Debt Collection Act § 5 sixth paragraph. For accessory insurance agent companies, submission of a police certificate applies only to the managing director and other persons in the de facto management who are responsible for the accessory insurance mediation business. For persons from countries where no police certificate is issued, an extract from the criminal register or similar document, a declaration from the relevant public authority or notary in the home country must be obtained. 5 Requirements for Experience and Professional Qualifications The requirement for experience and professional qualifications must be assessed concretely against the role the person is to have and the business the company operates. The same applies to requirements for the board's total competence, see section 5.1. For providers of business services and providers of exchange or safekeeping services of virtual currency, there are no special requirements for experience. 5.1 Board Members In the assessment of which requirements should be set for each board member's competence, it will be weighed that the board members together meet the competence requirements. It is not required that all board members possess specialized knowledge about all parts of the company's business. Limitations on the number of board positions The assessment of board members' suitability will also include an assessment of the person's capacity.

Assessment of Suitability Requirements Finanstilsynet | 9 For members of the board or management in financial companies (which for more than twelve months have had a total managed capital of over 200 billion NOK), securities companies, and market operators for regulated markets that are to be considered significant based on size and the nature, scope, and complexity of the business, it is not permitted to have more than one position as managing director combined with two board positions, or alternatively four board positions in commercial companies, cf. the Financial Companies Regulation § 9-2 and the Securities Trading Act § 9-10. Securities companies, management companies for securities funds, managers of alternative investment funds, and custodians In these companies, at least one board member must be external. By external is meant that the person in principle has no connection to the company in the form of being employed or an owner. The external member may also not have such connection to other companies in the same group as the company. The external board member must satisfy the law's requirements for qualifications and professional experience, possibly together with other external board members. It is not sufficient that the board's experience in the securities area is maintained by board members who are either employees of the company or owners. Securities Depository In securities depositories, at least one-third of the board members, but no fewer than two, must be independent. By independent is meant that the person in principle has no connection to the company in the form of being employed or an owner. The person must also not have business connections or other circumstances that mean the person may have a conflict of interest with the company. Credit Institution with Permission to Provide Investment Services In these companies, at least one of the board members must have qualifications and experience from the securities market. Real Estate Agency Companies In these companies, at least one board member must have the qualifications required to be the responsible broker or real estate agent assistant. 5.2 Company Management Securities companies, managers of alternative investment funds, and management companies for securities funds The de facto manager in these companies must normally have relevant work experience from the business area the person is to lead. The experience should have been acquired in two of the last five years. Persons who are to be leaders for the areas of individual or collective portfolio management must in principle have operational experience from one of these areas within two of the last five years. Particularly relevant education can compensate somewhat for any lack of operational experience, but will not be sufficient alone. The same requirement applies to de facto managers of investment service business in credit institutions with permission to provide investment services. The requirements set for the managing director depend on whether the company has de facto manager(s) in addition. If the managing director's role involves an administrative management position and the company has other persons who are de facto managers for the various licensed services, fewer requirements are set for the managing director's qualifications and professional experience within the securities area.

Assessment of Suitability Requirements 10 | Finanstilsynet Insurance Mediation The management in such companies must have general knowledge about the business. This also includes knowledge of the framework legislation, including requirements for risk management and internal control. The management in smaller companies must meet the qualification requirements that apply to insurance brokers or insurance agents, see section 5.3. Real Estate Agency Companies Professional responsible persons in real estate agency companies must either have a real estate agent certificate, a lawyer's license, or a special lawyer's permit. Debt Collection Business The de facto manager of debt collection business must have a personal debt collection license. To obtain the license, the person must prove to have at least three years of practical experience with the collection of monetary claims within the last ten years. 5.3 Insurance Mediators, etc. Insurance brokers and insurance agents are in principle considered to meet the requirement for necessary knowledge and competence when the mediator is authorized as an insurance broker or insurance advisor, or has relevant experience from one to five years, depending on the degree of education. Acquired practice must not have ended more than five years before the application for permission is submitted or insurance agent business is registered. An accessory insurance agent is in principle considered to have necessary knowledge and competence when the person has completed satisfactory training approved by the insurance company the agent is affiliated with. The requirement for necessary knowledge and competence means that in any case, a concrete assessment of qualifications against which insurance products are mediated and the individual's work tasks must be made. When the mediation includes advice on risky underlying investments in life insurance with open investment choice, the mediators must have knowledge that enables them to control that the information from issuers and fund managers about expected risk and return is correct and complete, and to make quantitative calculations of how a proposed investment affects risk and return in the total portfolio. 5.4 Personal Licenses Qualification requirements for personal licenses in the real estate agency area are regulated in the Real Estate Agency Act and Chapter 4 of the Real Estate Agency Regulation. Requirements for education and practice for approval as a state-authorized auditor are regulated in the Auditor Act §§ 3-2 and 3-3. Requirements for education and practice for approval as a state-authorized accountant follow from the Accountant Act §§ 3-1 and 3-2. Requirements for practice for personal debt collection license are established in the Debt Collection Act § 5.

Assessment of Suitability Requirements Finanstilsynet | 11 6 Good Conduct Requirements, etc. The decision of whether the good conduct requirement is met will be based on a concrete, overall assessment. 6.1 Criminal Offenses Convictions and fines for criminal offenses are assessed based on the nature of the matter. Generally, criminal offenses related to financial matters and document forgery will be of greater significance than other matters. A person who is subject to bankruptcy quarantine will not be considered suitable. It may also have significance for a suitability assessment if the person has been subject to bankruptcy quarantine, under bankruptcy proceedings, or has held a central position in a company that has been under bankruptcy proceedings. Violations of road traffic legislation are not given weight. Finanstilsynet is generally reluctant to weigh matters that have not been finally assessed by the courts, or where the case has been concluded without a condemning judgment or accepted fine. If an indictment, prosecution, or non-prosecution has been issued, it may however be conceivable that situations where the matter underlying the indictment, etc. must be weighed. This applies especially in suspicion of violation of the regulations Finanstilsynet administers. If a company is fined or given a fine, it may have significance in the suitability assessment of persons in the company's management. 6.2 Penalty Fees and Supervisory Measures Administrative fees imposed for violations of provisions within Finanstilsynet's area of administration will have significance for the suitability assessment. Attention will be paid to the specific act that triggered the fee, and the relevant person's role in the violation. Blameworthy behavior in connection with business within the financial sector is also weighed. For example, a person who has led a business within Finanstilsynet's area of responsibility, and who has had their license withdrawn, will normally not be considered suitable. The same applies to persons who have had their personal license revoked. However, there will always be a concrete assessment of the extent to which the person can be blamed. Finanstilsynet will take into account matters revealed through supervisory work, regardless of whether it has resulted in withdrawal of a license. If it is clear that a person does not have