Regulation on Credit Institution Risk Management (KI-RMV)

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. Regulation of the Financial Market Authority (FMA) on the proper capture, management, monitoring and limitation of the types of risk specified in Article 39 para. 2b BWG (KI-RMV; Kreditinstitute-Risikomanagementverordnung) KI-RMV; Regulation on Credit Institution Risk Management Consolidated version including amendments up to and including Federal Law Gazette II No. 316/2024 Based on Article 39 para. 4 of the Banking Act (BWG; Bankwesengesetz), Federal Law Gazette No. 532/1993, last amended by the federal act in Federal Law Gazette I No.112/2024, the following shall be determined by regulation with the consent of the Federal Minister of Finance: Version: 17.01.2025

KI-RMV; Regulation on Credit Institution Risk Management . 2 / 9 SECTION 1 GENERAL PROVISIONS PURPOSE Article 1. This Regulation shall serve to transpose Directive 2013/36/EU into Austrian law. It defines the minimum requirements for the purpose of properly capturing, managing, monitoring and limiting the types of risk specified in Article 39 para. 2b BWG. SCOPE OF APPLICATION Article 2. (1) This Regulation shall be applied to credit institutions as specified in Article 1 para. 1 BWG inasmuch as these have not been exempted from compliance with Article 39 para. 4 BWG on an individual basis pursuant to Article 3 BWG or Article 30a para. 6 BWG in conjunction with Article 10 of Regulation (EU) No 575/2013 or pursuant to Article 10 para. 6 of the Investment Fund Act 2011 (InvFG 2011; Investmentfondsgesetz 2011) or provided they do not conduct corporate provision fund business pursuant to Article 1 para. 1 no. 21 BWG. (2) Groups of credit institutions as specified in Article 30 BWG, institutional protection schemes as referred to in Article 113(7) of Regulation (EU) No 575/2013, as well as the central body of an affiliation of credit institutions pursuant to Article 30a BWG shall comply with the requirements of this Regulation on a consolidated basis. (3) Article 12 (liquidity risk) shall apply equally to the central institution of a liquidity association as specified in Article 27a BWG. In this context, central institutions shall include any and all risks resulting from the joint cash-clearing operation system in their liquidity risk management. (4) (repealed in Amendment published in Federal Law Gazette II no. 431/2021) GENERAL PRINCIPLES REGARDING RISK MANAGEMENT Article 3. (1) Credit institutions shall take into account the minimum requirements defined in Section 2 (Provisions on single types of risk) for the capture, assessment, management, monitoring and limitation of risks arising from banking transactions and banking operations pursuant to Article 39 para. 2 BWG in an appropriate manner. To this end, credit institutions shall consider the nature, scope and complexity of the banking transactions conducted, as well as the current European practices such as in particular guidelines and recommendations of the European Supervisory Authorities (ESAs) and recommendations and warnings issued by the European Systemic Risk Board (ESRB). (2) Credit institutions must have in place transparent segregations of duties and responsibilities within their organisational structure with a view to preventing conflicts of interest or competence. (3) Credit institutions must have in place coherent risk strategies and systems of limits that are documented in writing and clearly derived from the credit institution’s overall business strategy.

KI-RMV; Regulation on Credit Institution Risk Management . 3 / 9 (4) The procedures for capturing, assessing, managing and monitoring risks arising from banking transactions and banking operations shall be evaluated and updated on a regular basis. In particular when capturing the risks, credit institutions shall ensure that the data used is consistent and valid. (5) Credit institutions must have in place internal processes that are effective, transparent and designed in a comprehensible manner. (6) Credit institutions shall document any measures taken within the scope of the procedures for capturing, assessing, managing and monitoring risks arising from banking transactions and banking operations in an appropriate and comprehensible manner. (7) The procedures for capturing, assessing, managing and monitoring risks arising from banking transactions and banking operations shall also cover the specific risk emanating from the respective individual business model. In this context, any impact resulting from diversification strategies shall also be considered. The risks emanating from the individual business model shall be documented in an appropriate and comprehensible manner. (8) Credit institutions shall consider the results of internal stress tests when capturing, assessing, managing and monitoring risks arising from banking transactions and banking operations. DEFINITION OF TERMS Article 4. The following definitions shall apply to this Regulation:

1. Credit risk: the risk of partial or complete default in relation to contractually agreed payments;
2. Counterparty credit risk: counterparty credit risk (CCR) as referred to in point 1 of Article 272 of Regulation (EU) No 575/2013;
3. Credit risk mitigation: credit risk mitigation as referred to in Article 4(1)(57) of Regulation (EU) No 575/2013;
4. Residual risk from credit risk mitigation techniques: the risk that the implemented credit risk mitigation techniques, recognised for banking supervision purposes, are less effective than expected;
5. Concentration risk: the risk of potentially adverse effects that might result from concentrations or interactions of similar or different risk factors or risk types, such as for example the risk arising from loans to the same client, the same group of connected clients, or to clients from the same region or industry or clients with the same services and commodities, the risk arising from the use of credit risk mitigation techniques and the particular risk arising from indirect large exposures;
6. Securitisation: securitisation as referred to in Article 4(1)(61) of Regulation (EU) No 575/2013;
7. Securitisation risk: the risk resulting from securitisation transactions in which the credit institution acts as investor, originator or sponsor; this also covers reputational risks that arise in the case of complex structures or products;
8. Market risk: a. the specific and general position risk in interest-rate instruments, b. the specific and general position risk in net asset values,

KI-RMV; Regulation on Credit Institution Risk Management . 4 / 9 c. the risk arising from stock-index futures, d. the risk arising from units in investment funds, e. the other risks associated with options, f. the commodities risk, and g. the risk arising from foreign exchange positions and gold positions; 9. (repealed in Amendment published in Federal Law Gazette II no. 431/2021) 10. Operational risk: the operational risk as referred to in Article 4(1)(52) of Regulation (EU) No 575/2013; 11. Leverage: leverage as referred to in Article 4(1)(93) of Regulation (EU) No 575/2013; 12. Risk of excessive leverage: the risk of excessive leverage as referred to in Article 4(1)(94) of Regulation (EU) No 575/2013. SECTION 2 PROVISIONS ON SINGLE TYPES OF RISK CREDIT AND COUNTERPARTY RISK Article 5. (1) Credit institutions shall ensure that credit-granting is based on sound and well-defined criteria. The procedures for approving, amending, renewing and refinancing credits shall be comprehensible and documented in writing. (2) Credit institutions must have in place internal methodologies that enable them to assess the credit risk of exposures to individual obligors, securities or securitisation positions and credit risk both at the portfolio level and the level of groups of connected clients. In particular, internal methodologies shall not rely solely or mechanistically on external credit ratings. Where own funds requirements are based on a rating by an External Credit Assessment Institution (ECAI) or on the fact that no rating exists for a risk position, this shall not exempt credit institutions from the obligation to additionally consider other relevant information for assessing their allocation of internal capital. (3) Credit institutions shall implement effective systems:

1. for the ongoing administration and monitoring of the various credit risk-bearing portfolios and exposures;
2. for identifying and managing problem credits;
3. for making adequate value adjustments and provisions. (4) Credit institutions shall diversify their credit portfolios in an appropriate manner, taking account of their overall credit strategy and particularly their target markets.

KI-RMV; Regulation on Credit Institution Risk Management . 5 / 9 RESIDUAL RISK FROM CREDIT RISK MITIGATION TECHNIQUES Article 6. Credit institutions shall address and control the risk that the recognised credit risk mitigation techniques used might prove less effective than expected by means of written policies and procedures. CONCENTRATION RISK Article 7. Credit institutions shall by means of written policies and procedures address and control the following concentration risks in particular:

1. the concentration risk arising from exposures to each counterparty, including central counterparties and groups of connected counterparties;
2. the concentration risk arising from exposures to counterparties that belong to the same economic sector or geographic region or that pursue the same activity or sell the same commodity;
3. the concentration risk arising from the application of credit risk mitigation techniques;
4. the concentration risk arising from large indirect credit exposures;
5. the concentration risk associated with the investment of assets, from funding sources and maturities concentration; and
6. the concentration risk arising from risk factor correlations. SECURITISATION RISK Article 8. (1) Credit institutions shall address and control the securitisation risk by means of appropriate policies and procedures. Credit institutions shall ensure that the economic substance of the securitisation is fully reflected in the risk assessment and management decisions. (2) Credit institutions that are originators of revolving securitisation transactions involving early amortisation provisions must have in place liquidity plans that address the implications of both scheduled and early amortisation. MARKET RISK Article 9. (1) Credit institutions must have in place policies and processes for the identification, measurement and management of all material sources and effects of market risks. (2) Where the short position falls due before the long position, credit institutions shall provide for measures against the risk of a shortage of liquidity. (3) Credit institutions shall ensure that the internal capital shall be adequate for material market risks that are not subject to an own funds requirement. (4) Credit institutions, which have, in calculating own funds requirements for position risk in accordance with Part Three, Title IV, Chapter 2 of Regulation (EU) No 575/2013, netted off their positions in one or more of the equities constituting a stock-index against one or more positions in the stock-index future or other stock-index product shall have adequate internal capital to cover the basis risk of loss caused by the future’s or other product’s value not moving fully in line with that of

KI-RMV; Regulation on Credit Institution Risk Management . 6 / 9 its constituent equities. Credit institutions shall also have adequate internal capital where they hold opposite positions in stock-index futures which are not identical in respect of either their maturity or their composition. (5) Credit institutions that use the treatment in Article 345 of Regulation (EU) No 575/2013 shall ensure that they hold sufficient internal capital against the risk of loss which exists between the time of the initial commitment and the following working day. Article 10. (repealed in Amendment published in Federal Law Gazette II no. 431/2021) OPERATIONAL RISK Article 11. (1) Credit institutions shall evaluate and manage the exposure to operational risk, including model risk and risk associated with outsourcing, and cover low-frequency high-severity events by means of suitable policies and procedures. Credit institutions shall stipulate in writing what constitutes operational risk for the purposes of those policies and procedures. Substantial claims shall be analysed with regard to their cause and the results documented. (2) Credit institutions must have appropriate contingency and business continuity policies and plans in place, including ICT business continuity policies and plans and ICT response and recovery plans pursuant to Article 11 of Regulation (EU) 2022/2554 in relation to the technology that they use for the transmission of information, and must ensure that they plans and policies pursuant to Article 11 of Regulation (EU) 2022/2554 are established, managed and tested, so that in the event of a serious interruption of operations that institutions are able to remain operational, and for being able to limit losses as a result of such an interruption. LIQUIDITY RISK Article 12. (1) Credit institutions must have in place suitable strategies, policies, processes and systems for the identification, measurement, management, monitoring and limitation of liquidity risk over an appropriate set of time horizons, including intra-day, so as to ensure that they maintain adequate levels of liquidity buffers. These strategies, policies, processes and systems shall be tailored to business lines, currencies, branches and legal entities. (2) The strategies, policies, processes and systems referred to in para. 1 shall include adequate allocation mechanisms of liquidity costs, benefits and risks. (3) The strategies, policies, processes and systems referred to in para. 1 shall be proportionate to the complexity, risk profile and scope of operation of the institution, adequately correspond to the risk tolerance set by the management body, and reflect the credit institution’s importance in each Member State in which it carries out business. The management body shall brief all of the institution’s relevant business lines on the risk tolerance. (4) Credit institutions shall continually ensure, taking into account the nature, scope and complexity of their activities, that their liquidity risk profiles are appropriate and that their respective risk profile

KI-RMV; Regulation on Credit Institution Risk Management . 7 / 9 is as required for a well-functioning and robust financial system without exceeding what is required and thereby generating inappropriate systemic risks (Article 2 no. 41 BWG). (5) Credit institutions must have in place methodologies for the identification, measurement, management and monitoring of funding positions. These methodologies shall include the current and projected material cash-flows in and arising from assets, liabilities, off-balance-sheet items, including contingent liabilities and the possible impact of reputational risk. (6) Credit institutions shall distinguish between pledged and unencumbered assets that are available at all times, in particular during emergency situations. Credit institutions shall consider any risks arising from asset encumbrance and establish processes that reflect in particular the extent, development and type of encumbrance. Credit institutions shall take into account the legal entity in which assets reside and the country where assets are legally recorded either in a register or in an account, as well as assets’ eligibility. Credit institutions shall monitor how these assets can be mobilised in a timely manner. (7) Credit institutions shall have regard to existing legal, regulatory and operational limitations to potential transfers of liquidity and unencumbered assets amongst units or legal entities, both within and outside the EEA. (8) Credit institutions shall make various arrangements to mitigate liquidity risk, including a system of limits and liquidity buffers in order to be able to withstand a range of different stress events. They must make arrangements to ensure an adequately diversified funding structure and access to funding sources. These arrangements shall be reviewed regularly. (9) Credit institutions shall set up stress tests for liquidity positions and risk mitigants. These stress tests shall also include off-balance sheet items and other contingent liabilities, including those of Securitisation Special Purpose Entities (SSPEs) and other special purpose entities (SPEs) in relation to which the credit institution acts as sponsor or provides material liquidity support. The assumptions underlying decisions concerning the funding position shall be reviewed regularly, at least annually. (10) Credit institutions shall consider the potential impact of institution-specific, market-wide and combined stress tests. Different time horizons and varying degrees of stress conditions shall be considered. (11) Credit institutions shall, if necessary, adjust their strategies, internal policies and limit systems for liquidity risk, based on the results of the stress tests referred to in para. 9. (12) Credit institutions shall develop effective contingency plans which take into account the results of the stress tests referred to in para. 9. The contingency plans shall include specific implementation measures in order to address possible liquidity shortfalls, including in relation to branches established in another Member State, in the event of a liquidity crisis. The plans shall include quantitative assessments with regard to the inflows and outflows of liquid funds to be expected in a stress event. These plans shall be reviewed regularly, at least annually, and also adjusted, if necessary, on the basis of the results of the stress tests referred to in para. 9. Credit institutions shall implement and test the necessary operational steps in a precautionary manner to ensure that their

KI-RMV; Regulation on Credit Institution Risk Management . 8 / 9 contingency plans can be implemented immediately in the event of a crisis. The management body shall be briefed on the review of the plans and on any updates. The management body shall approve the contingency plans, any updates and any related adjustments to the internal policies and procedures. RISK OF EXCESSIVE LEVERAGE Article 13. (1) Credit institutions shall have policies and processes in place for the identification, management and monitoring of the risk of excessive leverage. (2) Indicators for the risk of excessive leverage shall at any rate be the leverage ratio determined in accordance with Article 429 of Regulation (EU) No 575/2013 and mismatches between assets and obligations. Credit institutions shall be able to withstand a range of different stress events with respect to the risk of excessive leverage. (3) Credit institutions shall address the risk of excessive leverage in a precautionary manner by taking due account of potential increases in the risk of excessive leverage caused by reductions of the institution’s own funds through expected or realised losses, depending on the applicable accounting rules. REFERENCES Article 14. References made in this Regulation to the following Federal Acts or legal acts of the European Union relate, unless specified otherwise, refer to the following versions of those acts:

1. Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, OJ L 176, 27.06.2013, p. 338, in the version of the Directive (EU) 2024/1619, OJ L 2024/1619, 19.06.2024;
2. The Austrian Banking Act (BWG; Bankwesengesetz), published in Federal Law Gazette No. 532/1993, in the version of the Federal Act amended in Federal Law Gazette I No. 112/2024;
3. Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012, OJ L 176, 27.6.2013, p. 1, as amended by the Regulation (EU) 2024/1623, OJ L 2024/1623, 19.06.2024;
4. The Investment Funds Act 2011 (InvFG 2011; Investmentfondsgesetz 2011), published in Federal Law Gazette I no. 77/2011, in the version of the Federal Act amended in Federal Law Gazette I No. 113/2024;
5. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No. 909/2014 and (EU) 2016/1011, OJ L 333, 27.12.2022, p. 1, in its original version.

KI-RMV; Regulation on Credit Institution Risk Management . 9 / 9 SECTION 3 FINAL PROVISIONS ENTRY INTO FORCE Article 15. (1) This Regulation shall enter into force on 1 January 2014. (2) Article 2 para. 1, Article 3 para. 1, Article 5 paras. 1 and 2, Article 6, Article 10, Article 12 para. 1 and Article 14 para. 1 as amended by Federal Law Gazette II No. 235/2014 shall enter into force on 1 October 2014. (3) Article 1, Article 2 para. 1, Article 4 no. 2, Article 11 para. 1 first sentence and Article 14 including heading in the version of the Regulation amended in Federal Law Gazette II No. 431/2021 shall enter into force on the day after publication. Article 2 para. 4, Article 4 no. 9 and Article 10 including heading shall be repealed upon expiry of the day of publication of the amendment of the Regulation in Federal Law Gazette II No. 431/2021. (4) Article 2 para. 1, Article 11 para. 2 and Article 14 in the version amended by Federal Law Gazette II No. 316/2024 shall enter into force on 17 January 2025.