Decree of NBS No 4/2015 on Risk Management and Market Interest Rates

1 of 15 4 Decree of Národná banka Slovenska of 31 March 2015 on additional types of risk, on details of the risk management function of banks and branches of foreign banks and on the definition of a sudden and unexpected change in market interest rates In accordance with Article 27(14)(a) and (d) and Article 33(3) of Act No 483/2001 on banks and on amendments to certain laws, as amended (hereinafter “the Act”), Národná banka Slovenska stipulates as follows: Article 1 For the purposes of this Decree, the following definitions shall apply: (a) 'competent department' means an organisational unit of a bank or a foreign bank branch (each hereinafter referred to as a “bank”), a risk management committee or audit committee pursuant to Article 27(3) of the Act, or a bank’s staff member performing duties within the risk management process; (b) 'relevant staff member' means a bank’s staff member whose activity has, or may have, a specific impact on the bank’s risk exposure, or who participates in the risk management process; (c) 'risk identification' means the identification of factors affecting potential losses related to a bank’s transactions, activities, processes or systems; (d) 'risk measurement' means the calculation or estimation of a risk value using the selected technique and procedure, including, as a rule, stress testing and back-testing; (e) 'risk monitoring' means the comparing of measured risk values with values set by the bank, typically in the form of limits, and continuous monitoring of compliance with set limits; (f) 'risk mitigation' means those transactions or activities of a bank that reduce the amount of its risk exposure; (g) 'back-testing' means the process of comparing risk values measured by the bank with actual losses resulting from this risk; (h) 'stress testing' mean the process of identifying extreme but plausible events that could have a particularly adverse impact on the financial health of banks, and the appropriate quantification of this impact; stress testing generally includes the designing of stress scenarios and the evaluation of their impact on costs and on income or profit; (i) 'main currency' means the currency in which the bank has balance sheet positions of significant volume or off-balance sheet trading positions; (j) 'residual risk' means the risk that recognised credit risk mitigation techniques used by a bank are less effective than expected; (k) 'concentration risk' means the risk arising from the concentration of a bank’s transactions with a person, a group of closely linked entities, a sovereign, or counterparties from a particular geographical area or economic sector, or the risk arising from credit risk mitigation techniques; (l) 'securitisation risk' means the risk arising from securitisation transactions in relation to which a bank is investor, originator or sponsor;1 (m) 'asset encumbrance risk' means the risk arising from heightened asset encumbrance resulting from the pledging of assets as collateral in a bank’s funding operations, as well as the risk

1 Article 4(1) points 13 and 14 of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.06.2013), as amended.

2 of 15 related to other types of transactions requiring the provision of collateral, including the risk related to collateral management; (n) 'business line' means a group of a bank’s activities that are similar in terms of the nature and character of the transactions undertaken. Article 2 (1) The risk management function shall include: (a) making essential preparations for risk management, in particular:

1. developing a risk management strategy in accordance with Article 4;
2. ensuring the organisation of risk management in accordance with Article 5, in such a way that is proportionate to the scale and complexity of the bank’s activities and allows implementation of the approved risk management strategy;
3. establishing an information system in accordance with Article 7;
4. establishing an appropriate system for the execution of transactions and producing internal regulations in accordance with Article 8;
5. establishing a system for the implementation of new types of transactions in accordance with Article 9; (b) identifying, measuring, monitoring and mitigating risks, in particular the specification of:
6. risk identification techniques;
7. risk measurement techniques which are proportionate to the scale and complexity of the bank’s activities;
8. techniques for setting limits and monitoring risks;
9. transactions, activities and procedures for risk mitigation; (c) establishing an appropriate internal control system in accordance with Article 10; (d) establishing an internal capital adequacy assessment process in accordance with Article 27(7) of the Act. (2) The liquidity risk management function shall be governed by a separate regulation.2 (3) Foreign bank branches shall not be subject to the provisions of paragraph 1 provided that the respective foreign banks demonstrate compliance with them. Article 3 (1) A sudden and unexpected change in market interest rates shall mean an upward or downward shift in the yield curve of at least 200 basis points. (2) A yield curve shall mean a chart showing yields to maturity of financial instruments on the respective transaction date, as a function of the residual maturity, and providing information on the maturity structure of interest rates.

2. Decree No 18/2008 of Národná banka Slovenska on the liquidity of banks and branches of foreign banks and the liquidity risk management process of banks and branches of foreign banks and on the amendment of Decree No 11/2007 of Národná banka Slovenska on the submission of statements, reports and other disclosures by banks, branches of foreign banks, investment firms, and branches of foreign investment firms for supervision and statistical purposes (Notification no 423/2008 Coll.), as amended.

3 of 15 Article 4 (1) A bank’s risk management strategy shall mean a document or set of documents, approved and reviewed by the bank’s statutory body, which sets out the main objectives and principles that the bank follows in the process of risk management; it shall specify in particular: (a) the detailed risk definitions used by the bank; (b) the bank’s long-term objectives in regard to risk exposure, including:

1. the acceptable level of risk;
2. the expected consequences resulting from exposure to the acceptable level of risk; (c) the principles used to select techniques for identifying, measuring, monitoring and mitigating risks in all the bank’s material types of transactions, activities, processes and systems; (d) types of limits that the bank will use for credit risk management and the principles for selecting and setting additional limits; (e) the amount of internal capital allocated to risk coverage and principles for determining the appropriate amount of internal capital; (f) principles for conducting new types of transaction; (g) principles for the organisation of risk management. (2) A bank’s credit risk management strategy shall specify in particular: (a) the bank’s objectives in regard to credit risk management; (b) the acceptable level of credit risk; (c) the acceptable level of risk concentration; (d) the acceptable risk exposure to persons mentioned in Article 35(4) and (5) of the Act; (e) the types of transactions and activities that expose the bank to credit risk; (f) the bank’s objectives in regard to lending, including:
3. the types of loans that the bank intends to provide;
4. the bank’s main criteria for lending;
5. target economic sectors, geographical areas and groups of clients;
6. expectations for loan quality;
7. expectations for loan volumes;
8. expectations for income on loans and the acceptable level of risk vis-à-vis loan income; (g) techniques for measuring, monitoring and mitigating credit risk; (h) types of limits that the bank will use in credit risk management and principles for selecting and setting additional limits; (i) the division of responsibilities within credit risk management. (3) A bank’s market risk management strategy shall specify in particular: (a) the bank’s objectives in regard to market risk management; (b) the acceptable level of market risk and the main components of market risk; (c) types of transactions and activities that expose the bank to market risk; (d) techniques for measuring, monitoring and mitigating market risk; (e) principles and techniques for the valuation of trading positions; (f) types of limits that the bank will use in market risk management and principles for selecting and setting additional limits; (g) the division of responsibilities within market risk management; (h) rules for assigning trading positions to the trading book and the banking book, including a list of trading book transactions that the bank treats as standard trading positions. (4) A bank’s operational risk management strategy shall specify in particular: (a) the bank’s objectives in regard to operational risk management; (b) the principles for determining and classifying operational risk events in accordance with the definition of operational risk;

4 of 15 (c) material sources of operational risk to which the bank is exposed; (d) techniques for identifying, estimating, monitoring and mitigating operational risk; (e) the division of responsibilities within operational risk management. Article 5 (1) The organisation of risk management shall entail in particular: (a) ensuring implementation of the risk management strategy; (b) establishing an organisational structure that enables implementation of the approved risk management strategy; (c) involving relevant staff members and competent departments in the risk management process; (d) ensuring that the activities and responsibilities of the competent departments are separated at both the organisational and personnel level, in order as far as possible to prevent conflicts of interest, and in particular that commercial activities are separated from settlement-related activities and from risk management activities concerning specific risks (especially credit risk and market risk); (e) ensuring sufficient resources, in particular financial resources, for the implementation of the approved risk management strategy, sufficient numbers of qualified staff members, and cover for these staff members; (f) ensuring consistency between the incentivisation of staff members, remuneration of staff members, and the risk management strategy; (g) establishing appropriate information flows in accordance with Article 6; (h) establishing, reviewing and periodically testing the risk management procedure for information system failure; (i) keeping relevant staff members appropriately informed about the bank’s approved risk management strategy. (2) The separation of commercial activities from risk management activities under paragraph 1(d) shall be implemented up to the highest management level. (3) For the purposes of separating activities at the organisational and personnel levels, 'commercial activities' shall mean transactions and activities that expose the bank to risk. (4) For the purposes of credit risk management, activities in relation to: (a) settlements shall be performed separately within the bank and shall include in particular:

1. checking the elements of executed transactions;
2. checking compliance with the terms for drawing funds;
3. receiving loans or ensuring the financial settlement of transactions other than loans;
4. producing accounting documents and recording transactions;
5. drafting and keeping contractual documentation;
6. monitoring compliance with contractual terms; (b) credit risk management shall be performed separately within the bank and shall include in particular:
7. approving limits for transactions that expose the bank to credit risk, and checking compliance with these limits;
8. evaluating the financial position of the client or other counterparty;
9. approving credit risk management techniques and procedures;
10. classifying and valuing assets, liabilities and collateral;
11. proposing how to provision for identified credit risk and estimated losses;
12. recovering outstanding claims;
13. identifying, measuring, monitoring and mitigating credit risk;

5 of 15 8. processing and providing information on credit risk as required by the management and for decision-making. (5) For the purposes of managing market risk arising from trading in money market instruments and capital market instruments, activities in relation to: (a) settlements shall be performed separately within the bank and shall include in particular:

1. checking the elements of executed transactions;
2. sending and receiving confirmations of executed transactions;
3. ensuring the financial and securities settlement of transactions;
4. producing accounting documents and recording transactions; (b) market risk management shall be performed separately within the bank and shall include in particular:
5. approving limits for transactions that expose the bank to credit risk, and checking compliance with these limits;
6. approving market risk management techniques and procedures;
7. approving techniques, procedures and models for valuing trading positions that involve market risk;
8. valuing trading positions that involve market risk;
9. identifying, measuring, monitoring and mitigating market risk;
10. processing and providing information on market risk as required by the management and for decision-making.

(6) For the purposes of operational risk management, the performance of internal control and internal audit activities within the bank shall be separate from operational risk management activities and shall include in particular: (a) approving operational risk management techniques and procedures; (b) identifying, estimating and monitoring operational risk; (c) classifying operational risk events; (d) taking measures to mitigate operational risk; (e) processing and providing information on operational risk as required by the management and for decision-making. Article 6 Appropriate information flows for risk management shall entail in particular: (a) the provision of regular and ad hoc information to the statutory body and competent departments on the level of the bank’s risk exposure – the information being of such periodicity, currency and granularity that allows efficient management of risks that significantly affect the financial health of the bank – in order in particular that:

1. risk levels and trends may be assessed;
2. risks and expected returns may be compared;
3. the compliance of risk levels with set limits may be verified;
4. the bank’s financial capacity to cover the risk exposure in accordance with the approved strategy may be assessed;
5. the validity, appropriateness and fulfilment of assumptions used in risk measurement may be assessed;
6. the outcomes of stress testing and back-testing may be assessed; (b) ensuring that all the bank’s relevant staff members have access to current and reliable information required for the risk management; (c) ensuring communication between the bank’s relevant staff members and competent departments;

6 of 15 (d) the statutory body periodically evaluating information on risk levels and subsequently informing relevant staff members and competent departments of changes in the risk management process. Article 7 (1) For the purposes of risk management, banks shall establish an information system proportionate to the scale and complexity of their activities; it shall enable in particular: (a) at different levels of aggregation:

1. information on risk to be collected;
2. different risks or risk groups to be measured;
3. actual risk levels to be compared with set limits;
4. actual risk levels to be checked for consistency with expected risk levels; (b) trading positions to be correctly valued; (c) appropriate flows of risk management-related information to be provided to the bank’s relevant staff members. (2) 'Different levels of aggregation' shall mean the amalgamation of data according to selected criteria, in particular risk type, geographical area, currency, organisational unit, portfolio, transaction type, and counterparty. Article 8 (1) For the purposes of risk management, banks shall have in place an appropriate system for executing transactions and performing activities in line with the approved risk management strategy and with the adopted techniques for identifying, measuring, monitoring and mitigating risks. (2) The system for executing transactions and performing activities and the procedure for identifying, measuring, monitoring and mitigating risks shall form part of the bank’s internal regulations under Article 27(2) of the Act and be in accordance with the approved risk management strategy. Article 9 For the purposes of risk management, banks shall establish a procedure for approving new types of transaction and incorporating them into their risk management function; this shall include in particular: (a) a description of the new type of transaction and of the activities related to it; (b) identification of the transaction’s risk factors; (c) an analysis of the impacts of the transaction on the bank; (d) the implementation of procedures to be used for the measuring, monitoring and audit of risks related to the transaction; (e) an evaluation of each competent department’s preparedness for the implementation of the transaction; (f) the inclusion of the transaction in the information system. Article 10 (1) An appropriate internal control system for risk management shall entail in particular: (a) the establishment of an audit environment appropriate for the activities performed in the bank, in particular:

7 of 15

1. control activities and mechanisms performed by the board of directors of the bank or by the senior management of the foreign bank branch;
2. control activities performed by other managerial staff members;
3. control activities performed by other staff members of the bank as part of their duties and responsibilities; (b) the functionality of the risk management function being periodically audited by the bank’s internal control and audit department, and evaluation of the efficiency of the internal control system. (2) Where deficiencies are identified in the area of risk management, the internal control system shall ensure that: (a) the bank’s competent departments and managerial staff members responsible for the management of specific risk types are informed about the deficiencies; (b) appropriate remedial measures are adopted and implemented; (c) necessary adjustments to the risk management function are made promptly. Article 11 (1) For the purposes of credit risk management, an appropriate system for executing transactions shall be established and shall entail in particular: (a) in respect of lending:
4. specifying the countries and currencies, geographical areas, economic sectors, and counterparties deemed eligible for credit transactions;
5. introducing, and ensuring compliance with, rules for approving credit transactions, with particular regard to rules for: 2a. assessing the purpose of the transaction; 2b. assessing the financial position of the client both before the transaction and during the credit relationship; 2c. assessing the economic sector in which the client operates and the client’s position within that sector; 2d. assessing the quality, adequacy and recoverability of the collateral; 2e. assessing the source of repayment; 2f. defining the terms and conditions of the transaction and for repaying the claim resulting from the transaction; 2g. amending the terms and conditions of the transaction after it has been executed; 2h. the client’s submission of documents, according to the type of transaction and type of counterparty; 2i. executing transactions with persons that have a special relationship with the bank, and for identifying such relationships; 2j. executing transactions with closely linked clients, and for identifying such groups;
6. establishing procedures for changing, renewing and refinancing loans; (b) in respect of such trading in money market instruments and capital market instruments, and securitisation positions, that involve credit risk:
7. specifying the types of financial instruments deemed eligible for trading;
8. introducing rules for executing transactions, concerning in particular: 2a. the maximum nominal values of transactions, according to type, which may be executed by relevant staff members, or other restrictions on staff members’ activities related to the conduct of these transactions; 2b. the procedure for amending or cancelling a transaction after it has been executed; 2c. the designation of persons authorised to exempt staff members from the limits and procedures referred to in points 2a and 2b, the specification of the terms under which

8 of 15 these persons may grant such exemptions, and the specification of cases in which a staff member may request such exemption; 3. a requirement that the negotiation and execution of each transaction be documented by a written or audio record; 4. a requirement that records mentioned in point 3 be stored elsewhere than at the organisational unit that executed the transactions, so as to prevent unauthorised handling, while the period of storage shall last at least until the bank's obligations and claims arising under the transaction have expired. (2) For the purposes of credit risk management, the bank’s internal regulations pursuant to Article 27(2) of the Act and in accordance with the approved strategy for credit risk management shall also specify: (a) competences for executing and approving different types of transaction that involve credit risk, for approving limits, and for authorising exemptions from approved limits, as well as the procedure to be followed where limits are exceeded; (b) how cooperation and information flows are to be arranged between organisational units performing business activities, settlement-related activities, and credit risk management activities; (c) the administrative procedure for transactions involving credit risk, and rules for generating resources to cover the identified risk; (d) the minimum scope of the information to be included in dossiers on transactions involving credit risk; (e) the procedure for recovering outstanding claims; (f) the procedure for appraising collateral; (g) requirements for the provision of periodic and detailed information on credit risk to the bank’s statutory body and other relevant staff members; (h) control activities in regard to the execution of transactions and performance of activities which expose the bank to risk. (3) The credit risk measurement system implemented in banks shall be proportionate to the scale and complexity of the bank’s activities and it shall in particular: (a) ensure measurement of credit risk in all transactions and activities in which credit risk is identified; (b) record all transactions in a due and timely manner; (c) enable the identification of all material sources of credit risk in the bank’s assets and liabilities; (d) assess the impact of changes in risk factors on the bank’s costs and income as well as on the value of the bank’s assets and liabilities; (e) enable the measurement of credit risk by the method selected in accordance with the bank’s strategy; (f) enable the measurement of credit risk in specific transactions, groups of closely linked entities, the bank’s different portfolios, economic sectors, geographical areas, and countries and currencies; (g) enable credit risk to be measured in such a way that its values can be compared with the limits set for all commercial departments. (4) When selecting credit risk measurement techniques, the following in particular shall be taken into account: (a) the type of transaction and its terms and conditions; (b) the overall amount of the transaction to be repaid; (c) how and to what extent the transaction is to be secured until repayment; (d) the financial position of the debtor or other counterparty until repayment of the transaction; (e) an external credit rating, if available.

9 of 15 (5) For the purposes of credit risk monitoring, banks shall in particular: (a) set limits and monitor trading positions according to the:

1. type of transaction;
2. counterparty, at the level of each debtor and each loan;
3. group of closely linked entities;
4. economic sector;
5. geographical area and country;
6. currency; (b) ensure that the bank’s internal limits comply with all prudential limits and restrictions; (c) establish a system for continuous monitoring of compliance with set limits; (d) establish rules and procedures to be followed where limits are breached and when authorising exemptions from set limits; (e) provide information on credit risk levels and breaches of limits to the competent departments; (f) designate the bank’s relevant staff members responsible for monitoring the quality and protection of each loan; (g) monitor each transaction within the bank’s overall portfolio so as to enable the identification and notification of any distressed loans or other transactions undertaken by the bank, with particular regard to:
7. information on the current financial situation of the debtor or counterparty;
8. monitoring of the debtor or counterparty’s compliance with their obligations, and any arrears in the contractual repayments;
9. the current valuation of the collateral;
10. timely classification and valuation of distressed loans and other transactions; (h) monitor developments in the overall composition and quality of the bank’s portfolios in proportion to the scale and complexity of the bank’s activities. (6) For the purposes of credit risk mitigation, banks shall in particular: (a) establish rules for the eligibility of different types of collateral and hedges; (b) establish procedures for the periodic valuation of collateral; (c) establish procedures to ensure the current and future recoverability of claims; (d) establish procedures for the identification of risks arising in credit risk mitigation, especially:
11. market risk related to the valuation of collateral;
12. operational risk related to the enforcement of collateral;
13. credit risk related to the guarantor;
14. legal risk related to incorrect or incomplete documentation in respect of the collateral; (e) periodically assess the effectiveness of collateral and hedges and, consequent on the results of such assessment, adjust the use of collateral or hedges; (f) keep relevant staff members regularly informed about the assessment results for the effectiveness of collateral and hedges. Article 12 (1) The establishment of an appropriate system for executing transactions in money market instruments and capital market instruments which involve credit risk shall entail in particular: (a) specifying the types of financial instruments that may be traded; (b) introducing rules for executing transactions, concerning in particular:
15. the maximum nominal values of transactions, according to type, which may be executed by relevant staff members, or other restrictions on staff members’ activities related to the conduct of these transactions;
16. the procedure for amending or cancelling a transaction after it has been executed;

10 of 15 3. the designation of persons authorised to exempt staff members from the limits and procedures referred to in points 1 and 2, the specification of the terms under which these persons may grant such exemptions, and the specification of cases in which a staff member may request such exemption; (c) a requirement that the negotiation and execution of each transaction be documented by a written or audio record; (d) a requirement that records mentioned in point (c) be stored elsewhere than at the organisational unit that executed the transactions, so as to prevent unauthorised handling, while the period of storage shall last at least until the bank's obligations and claims arising under the transaction have expired (2) For the purposes of market risk management, the bank’s internal regulations pursuant to Article 27(2) of the Act and in accordance with the approved strategy for market risk management shall also specify: (a) competences for executing and approving transactions involving market risk; (b) rules for assigning transactions to the banking book and the trading book and the scope of action related to internal transactions recorded in the banking book or trading book; (c) the procedure and competences for the settlement of transactions in financial instruments; (d) the procedure for monitoring prices as part of the execution of a transaction and for comparing transaction prices with market prices; (e) how cooperation and information flows are to be arranged between organisational units performing commercial activities, settlement-related activities, and market risk management activities; (f) the procedure for back-testing and stress testing; (g) how to calculate the risk-weighted exposures used by the bank for market risk, in respect of those market risk components that may be calculated in an alternative way; (h) requirements for the provision of periodic and detailed information on market risk to the bank’s statutory body and other relevant staff members; (i) control activities in regard to the execution of transactions and performance of activities which expose the bank to risk. (3) The market risk measurement system implemented in banks shall be proportionate to the scale and complexity of the bank’s activities, and it shall in particular (a) record all transactions in a due and timely manner; (b) enable the capturing of all material sources of market risk in the bank’s assets and liabilities; (c) assess the impact of changes in market risk factors on the bank’s costs and income as well as on the value of the bank’s assets and liabilities; (d) enable market risk to be measured by the method selected in accordance with the bank’s strategy; (e) enable trading positions to be correctly valued; (f) enable the aggregation of trading positions based on selected criteria, such that the aggregation does not materially distort the level of the bank’s risk exposure; (g) enable the total value of market risk to be measured and to be compared with set limits; (h) enable the assumptions and parameters of market risk measurement to be appropriately documented; (i) enable the measurement of interest rate risk in each main currency; (j) enable identification of the principal sources of interest rate risk, in particular:

1. mismatches between the maturities or revaluations of assets, liabilities and off-balance sheet items;
2. insufficient correlation between interest payments paid and received for various financial instruments with otherwise similar maturities and revaluations;
3. changes related to a shift in the slope or shape of the yield curve;

11 of 15 4. the presence of embedded options in assets, liabilities and off-balance sheet items such that may alter the expected cash flows of financial instruments. (4) For the purposes of market risk measurement, banks shall in particular: (a) perform back-testing on a periodic basis; (b) review techniques and procedures for measuring market risk based on the basis of back-testing outcomes; (c) perform stress testing on a periodic basis; (d) periodically check the validity of stress scenarios in the light of changed conditions in the market or in the bank; (e) perform additional stress testing in response to any exceptional events that could have a specific impact on the bank’s risk exposure; (f) review the limits set for market risk on the basis of stress test outcomes; (g) keep relevant staff members informed about the outcomes of stress-testing and back testing. (5) For the purposes of market risk monitoring, banks shall in particular: (a) set limits on market risk exposure and on the components of market risk, and they may, according to the scale of their activities, set additional limits, in particular for different portfolios, types of transaction or internal organisational units; (b) ensure that the bank’s internal limits comply with all prudential limits and restrictions; (c) monitor trading positions that expose the bank to market risk, according in particular to:

1. the type of financial instrument;
2. counterparty or geographical area;
3. currency; (d) establish a system for continuous monitoring of compliance with set limits; (e) establish rules and procedures to be followed where limits are breached and when authorising exemptions from set limits; (f) provide information on market risk levels and breaches of limits to the competent departments. (6) For the purposes of market risk mitigation, banks shall in particular: (a) specify the hedges and protection activities used for market risk mitigation;33) (b) specify how and in what way the selected hedges and protection activities are to be applied; (c) periodically assess the effectiveness of hedges and protection activities and, consequent on the results of such assessment, make changes in the application or types of hedges or protection activities; (d) keep relevant staff members regularly informed about the assessment results for the effectiveness of hedges and protection activities. Article 13 (1) Banks shall ensure the identification of operational risk in all: (a) the types of transactions they execute; (b) the processes they apply; (c) the information systems they use. (2) For the purposes of operational risk management, the identification of operational risk shall include: (a) defining operational risk events monitored by the bank; (b) classifying operational risk events into groups specified by the bank in accordance with the bank’s strategy.

3 Articles 326 to 350 of Regulation (EU) No 575/2013.

12 of 15 (3) For the purposes of operational risk mitigation, the bank’s internal regulations pursuant to Article 27(2) of the Act and in accordance with the approved strategy for operational risk management shall also require: (a) the elaboration of procedures for identifying sources of operational risk in transactions, key activities, processes and systems; (b) the breakdown and classification of operational risk events; (c) the inclusion of operational risk monitoring and assessment in the day-to-day activities of the bank; (d) the elaboration of a procedure for applying operational risk mitigation, in particular for low￾frequency operational risk events that could cause significant financial losses to the bank; (e) the elaboration of principles and a procedure for managing risk related to outsourcing; (f) the elaboration of plans for contingencies and for ensuring the continuous performance of the bank's commercial activities; (g) regular testing and reviewing of contingency plans in order to ensure their consistency with the bank’s updated commercial strategy; (h) the specification of how cooperation and information exchange are to be arranged between the organisational units in which operational risk arises and the organisational unit assessing operational risk in the bank as a whole. (4) For the purposes of operational risk management, banks shall have in place an operational risk assessment system proportionate to the scale and complexity of their activities and it shall in particular: (a) enable regular monitoring for operational risk losses; (b) enable the capturing of all material sources of operational risk in transactions and activities which expose the bank to risk; (c) provide early warning of any increased risk of future losses, based on numerical indicators determined by the bank. (5) The level of operational risk shall be estimated in particular by: (a) assessing processes and activities that expose the bank to risk vis-à-vis the set of defined operational risk events monitored by the bank;; (b) mapping the operational risk originating in the bank’s different business lines; (c) monitoring operational risk indicators, such as the number of failed transactions, staff turnover, and the frequency and incidence of errors; (d) monitoring operational risk, for example, based on monitoring of historic losses caused by operational risk events. (6) For the purposes of operational risk monitoring, banks shall in particular: (a) specify operational risk indicators intended to provide early warning of any increase in the risk of potential losses; (b) monitor operational risk events and assess losses resulting from these events; (c) inform the competent departments about the level of operational risk according to the selected system of operational risk assessment and about material operational risk events. (7) For the purposes of operational risk mitigation, banks shall in particular: (a) specify procedures for selecting the bank’s approach to identified risks, especially the following approaches:

1. risk mitigation, such as insurance;
2. risk assumption;
3. reducing the scope of activities that expose the bank to risk;

13 of 15 4. ceasing certain activities that expose the bank to risk; (b) periodically assess the bank’s approaches to identified risks and, consequent on the results of such assessment, make changes in the use of particular approaches; (c) keep relevant staff members regularly informed about the assessment results for the bank’s approach to operation risk; (d) ensure secure, reliable and smooth operation of the information system, especially by:

1. producing an information system security policy that defines objectives for the bank’s information system security, as well as core principles and procedures for achieving them, and by ensuring compliance with this policy;
2. developing an information security infrastructure comprising special-purpose managing bodies and working groups, their task being to maintain and ensure an effective level of security in the bank’s information system, data and information;
3. analysing and periodically assessing information system risk;
4. protecting the information system against unauthorised access and damage, and by protecting the bank’s premises where data and information processing equipment are kept and where the actual data and information are stored;
5. ensuring efficient, safe, reliable and smooth operation of information processing equipment;
6. managing personnel access to the bank’s data and information, to the equipment used for their processing, and to network services;
7. identifying and evaluating unauthorised activities in the bank’s information system;
8. ensuring continuity of the information system’s functionality and operation in the event of serious failures and accidents; for this purpose, banks shall develop plans for restoring and backing-up their information system. Article 14 (1) The strategy for managing risk related to the bank’s asset encumbrance should be consistent with the bank’s business model and macroeconomic situation and shall specify in particular (a) the bank’s objectives in regard to the management of asset encumbrance risk; (b) material sources of asset encumbrance risk to which the bank is exposed; (c) techniques for identifying, measuring, monitoring, and mitigating asset encumbrance risk; (d) the division of responsibilities for the management of asset encumbrance risk. (2) The system for measuring asset encumbrance risk should be consistent with, in particular, the extent to which resources are obtained through secured funding and to which other types of asset-encumbering transactions are undertaken, and it should enable the measurement of: (a) the amount of assets, according to type, provided as collateral, and developments in this amount; (b) the amount of resources obtained through secured funding and other types of transactions that increase asset encumbrance, in particular through margin requirements for derivative transactions, and developments in this amount. (3) For the purposes of managing asset encumbrance risk, the internal regulations of the bank pursuant to Article 27(2) of the Act and in accordance with the approved strategy for the management of asset encumbrance risk shall also specify contingency plans and plans for ensuring the continuous performance of the bank’s commercial activities. These plans shall take into account in particular the increase in asset encumbrance that could potentially arise from exceptional adverse developments involving the depreciation of assets pledged as collateral, margin calls, and downgrading of the bank’s credit rating, provided that such stress scenarios are relevant to the bank.

14 of 15 (4) For the purposes of measuring asset encumbrance risk, banks shall in particular: (a) periodically monitor the amount and credit quality of unencumbered assets that may be pledged as collateral in secured funding operations or to meet margin calls, and developments in these factors; (b) estimate increases in the amount of encumbered assets, according to the type of transaction requiring asset encumbrance and with respect to the stress scenarios referred to in paragraph 3, and monitor developments in these amounts. (5) For the purposes of paragraph 4(a), banks shall establish and regularly review the methodology for specifying encumberable assets. This methodology may use a list of assets eligible for use in secured funding operations conducted with Národná banka Slovenska and the European Central Bank. Article 15 (1) The system for managing option risk, sovereign risk, concentration risk, settlement risk, legal risk, counterparty risk, securitisation risk, interest rate risk, interest rate risk arising from non￾trading book activities, equity risk, foreign exchange risk, commodity risk, specific risk related to debt instruments, specific risk related to capital instruments, general risk related to debt instruments, global risk related to capital instruments, residual risk, and excessive leverage risk shall as appropriate be subject to the provisions of Article 2(1). (2) If any risks to which a bank is exposed arise solely by virtue of its position within a consolidated group, the management of such risks shall as appropriate be subject to the provisions of Article 2(1). Article 16 This Decree transposes the legally binding acts of the European Union listed in the Annex. Article 17 This Decree repeals Decree No 13/2010 of Národná banka Slovenska on additional types of risk, on details of the risk management function of banks and branches of foreign banks, and on the definition of a sudden and unexpected change in market interest rates (Notification No 367/2010 Coll.). Article 18 This Decree shall enter into force on 1 July 2015. Jozef Makúch Governor

15 of 15 Issuing unit: Regulation Department Banking and Payment Services Regulation Section Tel.: + 421 2 5787 3301 Fax: + 421 2 5787 1118

16 of 15 Annex to Decree No 4/2015 List of transposed legally binding acts of the European Union Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013) as amended by Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 (OJ L 60, 28.2.2014) and Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 (OJ L 173, 12.6.2014).