Regulation 51/2024 on Operational Risk Management for Banks, Payment and Electronic Money Institutions

R E P U B L I C O F ALB ANI A BANK OF ALBANIA SUPERVISORY COUNCIL DECISION No. 51, dated 6.11.2024 ON THE APPROVAL OF REGULATION “ON THE OPERATIONAL RISK MANAGEMENT BY BANKS, PAYMENT INSTITUTIONS AND ELECTRONIC MONEY INSTITUTIONS” Based on and for the implementation of article 12, letter “a” and article 43, letter “c” of the law no. 8269, dated 23.12.1997 “On the Bank of Albania,” as amended; article 57, paragraph 4, article 58, paragraph 1, letter “c” and article 126 of the law no. 9662, dated 18.12.2006 “On banks in the Republic of Albania”, as amended; and article 88, paragraph 3 of the law no. 55/2020, dated 30.4.2020 “On payment services”; having regard to the proposal from the Supervision Department, the Supervisory Council of the Bank of Albania, DECIDED:

1. To approve the regulation “On the operational risk management by banks, payment institutions and electronic money institutions”, as per the attached text to this decision.
2. The entities subject to the regulation shall be responsible for the implementation of this decision.
3. The Supervision Department at the Bank of Albania shall be responsible for monitoring the implementation of this decision.
4. The Governor's Office and the Research Department shall be responsible for the publication of this Decision, in the Official Journal of the Republic of Albania and in the Official Bulletin of the Bank of Albania, respectively. This decision shall enter into force 15 days after its publication in the Official Journal.

SECRETARY CHAIR

ELVIS ÇIBUKU GENT SEJKO

CHAPTER I GENERAL PROVISIONS Article 1 Object The object of this regulation is to define the minimum requirements and rules for the management of operational risk in banking and/or financial activities by the entities subjects to this regulation. Article 2 Subjects

1. The entities subject to this regulation are banks and branches of foreign banks, payment institutions and electronic money institutions, licensed by the Bank of Albania for conducting banking and financial activities in the Republic of Albania, which will be referred to below in this regulation, with the term as “entities” in this regulation.

2. The Bank of Albania, based on its supervisory assessments regarding the volume and complexity of activities, or the level of exposure to operational risk, may decide to include, in addition to the entities listed in paragraph 1 of this article, to include as subject of this regulation certain non-bank financial institutions or savings and loan associations that are actually subject to regulation no. 3, dated 19.1.2011 “On the operational risk management by non-bank financial institutions, savings and loan associations and their Unions”, as amended.

3. In cases foreseen in paragraph 2 of this article, the Bank of Albania shall notify the non￾bank financial institution or the savings and loan association, as well as determine the time frame within which the entity must ensure compliance with the requirements of this regulation. Article 3 Legal basis This regulation is issued based on and for the implementation of: a) article 12, letter “a” and article 43, letter “c” of law no. 8269, dated 23.12.1997 “On the Bank of Albania”, as amended; b) article 57, paragraph 4, article 58, paragraph 1, letter “c” and article 126 of law no. 9662, dated 18.12.2006 “On banks in the Republic of Albania”, which hereinafter in this regulation will be referred to as the law “On banks”; c) article 88, paragraph 3 of law no. 55/2020, dated 30.4.2020 “On payment services”, which hereinafter in this regulation will be referred to as the law “On payment services”. Article 4 Definitions

4. The terms used in this regulation shall have the same meaning as the terms defined in the law “On banks” and the law “On payment services”, as well as in other sub-legal acts of the Bank of Albania.

5. In addition to what is foreseen in paragraph 1 of this article, for the purposes of implementing this regulation, the following terms have the this meaning: a) “operational risk” – is the possibility that an entity may incur financial losses due to inadequacy or failures of internal processes and systems, human errors, or external events. Operational risk includes legal risk, but excludes reputational and strategic risk. For the purposes of the internal operational risk framework, the entity may define more specific definitions of this risk, provided they minimally include the elements of the definition of this regulation; b) “legal risk” – is the possibility that an entity may incur financial losses due to non￾compliance with or improper implementation of legal and/or contractual obligations, including other legal procedures that may negatively affect the financial result; c) “strategic risk” – is the possibility that the achievement of the entity's strategic objectives may be jeopardized, ultimately resulting in financial losses, due to changes in the business environment and inappropriate business decisions, improper implementation of decisions, or failure to react to changes in the business environment; d) “reputational risk” – is the possibility that an entity may incur financial losses caused by negative perceptions from clients, counterparties, shareholders, investors, debt holders, markets, other stakeholders, regulators, etc., which may negatively impact the entity's ability to continue operating/functioning, create new business relationships, or maintain continuous access to funding sources (e.g., through interbank, capital, and debt markets, or the general public); e) “conduct risk” – is the possibility that an entity may incur financial losses due to improper provision of financial services, including cases of inappropriate or intentional behavior towards clients or due to negligence; f) “model risk” – is the possibility that an entity may incur financial losses due to decisions made based primarily on the results of internal models, caused by errors in the development, implementation, or use of these models; g) “inherent risk” – is the risk to which the entity is exposed, regardless of control environments; h) “residual risk” – is the risk to which the entity is exposed after implementing risk mitigation techniques and interacting with control systems; i) “operational risk framework (system)” – is the entirety of policies, procedures, rules, structures, and mechanisms used by the entity to manage operational risk; j) “outsourcing” – is an agreement of any form between the entity and a third party (service provider), according to which the third party (service provider) carries out a process, service, or function that otherwise would be carried out by the entity itself; k) “operational risk appetite/tolerance” – the risk appetite in the context of operational risk, is inherent in the entity's activity, and its acceptance does not yield direct benefits but only has a negative financial effect. Operational risk tolerance represents the maximum acceptable loss against this risk; l) “operational risk event database” – is a registry in which operational risk events are collected, analyzed, maintained, and from which operational risk events are exported/extracted. The operational risk event database contains information on operational risk exposure, losses, and the effectiveness of the entity's control functions. This registry contains at least data on the event date, gross losses, amount recovered, net loss (after recovery), processes/products related to the loss, business line related to the loss, loss type, causal factors, etc.; m) “early warning indicators” – are indicators that help in the early identification of issues that could increase exposure to operational risk. These indicators cover all of the entity's

activities, according to priority/importance, and may include performance indicators, risk indicators, and/or control indicators. These indicators are associated with appropriate monitoring limits and escalation measures in order to mitigate risks and serve as part of the entity's infrastructure in determining the risk appetite; n) “risk mapping and self-assessment” – is a mechanism used by the entity, which evaluates work processes in its activities, divided according to the responsibility (ownership) of the process, against the measure of their exposure to risk and the types of risks, adequacy and type of control systems applied for each process, residual risk, and potential financial loss resulting from the materialization of risk; o) “boundary event” – are events arising from operational risk incidents but resulting in losses related to credit risk (credit risk boundary event) or market risk (market risk boundary event); p) “effective loss” – are losses with a negative economic effect related to operational risk events, which generally do not fall under the categories listed in letters “q” to “y” of this paragraph; q) “specific provisions” – are provisions arising from operational risk events that have a high probability to materialize in a loss. These provisions are linked to events like internal/external fraud as part of credit activities; judicial processes in the context of employment practices and workplace safety, or clients, products, and business practices; damages to physical assets. These are calculated as the difference between potential loss and, as applicable, the net collateral value, or confirmed insurance disbursements, if these exist; r) “pending losses” – are losses arising from operational risk events, with a negative financial effect, temporarily recorded in suspense accounts and not yet reflected in the income statement; s) “near misses” – are related to operational risk events that do not result in financial losses. These are events that could have produced a negative effect on the income statement but did not, due to last-minute control or random factors; t) “timing losses” – are losses arising from operational risk events, with negative financial effects on cash flow statements or income statements of previous periods; u) “restitution” – are payments to third parties, who have incurred financial losses due to benefits gained by the entity in breach of contractual terms. Any amount recognized for compensation not occurring within the fiscal year should be considered as a timing loss; v) “rapidly recovered losses” – are related to operational risk events resulting in losses that are fully recovered within five business days from the event's occurrence; x) “operational profits/income” – are related to operational risk events that could have caused losses, but resulted in profits/income due to the materialization of a favorable circumstance; y) “opportunity cost/unrealized income” – are unrealized income caused by the materialization of operational risk events. 3. The terms used in this regulation “steering council” and “directorate” which refer to the legal organizational structure of banks, do not condition or limit the application of this regulation's requirements for other entities covered by this regulation. In the case of other entities, which are not organized as banks, these terms shall refer to the relevant bodies of the entity performing the analogous functions of a “steering council” and “directorate”, depending on their legal organization.

CHAPTER II OPERATIONAL RISK GOVERNANCE Article 5 Operational risk management framework (system)

1. The operational risk management framework (system) is the entirety of the policies, procedures, rules, structures, and mechanisms of the entity that serve for managing operational risk.
2. The entity establishes and develops the operational risk management framework (system), in accordance with the nature, volume and complexity of its banking and/or financial activities.
3. The operational risk management framework (system) aims to ensure the identification and assessment, measurement, control and mitigation, continuous monitoring, as well as periodic reporting to the internal management structures of operational risk. Article 6 Organizational structure for operational risk management
4. The entity establishes an appropriate organizational structure for the operational risk management, clearly defining the competencies and responsibilities of the governing bodies, as well as all structures/units involved in operational risk management, according to the three lines of defense model.
5. In particular, the entity ensures that the operational risk management structure/unit, as part of the second line of defense and an essential part of the operational risk management framework (system), is clearly separated, both organizationally and operationally, from the business lines and other supporting operational functions.
6. The operational risk management structure/unit, depending on the choices made by the governing structures of the entity and the principle of proportionality, may be part of the general risk management structure or an independent unit outside this structure.
7. The structure/unit referred to in paragraph 3 of this article, in any case functions as a second line of defense and shall report directly to the steering council, directorate, or other structures/committees specified as appropriate for operational risk management purposes. Article 7 Steering council
8. The steering council, without prejudice to the definitions of its responsibilities and role established in the legal and regulatory framework, is responsible for: a) establishing a risk management culture and ensuring that the entity has appropriate processes in place to understand the nature of the operational risks arising from strategies and the entity's current and planned activities; b) ensuring that operational risk management processes are subject to comprehensive and dynamic monitoring/supervision and are fully integrated or coordinated with the entity's overall risk management system; c) approving policies for operational risk management and overseeing their implementation; d) establishing an effective and appropriate management structure for the implementation of the entity's internal regulatory acts for operational risk management;

e) ensuring that the operational risk management framework (system) is subject of independent review/control by the internal control unit. For this purpose, the steering council defines clear lines/divisions for the tasks and responsibilities that assist in establishing appropriate internal control functions for operational risk. Controls should be reviewed, monitored, and tested regularly to ensure ongoing effectiveness. The control environment must ensure independence and proper segregation of duties between operational risk management functions, business units, and supporting functions; f) periodically reviewing and assessing the effectiveness of the operational risk management framework (system) and approving it, to ensure that the entities identify and manage operational risks arising from external market changes and other environmental factors, as well as operational risks associated with new products, activities, processes, or systems, including changes in risk profile and entity priorities. The review process should aim to evaluate and select best practices for operational risk management, suitable for the entity's activities, systems, and processes; g) approving and periodically reviewing the operational risk appetite/tolerance statement, in accordance with the entity's strategy, financial results, as well as the types and levels of risk the entity is willing to accept. 2. The steering council ensures that the operational risk management framework (system) is subject to an effective and comprehensive internal control process by independent, qualified, and responsible personnel. Article 8 Directorate

1. The directorate, in the function of operational risk management, is responsible for implementing the policies, processes, and systems for managing operational risk in all services/products, activities, processes and systems significant to the entity, in accordance with the operational risk appetite/tolerance statement.
2. The directorate, in the function of operational risk management, is responsible for: a) implementing the internal regulatory acts for operational risk management of the entity, approved by the steering council; b) defining responsibilities and developing reporting lines to encourage and maintain accountability, as well as ensuring the appropriate financial and human resources for effective operational risk management, in accordance with the operational risk appetite/tolerance statement; c) clearly communicating to employees at all levels about the operational risk management framework (system) applied by the entity; d) ensuring that the banking and/or financial activities of the entity are conducted by qualified personnel, with the necessary experience and technical skills; e) ensuring that the personnel responsible for monitoring the implementation of the operational risk management framework (system) and its compliance with the entity’s risk policy are independent of the units they oversee.

Article 9 Lines of defense

1. The entity manages operational risk by implementing the three lines of defense model, where: a) the first line includes business units and operational/support functions; b) the second line includes the independent function responsible for operational risk management and the compliance function/unit; and c) the third line includes the independent control function.

2. The entity applies the three lines of defense model depending on its nature, size, complexity and risk profile.

3. The entity ensures that each of the lines of defense: a) has sufficient financial and human resources and appropriate tools; b) has clearly defined duties and responsibilities; c) is continuously and adequately trained; d) promotes a healthy risk management culture across the organization (entity); e) communicates with the other lines of defense for the implementation of the operational risk management framework (system).

4. In cases where a business unit includes functions from both the first and second lines of defense, the entity documents and distinguishes the responsibilities of these functions according to the lines of defense, emphasizing the independence of the second line of defense from business units.

5. For the purpose of operational risk management, the first line of defense includes the management of the entity’s business units and operational/support functions. First line of defense employees are responsible for the identification and ongoing management of inherent risks in the products, activities, processes and systems, for which they are responsible in daily operations.

6. For the purposes of paragraph 5 of this article, the responsibilities of the first line of defense include: a) identifying and assessing the materiality of inherent operational risks in their business units through the use of control systems, whether manual or automated, in accordance with internal procedures and the segregation of duties principle; b) implementing appropriate control systems, in cooperation with other control structures and the operational risk management function, to mitigate inherent operational risk, as well as evaluating and reporting the effectiveness of these controls, through operational risk management mechanisms; c) identifying, monitoring, and reporting operational risk events, in accordance with the operational risk management framework (system); d) reporting residual operational risks that have not been mitigated by controls, control deficiencies and inadequacies of processes; e) appropriate training to ensure the identification and assessment of operational risks, as well as reporting in cases where business units have lack of resources, mechanisms, or training that enable the identification and assessment of operational risks.

7. For the purpose of managing operational risk, the second line of defense includes functions independent from the business units for managing operational risk, as part of the risk management framework (system). This line is responsible for continuous and periodic monitoring and development of the operational risk management framework (system), as well as reporting operational risk-related issues to the directorate and the steering council.

8. For the purposes of paragraph 7 of this article, the responsibilities of the second line of defense include, at a minimum: a) developing an independent opinion from the other business units regarding: i. identified material operational risk events, ii. designation/definition and effectiveness of key controls, and iii. operational risk tolerance; b) ensuring and documenting the proper implementation by the first line of defense of responsibilities, mechanisms and reporting systems for operational risk management; c) developing and maintaining policies, standards, methodologies, and guidelines for managing and measuring operational risk; d) reviewing and contributing to monitoring and reporting of the operational risk profile; e) designing and developing employee training on operational risk matters and promoting awareness of risks/encouraging a risk culture.

9. For the purpose of operational risk management, the third line of defense includes the internal control unit. This line provides assurance to the steering council on the adequacy of the operational risk management framework (system), by independently reviewing and reporting to the steering council on a regular basis, based on a risk-based approach. Employees of the internal control unit should not be involved in the development, implementation or operation of operational risk management processes from the other two lines of defense. This structure independently assesses the effectiveness of processes created in the first and second lines of defense and ensures the proper functioning of these processes.

10. For the purposes of paragraph 9 of this article, the responsibilities of the third line of defense include: a) reviewing the designation and implementation of the operational risk management framework (system), as well as the associated governance processes from the first and second lines of defense (including the independence of the second line of defense); b) reviewing the assessment processes, to ensure that they are independent and implemented in accordance with the entity’s regulatory framework; c) ensuring that the models/mechanisms used for measurement by the entity are sufficiently strong and stable to ensure high integrity of input data, assumptions, processes and methodologies used, as well as to result in operational risk assessments that reliably reflect the entity’s operational risk profile; d) ensuring that business unit managers respond quickly, accurately and adequately to raised issues, as well as regularly reporting to the steering council or its committees on unresolved or resolved operational risk matters; e) conducting a comprehensive assessment of the adequacy and suitability of the operational risk management framework (system) and the associated governance processes of the entity. Beyond controlling compliance with existing policies and

procedures, the third line of defense independently evaluates whether the operational risk management framework (system) meets the needs and objectives of the entity, and whether it complies with legal and statutory provisions, contractual agreements, internal rules of the entity, and the code of ethics. Article 10 Operational risk management policy

1. The entity develops a policy for the management of operational risk, which is effectively communicated throughout the entire entity, especially to the structures of the first and second lines of defense involved in operational risk management.
2. The operational risk management policy shall be reviewed regularly, at least once a year, and be approved by the steering council.
3. The operational risk management policy includes at least the following elements: a) the purpose of the operational risk management policy; b) the legal and regulatory framework for operational risk and compliance with this framework; c) definition of terms used by the entity in the operational risk management policy; d) objectives related to identifying, assessing, controlling and mitigating the operational risks of the entity; e) elements of the operational risk management framework (system), which include: i. governance, ii. risk culture and awareness, iii. reporting/collection of operational risk events, iv. mapping and self-assessment of risks and controls in place, v. scenario analysis, vi. early warning indicators, vii. measurement and modeling, viii. reporting, ix. risk appetite and tolerance; f) the supporting regulatory framework for implementing the policy, consisting of procedures, guidelines, and manuals of the entity. Article 11 Identification and assessment of operational risk
4. The entity identifies and assesses operational risk in all services/products, activities, processes and significat systems.
5. The entity, before launching new services/products, carrying out different activities or processes, and/or creating new systems, and before and during the outsourcing of services/functions from third parties that potentially carry risk for the entity, ensures the implementation of sufficient and appropriate procedures for the preliminary assessment of operational risk that may be associated with them.
6. The entity effectively identifies and assesses operational risk by considering the business environments and existing controls.
7. The entity evaluates the impact of operational risk events, by referring to the operational risk appetite/tolerance statement, which is approved and reviewed annually by the steering council.

Article 12 Measurement of operational risk

1. The entity measures its exposure to operational risk through the information and data collected derived from the implementation of operational risk management mechanisms, such as: a) historical data from the entity's database of operational risk events; b) external data obtained from open sources or industry databases; c) results from the entity's self-assessment of risks; d) results of scenario analysis; e) early warning indicators.
2. As for the provisions of paragraph 1 of this article, the entity shall ensure the completeness and accuracy of input data, the conditions for processing information, and the periodic evaluation of results.
3. By measuring operational risk, the entity determines its risk profile for the purpose of efficiently using human and technical resources for managing these risks.
4. The measurement of operational risk in terms of capital requirements is addressed in accordance with the respective regulations in force issued by the Bank of Albania. Article 13 Operational risk monitoring
5. The entity develops a periodic monitoring process for its operational risk profile and key exposures to this risk.
6. The entity includes in the periodic monitoring proces, also the services provided by third parties (outsourced), which carry risks for the entity, by monitoring the quality of the services offered and the fulfillment of contractual obligations.
7. To ensure an effective and continuous monitoring process for operational risk, the entity shall: a) establish appropriate indicators that provide early warning of an increase in operational risk, which could lead to future losses; b) set thresholds for these indicators, where possible, to create an effective monitoring process that helps identify critical and significant risks to the entity, enabling timely monitoring and prevention from materializing of these risks; c) determine the frequency of the monitoring process, taking into account the level of risk and the nature of changes in its operating environment; d) ensure that the monitoring results are included in regular reports to the steering council, directorate, and representatives of business lines affected by the identified issues in the report. Article 14 Control and mitigation of operational risk
8. The entity must establish an appropriate control environment, consisting of a comprehensive and adequate internal regulatory framework, strong and comprehensive processes and systems, proper internal controls, as well as strategies for mitigating and/or transferring risk.
9. The entity, in function of controlling and mitigating operational risk shall:

a) design systems of procedures and control processes to ensure the implementation of internal policies for operational risk management; b) ensure that internal practices/processes are suitable for controlling operational risk and include at least: i. clear determination of authorities/processes for approval and task separation, ii. close monitoring of compliance with established limits or risk thresholds, iii. adoption of protective measures for the use of the entity's data and assets, including the use of insurance contracts to transfer risk outside the entity, iv. ensuring that the personnel is qualified and possesses the appropriate expertise, v. identifying business lines or products where profits appear to exceed reasonable expectations, vi. relinquish of business lines, activities, and products with high potential for exposure and loss due to operational risk, associated with a high probability of occurrence; c) utilize tools or programs to reduce exposure to events with low probability, but potentially with significant financial impact; d) pay special attention to activities and/or the creation of new products, especially when they are not aligned with the entity's business plan; e) focus on entering unfamiliar markets and/or undertaking business activities geographically distant from the entity's headquarters; f) show proper care regarding the increased automation of services, which must be coordinated with enhanced security in information and technology management; g) establish policies and practices for managing operational risks arising from the outsourcing of the entity's processes, services, or functions to third parties. 3. The entity ensures appropriate response and management of operational risk events, based on the framework of risk tolerance. The management of operational risk events should fall into one of the following categories: a) accepting the impact of the event, for events with negligible risk and impact, materializing at a low frequency and resulting in minor impact/loss (expected loss); b) mitigating the impact of the event through control and preventive systems, for events with acceptable risk, materializing at a high frequency but resulting in minor impact/loss (expected loss); c) mitigating the impact of the event through transfer/use of insurance contracts, for events with high risk, materializing at a low frequency but resulting in significant impact/loss; d) relinquish of certain activities that generate events with high risk, materializing at a high frequency and resulting in significant impact/loss. Article 15 Operational risk reporting

1. The independent operational risk management function ensures periodic and ad-hoc reporting, as needed, for the directorate/risk management committee, the board of directors, and representatives of business lines affected by the issues raised in the report.
2. Operational risk reports typically include information on: a) the entity’s operational risk events; b) significant external/market events; c) follow-up on decisions made; d) results of risk self-assessments;

e) results of early warning indicators; f) capital allocated for covering operational risk; g) issues requiring decision-making or escalation; h) the entity’s operational risk profile. 3. For the purposes of this regulation, exept for internal reporting, the entity shall submit quarterly reports to the Bank of Albania, the early warning indicators data as per annex no. 1 and operational risk events as per annex no. 3 of this regulation, with information registered/collected during the reporting period. 4. Additionally, the entity submits ad-hoc reports to the Bank of Albania, non-periodically and outside the normal reportings for operational risk events assessed as critical1 by the entity itself, based on its internal risk tolerance matrix, regardless of whether the financial impact has materialized and in any case, those operational risk events with a gross loss exceeding 2% of the entity’s regulatory capital must be reported, including the cause of the loss and corrective measures taken to prevent recurrence. 5. The classification of an event as critical must be carried out within a reasonable timeframe after its discovery, but no later than 24 hours. If more time is needed for classification, the entity must explain the reasons in the initial report submitted to the Bank of Albania. Reporting of critical events to the Bank of Albania occurs in three stages, as follows: a) initial report – shall be submitted within 4 hours from the moment the event is classified as critical. In this report the entity includes general information and outlines the key characteristics of the event and its expected consequences, based on available information; b) interim report – shall be submitted in any case within 3 business days from the date of submission of the initial report and it provides a more detailed description of the event and its consequences. The entity submits the interim report to the Bank of Albania when its regular (usual) activity has been restored and business has returned to normal, informing the Bank of Albania of this circumstance, also in the case where regular (usual) activity has not been restored; c) final report – shall be submitted within 20 business days after business operations are considered to have returned to normal. The entity shall include in the final report, the full information on actual data on the impact of the event, replacing any previous estimates, as well as information on the root cause, if known, and a summary of the measures implemented or planned to prevent recurrence in the future. 6. If the entity’s normal operations has been restored within 4 hours of classifying the event as critical and the entity can provide all information required in the final report within this timeframe, it may submit a single report to the Bank of Albania, consolidating the information from the initial, interim, and final reports. 7. Without prejudice to the requirements of this regulation, for events (incidents) assessed as critical (major) related to payment services, the entity must comply with the applicable regulatory framework for reporting major incidents.

1 The assessment of the criticality of operational risk events is conducted based on the frequency and impact matrix derived from the risk mapping and self-assessment exercise of existing risks and controls, as referred to in article 22 of this regulation.

Article 16 Business continuity plan

1. The entity develops business continuity plans aimed at ensuring the uninterrupted operation of activities and mitigating losses related to operational risk.
2. The entity ensures that business continuity plans are an integral part of the operational risk management and/or other risks management frameworks (systems).
3. The entity, for drafting and approval of these plans, determines: a) key activities; b) scenarios/events that may cause disruptions to key processes and/or activities; c) alternative solutions to maintain the continuity of key activities; d) actions and their sequence to restore the normal functioning of operations, particularly ensuring the integrity of electronic system data and restoring these systems to operational status; e) communication strategies in cases of serious issues and/or business interruptions.
4. The entity periodically reviews and updates its business continuity plans, to ensure their alignment with its current operations, risks, and business strategy.
5. The entity, for detailed requirements of the business continuity plan, refers to the relevant regulations in force issued by the Bank of Albania. Article 17 Stress tests
6. In accordance with the regulatory framework in force for stress testing in banks, as part of the process of designing and conducting stress tests for operational risk, the bank develops and implements a program for operational risk stress testing as an integral part of the overall stress testing program for key risks.
7. The bank clearly defines the roles of various structures in the design and implementation of operational risk stress tests, ensuring effective and timely reporting of results, proper documentation of the process, and the adoption of corrective necessary measures as needed. Article 18 Mechanisms for operational risk management
8. The entity, for managing operational risk, relies on the following key mechanisms, which are considered the pillars of operational risk management: a) identification and reporting of operational risk events; b) database of operational risk events; c) early warning indicators; d) risk and control self-assessment and mapping; and e) scenario analysis.
9. In accordance with its size and complexity, the entity uses appropriate and sufficient information systems to ensure the proper execution and functionality of the processes outlined in paragraph 1 of this article.

Article 19 Identification and reporting of operational risk events

1. The entity establishes an internal regulatory framework or procedure for managing operational risk events, defining all steps in the event management cycle, timelines, and the roles of the structures involved in this process.
2. Once identified, operational risk events are processed and reported on a case by case basis by the entity’s structure that identifies them, in accordance with the minimum requirements defined in the standardized form in annex no. 16 of this regulation. Depending on the size and complexity of the entity and its technological infrastructure, data are either recorded directly in the entity’s operational risk event database or registered by the operational risk management unit.
3. The reporting of operational risk events, depending on the process organization, is carried out by any employee of the entity who identifies the event or through an operational risk officer designated for each structure of the entity. Article 20 Operational risk event database
4. The entity establishes an internal regulatory framework/methodology for managing the operational risk event database, defining its purpose, steps, timelines, and the roles of the structures involved in this process.
5. The entity implements appropriate mechanisms to ensure the use of a high-quality database for operational risk events, supported by information systems.
6. The operational risk event database of the entity must meet the following requirements: a) the data on operational risk events must be comprehensive to include all activities of the entity; b) for collecting data related to operational risk events, the entity defines appropriate minimum quantitative thresholds; c) the operational risk event database of the entity must include at least: i. the event identification number, ii. the event description, iii. the reporting unit of the event, iv. the event occurrence date (dd/mm/yyyy), v. the event identification date (dd/mm/yyyy), vi. the event reporting date (dd/mm/yyyy), vii. the event booking date (dd/mm/yyyy), viii. gross/initial loss value (in ALL), ix. recovered value and recovery date, x. classification of each event based on the type, business line, financial effect, cause, and information on boundary events; d) the entity must be able to identify operational risk losses caused by events related to credit risk and market risk (boundary events) and record them in the operational risk event database with appropriate notes2 . e) the entity must be able to categorize operational risk events based on at least the following financial effects: i. effective financial losses,

2 Examples of boundary events are presented in annex no. 17 of the regulation.

ii. specific provisions for operational risk, iii. pending losses, iv. near misses (unmaterialized losses), v. timing losses, vi. compensation (restitution), vii. rapidly recovered losses, viii. operational profits/income, ix. opportunity costs/missed income; f) the entity must be able to categorize each event based on its cause. The categorization by cause, divided into two levels of detail, is presented in annex no. 5 of this regulation; g) the entity must be able to map/categorize each event by type and business line, according to annexes no. 6–14 of this regulation. Event classification must be conducted using objective and documented criteria. Article 21 Early warning indicators

1. The entity shall establish an internal regulatory framework/methodology/procedure for the development and management of early warning indicators, defining the purpose, steps, timelines, and roles of the structures involved in this process.
2. The entity shall use early warning indicators that serve to identify, at an early stage, issues that may increase exposure to operational risk.
3. Early warning indicators shall cover all activities of the entity based on priority/importance and may include performance indicators, risk indicators, and/or control indicators.
4. Early warning indicators should generally be measurable, comparable over time, and transparent.
5. Depending on the complexity and size of the entity, it shall develop its internal indicators, which include the indicators listed in annex no. 1 of this regulation, or use only the indicators specified in that annex.
6. Early warning indicators shall be identified and reviewed continuously. The risk self￾assessment process also serves to identify appropriate indicators, where risks are identified for which monitoring indicators should be established.
7. Each early warning indicator shall be accompanied by at least the following data: a) the name of the indicator; b) the description of the indicator; c) the objective of the indicator and the risk it monitors; d) the calculation method; e) the responsible structure (owner) and the activity to which the indicator applies; f) the reporting frequency; g) the monitoring threshold (red, orange, green, or high, medium, low).
8. Breaching of thresholds shall be followed by monitoring and further measures aimed at mitigating risks.

Article 22 Mapping and self-assessment of risks and controls in place

1. The entity shall develop an appropriate methodology for risk mapping for processes/sub￾processes/activities across all business lines and their operational and support functions, where are clearly defined the steps, roles, and responsibilities of the structures involved in this proces, aiming to monitor processes and functions with inherent risks, prevent their materialization, and assess the adequacy and efficiency of existing controls.
2. Risk mapping and self-assessment shall be conducted at least once a year. This process shall take into account all material changes in organizational structure, activities, systems, and the regulatory framework that have occurred during the review period, confirming the validity of prior assessments unaffected by these changes while ensuring the inclusion of new assessments influenced by them.
3. Mapping and self-assessment of risks and controls in place shall be carried out in four steps as follows: a) process inventory – Risk mapping involves dividing each activity into processes and sub-processes. Each process/sub-process shall include at least the following information: i. the name of the process/sub-process, its purpose, and the type of activity it belongs to, ii. the responsible structure (owner) of the process/sub-process, iii. the frequency of the process/sub-process, iv. the maximum allowable time for non-execution of the process/sub-process; b) risk mapping – Each process/sub-process identified in the inventory shall be identified with a risk event, in accordance with annexes no. 6-13 of this regulation, and associated with a unique code; c) risk assessment – For each process/sub-process, a risk assessment shall be performed with the aim of identifying weaknesses and determine the approach for risk management based on the following scenarios: i. acknowledgment and acceptance of risk, ii. risk prevention by reducing the frequency of its materialization, iii. risk mitigation by reducing its impact, iv. risk transfer to a third party, v. non-acceptance of risk; d) control level – Each process/sub-process identified in the process inventory as part of risk mapping and assessment, shall be subject to various controls at the first and second lines of defense level, varying in form and frequency. Each control shall include at least the following elements: i. a description of the control, ii. the type of control (authorization, reconciliation, system access, system configuration, physical access, etc.), iii. the responsible structure (owner) for implementing the control, iv. the frequency of control execution.
4. The risk assessment foreseen in paragraph 3, letter “c” of this article shall consist of at least an evaluation of:

a) the expected annual loss; b) the maximum possible loss under a stressed scenario; c) the frequency of the maximum possible loss under a stressed scenario; d) non-financial impact (reputational loss, according to the classes defined in the methodology); e) control quality (according to the classes defined in the methodology). 5. The controls specified in letter “d” of paragraph 3 of this article for each process/sub￾process shall be subject to a formalized reporting process. Reports and control results shall include at least the following information: a) the control result based on a methodologically scaled assessment (e.g., green/yellow/orange/red); b) the result value, if applicable (e.g., 100%, zero difference, days delayed, yes/no, etc.); c) a clear and concise comment on the performed control; d) supporting documentation for the control result, aiding in the potential development of a corrective action plan. 6. The effectiveness of controls and the quality of their execution shall be subject to continuous control processes to ensure that the entity operates safely and in compliance with its internal regulatory framework and the legal and regulatory framework of the Bank of Albania. 7. The independent operational risk management structure shall plan and oversee the implementation of the mapping and self-assessment of risks and controls process, with the support of the entity’s governing bodies. 8. The process of risks and controls mapping and self-assessment shall be carried out by the responsible structures (owners) of the processes/sub-processes in collaboration with the independent operational risk management structure. 9. Each process/sub-process undergoes a final risk assessment, classified into different risk levels based on an internal methodology developed by the entity. In the final risk level assessment, the entity shall consider at least the combination of the following elements: a) the level of expected losses; b) the degree of non-financial impact; c) the quality of controls. 10. Processes/sub-processes assessed as high-risk (critical), according to the entity’s internal methodology, shall be subject to continuous monitoring. They are subject of additional and effective controls by the responsible process structure (owner) in collaboration with the operational risk management unit. The entity shall ensure the implementation and effectiveness of controls through coordinated reporting frequencies. Article 23 Scenario analysis

1. The entity shall use scenario analysis to assess its exposure to risks, particularly those with a high financial impact and a low probability of occurrence. Through scenario analysis, the entity obtains valuable information regarding the causes and consequences of materializing significant events, with results that can be utilized in the business continuity plan and operational resilience testing.

2. Scenario analysis is based on subjective assessments, which are developed through meetings between the structure responsible for operational risk management and various experts within the entity's activities.

3. Typically, scenario analyses use data and information from the following sources: a) the entity’s operational risk event database; b) external market information; c) the risks self-assessment process; d) the internal control system; e) early warning indicators; f) root-cause analysis; g) process analysis. CHAPTER III MISCELLANEOUS Article 24 Supervisory and punitive measures The Bank of Albania, in case of non-compliance with the requirements of this regulation, shall apply the supervisory and/or punitive measures provided for in the law “On banks” and the law “On payment services”. Article 25 Entry into force

4. This regulation shall enter into force on March 1, 2025.

5. Entities shall take the necessary measures to comply with the requirements of this regulation until March 1, 2025. Article 26 Final provision The annexes attached to this regulation form an integral part thereof. CHAIRMAN OF THE SUPERVISORY COUNCIL Gent SEJKO

ANNEXES For the reporting of early warning indicators to the Bank of Albania, the entity shall complete annex no. 1, following the instructions provided in annex no. 2 of this regulation. Annex no. 1 Early warning indicators No. Indicator Value Comments 1 Number of new legal cases Number 2 Cost of legal cases Value (ALL) 3 New customers complaints Number 4 Open customers complaints Number 5 Number of fines from authorities Number 6 Value of fines from authorities Value (ALL) 7 Staff turnover Percent (%) 8 Core system failures/interruptions (hours:minutes:seconds) 9 Number of hacking attempts/cyber incidents Level 1 of detail Level 2 of detail Number Malware Ransomware Trojan horse Virus Worm Spyware/Adware Mobile malware Social Engineering Phishing Spear Phishing Pretexting Cyber squatting Insider/Third Party Provider Event and/or Misuses of access rights Accidental misuse of access rights Intentional misuse of access rights by service provider Intentional misuse of access rights by insider Policy violation (Insider/ TPP) Unauthorised access intentional Brute force attack Malicious script injection and/or OS commanding SQL Injection Other exploited vulnerability Information exposure Denial of Service Attack DoS attack DDoS attack Other Cyber Security Event Defacement Brand Abuse on Mass and Social Media Libel of persons on Mass and Social Media Vulnerability Scan 10 Number of successful attempts for hacking incidents/cyber incidents

Level 1 of detail Level 2 of detail Number Malware Ransomware Trojan horse Virus Worm Spyware/Adware Mobile malware Social Engineering Phishing Spear Phishing Pretexting Cyber squatting Insider/Third Party Provider Event and/or Misuses of access rights Accidental misuse of access rights Intentional misuse of access rights by service provider Intentional misuse of access rights by insider Policy violation (Insider/ TPP) Unauthorised access intentional Brute force attack Malicious script injection and/or OS commanding SQL Injection Other exploited vulnerability Information exposure Denial of Service Attack DoS attack DDoS attack Other Cyber Security Event Defacement Brand Abuse on Mass and Social Media Libel of persons on Mass and Social Media Vulnerability Scan 11 ATM availability (uptime ratio) Percent (%) 12 Cards under investigation Number 13 Internal control recommendations not met within the deadline Number 14 Procedures, policies, and regulations not updated Percent (%) 15 Projects not closed within the deadline specified by institution Percent (%) 16 Number of cases identified as fraud Number 17 Breach of internal cash holding limits at branches Number 18 Number of incorrect outgoing transfers Number 19 Number of registered mortgage collaterals whose insurance coverage has expired Number 20 New problem loans Percent (%) 21 Critical outsourcing without performing an annual risk assessment of information security and business continuity Number 22 Number of incidents when clients funds coverage falls below 100%* Number 23 Maximum value of unprotected clients funds (safeguarding) according to legal and regulatory requirements* Value (ALL) *Requirement applicable only to payment institutions and electronic money institutions.

Annex no. 2 Instructions for completing early warning indicators No. Indicator Description 1 Number of new legal cases The number of new legal cases opened during the reporting period, in which the entity is involved and which contain elements of operational risk. Other legal cases, which do not contain elements of operational risk, are excluded. 2 Cost of legal cases The expected loss value estimated by the entity in relation to the legal issues of indicator no. 1. The costs of other legal issues, which do not contain elements of operational risk, are excluded. 3 New customers complaints Number of complaints filed against the entity by customers or third parties during the quarter, received through all communication channels made available by the entity (formal letter, email, social networks, etc.). All complaints received during the quarter are included, whether they were closed, rejected or open at the end of the reporting period (quarter). 4 Open customers complaints The number of complaints filed against the entity by customers, customer groups or the public which are still open at the end of the reporting period (quarter). 5 Number of fines from authorities The number of fines imposed on the entity by various authorities during the quarter, which are related to banking and/or financial activity. 6 The value of fines from authorities The value of the fines imposed by various authorities during the quarter, which are related to banking and/or financial activity. 7 Staff turnover The percentage of staff turnover during the reporting period. This includes both full-time and part-time employees. Q=L/(P)*100, (P)=(P0+P1)/2 where: Q-staff turnover; L- number of employees dismissed during the reporting period; (P) - the average number of employees during the reporting period; P0 – the number of employees at the beginning of the reporting period; P1- the number of employees at the end of the reporting period. 8 Core system failures/interruptions Duration of unplanned interruptions of the entity's core system during the quarter, expressed in the format (hours:minutes:seconds). 9 Number of hacking attempts/cyber incidents Level 2 of detail Description Ransomware A type of malware that restricts access to an infected device and demands payment to remove the restriction Trojan horse A type of malware that hides its operation within another program, appearing useful and harmless. Virus A type of malware capable of copying itself and spreading to other computers. Viruses can be used to steal information, damage computers, steal money, or serve ads. Worm A program that replicates and destroys data and files on a computer. Unlike a virus, it does not need to attach to other executable programs to spread. Spyware/Adware A type of malware that automatically generates advertisements. Adware can be linked with spyware to track user activity and steal information.

Mobile malware Malicious software that targets mobile devices or enables wireless technology, causing device blocking, data loss, or information theft. Phishing Attempting to steal sensitive information such as usernames, passwords, and credit card details by pretending to be a trustworthy entity in electronic communications (e.g., via email). Spear Phishing Direct attempts/attacks aimed at deceiving specific individuals or companies. Pretexting Creating and using a fabricated scenario (pretext) to involve a specific user in a way that increases the chances of revealing information or performing impossible actions under normal circumstances. Cyber squatting A speculative registration of an internet domain name that corresponds to someone else's brand, service, or product name. Accidental misuse of access rights An accidental/unintentional violation of access rights within a system, potentially leading to data leakage and/or data corruption. Intentional misuse of access rights by service provider Intentional abuse of access rights by the service provider. Intentional misuse of access rights by insider Intentional abuse of access rights by insiders. Policy violation (Insider/TPP) Violation of policy by insiders or third-party providers. Brute force attack Force attack. Malicious script injection and/or OS commanding Injecting a harmful script and/or commanding the operating system (OS) with malicious intent. SQL Injection SQL Injection. Other exploited vulnerability An exposed software weakness used to gain unauthorized access to information systems. Information exposure Information exposure. DoS attack An attack designed to disable, shut down, or disrupt a network, website, or service. DDoS attack A DoS attack where the source of the attack involves multiple IP addresses. Defacement An attack on a website that alters its visual appearance. Brand Abuse on Mass and Social Media An event where attackers register fake profiles on social media using a company's or executives' name. Libel of persons on Mass and Social Media An event where attackers spread false or defamatory information on social media with the intent to damage the reputation of individuals (e.g., executives) and the company. Vulnerability Scan A technique used to identify security weaknesses in a computer system (sometimes the vulnerability scanning activity itself can cause service disruption or downtime). 10 The number of successful attempts for hacking incidents/cyber incidents. According to the explanation provided in indicator no. 9. 11 ATM availability (uptime ratio) Percentage of ATMs availability. The average fuctionality/availability percentage of ATMs during the reporting period should be reported, regardless of whether the measurement frequency may vary between entities. Indicative example: If an ATM is operational for 23 hours out of 24 hours per day, the availability coefficient will be (23/24)*100 = 95.83%. The same logic applies for quarterly reporting. For the purposes of this indicator, the availability of all ATMs of the entity will be calculated for the reporting period (quarter). 12 Cards under investigation The number of cards which are under an investigation justified by the entity, due to fraud-related reasons during the quarter (all types of cards). Lost, stolen, or reprinted cards for other reasons (e.g., reprints due to damage) are not included.

13 Internal control recommendations not met within the deadline Internal audit unit recomandations which have passed the final completion/fulfillment deadline during the reporting period. 14 Procedures, policies, and regulations not updated The number of procedures not reviewed within the deadline defined in the bank's internal policies, relative to the total number of procedures and regulations (in %). 15 Projects not closed within the deadline specified by institution Number of projects that have exceeded their deadline, compared to the total number of ongoing projects (in %). The numerator includes the number of projects which have exceeded their deadline due to delays, inefficiency or lack of projects monitoring etc. and whose actual cost exceeds the annual budget >20%. Note: In the reporting will be included also those projects that the entity considers to have a direct impact on the control systems and their effectiveness, even if the financial impact may be < 20%. 16 Number of cases identified as fraud The number of cases identified as fraud by the entity during the reporting period. Fraud cases involving cards are excluded from this indicator. 17 Breach of internal cash holding limits at branches The number of identified cases of limit breaches at the end of the day for cash holding limits in branches during the reporting period. 18 Number of incorrect outgoing transfers The total number of outgoing transfers (domestic and international) reversed, or reprocessed due to errors made during the reporting period. The reporting shall include all cases processed incorrectly by the entity, excluding cases where the error originates from the client. 19 Number of registered mortgage collaterals whose insurance coverage has expired The number of mortgage collaterals for individuals and businesses whose insurance coverage has expired and are mandatory to be insured. 20 New problem loans The number of new problem loans relative to the total number of new loans disbursed during the reporting period (in %). The numerator includes new problem loans for which no more than 90 days have passed since the payment date. 21 Critical outsourcing without performing an annual risk assessment of information security and business continuity The number of third-party service providers (outsourcing) assessed as critical by the entity, for whom the annual assessment of information security and business continuity has not been performed, as of the closing date of the reporting period. 22 Number of incidents when clientsfunds coverage falls below 100%* The number of events where clients’ funds coverage falls below 100%. The calculation of this indicator for the purposes of this reporting is performed on a daily basis during the reporting period. 23 Maximum value of unprotected clients funds (safeguarding) according to legal and regulatory requirements* The maximum value of clients funds unprotected (safeguarding) according to legal and regulatory requirements, i.e., the highest value of unprotected funds recorded during the reporting period. *Requirement applicable only to payment institutions and electronic money institutions.

For operational risk events reporting to the Bank of Albania, the entity fills out the register according to annex no. 3, following the instructions of annex no. 4 and at the same time implementing the provisions of paragraph 3 of article 20 of the regulation. For events that have lasted for more than one reporting period and therefore have been reported in previous periods, the entity uses the same identification number in the relevant cell of the register and presents the information about the event for the reporting period. Completion of all annex fields is mandatory for each recorded event, except for the field “recovery date” and “recovered value”, which will be completed when information is available. The comments field is recommended, but it is not mandatory to be filled. The completion of the recovery date and recovery value fields must be accompanied by the mandatory completion of the fields “event identification number” and “event description”. Annex no. 3 Operational risk event register Identifi cation number Descri ption Repo rting unit Occur rence date (d.m.y ) Identifi cation date (d.m.y) Book ing date (d.m. y) Event type (Level 1) Event type (Level 2) Event type (Level 3) Busi ness line (Lev el 1) Busi ness line (Lev el 2) Financ ial effect Cause (Level 1) Cause (Leve l 2) Gross/ Initial loss value (ALL) Reco very date Reco vere d value Boun dary event Com ment s

Annex no. 4 Instructions for completing the operational risk event register Column Instructions for completion Identification number The event identification number used by the entity in the internal register of operational risk events must be filled in. Description A description of each event recorded in this register is completed. The subject should not include information that is subject to the law “On the protection of personal data”. Reporting unit The name of the unit that reported the event must be filled in. Occurrence date (d.m.y) The occurrence date or the starting date of the event must be filled in for those events that have had a prolonged effect over time. Identification date (d.m.y) The date of event identification by the entity's employees must be filled in. Booking date (d.m.y) The date on which the event was recorded in the entity's financial statements must be filled in. Event type (Level 1) The classification of the event type according to level 1 of the detailing, as presented in annex no. 6 of this regulation. Event type (Level 2) The classification of the event type according to level 2 of the detailing, as presented in annexes no. 7-13 of this regulation Event type (Level 3) The classification of the event type according to level 3 of the detailing, as provided in annexes no. 7-13 of this regulation. The entity, following the instructions according to the internal regulatory framework, may also use other divisions for the third level of event types. Business line (Level 1) The classification of the event according to the business line described at level 1 of detailing, as presented in annex no.14 of this regulation. Business line (Level 2) The classification of the event according to the business line described at level 2 of detailing, as presented in annex no. 14 of this regulation. The entity, following the instructions according to the internal regulatory framework, may also use other divisions for the second level of the business line. Financial effect The financial effect is filled in with one of the options provided in annex no. 15 of the regulation. Other financial effects provided in article 20, paragraph 3, letter “e” of the regulation, shall apply only for the internal purposes of the entity. Cause (Level 1) One of the options from the “Cause of the event, as per level 1” column of annex no. 5 of this regulation must be filled in. Cause (Level 2) One of the options from the “Cause of the event, as per level 2” column of annex no. 5 of this regulation must be filled in. Gross/Initial loss value (ALL) The initial/gross loss of each event occurring in this register must be filled in. The absolute/positive value is recorded, and negative values should never be entered. Recovery date The date on which the recovery value has been accounted must be filled in. Recovered value Any value recovered from the initial loss must be filled in. The recovered value is recorded in this cell and does not affect the value recorded in the gross/initial loss cell. Boundary event It is filled in with one of the words: “NO” or “Credit risk” or “Market risk”. Clarification: the note “credit risk” or “market risk” is filled in only when the operational event comes from events related to credit or market risk (boundary events). In any other case, “NO” will be recorded. Comments Any relevant comments about the event must be filled in.

Annex no. 5 Event classification by cause, level 1 and 2 of detailing Cause of the event, as per level 1 Cause of the event, as per level 2 People/employees Accidental causes (people) Lack of adequate training/competency Insufficient level of human resources Ineffective roles and responsibilities Miscommunication Ineffective culture Malice Process failure Procedure/process designation failure Procedure/process implementation failure Mismanagement of projects/changes Governance failure External factors Natural disaster Malice Terrorism/external attacks (excluding cyber￾attacks) Environment (excluding natural disasters) Geopolitical/economic/social instability Regulatory and legislative environment Systems Functionality issues Performance/capacity issues Lack of maintenance/unsupported legacy Unavailability Inadequate testing/development Release/deployment issues Misconfiguration Inadequate data storage/retention and destruction management Exploitation of IT security vulnerability Technology-related Planning issues

Annex no. 6 Classification of the event by type, as per level 1 Code Division by level 1 Description EL 1 Internal fraud Internal fraud is related with engaging in unauthorized activities, theft and/or fraud involving at least one employee of the entity. EL 2 External fraud External fraud refers to fraud and/or theft committed by a third party outside the entity. EL 3 Employment practices and workplace safety This category refers to events related to employee relations, workplace safety, as well as diversity/discrimination. EL 4 Clients, products and business practices In this category, operational losses arise as a result of a failure to fulfill a client obligation, or from the nature and design of the product. EL 5 Damage to physical assets This category refers to events related to the loss or damage of assets due to natural disasters or other events. EL 6 Business disruption and system failures This category refers to losses resulting from business interruptions or system failures. EL 7 Execution, delivery, and process management This category includes risk events related to transaction processing or the management of processes and relationships with third parties.

Annex no. 7 Event classification by type, as per level 2 and 3 Event type: (EL1) Internal fraud Code Division by level 2 Code Division by level 3 EL1. 1 Unauthorized actions EA1.1.1 Transactions not reported (intentional) EA1.1.2 Abuse of duty, unauthorized activities EA1.1.3 Mismarking of position (intentional) EL1. 2 Internal theft and fraud EA1.2.1 Fraud/credit fraud/deposits fraud EA1.2.2 Theft/extortion/embezzlement/robbery EA1.2.3 Misappropriation of assets EA1.2.4 Malicious destruction of assets EA1.2.5 Forgery EA1.2.6 Check fraud EA1.2.7 Corruption EA1.2.8 Account takeover/impersonation EA1.2.9 Tax noncompliance/evasion EA1.2.10 Bribes/kickbacks or failure to comply with the rules in cases of benefits (gifts and invitations given and received) EA1.2.11 Insider trading (not on firm’s account)

Annex no. 8 Event classification by type, as per level 2 and 3 Event type: (EL2) External fraud Code Division by level 2 Code Division by level 3 EL2.1 External theft and fraud EA2.1.1 Theft/robbery EA2.1.2 Forgery EA2.1.3 Check fraud EL2.2 Systems security EA2.2.1 Hacking damage EA2.2.2 Theft and disclosure of confidential information

Annex no. 9 Event classification by type, as per level 2 and 3 Event type: (EL3) Employment practices and workplace safety Code Division by level 2 Code Division by level 3 EL3.1 Employee relations EA3.1.1 Issues related to work compensation, benefits and termination EA3.1.2 Organized labor activity EL3.2 Safe environment EA3.2.1 General liability/responsibility related to workplace safety EA3.2.2 Employee health and safety rules problems EA3.2.3 Workers’ compensation EL3.3 Diversity and discrimination EA3.3.1 All discrimination types

Annex no. 10 Event classification by type, as per level 2 and 3 Event type: (EL4) Customers, products, and business practices Code Division by level 2 Code Division by level 3 EL4.1 Suitability, disclosure and fiduciary EA4.1.1 Fiduciary breaches, rules violations EA4.1.2 Issues related to suitability and disclosure of clients’ data, etc. EA4.1.3 Customer disclosure violations EA4.1.4 Breach of privacy EA4.1.5 Aggressive sales EA4.1.6 Account churning EA4.1.7 Misuse of confidential information EA4.1.8 Lender liability EL4.2 Improper business or market practices EA4.2.1 Antitrust EA4.2.2 Improper trade/market practices EA4.2.3 Market manipulation EA4.2.4 Insider trading EA4.2.5 Unlicensed activity EA4.2.6 Money laundering EL4.3 Product flaws EA4.3.1 Product defects EA4.3.2 Model errors EL4.4 Selection, sponsorship and exposure EA4.4.1 Failure to investigate client per guidelines/regulations/lack of knowing the client EA4.4.2 Exceeding client exposure limits EL4.5 Advisory activities EA4.5.1 Disputes over performance of advisory activities

Annex no. 11 Event classification by type, as per level 2 and 3 Event type: (EL5) Physical damage to assets Code Division by level 2 Code Division by level 3 EL5.1 Disasters and other events EA5.1.1 Natural disaster losses EA5.1.2 Human losses from external sources (terrorism, vandalism, etc.)

Annex no. 12 Event classification by type, as per level 2 and 3 Event type: (EL6) Business interruption and system failures Code Division by level 2 Code Division by level 3 EL6.1 Systems EA6.1.1 Hardware EA6.1.2 Software EA6.1.3 Telecommunications EA6.1.4 Utility outage/disruptions (energy, transport...)

Annex no. 13 Event classification by type, as per level 2 and 3 Event type: (EL7) Execution, delivery, and process management Code Division by level 2 Code Division by level 3 EL7.1 Transaction recognition, execution and maintenance EA7.1.1 Miscommunication EA7.1.2 Data entry, maintenance, or loading error EA7.1.3 Missed deadline or responsibility EA7.1.4 Model/system misoperation EA7.1.5 Accounting error EA7.1.6 Other task misperformance EA7.1.7 Delivery failure EA7.1.8 Collateral management failure EA7.1.9 Reference data maintenance EL7.2 Monitoring and reporting EA7.2.1 Failed to comply with reporting requirements (financial or regulatory reporting) EA7.2.2 Inaccurate external report (loss incurred) EL7.3 Clients registration and documentation EA7.3.1 Client permissions/disclaimers missing EA7.3.2 Legal documents missing/incomplete EL7.4 Clients account management EA7.4.1 Unapproved access given to accounts EA7.4.2 Incorrect client records EA7.4.3 Negligent loss or damage of client assets EL7.5 Trade counterparties EA7.5.1 Nonclient counterparty misperformance EA7.5.2 Miscellaneous nonclient counterparty disputes EL7.6 Vendors and suppliers EA7.6.1 Vendors and suppliers disputes

Annex no. 14 Event classification by business line, as per level 1 and 2 Code Division by level 1 Code Division by level 2 BL1 Corporate finance BL1.1 Corporate finance BL1.2 Municipal/ government finance BL1.3 Merchant banking BL1.4 Advisory services BL2 Trading and sales BL2.1 Sales BL2.2 Market-making BL2.3 Proprietary positions BL2.4 Treasury BL3 Retail banking BL3.1 Retail banking BL3.2 Private banking BL3.3 Card services BL4 Commercial banking BL4.1 Commercial banking BL5 Payment and settlement BL5.1 External clients BL6 Agency services BL6.1 Safekeeping of financial instruments BL6.2 Administration and custody of financial instruments BL7 Asset management BL7.1 Fund management BL7.2 Other types of fund management BL8 Retail brokerage BL8.1 Retail brokerage Note: The entity must define specific criteria within the internal regulatory framework for categorizing events according to business lines. These criteria should be reviewed and adjusted for new activities and/or any changes in the business and risks undertaken by the entity. The principles for business lines categorized according to annex no. 14 of this regulation are: a) all activities must be fully categorized/ included in the business lines specified in annex no. 14; b) any activity that cannot easily be categorized within the business lines but constitutes an auxiliary function for an activity included within these lines should be included in the business line it supports. The entity must establish objective criteria for categorizing activities when the auxiliary activity supports more than one business line; c) if an activity cannot be categorized into a specific business line, the entity must use one of the business lines, as is done with auxiliary activities; d) categorization of activities by business lines, for operational risk purposes, must align with the categories used for classifying assets according to credit risk and market risks; e) the process of categorizing activities by business lines should be subject to independent review by internal control.

Annex no. 15 Classification of event according to effect Code Financial effect ET1 Effective loss ET2 Provisions ET3 Pending losses* ET4 Near misses* ET5 Timing losses* ET6 Compensation* *These events will be reported to the Bank of Albania only if they are assessed as critical by the subject itself. Regarding the section “Timing losës”, at the Bank of Albania shall be reported only those events assessed as critical and that have affected/impacted the income statements for two or more years.

Annex no. 16 Example of operational risk events form for reporting by the employees of the entity Name of employee reporting the incident Structure of the employee reporting the incident Event description Event occurence Date of event occurence Date of event identification Booking date Event discoved method (by control, customers, informed by employees, others, specifying) Root cause of the event Gross loss value Potential recovery value Recovery method (insurance, client, counterparty, other, specifying) Recovered value Recovery date Net loss value Financial effect (effective losses, unrealized losses, etc.) Type of event (according to annexes no. 6-13) Business line (according to annex no. 14) Corrective measures

Annex no. 17 Below are presented some boundary events examples related to credit and market risk:

1. Internal fraud through the falsification of borrower data (personal data, borrower status, solvency, etc.);
2. Approval of loans for non-existent persons;
3. Identity theft of the client;
4. Intentional overvaluation of collateral by external experts;
5. Inability to collect bad debts due to the lack of proper filing of documentation/contracts;
6. Unsecured collateral;
7. Deliberate breach of treasury limits;
8. Errors during treasury activities (purchase of wrong securities, selling instead of buying, etc.).