A Banking Corporation’s Activities as a Broker-Dealer

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -1 A Banking Corporation’s Activities as a Broker-Dealer Chapter A: General 2 Introduction 2 Application 3 Definition of terms 4 Chapter B: Corporate Governance 5 The board of directors 5 Senior management 6 Risk management 7 Internal audits 8 Chapter C: Professional Qualifications and Conflict of Interest 8 Qualifications and suitability of directors and employees 8 Prohibition on delegating authority 9 Conflicts of interest 9 Code of conduct 10 Chapter D: Operations Appropriate for the Client 10 Aligning operations with client profile 10 Conveying information to a client (before signing an agreement) 12 Agreement with a client 12 Chapter E: Executing Transactions 13 General 13 Receiving orders from a client 13 Best execution of client trades 14 Restrictions on transactions with clients against the bank’s own account 15 Execution of transactions through a third party 15 Transactions for eligible clients 16 Automatic trading systems (algo trading) 16 Chapter F: Information Systems 17 Information systems 17 Chapter G: Reporting and Documentation of Transactions 17 Reporting to clients after executing a transaction 17 Internal reporting 18 Documentation and document retention 18 Chapter H: Controls 19 Controls on the operations and on unusual activities 19 Chapter I: Application and Transition Provisions 21 Application and transition provisions 21 Revocation of directives 21

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -2 Chapter A: General Introduction

1. This Directive serves as a comprehensive regulatory framework for one of the intermediation functions of the banking corporations—receiving and transferring orders to execute securities transactions for clients, either as brokers or by trading for their own account (broker-dealer activities).
2. This regulatory framework is designed to ensure a fair market of high standards and transparency of execution, which will help protect investors and consequently reinforce investors’ trust in the capital market and the banking system. Protection is needed due to several factors, including the structural asymmetries of knowledge and expertise between banking corporations and their clients and concerns of potential conflicts of interest stemming from banking corporations’ engagement in a broad range of financial activities. Some clients are sophisticated clients who do not require the degree of protection afforded by this framework. Therefore, the Directive distinguishes between retail clients and eligible clients, with respect to whom the banks are exempt of certain obligations when they operate as broker-dealers.
3. When rendering banking services, a banking corporation must conduct itself properly toward the client: This is part of a bank’s fiduciary duties and duties of caution toward its clients. A banking corporation’s conduct toward a client that is inconsistent with these duties constitutes a conduct risk for the banking corporation, and may adversely affect the banking corporation’s reputation and cause the materialization of additional risks and financial damage to the banking corporation and its clients. To reduce its conduct risk, the banking corporation must ensure that it has a proper organizational culture, which includes fair and transparent treatment of its clients.
4. When acting as a broker-dealer, a banking corporation is required to implement principles of proper corporate governance, risk management, controls, and internal auditing, also when transactions are executed by a dealing room, in order to identify the risks entailed in its activities, and manage and mitigate these risks according to its risk strategy and risk tolerance. Such processes must be implemented carefully and cautiously in its securities and foreign currency activities, making special adjustments according to the scope and complexity of the operations and the exposure to various operational risks, including information systems risk, legal risks, risk of fraud and embezzlement, compliance risk, conduct risk, reputational risk, and model risk.
5. This Directive focuses on the banking corporation’s activities involving its clients and activities on its own behalf for itself in the capital market, including transactions executed in dealing rooms, and including when the banking corporation gives its clients direct electronic access to a regulated market.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -3 6. Implementation of the regulatory framework outlined in this Directive complements the Proper Conduct of Banking Business Directives that regulate the banking corporations’ conduct in the areas of corporate governance, risk management, compliance, and other areas, and the laws and rules that regulate banks’ conduct toward its clients , specifically due disclosure, reporting requirements, and Bank Supervision Department guidelines regarding custodian services. This Directive is based on accepted international standards including the requirements set forth in MiFID II, which came into effect in 2018, and the document published in 2010 by the CEBS entitled “Guidelines on the Management of Operational Risks in Market-Related Activities.” 7. When implementing these directives and adopting interpretations, the Bank Supervision Department suggests that bank boards and managements refer to the principles of the FX Global Code, which are designed to promote stable and fair markets where participants can trade safely at competitive prices according to information available in the market and according to accepted international rules of conduct, as well as other international guidelines. Application 8. (a) This Directive will apply to all the following corporations (in this Directive, each a “banking corporation”): (1) a banking corporation and an auxiliary corporation; (2) a corporation, as stated in Section 11(a)(3a), as defined in the Banking (Licensing) Law, 5741-1981 (“the Banking (Licensing) Law”). (b) Operations according to an underwriting obligation, as this term is defined in the Securities Law, 5728-1968 (“the Securities Law”), or distribution operations within the meaning of this term in the definition of “distributor” in the Securities Law, including distribution of securities that are not subject to a requirement to issue a prospectus for eligible clients , in return for a distribution fee, shall not be considered broker-dealer activities; (c) Execution of foreign currency transactions for clients, excluding spot transactions, shall be considered a broker-dealer activities; (d) A foreign bank that complies with MiFID regulation or the Dodd-Frank Act with respect to the operations of its branch in Israel, and is subject to the supervision of the regulator in its country of origin shall be exempt from the requirement to implement this Broker-Dealer Directive, subject to a comfort letter issued by the parent company.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -4 Definition of terms 9. “Stock exchange” As this term is defined in Section 50A of the Securities Law; “External broker” A broker through which the banking corporation executes transactions on the stock exchange or a regulated market; “Financial entity” As this term is defined in the Bank of Israel Law, 5770- 2010, including a company whose purpose is to issue index products, as this term is defined in the Regulation of Investment Advice, Investment Marketing, and Portfolio Investment Management Law, 5755-1995, and a corporation that was incorporated outside Israel whose operations are similar in nature to those of a corporation listed in this definition; “Dealing room” A room in which trading activities (broker-dealer activities) involving securities and foreign currency are executed on the financial and capital market. This room is also known as the “front office.” “Mid-office” and “back office” Control activities to monitor the various risks entailed in the trading activities and their supporting operational activities, and execution and confirmation of transactions and adjustments to transaction data, including any unit that performs similar activities irrespective of its name or organizational status; “Client” As this term is defined in the Banking (Service to the Customer) Law, 5741-1981; “Eligible client” As this term is defined in the Regulation of Investment Advice, Investment Marketing, and Investment Portfolio Management Law, 5755-1995; and governments, public entities that manage public debt, central banks, international and supranational institutions such as the World Bank, the IMF, ECB, EIB and other similar international organizations. “Professional client” An eligible client that is not a financial entity, that elects to have applied to it the protections afforded by this Directive, and specifically with respect to the principle of best execution, as set forth in Section 28; “Securities trading system” As this term is defined in Section 44LA of the Securities Law; “Securities” As this term is defined in Section 52 of the Securities Law;

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -5 “Dealer” An employee who performs trading activities in a dealing room; “Operational risk” As this term is defined in the Proper Conduct of Banking Business Directive No. 350 on “Operational Risk Management,” including fraud, embezzlement, and reputational risk; “Employee” An employee of a banking corporation, and whoever is employed by the banking corporation, whether directly or through a company; “Transaction” A transaction involving securities; “Control and support function” Any unit that performs control and support activities irrespective of its name or organizational status, including functions that are engaged in dealing room controls and operations (mid-office, back office, clearing unit), risk management, legal advisory, compliance, internal audits, and primary accounting. “Broker-dealer activities” Engagement in any of the following: Brokerage activities—receiving and transferring orders to execute transactions for clients, or otherwise executing transaction orders for clients; Dealer activities—the purchase of securities for one’s own account or the sale of securities from one’s own account for the purpose of executing clients' orders; “Relative” As this term is defined in the Banking (Service to the Customer) Law, 5741-1981; “Regulated market” As this term is defined in the Securities Law; “Risk appetite” and “risk tolerance” As these terms are defined in Proper Conduct of Banking Business Directive No. 310 on “Risk Management.” Chapter B: Corporate Governance The board of directors 10. The board of directors of the banking corporation shall discuss and approve a policy for the banking corporation’s broker-dealer activities (“the Operations”), with emphasis on trading activities in the dealing room and promoting an organizational culture that is oriented to reduce the operational risks entailed in such activities. The policy may be drafted as a separate document or may be incorporated in other relevant policy documents, and shall include the issues set forth in this Directive, including:

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -6 (a) Organizational structure, appropriate work processes and procedures for executing transactions, including short sales and securities lending, offsetting of purchases against sales or aggregation of purchases and sales, between clients as well as between clients and the banking corporation that is executing trades for its own account, in all stages of trading, and controls of the transactions in a manner that will ensure, among other things, the fairness, prohibition against client discrimination, continuity of the Operations, their reliability and availability, and their required information security; (b) Risk tolerance; (c) Primary restrictions on operations for each type of exposure and each banking group unit; (d) Best execution, as set forth in Section 28, including management of a list of potential primary regulated markets for each type of financial instrument; (e) Identification and prevention of potential conflicts of interest that may arise in the course of the Operations, as set forth in Section 16 of this Directive; (f) Periodic mapping of the various risks, including operational risks, entailed in the various trading activities, the services, and the products offered to clients, and their adjustment to the defined target audiences that include eligible clients, professional clients, and other clients; (g) Allocation of appropriate resources, including employees with suitable knowledge and experience; (h) Determining a remuneration policy for the employees involved in the Operations, which takes into account achievement of compliance targets, fairness, and avoidance of conflict of interest concerns, and is aligned with the banking corporation’s risk appetite; (i) Determination of the type, content, and frequency of the reports to be submitted to it on broker-dealer operations. Senior management 11. Senior management is responsible for the effective management of the banking corporation’s broker-dealer operations, which includes responsibility for: (a) developing a policy, as set forth in Section 10, to be brought to the approval of the board, and verifying that the approved policy is implemented. (b) verifying the adoption of an appropriate risk management framework, with emphasis on the management of compliance risks, conduct risks, and other operational risks entailed in the corporation’s operations, both as a broker and as a dealer for its own account, which includes procedures, processes, and mechanisms for identifying and monitoring the risks entailed in the

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -7 corporation’s operations to manage and mitigate these risks, in line with the nature of the services and the activities that the corporation performs, and in line with the strategy and risk appetite defined for each. (c) defining, for each audit and control function, as these are defined in the Proper Conduct of Banking Business Directive No. 301 “Board of Directors,” its areas of responsibility, authority and required resources, and its potential access to information systems, in order to permit them to effectively challenge the activities, including defining periodic assessments of risks and the methods used to manage them. (d) verifying that the organizational structure supports an appropriate separation of powers between the business units and the control and support functions in the first line of defense, including defining separate authorities for each dealer or group of dealers, where necessary, and examining the need for physical separation, specifically in dealing rooms. (e) establish procedures for policy implementation, which shall also include: (1)the types of activities, products, and procedures for executing transactions (including transactions that are not determined on market terms, such as transactions determined on historical prices); (2)defining a transaction approval hierarchy; (3)restrictions on operations and hours of operation; (4) performing adjustments and settlement; (5) details of controls in each type of activity; (6)regular training sessions; (7)periodic and immediate reports to the board of directors, business entities, and control factors; (f) establish procedures for handling events that caused a banking corporation to deviate from its risk tolerance or that have specific features, including events that occurred as a result of actual or suspected acts of fraud or embezzlement, and regulating the reporting of such events to the appropriate managerial rank. (g) establish procedures for executing orders of employees of the banking corporation for themselves or in their name, or for their relatives, in order to prevent a conflict of interests or use of inside information or use of other privileged information to which the employee was exposed in the course of their work.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -8 (h) verifying that targets determined for employees engaged in the banking corporation’s operations as a dealer for its own account are consistent with the bank’s risk appetite. Risk management 12. The second line of defense, which includes the risk management function and the compliance function, shall include at least the following issues in their supervision and control of the banking corporation’s broker-dealer activities, and specifically its activities in the dealing rooms: (a) ongoing control of the operations and its profitability, including control of incidents in which individuals exceed their authority, control of transactions involving unapproved products, and transactions that exceed approved credit facilities; (b) examining the effectiveness of the controls and the control factors in the first line of defense; (c) receiving independent reports and challenging the reports and the data; (d) identifying risks that stem from fraud, embezzlement, and unethical conduct, and embedding a procedure to map these risks as an integral part of the risk management framework, in a manner consistent with the operational risk assessment methodology; (e) analyzing the sources of the operational risks in trading activities, including in dealing rooms, and identifying and monitoring them at the appropriate timing and frequency; (f) additional obligations, as set forth in Proper Conduct of Banking Business Directive no. 308 “Compliance and the Compliance Functions in a Banking Corporation,” no. 301 “Risk Management,” and no. 350 “Operational Risk Management.” Internal audits 13. The third line of defense — the internal audit system — shall also include broker￾dealer activities in its work plans, in a four-year cycle or more frequently, with special emphasis on dealing room operations, taking into consideration the level of risk and complexity of the operations, according to Proper Conduct of Banking Business Directive no. 307 “Internal Audit Function,” and specifically: (a) shall examine the efficiency and reliability of the defined set of reports; (b) shall examine unusual operating events and the banking corporation’s drawing conclusions process; (c) shall examine complaints from entities in and outside the banking corporation on issues related to irregular conduct in the trading activities;

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -9 (d) shall verify that a minimum period of uninterrupted absence for dealers is required, including a prohibition on a dealer’s access to trading systems during their period of absence, and the appointment of another employee to perform their duties in their absence, as stated in Proper Conduct of Banking Business Directive no. 360 on “Rotation and Uninterrupted Vacation.” Chapter C: Professional Qualifications and Conflicts of Interest Qualifications and suitability of directors and employees 14. (a) The board of directors, senior management, and employees of the control and support function are required to have professional understanding commensurate with their position, and capabilities and powers in order to challenge the trading and settlement operations effectively (including with respect to their actual and potential operational risks, and with respect to the dealers’ activities). (b) A banking corporation shall verify that all employees who perform broker￾dealer operations (including dealers in the dealing rooms and employees of the control function) meet the qualifications and conditions of suitability for their position. (c) To maintain the qualifications of the employees involved in the operations, the banking corporation shall ensure that those employees receive ongoing professional training according to procedures to be determined on this issue. Training will cover aspects of organizational culture, professional conduct, and prevention of fraud and embezzlement in trading activities, among other topics. Prohibition on delegating authority 15. A banking corporation shall conduct broker-dealer operations through an employee of the banking corporation or through services rendered by an entity that is not an employee of the banking corporation, provided this does not limit the banking corporation’s liability toward its clients for any operation or transaction. Conflicts of interest 16. (a) Procedures to prevent conflicts of interest shall include: (1) Identification of circumstances in which there is a conflict of interest between the banking corporation, including its controlling shareholders, managers, and employees, and its clients, or between one client and another, where such situations that may be caused by

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -10 incentives granted by a party related to the operations or caused by the remuneration policy of the banking corporation itself. (2) Identification of circumstances that might lead to said conflicts of interest, including circumstances in which a conflict of interest may arise as a result of the business activities of other corporations in the banking group. (3) Procedures to prevent improper use by employees or other parties of the information regarding clients’ securities orders and activities that accumulates in the possession of various parties in the banking corporation. (4) A procedure to monitor and control the potential risks that arise from changes in employees’ positions, with emphasis on the employees of the front office, the middle office, or the relevant support information systems, especially if the transition is to a position related to the same product or segment of operations. (5) A description of the organizational structure and the procedures that were determined. (b) In the event that the organizational structure or the procedures that were determined to prevent circumstances in which conflicts of interest arise are insufficient to ensure, at an appropriate degree of reasonableness, that no clients may be adversely affected by the conflict of interest, the banking corporation must disclose this fact to the client, including the steps taken to mitigate the risk, before executing transactions for the client. The disclosure shall be made in writing and shall include information that is sufficient to allow the client to make a decision regarding the service that will be affected by the conflict of interest. Code of conduct 17. (a) A banking corporation that operates as a broker-dealer shall act fairly, transparently, and professionally toward its clients. (b) All information that is conveyed to clients as part of the broker-dealer operations shall be fair, clear, and not misleading. (c) The banking corporation shall develop and implement a specific code of conduct for broker-dealers, similarly to the code of conduct required by Proper Conduct of Banking Business no. 350 “Operational Risk Management,” that will also address the unique aspects of trading activities and the relationships between the dealers and their counterparties (for example, noncontractual payments and benefits, if any exist). (d) No banking corporation, employee of the banking corporation or a party operating for or on the behalf of the banking corporation shall accept any

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -11 benefit, either directly or indirectly, in connection with a service rendered to a client by a party related to the operations or rendered by third parties, unless explicitly permitted by law; A banking corporation may accept a consideration from the client for ancillary costs and charges with respect to the execution of the transaction, as set forth in Section 19(c). (e) A banking corporation employee may not receive a power of attorney from a client to execute securities transactions unless the client is a relative, subject to restrictions to be determined by the banking corporation, as set forth in Section 11(g). (f) A banking corporation shall hold its clients’ securities separately from its own. Chapter D: Operations appropriate for the client Aligning operations with client profile 18. (a) Before a banking corporation allows a client to execute securities transactions, the banking corporation shall assess whether the activity is appropriate for the client in terms of the client's understanding of the risks and prospects entailed in their operations, and the extent of the client's knowledge or experience, based on the information conveyed by the client. The scope and nature of the assessment shall be determined according to the nature and complexity of the securities in which the client will be trading. If the banking corporation finds that the client is not suited for trading in the securities in which they wish to trade, the banking corporation shall caution the client, alerting them to their lack of suitability. The warning may be given in a standard format. (b) Notwithstanding subsection (a): (1) For a banking corporation that operates as a broker, it is sufficient to conduct an assessment of the appropriateness of operations for a client only with respect to complex financial instruments and to warn the client if the banking corporation finds that the client's knowledge or experience are not suited for operations involving said instruments. The warning may be given in a standard format. (2) A banking corporation may determine a standard warning to be issued to all its clients who trade in complex financial instruments or in securities that, according to the banking corporation’s determination, require special expertise. Notwithstanding the above, the banking corporation may consider removing the warning from eligible clients or professional clients, as relevant.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -12 (c) The assessment may change over the years of the banking corporation’s relationship with a client if the banking corporation receives new information about the client or if a new security is involved. (d) In the event that the client elects not to give the banking corporation information about their knowledge or experience, or elects to provide incomplete information, the banking corporation shall warn the client that it is unable to determine whether trading in a certain security is appropriate for them. The warning may be given in a standard format. (e) The banking corporation shall decide whether to allow a client who received a warning, as described in subsections (a), (b), or (c), to trade in said securities or financial instruments. If the banking corporation decides to allow a client who so elects to do so to proceed to execute a transaction despite the warning, the banking corporation shall document the warning and consider whether to require the client to sign a confirmation that the client was so warned. (f) The banking corporation shall document the details of the procedure to assess the client appropriateness with the transaction, if performed, and the warnings and notices that were given to the client in this matter. For the purpose of this section, a “complex financial instrument” is a derivative financial instrument, including options, future contracts, forward contracts, and swap contracts. A banking corporation may expand this definition to include additional securities. Conveying information to the client (before signing an agreement) 19. Before signing an agreement to execute securities transactions, a banking corporation shall give its clients comprehensive information in writing on the following topics, so that the clients may understand the nature and the risks entailed in such operations. The information may be given in a standard format. The information shall include: (a) a general description of the types of securities, including the risks entailed in those securities; (b) a description of the policy on executing clients’ orders, including the best execution policy. The description shall include the regulated markets on which the banking corporation trades in the various types of securities, the factors that affect the selection of the regulated market, such as prices, commissions, speed and quality of the execution and settlement in those markets; (c) ancillary costs and charges.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -13 Agreement with a client 20. (a) A banking corporation shall conduct itself with its clients according to a written agreement that shall include the parties’ rights and obligations, including the identity of the party that is entitled to convey orders to the banking corporation, restrictions on the operations, and other conditions under which the operations shall be performed. (b) Before signing an agreement, a banking corporation shall inform an eligible client that is not a financial entity that it has the option of having the banking corporation apply the protections that this Directive affords. A client who exercises this option shall be classified as a professional client. The agreement shall note whether the client is an eligible client or a professional client and shall list the requirements from which the banking corporation is exempt according to Section 31 of the Directive. (c) The banking corporation shall send a notice to the client of any change in their classification. (d) The agreement shall note that no action was taken to assess the client’s appropriateness with the operations, if the client reported on the agreement execution date that said client intended to give orders for regulated markets only with respect to financial instruments that are not complex financial instruments, and in which the banking corporation acts as a broker in the transaction. (e) A banking corporation whose execution policy allows the execution of clients’ orders in nonregulated markets shall inform the client of this and receive the client's explicit consent before executing an order for the client in a nonregulated market. Chapter E: Executing Transactions General 21. The banking corporation’s procedures shall include reference to the following matters: (a) transactions that a dealer is allowed to initiate and close; (b) the cases in which transactions may be initiated and closed in a dealing room outside the dealing room’s official hours of operation; (c) trading outside the physical confines of the banking corporation, and the employees who have the authority to do so, the types of permitted trades, the involvement of the control function, and the required documentation.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -14 22. Trading activities shall be backed by appropriate agreements, and when a standard framework agreement is being used with a counterparty, the agreement will, as far as possible, include enforceable clauses pertaining to settlement netting and closeout netting. 23. Furthermore, the banking corporation shall, as far as possible, ensure that schemes exist for the novation or tear-up of agreements in order to reduce a specific position and reduce the banking corporation’s exposure to operational risk and counterparty risk without significantly changing its market risk position. 24. A banking corporation that allows late trades shall verify that the relevant control and support functions are concurrently active in a format that is appropriate for the approved operations and in line with the risk assessment. 25. The assignment of a single dealer (including a desk manager) to a desk with significant activity should be limited as far as possible. 26. Manual procedures in trading and executing deals shall be avoided, with the exception of cases defined in advance (with respect to the type of transactions, the scope, the entity authorized to execute them, etc.). Receiving orders from a client (a) Clients’ securities trading orders may also be given through the communication channels listed in Proper Conduct of Banking Business no. 367 “E-Banking,” subject to the identification and authentication requirements of said Directive, provided that the banking corporation meets the documentation requirements stated in Section 46 of this Directive. (b) A banking corporation shall define procedures to handle clients’ orders immediately and in a cautious manner and fairly, with respect to orders of other clients or with respect to transactions that the banking corporation is executing for itself. These procedures shall determine, among other things, that: (1) The order shall include all relevant information, including precise time of receipt, estimated time of execution, amount of the trading order, and any time, price, or loss limit or limit on the execution of the order to a specific stage of trading. (2) A client's order (that can be executed in a securities trading system) shall be transferred for execution immediately upon its receipt by the banking corporation, subject to the trading limits, including the hours of operation and the client's limits as stated in subsection (1) above, unless otherwise agreed upon with the client, or if the order meets the conditions of subsection (4) below. (3) Similar client orders shall be executed in the order they were received by the banking corporation.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -15 (4) It may reasonably be possible to deviate from the rapid execution of a client's order with respect to certain types of transactions and situations that the banking corporation defined in advance, in order to obtain more favorable terms for the client, provided that the client consented to this in advance. (5) A banking corporation that executes aggregated orders of various clients shall verify that the allocation is made fairly and does not discriminate among clients, even when the order is only partially executed. (c) If the banking corporation learns that the execution of a client's orders entails a material problem, due to a problem in the trading systems managed by the banking corporation or in those managed by entities that are external to the banking corporation, such that the problem affects the execution of the client's order in a manner that significantly deviates from the banking corporation’s execution policy, the banking corporation shall inform the client as soon as possible. Best execution of client order 28 (a) A banking corporation shall use all reasonable means to provide clients with the most favorable execution of their order, considering, among other factors, the following features of the transaction: size, price, costs, speed of execution, likelihood of execution and settlement in potential regulated markets or outside the regulated markets in which the banking corporation operates, as stated in Section 19(b). The banking corporation may be unable to obtain the most favorable execution for each and every client order but it is required to document that ongoing controls are in operation to verify that the execution procedure is oriented to best execution and to indicate whether a revision of the execution policy is required. (b) Notwithstanding the provisions of subsection (a), when a client gives a specific trading order, the banking corporation shall execute the transaction according to the client's order, and according to the client order execution policy, as stated in Section 19(b), even when the trade is executed outside a regulated market. Such orders may be given within the agreement signed with the clients as stated in Section 20. (c) A banking corporation shall notify its clients in advance of any significant changes in its execution policy of which they had been informed, as stated in Section 19(b). (d) Best execution with respect to over-the-counter (OTC) products implies that when a banking corporation executes a client’s order or when it decides to trade in OTC products, including tailor-made products, it is required to examine the fairness of the price and trade that is offered to the client by

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -16 collecting market data in order to estimate the product price, and, where possible, by comparing the price to the prices of similar products. This examination shall be adjusted to the nature of the financial instrument, the monetary scope, and other trading features. These processes shall be anchored in the banking corporation’s policy and procedures, and the banking corporation shall verify that appropriate pricing systems exist and shall examine the methodology in order to ensure that examinations of price fairness are consistent. Restrictions on transactions with clients against the bank’s own account 29. A banking corporation shall not execute, outside a stock exchange or outside a regulated market, a transaction involving securities traded on a regulated market in or outside Israel between its own account (nostro) and a client's account, excluding the following: (a) for the purpose of correcting an error; (b) a sale of at least 2 percent of the means of control in a corporation; (c) a trade between the banking corporation and the Bank of Israel; (d) trades that, pursuant to Section 44DD, are not subject to the provisions of Chapter G3 of the Securities Law in the matter of trading platforms for one’s own account. Execution of transactions through a third party 30. (a) A banking corporation that enters into an agreement with an external broker that operates on its behalf in or outside Israel shall define rules for selecting and reviewing external brokers, which shall include the broker’s ability to provide a fair and appropriate standard of service, the broker’s financial strength, division of the legal liability between the external broker and the banking corporation, and the banking corporation’s control and supervision of the broker’s performance. (b) A banking corporation that permits a client to give buy and sell orders directly to an external broker that operates on behalf of the banking corporation in or outside Israel, shall define procedures that require the client and the broker to sign written agreements. These agreements shall include the terms of the agreement, including any restriction on the amount of the trades, and a requirement to specify for each trade that the order is given by the client directly to the broker. (c) The banking corporation shall carefully ensure that it receives a written report of the results of the trades executed by the external brokers operating on its behalf. The banking corporation shall define appropriate control arrangements that allow it to compare the orders to the actual trades executed, both by external brokers and by internal traders, to the extent that the execution orders are accessible by

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -17 the banking corporation. Furthermore, the banking corporation shall verify the existence of a valid license or other official permit that attests to the external broker’s permit to operate on the relevant stock exchange or regulated market. Transactions for eligible clients 31. A banking corporation shall be exempt from the requirement to implement Sections 18 (Aligning operations with client profile), 19 (Conveying information to a client [before signing an agreement]), 28 (Best execution of client orders) and 41 (Reporting to clients after executing a transaction) with respect to eligible clients. Automatic trading systems (algo-trading) 32. A banking corporation that gives its clients direct electronic access to a regulated market shall operate as follows: (a) The banking corporation shall ensure implementation of effective controls over the clients' operations in the regulated market, to verify that they do not expose the banking corporation to risks; (b) The banking corporation shall verify that the clients are operating in the regulated market within the restrictions defined in advance for each trading amount and credit amount; (c) The banking corporation shall ensure the maintenance of an updated list of the clients who received such access. 33. A banking corporation that serves as a general clearing member for others shall define relevant conditions and requirements to reduce the potential risks to the banking corporation or to trading that may arise as a result of these activities, and shall ensure implementation of effective controls to verify that clients who receive such clearing services comply with these conditions and requirements. Chapter F: Information Systems Information systems 34. The banking corporation shall integrate appropriate trading-related information systems in order to ensure a high degree of protection against the materialization of risks, such as operational risks and cyber risks. 35. The banking corporation shall define access permissions and an infrastructure that provides appropriate protection against unauthorized modifications to the information used in post-trading processes (e.g., through physical or logical separation between the infrastructure used for trading and the infrastructure used for post-trading processes). 36. In addition to the provisions of Proper Conduct of Banking Business no. 357 “Information Technology Management,” the banking corporation is required to

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -18 define a policy on access to its trading-related information systems, which shall be updated periodically according to, among other factors, changes that the banking corporation makes to the information systems that it uses. 37. Appropriate increased controls, including scope limits that correspond to different levels of control, shall be applied to systems that automatically execute trades for the banking corporation and are classified as critical systems according to Proper Conduct of Banking Business Directive no. 361 “Cyber Defense Management.” 38. The degree of security applied to these systems must be reviewed and monitored in an ongoing manner to prevent unauthorized access to the corporation’s infrastructure so as to avert the disclosure of confidential information to third parties and the creation of fictitious documents or fictitious positions in the books. 39. The banking corporation shall perform capacity and performance tests of the trading system in an ongoing manner and under stress tests. 40. In addition to the provisions of Proper Conduct of Banking Business Directive no. 355 “Business Continuity Management,” the banking corporation shall define the procedures and systems that are necessary to maintain business continuity and the continuity of trading, including a recovery strategy for the event of a system failure. Chapter G: Reporting and Documentation of Transactions Reporting to client after executing a transaction 41 (a). To a client connected to its systems through digital means, a banking corporation shall display information regarding the execution of the order (including a transaction executed according to the client's standing order) shortly after the banking corporation receives details of the executed order; and to a client who is not connected by digital means, the banking corporation shall send, within ten days of the trade execution date, a written notice that includes the information regarding the execution of the order. The information shall also include the following details, insofar as these details are in the banking corporation’s possession: (1) the name of the banking corporation; (2) the name of the client and an additional identifying detail; (3) the date and time the trade was executed; (4) the type of transaction; (5) the name of the regulated market;

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -19 (6) details of the financial instrument, including its name, amount, and price; (7) fees related to the execution of the trade. (b) At least once a year, a banking corporation shall send the client a periodic report of the transactions executed for them. These reports shall also include details of securities balances and the costs related to the execution of the transactions. Internal reporting 42. A banking corporation shall verify that its internal reports are of a high standard, are consistent and are suitable for the needs of its various managerial ranks and control units according to their uses and needs. The reports shall rely, as far as possible, on information sources other than the party that initiated and executed the trades. 43. The reports shall include explanations of any discrepancies found between the profitability figures according to internal reports and the profitability figures reported to the public. 44. The trading-related reporting systems shall issue appropriate alerts and warnings to the board of directors, the senior management, and the control and risk management functions when suspicious activities are discovered or when material events occur. 45. The banking corporation shall verify that the following transactions are reported to the appropriate parties in the organizational hierarchy: irregular and unusual trades, deviations in approval and alignment processes in recording, processing, settling trades, cancellations, corrections, late trades, and off-market rates. Documentation and document retention 46. (a) (1) A banking corporation shall record in a document each action related to a trade performed within its operations as a broker-dealer, shortly after it occurs, including execution orders and buy and sell orders; execution of transactions of a client or of any entity in the banking corporation that is involved in the execution of the clients' execution order; all relevant positions, cash flows, and calculations related to a specific transaction (e.g., positions in the trading portfolio, profit and loss, and contingent or conditional cash flows); and a record of the trade and everything related to it in the banking corporation’s books — all in order to allow full and precise reconstruction of the trade including a control path beginning from the issue of the execution order, and reconstruction of the trade’s impact on the accounts that the banking corporation manages (“trade-related document”).

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -20 (2) A banking corporation shall retain documentation of each trade￾related document for a period of at least seven years from the date the banking corporation received the document or from the trade execution date, the later of these two dates. For the purpose of this section, “document” also includes a record or recording of telephone orders, electronic messages, or computer scans; (b) The banking corporation shall take reasonable measures to record or document relevant telephone calls or other electronic communications made through a device that the banking corporation gave the employee, including when trading takes place outside the physical confines of the banking corporation or when the conversations do not result in a trade. The documentation of calls that did not lead to a trade shall be retained for a reasonable period. (c) The banking corporation shall take reasonable measures to prevent employees from using their personal phones or other personal means of electronic communication to which the banking corporation cannot apply means to document trade-related actions (whether the trades are to the banking corporation’s own account or whether the trade involves the execution of a client's order). Chapter H: Controls Controls on the operations and on unusual activities 47. A banking corporation shall develop automated monitoring and control tools to identify suspicious activities, embezzlement and fraud, including trading deviations, deviations from credit facilities, matched trades, problematic patterns of conduct or communications, etc., that will allow management to respond to fraud, embezzlement or suspicious activity within a reasonable period, especially where sensitive processes and products are involved. 48. A banking corporation shall identify potential sources of embezzlement, fraud and unethical conduct and shall define measures to prevent them, also taking into consideration the potential for trading manipulations. The banking corporation shall define the frequency of the controls (daily, intraday, monthly, etc.), taking into consideration the extent and type of risks to which its trading activities are subject. The banking corporation shall verify that the controls are performed regularly and are documented. 49. In its analysis of potential sources of embezzlement and fraud, the banking corporation shall address at least all of the following:

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -21 (a) the use of scenarios to identify the corporation’s potential exposure to embezzlement or fraud incidents or unethical conduct of various degrees of severity in the corporation, and the corporation’s ability to discover and manage such incidents committed by entities in or outside the corporation; (b) definition and identification of deviations in clients' activities, clients' accounts, and dealers’ activities; (c) monitoring of new accounts to identify, among other things, fictitious accounts that are opened to conduct unauthorized activities; (d) continuously examine and analyze embezzlement and fraud incidents and incidents of unethical conduct, including events that occurred in corresponding organizations in and outside Israel, learn the lessons from those incidents, and take steps to reduce the likelihood of their occurrence or recurrence in the banking corporation. 50. Monitoring through alerts or whistle blowing may help identify unusual trading patterns and assist in the investigation of events discovered by the internal control function. These processes may also include an elevation in the responsivity of the internal alert reporting mechanism and definition of procedures to check communications from external entities such as brokers, clearing house members, as this term is defined in Section 44LA of the Securities Law, and custodians who provide custodial services for client assets. 51. The banking corporation shall report to the appropriate control function any unusual event and operational risk event that was discovered in OTC trades that originate from inside or outside the banking corporation. 52. A banking corporation shall ensure the existence of an appropriate control framework that takes into account the ties between dealers and their counterparties. 53. A banking corporation shall verify that the collateral reconciliation processes are being carried out properly and that any change matches the relevant positions in the books. 54. A banking corporation shall conduct, and integrate into its daily and monthly examinations of profit and loss, an analysis of significant unusual activities related to profit and loss in order to examine whether they were caused by operational risk incidents, and specifically shall monitor unusual activities such as cancellations, amendments, late trades, and off-market trades. 55. A banking corporation shall perform an analysis of all the major positions in profit and loss, and the major profit and loss amounts (from day one), including those that were canceled or amended.

Supervisor of Banks: Proper Conduct of Banking Business (03/24) A Banking Corporation’s Activity as Broker-Dealer pg. 461 -22 56. The banking corporation shall carefully control the denoted values of trades or positions because it is not necessarily possible to identity operational risks and counterparty risks from net amounts. Chapter I: Application and Transition Provisions Application and transition provisions 57. This Directive comes into effect on August 1, 2025. Revocation of directives 58. Proper Conduct of Banking Business Directive No. 461 on “A Banking Corporation’s Dealings in Securities on Its Customers’ Account” shall be revoked when this Directive comes into effect. 59. Proper Conduct of Banking Business Directive No. 419 on “Document Retention” shall be revoked when this Directive comes into effect.

---

Circular 06 number Version Details Date 2751 1 Original directive July 19, 2023 2776 2 Revision March 3, 2024