Instruction No. 13/2022 of 22 November

---

INSTRUCTION NO. 13/2022 of 22 November SUBJECT: FINANCIAL SYSTEM

• Report on Corporate Governance and Internal Control

Given the need to regulate the rules and procedures for reporting information on corporate governance and internal control to the Bank of Angola, as provided in paragraph 7 of Article 46 of Notice No. 01/2022, dated 28 January, on the Corporate Governance Code for Banking Financial Institutions; Under the provisions of Article 166 of Law No. 14/21, dated 19 May, General Regime for Financial Institutions Law, combined with paragraph f) of number 1 of Article 31 and number 1 of Article 98, both of Law No. 24/21, dated 18 October, Bank of Angola Law. DETERMINES:

Object This Instruction establishes the structure and minimum content that Banking Financial Institutions must include when preparing their annual report on corporate governance and internal control.

Scope 2.1 This Instruction applies to Banking Financial Institutions supervised by the Bank of Angola, as provided in number 2 of Article 7 of Law No. 14/21, dated 19 May, General Regime for Financial Institutions Law.

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 2 of 22 2.2 The provisions of this Instruction also cover Non-Banking Financial Institutions supervised by the Bank of Angola, namely: a) Management companies for social holdings as provided in Article 229 of Law No. 14/21, dated 19 May, General Regime for Financial Institutions Law; and, b) Payment system operating companies, under Article 10 of Law No. 40/20, dated 16 December, Angolan Payments System Law and paragraph k) of number 3 of Article 7 of Law No. 14/21, dated 19 May, General Regime for Financial Institutions Law.

Report on Corporate Governance and Internal Control on an Individual Basis 3.1 The corporate governance and internal control report must include, at a minimum, the following matters: 3.1.1 Corporate Governance 3.1.2 Introduction a) Identification of the company; and, b) Declaration by the management body regarding the sufficiency of internal control policies and processes at the individual level, as well as the accuracy of the information contained in this report, with reference to the draft template in Annex I of this Instruction. 3.1.3 Strategy a) Concise description of the strategy, main business objectives, operational, accounting and control support areas, as well as the forecast contribution of each area to results and overall revenue; and, b) Information on the level of common equity tier 1 (current and forecast) and its sufficiency to cover risks, with identification of relevant categories.

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 3 of 22 3.1.4 Internal Organization a) Organogram with all structural units, number of employees in each and respective manager; b) Description of the composition and functioning mode of the entity or body constituted by shareholders, to which competences regarding remuneration of corporate bodies have been delegated; c) Description of the composition, competences and functioning mode of the management body, including the involvement of non-executive and independent directors; d) Description of the composition, competences and functioning mode of the executive committee, including the distribution of portfolios; e) Description, where applicable, of the composition, competences and functioning mode of entities or bodies to which competences for monitoring internal control systems, risk management, appointment, evaluation and remuneration of employees have been delegated; f) Description of the functions of each structural unit with separation between business, operational support, accounting and control areas; and, g) Description of policies and processes within corporate governance and internal control, namely: i. Segregation of functions; ii. Accounting; iii. Conflicts of interest; iv. Transactions with related parties; v. Remuneration (corporate bodies and employees); vi. Ethical principles (code of conduct); vii. Transparency and disclosure of information; viii. Compliance;

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 4 of 22 ix. Reporting of irregularities (whistleblowing channel); x. Outsourcing; and, xi. Information and communication systems, including the description: a. Strategy for systems and their alignment with the institution's overall strategy; b. Processes and applications used, notably in risk collection, processing and disclosure; c. Access control; d. Competences and responsibilities of each stakeholder; e. Information security and privacy; and, f. Information continuity and recovery in case of contingency/disaster. 3.2 Risk Management System 3.2.1 Description of key functions' duties: a) Risk management; and, b) Compliance. 3.2.2 Description of risk management policies and processes: a) Identification; b) Assessment; c) Monitoring; d) Control (limits and compliance monitoring); and, e. Performance of stress tests or crisis simulations. 3.3 Internal Audit a) Description of internal audit function duties; b) Annual audit action plan; c) Indication of the last audit performed for each area in the organogram; and,

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 5 of 22 d) Description of follow-up actions regarding deficiencies detected in audit actions, with explicit mention of results obtained. 3.4 Internal Control System Deficiencies: 3.4.1 Identification of internal control system deficiencies, including: a) Their description; b) Date of detection; c) Organizational unit or functional area that detected them; d) Organizational unit or functional area to which they relate; e) Information on internal control in previous reports; f) Associated risk level, according to grading criteria in Annex III of this Instruction; g) Planned plan for correcting deficiencies, including actions to be taken and respective deadlines; and, h) Level of involvement of key functions in risk management, compliance and internal audit. 3.5 Supervisory Body Opinion, duly dated and signed, regarding: a) Accuracy and adequacy of the report; and b) Sufficiency of current policies and processes in corporate governance and internal control matters. 3.6 External Auditor Opinion, duly dated and signed, regarding the accuracy and adequacy of the report.

Report on Corporate Governance and Internal Control for the Financial Group The management body of the parent company must prepare and submit to the Bank of Angola an annual report on corporate governance and internal control for the financial group, covering at a minimum the following matters: 4.1 Introduction a) Identification of the financial group's parent company; and, b) Declaration by the management body regarding the sufficiency of internal control policies and processes at the group level, as well as the accuracy of information in this report, with reference to the draft template in Annex II of this Instruction. 4.2 Strategy Concise description of the group's strategy and each company's contribution to global objectives, notably for revenue formation and results. 4.3 Corporate Organization a) Group structure with identification of each company's business nature; b) Description of the management body's functioning mode regarding subsidiary monitoring;

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 6 of 22 c) Policies and processes regarding transactions between financial group companies; and, d) Description of policies and processes developed by the parent company for application at the financial group level: i. Remuneration; ii. Conflicts of interest; iii. Internal audit; iv. Compliance; v. Risk management; and, vi. Others (including outsourcing).

4.4 Internal Control System Deficiencies: a) Identification of subsidiaries' internal control deficiencies with relevant activity that are not legally required to submit a report, as provided in point 4.3 of this Instruction, including justification for cases where subsidiaries' previously mentioned activity is considered not relevant for internal control purposes; and, b) For the purpose of the preceding paragraph, the structure provided in point 3.4 of this Instruction shall be used. 4.5 Supervisory Body Opinion, duly dated and signed, regarding: a) Accuracy and adequacy of the report; and b) Sufficiency of current policies and processes in corporate governance and internal control matters. 4.6 External Auditor Opinion, duly dated and signed, regarding the accuracy and adequacy of the report.

Questionnaire The reports provided for in this Instruction must be accompanied by the corresponding questionnaire, with relevant observations, as set out in Annex IV of this Instruction.

Sanctions Non-compliance with the mandatory norms established in this Instruction constitutes an infraction punishable under Law No. 14/21, dated 19 May, General Regime for Financial Institutions Law.

Doubts and Omissions Doubts and omissions resulting from the interpretation and application of this Instruction are resolved by the Bank of Angola.

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 8 of 22 Entry into Force This Instruction enters into force on the date of its publication.

PUBLISHED: Luanda, 22 November 2022. THE GOVERNOR JOSÉ DE LIMA MASSANO

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 9 of 10 ANNEX I DRAFT DECLARATION ON AN INDIVIDUAL BASIS The Board of Directors declares that, to the best of its knowledge, the policies and processes established within the internal control system comply with the principles set out in Article 26 and the permanent achievement of objectives set out in Article 27, both of Notice No. 01/2022, dated 28 January. It further declares that, under the provisions set out in paragraph b) of subpoint 3.1.2 of number 3 of Instruction No. 13/2022, dated 22 November, the information contained in the report to which this Declaration refers is true and appropriate. __________, __ de ________de 20 Signatures of the Board of Directors members

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 10 of 10 ANNEX II DRAFT DECLARATION ON A CONSOLIDATED BASIS The Board of Directors declares that, to the best of its knowledge, the policies and processes established within the financial group's internal control are consistent and comply with the principles set out in Article 26 and the permanent achievement of objectives set out in Article 27, both of Notice No. 01/2022, dated 28 January. It further declares that, under the provisions set out in paragraph b) of subpoint 3.1.2 of number 3 of Instruction No. 13/2022, dated 22 November, the information contained in the report to which this Declaration refers is true and appropriate. ________, __ de _________de 20 Signatures of the Board of Directors members

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 11 of 22 ANNEX III RISK LEVELS

1. High Risk Level Serious aspect or situation that may impact: § Significant financial losses for the Banking Financial Institution; § Significant impact on the reputation of the Banking Financial Institution, prejudicing its ability to continue operating; § Liquidity problems of the Banking Financial Institution; § Violation of the strategy or ethical and deontological values of the Banking Financial Institution; § Relevant non-compliance with regulations issued by the Bank of Angola, applicable to the Banking Financial Institution's activity.
2. Medium Risk Level Aspect or situation that may impact: § Financial losses for the Banking Financial Institution; § Impact on the reputation of the Banking Financial Institution; § Non-compliance with regulations issued by the Bank of Angola, applicable to the Banking Financial Institution's activity; § Loss of control over a process or application of a policy, with repercussions on the efficiency of the Banking Financial Institution's activity.
3. Low Risk Level Aspect or situation whose solution contributes to increasing the efficiency of the Banking Financial Institution's activity, not classified as high or medium risk level.

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 12 of 22 ANNEX IV QUESTIONNAIRE ON CORPORATE GOVERNANCE AND INTERNAL CONTROL Notes:

1. When completing this questionnaire, Banking Financial Institutions must answer all questions unequivocally, except where the question expressly indicates the option of no response as not applicable, based on previous answers.
2. Questions covered by Chapter G "Financial Groups" must only be answered by the financial group's parent company.
3. When completing this questionnaire, Banking Financial Institutions must include observations regarding the answer given to previous questions.

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 13 of 22 Chapter Questions Yes No Observations

1. Have shareholders formally implemented an entity or body to which they delegated competences regarding remuneration policy for members of the General Assembly Board and Corporate Bodies?
2. Does this entity or body meet at formally defined periodicities, without prejudice to extraordinary meetings determined by relevant events?
3. Does this entity or body adequately formalize work orders, agendas and other supporting documents for its meetings and reflect, concisely and objectively, decisions in minutes?
4. Does this entity or body make minutes and other supporting documents known to all members and collect signatures from all participants in meetings?
5. Are criteria, parameters and calculation methods for remuneration policy of members of the General Assembly Board and Management and Supervisory Bodies, as well as performance evaluation of executive Management Body members, communicated to shareholders at annual general meetings approving accounts?
6. Does the Management Body define, formalize and periodically review (at least annually) the corporate governance model of the Banking Financial Institution? 2. Does the Management Body meet at formally defined periodicities?
7. Does the Management Body adequately formalize work orders, agendas and other supporting documents for its meetings and reflect, concisely and objectively, decisions in minutes?
8. Does the Management Body make minutes and other supporting documents known to all members and collect signatures from all participants in meetings?
9. Does the Management Body institute a duly formalized functioning regulation covering assigned responsibilities, rules for meeting periodicity, convening, prior availability of debate topics, presiding over proceedings, formalizing decisions in minutes and archiving supporting documents, including accounting or management information?
10. Does the independent member(s) of the Management Body prepare a report on function performance, reported to the Management Body and annually to the Bank of Angola?
11. Does the Management Body define, formalize, implement and periodically review (at least annually) the organizational and functional structure?
12. Does the Management Body define, formalize, implement and periodically review (at least annually), relations, policies and processes of authority, delegation of competences, communication and information reporting?
13. Does the Management Body define, formalize, implement and periodically review (at least annually), risk management and compliance policies?
14. Does the Management Body define, formalize, implement and periodically review (at least annually), employee remuneration policies?
15. Does the Management Body define, formalize, implement and periodically review (at least annually), a set of effective policies and processes ensuring transparency and easy understanding of the Banking Financial Institution's corporate governance model by shareholders, corporate body members and employees? A. Shareholders and delegation of competences on remuneration of Corporate Bodies and General Assembly Board
16. It is incumbent upon shareholders to define, implement and review remuneration policy for members of the General Assembly Board and Corporate Bodies, deliberating in the General Assembly or delegating these competences to one or more shareholders.
17. The Management Body must be constituted by a sufficient number of members, considering the institution's size, nature and economic situation, with availability to exercise the function, possessing relevant professional or business experience, preferably obtained in the financial system, high ethical and integrity standards, understanding of global responsibilities of the body to which they belong and those assigned to each member, deep knowledge of developed activity and risks assumed by the institution where they exercise functions, and ability to read and analyze information provided, of accounting or management origin. B. Management Body

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 14 of 22

1. The Management Body formally implements an executive committee.
2. The executive committee meets at formally defined periodicities, without prejudice to extraordinary meetings determined by relevant events.
3. The executive committee adequately formalizes work orders, agendas and other supporting documents for its meetings and reflects, concisely and objectively, decisions in minutes.
4. The executive committee makes minutes and other supporting documents known to all members and collects signatures from all participants in meetings.
5. The executive committee instituted a duly formalized functioning regulation covering assigned responsibilities, rules for meeting periodicity, convening, prior availability of debate topics, presiding over proceedings, formalizing decisions in minutes and archiving supporting documents, including accounting or management information.
6. The executive committee distributes portfolios among its members, respecting segregation rules between business, support and control functions.
7. The Management Body defines an internal control system and determines its correct formalization (validates and approves its policies and processes).
8. The Management Body has mechanisms in operation to monitor timely execution of its guidelines.
9. The Management Body periodically reviews (at least annually) the effectiveness and efficacy of the internal control system.
10. Deficiencies in the internal control system, when detected and materially relevant, are timely discussed in a Management Body meeting.
11. The organizational structure is defined and each structural unit's duties are established and formalized.
12. Adequate communication lines exist between various functions and organizational units, duly formalized.
13. Segregation between authorization, execution, recording, accounting and control functions is formally instituted and in practice.
14. Codes of conduct are formally instituted.
15. Policies and processes identifying and mitigating conflicts of interest are formally instituted.
16. Policies and processes for identification and assessment of transactions with related parties are formally defined.
17. Transactions with related parties are carried out under conditions identical to those practiced with unrelated parties.
18. Financial statements are prepared timely considering internal and external information needs.
19. Verification of accounting procedures is included in the internal audit program.
20. There are sufficient human and material resources relative to the Banking Financial Institution's objectives (global and specific).
21. Policies for recruitment, evaluation, promotion, compensation and training of employees are formally instituted.
22. The Management Body must ensure that transactions with related parties are carried out under conditions identical to those practiced with unrelated parties.
23. The Management Body must ensure preparation of financial statements according to policies and processes ensuring their timeliness and reliability.
24. The Management Body must ensure existence of sufficient human and material resources to achieve Banking Financial Institution objectives and consistent policies for recruitment, evaluation, promotion, compensation and human resource training. D. Management Body Responsibilities
25. The Management Body is responsible for defining, implementing and periodically reviewing the internal control system.
26. The Management Body must ensure transparency of organizational structure and existence of coherent and effective communication lines and responsibility assignment, to support activity development and ensure prudent management and control of operations.
27. The Management Body must ensure existence of internal control policies and processes promoting high ethical and professional values. C. Executive Committee 1. The executive committee, constituted by all executive directors, is elected in the General Assembly or appointed by the Management Body, according to the articles of association, and with conformity, elected or appointed its president. The executive committee is responsible for daily routine management.

CONTINUATION OF INSTRUCTION NO. 13/2022 Page 15 of 22

1. The Supervisory Body meets at formally defined periodicities, without prejudice to extraordinary meetings determined by relevant events.
2. The Supervisory Body adequately formalizes work orders, agendas and other supporting documents for its meetings and reflects, concisely and objectively, decisions in minutes.
3. The Supervisory Body makes minutes and other documents known to all members and collects signatures from all participants in meetings.