2025-04-17

Regulation on Internal Governance Arrangements, the Management Body and the Internal Capital Adequacy Assessment Process for Banks and Savings Banks

The Bank of Slovenia issued this regulation to transpose EU Directive 2013/36/EU into Slovenian law, establishing comprehensive requirements for the internal governance of banks and savings banks. The document mandates that management bodies implement robust corporate cultures, clear organizational structures, and effective risk strategies aligned with the institution's risk appetite and capital adequacy. It further details specific obligations regarding the prevention of conflicts of interest, senior management supervision, and the assessment of key function holders to ensure prudent operational conduct.


Slovenia

Banka Slovenije


THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE

Official Gazette of the RS, No. 115/21 of 16 July 2021 (in force from 17 July 2021)
Official Gazette of the RS, No. 011/25 of 21 February 2025 - amendments (in force from 8 March 2025)


Pursuant to point 1 of Article 65 and Article 155 of the Banking Act (Official Gazette of the Republic of Slovenia, No. 92/21, 123/21 – ZBNIP and 2/25 – odl. US; hereinafter ZBan-3) and the first paragraph of Article 31 of the Bank of Slovenia Act (Official Gazette of the Republic of Slovenia, no. 72/06 – official consolidated text, 59/11 and 55/17), the Governing Board of the Bank of Slovenia hereby issues the following

REGULATION on Internal Governance Arrangements, the Management Body and the Internal Capital Adequacy Assessment Process for Banks and Savings Banks

1. GENERAL PROVISIONS

1.1. Subject of regulation, application of regulations and definition of terms

Article 1
(content of regulation)

(1) This regulation sets out the requirements with regard to:

  1. internal governance arrangements, including detailed rules with regard to risk management and the remuneration policies and practices of a bank or savings bank (hereinafter: bank);
  2. rules for the functioning of a Management body and its committees, including the conduct of its members in accordance with the relevant standards of professional diligence, highest ethical standards, and the prevention of conflicts of interest;
  3. the internal capital adequacy assessment process;
  4. the detailed content of reports in connection with internal governance arrangements and the methods and deadlines for submitting such reports to the Bank of Slovenia.

(2) Wherever this regulation makes reference to the provisions of other regulations, these provisions shall apply in their wording applicable at the time in question.

Article 2
(application of regulations)

This regulation transposes Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, with changes into the law of the Republic of Slovenia.

Article 3
(definition of terms)

(1) The terms used in this regulation shall have the same meanings as in the ZBan-3 and Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176 of 27 June 2013, p 1; hereinafter: Regulation (EU) No 575/2013), with changes, and in regulations issued on their basis.

(2) The other terms used in this regulation shall have the following meanings:

  1. “corporate governance arrangements” are the set of relationships and relations established and realised between a bank, its Management body and its owners that are based on the powers and responsibilities of these entities and considering the interests of the bank’s other stakeholders and the de facto consistency between the short-term and long-term interests of these stakeholders, which to the greatest possible extent have an impact on the determination and realisation of the bank’s business objectives, strategies and policies and on the bank’s internal governance arrangements referred to in Article 148 of the ZBan-3;
  2. “standards of professional diligence and ethical standards” are rules, recommendations and good business practices that inter alia contribute to the realisation of high standards of corporate culture at a bank, and consequently to the mitigation of the bank’s various risks, including the mitigation of operational risk and reputation risk;
  3. a “conflict of interest at the level of the bank” is a situation in which there is or could be a threat to the interest of a bank as set out by the bank’s adopted objectives, strategies and policies referred to in the first paragraph of Article 4 of this regulation, in particular owing to circumstances deriving from the bank’s relationships, products and activities, including relationships between:
  • various clients of the bank,
  • the bank and its clients, shareholders, employees, significant suppliers, business partners and other entities in the group;
  4. a “conflict of interest at the level of members of the Management body” is a situation in which the private interest of a member of the Management body has or could have an impact on the impartial and objective execution of tasks or decision-making by the member in question in relation to the bank’s interests. The private interest of a member of the Management body means his/her interest in an undue material or non-material advantage for himself/herself, for an immediate family member or for a person who has interests in common with the member in question that are evidenced in action in concert between the member in question and the aforementioned person. A conflict of interest at the level of members of the Management body also includes any significant business contact;
  5. a “significant business contact” is any contractual or other business relationship that meets the following criteria:
  • an agreement has been concluded between a member of the Management body or a member of his/her immediate family and the bank or its subsidiary on the supply of goods or the provision of services, including financial and consulting services, on the basis of which the member of the Management body or his/her immediate family member is subject to special treatment that is not in accordance with the adopted business policy or customary practice of the bank or its subsidiary,
  • a member of the Management body or a member of his/her immediate family is, as the user of banking or other services provided by the bank or its subsidiary, subject to treatment that is not in accordance with the adopted business policy or customary practice of the bank or its subsidiary,
  • a member of the Management body or a member of his/her immediate family transacts privately with or is a member of an organisation that receives contributions in the form of donations, sponsorships or other assistance from the bank, when the aggregate amount of the contributions exceeds EUR 1,000 on an annual basis,
  • a member of the senior management or a member of his/her immediate family is, as the user of banking or other services provided by the bank or its subsidiary, subject to treatment that is not in accordance with the adopted business policy or customary practice of the bank or its subsidiary;
  6. an “indirect significant business contact” is a situation involving a significant business contact set out in the previous point in which the member of the Management body or a member of his/her immediate family is simultaneously a business partner of, a holder of a qualifying holding in, or a person authorised to manage the operations and act as the statutory representative of an entity, including a sole trader or the procurator of the entity, that has a business relationship with the bank;
  7. the “risk profile” is the assessment of the overall exposure to risks to which a bank is or could be exposed in its operations at a specific moment, including interactions and concentration risk (hereinafter: the bank’s risks). This assessment may take account of exposure to risks before or after the application of risk management measures;
  8. the “risk appetite” is the overall level of risk accepted in advance, including the levels of individual types of risk, that the bank is willing to take up for the purpose of realising its business objectives, strategies, policies and plans, having regard for the bank’s risk bearing capacity, its strategies and policies for the take-up and management of risks, and its capital, liquidity and remuneration policies;
  9. “risk limits” are the adopted quantitative restrictions and measures based on which a bank manages the take-up of risks and their concentration across products, investments, business lines, entities in the group or other risk management criteria, and that allow the bank to allocate risks across business lines and types of risk and that the bank sets with regard to its risk appetite, various stress scenarios and other criteria;
  10. “risk bearing capacity” is the largest overall risk level that a bank is able to take up, having regard for its available capital, liquidity, risk management and control measures, stress test results and other restrictions on the take-up of risks;
  11. the “risk management culture” is a bank’s level of standards and values implemented, considering the risk awareness of the members of the Management body and other employees that via their actions and attitudes to the bank’s risk and the proposals for internal control functions is reflected in their decisions with regard to the take-up and management of risks at the level of the bank’s daily activities and has an impact on the implementation of the adopted risk appetite;
  12. “credit risk” is the risk of a loss as a result of a counterparty’s inability to settle contractual liabilities by the originally agreed deadline, excluding the realisation of credit protection;
  13. “concentration risk” is the risk of excessive direct and/or indirect exposure arising from the credit risk of a bank or banking group vis-à-vis an individual client, a group of connected clients or clients linked by common risk factors;
  14. “compliance risk” is the risk of legal or regulatory sanctions, significant financial losses or a loss of reputation as a result of a bank’s operations failing to comply with the relevant regulations and standards of good practice;
  15. “market risks” are the risk of a loss as a result of adverse movements in market prices;
  16. “liquidity risk” is the risk of a loss including:

  • the risk of providing sources of liquidity, as the risk of a loss occurring when a bank is unable to settle all of its maturing liabilities, or when a bank must obtain sources of liquidity at costs significantly higher than average market costs due to its inability to provide sufficient funds to settle its liabilities at maturity,
  • market liquidity risk, where positions (in an instrument) cannot be sold or replaced in a short time without significantly affecting market price, either because of inadequate market depth or because of market imbalances;
  17. “strategic risk” is the risk of loss as a result of incorrect business decisions by the Management body, a failure to implement the decisions taken, and weak responsiveness on the part of the Management body to changes in the business environment;
  18. “capital risk” is the risk of a loss as a result of the inadequate composition of capital with regard to the nature and scope of a bank’s operations or to the difficulties that the bank faces in obtaining fresh capital, particularly in the event of the need for a rapid increase in capital or in the event of adverse business conditions;
  19. “profitability risk” is the risk of a loss as a result of the inadequate composition or diversification of income or a bank’s inability to ensure a sufficient and sustainable level of profitability;
  20. the “internal capital requirements” are an estimate of the capital needed to cover the bank’s risks;
  21. the “internal capital assessment” is the capital calculated on the basis of the internal definition of a bank’s capital components;
  22. a “stress test” entails the use of various quantitative and qualitative techniques for testing a bank’s robustness to severe but plausible developments set out by the bank on the basis of various combinations of changes in risk factors (stress test scenarios);

  23. “sensitivity analysis” is a technique that is a less complicated form of a stress test and that merely includes an assessment of the impact of a change in a single precisely determined risk factor on a bank’s financial position, whereby the cause of the shock is not defined.

1.2. Bank measures to comply with requirements of this regulation

Article 4
(relationship between bank’s business strategy and risk strategy)

(1) For the purpose of implementing effective corporate governance arrangements referred to in point 1 of the second paragraph of Article 3 of this regulation, the Management body shall ensure that a bank’s business objectives, strategies and policies are appropriately connected with the risk strategies and policies referred to in Articles 5 and 6 of this regulation.

(2) When the business objectives, strategies and policies referred to in the first paragraph of this article pursue a strategy of high risk appetite, the Management body shall, having regard for the nature, scale and complexity of the risks inherent in the bank’s business model and the activities pursued by the bank, ensure effective internal governance arrangements commensurate therewith.

(3) A risk strategy that is not based on commensurately effective internal governance arrangements may be reflected in the bank’s strategic risk, and in the excessive take-up of risks.

Article 5
(risk strategies)

A bank shall put in place and implement effective and comprehensive strategies for taking up and managing risks set out in the first and second paragraphs of Article 19 of this regulation (hereinafter: risk strategies) that take account of the bank’s business strategy and its long-term interests, including the protection of the interests of the bank’s unsecured creditors.
The risk strategies shall define the bank’s objectives and general approach to taking up and managing risks, including a definition of the risk appetite, taking account of factors in the bank’s internal and external environment and the bank’s risk attributes.

Article 6
(risk policies)

(1) A bank shall put in place and implement policies for taking up and managing risks set out in the first and second paragraphs of Article 19 of this regulation (hereinafter: risk policies) that set out the implementation of the risk strategies referred to in Article 5 of this regulation.

(2) The risk policies referred to in the first paragraph of this article shall provide a detailed definition of the functions, systems, processes, procedures, methodologies and rules of the bank’s internal governance arrangements, including the corresponding powers and responsibilities, and the reporting flows at all levels of the bank’s hierarchical and organisational structure.

Article 7
(responsibilities of Management body and senior management with regard to risk strategies and policies)

(1) On the basis of its knowledge and understanding of a bank’s risks, in respect of the strategies and policies referred to in Articles 5 and 6 of this regulation the Management body shall:

  1. define and adopt them;
  2. regularly (at least once a year) review their adequacy, including ensuring that they are updated in relation to the impact of factors in the bank’s internal and external environment;

  3. conduct supervision of their proper implementation in accordance with regulations, standards and the bank’s bylaws, and the requirements of the Bank of Slovenia and other competent supervisory authorities.

(2) The senior management shall formulate and update the risk strategies and policies on the basis of guidance from the management board, and shall ensure their proper implementation at the level of the bank’s daily activities, regularly briefing the management board with regard to the adequacy of their implementation.

2. BANK’S INTERNAL GOVERNANCE ARRANGEMENTS, INCLUDING DETAILED RISK MANAGEMENT RULES AND REMUNERATION POLICY AND PRACTICES

2.1 General requirements with regard to bank’s internal governance arrangements

Article 8
(corporate culture and code of practice and ethics)

(1) The Management body shall, for the purpose of implementing the stable internal governance arrangements referred to in Article 148 of the ZBan-3 and on the basis of its own example, set a standard for the bank’s corporate culture that:

  1. is based on the bank’s corporate values, based on which the conduct expected of members of the Management body and other employees is in accordance with due professional diligence and ethics, the rules for the prevention of conflicts of interest, and regulations, standards and the bank’s bylaws;
  2. promotes a risk management culture that is in accordance with the adopted risk appetite, risk limits and risk bearing capacity;
  3. sets out measures for cases of a failure to uphold or a breach of the bank’s corporate values and the established standards of the risk management culture.

(2) The bank shall, for the purpose of attaining a high corporate culture, put in place and implement a code of conduct for members of the Management body and other employees (hereinafter: code of conduct). The code of conduct shall define acceptable and unacceptable behaviour of employees at all of the bank’s hierarchical and organisational levels, including the bank’s committees, commissions and advisory bodies, and shall set out a policy of zero tolerance on the part of the bank to actions by individuals that could have an adverse impact on the bank’s reputation, or that are inadmissible from a legal, moral or ethical perspective.

(3) The bank shall provide for regular reviews of the implementation of the code of conduct by the persons referred to in the first paragraph of this article, and shall set out a function or a commission that takes a position on suspected breaches of the code of conduct. The Management body shall be informed of the findings of these reviews.

2.2 Organisational structure

2.2.1 Attributes of organisational structure

Article 9
(general requirements)

(1) The organisational structure referred to in point 1 of the first paragraph of Article 148 of the ZBan-3 is deemed clear if it ensures:


  1. precisely defined, transparent, consistent and established internal relationships between powers and responsibilities at all hierarchical and organisational levels that uphold the rules for the prevention of conflicts of interest at the level of the bank or at the level of the members of the Management body;
  2. established transparent reporting flows between hierarchical and organisational levels;
  3. effective communication and involvement at and between all hierarchical and organisational levels for the purposes of:
  • an effective, transparent and documented process of taking business decisions and decisions with regard to the bank’s risk management, and
  • access on the part of the bank’s employees to information that is material to the proper exercise of their powers and responsibilities.

(2) In the event of any changes to the organisational structure, the Management body shall provide for an assessment of the impact of the changes on the stability of the internal governance arrangements, and on the bank’s capital and liquidity. The risk committee shall be informed of the assessment of the impact of the changes on the stability of the internal governance arrangements, and on the bank’s capital and liquidity.

Article 10
(prevention of conflicts of interest)

(1) A bank shall ensure that the risk policies referred to in Article 6 of this regulation include policies for identifying and preventing or managing conflicts of interest at the level of the bank or at the level of members of the Management body (hereinafter: conflicts of interest policy).

(2) The conflicts of interest policy shall define the manner in which conflicts of interest are identified and managed, including practical examples of conflicts of interest and measures in the event of the failure to uphold the policy.

(3) The conflicts of interest policy at the level of the group shall include the bank’s approach to identifying and preventing or managing conflicts of interest in the group, including those deriving from intra-group transactions.

2.2.2 Senior management and other employees

Article 11
(responsibility of senior management)

The senior management shall exercise its responsibilities in relation to the bank’s day to day operations in a manner commensurate with the objectives, strategies and policies referred to in Article 4 of this regulation, considering the accepted risk appetite and risk limits, the risk bearing capacity and the incentives deriving from the remuneration policies and practices for this category of the bank’s employees.
The senior management’s internal organisation and procedures of acting and decision-making shall be transparent and based on the precisely defined, consistent and established powers and responsibilities of individual functions of the senior management, including the requisite reporting to the management board on matters that are necessary to the exercise of the management board’s responsibility for the bank’s operations and risk management referred to in the second paragraph of Article 156 of the ZBan-3.

Article 12
(supervision of senior management)

The management board shall ensure the effective supervision on the basis of:
  1. defined performance criteria for the actions of the senior management;

  2. appropriate measures in the event of the failure to meet the performance criteria for the actions of the senior management or the failure to consider the bank’s corporate values and the risk management culture.

Article 13
(employees and HR policy)

(1) A bank shall ensure that the risk policies referred to in the first paragraph of Article 6 of this regulation include an appropriate HR policy, inter alia for the purpose of ensuring a sufficient number of qualified employees with regard to the bank’s operational needs, the scale and complexity of the risks inherent in the bank’s business model, and the bank’s risk profile.

(2) In the event of major changes being planned in the number of employees (e.g. a long-term reduction in the number of employees for reason of austerity measures or other measures) in individual key business lines, functions, processes, products or models (hereinafter: work area), the bank shall provide for analysis of the impact of these changes on the bank’s operations. In the impact analysis, in addition to the staffing reduction in terms of actual number, the bank shall take account of the significance of their knowledge, experience and skills to the individual work area or to the bank. Before any decision on such a reduction in the number of employees, the management board shall be briefed on the impact analysis and, where appropriate, shall provide for appropriate risk management measures referred to in Article 23 of this regulation, including the requisite adjustments to the risk strategies and policies referred to in the first paragraph of Article 4 of this regulation.
Article 14
(key function holders and process of assessing their suitability)

(1) A bank shall ensure that key function holders have suitable replacements and a succession plan for the purpose of managing operational risk deriving from a lengthy absence or the possibility of the unexpected termination of the employment relationship by a key function holder.

(2) For the purpose of assessing the suitability of key function holders, the bank shall define its key function holders.

2.2.3 Group level

Article 15
(risk objectives, strategies and policies of parent bank)

(1) A bank that has the position of a parent bank shall, for the purpose of effectively exercising the responsibilities of the Management body in connection with the operations and supervision of the group, put in place and implement the objectives, strategies and policies referred to in the first paragraph of Article 4 of this regulation at group level and the group’s corporate values. These objectives, strategies and policies shall take account of the regulations and requirements of the competent and supervisory bodies of subsidiaries and the independence of the governing bodies of subsidiaries in taking decisions that are in accordance with the interests of the subsidiaries.

(2) The group’s risk policies shall include the explicit obligation of the bank’s subsidiaries to uphold all the relevant instructions of the parent bank with regard to the implementation of the objectives, strategies and policies of the group referred to in the first paragraph of this article, having regard for the nature, scale and complexity of the risks inherent in the subsidiary’s business model and the activities that it pursues.

Article 16
(risk objectives, strategies and policies of subsidiary bank)

In implementing the group’s business objectives, strategies and policies and the instructions of the parent bank, a bank that has the position of a subsidiary shall ensure that its operations comply with regulations, standards and bylaws and with the requirements of the Bank of Slovenia and other competent supervisory authorities. To this end the bank that has the position of a subsidiary shall put in place and implement risk strategies and policies that inter alia set out:

  1. the extent to which the Management body is responsible for the appropriate observance of the group’s business objectives, strategies and policies, and the parent bank’s instructions;
  2. the Management body’s responsibility for ensuring that the group’s business objectives, strategies and policies and the instructions of the parent bank do not contravene the applicable regulations, standards and the bank’s bylaws or the requirements of the Bank of Slovenia and other competent supervisory authorities.

2.3 Risk management

2.3.1 Risk take-up

Article 17
(risk appetite and Management body’s concise risk statement)

(1) A bank shall ensure that its take-up of risks at any moment is in accordance with the adopted risk appetite referred to in point 8 of the second paragraph of Article 3 of this regulation. The bank’s approach to the realisation of the risk appetite shall be integral, shall take account of the interests of the bank’s owners and other stakeholders, and shall be based on the bank’s policies, processes and internal controls and the corresponding responsibilities of the risk management function and the compliance function.

(2) The Management body shall explain the bank’s approach to the realisation of the risk appetite referred to in the first paragraph of this article on the basis of the concise risk statement referred to in point (f) of the first paragraph of Article 435 of Regulation (EU) No 575/2013. This statement shall include:
  1. a definition of the highest overall level of risk and the levels and types of individual significant risks referred to in the first and second paragraphs of Article 19 of this regulation that the bank, for the purpose of implementing its business objectives, strategies and policies, and having regard for its risk bearing capacity, is ready to take up or is to avoid, both in normal operating conditions and in stress conditions;
  2. a definition of quantitative risk management criteria, including risk limits and other risk management measures, and an explanation with regard to the impact of these criteria on the bank’s earnings, capital, liquidity and other performance indicators;
  3. the bank’s descriptive views with regard to its readiness and incentives for the take-up or management of hard-to-measure risks, including the approach to the management of operational risk, reputation risk, prevention of money laundering and other unethical business practices (qualitative risk management measures);
  4. an explanation with regard to the constraints and other aspects of operations that the bank takes into account in the implementation of its business objectives, strategies and policies.

(3) The bank shall, for the purpose of the consistent application of the Management body’s concise risk statement in the bank’s everyday operations, provide the requisite information to the bank’s employees with regard to the definitions and the importance of the consistent realisation of the adopted risk appetite and the methods for taking it into account in the bank’s daily business decisions.

Article 18
(risk bearing capacity)

(1) A bank shall ensure that its take-up of significant risks at any moment is within the framework of the risk bearing capacity referred to in point 10 of the second paragraph of Article 3 of this regulation.

(2) The bank shall put in place a methodology for assessing the risk bearing capacity at any moment, which takes account of:

  1. all significant risks that the bank takes up within the framework of its operations, including interactions and risk concentrations;
  2. the available measures for managing the identified and assessed risks;
  3. the bank’s capital and liquidity;
  4. other restrictions, including any restrictions deriving from the bank’s bylaws, regulations and standards, or the requirements of the Bank of Slovenia and other competent and supervisory authorities.

Where specific risks or other factors are not taken into account in the assessment of the risk bearing capacity, the bank shall explain what the risks and factors are, citing the reasons why they have not been taken into account.

(3) The bank shall regularly assess the risk bearing capacity, including during any significant change in exposure to taken-up risks. The assessment of risk bearing capacity shall be documented. The bank shall review the adequacy of the methodology for assessing risk bearing capacity at least once a year, including the proposals for its potential updating.

Article 19
(bank’s risk)

(1) The risks that a bank takes up within the framework of its operations may include credit risk and counterparty risk, concentration risk within the framework of credit risk, market risks, interest rate risk, liquidity risk, operational risk (including legal risk), compliance risk, model risk, reputation risk, strategic risk, capital risk, profitability risk, risk of excessive leverage, and securitisation risk.

(1) The risks that a bank takes up within the framework of its operations may include credit risk and counterparty risk, concentration risk within the framework of credit risk, market risks, interest rate risk, liquidity risk, operational risk (including legal risk, model risk, and ICT risk), compliance risk, reputation risk, strategic risk, capital risk, profitability risk, risk of excessive leverage, and securitisation risk.

(2) The bank shall ensure that at any moment it is capable of managing all of its other significant risks on a consolidated, sub-consolidated and individual basis.
Significant risks shall be identified early, treated comprehensively, monitored within the framework of the bank’s daily activities and presented in timely fashion to the Management body, the senior management, the internal audit department and, if any, the compliance department. Effective risk management reduces the probability of unexpected losses, and consequently prevents reputation risk deriving from such losses. (3) In addition to the general requirements in connection with risk management set out by this regulation, the bank shall additionally meet the requirements with regard to the treatment of the following risks:
  4. credit risk;
  5. liquidity risk;
  6. operational risk;
  7. market risks and
  8. interest rate risk from non-trading book activities. The requirements referred to in points 1 to 4 of the first subparagraph of this paragraph are discussed in detail in Appendices 1 to 4 of this regulation.

2.3.2 Risk management

Article 20 (general provisions on risk management processes)

(1) The risk management processes referred to in point 2 of the first paragraph of Article 148 of the ZBan-3 are deemed effective if they facilitate the production of high-quality assessments, analysis, reports, proposals of measures and other results of these processes, including an internal assessment of risk-based capital requirements and an internal capital assessment, based on which the management board is able to take business decisions that are in accordance with the adopted risk appetite, and other measures in connection with the realisation of stable internal governance arrangements at the bank.

(2) The bank shall provide for systematic planning of the development of the risk management processes referred to in the first paragraph of this article, for the purpose of their effective tailoring to any changes in the bank’s risk profile, the risks of the external environment and best risk management practice.

Article 21 (identification and assessment or measurement of risks)

(1) The process of identifying risks shall ensure that all the significant risks referred to in the first and second paragraphs of Article 19 of this regulation are taken into account. The identification of significant risks shall include:
  1. comprehensive risk analysis, including risks that could have an adverse impact on the bank’s earnings, liquidity and share value;
  2. consideration of risk concentrations and the potential risks inherent in the complexity of the bank’s legal and organisational structure;
  3. analysis of trends for the purpose of identifying new or emerging risks as a result of changes in the bank’s business conditions.

(2) The process of the ordinary and, where appropriate, extraordinary assessment or measurement of the identified risks referred to in the first paragraph of this article shall be based on:
  1. established and documented processes for the assessment or measurement of losses that are in accordance with the bank’s methodologies for the calculation of minimum own funds requirements;
  2. the use of an appropriate toolkit of scenarios with regard to causes of risk and risk interactions;
  3. the use of appropriate and reliable databases.

(3) In the process of the identification and assessment of significant risks, a bank shall ensure the involvement of all relevant organisational units, including the bank’s commercial divisions.

Article 22 (stress tests)

(1) A bank shall provide for a comprehensive approach to the implementation of stress tests and sensitivity analysis (hereinafter: stress tests) that includes:
  1. the identification of the most significant causes of risk, and the preparation of appropriate stress scenarios;
  2. the application of the results of stress tests for the purpose of:
  • identifying risks and the development of the bank’s exposure to these risks,
  • reviewing the adequacy of assessments or measurements of risks;
  3. compiling a toolkit of potential risk management measures referred to in the first paragraph of Article 23 of this regulation in the event of adverse operating conditions for the bank (e.g. the preparation of business continuity plans).

(2) The bank shall take account of the results of stress tests in the process of reviewing and planning the bank’s risk appetite, risk limits and risk bearing capacity, planning the bank’s capital and liquidity, and making an internal assessment of capital adequacy and sustainable liquidity. The Management body, the risk committee, the relevant senior management and the internal audit department shall be briefed on the results of stress tests. The management board shall confirm the results of stress tests on each occasion.

(3) The management board shall review and approve the stress scenarios referred to in the first paragraph of this article on each occasion, and shall brief the risk committee accordingly.

Article 23 (risk management)

(1) The process of managing taken-up risks shall ensure the definition and implementation of potential risk management measures including:
  1. the transfer or diversification of risks (e.g. via insurance) or the avoidance of risks (e.g. via the withdrawal of a product or business line);
  2. risk limitation (e.g. via risk limits);
  3. the temporary acceptance or take-up of risks that exceed the adopted risk limits, because their mitigation over the relevant period is not possible;
  4. the acceptance or take-up of risks that cannot be mitigated to the level of the adopted risk limits or cannot be adequately insured against.

(2) The bank shall ensure that the measures referred to in point 3 of the first paragraph of this article are applied in exceptional cases only, and on the basis of an appropriate approval by the management board, which shall be briefed on the effects of such measures regularly.

(3) The risk management function shall propose the measures referred to in the first paragraph of this article for identified and assessed or measured risks, and shall guide and monitor their implementation. In the event of a decision by the management board with regard to the acceptance of significant risks referred to in points 3 and 4 of the first paragraph of this article, in conjunction with the organisational units that are taking up the risks the risk management function shall provide for the regular monitoring and reporting of the risks for the purpose of managing these risks within the agreed risk limits or in accordance with the management board’s decisions.

Article 24 (risk monitoring and communication about risks)

(1) The process of monitoring risks shall ensure systematic communication about risks at all of the bank’s hierarchical and organisational levels, including reporting on risks to the Management body, the senior management and the internal control functions.

(2) Effective risk monitoring ensures that the take-up of risks is in accordance with the risk limits put in place. To this end the bank shall put in place:
  1. a system that facilitates the identification of breaches of risk limits in an appropriate time with regard to the nature and type of the risks;
  2. procedures for handling breaches of risk limits and for determining the causes of the breaches, including the corresponding measures;
  3. procedures for informing the Management body, the risk committee, the senior management and the risk management function with regard to breaches of risk limits.

Article 25 (regular and ad hoc reports on risks)

(1) The reporting on risks referred to in the first paragraph of Article 24 of this regulation shall be based on a transparent reporting system that includes regular and ad hoc reports on risks.

(2) The regular reports on risks referred to in the first paragraph of this article shall facilitate the monitoring of effective decisions with regard to measures to manage and control risks, and the monitoring of the results of such measures. These reports shall provide for a clear overview of the risk profile, particularly on the basis of information about:
  1. the consideration of risk appetite across different business lines, and breaches of risk limits;
  2. the bank’s significant risks and the assessments thereof;
  3. the results of stress tests.

(3) The ad hoc reports on risks referred to in the first paragraph of this article shall facilitate the earliest possible reporting of extraordinary information on the occurrence of a significant risk that requires immediate attention or action on the part of the management board or the senior management. The management board shall brief the supervisory board on such risks without delay.

(4) In connection with the compilation of reports on risks the bank shall provide for an appropriate level of automation in the process of preparing individual reports that ensures their compliance with the actual situation. In the event of manual interventions in the content of a report, the bank shall provide for appropriate internal controls (e.g. an audit trail, the four eyes principle).

Article 26 (adequacy of reports on risks)

(1) The scope and detail of reports on risks shall take account of the needs of the target users of the reports, as follows:
  1. the bank’s Management body and senior management shall receive comprehensive information about all significant issues in connection with the bank’s operations and its risks;
  2. the internal audit department, the risk management function and the bank’s other managers shall receive relevant information about key issues in connection with the bank’s operations and its risks. Information is deemed relevant if it is presented in a manner that transparently summarises the significant content of an issue with regard to its priority.

(2) Reports on risks shall be:
  1. understandable; reports are deemed understandable if they contain clear and accurate information about risks;
  2. sufficient; reports are deemed sufficient if they include all significant risks and together provide for a comprehensive overview of the bank’s risk profile;
  3. useful; reports are deemed useful if they constitute a basis for the adoption of appropriate measures;
  4. comparable and compatible; reports are deemed comparable and compatible if their form is as standardised as possible with regard to the information that they contain;
  5. timely; reports are deemed timely if they facilitate the taking of decisions in an appropriate time with regard to the nature and type of the risks.

2.3.3 Management of risks inherent in new products and use of external contractors

Article 27 (risks of new products and external contractors)

(1) A bank shall ensure that the risks inherent in the introduction of new products are also included in the risk management processes referred to in Article 20 of this regulation.

(2) Should the bank use external contractors in the pursuit of its processes, services or activities, the risk management processes referred to in the first paragraph of this article shall also include the risks inherent in the use of external contractors. For the purposes of this regulation, the term “external contractor” shall apply to persons that, on the basis of an outsourcing agreement between the bank and the external contractor, perform, in whole or in part, a process, service or activity that would otherwise be undertaken by the bank itself.

Article 28 (policy for approval of new products)

For the purpose of managing the risks inherent in the introduction of new products, a bank shall put in place and implement a policy for the approval of new products. This policy shall include:
  1. a definition of what the bank deems a new product and of other circumstances that have a material impact on the bank’s risks (e.g. significant changes in existing products, new services, new systems and models, new business lines, entry into new markets, new large-scale and complex transactions or transactions requiring the use of a larger number of employees);
  2. the factors and principal issues that the bank must take into account or discuss before the introduction of a new product, including:
  • whether the new product complies with regulations, standards and the bank’s bylaws,
  • the impact of the introduction of the new product on the bank’s risk profile, capital and earnings,
  • whether the availability of the bank’s human and financial resources is sufficient for the purpose of the introduction and implementation of the new product;
  3. the powers and responsibilities in the testing, introduction and implementation of the new product.

Article 29 (policy for use of external contractors)

(1) For the purpose of managing the risks inherent in the use of external contractors, a bank shall put in place and implement a policy for the use of external contractors. This policy shall include:
  1. a definition of what is deemed an external contractor by the bank;
  2. details of the bank’s approach to the use of external contractors and to quality assurance in their services;
  3. the basic principles and guidelines with regard to the management of the risks inherent in the use of external contractors;
  4. details of the approach to ensuring business continuity in connection with the activities outsourced to external contractors;
  5. the toolkit of measures in the event of the unexpected termination of the contractual relationship with external contractors.

(2) The bank shall ensure that the use of external contractors does not prejudice:
  1. the pursuit of its business activities;
  2. the risk management referred to in the first paragraph of Article 23 of this regulation, and
  3. the internal control mechanisms referred to in the first paragraph of Article 31 of this regulation.

(3) The bank shall put in place a documented plan for the use of external contractors, including a detailed definition of:
  1. the manner of the management of the risks inherent in the use of external contractors;
  2. reports on the risks inherent in the use of external contractors;
  3. the responsibility for monitoring the compliance of external contractors’ actions with regulations, standards and the bank’s bylaws.

(4) The bank shall ensure that the contractual rights and obligations of the bank and the external contractors are precisely defined and understandable. The bank’s contractual rights shall include the possibility of the early termination of the contractual relationship with external contractors at the bank’s request. The contractual obligations of external contractors shall include:
  1. protection of the bank’s data;
  2. compliance of external contractors’ actions with regulations and standards;
  3. full access on the part of authorised persons or functions of the bank to all the premises and data of external contractors related to the provision of the services in question, and the right to view the premises and data.

(5) An external contractor shall provide the agreed level of service on the basis of a service level agreement. The service level agreement shall contain quantitative and/or qualitative criteria based on which the bank and the external contractor can assess the level of service. Should the level of service fail to comply with the service level agreement, the bank shall take appropriate measures.

Article 30 (approval of new product and use of external contractor)

(1) The introduction of any new product or the use of an external contractor shall be subject to the bank’s approval, having regard for a risk assessment drawn up by the relevant organisational unit in conjunction with the risk management function, or another internal control function where appropriate. In the event that the risk assessment makes it evident that the impact of the new product or the use of the external contractor would be material, the introduction or use shall be subject to the approval of the management board.

(2) The risk assessment referred to in the first paragraph of this article shall be comprehensive and impartial, and shall be based on relevant risk scenarios, having regard for:
  1. any deficiencies in the risk management process and in internal controls in respect of the effective management of the corresponding risks;
  2. the adequacy of the methodologies and skills of the risk management function, the compliance department if any, the information technology function and the business lines in respect of the appropriate assessment and management of the corresponding risks;
  3. the impact of the introduction of the new product or the use of the external contractor on the risk bearing capacity.

(3) Should it be evident from the assessment that adequate risk management referred to in the first paragraph of Article 23 of this regulation is not ensured, the bank shall defer the introduction of the new product or the use of the external contractor until the establishment of adequate risk management processes, and shall inform the management board accordingly where appropriate.

2.4 Internal control mechanisms

Article 31 (internal controls and internal control functions)

(1) The suitability of internal control mechanisms referred to in point 3 of the first paragraph of Article 148 of the ZBan-3 shall be determined by the independence, quality and validity of:
  1. the rules for and controls of the implementation of the bank’s organisational procedures, business procedures and work procedures (hereinafter: internal controls);
  2. the internal control functions and departments (hereinafter: internal control functions).

(2) The internal controls referred to in point 1 of the first paragraph of this article are deemed suitable if they provide for systematic control of all of the bank’s significant risks that is exercised on the basis of the bank’s policies, processes and measures.

(3) The internal control functions referred to in point 2 of the first paragraph of this article are deemed suitable if they provide for an independent and objective assessment of effectiveness and compliance with regard to the bank’s internal governance arrangements on the basis of the review and assessment of the adequacy of risk strategies and policies, the bank’s risk management processes, procedures and methodologies, and reporting on risks.

2.4.1 Internal controls

Article 32 (general)

(1) Internal controls shall be put in place at all levels of the bank’s organisational structure, including the levels of commercial, control and support functions, and at the level of each of the bank’s financial services. The bank shall ensure the implementation of internal controls within the framework of the bank’s day-to-day processes, procedures and activities.

(2) Employees shall be made to understand the purpose and importance of internal controls in the bank’s operations, and the importance of their contribution to the effective implementation thereof.

Article 33 (internal control rules and procedures)

(1) A bank shall ensure the implementation of internal controls primarily on the basis of documented rules and procedures for:
  1. ensuring the compliance of the bank’s operations with regulations, standards and bylaws, and the requirements of the Bank of Slovenia and other competent supervisory authorities;
  2. monitoring the compliance of business transactions and investments with the adopted risk limits;
  3. supervising the proper implementation of the prescribed work procedures in connection with operational and organisational activities on the part of employees;
  4. verifying the correctness of internal and external reports;
  5. securing the bank’s assets;
  6. developing and safeguarding the security of the bank’s information systems and information.

In the event of deficiencies, irregularities or breaches identified in the processes of the implementation of internal controls (e.g. breaches of risk limits or work procedures), the bank shall provide for the requisite procedures to discuss the findings, and for the corresponding measures in cases of an intentional breach of the bank’s rules.

(2) The process of ensuring the compliance of the bank’s operations referred to in point 1 of the first paragraph of this article shall take account of the bank’s compliance policy referred to in Article 42 of this regulation. The internal controls shall ensure the proper implementation of the bank’s approach to the management of compliance risk in all of its transactions and all the activities of the bank’s employees.

(3) The business transactions referred to in point 2 of the first paragraph of this article shall take account of the risk appetite and the established risk limits. The internal controls shall ensure the proper implementation of business transactions, and the approval of business transactions that exceptionally transgress the risk limits on the part of the competent employees.

(4) Work procedures in connection with the implementation of procedures in operational and organisational activities on the part of employees referred to in point 3 of the first paragraph of this article shall be set out by means of appropriate instructions, rulebooks and other bylaws of the bank that include rules with regard to powers and responsibilities, the allocation of tasks, decision-making in the implementation of procedures (hereinafter: instructions) and descriptions of operational processes. For the purpose of preventing the incorrect implementation of work procedures, the internal controls shall ensure the requisite segregation of powers and responsibilities in the implementation of work procedures, including the establishment of information firewalls, functional and organisational separation between the bank’s relevant functions, the implementation of the four eyes principle, and the mutual vetting and implementation of the rule of a left signatory and a right signatory for important documents.

(5) The internal and external reports referred to in point 4 of the first paragraph of this article shall contain the requisite information for the purpose of taking business decisions and decisions in connection with risk monitoring and management, including the corresponding measures. The internal controls shall, on the basis of physical and logical controls, ensure the identification of any deficiencies and errors in reports, and other irregularities in the compilation of reports.

(6) The securing of the bank’s assets and information referred to in point 5 of the first paragraph of this article shall be based on the requisite restriction of access on the part of unauthorised persons to the bank’s movable and immovable assets, including access to information systems and the protection of confidential information. To this end the internal controls shall provide for physical barriers, logical and physical controls, the use of a security service or the requisite security technology, and other measures.

(7) The internal controls in respect of information systems referred to in point 6 of the first paragraph of this article shall include:
  1. in the implementation of the information systems development strategy: determination of compliance with business processes, the quality of project planning, the involvement of the requisite personnel, and awareness of the pertinent issue at various management levels;
  2. in the safeguarding of the security of information systems: logical and physical controls of access to information systems;
  3. with regard to hardware: determination of its adequacy with regard to the requirements of the pertinent business processes, internal and technical standards, and the regularity of its maintenance. Hardware means physical computer and communications equipment;
  4. with regard to software: determination of its compliance and use in business processes in the sense of meeting users’ requirements and the segregation of the functions of the development, maintenance and use of software. Software means the computer programs, procedures and rules that ensure that hardware operates as planned.

(8) The bank may also implement internal controls by means of other activities and measures that are carried out by employees at their own discretion at the level of the bank’s individual business activities, processes and procedures, for the purpose of preventing actions and activities on the part of employees that are not in accordance with their powers, including actions associated with fraud.

2.4.2 Internal control functions and information security management function

Article 34 (general)

(1) The internal control functions shall include:
  1. the internal audit department referred to in the first paragraph of Article 161 of the ZBan-3;
  2. the risk management function referred to in the first paragraph of Article 158 of the ZBan-3;
  3. the compliance function or service referred to in Article 166 of the ZBan-3.

(2) A bank shall also put in place an information security management function, and shall designate a head of this function. The information security management function shall have a position comparable to that of the functions referred to in the first paragraph of this article, particularly from the perspective of ensuring the independence, powers and responsibilities of this function.

2.4.2.1 Internal audit department

Article 35 (effectiveness and independence of internal audit department)

(1) The internal audit department shall provide the Management body, the audit committee and the senior management with an independent assessment with regard to the quality and effectiveness of the internal governance arrangements, including the bank’s risk management systems and processes and internal controls (hereinafter: internal audit department’s independent assessment). The internal audit department shall support and assist the Management body in safeguarding the bank’s long-term interests and protecting its reputation.

(2) For the purpose of realising the independence of action of the internal audit department, the management board shall ensure that the internal audit department:
  1. implements and coordinates internal auditing tasks at its own initiative, in all the bank’s areas, activities, processes and functions, including the risk management function and compliance department, without the internal audit department’s employees being exposed to any attempts at undue influence or pressure on the part of a member of the Management body or a member of the senior management for the purpose of prejudicing the independence of action of the internal audit department;
  2. does not participate directly in the determination, development, establishment and implementation of the internal controls referred to in Article 34 of this regulation;
  3. has the right of access to all of the bank’s premises, employees, information and data.

(3) For the purpose of realising the effectiveness of the internal audit department, the management board shall ensure:
  1. the consistent and timely treatment of all reports, findings and proposed measures submitted by the internal audit department, and shall require the senior management to arrange for the requisite rectification of the identified breaches and irregularities in accordance with the agreed deadlines. An explanation of any failure to observe the recommendations of the internal audit department and any delay in the rectification of identified irregularities relative to the agreed deadlines shall be provided in writing to the internal audit department by the recipient of the recommendations;
  2. the timely briefing of the internal audit department with regard to all significant decisions (e.g. the introduction of new products, the significant use of external contractors, a change in information technology) and the bank’s significant risks. The internal audit department shall take account of this information in its risk assessment for the purposes of the annual work plan.

(4) For the purpose of realising the independence of action of the internal audit department, the supervisory board shall monitor the effectiveness and efficiency of the execution of the internal auditing tasks of the internal audit department on the basis of:
  1. discussion of the internal audit reports referred to in the fourth and fifth paragraphs of Article 164 of the ZBan-3;
  2. regular meetings (e.g. on a quarterly basis) between the chairperson of the supervisory board or the chairperson of the audit committee and the head of the internal audit department. These meetings shall take place without the presence of members of the management board, their nominees and other members of the senior management.

(5) The bank shall grant the head of the internal audit department access to the minutes of sessions of the supervisory board.

Article 36 (employees at internal audit department)

(1) A bank shall ensure that the number and qualifications of the employees of the internal audit department are commensurate with the nature, scale and complexity of the risks inherent in the bank’s business model. The employees shall have the requisite knowledge, experience and skills to perform their tasks, including reviews of specific areas and activities of the bank.

(2) Internal auditors that perform internal auditing tasks at the bank shall make a written declaration at least once a year of any conflicts of interest in connection with the performance of internal auditing tasks.

(3) The bank shall put in place and implement a training programme for employees of the internal audit department with regard to the areas and complexity of their tasks.

Article 37 (notification of management board and supervisory board)

A bank shall ensure that in the cases referred to in the first and second paragraphs of Article 165 of the ZBan-3 the internal audit department notifies the management board or the supervisory board independently and without hindrance. Without hindrance means that the internal audit department reports to the management board or the supervisory board without any requirements or pressures from a member of the Management body or the senior management for the inappropriate adjustment or omission of information. To this end the bank shall ensure that the manner of notification of the management board and the supervisory board is determined by the internal audit department, and not by the management board or the supervisory board. Independent notification means that in the cited cases the internal audit department is able to notify the supervisory board without the prior mandatory submission of information to the management board for signing or approval.

2.4.2.2 Risk management function

Article 38 (risk management function)

(1) The purpose, importance and tasks of the risk management function shall be defined in a bylaw adopted by the management board, on which the supervisory board is briefed.

(2) Persons who perform tasks of the risk management function referred to in the fourth paragraph of Article 158 of the ZBan-3 may not perform any other tasks in which a conflict of interest could arise.

Article 39 (appointment of head of risk management function)

A bank shall notify the supervisory board of the appointment of the head of the risk management function.

Article 40 (participation in drafting of strategy)

The risk management function shall participate in the drafting of the bank’s risk management strategy and in all important decisions with regard to risk management referred to in point 2 of the fourth paragraph of Article 158 of the ZBan-3 on the basis of the production of:

  1. analysis of the bank’s risks, which the Management body takes into account in the determination of the risk appetite;

  2. an assessment of the adequacy of the proposed risk management strategy with regard to the realism and consistency of the business objectives of organisational units, including the requisite opinion for the Management body, before the adoption of its decision with regard to the risk management strategy;
  3. proposals of risk limits for the bank’s organisational units.

Article 41 (direct access to supervisory board)

(1) A bank shall provide for the regular participation of the head of the risk management function at sessions of the supervisory board in the parts relating to the issue of risks, and at sessions of the risk committee. At these sessions the head of the risk management function shall present impartial analysis of the bank’s risks, and shall represent the positions of the risk management function that are in accordance with the risk appetite. The bank shall grant the head of the risk management function access to the minutes of sessions of the supervisory board in the parts consisting of the agenda items related to the area of work of this function.

(2) The bank shall ensure that in the cases referred to in the sixth and seventh paragraphs of Article 158 of the ZBan-3 the head of the risk management function notifies the management board or the chairperson of the supervisory board (or the chairperson of the audit committee) independently and without hindrance. Without hindrance means that the head of the risk management function notifies the management board or the chairperson of the supervisory board (or the chairperson of the risk committee) without any requirements or pressures from a member of the Management body or the senior management for the inappropriate adjustment or omission of information. To this end the bank shall ensure that the manner of notification of the management board and the supervisory board is determined by the risk management function, and not by the management board or the supervisory board. Independent notification means that in the cited cases the head of the risk management function is able to notify the chairperson of the supervisory board or the chairperson of the risk committee without the prior submission of the notification in question to the management board for signing or approval.

2.4.2.3 Compliance function

Article 42 (compliance policy)

A bank shall put in place and implement a compliance policy. This policy shall in particular set out:

  1. the bank’s approach to the management of compliance risk set out by the management board, and the basic principle for realising the bank’s compliance;
  2. the general standards for ensuring compliance for all employees, and detailed rules for ensuring compliance for individual groups of employees;
  3. an explanation of the most important procedures for identifying and managing compliance risk at various levels of the bank’s organisational structure.

Article 43 (compliance function or department)

(1) The management board shall ensure that the compliance department referred to in Article 166 of the ZBan-3 has the requisite authorisations and influence to perform that function, and sufficient human and financial resources for the effective identification of compliance risk. The compliance department shall be headed by a person in an appropriate hierarchical position at the bank (e.g. a senior manager).

(2) Persons who perform tasks of the compliance department referred to in the second paragraph of Article 166 of the ZBan-3, including the head of the compliance department, may not perform any other activities or tasks at the bank that fall within the scope of activities that the compliance department is monitoring and supervising, or where a conflict of interest could arise.

(3) For the purpose of the realisation of the independent identification of compliance risk at the bank, the management board shall ensure that the compliance department implements and coordinates these tasks at its own initiative, including investigations of any breaches of the compliance policy referred to in the first paragraph of Article 42 of this regulation, without the compliance department’s employees being exposed to any attempts at undue influence or pressure on the part of a member of the Management body or a member of the senior management for the purpose of prejudicing the independence of action of the compliance department.

(4) For the purpose of realising the effectiveness of the compliance department, the management board shall ensure the consistent and timely treatment of all reports, findings and proposed measures submitted by the compliance department, and shall require the senior management to arrange for the requisite rectification of the identified irregularities in accordance with the agreed deadlines. An explanation of any failure to observe the recommendations of the compliance department and any delay in the rectification of identified irregularities relative to the agreed deadlines shall be provided in writing by the recipient of the recommendations.

(5) For the purpose of the proper performance of the compliance function, the provisions of this regulation applying to the compliance department shall apply mutatis mutandis to banks where a compliance department is not independently organised.

Article 44 (compliance department’s tasks)

The compliance department shall primarily perform the following tasks in connection with the identification and monitoring of compliance risk:

  1. conducting an independent investigation of any breaches of compliance policy, including on the basis of bilateral communications with any of the bank’s employees;
  2. analysing compliance risk for the purpose of active participation in the review of whether the introduction of new products complies with regulations, standards and the bank’s bylaws;
  3. putting in place regular and ad hoc reporting on compliance risk to the Management body and, where appropriate, to the risk management function and the internal audit department;
  4. advising the management board and the senior management with regard to compliance, including the development of regulations and standards in this area;
  5. training employees with regard to compliance risk;
  6. producing guidelines for employees with regard to the requisite compliance (e.g. codes, instructions, manuals);
  7. acting as a contact address for queries from employees in connection with compliance risk.

Article 45 (head of compliance department)

A bank shall notify the supervisory board of the appointment or dismissal of the head of the compliance department.

Article 46 (direct access to supervisory board)

(1) A bank shall provide for the regular participation of the head of the compliance department at sessions of the supervisory board in the parts relating to the compliance risk, and at sessions of the relevant supervisory board committees. At these sessions the head of the compliance department shall provide analysis, assessments and other information with regard to compliance risk, and shall represent the positions of the compliance department that are in accordance with the compliance policy. The bank shall grant the head of the compliance department access to the minutes of sessions of the supervisory board in the parts consisting of the agenda items related to the area of work of this department.

(2) The bank shall ensure that the compliance function reports its findings referred to in the third paragraph of Article 166 of the ZBan-3 to the management board, to the supervisory board and, where appropriate, to the risk management function independently and without hindrance. Without hindrance means that the compliance department reports to the aforementioned bodies and functions without any requirements or pressures from a member of the Management body or the senior management for the inappropriate adjustment or omission of information. To this end the bank shall ensure that the manner of the aforementioned reporting to the management board and the supervisory board is determined by the compliance function, and not by the management board or the supervisory board. Independent notification means that the compliance department is able to report to the supervisory board without the prior submission of the notification in question to the management board for signing or approval.
2.4.2.4 Information security management function

Article 47 (information security management policy)

A bank shall put in place and implement an appropriate information security management policy that defines the following at least:

(a) the bank’s objectives in and approach to ensuring the security of information systems and information, including the basic principles of the realisation of information security;
(b) the principles and procedures for safeguarding the confidentiality, integrity and availability of information, and the allocation of responsibilities with regard to the security of information technology, the information stored in the bank’s information systems, and the corresponding documentation. The “confidentiality” of information means that information is disclosed solely to authorised persons, the “integrity” of information means that information is flawless and complete, and the “availability” of information means that authorised users are guaranteed access to information when necessary;
(c) the general standards of information security for all employees, and detailed rules for ensuring information security for individual groups of employees;
(d) an explanation of the most important procedures for identifying and managing information security risks at various levels of the bank’s organisational structure.

Article 48 (purpose and powers of information security management function)

(1) The information security management function shall monitor and control information security procedures for the purpose of preventing unauthorised access to information in storage, during processing or during transfer, and changes thereto, including the management of related risks and the production of analysis of these risks on each occasion for the purposes of the ICAAP.

(2) The management board shall ensure that the information security management function has:
(a) the requisite powers to effectively perform its work;
(b) sufficient human and financial resources for:
i. implementing the information security policy,
ii. effectively managing information security risks,
iii. training and educating the bank’s employees in information security, and
iv. training and educating the bank’s employees in information security management.

(3) For the purpose of ensuring the effectiveness of the information security management function, the management board shall ensure the consistent and timely processing of all reports, findings and proposed measures submitted by the aforementioned function, and shall require the senior management to arrange for the rectification of the identified irregularities in accordance with the agreed deadlines. An explanation of any failure to observe the recommendations of the information security management function and any delay in the rectification of identified irregularities relative to the agreed deadlines shall be provided in writing by the recipient of the recommendations.

Article 49 (tasks of information security management function)

(1) The tasks of the information security management function shall include:

  1. regularly analysing information risks, assessing risks, and providing assessments of compliance with applicable regulations and standards;
  2. managing security incidents or potential security incidents in collaboration with other functions at the bank where appropriate (e.g. identifying, assessing, monitoring and reporting security incidents);
  3. supervising the implementation of measures to improve the state of information security;
  4. regularly reviewing and updating the information security policy and ensuring compliance with this policy;
  5. making regular and ad hoc reports to the management body on non-compliance, security incidents, risks, new threats in connection with information security, and the implementation of measures to improve information security;
  6. advising the management board and senior management with regard to information security management, including the development of regulations and standards in this area;
  7. training employees with regard to information security; and
  8. producing guidelines for employees with regard to the requisite information security management (e.g. instructions, manuals).

(2) The risks identified in the area of information security shall be included in reports on operational risks. In the case of significant risks, they shall be appropriately addressed within the framework of each ICAAP.

Article 50 (head of information security management function)

(1) The information security management function shall be headed by a person with the requisite knowledge, experience and authorisations.

(2) Persons who perform tasks of information security management may not perform any operational tasks that fall under activities that are to be monitored and controlled by the aforementioned function.

(3) A bank shall notify its supervisory board of the appointment or dismissal of the head of the information security management function.

Article 51 (direct access to supervisory board and management board)

(1) A bank shall provide for the regular participation of the head of the information security management function at sessions of the supervisory board in the parts relating to information security risks. At these sessions the head of the information security management function shall provide analysis, assessments and other information with regard to information security risks, and shall represent the positions of the information security management function that are in accordance with the bank’s information security policy.

(2) The bank shall ensure that the information security management function reports its findings to the management board and to the supervisory board independently and without hindrance. Without hindrance means that the information security management function reports to the aforementioned bodies and functions without any requirements or pressures from a member of the management body or the senior management for the inappropriate adjustment or omission of information. To this end the bank shall ensure that the manner of the aforementioned reporting to the management board and the supervisory board is determined by the information security management function, and not by the management board or the supervisory board. Independent reporting means that the information security management function is able to report to the supervisory board without the prior submission of the report in question to the management board for signing or approval.

2.5 Remuneration policy and practices

Article 52 (processes and procedures)

(1) The remuneration policy and practices referred to in point 4 of the first paragraph of Article 148 shall be deemed adequate if they take account of the importance of financial incentives for persons referred to in the second paragraph of Article 189 of the ZBan-3 (hereinafter: employees), including the following basic principles for defining remuneration policy and practices:

  1. taking account of restrictions with regard to remuneration;
  2. taking account of the impact of the variable component of remuneration on the bank’s financial position;
  3. setting an appropriate ratio between the fixed and variable components of remuneration;
  4. assessing employee performance for the purpose of aligning remuneration with risks.

(2) The bank shall pay variable remuneration in a manner in accordance with the requirements set out in Articles 189 to 191 of the ZBan-3.

Article 53 (restrictions with regard to remuneration)

(1) A bank shall ensure that its remuneration policy does not provide for fringe benefits arising from the predefined, contractually agreed variable component of remuneration, except under the following conditions:

  1. approval of the fringe benefits is only possible for a new hire;
  2. the use of the fringe benefits is restricted solely to the first year of employment.

(2) The bank shall ensure that remuneration from fees or compensation in connection with contracts from previous employment is in accordance with the bank’s long-term interests, including the rules with regard to employee performance and the rules with regard to the withholding, deferral or reimbursement of funds.

Article 54 (consideration of impact of variable component of remuneration on bank’s financial position)

A bank shall ensure that the variable remuneration policy does not reduce its ability to recapitalise as required.

Article 55 (appropriate ratio between fixed and variable components of remuneration)

A bank shall ensure that the ratio between the fixed and variable components of remuneration for various employee categories is appropriately balanced. The balance between the fixed and variable components of remuneration is deemed appropriate if the total amount of remuneration is not highly dependent on the variable component of remuneration which, at the same time, represents an effective way to encourage employees to achieve or exceed planned work results. The fixed component of remuneration shall represent a sufficiently high proportion of total remuneration to allow the bank to implement a fully flexible policy on the variable component of remuneration, including the possibility to pay no variable component.

Article 56 (assessment of employee performance for purpose of variable component of remuneration)

(1) A bank shall assess the performance of employees over a multi-year period, and shall ensure that:

  1. the assessment at any particular time takes account of the employee’s long-term performance;
  2. the payment of the variable component of remuneration is spread over a period that takes account of the bank’s business cycle and the bank’s risks.

(2) In assessing employee performance as the basis for calculating the variable component of remuneration or total variable remuneration, the bank shall take account of the following:

  1. alignments for all types of the bank’s risks, and
  2. the costs of capital and liquidity needs.

(3) The bank shall also take account of the alignments for all types of the bank’s risks in the final allocation of the variable component of remuneration across the bank’s organisational units.

Article 57 (additional rules with regard to remuneration of members of management board and supervisory board)

The supervisory board shall decide on the remuneration of members of the management board, taking account of the bank’s remuneration policy referred to in the first paragraph of Article 189 of the ZBan-3 in so doing.

3. FUNCTIONING OF MANAGEMENT BODY AND ITS COMMITTEES, CONDUCT OF ITS MEMBERS IN ACCORDANCE WITH RELEVANT STANDARDS OF PROFESSIONAL DILIGENCE AND ETHICAL STANDARDS, AND PREVENTION OF CONFLICTS OF INTEREST

3.1 (standards of professional diligence and ethical standards at bank level)

Article 58 (realisation of corporate values)

(1) In their conduct members of the Management body shall uphold the adopted corporate values referred to in point 1 of the first paragraph of Article 8 of this regulation, and shall meet the highest standards of professional diligence and ethical standards, including the prevention of circumstances that entail or could lead to any kind of conflict of interest.

(2) Through their everyday example members of the Management body shall promote a high culture of risk management referred to in point 2 of the first paragraph of Article 8 of this regulation that gives the highest priority to the fair, prudent and honest pursuit of the bank’s business activities.

3.2 Fundamental rules of professional diligence and ethics

Article 59 (duty of care and duty of loyalty)

(1) For the purpose of upholding the standards of professional diligence and ethical standards, members of the Management body shall exercise their duty of care and duty of loyalty as of the moment that they assume their functions. The duty of care is the duty of a member of the Management body to act as prudently when taking decisions in connection with the bank as the responsible person would act when taking decisions in his/her own affairs, taking account of all available information in so doing. The duty of loyalty is the duty of a member of the Management body to always act in good faith and in accordance with the bank’s interests when exercising his/her powers and responsibilities, and in so doing never to act in his/her private interests, the interests of a third party, or the interests of a group of other individuals to the detriment of the bank or its shareholders.

(2) The duties referred to in the first paragraph of this article shall be exercised by members of the Management body primarily by means of participation in the form of constructive criticism in the discussion of the bank’s most important affairs for the purpose of ceaselessly pursuing the bank’s best interests. In so doing:

  1. members of the supervisory board should be actively involved in the supervision of the actions of the management board and the bank’s operations, on the basis of knowledge and understanding of the bank’s operations and financial data, and the bank’s objectives, strategies and policies referred to in the first paragraph of Article 4 of this regulation, and having regard for the regulations, standards and requirements of the Bank of Slovenia;
  2. members of the management board should be actively involved in the bank’s operations and the bank’s risk management, on the basis of conduct in accordance with the bank’s objectives, strategies and policies.

(3) Members of the supervisory board shall appropriately demonstrate the knowledge and understanding of the areas referred to in point 1 of the second paragraph of this article at sessions of the supervisory board, sessions of the supervisory board’s committees on which they sit, and at meetings with the Bank of Slovenia (hereinafter: meetings). The knowledge and understanding of these areas is deemed appropriate if the member of the supervisory board is actively involved in the meetings and participates in discussions by expressing his/her independent views and arguments. This conduct on the part of members of the supervisory board shall also be evident from the audio recordings referred to in point 2 of the fourth paragraph of Article 60 of this regulation.

(4) Any member of the supervisory board who on any grounds whatsoever is prevented from performing his/her function of supervising the actions of the management board or from exercising his/her powers (e.g. conflicts of interest on the part of the member in question, undue pressures on his/her independent decision-making, long-term passivity and inaction on the part of other members of the supervisory board) and who has exercised all mechanisms provided for by applicable regulations, shall inform the Bank of Slovenia of this situation.

Article 60 (responsible conduct)

(1) A bank shall provide for the clear, documented definition of the responsibilities of individual members of the Management body in connection with the performance of their functions, including the corresponding powers, duties, expectations, tasks and work procedures.

(2) Members of the Management body shall perform their functions responsibly, cooperating closely in so doing for the purpose of realising the bank’s best interest. Members of the Management body shall strive to achieve consensus when taking decisions of greatest importance to the bank that could have a material impact on its operational, financial or legal position.

(3) Responsible conduct on the part of the president of the management board and the other members of the management board shall include their duty of documented decision-making and approval of important business decisions and decisions in connection with risk management that are within the scope of the powers of the management board, without formally or informally transferring this responsibility to lower hierarchical levels.

(4) For the purpose of monitoring the realisation of responsible conduct on the part of members of the Management body, the bank shall provide for:

  1. minutes of sessions of the management board, the supervisory board and their committees;
  2. an audio recording of sessions of the supervisory board;
  3. minutes of sessions and meetings of other committees and commissions on which members of the Management body sit.

The documents referred to in point 2 of the previous paragraph shall be stored for 15 years.

Article 61 (knowledge, experience and independent judgement in decision-making)

(1) Members of the Management body shall have the requisite knowledge and experience, including personal integrity, to independently exercise their judgement on a basis of constructive criticism in taking decisions in the bank’s best interest. In so doing members of the Management body shall take account of all available information and other relevant factors that could have an impact on the decisions.

(2) The knowledge and experience of a member of the Management body referred to in the first paragraph of this article is deemed requisite if it includes:

  1. knowledge of the area of banking and financial services, or other relevant areas (e.g. economics, law, administration and financial regulations, mathematics, statistics);
  2. experience acquired in past business-related activity, particularly in the areas of:
  • financial markets,
  • banking legislation and regulations,
  • strategic planning, and the understanding and implementation of a bank’s business strategy or business plan,
  • risk management,
  • assessment of the effectiveness of a bank’s internal governance arrangements and establishment of effective internal control mechanisms,
  • interpretation of a bank’s financial data.

(3) The second paragraph of this article notwithstanding, the level and nature of the knowledge and experience required of members of the management board may differ from the level and nature of the knowledge and experience required of members of the supervisory board. Accordingly:
  1. members of the management board shall above all have sufficient working experience acquired in an executive position for an appropriate period;
  2. members of the supervisory board shall above all have sufficient experience for the purpose of ensuring their judgement on a basis of constructive criticism of the management board’s decisions and the effective supervision of the management board, the effective realisation of their role in adopting policies and decisions within the scope of the powers of the supervisory board referred to in the first paragraph of Article 157 of the ZBan-3, and the effective participation in the supervisory board committees referred to in Article 51 of the ZBan-3.

(4) Members of the Management body shall strive in all circumstances for decisions to be taken independently and on the basis of expert arguments in the bank’s best interest, and in accordance with the ethical standards of management, and on this basis shall assess any opinions or instructions of those who elected, proposed or appointed them. These circumstances shall also include any opinions or instructions of the Management body of the parent undertaking for a member of the Management body of a subsidiary with regard to the implementation of the bank’s business objectives, risk profile, strategies and policies, and risk appetite.

(5) Notwithstanding the provision on independent decision-making set out in the preceding paragraph, members of the management board shall fully, exhaustively, accurately and promptly inform the president and other members of the management board of all significant developments and the progress of specific operations in the areas for which they are responsible.

(6) Should an individual member of the management board believe that a majority decision taken by the management board with regard to a specific issue contravenes the bank’s objectives, strategies and policies, and that it breaches his/her duties set out in the third paragraph of Article 47 of the ZBan-3, he/she shall express this dissent via a note and explanation in the minutes of the session of the management board or the other decision-making body of which he/she is a member.

(7) The member of the supervisory board in question shall notify the other members of the supervisory board of the receipt of an opinion or instructions referred to in the fourth paragraph of this article. All members of the supervisory board shall have the same rights and obligations, irrespective of who elected, proposed or appointed them.

(8) Should an individual member of the supervisory board believe that a majority decision taken by the supervisory board contravenes the bank’s business objectives or risk management objectives, he/she shall express this dissent via a note and explanation in the minutes of the session of the supervisory board.

Article 62 (independent conduct)

(1) In performing their functions members of the Management body shall act and decide independently, in the bank’s best interest. To this end members of the Management body may not act in a manner such that their economic, personal or other links with the bank or another entity in the group, including its governing bodies, unduly influence their impartial, professional, objective, fair and comprehensive personal judgement in performing the function of a member of the Management body.

(2) Members of the Management body shall immediately inform the supervisory board of any link between a member of the Management body and the bank or another entity in the group that could prejudice their independent decision-making in the bank’s best interest.

3.2 Conflict of interest at level of members of Management body

Article 63 (general)

(1) The Management body shall take account of all circumstances in the assessment of conflicts of interest at the level of members of the Management body referred to in point 4 of the second paragraph of Article 3 of this regulation, in particular personal, business or other circumstances that are directly related to a member of the Management body or to other legal and natural persons with private interests in common with those of the member of the Management body in question.

(2) In exercising their tasks and decision-making, members of the Management body shall avoid circumstances and conduct that entail or could lead to a conflict of interest referred to in points 3 and 4 of the second paragraph of Article 3 of this regulation. In their actions and decision-making, members of the management board shall primarily consider the interests of the bank, subordinating any other personal interests to those of the bank, and may not exploit the bank’s business opportunities for their own account, for the account of members of their family, or for the account of persons with whom they have private interests in common. In their actions and decision-making, members of the supervisory board shall primarily consider the interests of the bank, subordinating any other personal interests or the individual interests of shareholders, the management board, the public or other persons to those of the bank.

Article 64 (rules and procedures in connection with conflicts of interest)

(1) For the purpose of transparent decision-making at sessions of the Management body and at sessions of committees and commissions on which they sit, members of the Management body shall in particular take account of the following precautionary measures to avoid conflicts of interest:

  1. for the purpose of avoiding a conflict of interest that could impact their judgement, members of the Management body shall, at their own initiative or when called upon by the president of the management board or the chairperson of the supervisory board, declare whether there is a suspected conflict of interest in a matter that is the subject of a vote, and shall provide a corresponding explanation;
  2. when there is a suspected conflict of interest, the member of the Management body shall recuse himself/herself in the matter that is the subject of a vote, and shall leave the premises where the session is taking place for the duration of the voting;
  3. the Management body shall ensure that the explanation and declaration of a member of the Management body recusing himself/herself on grounds of a conflict of interest referred to in point 2 of this paragraph is included in the minutes of the session of the Management body or the session of the bank’s committee or commission.

(2) For the purpose of the transparent performance of their functions, members of the management board shall immediately inform the president of the management board of all circumstances that could lead to a conflict of interest in their actions (hereinafter: circumstances of a conflict of interest). For the purpose of the transparent performance of their functions, members of the supervisory board shall immediately inform the chairperson of the supervisory board of all circumstances of a conflict of interest. In the event of circumstances of a conflict of interest in respect of the president of the management board, he/she shall inform the chairperson of the supervisory board, the provisions of this article applying mutatis mutandis. In the event of circumstances of a conflict of interest in respect of the chairperson of the supervisory board, he/she shall inform the supervisory board, the provisions of this article applying mutatis mutandis.

(3) In the event of being informed of the circumstances of a conflict of interest by a member of the Management body, the president of the management board or the chairperson of the supervisory board shall, on the basis of his/her own assessment of the existence of the circumstances of a conflict of interest, take appropriate documented measures to eliminate the circumstances or to put monitoring of the circumstances in place. In cases of complex circumstances of a conflict of interest, instead of taking the aforementioned measures the president of the Management body may inform the supervisory board, which in this case shall assess the existence of the circumstances of a conflict of interest at the earliest possible juncture, and shall take appropriate measures to eliminate the circumstances or to put monitoring of the circumstances in place. These measures shall include:
  1. the application of the precautionary measures referred to in the first paragraph of this article to avoid the circumstances of a conflict of interest in voting at sessions of the Management body and at sessions of committees and commissions on which the member in question sits;

  2. the immediate cessation of the disputed conduct by the member of the Management body, and the transfer to the bank of any advantage gained from the specific transaction;
  3. where the bank has incurred damage of any kind in the transaction, the reimbursement of the damage to the bank by the member of the Management body from his/her own funds;
  4. removal from the function of a member of the Management body, if he/she fails to or refuses to eliminate the circumstances of a conflict of interest on any grounds.

(4) Should it be proven that the member of the Management body failed to inform the president of the management board or the chairperson of the supervisory board of the circumstances of a conflict of interest that he/she knew of, and at the same time failed to immediately rectify the consequences of such conduct, or should the member of the Management body fail to uphold the precautionary measures referred to in the first paragraph of this article, the supervisory board shall be informed accordingly. In this event the supervisory board shall dismiss the member of the management board from his/her function, or propose the dismissal of the member of the supervisory board to the general meeting immediately upon the disputed position being established.

3.3 Process of assessing suitability of members of Management body

Article 65 (general)

(1) The process of assessing the suitability of members of the Management body referred to in the first paragraph of Article 37 of the ZBan-3 (hereinafter: suitability assessment process) shall include the circumstances of the re-appointment of a member of the Management body (re-election) and the circumstances when a member of the Management body takes over another area of management or supervision within the framework of an existing term of office. In these cases the bank shall solely verify whether the member in question is still suitable for performing his/her function (a partial assessment of suitability), having regard for the aforementioned circumstances.

(2) The suitability assessment process shall take account of the difference between the complexity of performing the function of the president of the management board or the chairperson of the supervisory board, including a member of the supervisory board who performs the function of the chairperson of a supervisory board committee, and the complexity of performing the function of a member of the management board or the supervisory board.

(3) The bank shall document each assessment of the suitability of an individual member of the Management body, including the initial assessment of suitability as a member of the Management body.

Article 66 (employee contribution to suitability assessment)

(1) Having regard for the second paragraph of Article 37 of the ZBan-3, for the purpose of enforcing and demonstrating good practice in corporate governance, a bank may make it possible for other employees designated by the bank or the body responsible for the selection and appointment of employee representatives to the bank's supervisory board, to formulate the bank’s position with regard to suitability as a member of the Management body. Such employees may for example be from the banking group, the risk management function, the compliance function, the HR department or other expert departments and functions.

(2) The bank shall ensure that employees referred to in the first paragraph of this article have timely access to all the relevant information of significance to the formulation of the bank’s position with regard to suitability as a member of the Management body. This information shall in particular include:

  1. the person’s CV according to a relevant standard (e.g. a Europass standard CV);

  2. documents and other evidence, including documentary proof of the person’s formal qualifications, for the purpose of assessing the fulfilment of criteria in connection with the knowledge, skills and experience for managing a bank’s operations referred to in point 1 of the second paragraph of Article 61 of this regulation;
  3. documents and other evidence of the fulfilment of the criteria in connection with reputation;
  4. other relevant documents and evidence.

Article 67 (adequacy of suitability assessment)

(1) A bank shall ensure that its assessment at any particular moment of the suitability of a candidate of the Management body (hereinafter: suitability assessment) contains a review of the circumstances taken into account by the bank or the body responsible for the selection and appointment of employee representatives to the bank's supervisory board, in its assessment of the person’s suitability (the bank’s own findings and the facts submitted by the person in question) and the bank’s or the body responsible for the selection and appointment of employee representatives to the bank's supervisory board assessment of the fulfilment of the bank’s requirements with regard to the function that is the subject of the candidacy or appointment.

(2) Should the suitability assessment submitted to the Bank of Slovenia by the bank for the purpose of conducting the process of assessing suitability as a member of the Management body by the Bank of Slovenia be deficient or sparse, and as such should it not allow for a proper assessment of the suitability of the person in question, the Bank of Slovenia may require its supplementation on the basis of appropriate arguments.
3.4 Functioning of supervisory board committees

Article 68 (use of external advisors)

Having regard for the knowledge, skills and experience that a member of the supervisory board should have, for the purposes of performing the tasks of the individual supervisory board committees referred to in Articles 52, 53 and 54 of the ZBan-3 and other regulations, the supervisory board shall ensure that the use of external advisors referred to in the sixth paragraph of Article 51 of the ZBan-3 or external experts referred to in the third paragraph of Article 157 of the ZBan-3 is justified solely for the purpose of accessing additional, particularly specific, knowledge for the purpose of the functioning of the committees. The possibility of using external advisors shall not relieve the members of the supervisory board of their duties in respect of the expert knowledge, experience and independent judgement referred to in Article 61 of this regulation, or the knowledge and independent judgement that members of the supervisory board should have for the purpose of acting on supervisory board committees.

3.5 Functioning of supervisory board

Article 69 (convening of sessions of supervisory board)

(1) The chairperson of the supervisory board shall ensure that the supervisory board meets in session at least once a quarter. Should this not be ensured by the chairperson of the supervisory board, other members of the supervisory board shall convene the session in accordance with the law governing companies.

(2) The chairperson of the supervisory board shall maintain regular contact with the president of the management board, shall request explanations from him/her of significant business events of which he/she has knowledge, and of the bank’s risks inherent in these events, and shall as necessary convene an extraordinary session of the supervisory board.

Article 70 (effectiveness of supervisory board’s work)

(1) The effectiveness of the supervisory board’s work is to a great extent dependent on how well it is informed and its access to significant information. Members of the management board shall be responsible for ensuring that the supervisory board has timely and comprehensive information. The management board shall regularly, comprehensively and in a timely fashion inform the supervisory board of significant matters relating to the bank’s operations, risk profile, strategies and policies, and any deviations from the adopted objectives. The supervisory board is entitled and obliged to request from the management board additional explanations and reports with regard to any ambiguities in connection with the operations of the bank and its subsidiaries.

(2) The chairperson of the supervisory board shall coordinate the work of the supervisory board and shall chair its sessions. The chairperson shall encourage the other members of the supervisory board to effectively and actively perform their functions. The other members of the supervisory board shall ensure that they have enough time to carry out their tasks, and are obliged to further educate and improve themselves as necessary throughout their term of office in areas of importance to the efficient, high-quality execution of their duties. The chairperson of the supervisory board shall adopt a plan in conjunction with the president of the management board for the training of members of the supervisory board and for the introduction of new members.
Article 71 (appointment and dismissal of members of management board)

(1) When appointing and dismissing members of the management board, having regard for the policy for selecting and appointing suitable candidates for membership of the Management body referred to in the second paragraph of Article 35 of the ZBan-3, the supervisory board shall strive to carefully select candidates in a timely fashion to ensure the continuity of the management board’s work.

(2) The management board shall also participate in the selection of its members. The chairperson of the supervisory board shall call on the management board or its president to propose suitable candidates in timely fashion prior to the end of their term of office.

Article 72 (selection of new members of supervisory board)

(1) Prior to a decision on the election of members of the supervisory board, the proposer shall present the candidates to the general meeting as appropriate, including:

  1. argumentation that the candidate selection process took account of the bank’s policy with regard to the selection of suitable candidates referred to in the second paragraph of Article 35 of the ZBan-3;
  2. an assessment of suitability as a member of the supervisory board, and any proposed measures by the bank;
  3. any conflicts of interest that exist or could arise in relation to the bank as the result of their appointment.

(2) The preceding paragraph shall not apply in the event that the proposer is the body responsible for the selection and appointment of employee representatives to the bank's supervisory board.

3.6 Diligence of members of supervisory board in implementation of Article 50 of ZBan-3

Article 73 (consent for management board with regard to definition of bank’s business policy)

(1) The supervisory board shall grant the management board its consent with regard to the definition of the bank’s business policy referred to in point 1 of Article 50 of the ZBan-3, primarily on the basis of an assessment of whether the business policy provides for the implementation of the objectives, strategies and policies referred to in the first paragraph of Article 4 of this regulation, and the bank’s best long-term financial interests, having regard for:

  1. the adopted risk appetite;
  2. the risk bearing capacity;
  3. the bank’s business model and the activities pursued by the bank;
  4. zero tolerance on the part of the supervisory board for a business policy that encourages and realises unfair business practices, including conduct risk and reputation risk;
  5. other relevant factors.

(2) For the purpose of granting its consent to the management board with regard to the definition of the bank’s business policy, in the assessment of the adequacy of the business policy the supervisory board shall primarily take account of its own importance and role in promoting a high culture of risk management.

Article 74 (consent for management board with regard to definition of bank’s financial plan)

The supervisory board shall grant the management board its consent with regard to the definition of the bank’s financial plan referred to in point 2 of Article 50 of the ZBan-3, primarily on the basis of an assessment of whether the bank’s financial plan is acceptable and feasible with regard to the bank’s business objectives, strategy and policy, the adopted risk appetite, and the bank’s risk bearing capacity.

Article 75 (consent for management board with regard to definition of organisation of internal control system)

The supervisory board shall grant the management board its consent with regard to the definition of the organisation of the internal control system referred to in point 3 of Article 50 of the ZBan-3, primarily on the basis of an assessment of:

  1. whether the internal controls referred to in point 1 of the first paragraph of Article 31 of this regulation provide for the systematic supervision of all of the bank’s significant risks on the basis of their implementation at all levels of the bank’s organisational structure, and their execution within the framework of the bank’s everyday processes, procedures and activities;
  2. whether the internal control functions referred to in point 2 of the first paragraph of Article 31 of this regulation provide for an independent and objective assessment for the proper compliant implementation of the bank’s internal governance arrangements.

Article 76 (consent for the management board with regard to definition of internal audit department’s framework annual work programme)

The supervisory board shall grant the management board its consent with regard to the definition of the internal audit department’s framework annual work programme referred to in point 4 of Article 50 of the ZBan-3, primarily on the basis of an assessment of whether the internal audit department’s annual work plan has been designed to take account of the bank’s risks.

Article 77 (supervision of suitability of procedures and effectiveness of work of internal audit department)

(1) The supervisory board shall realise the supervision of the suitability of the procedures and the effectiveness of the work of the internal audit department referred to in point 5 of Article 50 of the ZBan-3 primarily on the basis of an assessment of whether the internal audit department is providing an independent assessment to the supervisory board with regard to the quality and effectiveness of the internal governance arrangements, including the bank’s risk management systems and processes and internal controls.

(2) In the assessment referred to in the first paragraph of this article, the supervisory board shall in particular consider whether:

  1. the internal audit department is independent in exercising its internal auditing tasks;
  2. the internal audit department is exercising its internal auditing tasks at its own initiative;
  3. the internal audit department has unfettered access to all of the bank’s premises, employees, information and data;
  4. the internal audit department is realising its annual work programme, including the provision of the requisite analysis, reports, opinions and information with regard to audit findings;
  5. the frequency of internal audits is appropriate with regard to the importance of the area in question, having regard for the corresponding risks and their impact on the bank’s profit or loss;
  6. in exercising their internal auditing tasks the internal audit department’s employees do not enter into a position of a potential conflict of interest;
  7. the bank is providing the internal audit department with the requisite human and financial resources for exercising its tasks and for engaging and training the internal audit department’s employees, with regard to the areas and complexity of their tasks.

Article 78 (consent for appointment and dismissal of head of internal audit department)

(1) The supervisory board shall grant the management board its consent for the appointment, including re-appointment and dismissal, of the head of the internal audit department referred to in point 6 of Article 50 of the ZBan-3, primarily on the basis of an assessment of:

  1. the adequacy of the candidate for head of the internal audit department, and
  2. whether the grounds for dismissal of the head of internal audit department are justifiable.

(2) In the assessment of the adequacy of the candidate for head of the internal audit department referred to in point 1 of the previous paragraph, the supervisory board shall consider the following in particular:

  1. the knowledge, skills and experience required for the effective performance of internal auditing tasks;
  2. the personal attributes and integrity of the candidate for head of the internal audit department that allow him/her to uphold the mission of the internal audit department to the greatest extent;
  3. an assessment of the suitability of the candidate for head of the internal audit department drawn up by the bank.

(3) In the assessment of whether the grounds for dismissal of the candidate for head of the internal audit department referred to in point 2 of the first paragraph of this article are justifiable, the supervisory board shall consider the following in particular:

  1. the written clarifications of the management board and the written clarifications of the head of the internal audit department with regard to the cited grounds for dismissal;
  2. the submitted material evidence constituting the grounds for dismissal of the head of the internal audit department;
  3. regulations and the bank’s HR policy governing the termination of the employment contract and the dismissal of employees;
  4. other relevant evidence and clarifications.

Article 79 (adoption and supervision of basic principles of remuneration policy)

(1) The supervisory board shall adopt and monitor the implementation of the basic principles of remuneration policy referred to in point 7 of Article 50 of the ZBan-3, primarily on the basis of an assessment of whether the bank’s remuneration policy complies with:

  1. regulations governing the area of remuneration at banks, in particular the requirements set out in:
  • Articles 189 to 191 of the ZBan-3 and the requirements set out in Section 2.5 of this regulation;
  • Commission Delegated Regulation (EU) 2021/923 of 25 March 2021 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards setting out the criteria to define managerial responsibility, control functions, material business units and a significant impact on a material business unit’s risk profile, and setting out criteria for identifying staff members or categories of staff whose professional activities have an impact on the institution’s risk profile that is comparably as material as that of staff members or categories of staff referred to in Article 92(3) of that Directive (OJ L 203, 9.6.2021, p. 1);
  • Commission Delegated Regulation (EU) No 527/2014 of 12 March 2014 supplementing Directive (EU) No 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying the classes of instruments that adequately reflect the credit quality of an institution as a going concern and are appropriate to be used for the purposes of variable remuneration (OJ L 148, 20.5.2014, p. 21);
  2. the bank’s corporate values, business strategy and risk strategy, risk appetite, and long-term interests deriving from these strategies and policies.

(2) In the assessment of the compliance of the general principles of the bank’s remuneration policy with the bank’s values, strategies and interests referred to in point 2 of the previous paragraph, the supervisory board shall in particular consider whether the remuneration policy is compatible with and encourages prudent and effective risk management, whereby it does not encourage risk exposure that is not in accordance with the risk appetite. The supervisory board shall also realise such an assessment in the event of the excessively high or low remuneration of members of the Management body and other persons referred to in the second paragraph of Article 189 of the ZBan-3, including an assessment of the corresponding risks.

3.6.1 Decisions on other matters set out by ZBan-3

Article 80 (consent for dismissal of head of risk management function)

(1) The supervisory board shall grant consent to the management board for the dismissal of the head of the risk management function referred to in the fifth paragraph of Article 158 of the ZBan-3, on the basis of an assessment of whether the grounds for his/her dismissal are justifiable.

(2) In the assessment of whether the grounds for the dismissal of the head of the risk management function are justifiable, the supervisory board shall in particular consider:

  1. the written clarifications of the management board and the written clarifications of the head of the risk management function with regard to the cited grounds for dismissal;
  2. the submitted material evidence constituting the grounds for dismissal of the head of the risk management function;
  3. regulations and the bank’s HR policy;
  4. other relevant evidence and clarifications.

Article 81 (consent for plan of risk management activities)

The supervisory board shall grant the management board its consent for the action plan for managing risks referred to in the third paragraph of Article 168 of the ZBan-3, primarily on the basis of an assessment of whether the plan provides for the implementation of the risk strategies and policies referred to in Articles 5 and 6 of this regulation.

4. INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS

Article 82 (general)

For the purpose of continually assessing and ensuring the requisite amounts, types and distribution of adequate capital that it assesses as necessary coverage with regard to the characteristics and extent of the bank’s risks referred to in Article 151 of the ZBan-3, a bank shall put in place an internal capital adequacy assessment process (hereinafter: ICAAP) to ensure the consistent application of:

  1. the risk management processes referred to in the first paragraph of Article 20 of this regulation;
  2. the results of the ICAAP in the determination of the risk strategies referred to in Article 5 of this regulation and in capital planning.

4.1. ICAAP as integral part of risk management processes

Article 83 (general)

(1) A bank shall ensure that the ICAAP is an integral part of the risk management processes referred to in the first paragraph of Article 20 of this regulation. To this end, in the implementation of the ICAAP and the corresponding calculations of the internal assessment of risk-based capital requirements and the internal capital assessment, the bank shall apply the same systems, processes, methodologies, data and definitions of risks as those applied in the identification, assessment or measurement, management, monitoring and controlling of risks.

(2) The management board shall ensure that the results of the ICAAP, including the internal assessment of risk-based capital requirements and the internal capital assessment, are taken into account in:

  1. the adoption of the bank’s business decisions;
  2. the definition and adoption of risk strategies, the risk appetite and the risk bearing capacity, and in the bank’s long-term capital planning.

4.1.1. Operational and organisational structure of implementation of ICAAP

Article 84 (Management body’s responsibility for approval of ICAAP)

(1) For the purpose of the proper application and results of the ICAAP in the adoption and supervision of business decisions and risk strategies, the Management body shall approve the adequacy of the ICAAP at least once a year, including the internal assessment of risk-based capital requirements and the internal capital assessment on each occasion and the corresponding measures (hereinafter: results of the ICAAP). In so doing:

  1. the management board shall approve the adequacy of the ICAAP and its results on the basis of detailed knowledge of the objectives, processes, procedures and methodologies of the ICAAP;
  2. the supervisory board shall approve the adequacy of the ICAAP and its results on the basis of ensuring general awareness of the concept and objectives of the ICAAP, including an understanding of the importance of its results and the corresponding measures.

With each approval of the adequacy of the ICAAP, the Management body confirms that the ICAAP is taking account of the risk strategies.

(2) For the purpose of the effective adoption and monitoring of the implementation of business decisions and risk strategies referred to in the previous paragraph, the bank shall ensure that the Management body is regularly briefed on which of the bank’s risks are addressed in the ICAAP, including the corresponding internal assessments of risk-based capital requirements.

Article 85 (planning and implementation of ICAAP)

(1) A bank shall ensure the inclusion of the ICAAP in the processes of planning the bank’s operations for the upcoming planning period.

(2) The bank shall provide for adequate powers and responsibilities of the bank’s organisational units and functions for the implementation, monitoring, review and adoption of operational decisions for the purpose of the implementation of the ICAAP, including the calculation of the bank’s internal assessment of risk-based capital requirements and internal capital assessment. The powers and responsibilities are deemed adequate if they are set out in accordance with the following requirements:

  1. the bank’s functions that develop methodologies in connection with risk management and calculate the internal assessment of risk-based capital requirements should be functionally and organisationally separate from the business units and other organisational units that take up risks, including the management board;
  2. the business units and other organisational units that take up risks in the ICAAP should participate in the ICAAP under the leadership of the risk management function, which ensures the proper balance of interests between the bank’s take-up of risks and its risk management. (3) The bank shall ensure sufficient HR and financial conditions for the purpose of the implementation of the ICAAP, including the use of appropriate information technology. (4) The bank shall ensure that the ICAAP is regularly updated with regard to changes in the bank’s internal and external environments or changes in the objectives, strategies and policies referred to in the first paragraph of Article 4 of this regulation. 4.2.Application of results of ICAAP to setting of risk strategies and capital planning Article 86 (inclusion of identified risks in ICAAP) (1) A bank shall ensure that the ICAAP covers all of the bank’s identified significant risks, including risks inherent in the introduction of new products and the use of external contractors, on a consolidated, sub-consolidated and individual basis. (2) The first paragraph of this article notwithstanding, for the purpose of including specific risks referred to in the first paragraph of this article in the ICAAP, instead of using quantitative methodologies for the calculation of the internal assessment of risk-based capital requirements for the aforementioned risks the bank may use the corresponding risk management measures referred to in the first paragraph of Article 23 of this regulation or the internal control mechanisms referred to in the first paragraph of Article 31 of this regulation. In this case the bank shall ensure high quality in the use of the aforementioned measures, supporting them with argumentation. (3) The bank shall provide for a review of the adequacy and comprehensiveness of the inclusion of identified risks in the ICAAP at least once a year, and during any significant change in risk exposure. 
Article 87 (risk measurement and use of economic capital models)
(1) For the purpose of calculating the internal assessment of risk-based capital requirements, a bank shall ensure the use of comprehensive data in risk measurement. Data is deemed comprehensive if it covers all the risks inherent in the bank’s business model, activities and products on a consolidated, sub-consolidated and individual basis. The bank shall ensure the regular review of the comprehensiveness of the data and the reconciliation of the data used with information from the balance sheet and other relevant data deriving from the bank’s financial reports.
(2) A bank that uses advanced risk measurement techniques in its risk measurement (hereinafter: economic capital model) shall to this end ensure that the economic capital model, including the data used, is tailored to the bank’s business model, activities, products, and other internal and external circumstances. The validation (confirmation of the adequacy) of the economic capital model shall be provided for by an independent organisational unit.
(3) In its risk measurement referred to in the first paragraph of this article, the bank shall ensure that any consideration of the effects of risk management measures in the calculation of the internal assessment of risk-based capital requirements does not reduce that assessment disproportionately to the actual effect of the risk management measures.
Article 88 (internal assessment of risk-based capital requirements)
A bank shall calculate an internal assessment of risk-based capital requirements on the basis of its own methodology, including the combination of internal assessments of risk-based capital requirements for individual risks, or another appropriate methodology.
4.3. Internal capital assessment
Article 89 (objectives for maintenance of risk bearing capacity)
(1) On the basis of appropriate objectives for the maintenance of risk bearing capacity, a bank shall provide for the definition of the relevant capital components included in the internal capital assessment for the purpose of the ICAAP. The objectives for the maintenance of risk bearing capacity are deemed appropriate if they include the bank’s approach to ensuring capital adequacy under the following scenarios at least:

  1. the bank as a going concern;
  2. an emergency (but plausible) situation in the bank’s operations.
(2) The bank shall provide for the regular assessment (at least once a year) of the adequacy of the capital components referred to in the first paragraph of this article, including the consideration of any planned changes with regard to these components.
Article 90 (capital planning)
For the purpose of stably ensuring capital adequacy, a bank shall provide for adequate capital planning for a period of at least three years that takes account of the bank’s approach to the distribution of any dividends and the possibility of recapitalisation. The capital planning shall be based on realistic assumptions, having regard for the business strategy and the risk strategy referred to in the first paragraph of Article 4 of this regulation, and any restrictions deriving from regulations and standards and from the requirements of the Bank of Slovenia and other competent supervisory authorities.

Article 91 (analysis of risk bearing capacity)
(1) A bank shall ensure that the internal capital assessment is aligned with its risk bearing capacity at all times. To this end the bank shall provide for analysis of its risk bearing capacity, including on the basis of the scenarios for the maintenance of risk bearing capacity referred to in the first paragraph of Article 89 of this regulation.
(2) The scenario for the maintenance of risk bearing capacity at the bank as a going concern referred to in point 1 of the first paragraph of Article 89 of this regulation shall take account of the appropriate protection of the interests of shareholders, the Management body and the bank’s other employees. The protection of these interests is deemed appropriate if access to the capital provides for protection against developments that could endanger the bank’s continuation as a going concern. For the purpose of this scenario the bank shall ensure at all times that the internal assessment of risk-based capital requirements is at least at the level of the own funds requirements calculated in accordance with the rules of Regulation (EU) No 575/2013.
(3) The scenario for the maintenance of risk bearing capacity in an emergency but plausible situation in the bank’s operations referred to in point 2 of the first paragraph of Article 89 of this regulation shall take account of the appropriate protection of the interests of the bank’s investors. The protection of these interests is deemed appropriate if the bank’s capital is sufficient to repay the bank’s creditors.
(4) The bank may also define scenarios for the maintenance of risk bearing capacity for the purpose of covering other, less significant risks that are frequently realised.
(5) The bank shall monitor observance of, and any breaches of, the risk bearing capacity under the scenarios for the maintenance of risk bearing capacity that it has put in place.
Article 92 (use of stress tests)
(1) For the purpose of the calculation of the internal assessment of risk-based capital requirements, a bank shall conduct the stress tests referred to in Article 22 of this regulation at least once a year, according to stress scenarios that assume changes in market conditions, having regard for all the relevant entities in the group. To identify the changes in market conditions that could have an adverse impact on the bank’s future capital adequacy, the stress tests shall also take account of the state of the current business cycle in connection with a general deterioration in the economic situation as a result of a decline in economic activity (recession) and a specific deterioration in the economic sectors that the bank supports financially.
(2) The bank shall ensure that the results of the stress tests referred to in the first paragraph of this article are taken into account in the capital planning process referred to in Article 90 of this regulation, and in the definition of measures in connection with the risk strategies and policies referred to in Articles 5 and 6 of this regulation, including with regard to the risk profile and the business continuity plans.
Article 93 (capital allocation process)
(1) A bank shall provide for an appropriate process for allocating capital across business lines and entities in the group, on the basis of the internal assessment of risk-based capital requirements referred to in Article 88 of this regulation and the analysis of risk bearing capacity referred to in Article 91 of this regulation. The capital allocation process is deemed appropriate if it links the bank’s business strategy with its risk strategy.

(2) The bank shall provide for an assessment of capital adequacy and capital allocation at least once a year and during any significant change in risk exposure.
5. DOCUMENTATION
Article 94 (general)
(1) A bank shall provide for the systematic storage of important documentation in connection with the bank’s operations, its risk management, including the implementation of internal controls, and the internal reporting of the bank’s risks (hereinafter: documentation). The documentation shall in particular include:

  1. the bank’s bylaws, with regard to the chronology of their updating (e.g. strategies, policies, codes of conduct, instructions);
  2. relevant documents in connection with the activities of organisational units (e.g. adopted decisions, analysis, measures, financial results);
  3. a detailed description of the ICAAP and its results (e.g. scope of application, objectives, methodologies, assessments, procedures, calculations, measures);
  4. findings and measures from the implementation of the internal control process, including reports of internal control functions;
  5. measures to eliminate or to put in place monitoring of circumstances of a conflict of interest;
  6. minutes of sessions of the Management body and its committees and commissions, audio recordings of sessions of the supervisory board;
  7. assessments of the suitability of members of the Management body and key function holders;
  8. relevant documentation in connection with the group’s operations.
(2) The bank shall ensure that the documentation referred to in the first paragraph of this article is secure, comprehensive, understandable and up-to-date, having regard for applicable regulations and the bank’s bylaws with regard to the storage of documentation.
6. DETAILED CONTENT OF REPORTS IN CONNECTION WITH INTERNAL GOVERNANCE ARRANGEMENTS, AND METHODS AND DEADLINES FOR SUBMITTING SUCH REPORTS TO BANK OF SLOVENIA
Article 95 (general)
(1) A bank shall notify the Bank of Slovenia of significant information that has or could have an impact on the assessment of suitability as a member of the management board or the fulfilment of the required conditions for membership of the management board pursuant to Article 40 of the ZBan-3, and shall submit all the relevant documentation within five business days of the aforementioned circumstances arising or a justifiable suspicion arising that the prescribed conditions are not being fulfilled.
(2) The bank shall notify the Bank of Slovenia of an assessment of the suitability of a member of the Management body that it has compiled in circumstances owing to which it is necessary to conduct the reassessment of suitability as a member of the Management body referred to in the first paragraph of Article 37 of the ZBan-3 within five business days of the compilation of the assessment.
(3) The management board shall notify the Bank of Slovenia of the circumstances referred to in the fourth paragraph of Article 156 of the ZBan-3 within five business days of the notification being sent to the supervisory board.

(4) The internal audit department shall notify the Bank of Slovenia of the findings referred to in the first and second paragraphs of Article 165 of the ZBan-3 within five business days of the notification being sent to the management board or the supervisory board.
(5) The bank shall notify the Bank of Slovenia of the appointment or dismissal of the head of the internal audit department, the head of the risk management function, the head of the compliance function or the head of the information security management function, submitting all relevant documentation, within five business days of the appointment or dismissal.
7. FINAL PROVISIONS
Article 96 (cessation of application of regulations)
On the day that this regulation enters into force, the Regulation on risk management and the implementation of the internal capital adequacy assessment process for banks and savings banks (Official Gazette of the Republic of Slovenia, Nos. 73/15, 49/16, 68/17, 33/18, 81/18, 45/19 and 92/21 – ZBan-3) shall cease to apply.
Article 93 (entry into force)
This regulation shall enter into force on the day after its publication in the Official Gazette of the Republic of Slovenia.
Ljubljana, 13 July 2021
Boštjan Vasle
President, Governing Board of the Bank of Slovenia
The Regulation amending the Regulation on internal governance arrangements, the management body and the internal capital adequacy assessment process for banks and savings banks (Official Gazette of the Republic of Slovenia, No. 011/25) also includes the following final provision:
»Article 4
(1) This regulation shall enter into force on the fifteenth day after its publication in the Official Gazette of the Republic of Slovenia.
(2) Notwithstanding the previous paragraph, Articles 2 and 3 of this Regulation shall apply from the date of entry into force of the regulatory technical standards adopted pursuant to paragraph 9 of Article 317 of Regulation (EU) No 575/2013.«

APPENDICES: Additional requirements with regard to risk management
Appendix 1: Credit risk
Appendix 2: Liquidity risk
Appendix 3: Operational risk
Appendix 4: Market risks

Appendix 1: Credit risk
This appendix defines the additional requirements and the fundamental principles that banks take into account in putting in place a suitable environment for credit risk management:
(1) The management body is responsible for adopting and regularly reviewing (at least once a year) the strategy for taking up and managing credit risk (hereinafter: the strategy) and major policies setting out the methodologies, procedures and tools for managing credit risk, and for overseeing their implementation and updating.
(2) The strategy shall reflect the bank’s propensity to take up credit risk. It shall include the bank’s guidelines with regard to increasing or reducing the exposure level and taking up risk across individual types of loan, sectors, geographical regions, currencies and maturities. The strategy shall also include a selection of target markets (client segments) and other general attributes of the credit portfolio. The strategy shall take account of economic cycles and the resulting changes in the structure and quality of the credit portfolio.
(3) The senior management is responsible for implementing the adopted strategy, by putting in place processes to identify, measure or assess, monitor and control credit risk for all banking activities, both for individual loans and for the credit portfolio as a whole.
(4) A clear organisational structure shall be put in place at the bank that reflects the bank’s strategy and provides for employees in the area of credit risk to be quickly and effectively informed about the strategy and policies adopted. Employees involved in credit processes shall have a good awareness of the bank’s approach to credit approval and management, and shall act in accordance with the strategy and policies adopted.
(5) Credit policies shall provide a detailed definition of the principal terms of lending, and other lending criteria (e.g. acceptable purposes of lending, limits on the client’s credit assessment, maximum lending maturity, minimum collateral value and quality). They shall include clearly defined credit processes (approval of credit exposures, assignment of exposures to rating grades, management of credit protection, creation of value adjustments and provisions, early warning process, treatment of problem exposures, monitoring of credit risk and reporting on credit risk) that also set out the way in which decisions are made, and the powers and responsibilities of persons involved in these processes.
(6) The credit policy, which represents the framework for lending and guidance for the bank’s lending activity, shall provide a detailed definition of the target markets, the portfolio structure, price and non-price terms, the structure for setting limits, the method of credit approval and loan management (power of approval), permissible deviations and exceptions in processes, and reporting of exceptions. The credit policy shall be set out clearly, shall be based on banking principles of prudence, and shall comply with applicable legislation.
(7) A bank that offers clients non-standard or special credit arrangements (e.g. project financing, real estate financing) shall adopt special credit policies for financing of this type, which requires modified procedures and controls. Specialists in the individual forms of financing shall be included in the credit process.
(8) The bank shall ensure clear functional and organisational separation between the commercial operations unit and the risk management unit, and between the commercial operations unit and the back-office department, including at managerial levels.

Appendix 2: Liquidity risk

1. Subject of regulation
(1) This appendix defines the additional requirements with regard to liquidity risk management referred to in Articles 178, 179 and 180 of the ZBan-3 for the purpose of a bank being able at any moment to meet its obligations in timely fashion by ensuring:
  1. an adequate level of liquidity buffers, and
  2. a stable funding structure.
(2) The additional minimum requirements referred to in the previous paragraph include requirements in connection with:
  1. the organisation of liquidity risk management;
  2. the management of intraday liquidity;
  3. the management of collateral assets and asset encumbrance;
  4. the allocation of costs, benefits and risks in the provision of liquidity;
  5. the mitigation of liquidity risk; and
  6. measures to prevent and eliminate the causes of liquidity shortfalls.

2. Organisation of liquidity risk management
(1) The policy and procedures for liquidity risk management shall appropriately include the entities in the group, the business lines and the currencies of the transactions that a bank executes, for the purpose of identifying the sources of liquidity risk and evaluating the bank’s exposure to liquidity risk. Notwithstanding the organisational structure and the level of centralisation of liquidity risk management, the parent bank shall be responsible for liquidity risk management at group level:
  1. on the basis of knowledge of the liquidity position of entities in the group, and the liquidity flows within the group and in relation to other entities; and
  2. having regard for legal, regulatory or operational restrictions in connection with the transfer of liquidity.
(2) In demarcating the powers and tasks of employees, the bank shall take account of various time horizons, including intraday, owing to the differences and specifics of liquidity risk management over these time horizons.

3. Management of intraday liquidity
(1) Having regard for the attributes of the payments settlement system, a bank shall actively manage intraday liquidity to ensure the timely settlement of maturing liabilities during the normal course of operations and under stress conditions.
(2) The management of intraday liquidity shall form part of comprehensive liquidity risk management, and shall in particular include:
  1. the continual monitoring and control of intraday liquidity on the basis of a daily projection of inflows and outflows, including monitoring of the possibility of unexpected liquidity needs in an emergency liquidity situation;
  2. the provision of funding to meet intraday liquidity needs, even in the event of unexpected disruptions and on the basis of assets that are available for encumbrance;
  3. a clear demarcation of employees’ powers and duties;
  4. the definition of backup procedures to reduce the possibility of operational difficulties in the execution of everyday activities.

4. Management of collateral assets and asset encumbrance
(1) A bank shall define its approach to asset encumbrance and shall put in place procedures for the identification, monitoring and management of risks in connection with collateral assets and asset encumbrance. In so doing the bank shall take account of:
  1. the specifics and business model of the institution at which the assets reside;
  2. the country in which the transactions are being executed, or where the assets are recorded (in official registers or in a bank account);
  3. the specifics of the funding markets;
  4. the macroeconomic situation.
(2) The bank shall determine the eligibility of collateral assets and the possibility of their timely availability. To this end the bank shall:
  1. define eligible types of collateral asset, on the basis of which additional liquidity can be obtained over different time horizons;
  2. estimate the need for collateral assets over different time horizons, and determine the level of eligible collateral assets that are free of encumbrance and available even in stress conditions, whereby the pool of eligible collateral for Eurosystem claims shall be determined separately;
  3. take account of existing legislative and other legally binding, operational and other limitations in connection with the use or transfer of unencumbered assets between entities in a banking group, both within and outside the European Economic Area.
(3) The bank shall put in place an appropriate system for monitoring asset encumbrance and notifying the Management body and the senior management of:
  1. the level, evolution and types of asset encumbrance and related sources of encumbrance, such as secured funding or other transactions;
  2. the amount, evolution and credit quality of unencumbered but encumberable assets, specifying the threshold for encumbrance;
  3. the amount, evolution and types of additional encumbrance resulting from stress scenarios.

5. Allocation of costs, benefits and risks in provision of liquidity
(1) A bank shall put in place a methodology for allocating costs, benefits and risks in the provision of liquidity (hereinafter: allocation methodology) for all significant asset and liability items and off-balance-sheet items. In putting in place the allocation methodology the bank shall take account of:
  1. direct costs, including funding costs and asset transfer costs;
  2. indirect costs, including the costs of liquidity buffers and the opportunity cost of maintaining lower-yielding assets;
  3. the behavioural component of products, which reflects the stability of funding.
(2) The allocation methodology shall include appropriate incentives with regard to the contribution made to liquidity risk by individual business lines, shall provide consideration for the business lines providing liquidity, and shall appropriately charge the business lines requiring liquidity. The bank shall use the results of the allocation methodology in determining the prices of banking products, determining the performance of individual business lines and products, and managing the bank’s balance sheet.
(3) On the basis of the allocation methodology the bank shall put in place an appropriate system of internal transfer prices based on a selected internal yield curve, when this is appropriate with regard to the nature, scale and complexity of the risks inherent in the bank’s business model and the activities that it pursues.

6. Mitigation of liquidity risk
A bank shall define its liquidity risk mitigation methods, including:
  1. a liquidity buffer;
  2. a system of internal limits;
  3. diversification of funding;
  4. netting agreements.
6.1 Liquidity buffer
(1) A bank shall maintain, at an appropriate level, a liquidity buffer in the form of cash and other highly liquid assets for covering additional liquidity needs over a predetermined short-term period of emergency liquidity conditions (the survival period), when the ordinary sources of liquidity are not available or cannot provide sufficient liquidity, without requiring a change in its business model.
(2) In determining the size and composition of the liquidity buffer, the bank shall take account of:
  1. the severity and attributes of the stress scenarios as defined in the second paragraph of Section 7.1;
  2. the defined survival period;
  3. the attributes of the liquid assets making up the liquidity buffer.
(3) In assessing the liquidity of assets, the bank shall take account of the possibility of obtaining liquidity in the short term on the basis of such assets. In this assessment, the classification of the assets for financial reporting purposes or for the purposes of calculating capital adequacy is not of key importance.
(4) The bank shall determine the appropriate level of the liquidity buffer on the basis of stress scenarios based on a survival period of at least one month. Within this period the bank shall define a period of the most severe liquidity conditions of at least one week, for which it shall ensure a liquidity buffer in the form of cash and highly liquid assets that are simultaneously eligible collateral for Eurosystem claims. The liquidity buffer for the remainder of the time horizon, with less severe conditions, may include a wider range of liquid assets on the basis of which the bank should be able to obtain liquidity over the short term. In determining the appropriate level of the liquidity buffer, the bank shall apply haircuts to the market value of the assets that reflect the different levels of liquidity of the various categories of liquid assets.
(5) The bank shall ensure the diversified composition of the liquidity buffer across various categories and within the same category of liquid assets, and the currency matching of the liquidity buffer and liquidity needs. In so doing the bank shall ensure that the assets making up the liquidity buffer are unencumbered and available at any moment, including in emergency liquidity conditions, without any legislative or other legally binding limitations or operational limitations. The bank shall carefully examine and take account of the aforementioned restrictions in particular in the case of a banking group, where decisions with regard to the location and size of the liquidity buffer should reflect the attributes of the banking group, particularly from the perspective of its composition, the transactions that entities in the group execute, and the organisation of liquidity risk management.
6.2 System of internal limits
(1) On the basis of internal criteria and market data, and having regard for the risk appetite referred to in point 8 of the second paragraph of Article 3 of this regulation, a bank shall put in place a system of internal limits that facilitates the monitoring, management and control of liquidity risk. Within the framework of the system of internal limits the bank shall define:

  1. the risk limits referred to in point 9 of the second paragraph of Article 3 of this regulation, whereby it shall take account of all significant factors of liquidity risk, including liquidity gaps, currency mismatching, sources of funding, off-balance-sheet liabilities, the composition and attributes of the banking group, and intraday liquidity;
  2. qualitative and quantitative early warning indicators for the identification of negative trends that increase the bank’s exposure to liquidity risk.
(2) The bank shall ensure that in defining the limits and early warning indicators it takes appropriate account of the findings on the basis of the liquidity management scenarios referred to in Section 7.1.
(3) The bank shall put in place procedures for taking measures and notifying the management board and the senior management in the event of the limits being transgressed or the early warning indicators being met.
6.3 Diversification of funding
A bank shall implement a prudent long-term funding plan that provides for a clear overview of the risks inherent in the maturity transformation of funding. To ensure a diverse funding structure and access to funding, the bank shall define potential concentrations of funding and shall put in place procedures for their monitoring. In so doing the bank shall take account of concentrations in connection with:
  1. the entities providing funding;
  2. the manner of funding (unsecured, secured);
  3. the markets and products that are the source of funding;
  4. the geographical location, currency and maturity of funding.
6.4 Netting agreements
As a result of the establishment of a single claim or a single liability on the basis of the mutual claims and liabilities that are subject to netting, netting agreements act to reduce liquidity needs and consequently to mitigate liquidity risk. In assessing the impact of netting agreements on the mitigation of liquidity risk, a bank shall take account of all legal and operational factors in connection with such agreements.

7. Measures to prevent or eliminate causes of liquidity shortfalls
A bank shall define measures to prevent or eliminate the causes of liquidity shortfalls, including a definition of:
  1. various liquidity management scenarios;
  2. a liquidity recovery plan for dealing with any liquidity shortfalls.
7.1 Liquidity management scenarios
(1) A bank shall take account of various liquidity management scenarios on the basis of the normal course of operations (baseline scenario) and emergency liquidity conditions (stress scenarios). These scenarios shall also take account of the effect of off-balance-sheet items and other contingent liabilities, including liabilities from relations with securitisation special purpose entities and other special purpose entities where the bank acts as sponsor or provides material liquidity support.

(2) The stress scenarios shall be based on various levels of severity and different lengths for the period of emergency liquidity conditions, and shall encompass:
  1. a scenario tailored to the bank’s own liquidity position (the idiosyncratic scenario), which inter alia assumes a deterioration in the external credit assessment, the loss of renewable major sources of liquidity (e.g. institutional investors, large enterprises) without the provision of collateral by the bank, and a decline in retail deposits;
  2. a scenario conditioned by the situation on the market (a market scenario), which inter alia assumes a decline in the liquidity of assets and a deterioration in the terms for obtaining liquidity on the market;
  3. scenarios based on a combination of the two scenarios referred to in points 1 and 2 of this paragraph.
7.2 Liquidity recovery plan
(1) A bank shall take account of the findings on the basis of the liquidity management scenarios set out in Section 7.1 in the preparation of a liquidity recovery plan, which shall set out effective strategies for preventing and eliminating the causes of liquidity shortfalls, including appropriate measures for bridging and limiting the impact of liquidity shortfalls and restoring the bank’s normal liquidity position.
(2) In testing the liquidity recovery plan the bank shall focus in particular on the elimination of legal and operational limitations to the effective action of the plan, and on the preparation of other entities outside the bank that are included in the implementation of the plan.
(3) The liquidity recovery plan shall include the following at least:
  1. early warning procedures for identifying liquidity shortfalls, with a toolkit of liquidity indicators and other indicators by means of which the bank promptly recognises potential liquidity difficulties, and a list of situations in which the action in cases of liquidity shortfalls is applied;
  2. a definition of available and potential sources of liquidity, on both the asset and liability sides, by means of which the bank can meet additional liquidity needs;
  3. a description of the possibility of accessing available or potential sources of liquidity, and a toolkit of procedures ensuring access to reserve sources of liquidity or sources not used in the bank’s normal operation as a going concern. These measures also include the availability of eligible collateral for central bank claims (as necessary, also in the currency of another Member State or a third country to which the bank is exposed, and when this is required for operations in the Member State or third country in question);
  4. a strategy for addressing asset encumbrance in stress conditions, including a downgrade in the bank’s credit assessment, the devaluation of pledged assets, and increases in margin requirements;
  5. clearly defined powers and duties of employees for action in the event of liquidity shortfalls, including a description of the reporting procedures at each managerial level and procedures for ensuring the timely flow of information;
  6. the preparation of special reporting with data, indicators and other information that are key to taking action in the event of liquidity shortfalls, and to providing information within the bank;
  7. details of the manner of notification of the Bank of Slovenia with regard to the causes of threats to liquidity and the planned activities for their elimination;
  8. a description of the procedures for dealing with the bank’s other stakeholders, such as counterparties in transactions, auditors, and the media.

Appendix 3: Operational risk

1. Subject of regulation

This appendix defines the additional requirements with regard to operational risk management to be met by a bank in connection with:
  1. policies and processes of operational risk management, including model risk referred to in Article 181 of the ZBan-3;
  2. business continuity plans referred to in Article 182 of the ZBan-3.

2. Policies and processes of operational risk management

2.1 Internal definition of operational risk

(1) The policies and processes of operational risk management shall ensure that the factors of operational risk referred to in Article 181 of the ZBan-3 (hereinafter: the bank’s internal definition of operational risk) take account of the definition of operational risk set out in point (52) of the first paragraph of Article 4 of Regulation (EU) No 575/2013. A bank shall ensure that the definition of these factors, including rare developments that generate significant consequences for the bank (hereinafter: significant operational risk loss), reflects:
  1. the Management body’s awareness of the significance of operational risk to the bank; and
  2. the characteristics of the bank’s business, and its operational risk profile.

A significant operational risk loss is a loss that has significant consequences for the bank’s financial position.

(2) Having regard for the internal definition of operational risk, the bank shall determine and define categories of operational risk by business lines and types of loss event referred to in Article 324 of Regulation (EU) No 575/2013 (hereinafter: operational risk categories), including criteria for allocating the bank’s data on operational risk to these categories. The bank’s data on operational risk shall include loss events and events that could almost have resulted in loss (hereinafter: loss events).

(2) The bank shall collect and manage data on operational risk events as defined in point 1 of Article 311a of Regulation (EU) No 575/2013. In addition to this data, the bank shall also collect data on events that almost caused loss.

2.2 Collection of data on loss events

(1) For the purpose of identifying and assessing operational risk, a bank shall provide for the collection of data on loss events into a loss events database that is provided with the appropriate technological support (hereinafter: loss events database), including criteria for the collection of this data. These criteria shall include a definition of:
  1. data on the loss event, including the gross loss amount, the date of occurrence and the date of entry of the loss event, any reimbursements on the gross loss amount, descriptive information on the factors or causes of the loss event, and the categorisation of the loss event;
  2. the lower limit of a loss for the purpose of inclusion in the loss events database.

2.2 Collection of data on operational risk events

(1) For the purpose of effectively identifying and assessing operational risk, irrespective of the level of the business indicator referred to in Article 314 of Regulation (EU) No 575/2013, a bank shall provide for the collection of data on operational risk events into a loss events database that is provided with the appropriate technological support. In so doing the bank shall take account of the data collection and governance requirements set out in Chapter 2 of Title III of Part Three of Regulation (EU) No 575/2013, and in the technical standards adopted pursuant to Article 317(9) of Regulation (EU) No 575/2013, including the definition of the required loss data set and the taxonomy of loss events. The bank may apply its own definition of the lower limit of losses for the purpose of inclusion in the loss events database.

(2) Having regard for the rules of custody, entry and revision of data in the loss events database, the bank shall ensure that each of its employees has the option of reporting a loss event to the loss events database.

(3) The bank shall ensure the regular alignment of data on loss events from the loss events database with accounting data with regard to the bank’s operational risk losses.

2.3 Significant operational risk loss

(1) A bank shall ensure that the risk policies referred to in Article 6 of this regulation include a policy for addressing loss events that could be reflected in a significant operational risk loss (hereinafter: significant loss). The policy shall include measures to prevent loss events of this type, and to rectify their consequences.

(2) The bank shall provide for immediate analysis of the causes of a significant loss. The Management body, the senior management and the heads of the internal control functions shall be informed of a significant operational risk loss.

3. Business continuity plan

(1) A bank shall establish and implement business continuity plans and contingency plans for operations in severely disrupted business conditions. The business continuity plan shall include procedures to ensure business continuity in important processes and systems. The contingency plan is an integral part of the business continuity plan, and sets out the technical and organisational measures for restoring operations and mitigating the consequences of disruptions to business.

(2) In the event of severe disruptions to business, the business continuity plan shall ensure that auxiliary capacities for the continuity of business activities are available at the earliest possible juncture. In the event of severe disruptions to business, the contingency plan shall ensure the restoration of the normal functioning of the bank’s disrupted activities within an appropriate time horizon.

(3) The business continuity plans and contingency plans shall inter alia set out:

  1. the powers and responsibilities with regard to the initial response to developments that are reflected in severe disruptions or interruptions to essential systems and processes;
  2. the powers and responsibilities with regard to the implementation of activities to restore essential systems and processes;
  3. the timeframes for the recovery of essential systems and processes;
  4. the key employees and procedures for ensuring the continuity of essential systems and processes;
  5. the communication flows used in severely disrupted business conditions.

(4) The bank shall ensure that the responsible employees are briefed on business continuity plans and contingency plans.

(5) The bank shall ensure the regular testing of business continuity plans and contingency plans, at least once a year.

4. Reporting on operational risk

(1) A bank shall report on a quarterly basis to the Bank of Slovenia on operational risk loss events for each category and type of loss event referred to in the second paragraph of Section 2.1 of Appendix 3 of this regulation, by the remittance date for quarterly information set out in Article 3 of the ITS for supervisory reporting.

(2) The bank shall immediately notify the Bank of Slovenia of a significant loss referred to in Section 2.3 of Appendix 3 of this regulation, submitting all relevant documentation.

Appendix 4: Market risks

1. Subject of regulation

This appendix defines the additional requirements with regard to market risk management, which relate to the organisational requirements with regard to market risks.

2. Organisational requirements with regard to market risks

(1) A bank shall ensure clear functional and organisational separation of the trading unit from the back-office department and from the unit providing custody services (hereinafter: the back-office department), including managerial levels. The functional separation of the trading unit from the back-office department shall include the putting in place of appropriate security and work procedures, and rules for accessing information technology, and the physical separation of the premises of the two units. The reporting to the management board and the senior management by the trading unit and the back-office department shall be separate.

(2) The bank shall ensure the functional separation of staff at the trading unit with regard to trading transactions for the account of clients, and trading for own account.

2.1 Trading unit

(1) A bank shall ensure that before any transaction is concluded all significant elements of the transaction are agreed, including the corresponding terms of the transaction. Transactions that are not in line with market conditions shall not be executed as a rule. Notwithstanding the foregoing, the bank may allow the conclusion of such a transaction when the following conditions are met:
  1. the transaction is based on the client’s explicit and justifiable requirement, whereby the agreed deviation from market conditions should be clearly evident from the documentation of the transaction;
  2. a description of the deviations from market conditions is evident from the trade capture report; the bank shall notify the client accordingly.

The management board and the responsible senior management shall be notified of significant transactions that are not in line with market conditions.

(2) Trading outside of business premises shall be allowed solely on the basis of internal trading rules, which shall include a definition of the authorised traders for executing transactions outside of the business premises, the subject and size of the transactions, and the method of confirmation of the transactions and the corresponding reporting. The trader shall report to the bank, without delay in an appropriate written or electronic form, on a transaction concluded outside the business premises.

(3) The bank shall ensure that at any time traders have at their disposal comprehensive information on:
  1. the value of the portfolio that they manage, and the daily changes in the value of the portfolio as a result of changes in market conditions and positions; and
  2. the utilisation of risk limits.

(4) Conversations with traders relating to trade transactions shall be recorded.

(5) After the conclusion of each transaction the bank shall ensure the production of a trade capture report that includes all the significant information about the transaction. The trade capture report and the other documents of the transaction shall be submitted to the back-office department in the shortest possible time. Transactions that are concluded after the close of the business day of the back-office department shall be included in the daily trading position and specially marked. In this case the trade capture report and other documents of the transaction shall be submitted as soon as possible to an organisational unit that is independent of the trading unit.

(6) The trader shall specially mark transactions concluded after the close of the business day of the back-office department and shall include them in the daily trading position. A record of these transactions shall be delivered to the responsible person from the back-office department without delay.

(7) The bank shall ensure that the trader enters data on the transaction in the information system solely under the trader’s own identification number. The time of entry in the information system and the identification number shall be determined automatically.

2.2 Back-office department

(1) On the basis of the documentation of the trading unit, a bank shall provide for a process for sending and receiving confirmations of concluded transactions and the further processing of transactions, including:

  1. the execution of material and/or cash settlement (preparation of payment orders and securities transfer orders at depository banks or custodians, and their release via an appropriate settlement system);
  2. preparation of the book-keeping document and recording of the transaction in the record of the bank’s positions;
  3. a review of changes or cancellations of data on concluded transactions, and treatment of differences in data on concluded transactions.

(2) The bank shall ensure that each concluded transaction is confirmed in writing without delay or within an appropriate time, is appropriately recorded, and is included in the relevant daily internal reports of concluded transactions.

(3) The bank shall ensure that incoming confirmations of concluded transactions by the counterparty are vetted as up-to-date and complete. Incoming confirmations of concluded transactions by the counterparty shall be routed directly to the back-office department. The counterparty shall be notified without delay of any missing or incomplete confirmations of a concluded transaction.

(4) The bank shall provide for regular monitoring of the process of concluding transactions of the trading unit, including vetting of:
  1. the completeness of the documentation of the concluded transaction, and its timely submission to the back-office department;
  2. the compliance of the data on the concluded transaction with the data on the confirmation, extracts from electronic trading systems and other sources;
  3. the consideration of limits put in place to limit losses;
  4. the compliance of concluded transactions with market business conditions;
  5. deviations from internal trading rules;
  6. the alignment of records of transactions between the trading unit and the departments that are independent of the trading unit.

(5) Changes or cancellations of data on concluded transactions shall be reviewed by a department that is independent of the trading unit. Differences in data on concluded transactions identified in the process of back-office processing shall be addressed without delay by a department that is independent of the trading unit.