Corporate Governance Directions for Licensed Banks

CENTRAL BANK OF SRI LANKA 30 September 2024 BANKING ACT DIRECTIONS No. 05 of 2024 1 [Limited Sharing] BANKING ACT DIRECTIONS ON CORPORATE GOVERNANCE FOR LICENSED BANKS The Central Bank of Sri Lanka, with a view to strengthening the corporate governance processes and practices of the licensed commercial banks and licensed specialised banks in Sri Lanka (hereinafter referred to as licensed banks), hereby issues these Directions to licensed banks enhancing the overall stability of the banking sector and the financial system as a whole. Corporate Governance processes and practices shall be deemed to be the management framework that facilitates the conduct of the banking business in a responsible and accountable manner in order to promote the safety and soundness of the individual banks, thereby leading to the stability of the overall banking sector.

1. Empowerment 1.1 In terms of Section 46(1) of the Banking Act, No. 30 of 1988, as amended (Banking Act), to ensure the soundness of the banking system, the Central Bank of Sri Lanka is empowered to issue Directions to licensed commercial banks regarding the manner in which any aspect of the business of such banks is to be conducted. 1.2 In terms of Section 76J(1) of the Banking Act, to ensure the soundness of the banking system, the Central Bank of Sri Lanka is empowered to issue Directions to licensed specialised banks or to any category of licensed specialised banks, regarding the manner in which any aspect of the business of such banks is to be conducted.
2. Scope of Application 2.1 These Directions shall be applicable to all licensed banks.
3. Regulatory Requirements 3.1 Licensed banks shall comply with the regulatory requirements given in Schedules I - IV hereto.

1

SCHEDULE I REGULATORY REQUIREMENTS ON CORPORATE GOVERNANCE FOR LICENSED BANKS

2 Regulatory Requirements on Corporate Governance for Licensed Banks

1. Ultimate Responsibility and Accountability of the Board The Board shall be ultimately responsible and accountable to oversee the management of affairs and the governance framework of the bank, business strategy, financial soundness, and risk management and to ensure that the business of such bank is carried out in compliance with all applicable laws and regulations and is consistent with safe and sound banking practices. Directors shall make objective decisions in the interest of bank’s depositors, creditors, shareholders, and other stakeholders. Any decision taken by the directors shall be presumed to be a decision taken by the Board of directors (Board) collectively, except for a director who expressly dissents for any such decision. 1.1 Responsibilities of the Board The Board shall exercise “duty of care” and “duty of loyalty” to the bank with a view to strengthening the safety and soundness of the bank by ensuring the implementation of the following: a) Approve and oversee the bank’s strategic objectives and corporate values in terms of bank's long-term goals and ensure that these are properly communicated throughout the bank; b) Approve the overall business strategy of the bank, including the overall risk policy and risk management procedures and mechanisms with measurable goals, at least for the next three years; c) Inculcate a strong risk governance culture by; (i) identifying the principal risks and ensuring implementation of appropriate systems to manage risks prudently, (ii) establishing well-defined organizational responsibilities for the three lines of defence of the bank, viz., a. the business lines, b. the risk management function and the compliance function which are independent from the first and third lines of defence, and, c. the internal audit function which is independent from the first and second lines of defence.

3 (iii) ensuring that the risk management, compliance, and internal audit functions are properly positioned, sufficiently staffed and resourced to carry out the responsibilities independently, objectively and effectively. The responsibilities of risk management, compliance and internal audit functions are provided in Schedule II, III and IV, respectively; (iv) defining the risk appetite of the bank aligning with the bank’s strategic, capital, and financial plans, which is articulated through a Risk Appetite Statement, and, (v) outlining the actions to be taken when stated risk appetite limits are breached, including disciplinary actions for excessive risk taking, escalation procedures and notifications to the Board of directors. d) Establish a policy to ensure that the Board is not dominated or significantly influenced by a director or a group of directors in a manner that is detrimental or prejudicial to the interests of the depositors, creditors, and the bank as a whole; e) Approve implementation of a policy of communication with all stakeholders, including regulators, depositors, creditors, shareholders, and borrowers; f) Review the adequacy and the integrity of the bank’s internal control systems and management information systems; g) Ensure implementation of effective control systems for managing the related party exposures and avoiding any conflicts of interest that may arise from related party transactions; h) Approve and oversee the business continuity and disaster recovery plans to ensure financial stability, operational resilience and preserve critical operations and services including core-banking systems during any disruptive event; i) Oversee the approach to remuneration, including monitoring and reviewing remuneration and ensure alignment of remuneration with bank’s risk culture and risk appetite;

4 j) Identify and designate key management personnel, who are in a position to; (i) significantly influence over policies, (ii) direct activities, and, (iii) exercise control over business activities, operations, and risk management. k) Define the areas of authority and key responsibilities for the Board of directors themselves and for the Chief Executive Officer (CEO) and the key management personnel; l) Ensure that there is appropriate oversight of the affairs of the bank by CEO and key management personnel, who is consistent with the Board's strategies and policies; m) Periodically assess the effectiveness of the Board of directors’ own governance practices, including: (i) the selection, nomination and election of directors, CEO, and key management personnel; (ii) the management of conflicts of interests: and, (iii) identification of weaknesses and implementation of improvements where necessary; n) Approve the criteria for self-assessment to be undertaken by each director annually and maintain records of such assessments. o) Ensure that the bank has an appropriate succession plan forCEO and the key management personnel as explained in Direction 6.4 i); p) Meet regularly, on a needs basis, with CEO and the key management personnel to review policies, establish communication lines and monitor progress towards corporate objectives; q) Keep abreast of material changes in the regulatory environment and ensure that the bank maintains an effective relationship with regulators; r) Exercise due diligence in the hiring and oversight of external auditors; s) Conduct itself in a professional and an ethical manner and shall not receive any undue financial or non-financial benefits including

5 incentives, gifts or funds from the employees, customers, suppliers, shareholders or any other stakeholder of the bank; t) Inculcate a sound corporate culture which reinforces norms for professional, ethical and prudent behaviour throughout the bank. Approve and oversee the implementation of a Code of Conduct based on corporate values providing clear guidelines on professionally and ethically acceptable behaviours of directors and employees addressing inter alia the issues on confidentiality of data, conflicts of interest, procedures for dealing with financial and non-financial benefits and gifts, integrity in reporting, and the fair treatment to customers; u) Ensure timely rectification of the supervisory concerns raised by the regulator/s and for this purpose, the assistance of the relevant sub￾committees shall be sought; v) Approve a whistleblowing policy with a view to encouraging employees to communicate confidentially the legitimate concerns regarding illegal, unethical or questionable practices without the risk of reprisal. The policy shall be reviewed at least on an annual basis. The whistleblowing policy shall clearly specify: (i) the persons to whom the concerns can be escalated within the bank; (ii) procedures for investigating legitimate material concerns raised by the employees; (iii) procedures to ensure protection and anonymity of the employees who raise concerns due to any detrimental treatment or reprisals; and, (iv) alternative avenues for whistleblowing to regulators. w) Promote sustainability through appropriate environmental, social and governance considerations in the bank's business strategies and ensure that policies are in place to assist businesses that are greener, climate-friendly and socially inclusive.

6 1.2 Appointing Chairperson and CEO The Board shall appoint the Chairperson and CEO and define and approve the functions and responsibilities of the Chairperson and CEO in line with Direction 5 of these Directions. 1.3 Board Meetings The Board shall meet at approximately monthly intervals and Board meetings shall be held at least twelve times a year. Such regular Board meetings shall normally involve active deliberation of a majority of directors entitled to be present. Obtaining the Board’s consent through the circulation of written resolutions/papers shall be avoided as far as possible. The Board approvals obtained through circulation shall be ratified at the Board meeting held immediately following the circulation. The Board may convene and/or a Board member may attend the Board meetings virtually subject to ensuring active involvement of the relevant directors and attending Board meetings physically at least on a half yearly basis. 1.4 Board Procedures a) The Board shall ensure that arrangements are in place to enable all directors to include matters and proposals in the agenda for regular Board meetings where such matters and proposals relate to the promotion of banking business, risk management and conduct of employees of the bank. b) The Board procedures shall ensure that notice of at least 7 days is given of a regular Board meeting to provide all directors an opportunity to attend. For all other Board meetings, reasonable notice may be given. c) The Board procedures shall ensure that a director who has not attended at least two-thirds of the meetings in the period of 12 months immediately preceding or has not attended the immediately preceding three consecutive meetings held, shall cease to be a director. Participation at the Board meetings through an alternate director shall, however, be acceptable as attendance.

7 1.5 Appointing a Company Secretary a) The Board shall appoint a company secretary who satisfies the provisions of Section 43 of the Banking Act, whose primary responsibilities shall be to handle the secretariat services to the Board and shareholder meetings and to carry out other functions specified in the statutes and such other written laws for the time being in force. b) All directors shall have access to advice and services of the company secretary with a view to ensuring that Board procedures and all applicable laws, rules and regulations are followed. c) The company secretary shall implement the recommendations made by the Nomination and Governance Committee on training, capacity building and professional development programs for the directors. d) The company secretary shall maintain the minutes of Board meetings together with the recordings of meetings and such minutes shall be open for inspection at any reasonable time, on reasonable notice by any director or the regulator. 1.6 Maintenance of Board Meeting Minutes Minutes of Board meetings shall be recorded in sufficient detail so that it is possible to gather from the minutes as to whether the Board acted with due care and prudence in performing its duties. The minutes shall also serve as a reference for regulatory and supervisory authorities to assess the depth of deliberations at the Board meetings. Therefore, the minutes of a Board meeting shall clearly contain or refer to the following: a) a summary of data and information and justifications/rationale used by the Board in its deliberations; b) the matters considered by the Board; c) the fact-finding discussions reflecting the issues of contention or dissent which may illustrate whether the Board was carrying out its duties with due care and prudence; d) the testimonies and confirmations of relevant key management personnel which indicate compliance with the Board’s strategies

8 and policies and adherence to relevant laws and regulations appropriately; e) the Board’s knowledge and understanding of the risks to which the bank is exposed to, and an overview of the risk management measures adopted; and, f) the Board resolutions and decisions. 1.7 Obtaining Independent Professional Advice There shall be a procedure agreed by the Board to enable directors, upon reasonable request, to seek independent professional advice in appropriate circumstances, at the bank’s expense. The Board shall resolve to provide separate independent professional advice to directors to assist the relevant director or directors to effectively discharge the duties. 1.8 Managing Conflicts of Interest a) Directors shall avoid conflicts of interest, or the potential conflicts of interest, in the activities with, and commitments to, other organisations, related parties and other stakeholders. b) A director shall abstain from participating in any discussion in relation to a matter in which he/she or any of his/her close relation or a concern in which he/she has substantial interest, is interested, nor shall receive the access to the information pertaining thereto, including accessing such information both physically and/or electronically. c) Directors shall ensure that the relationships between the directors amongst themselves as well as between the directors, CEO and key management personnel are at a level that does not result in excessive familiarity, undue influence or coercion. d) The Board shall approve and oversee the implementation of a policy to identify and manage conflicts of interests, which shall include: (i) a Board member’s duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest; (ii) a Board member’s duty to avoid, to the extent possible, activities that could create conflicts of interest or the potential conflicts of interest including political affiliations;

9 (iii) situations where conflicts may arise when serving as a Board member; (iv) a Board member’s responsibility to abstain from participating in discussions on any Board decisions in relation to which he/she or any of his/her close relations or a concern in which he/she has substantial interest, is interested; and, (v) the measures to be taken in the event of any non-compliance with the policy. 1.9 Requirement to inform on inability to meet obligations The Board shall, if it considers that the bank is, or is likely to be, unable to meet its obligations or about to become insolvent or is about to suspend payments due to depositors and other creditors, forthwith informthe Director ofBank Supervision ofthe situation ofthe bank prior to taking any decision or action. 1.10 Compliance with Prudential Requirements The Board shall ensure that the bank is capitalized at levels as required by the Central Bank of Sri Lanka in terms of the capital adequacy ratio and other prudential requirements imposed by the Central Bank of Sri Lanka from time to time. 1.11 Annual Corporate Governance Report The Board shall publish in the bank’s Annual Report, an Annual Corporate Governance Report setting out the compliance with these Directions. 2. Board’s Composition The Board’s composition shall ensure a healthy mix of knowledge, qualifications, skills, experience in relevant disciplines, gender and have varied backgrounds to promote diversity of views commensurate with the size, scale, diversity and complexity of operations of the bank. The qualifications and experience shall be in banking, finance, economics, accounting, business administration, information technology, risk management, law or any other relevant discipline as may be determined by the Central Bank of Sri Lanka. 2.1 Procedure for Appointing Directors a) There shall be a formal and transparent procedure for the appointment of new directors to the Board. There shall also be Board approved procedures in place for the orderly succession of

10 appointments to the Board. b) A director or an employee of a bank shall not be appointed, elected or nominated as a director of another bank except where such bank is a subsidiary company or an associate company of the first mentioned bank. 2.2 Number of Directors a) The number of directors on the Board shall not be less than 7 and not more than 13. The number of directors shall be commensurate with the size, scale, diversity and complexity of operations of the bank. b) The Board shall have at least one female representative by 31.12.2025 and the Boards with more than 10 members shall have at least two female representatives by 31.12.2026. 2.3 Executive Directors A member of the key management personnel of the bank may be appointed, elected or nominated as a director of the bank (hereinafter referred to as an “executive director”) provided that the number of executive directorsshall not exceed one-third of the number of directors of the Board. In such an event, one of the executive directors shall be CEO of the bank. 2.4 Non-Executive Directors Non-executive directors shall be suitable professionals with credible track record of good conduct and integrity and have necessary knowledge, skills and experience to bring an independent judgment to effectively address issues of strategy, performance and resources and to contribute towards the sustainability of the bank. 2.5 Independent Directors a) At least half of the total number of directors shall be independent non-executive directors. Licensed banks shall comply with this Direction by 01.01.2027. b) A non-executive director shall not be considered independent if he/she: (i) has direct and indirect voting and/or non-voting shareholdings of more than 1 per cent of the bank;

11 (ii) currently has or had during the period of two years immediately preceding his/her appointment as director, any business transactions with the bank as described in Direction 7.2, exceeding 10 per cent of the regulatory capital of the bank; (iii) has been employed by the bank during the two-year period immediately preceding the appointment as director; (iv) currently has or had during the period of two years immediately preceding his/her appointment as director, a material business relationship with the bank; (v) has a close relation who is a director or CEO or a member of the key management personnel or a material shareholder of the bank. For this purpose, a “close relation” shall mean the spouse or a dependent child; (vi) represents a specific stakeholder of the bank; (vii) is an employee or a director or a material shareholder or has a material business relationship in a company or business organization; a. which currently has a transaction with the bank as defined in Direction 7.2 of these Directions, exceeding 10 per cent of the regulatory capital of the bank, or b. in which any of the other directors of the bank are employed or are directors or are material shareholders except for the appointments recommended by the financial sector authorities, or, c. in which any of the other directors of the bank have a transaction as defined in Direction 7.2, exceeding 10 per cent of regulatory capital in the bank. (viii) currently is or has been during the period of one year immediately preceding his/her appointment as director, serving as a consultant/ advisor or principal consultant/advisor in the case of a firm providing consultancy to the bank; and,

12 (ix) currently is or has been during the period of one year immediately preceding his/her appointment as director, an engagement partner of a firm providing audit services to the bank. The requirements of Direction 2.5 b) with extended compliance dates are provided in Schedule V. c) The independent non-executive directors shall be expressly identified in all corporate communications that disclose the names of directors of the bank. 2.6 Representation through Alternate Directors a) Representation through an alternate director is allowed only in exceptional circumstances as approved by the Board for a maximum period of one year from the date of such appointment with prior approval of the Director of Bank Supervision under the provisions of Section 42 of the Banking Act. b) In the event an alternate director is appointed to represent an independent director, the person so appointed shall also meet the criteria that applies to the independent director. c) An existing director of the bank cannot be appointed as an alternate director to another existing director of the bank. d) An individual appointed as an alternate director to one of the directors cannot be appointed as an alternate director to another director in the same Board. 2.7 Quorum for the Board Meetings At least half of the Board members shall constitute the quorum for the Board meetings. A meeting of the Board shall not be duly constituted, although the number of directors required to constitute the quorum at such meeting is present, unless more than one third of the number of directors present at such meeting are independent non-executive directors. Licensed banks shall comply with this Direction by 01.01.2026. 3. Suitability of Directors A person who serves or wishes to serve as a director of a licensed bank shall comply with the following requirements.

13 3.1 Criteria to Assess Fitness and Propriety The provisions of Section 42 and Section 76H of the Banking Act shall apply to determine the fitness and propriety of a person who serves or wishes to serve as a director of a licensed bank. Non-compliance with any criteria set out therein shall disqualify a person to be appointed, elected or nominated as a director or to continue as a director. The prior approval of the Director of Bank Supervision shall be obtained for the fitness and propriety of each person to be appointed, elected or nominated as a director of a licensed bank in terms of Section 42 and Section 76H of the Banking Act. 3.2 Additional Requirements for Suitability of Directors a) The age of a person who serves as a director shall not exceed 70 years. b) The total period of service of a director other than a director who holds the position of CEO or key management personnel position shall not exceed nine years. c) A person shall not hold office as a director of more than 20 companies/entities/institutions inclusive of subsidiaries or associate companies of the bank. d) Directors shall have sufficient time to carry out the responsibilities as a director of the bank. 3.3 Cooling-Off Period A director or CEO of a licensed bank operating in Sri Lanka shall not be appointed as a director or CEO of another licensed bank operating in Sri Lanka before the expiry of a period of six months from the date of cessation of his/her office at the licensed bank in Sri Lanka. Any variation thereto in exceptional situations such as where expertise of retiring bankers may be required when reconstituting Boards of licensed banks which need restructuring, shall be subject to the prior approval of the Central Bank of Sri Lanka. 4. Delegation of Functions The Board shall comply with the following requirements in delegating its functions.

14 4.1 Division of Responsibilities There shall be a clear division of the responsibilities at the Board level and the key management level to ensure a greater balance of power and authority, so that powers are not concentrated in any individual. 4.2 Specific Matters for Board Decisions The Board shall have a formal schedule of matters specifically reserved for its decisions to ensure that the direction and control of the bank is firmly under its authority. 4.3 Restrictions to Delegate The Board shall not delegate any matters to a Board committee, CEO, executive directors or key management personnel, to an extent that such delegation would significantly hinder or reduce the ability of the Board as a whole to discharge its functions. 4.4 Review of Delegation Process The Board shall review the delegation processes in place on a periodic basis to ensure that they remain relevant to the needs of the bank. 5. The Chairperson and CEO There are two key aspects of management of every bank, viz., (a) the overall governance by the Board, and (b) the day-to-day management of the bank’s business by CEO, in line with Board approved strategic objectives, corporate values, overall risk policy and risk management procedures. 5.1 Division of Responsibilities between Chairperson and CEO The roles of Chairperson and CEO shall be separate and shall not be performed by the same individual. The division of responsibilities between Chairperson and CEO shall be clearly established and set out in writing. 5.2 Suitability of the Chairperson a) The Chairperson shall be an independent non-executive director. In the event the Chairperson becomes non-independent after the initial appointment, as an interim arrangement, the Board shall designate an independent director as the Senior Director for a period not exceeding six months with suitably documented terms of reference. The designation of the Senior Director shall be disclosed in the bank’s Annual Report. b) Where a non-independent director is currently serving as the Chairperson, such director may continue to serve as the Chairperson

15 for a further period not beyond 31.12.2027, subject to applicable laws and regulations including Direction 3. c) A Chairperson appointed after the effective date of this Direction shall be an independent non-executive director. 5.3 Responsibilities of the Chairperson The Chairperson shall: a) provide leadership to the Board and ensure the Board works effectively and duly discharges its responsibilities; b) ensure that all key and appropriate issues are discussed by the Board in a timely manner; c) approve the agenda for each Board meeting, considering where appropriate, any matters proposed by the other directors for inclusion in the agenda. The Chairperson may delegate the preparation of agenda to the company secretary; d) ensure that all directors are properly briefed on issues arising at Board meetings and also ensure that directors receive adequate information in a timely manner; e) encourage all directors to make a full and active contribution to the Board’s affairs and take the lead to ensure that the Board acts in the best interests of the bank; f) facilitate the effective contribution of non-executive directors in particular and ensure constructive discussions between executive and non-executive directors; g) encourage all directors to make critical and constructive discussions at the Board meetings and ensure that dissenting views can be freely expressed and discussed within the decision-making process; h) not engage in activities involving direct supervision of key management personnel, other employees or any other executive duties whatsoever; and, i) ensure that appropriate steps are taken to maintain effective communication with shareholders and that the views of shareholders are communicated to the Board.

16 5.4 Conduct of CEO a) CEO shall function as the apex executive-in-charge of the day-to￾day management of the bank’s operations and business and shall not hold any other executive functions. b) CEO shall not be appointed or nominated as an employee or a director of another licensed bank or any other company/institution/entity except as a non-executive director of a subsidiary or an associate company of the licensed bank. c) In the event CEO is appointed as a non-executive director of a subsidiary or an associate company of the licensed bank, he/she shall ensure that such duties do not affect the effective discharge of responsibilities as CEO. 5.5 Suitability of CEO The person appointed as CEO shall be a fit and proper person to hold such position in terms of Section 44A and Section 76H of the Banking Act, and shall possess sufficient authority, stature, knowledge, competencies, and expertise in the core banking functions given the size, scale, diversity and complexity of operations of the bank. 6. Board Committees Each licensed bank shall have at least five Board committees as set out in Directions 6.2 – 6.6 of these Directions. 6.1 Requirements for the Board Committees a) Each committee shall report directly to the Board. b) Board shall set out the authority of each committee, and in particular, whether the committee has the authority to act on behalf of the Board or simply has the authority to examine a particular issue and report back to the Board with recommendations. c) Each committee shall have a Board approved Terms of Reference. d) All committees shall appoint a secretary to inter alia arrange the meetings and maintain minutes, records in sufficient detail, under the supervision of the Chairperson of the committee. The minutes of all committees shall be submitted to the Board. e) The quorum of each committee shall consist of at least half of the committee members. f) The Board shall present a report on the performance of each committee, on the duties and roles at the annual general meeting.

17 6.2 Audit Committee a) The Chairperson of the Committee shall be an independent director and is not the chair of the Board or any other Board committee and shall possess qualifications and experience in finance, accounting and/or auditing, with a membership of a recognized professional accounting body. b) All members of the Committee shall be non-executive directors, with a majority of independent directors. The members shall possess a collective balance of skills and expert knowledge in finance, accounting and auditing commensurate with size, scale, diversity and complexity of operations of the bank. c) A majority of the members of the Committee shall not be constituted by the members of the Integrated Risk Management Committee and vice-versa. d) The Committee shall make recommendations on matters in connection with: (i) the appointment of the external auditor for audit services to be provided in compliance with the relevant statutes; (ii) the implementation of the Central Bank guidelines issued to external auditors from time to time; (iii) the application of the relevant accounting standards; and (iv) the service period, audit fee and any resignation or dismissal of the external auditor, provided that the engagement of the external auditor shall not exceed six years and shall change the particular engagement partner once in every three years. e) The Committee shall review and monitor the external auditor’s independence, integrity, objectivity and the effectiveness of the audit processes in accordance with applicable standards and best practices. f) The Committee shall develop and implement a policy on the engagement of an external auditor to provide non-audit services that are permitted under the Guidelines issued by the Central Bank of Sri Lanka to External Auditors. The Committee shall ensure that

18 the provision by an external auditor of non-audit services does not impair the external auditor’s independence or objectivity. When assessing the external auditor’s independence or objectivity in relation to the provision of non-audit services, the Committee shall consider: (i) whether the skills and experience of the audit firm make it a suitable provider of the non-audit services; (ii) whether there are safeguards in place to ensure that there is no threat to the objectivity and/or independence in the conduct of the audit resulting from the provision of such services by the external auditor; and, (iii) whether the nature of the non-audit services, the fee levels individually and in aggregate relative to the audit firm, pose any threat to the objectivity and/or independence of the external auditor. g) The Committee shall, before the audit commences, discuss and finalise with the external auditor, the nature and scope of the audit, including: (i) an assessment of the bank’s compliance with the relevant Directions in relation to corporate governance and the management’s internal control over financial reporting; (ii) the preparation of the financial statements for external purposes in accordance with relevant accounting principles and reporting obligations; and (iii) the co-ordination between firms where more than one audit firm is involved. h) The Committee shall review the accounting policies/systems and the internal control framework with a view to ensuring greater transparency and integrity of the bank’s financial reporting process and the adequacy of accounting and other internal controls. i) The Committee shall review the financial information of the bank, in order to monitor the integrity of the financial statements of the

19 bank, its annual report, accounts and quarterly reports prepared for disclosure, and the significant financial reporting judgements contained therein. In reviewing the bank’s annual report and accounts and quarterly reports before submission to the Board, the committee shall focus particularly on: (i) major judgmental areas; (ii) any changes in accounting policies and practices; (iii) significant adjustments arising from the audit; (iv) the going concern assumption; and (v) the compliance with relevant accounting standards and other legal requirements. j) The Committee shall discuss issues, problems and reservations arising from the interim and final audits, and any matters the external auditor may wish to discuss including those matters that may need to be discussed in the absence of CEO and key management personnel, if necessary. k) The Committee shall review the external auditor’s management letter and the management’s response thereto. l) The Committee shall take the following steps with regard to the internal audit function of the bank: (i) Review the adequacy of the scope, functions and resources of the internal audit department, and satisfy itself that the department has the necessary authority to carry out its work; (ii) Review the internal audit programme and results of the internal audit process and, where necessary, ensure that appropriate actions are taken on the recommendations of the internal audit department; (iii) Review any appraisal or assessment of the performance of the Chief Internal Auditor (CIA) and senior staff members of the internal audit department; (iv) Recommend any appointment or termination of CIA, senior

20 staff members and outsourced service providers to the internal audit function; (v) Ensure that the committee is apprised of resignations of senior staff members of the internal audit department including CIA and any outsourced service providers, and to provide an opportunity to the resigning senior staff members and outsourced service providers to submit reasons for resigning; and, (vi) Ensure that the internal audit function is independent of the activities it audits and that it is performed with impartiality, proficiency and due professional care. m) The Committee shall consider the major findings of internal investigations and management’s responses thereto. n) Other Board members, CEO, CIA, the Chief Financial Officer (CFO), the Chief Risk Officer (CRO), the Chief Compliance Officer (CCO), any other key management personnel and a representative of the external auditors may attend meetings upon the invitation of the Committee for the relevant agenda item. However, at least twice a year, the Committee shall meet with the external auditors without the executive directors being present. o) The Committee shall have: (i) explicit authority to investigate into any matter within its terms of reference; (ii) the resources which it needs to do so; (iii) full access to information; and (iv) authority to obtain external professional advice and to invite outsiders with relevant experience to attend, if necessary. p) The Committee shall meet regularly, with due notice of issues to be discussed and shall record its conclusions in discharging its duties and responsibilities. q) The secretary of the Committee (who may be the company secretary or CIA) shall record and keep detailed minutes of the Committee meetings. r) The Committee shall:

21 (i) ensure effective implementation of the Board approved whistleblowing policy; and, (ii) ensure that proper arrangements are in place for the fair and independent investigation of such matters and for appropriate follow-up action. s) The Committee shall act as the key representative body for overseeing the bank’s relations with the external auditor. The requirements of Direction 6.2 with extended compliance dates are provided in Schedule V. 6.3 Human Resources and Remuneration Committee The Committee shall: a) be chaired by a director who is not the chair of the Board and preferably independent; b) preferably be constituted with a majority of independent directors; c) require CEO to be present at the meetings upon invitation, except when matters relating to CEO are being discussed; d) determine the remuneration policy in relation to salaries, allowances, special payments/benefits made at termination or retirement, and other financial and non-financial benefits made to directors, CEO and the key management personnel; e) set goals and targets for the directors, CEO and the key management personnel; f) evaluate the performance of CEO and the key management personnel against the set targets and goals periodically and determine the basis for revising remuneration, benefits and other payments of performance-based incentives; g) ensure that the prior written approval of the shareholders is obtained for any special payments/ financial and non-financial benefits to be made to the directors, CEO and key management personnel at the termination of employment or at the retirement. In the case of licensed banks where the Government of Sri Lanka holds fifty per cent or more of issued capital carrying voting rights of the bank, such prior approval shall be obtained from the Secretary to the

22 Treasury; h) coordinate with the Integrated Risk Management Committee to ensure that the compensation made to directors, CEO and key management personnel is within the risk appetite limits of the bank; and, i) establish a policy on claw-back arrangements for performance￾based payments made to CEO and key management personnel of the licensed bank under the circumstances of inter alia fraud and misappropriation of funds, to the extent of the financial loss caused to the licensed bank. Such policy shall articulate the process to be followed by the licensed bank prior to giving effect to the claw back arrangements ensuring procedural propriety, fair hearing and transparency. The claw-back procedure of the licensed bank shall be incorporated into the employment contracts of CEO and key management personnel and a similar arrangement shall be implemented for the existing CEO and key management personnel. The requirements of Direction 6.3 with extended compliance dates are provided in Schedule V. 6.4 Nomination and Governance Committee: The Committee shall: a) be chaired by an independent director who is not the chair of the Board and shall be constituted with a majority of independent directors. CEO may be present at meetings by invitation except when matters relating to CEO are being discussed; b) implement a formal and transparent procedure to identify, nominate and recommend new directors, CEO and the key management personnel; c) ensure the directors, CEO and the key management personnel are fit and proper persons to hold office as specified in the criteria given in Directions 3 and 8.2 and as set out in the applicable laws and regulations; d) obtain the views of the Integrated Risk Management Committee in selecting CRO and CCO and that of the Audit Committee in

23 selecting CIA; e) consider and recommend (or not recommend) the re-election of current directors, through periodic evaluation of the performance and contribution made by the director concerned towards the overall discharge of the Board’s responsibilities; f) quarterly evaluate the status of independence of the independent non-executive directors in terms of the Direction 2.5 b) and whether such directors have any conflicts of interest that may impede the ability to perform duties independently and notify the changes to the independent status (if any) to the Director of Bank Supervision; g) set the criteria such as qualifications, experience and key attributes required for eligibility to be considered for appointment or promotion to the post of CEO and the key management positions; h) consider and recommend from time to time, the requirements of additional/new expertise to the Board and the succession arrangements for retiring directors; i) ensure that the bank has a robust succession plan for CEO and the key management personnel with an effective and transparent process to: (i) identify qualified and competent persons (internal/external) to fulfil the positions of CEO and key management personnel for succession in short, medium and long term given the size, scale, diversity and complexity of operations of the bank; (ii) groom the selected successors for the respective positions by identifying and mitigating the skill/knowledge gaps for the respective area; and, (iii) review the succession plan at least on an annual basis. j) ensure that the directors are updated on the applicable laws, regulations, macroeconomic policies, latest technological developments and emerging financial sector and market developments relevant to the banking industry on a continuous basis; k) identify the training needs of the directors and make

24 recommendations to the Board relating to training, capacity building and professional development programs for the directors on a regular basis; l) review the structure, size, qualifications and composition of the Board and Board committees to ensure effective discharge of duties and responsibilities; and, m) ensure that the overall corporate governance framework and policies of the bank are reviewed, updated and effectively implemented considering all applicable laws and regulations and industry/international best practices. The requirements of Direction 6.4 with extended compliance dates are provided in Schedule V. 6.5 Integrated Risk Management Committee The Committee shall: a) be chaired by an independent director who is not the chair of the Board or any other Board committee; b) consist of at least three non-executive directors with a majority of independent directors. The Committee members shall have sound collective experience in risk management issues and practices in relation to banking and/or financial services; c) A majority of the members of the Committee shall not be constituted by the members of the Audit Committee and vice-versa; d) require CEO, CRO, CCO and key management personnel supervising broad risk categories, i.e., credit, market, liquidity, operational and strategic risks to attend the meetings on needs basis; e) work with key management personnel very closely and make decisions on behalf of the Board within the framework of the authority and responsibility assigned to the Committee; f) establish an independent risk management function responsible for integrated risk management of the bank; g) assess all risks, i.e., credit, market, liquidity, operational, information security and strategic risks to the bank on a monthly basis through appropriate risk indicators and management

25 information. In the case of subsidiary companies and associate companies, risk management shall be conducted, both on solo and consolidated basis; h) advise and report to the Board on the bank’s exposures against the risk appetite; i) oversee the functioning of CRO. The Committee shall receive regular reports and communication from CRO and other relevant functions with respect to the risk profile, exposures against the established risk appetite limits and limit breaches; j) oversee the strategies implemented by CEO and the key management personnel for capital and liquidity management and management of all relevant risks of the bank, such as credit, market, operational, information security and strategic risks, to ensure consistency with the stated risk appetite; k) review the adequacy and effectiveness of all management level committees that are related to risk taking activities, such as the credit committee and the asset-liability committee to address specific risks and to manage those risks within quantitative and qualitative risk limits as specified by the Committee; l) take prompt corrective action to mitigate the effects of specific risks where such risks are at levels beyond the prudent levels decided by the Committee on the basis of the bank’s policies and regulatory and supervisory requirements; m) meet at least quarterly to assess all aspects of risk management including updated business continuity plans; n) take prompt corrective actions against the Officers responsible for failure to identify specific risks as recommended by the Committee; o) submit a risk assessment report within a week of each meeting to the Board seeking the Board’s views, concurrence and/or specific directions; p) establish a compliance function to assess the bank’s compliance with laws, regulations, regulatory guidelines and approved policies on all areas of business operations. A dedicated compliance officer

26 selected from key management personnel shall carry out the compliance function and report to the Committee periodically; q) establish an effective communication and coordination mechanism with the Audit Committee to facilitate exchange of information to ensure effective management of all risks, including emerging risks, and any adjustments needed to the integrated risk management framework of the bank; and, r) without prejudice to the tasks of the Human Resources and Remuneration Committee, examine whether the incentives provided to the employees take into consideration the levels of risk, capital, liquidity and earnings of the bank. The requirements of Direction 6.5 with extended compliance dates are provided in Schedule V. 6.6 Related Party Transactions Review Committee The Committee shall: a) be chaired by an independent director who is not the chair of the Board; b) consist of at least three non-executive directors with a majority of independent directors. CEO and relevant key management personnel may attend the meetings on need basis only for the relevant agenda items; c) ensure that a clear policy, procedures and processes are in place for identifying, monitoring and reporting related party transactions on an on-going basis in line with applicable laws and regulations; d) review the related party transactions of the bank including the transactions defined in Direction. 7.2, particularly with the persons who shall be considered as “related parties”, as defined in Direction 7.1, with a view to avoiding any conflicts of interest that may arise from such transactions; e) quarterly report to the Board, the details of related parties, related party transactions and economic consequences of the related party transactions; f) ensure that a director abstains from participating in discussions on any Board decision on transactions in relation to the director or any

27 of his/her close relation or a concern in which the director has substantial interest; and, g) ensure that the bank does not engage in transactions with related parties as defined in Direction 7.1 in a manner that would grant such parties “more favourable treatment” than that accorded to other constituents of the bank carrying on the same business. In this context, “more favourable treatment” shall mean: (i) granting of “total net accommodation” to related parties, exceeding a prudent percentage of the bank’s regulatory capital, as determined by the Board. For purposes of this sub￾direction; a. “Accommodation” shall mean accommodation as defined in the Banking Act Directions on Maximum Amount of Accommodation/ Large Exposures. b. The “total net accommodation” shall be computed by deducting from the total accommodation, the cash collateral and investments made by such related parties in the bank’s share capital and debt instruments with a maturity of 5 years or more. (ii) charging of a lower rate of interest than the bank’s best lending rate or paying more than the bank’s deposit rate for a comparable transaction with an unrelated comparable counterparty; (iii) providing of preferential treatment, such as favourable terms, covering trade losses and/or waiving fees/commissions, which extend beyond the terms granted in the normal course of business undertaken with unrelated parties; (iv) providing services to or receiving services from a related party without an evaluation procedure; and (v) maintaining reporting lines and information flows that may lead to sharing potentially proprietary, confidential or otherwise sensitive information with related parties, except as required for the performance of legitimate duties and functions.

28 Listed licensed banks and unlisted licensed banks shall comply with Direction 6.6 by 01.01.2025 and 01.01.2027, respectively. 7. Related Party Transactions The following requirements shall apply to related party transactions of licensed banks. 7.1 Related Parties The categories of persons considered as “related parties” for the purpose of this Direction are as follows. a) a director of a licensed bank; b) close relations of such director; c) a concern in which a director of a licensed bank has a substantial interest, being an interest acquired either before or after the appointment as a director of such licensed bank; d) a concern in which a close relation of a director of a licensed bank has a substantial interest; e) a chief executive officer or an officer performing executive functions of a licensed bank in respect of any accommodation granted other than an accommodation granted to such officer under a scheme applicable to the employees of such licensed bank; f) a shareholder of a licensed bank having material interest, whether individual or a concern; g) a subsidiary or an associate company of the licensed bank; h) a holding company of the licensed bank including its subsidiaries, excluding the parent bank and subsidiaries of a bank incorporated outside Sri Lanka; i) a director of a subsidiary or an associate company of the licensed bank; j) a director of a holding company of the licensed bank and its subsidiaries; k) a close relation of a person specified in Direction 7.1 (e) and (f) above; l) a concern, whose director or partner is a director of such bank; m) a concern in which a material shareholder of a licensed bank has substantial interest; and,

29 n) a concern in which a close relation of an individual material shareholder has substantial interest. 7.2 Type of Related Party Transactions The type of transactions with related parties that shall be covered by this Direction shall include the following. a) The grant of any type of accommodation, as defined in the Banking Act Directions on Maximum Amount of Accommodation/ Large Exposures of Licensed Banks. b) The creation of any liabilities of the bank in the form of deposits, borrowings and investments. c) The provision of any services of a financial or non-financial nature provided to the bank or received from the bank. d) The creation or maintenance of reporting lines and information flows between the bank and any related parties which may lead to the sharing of potentially proprietary, confidential or otherwise sensitive information that may give benefits to such related parties. 7.3 Applicability of Banking Act Provisions Licensed banks shall ensure compliance with the provisions of Section 47 and Section 76K of the Banking Act, with respect to accommodation granted to any of its related parties defined in Direction 7.1 as applicable, except for any accommodation granted to a CEO or a member of the key management personnel under a scheme applicable to the employees of the bank. 7.4 Accommodation Granted to Directors and Connected Parties Where any accommodation has been granted by a licensed bank to a person or to a close relation of a person or to any concern in which the person has a substantial interest, and such person is subsequently appointed as a director of the bank, and if: a) the necessary security as approved by the Central Bank of Sri Lanka is not provided, within one year from the date of appointment of such person as a director; and, b) any amount due on account of such accommodation, together with interest, if any, is not settled within the period specified at the time of grant of accommodation or at the expiry of a period of eighteen months from the date of appointment of the director, whichever is earlier, in the event such security is not provided by the period as

30 provided in a) above; such director shall be deemed to have vacated the office of director. This Direction, however, shall not apply to a director who at the time of the grant of the accommodation was an employee of the bank and the accommodation was granted under a scheme applicable to all employees of such bank. 7.5 Accommodation granted to Employees A bank shall not grant any accommodation or “more favourable treatment” relating to the waiver of fees and/or commission to any employee or a close relation of such employee or to any concern in which the employee or close relation has a substantial interest other than on the basis of a scheme applicable to the employees of such bank or when secured by security as may be approved by the Central Bank of Sri Lanka in respect of accommodation granted as per Sections 47(3) and (5) of the Banking Act. 7.6 Writing-off of Accommodation to Related Parties No accommodation granted by a licensed bank to related parties given in Direction 7.1, nor any part of such accommodation, nor any interest due thereon shall be written-off without the prior approval of the Central Bank of Sri Lanka and any writing-off without such approval shall be void and of no effect. 8. Senior Management The senior management shall mean CEO and the key management personnel of the licensed bank for the purpose of this Direction. 8.1 Board Oversight on Senior Management The overall responsibility of the Board shall not be construed as an obligation to undertake the inspection of day-to-day activities, but shall rather be understood as an obligation to oversee and ensure that the senior management members are carrying out the day-to-day activities in a safe and sound manner in accordance with the Board approved strategies and policies. Accordingly, the Board shall: a) define the areas of authority and responsibilities of the senior management; b) ensure that the actions of senior management are consistent with the business strategy and policies approved by the Board;

31 c) meet regularly, on needs basis, with the senior management to review the progress towards achieving corporate objectives; d) question and critically review explanations and information provided by the senior management; e) assess whether collective knowledge and expertise of the senior management remain appropriate given the size, scale, diversity and complexity of operations of the bank; and, f) hold the senior management members accountable for the actions. 8.2 Criteria to Assess the Fitness and Propriety of Senior Management In terms of Section 44A and Section 76H of the Banking Act, the senior management of licensed banks as determined by the Central Bank of Sri Lanka shall be fit and proper persons to hold such respective positions and the provisions of Sections 42(2) of the Banking Act shall apply in determining whether the members of the senior management are fit and proper persons. 8.3 Responsibilities of Senior Management Senior management members shall: a) contribute substantially to a licensed bank’s sound corporate governance framework through personal conduct; b) devote sufficient professional time to discharge his/her duties at the licensed bank. In the event a senior management member is appointed as a non-executive director of a subsidiary or an associate company of the licensed bank, he/she shall ensure that such duties do not affect the effective discharge of responsibilities to the bank; c) implement business strategies, risk management systems, risk and compliance culture, processes and controls for managing both financial and non-financial risks under the directions given by the Board; d) recognize and respect the independent duties of the risk management, compliance and internal audit functions and shall not interfere in the exercise of such duties; e) receive access to regular training to maintain and enhance competencies and keep abreast of developments relevant to the respective areas of responsibility;

32 f) be responsible for delegating duties to staff and overseeing such delegated duties; g) establish a management structure that promotes accountability and transparency throughout the bank; h) ensure that appropriate remedial or disciplinary action is taken if breaches are identified; i) regularly provide the Board and the Board sub-committees as applicable with the information of material matters including but not limited to; (i) changes in business strategy, risk strategy/risk appetite, (ii) the bank’s performance and financial condition, (iii) breaches of risk limits or compliance rules, (iv) internal control failures, and, (v) legal or regulatory concerns. j) notify the Director of Bank Supervision upon becoming aware of any material information that may negatively affect the fitness and propriety of a Board member or another senior management member. 9. Disclosures Licensed banks shall comply with the following requirements with respect to disclosure of information. 9.1 Board Responsibilities on Disclosures The Board shall ensure adequate and timely public disclosures of relevant information including but not limited to key performance indicators, capital adequacy, liquidity, business concentrations, related party transactions, corporate governance, financial statements, etc., are made with a view to facilitating enhanced market discipline and transparency commensurate with the size, scale, diversity and complexity of operations of the bank. The Board shall ensure that annual audited financial statements and quarterly financial statements are prepared and published in accordance with the formats prescribed by the supervisory and regulatory authorities and applicable accounting standards.

33 9.2 Minimum Disclosures to be made in the Annual Report The Board shall ensure that the following minimum disclosures are made in the Annual Report. a) A statement to the effect that the annual audited financial statements have been prepared in line with applicable accounting standards and regulatory requirements, inclusive of specific disclosures. b) A report by the Board on the bank’s internal control mechanism which confirms the financial reporting system has been designed to provide reasonable assurance regarding the reliability of financial reporting, and the preparation of financial statements for external purposes has been done in accordance with relevant accounting principles and regulatory requirements. c) The external auditor’s certification on the effectiveness of the internal control mechanism referred to in b) above. The Assurance Report issued by the Auditors under “Sri Lanka Standard on Assurance Engagements SLSAE 3050 – Assurance Reports for Banks on Directors’ Statements on Internal Control” may be used as a substitute disclosure in this regard. d) Details of directors, including names, transactions with the bank and the total fees/remuneration paid by the bank. e) Total net accommodation granted to each category of related parties. The net accommodation granted to each category of related parties shall also be disclosed as a percentage of the bank’s regulatory capital. f) The aggregate values of remuneration paid by the bank to its CEO and the key management personnel and the aggregate values of the transactions of the bank with its CEO and key management personnel, set out by broad categories such as remuneration paid, accommodation granted, and deposits or investments made in the bank. g) Details of Board committees including (i) details of the key activities of each Board committee during the year; (ii) the number of meetings of each committee held in the year; and (iii) attendance of each individual director at such meetings.

34 h) The following shall be disclosed in the Annual Corporate Governance Report: (i) the external auditor’s certification of the compliance with these Directions, clearly demonstrating the compliance status of the licensed bank with each sub-direction; (ii) the composition of the Board, by category of directors, including the names of the Chairperson, executive directors, non-executive directors and independent non-executive directors; and, (iii) the identity of the Chairperson and CEO and the nature of any relationship including financial, business, family or other material/ relevant relationship(s), if any, among the Chairperson, CEO and the members of the Board. i) A report setting out details of the compliance with prudential requirements, regulations, laws and internal controls and measures taken to rectify any material non-compliances. j) A statement of the regulatory and supervisory concerns on lapses in the bank’s risk management, or non-compliance with these Directions that have been communicated by the Director of Bank Supervision, or administrative fines imposed by the Central Bank of Sri Lanka, if so directed by the Central Bank of Sri Lanka to be disclosed to the public, together with the measures taken by the bank to address such concerns. k) The aggregate value of total non-statutory special payments/ financial or non-financial benefits made to directors, CEOs and key management personnel at the termination of employment or at the retirement during the respective financial year.

35 9.3 Disclosures to be made on Resignation, Removal or Vacation of Office of Directors If a director resigns or is removed or is deemed to have vacated the office of director due to regulatory non-compliances and/or as decided by the Board, the Board shall disclose the director’s resignation or removal or the status of being deemed vacated the office and the reasons for same in the official website of the licensed bank, including but not limited to information relating to the relevant director’s disagreement with the bank, if any. 10. Banks Incorporated Outside Sri Lanka Banks incorporated outside Sri Lanka shall comply with the following requirements. 10.1Applicability of the Directions These Directions shall apply to the banks incorporated outside Sri Lanka to the extent that it is not inconsistent with the regulations and laws applicable in such bank’s country of incorporation. Accordingly, the banks incorporated outside Sri Lanka shall comply with the requirements of these Directions as applicable, based on the existing governance frameworks/structures that are laid down by the Head Office or the Regional Office. 10.2Submission of Information The banks incorporated outside Sri Lanka shall submit the following information to the Director of Bank Supervision on an annual basis. a) Information required by Direction 9.2 except Direction 9.2 d), g) and h) together with the annual audited financial statements. The Reports referred to in Directions 9.2 b) and i) shall be prepared by the Head Office or the Regional Office supervising Sri Lankan operations. b) The following details within one month after the closure of the financial year: (i) a list of all management level committees functioned during the financial year together with the meeting dates and the key subject matters discussed at each meeting; (ii) copies of Terms of Reference for all management committees approved by the relevant authority;

36 (iii) composition of each committee: Names and designations of the members; and, (iv) details of functional reporting lines of the branch to the Head Office and/or the Regional Office that were in effect during the year. c) A copy of the parent bank’s annual corporate governance report within five months after the closure of its financial year. 11. Conflict with Articles of Association In the event of a conflict between any of the provisions of these Directions and the Articles of Association (or Internal Rules) pertaining to any bank, the provisions of these Directions shall prevail. In the event the Articles of Association of an individual bank set a more stringent standard than that specified in this Direction, such provisions in the Articles of Association may be followed.

37 12. Interpretations 1.1 “Duty of care” shall mean the duty of a director of a licensed bank to act and take decisions with skill, care, prudence and due diligence in the performance of his duties of such bank. 1.2 “Duty of loyalty” shall mean the duty of the Board of directors to act in good faith in the interest of the bank, for the purpose of these Directions. 1.3 “Key management personnel” shall mean the Officers performing executive functions as referred to in the Banking Act Determination No. 01 of 2019 on Assessment of Fitness and Propriety of Chief Executive Officer and Officers Performing Executive Functions in Licensed Banks. 1.4 “Material business relationship” shall mean a relationship resulting in income/noncash benefits equivalent to 20 per cent of the director’s annual income and any income/noncash benefits received by such director which are applicable on a uniform basis to all non￾executive directors on the Board shall not be considered for this purpose. 1.5 “Board of directors in the case of a bank incorporated outside Sri Lanka” shall mean the Head Office or the Regional Office of such licensed bank that supervises the respective branch or a management committee, for which the powers on overseeing the management have been delegated by such Head Office or the Regional Office, as the case may be, to act as the Board of directors of such branch. 1.6 “Regulatory capital” shall mean the total capital reported in the latest computation of the Total Capital in terms of the Banking Act Direction No. 01 of 2016 on Capital Requirements under Basel III, as at the end of the preceding financial year or immediately preceding quarter, subject to certification by the external auditor. 1.7 “Financial sector authority” shall be as defined in the Central Bank of Sri Lanka Act, No. 16 of 2023.

38 Schedule II Responsibilities of the Risk Management Function Every licensed bank shall establish an independent risk management function as per the requirements of this Schedule in addition to the Banking Act Directions No. 07 of 2011 on Integrated Risk Management Framework for Licensed Banks

1. The Integrated Risk Management Committee shall establish an effective independent risk management function which shall be a part of the second line of defence, under the direction of a Chief Risk Officer (CRO).
2. CRO shall be a member of the key management personnel, and in the case of Domestic Systemically Important Banks (D-SIBs), he/she shall be in the immediate layer below the level of CEO in the organizational structure.
3. CRO shall possess sufficient stature, independence, knowledge, skills and expertise in risk management and shall be fit and proper to hold such position in terms of the Section 44A and Section 76H of the Banking Act.
4. CRO shall be independent from the other executive functions of the bank and shall not have management or financial responsibility related to any operational business lines or revenue generating functions.
5. The Chief Operating Officer, Chief Compliance Officer, Chief Financial Officer, Chief Internal Auditor, or any other key management personnel shall not serve as CRO.
6. Appointment, dismissal and other changes to CRO position shall be recommended by the Integrated Risk Management Committee to the Board.
7. The primary responsibilities of CRO shall include but not limited to: 7.1 implement the Board approved integrated risk management framework which covers (i) risk management policies, processes and procedures (ii) material risk exposures and the sources of such risks (iii) mechanisms of identifying, assessing, monitoring and reporting of such risks (iv) reviewing of bank's exposures against the risk appetite framework and risk limits (v) quantitative and qualitative risk analysis methods including stress testing and (vi) effective risk control and prudential risk mitigation methods in terms of the Banking Act Directions No. 07 of 2011 on Integrated Risk Management Framework for Licensed Banks;

39 7.2 actively engage in assessing material risks individually and in aggregate and measuring the bank’s exposure against risk appetite limits; 7.3 establish an early warning or trigger system for breaches of the bank’s risk appetite limits; 7.4 implement necessary measures to strengthen the staff skills and to enhance the risk management systems, policies, processes and reports on an on-going basis to ensure that the bank’s risk management capabilities are sufficiently robust and effective to meet the strategic objectives of the bank; 7.5 regularly report and communicate to the Integrated Risk Management Committee on the risk profile, current state of the risk culture, exposures against the established risk appetite limits and limit breaches in a timely and accurate manner to take informed decisions; 7.6 support the Board in its oversight of the development of the bank’s risk appetite framework including the risk limit structure; 7.7 outline actions to be taken when the approved risk appetite limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and notifications to the Board; and, 7.8 participate in key decision-making processes of the bank, e.g., strategic planning, capital and liquidity planning, new products and services, etc. 8. The risk management function shall be independent of any responsibilities related to the first line of defence, the compliance function and the third line of defence and shall not be involved in revenue generation. However, the risk management function shall ensure effective coordination and communication with business and operational units and the internal audit function of the bank to facilitate exchange of information for effective risk management. 9. The risk management function shall have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge and the command of risk disciplines.

40 Schedule III Responsibilities of the Compliance Function Every licensed bank shall establish an independent compliance function as per the requirements of this Schedule in addition to the Circular dated 14.09.1998 on Appointment of Compliance Officers.

1. The Integrated Risk Management Committee shall establish an effective independent compliance function as a part of the second line of defence and approve the bank’s policies and processes for identifying, assessing, monitoring, reporting and advising on compliance risk, providing sufficient authority, stature, independence, resources and access to the Board.
2. The Board through the Integrated Risk Management Committee shall establish a compliance policy that inter alia contains the basic principles of compliance and the main processes by which compliance risks are to be identified and managed through all levels of the bank.
3. The compliance function shall be responsible for ensuring that the bank operates with integrity in compliance with applicable laws and regulations.
4. The compliance function shall proactively assess compliance risk faced by various activities undertaken by the first line of defence together with ensuring remediation on gaps observed during the assessment.
5. The compliance function shall be independent of any responsibilities related to the first line of defence, the risk management function and the third line of defence.
6. The compliance function shall have full and unconditional access to bank's records, physical properties, management information systems and minutes of all consultative/decision making bodies.
7. A dedicated person with sufficient authority, stature, independence, relevant knowledge, skills and expertise selected from key management personnel shall be designated as the Chief Compliance Officer (CCO) and in the case of DSIBs, he/she shall be in the immediate layer below the level of CEO in the organizational structure.
8. CCO shall be fit and proper to hold such position in terms of the Section 44A and Section 76H of the Banking Act.
9. Appointment, dismissal and other changes to CCO position shall be recommended by the Integrated Risk Management Committee to the Board.

41 10. The Chief Operating Officer, CRO, Chief Financial Officer, Chief Internal Auditor, or any other key management personnel shall not serve as CCO. 11. CCO shall have the overall responsibility for identification, management, mitigation of bank's compliance risk and supervising activities of other compliance function staff. 12. CCO shall have the ability to interpret and articulate compliance risk in an understandable manner as well as to effectively engage the Board, Integrated Risk Management Committee and key management personnel in constructive dialogue on key compliance risk issues. 13. CCO shall regularly report to the Integrated Risk Management Committee on the bank’s compliance with applicable laws, rules and regulations, level of compliance risk, the quality and effectiveness of the bank’s internal controls put in place to manage compliance risk and the latest developments in the area of compliance. Such reporting shall be without any management filtering or intervention. 14. CCO shall function as a contact point within the bank for compliance queries from staff members and provide guidance to staff on the appropriate implementation of applicable laws and regulations.

42 Schedule IV Responsibilities of the Internal Audit Function Every licensed bank shall establish an independent internal audit function as per the requirements of this Schedule.

1. The internal audit function shall provide independent assurance to the Board of directors, CEO and key management personnel on the quality and effectiveness of the bank’s internal controls, risk management and governance systems and processes.
2. The internal audit function shall have a clear mandate, be accountable to the Board and the Audit Committee and be independent of the audited activities.
3. The internal audit function shall have sufficient standing, knowledge, skills, resources and authority within the bank to enable the internal auditors to carry out the assignments effectively and objectively commensurate with the size, scale, diversity and complexity of operations of the bank.
4. A dedicated person with sufficient authority, stature, independence, relevant knowledge, skills and expertise selected from key management personnel shall be designated as the Chief Internal Auditor (CIA), and in the case of D-SIBs, he/she shall be in the immediate layer below the level of CEO in the organizational structure.
5. CIA shall be fit and proper to hold such position in terms of the Section 44A and Section 76H of the Banking Act.
6. The Board, CEO and key management personnel shall contribute to the effectiveness of the internal audit function by:
7. providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies; 7.1 requiring the function to independently assess the effectiveness and efficiency of the internal controls, risk management and governance systems and processes; and, 7.2 requiring timely and effective correction of audit issues by senior management.
8. The internal audit function shall perform a periodic assessment of the bank’s overall risk governance framework, including but not limited to the assessment of: 8.1 the effectiveness of the risk management and compliance functions; 8.2 the quality of risk reporting to the Board and senior management; and, 8.3 the adequacy and integrity of the bank’s internal controls and management information systems.

43 9. The Board, CEO and key management personnel shall promote the independence of the internal audit function by ensuring that: 9.1 internal audit reports are provided to the Board or the Audit Committee without management filtering and the internal auditors have direct access to the Audit Committee; and, 9.2 CIA’s primary reporting line is to the Audit Committee, which is also responsible for the selection, oversight of the performance and, if necessary, dismissal of CIA.

44 Schedule V Extended Timelines for Compliance Direction New/ Amended Requirement Date to be complied 2.5 a) At least half of the total number of directors shall be independent non￾executive directors. 01.01.2027 Licensed banks shall comply with the Directions prevailing immediately preceding these Directions, till the above date. 2.5 b) Enhanced independent criteria

1. 2.5 b)(iv)
2. 2.5 b)(viii)
3. 2.5 b)(ix) 01.01.2026 2.7 At least half of the Board members shall constitute the quorum for the Board meetings. A meeting of the Board shall not be duly constituted, although the number of directors required to constitute the quorum at such meeting is present, unless more than one third of the number of directors present at such meeting are independent non-executive directors. 01.01.2026 Licensed banks shall comply with the Directions prevailing immediately preceding these Directions, till the above date. 5.2 a) The Chairperson shall be an independent non-executive director. In the event the Chairperson becomes non-independent after the initial appointment, as an interim arrangement, the Board shall designate an independent director as the Senior Director for a period not exceeding six months with suitably documented Where a non-independent director is currently serving as the Chairperson, such director may continue to serve as the Chairperson for a further period not beyond 31.12.2027.

45 Direction New/ Amended Requirement Date to be complied terms of reference. The designation of the Senior Director shall be disclosed in the bank’s Annual Report. 6.2 Board Audit Committee

1. 6.2 a)
2. 6.2 b)
3. 6.2 c) 01.01.2027 6.3 Board Human Resources and Remuneration Committee
4. 6.3 a)
5. 6.3 i) 01.01.2026 6.4 Board Nomination and Governance Committee
6. 6.4 a) 01.01.2027 6.5 Board Integrated Risk Management Committee
7. 6.5 a)
8. 6.5 b)
9. 6.5 c) 01.01.2027 6.6 Board Related Party Transactions Review Committee Listed licensed banks by 01.01.2025. Unlisted licensed banks by 01.01.2027.