Standard of Sound Practice for Effective Corporate Governance of DTIs and FHCs

| 1

| 2 Table of Contents List of Abbreviations......................................................................................................................................................3 Glossary ..........................................................................................................................................................................4

1. Purpose and Scope of the Standard........................................................................................................................ 10
2. Legal Basis and Transitional Arrangements.......................................................................................................... 12
3. Introduction............................................................................................................................................................. 14
4. The Board ................................................................................................................................................................ 16 4.1Key Responsibilities of the Board ....................................................................................................................16 4.2Composition of the Board.................................................................................................................................18 4.3 Chairman of the Board ....................................................................................................................................23 4.4 Appointment and Removal of Directors ..........................................................................................................24 4.5 Board Performance Assessment and Evaluation ...........................................................................................25 4.6 Board Meetings ...............................................................................................................................................25 4.7 Board Committees...........................................................................................................................................26 4.8 The Board’s Relationship with and Oversight of Senior Management ...........................................................30
5. Group Governance .................................................................................................................................................. 33 5.1 Parent Company Boards.................................................................................................................................35 5.2 Subsidiary Boards ...........................................................................................................................................35 5.3 Outsourcing .....................................................................................................................................................36
6. Governance and Risk Management........................................................................................................................ 37
7. Risk Culture and Business Conduct....................................................................................................................... 40 7.1 Risk Culture.....................................................................................................................................................40 7.2 Corporate Values and Code of Conduct .........................................................................................................41 7.3 Conflict of Interest ...........................................................................................................................................42
8. Disclosure and Transparency ................................................................................................................................. 43 Appendix 1: Responsibilities of Other Board Committees ...........................................................................................i Appendix 2: Board Performance and Assessment Guide.............................................................................................ii

| 3 List of Abbreviations BOJ Bank of Jamaica BSA The Banking Services Act, 2014 DTI Deposit-Taking Institution FHC Financial Holding Company FPC Financial Policy Committee SSP Standard of Sound Practice

| 4 Glossary The terms and expressions used in this Standard shall have the same meanings as defined in the Banking Services Act, 2014 (BSA), and companion regulations applicable to deposit-taking institutions and financial holding companies. For the purpose of this Standard, the following definitions are also provided: Affiliated Arm’s length Beneficial Owner Has the meaning ascribed in section 2 of the Companies Act and extends to the use of the words affiliate and/or affiliates. The condition or fact that the parties to a transaction are independent, on an equal footing and are beyond the reach of personal influence or control. Has the meaning ascribed in section 2 of the Companies Act as amended in 2023. Board of Directors1 /Board A governing body of persons appointed or elected with ultimate responsibility for the governance and oversight of a deposit-taking institution or financial holding company. Centralised Approach Compliance Function A governance model where decision-making authority is concentrated at the top levels of the financial group, ensuring uniformity and consistency in policies and strategic direction. This function does not necessarily denote an organisational unit. It comprises a set of processes, policies, and systems to ensure the deposit-taking institution or group adheres to all applicable laws, regulations, guidelines, and internal policies. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance, who should be independent of business lines.

1 Please be reminded of the definition of Director in Section 2 of the BSA which states that - “subject to section 32, means a director, trustee or other person who is a member of the board or other body (by whatever name called) of a company (by whatever name called) that is responsible for the governance and oversight of the company;”

| 5 Conflict of Interest A conflict of interest is deemed to arise where a person or entity has one or more interests which may affect and/or actually affect their judgement and conduct in the exercise of their professional duties. This includes where a person in the making of or the participation of making a decision in the execution of his/her office knows, or ought reasonably to have known, that there is an opportunity to either directly or indirectly further his/her private interests, or that of a member of his/her family, or of any other person or entity from which he/she stands to benefit. It also includes conflicts of duty which arise when a person is required to fulfil two or more roles that may be in conflict with each other. It further includes instances where a deposit-taking institution or financial holding company has one or more interests that could impact impartiality or professional judgment, such as investing clients' funds in assets or schemes where the entity itself has a stake. Connected Person Control Functions Has the meaning ascribed in Section 2(1) and (2) of the Banking Services Act, 2014. Those functions that have a responsibility independent from business and operational functions to provide objective assessment, reporting and/or assurance. This includes the risk management, compliance, actuarial, and internal audit functions. Corporate Governance Decentralised Approach A set of relationships between the entity’s Board, Senior Management, customers and other stakeholders which provide the structure through which the objectives of the institution are set, and the means of attaining those objectives and monitoring performance are determined. It helps define the processes and procedures by which authority and responsibility are allocated and how corporate decisions are made. A governance model where decision-making authority is distributed across various levels or units within the financial group, allowing for flexibility and responsiveness to specific conditions. Duty of Care The duty of Board members, key employees and senior managers to decide and act on an informed and prudent

| 6 basis with respect to the deposit-taking institution or financial holding company. Duty of Loyalty The duty of Board members, key employees and senior managers to act in good faith in the interest of the deposit￾taking institution or financial holding company. Executive Director A member of the Board who also has management responsibilities within the deposit-taking institution or financial holding company. Financial Group Financial Holding Company Has the meaning ascribed in section 2(1) of the BSA. Has the meaning ascribed in section 2(1) of the BSA. Group-wide Governance This refers to the framework of policies, practices and mechanisms that manage the governance of the financial group and the group-wide application of the group governance framework to all material activities and entities of the financial group. Independent Director Internal Control System Has the meaning ascribed in Section 2(1) of the Banking Services Act, 2014. A set of rules and controls governing the institution’s organizational and operational structure, including reporting processes, and functions for risk management, compliance and internal audit. Key Employee Has the meaning ascribed in Section 2(1) of the Banking Services Act, 2014. Parent Company A parent company is one that has a controlling or majority interest in another company which gives it the right to control the subsidiary’s operations. The parent company can also be a financial holding company licensed under the BSA.

| 7 Non-Executive Director Related Parties Risk Appetite2 A member of the Board who does not have management responsibilities within the DTI or FHC. Include: (a) the institution’s subsidiaries and affiliates (including their subsidiaries, affiliates and special purpose entities) and any other party over which the institution exerts control or that exerts control or ultimate effective control over the institution; (b) the institution’s substantial shareholders (as defined in Section 2(1) of the BSA), including beneficial owners; (c) the Board members, senior management, key employees and corresponding affiliates, and parties that can exert significant influence on Board members or senior management; and (d) for the natural persons identified in (a) to (c), their direct and related interests, and their immediate relatives. The aggregate level and types of risk an entity is willing to assume, decided in advance and within its risk capacity (that is, the maximum amount of risk the institution is able to assume given its capital base, risk management and control capabilities, as well as its regulatory constraints), to achieve its strategic objectives and business plan. Risk Appetite Framework (RAF)3 The overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the framework. The RAF should consider material risks to the institution, as well as to its reputation vis-à-vis depositors, investors, and creditors. Risk Appetite Statement (RAS) The aggregate level and types of risk that the institution will accept or avoid in order to achieve its business objectives. It includes quantitative measures expressed

2 Some financial institutions and supervisors use the term “risk tolerance” to describe the amount of risk the institution is willing to accept. Other institutions and supervisors use the term “risk appetite” to create a distinction between the absolute risks which the institution a priori is open to take (risk appetite) versus the actual limits within the risk appetite which the institution pursues (risk tolerance). Risk appetite can imply a more forward￾looking or wider view of acceptable risks, whereas risk tolerance suggests a more immediate definition of the specific risks that the institution will take. 3See Financial Stability Board (FSB), Principles for an Effective Risk Appetite Framework, November 2013; and Bank of Jamaica Corporate Governance: Board Oversight (Section 3), 2023. The forthcoming guidelines on Internal Capital Adequacy Assessment Process (ICAAP) for Deposit-Taking Institutions will include guidance on developing the risk appetite statement and framework.

| 8 relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also include qualitative statements to address reputation and conduct risks, as well as money laundering and unethical practices. Risk Capacity The maximum amount of risk the financial institution is able to assume given its capital base, risk management and control capabilities, as well as regulatory constraints. Risk Culture The institution’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risks they assume. Risk Governance Framework Part of the overall corporate governance framework, through which the Board and management establish and make decisions about the institution’s strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the institution’s strategy; and identify, measure, manage and control risks. Risk Limits Specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the institution’s aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures. Risk Management The processes established to ensure that all material risks and associated risk concentrations are identified, measured, limited, controlled, mitigated and reported on in a timely and comprehensive basis. Risk Profile Point-in-time assessment of the institution’s gross risk exposures (i.e. before the application of any mitigants) or, as appropriate, net risk exposures (i.e. after taking into account mitigants) aggregated within and across each relevant risk category based on either current or forward￾looking assumptions.

| 9 Senior Manager/Management This is a subset of the definition of “manager” ascribed in section 2(1) of the BSA, and speaks to senior roles in the deposit-taking institution or financial holding company, such as the Chief Executive Officer, heads of control functions and heads of major business units. These individuals are responsible for managing the deposit￾taking institution or financial holding company on a day￾to-day basis in accordance with strategies, policies and procedures approved by the Board. Systemically Important Financial Institution/SIFI4 Ultimate Effective Control Systemic importance is determined by the size, interconnectedness, substitutability, and global or cross￾jurisdictional activity (if any) of the entity. A SIFI’s distress or disorderly failure because of its size, complexity and/or interconnectedness would threaten the smooth functioning of the financial system and the wider economy, and would likely place the financial system in danger of disruption, substantial damage, and impairment. Has the meaning ascribed in section 2 of the Companies Act as amended in 2023. Ultimate Holding Company Has the meaning ascribed in section 2(1) of the BSA.

4 See A Systemic Risk Buffer for Jamaica, August 2023; Bank of Jamaica. The Bank of Jamaica will advise a financial institution whether it has been designated as systemically important in accordance with the framework for the identification of a Domestically Systemically Important Financial Institution (D-SIFI).

| 10

1. Purpose and Scope of the Standard
2. This updated Standard of Sound Practice for Effective Corporate Governance serves as a comprehensive, overarching governance standard, outlining Bank of Jamaica's expectations with respect to corporate governance practices at Deposit-Taking Institutions (DTIs)5 and Financial Holding Companies (FHCs). Bank of Jamaica (“BOJ” or “the Bank”) expects these institutions to align their corporate governance practices with this Standard as far as practicable, and comply with all corporate governance requirements stipulated in the legislation under which they are licensed.
3. The corporate governance expectations addressed in the Standard are principles-based and recognize that an institution’s corporate governance practices may depend on its size; corporate structure to which it belongs; nature, scope and complexity of its operations; and business model. The Standard will be reviewed periodically to ensure its continued relevance and alignment with legislative amendments and recommended best practices issued by international standard-setting bodies.
4. In the case of FHCs, the Bank requires that the Board of the FHC develop and implement governance arrangements appropriate to the nature and scale of the financial group’s operations. The Board should also ensure that the provisions of the governing legislation, regulations, and guidelines applicable to the FHC and the requirements contained in this Standard are applied appropriately throughout the financial group, including in relation to institutions regulated and supervised by the Bank.
5. The Standard seeks to reinforce the collective oversight and governance responsibilities of the Board and senior management and addresses key components of risk governance, such as risk culture and risk appetite in relation to the entity’s risk capacity. The Bank expects the Board of a DTI or FHC to oversee the development and implementation of adequate policies and procedures to protect the institution against threats to its integrity or security. The Standard also specifies supervisory expectations with respect to the role of Board committees; the Board’s relationship with and oversight of senior management; group governance; governance and risk management, including the role of the Chief Risk Officer (CRO)6 ; risk culture and business conduct; and disclosure and transparency.
6. The Board and senior management of these institutions are expected to be fully aware of and compliant with the relevant legislation and other rules and guidance issued by other organizations to address these issues. These include the Companies Act, as well as rules and guidance issued by other bodies, for example, the Jamaica Stock Exchange (JSE), as applicable.

5 Commercial Banks, Building Societies, and Merchant Banks. 6 This includes an individual who may be performing the functions typically assigned to a Chief Risk Officer though he/she has not been designated with the title of Chief Risk Officer.

| 11 6. The Board and senior management of a DTI or FHC are responsible for the institution’s financial soundness and prudent risk management. The BSA imposes various requirements and duties on the Board and senior management of these institutions, in addition to those that apply to all entities under the Companies Act and other legislation. These requirements cover the size and composition of the Board, including appointment, conflicts of interest, and fitness and propriety. An institution’s corporate governance practices are a key component of the Bank’s supervisory assessments and are an important factor in determining the level of supervisory intensity applied to it. DTIs and FHCs should strive to continuously enhance their governance practices and arrangements to reflect emerging best practices and changes in the scope and complexity of their operations and business models, as appropriate. 7. In the application of this Standard, the Bank will take into account the principle of proportionality, which means tailoring regulatory requirements, supervisory practices, and risk management expectations to the nature, size and complexity of the institution’s operations and business model. Each institution is expected to discharge its legal and governance responsibilities as a separate entity, notwithstanding any group-wide arrangements on which the entity may be relying. Where an institution fails to adhere to the provisions of this Standard, Bank of Jamaica may, by notice in writing to the institution: i. impose restrictions on the activities of the institution if there are safety and soundness concerns regarding the institution and/or its customers, and may act in accordance with the powers conferred on the Bank by section 109 of the BSA; and/or ii. give such other directions to the institution as the Bank considers appropriate pursuant to section 109 of the BSA; 7 and/or iii. take any other action pursuant to section 109 of the BSA.; and/or iv. take any other action allowed under any relevant law. 8. The Standard does not apply to the branch operations of foreign banks. However, branches of foreign banks are required to establish a Board of Management or such other governing body that is satisfactory to the BOJ and in compliance with the law, regulations and other guidance, in relation to their branch operations in Jamaica8 .

7 That is, section 109(1)(c) and (2). General reference is made to Part A of the Fifth Schedule. 8 Section 31(2) of the BSA.

| 12 2. Legal Basis and Transitional Arrangements 9. The principles contained in this Standard of Sound Practice build on Sections 31-39 of the BSA, which establish minimum requirements for the Board of Directors of DTIs and FHCs in fulfilling their corporate governance responsibilities. Pursuant to section 34FL(b)(ii) of the Bank of Jamaica Act, 2020, the Financial Policy Committee (FPC) is tasked with the authority to make determinations on Standards of Sound Practice for licensees. While this Standard itself does not have the force of law, direct contravention or non-observance by licensees may be regarded by Bank of Jamaica as evidence of “unsafe and unsound” business practice9 . Institutions should, in that regard, be aware that contravention of a standard of sound practice is a condition subject to remedial action under Section 109 of the BSA, as supported by Part A of the Fifth Schedule10 . 10. It should be noted that this publication is an update to the Standard of Best Practice for Effective Corporate Governance of Deposit-Taking Entities issued by Bank of Jamaica in 2008, replacing it while building on its foundational principles and introducing additional provisions that reflect current and evolving international best practice. 11. The Standard must be read together with other relevant legal instruments (i.e., the BSA and applicable regulations), as well as standards, guidelines, and other relevant communication issued by the Bank11. This Standard complements relevant provisions of regulations issued under the Banking Services Act and the following policy documents and standards: i. Consultation on the Methodology for the Treatment of Debarred Persons (BOJ, 2023); and ii. Corporate Governance: Board Oversight (BOJ, 2023). 12. Section 34 of the BSA requires that the number of independent directors appointed to the Board of a DTI or FHC shall not be less than one-third of the membership of the Board or such other fraction as may be prescribed by Supervisory Rules. In accordance with section 34, the Bank hereby advises that it intends to issue Supervisory Rules to increase the statutory minimum fraction of independent directors required on the respective Boards of a DTI and FHC from the current one-third to a fraction which allows the independent directors to constitute a majority. This proposed change will align with the Bank’s ongoing efforts to strengthen corporate governance frameworks and reinforce the objectivity and independence of board oversight within DTIs and FHCs12 . Once effected, it will require an increased proportion of independent directors on the respective Boards of a DTI and FHC. Licensees are encouraged to begin reviewing their current board composition in anticipation of this change and to assess what adjustments may be necessary to ensure timely compliance upon the passage and effective date of the Supervisory Rules. Further guidance will be issued in due course.

9 Reference paragraph 7 above. 10 Reference paragraph 2(b)(iii). 11 The transition to a Twin Peaks model will result in the transfer of prudential supervision of securities firms, insurance companies, and private pension plans from the Financial Services Commission (FSC) to Bank of Jamaica. The FSC’s mandate will be revised with a focus on market conduct and consumer protection. 12 Further pursuant to section 132 of the BSA and building on these Standards, the Bank intends to issue Supervisory Rules for Corporate Governance.

| 13 13. This Standard comes into effect on 21/11/2025. A conformance period of one (1) year from the effective date shall be granted to existing institutions to enable full compliance with the provisions of this Standard. New DTIs and FHCs seeking to be licensed after the effective date will be required to comply with the provisions of the Standard from the date of their licensing.

| 14 3. Introduction A key role of Bank of Jamaica is to promote robust corporate governance within Deposit-Taking Institutions and Financial Holding Companies. This is accomplished by setting minimum standards and expectations throughout this Standard, which the board and management are required to uphold. The adoption of sound corporate governance standards and practices by these institutions serves to protect their critical role in intermediating funds to support the real economy. Effective corporate governance practices ensure that entities are managed in a sound and prudent manner, with due regard to the interests of depositors, shareholders and other stakeholders. Governance weaknesses, particularly in systemically important financial institutions (SIFIs), can result in the transmission of problems across the banking sector and the economy as a whole. Corporate governance is defined as “a set of relationships between a company’s senior management, its Board, its shareholders, customers and other stakeholders13 ”. Corporate governance determines the allocation of authority and responsibilities by which the business and affairs of the institution are carried out by its Board and senior management, including:

1. determining the institution’s strategy and business objectives;
2. appointing and overseeing personnel;
3. operating the institution’s business on a day-to-day basis;
4. protecting the interests of depositors, shareholders, and other stakeholders;
5. aligning corporate culture, corporate activities and behaviour with the expectation that the institution will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations; and
6. establishing control functions. Good corporate governance practices should be reflected in a corporate culture that reinforces ethical, prudent and professional behaviour. This begins with the right “tone from the top”, where the example set by the Board and senior management shapes the core values of the institution. The Board and senior management at each DTI and FHC have an obligation to implement good governance practices and promote sound corporate culture (codes of ethics and business conduct). The code of ethics should define acceptable and unacceptable behaviours and business practices; promote zero tolerance for illegal activity, such as financial misreporting and misconduct, fraud, and money laundering; and safeguard the rights of depositors, shareholders and other stakeholders who conduct business with the institution. Within a group of companies, there can be more than one regulated institution. Effective corporate governance at the group and legal entity levels is essential, and may help to mitigate the associated risks of carrying on businesses in financial conglomerates or group structures that are complex. A deposit-taking institution within a corporate group may be required to adopt group policies and align itself with other operational processes of its parent company. While this can be

13 Reference is made to the G20/OECD Principles of Corporate Governance, June 2023.

| 15 entirely appropriate and indeed may add strength to the oversight and control framework, the Board of a DTI that is asked to adopt a group policy cannot abrogate its regulatory responsibilities. It must satisfy itself that the group’s policy is ‘fit for purpose’, i.e. it is appropriate for the institution and will meet all regulatory requirements for that institution. The extent to which the financial group adopts a centralised or decentralised approach will affect its corporate governance arrangements. This may determine the: a) degree of authority or autonomy given to the FHC and to different entities within the financial group to set objectives and strategy, policies and processes, and organise the risk management and internal controls; b) allocation of responsibilities and accountabilities of senior management, Board members and key employees in control functions within the financial group; and c) control functions at different levels of the group, how they interact with each other, and with the financial group as a whole. In keeping with its mandate for maintaining the stability of the financial system, Bank of Jamaica maintains a keen interest in promoting sound corporate governance at DTIs and FHCs, as it is an essential element in the safe and sound functioning of each institution and may adversely affect its risk profile if it is not operating effectively. Sound and effective corporate governance practices may permit the Bank to place more reliance on the institution’s internal processes. Supervisory experience underscores the importance of having the appropriate levels of authority, responsibility, accountability, and checks and balances within each institution, not only at the level of the Board of Directors, but also of senior management, and within the risk, compliance, actuarial, and internal audit functions. Although each institution makes independent decisions regarding the nomination of Board members or appointment of senior management in the course of conducting its day-to-day business, the Bank should be notified immediately of any actual or potential changes to the membership of the Board and senior management, and any circumstances that may adversely affect the suitability of Board members and senior management. The quality of corporate governance practices is an important factor in maintaining the confidence of depositors and shareholders, as well as overall market confidence and financial stability. This Standard, therefore, reflects recommended best practices14 and specific areas of corporate governance (e.g., risk governance) that are especially important for DTIs and FHCs due to their unique nature and circumstances, and risks assumed relative to other corporations15 .

14 Corporate Governance Principles for Banks, 2015 (BCBS). 15 The cost of, and potential disruption from the failure of a financial institution may be significantly greater than that of a normal commercial enterprise – beyond the impact on its own depositors, shareholders, or other creditors. This is because the failure of one financial institution may result in the transmission of problems to other financial institutions through direct and indirect inter-linkages or as a result of loss of consumer confidence. By setting minimum standards, prudential regulation and supervision seeks to ensure that the risks of financial instability, and the wider costs to the economy of such instability, are adequately taken into account in the way in which financial institutions operate, including their corporate governance practices and arrangements.

| 16 4. The Board 14. The Board of Directors (the Board) is ultimately responsible for oversight of the sound and prudent management of that institution. The Board must have a charter that sets out the mandate, responsibilities and procedures of the Board and the Board sub-committees, including matters that are reserved for the Board’s decision. The role of a Board sub-committee is to support the Board. These committees are accountable to the Board, but should not relieve the Board of any of its responsibilities. 15. The Board is responsible for approving and overseeing the implementation of the institution's business plan, strategy, risk appetite and corporate values, whilst senior management holds responsibility for the ongoing and detailed operationalisation of the Board’s decisions. While the Board may delegate the day-to-day management of the institution to senior management, it is ultimately responsible for the safe and sound operation of the financial institution. This delegation of authority must be clearly articulated and documented. Importantly, the Board must have mechanisms in place for monitoring the exercise of delegated authority; it should not abrogate its responsibility for oversight of the functions delegated to senior management. 16. The Board must ensure that directors or members of the Board and senior management of the institution collectively have the full range of skills needed for the effective and prudent operation of the institution, and that all directors possess the skills that allow them to make effective contribution to Board deliberations and processes. The directors, individually and collectively, should have the necessary skills, knowledge and experience to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account its risk exposures. This does not preclude the Board from supplementing its skills and knowledge by engaging external consultants and experts. 4.1 Key Responsibilities of the Board16 17. In addition to the roles and responsibilities of the Board outlined in the BSA, the Board should discharge, at a minimum, the following essential duties in relation to the financial institution, either directly, or, where appropriate, through delegation to specialised board committees to enhance efficiency and enable more focused oversight in specific areas: i. approve the risk appetite framework, short-term and long-term business plan and strategy, and other initiatives, which could, singularly or cumulatively, have a material impact on the financial institution’s risk profile; ii. approve and oversee significant policies, plans and strategic initiatives related to its management or those that could materially impact the institution’s capital (e.g., internal capital targets, share issuance and buy-back) and liquidity;

16 See also Bank of Jamaica’s supervisory guidance on Corporate Governance: Board Oversight, December 2023.

| 17 iii. approve and oversee the appointment, performance, compensation/remuneration and succession plans of the Chief Executive Officer (CEO), control function heads and other members of senior management, such that the Board is satisfied with the fitness and propriety, and collective competence of senior management to effectively lead the operations of the institution; iv. oversee the design and operation of the institution’s remuneration system, ensuring the incentives are aligned with prudent risk-taking (See, for example, Principles for Sound Compensation Practices, Financial Stability Forum (FSF), April 2009; Financial Stability (FSB) Principles for Sound Compensation Practices-Implementation Standards, September 2009; and Compensation Principles and Standards Assessment Methodology, BCBS, January 2010); v. approve the mandate, resources and budgets for the control functions; vi. approve and oversee material commitments, including major capital expenditures, mergers, acquisitions and divestitures, intra-group and connected party exposures, and material outsourcing arrangements, including with related parties; vii. approve and oversee the implementation of the institution’s Risk Appetite Framework (RAF), including policies, procedures and processes for the identification, measurement, monitoring and control of both financial and non-financial risks, and periodically review whether these remain appropriate in the event of material changes in the size, nature, and complexity of the institution’s operations; viii. develop and promote a sound corporate culture (codes of ethics and conduct) within the institution, which reinforces ethical, prudent and professional behaviour and enables employees to alert the board and management in good faith to potential misconduct without the fear of retribution; ix. provide oversight to ensure that effective processes and procedures (to include an appropriate internal sanctioning framework) are developed and implemented to ensure compliance with all applicable laws, regulations, guidelines and standards issued by the BOJ; x. approve and oversee the integrity, independence and effectiveness of the institution’s policies and procedures for whistleblowing; xi. promote sustainability through appropriate environmental, social and governance (ESG) considerations in the institution’s business strategies; xii. provide oversight to ensure that their institutions’ operations, physical premises, people, information technology, and data and information systems are resilient and protected against threats; xiii. oversee the development and implementation of Information Technology (IT) Frameworks that, at a minimum, cover data confidentiality, data protection and privacy, information security, third-party connections, incident response and reporting; xiv. oversee and approve the recovery plans to restore the institution’s financial strength and stability during periods of stress, as well as business continuity plans to ensure the ability to maintain or preserve critical operations and services in order to operate on an ongoing basis and to limit losses in the event of severe business disruption;

| 18 xv. approve and oversee implementation of both internal and external audit plans, including audit fees and scope of external audit engagement; and xvi. promote timely and effective communication between the institution and the Bank on matters affecting or that may affect the entity's safety and soundness. 4.2 Composition of the Board 4.2.1 Criteria for Board Members 18. Each entity should establish a Board of Directors responsible for delivering effective leadership and oversight of the organisation. The Board should be comprised of individuals who are adept at making prudent decisions and implementing necessary changes in the institution's structure, business activities and operations, as directed by BOJ or dictated by macroeconomic conditions to ensure the institution's viability. In guiding this conclusion, an examination should be conducted of the person’s fitness and propriety17 coupled with his or her ability to commit sufficient time to perform duties, 19. When assessing whether a person meets the time commitment18 criterion for appointment to the Board, the institution should consider the following: a. the person’s other mandates; professional obligations (taking into account the nature, scale, complexity and location of other entities with which he/she is affiliated) or non-professional activities; voluntary work or political involvement to determine the overall time required to fulfil such commitments; and b. whether the person will be able to fulfil his/her duties effectively, particularly during periods of increased activity or stress. 20. The members of the Board and Board committees should be comprised of individuals who collectively reflect a balance of expertise, skills, experience, competencies and perspectives, taking into consideration the institution’s strategy, risk profile, culture and overall operations. Relevant financial industry and risk management expertise are key competencies for the Board. The Board must develop, document, and regularly review the criteria and skill sets required of its members, both individually and collectively. 21. The Board and Board committees should have adequate knowledge and understanding of the institution’s business, including its products, markets, strategy, risks, and regulatory obligations.

17 Refer to section 3 of the BSA. 18 In practical terms, time commitment refers to the individual’s ability to consistently attend Board and sub-committee meetings at the required frequency, as well as their availability and accessibility when urgent matters arise. The extent of this commitment may vary depending on the size, complexity and operational demands of the institution. All proposed board members, senior managers, independent control function personnel and key employees must have sufficient time to devote to the performance of their duties effectively, even during periods of increased activity.

| 19 This knowledge enables them to critically evaluate and challenge senior management’s decisions effectively. To maintain this capacity, the Board should include members with diverse expertise and provide regular training on industry developments and emerging risks. 22. To promote objectivity in decision-making by the Board, the actual and perceived objectivity of Board Members should be ensured. To that end, Board members should avoid personal ties or financial or business interests which conflict with those of the institution. Where a conflict or potential conflict develops, such conflicts should be managed and remedied19 . Documented procedures and policies should be in place to identify and address conflicts of interest, which could include disclosure of potential conflicts of interest, requirements for arm’s length transactions, abstention from voting and, where appropriate, prior approval by the Board or shareholders of professional positions or transactions. Moreover, when a conflict of interest is deemed material, mere disclosure is insufficient, bearing in mind the implications for fitness and propriety. In such cases, the board of a DTI or FHC must implement additional measures to effectively manage and remedy these conflicts20 . Additional measures may include recusal from decision-making processes, the engagement of a third party to oversee or validate decisions, periodic rotation of committee members, or the removal of the source of conflict. By taking proactive steps, the Board can safeguard the integrity of the institution and maintain trust among stakeholders, ensuring that decisions are made in the best interest of the institution and its clients, rather than being influenced by personal interests. 23. Importantly, board members should lead by setting the institution’s ethical tone and upholding their fiduciary responsibilities. These obligations are grounded in two fundamental duties: the duty of care and the duty of loyalty. 24. Duty of care requires that every Board member, key employee and senior manager of the institution shall, in exercising his/her powers and in discharging his/her duties, (a) act honestly and in good faith with a view to the best interests of the institution; and (b) exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. In determining what is in the best interest of the institution, each member of the Board, key employee and senior manager shall also have regard to the interests of the institution’s employees in general as well as to the interests of its shareholders, creditors, depositors and other key stakeholders. 25. The duty of loyalty should prevent individual Board members, key employees and senior managers from acting in their own interests or in the interest of another individual or group at the expense of the institution and its shareholders, creditors, and depositors. It should also prevent individual Board members, key employees and senior managers from engaging in transactions

19 Being mindful of the fact that pursuant to section 3 of the BSA, a conflict of interest is a basis for finding a person not fit and not proper. 20 Further reference is made to section 33 (d) of the BSA where approval of the Supervisor is required and is reserved for exceptional circumstances.

| 20 that might involve an appearance of conflict of interest and require them to deal with matters with transparency. 4.2.2 Size and Composition 26. Appointments to the Board, as well as its size and composition, must be consistent with legislative, regulatory, and supervisory requirements, the financial institution’s own by-laws, and the institution's size and complexity. The board's size and composition should enable effective deliberation while allowing individual directors to manage their workloads responsibly. Bank of Jamaica requires that the board of all DTIs and FHCs should, at a minimum: i. Comprise at least five (5) members, of which at least one-third should be independent directors, in accordance with Sections 32 and 34 of the BSA. 21 Licensees are reminded that this Standard will be followed by the issuance of Supervisory Rules, which will prescribe an increase in the minimum required proportion of independent directors from one-third to a fraction which allows the independent directors to constitute a majority. 22 , 23

ii. Separate the roles of Chairman and Executive Director (which may be the Chief Executive Officer), in accordance with Section 35(1) of the BSA 24 . Failure to ensure this separation is a breach of the BSA. 25 Separating the two positions helps preserve the Board's independence, contributes to achieving an appropriate balance of influence, increases accountability, and improves the Board’s capacity for decision-making and effective execution of its mandate. iii. Establish appropriate board sub-committees (refer to paragraphs 47-59 below) to provide advice and support, and assume responsibility for matters that require more detailed and frequent review.

21 The planned revisions of the BSA contemplate amendments relating to the minimum size and composition of the Board and Board Committees. An increase in the number of directors would allow for adequate representation of independent directors such that the Board and its sub-committees maintain the ability to exercise objective judgment independent of the views of the executives. 22 Section 34 of the BSA allows Supervisory Rules to prescribe “such other fraction” of independent directors to be appointed to the board of directors of a licensee. 23 We recommend that, in preparation for the issuance of Supervisory Rules that will increase the proportion of independent Board members, licensees consider increasing the minimum number of directors on their Boards. This measure is intended to strengthen governance structures by expanding the pool from which independent directors may be selected, thereby facilitating compliance with the forthcoming independence requirements. 24 Section 35(1) of the BSA states than an individual shall not hold the positions of Chairman of the Board and Executive Director contemporaneously. Subsection (1) shall not apply to the branch operations of a foreign bank in Jamaica. 25 It is punishable pursuant to the principles contained in section 109 of the BSA, read in conjunction with Part A of the Fifth Schedule (i.e., section 2(b)(i)).

| 21 4.2.3 Independent Directors 27. The BSA in section 2(1) defines an independent director of a licensee or company as a director who is not a) an employee, b) a person holding 5% or more of the shares of the licensee or company or a connected person in relation to the licensee or company, or c) a party to a significant economic or other relationship that, in the Supervisor's opinion, is inconsistent with that director being considered as independent of the licensee or company. International Standard￾Setting Bodies and Regulatory Authorities also provide specific definitions of an independent director, with the aim of promoting transparency, accountability, and effective governance. While definitions may vary across jurisdictions, some key principles are emphasised broadly to ensure that independent directors are free from conflicts of interest and are capable of providing unbiased oversight and challenge to management. 28. Independent directors must be able to make decisions based on objective judgment, without undue influence from management or major shareholders, having fulfilled the following criteria, which are widely accepted as international best practice:26 i. No Executive Role: Independent directors must not be involved in the day-to-day management of the institution. ii. Absence of Material Relationships: Independent directors must have no financial or personal relationships with the institution, its affiliates, or its senior management, other than board service or activities conducted in the ordinary course of business, that could compromise their impartiality. Such ordinary business may include, for example, maintaining a deposit account or holding shares below the five per centum threshold specified in the definition of “independent director” under Section 2(1) of the BSA. iii. No Conflicting Relationships: Independent directors should not have close personal or familial ties with key executives or other board members or significant business relationships, such as being a major customer, consultant, or holding executive roles in companies that have substantial business relationships with the institution, that could compromise independence. 29. Independent directors perform a pivotal role on the Board of Directors. They are expected to, at a minimum, carry out the following roles and responsibilities: a. Provide objective and unbiased perspectives during board discussions and decision-making; b. Chair Board sub-committees, such as Audit, Risk, Compliance and Remuneration; c. Meet separately on a periodic basis to ensure unbiased oversight, evaluate management, address sensitive issues, and strengthen governance; d. Provide unbiased challenge to decisions of management and the Board Chair; and

26 Corporate Governance Principles for Banks, Basel Committee on Banking Supervision (BCBS), July 2015; and G20/OECD Principles of Corporate Governance, June 2023;

| 22 e. Ensure the equitable treatment of shareholders and safeguard minority interests against abusive related party transactions. 27 30. DTIs and FHCs should ensure that there is clear documentation of the criteria used to determine whether an individual is to be appointed as an independent director is independent in character and judgement, and free from associations or circumstances that may impair the exercise of his/her independent judgement in keeping with the legal requirements contained in the BSA. Further, an independent director must immediately disclose to the Board any change in his/her circumstances that may affect his/her status as an independent director. In such a case, the Board must review the designation of his/her status as an independent director and immediately28 notify the BOJ, in writing, of any decision to change his/her designation or removal from the Board. 4.2.4 Directorship Limits 31. Boards must refrain from significant cross-directorships among entities within the financial group or with the financial holding company, which could create a conflict between the decisions that prioritise the institution’s safety and soundness and those of the financial group or other subsidiaries. Cross-directorships shall be considered significant where the number of directors serving concurrently on the board of a parent or subsidiary entity exceeds the following thresholds: a) In the case of a DTI that is a subsidiary of an FHC, the aggregate number of directors from the DTI and other subsidiaries within the group shall not exceed 30% of the total membership of the FHC board. b) The number of directors on the boards of entities within the financial group concurrently serving on the board of a DTI within the group shall not exceed 30% of that DTI's total Board membership. 32. These limitations are intended to preserve board independence and prevent undue influence or concentration of decision-making authorities across groups. Cross-directorships are not being prohibited; these restrictions apply only where the level of overlap exceeds the specified thresholds and may compromise the independence and effectiveness of board oversight.

27 For this purpose, the laws and the codes in most jurisdictions call for some board members to be independent of dominant shareholders. Additionally, certain regions mandate a specialized board approval process for related party transactions, often involving independent board members, auditors, or external experts. 28 For the avoidance of doubt, the Bank interprets immediately as within twenty-four hours.

| 23 4.3 Chairman of the Board 33. The Chairman of the Board carries significant responsibility for steering the Board’s activities and ensuring that the DTI or FHC meets its regulatory requirements. The Chairman provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members.29 This role demands that the Chairman possess not only the appropriate expertise and leadership qualities, but also adequate time to dedicate to the institution’s needs in the performance of his or her duties. The Chairman must meet Bank of Jamaica’s standards, which include a strong reputation, deep expertise in financial and regulatory matters, and the necessary skills, experience, and ethical principles to foster trust and effective collaboration among board members. Maintaining integrity in both personal and professional behaviour is essential for the Chairman to effectively lead the Board with accountability and responsibility. 34. The Chairman is expected to provide impartial oversight and a balanced approach to risk management while actively promoting adherence to global best practices. This commitment supports the Board’s alignment with risk frameworks, regulatory standards, and ethical principles, ultimately safeguarding the institution’s reputation and financial stability. 4.3.1 Corporate Secretary 35. The Board is often supported by a corporate secretary, whose role is crucial to effective governance. Corporate secretaries should serve as governance facilitators, ensuring that boards remain accountable, comply with legal frameworks, and make informed decisions. By acting as a communication bridge between the board, management, and stakeholders, they promote a transparent and ethical governance structure. 36. Moreover, corporate secretaries should play a key role in keeping boards informed about regulatory changes and evolving governance trends, enabling institutions to address challenges proactively. Their commitment to compliance and ethical practices not only reinforces the institution's integrity but also ensures alignment with international best practices in governance. 37. The Corporate Secretary should report directly to the Board of Directors and work closely with the Chairman and other board members to fulfil governance responsibilities. To fulfil the role effectively, the Corporate Secretary must operate with sufficient independence from management influence in governance matters to ensure unbiased advice and decision-making.

29 See the Basel Committee on Banking Supervision’s Guidelines – Corporate Governance Principles for Banks, 2015.

| 24 38. Key responsibilities of the Corporate Secretary include: i. Monitoring potential conflicts of interest among directors and executives, ensuring compliance with internal policies and regulatory requirements; ii. Collaborating with the Ethics Committee or such other committee in developing codes of ethics and conduct for the Board and senior management; and iii. Collaborating with the Risk Management and Audit Committees to align board decisions with institutional risk frameworks. 4.4 Appointment and Removal of Directors 39. DTIs and FHCs achieve effective corporate governance and management when led by individuals who are deemed fit and proper. When assessing the fitness and propriety of persons considered for appointment, the Board must conduct its assessment against the following criteria: competence and capability; probity, integrity and reputation; and financial integrity30 . Accordingly, all DTIs and FHCs are required to establish and implement robust due diligence policies and processes to guide the nomination and appointment of directors to ensure that these persons are and remain fit and proper. 40. The Board must establish a comprehensive process for appointing directors. Such a process must involve assessing candidates against the requirements for fitness and propriety outlined in section 3 of the BSA. Direct engagements between a candidate and the Board nominations committee should help facilitate the assessment of each candidate's proposed appointment to the Board. 41. The Board should establish policies and procedures to govern the resignations and removal of members from the Board. These policies must be based on the principles of transparency, objectivity and independence31 . At a minimum, the policies should establish: i. minimum notice required for resignations from the Board (taking into consideration the extent of the due diligence process that must precede appointments); ii. conditions for removal from the Board. These should include failure to satisfy the fit and proper criteria established by law, as well as failure to comply with the institution’s corporate governance standards (e.g., conviction of an offence involving dishonesty); and iii. requirement for BOJ to be immediately notified of removals/resignations, as well as the reasons for such actions32 .

30 Refer to section 3 of the BSA and Standard of Sound Practice on Fitness and Propriety; Bank of Jamaica, April 2024. 31 Refer to Companies Act (CA) 2004 Section 179, “Removal of Directors”; and Section 180, “Court Disqualified Directors”. 32 Refer section 39(1)(c) of the BSA.

| 25 4.5 Board Performance Assessment and Evaluation 42. The Board should regularly assess its practices and those of its sub-committees, and should pursue strategies to enhance its overall effectiveness. In this regard, the Board is expected to undertake a formal annual assessment of its performance33 and that of its committees and individual directors to ensure the maintenance of a balance of skills, knowledge and experience within the context of the nature of the institution’s operations/activities. 43. The Board should periodically conduct a skills and competency evaluation process that is integrated with the overall Board succession plans and the desired technical and behavioural competencies of the Board chair and chairs of the Board committees. 44. The Board should engage external consultants or experts, at least once every five years, to assist it in conducting the evaluation exercises described in paragraphs 42 and 43. 4.6 Board Meetings 45. The Board's ability to act independently of senior management can be demonstrated through practices such as regularly scheduled Board and Board committee meetings that include sessions without senior management present. The frequency of Board meetings should depend on circumstances such as the nature and size of the institution’s operations, governance structure (e.g. the number of Board sub-committees and their respective mandate, and frequency of meetings held), risk profile, as well as the current internal and external environment and its impact on its operations. The BOJ recommends that, at a minimum, all deposit-taking institutions hold full board meetings at least quarterly, distinct from the more frequent meetings of various Board sub-committees. Additionally, it is expected that the Board will convene more often if risk conditions demand it, ensuring that the institution can respond proactively to emerging challenges. This flexibility allows the Board to maintain effective oversight and governance in a dynamic financial landscape. 46. The minutes of each meeting of the Board should be well documented. The minutes should provide: a. an accurate and adequate record of Board deliberations, reflecting the issues discussed and the conclusions/decisions made; b. a list of directors in attendance at each meeting; and c. an appropriate record of the material contribution of each member of the Board, and any significant concerns or dissenting views. The minutes must indicate whether any director abstained from voting or excused himself/herself from deliberating on a particular matter.34

33 Refer to Appendix 2 for the BOJ’s recommended Board Performance and Assessment Guide. 34 The BSA places an obligation on board members to make sound decisions (Section 36 - Duty of Care). Each board member's contributions should be documented to ensure that there is a record of his/her involvement in fulfilling this obligation.

| 26 The minutes of the meetings of the Board, as well as proper records of Board papers/submissions, should be appropriately signed and made available to the BOJ examiners for review upon request. 4.7 Board Committees 47. To support the effective discharge of the responsibilities of the Board, the Board should assess whether the establishment of committees of the Board is appropriate and will serve to maximise the effectiveness of the governance framework. At a minimum, the Board should establish audit, risk management, and corporate governance committees. Other committees that a Board may establish include compliance, remuneration, and nominations 35 . The number, size, composition, and type of each committee should be in accordance with the institution’s size, complexity, and business model. 48. Where committees are appointed, they should have clearly defined mandates, working procedures (including reporting to the Board), authority to carry out their respective functions, and a degree of independence and objectivity as appropriate to the role of the committee. The Board should consider periodic rotation of its members and committee chairs, as well as tenure limits for committee service, in order to avoid undue concentration of power and to promote fresh perspectives. The Board should ensure that there are no material conflicts of interest arising from directors serving on multiple committees. 49. The size and composition of each Board committee established must: i. have at least three directors; ii. a majority of independent directors;36 iii. be chaired by an independent director; and iv. comprise directors who have the skills, knowledge and expertise relevant to the responsibilities of the board committee. 50. With the exception of the Board Nominations Committee (or combined Nominations and Remuneration Committee), it is not recommended that Board committees have an executive director37 in its membership. 51. The Board is fully accountable for any authority delegated to the Board committees.

35 A financial institution may combine its Board Nominations Committee and Board Remuneration Committee. If the functions of any committees are combined, the Board should ensure such a combination does not compromise the integrity and/or effectiveness of the functions combined. Where the Board chooses not to establish a Remuneration Committee, the Board should establish and document policies and procedures to discharge its duties and responsibilities effectively in the absence of a Remuneration Committee. The Board must also ensure that a formal process is in place to review the framework for remuneration plans, processes and outcomes at least annually. 36 See the BCBS Corporate Governance Principles for Banks, 2015. It is recommended that Board committees, such as the Risk Committee, include a majority of members who are independent. 37 An Executive Director is a member of the board who also has management responsibilities within the financial institution.

| 27 52. The Board must ensure that the mandate and operating procedures for each Board committee are set out in the Board charter and clearly– i. delineate the areas of authority delegated to the Board committee; and ii. define reporting arrangements for keeping the Board informed of the work of the committee, key deliberations, and decisions on delegated matters. 4.7.1 Audit Committee 53. Bank of Jamaica recommends that DTIs and FHCs establish a permanent, independent internal audit function proportionate to the size and nature of the entity's operations, that is, an Audit Committee38 . This requirement ensures that the internal audit function can effectively assess and enhance the governance, risk management, and control processes of the institution. 54. The responsibilities of the Audit Committee should include the following: i. support the Board in ensuring a reliable and transparent financial reporting process within the institution. ii. approve the institution’s audit plans (internal and external). Audit plans should be risk￾based and address all the relevant activities over a minimum 5-year cycle. Where part or all of the internal audit function is outsourced, the Audit Committee should still be responsible for overseeing the performance of the institution’s internal audit function as a whole. iii. oversee the effectiveness of the internal audit function of the entity. At a minimum, this must include– a. reviewing and approving the scope, policies and frequency of audits; b. reviewing key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non￾compliance with laws, regulatory requirements, policies and other matters identified by the internal audit and other control functions; and c. noting significant disagreements between the chief internal auditor and the rest of the senior management team, irrespective of whether these have been resolved, in order to identify any actual or potential impact the disagreements may have on the audit process or findings. iv. foster a quality external audit of the institution by exercising oversight over the external auditor. At a minimum, this must include– a. making recommendations to the Board on the appointment, removal and remuneration of the external auditor. It is important to note that the Audit Committee, not senior management, should recommend to the shareholders the appointment and removal of the external auditor. It should also recommend for approval by the Board the engagement letter and remuneration of the external auditor;

38 Please be reminded of the external audit requirements contained in the BSA.

| 28 b. monitoring and assessing the independence of the external auditor, including approving the provision of non-audit services by the external auditor; c. monitoring and assessing the effectiveness of the external audit, including meeting with the external auditor without the presence of senior management at least annually. d. reporting annually to the Board on the effectiveness of the external auditor; e. maintaining regular, timely, open and honest communication with the external auditor, and requiring the external auditor to report to the Board Audit Committee on significant matters; and f. ensuring that senior management is taking necessary corrective actions in a timely manner to address supervisory and external audit findings and recommendations. v. review and update the Board on all related party transactions, where there is no Board Conduct Review Committee. vi. discuss with senior management and the external auditor the overall results of any audit conducted, the annual and quarterly financial statements and related documents, the audit report, the quality of the financial statements and any related concerns raised by the external auditor. The Audit Committee should be satisfied that the financial statements present fairly the financial position, the results of operations and the cash flows of the institution. vii. meet with the Chief Internal Auditor and the Appointed (or Consulting) Actuary to discuss the effectiveness of the institution's internal controls and the adequacy of practices for reporting and determining financial reserves. viii. review the accuracy and adequacy of the Chairman’s statement in the directors’ report, corporate governance disclosures, interim financial reports and preliminary announcements in relation to the preparation of financial statements. ix. monitor compliance with the Board’s conflicts of interest policy. x. meet with the External Auditor, the Chief Internal Auditor and heads of other control functions, as appropriate, with and without the CEO or other members of senior management present. xi. evaluate and approve internal control policies for the institution, and review third-party findings and recommendations on the design and effectiveness of the institution’s internal control and enterprise risk management frameworks. 4.7.2 Risk Committee 55. The Board should establish an independent Risk Committee that comprises members who have expertise in risk management issues and practices to oversee risk management on an enterprise￾wide basis. For small, less complex institutions, in place of establishing a separate Risk Committee, the Board should be satisfied that it has the collective skills, time and information (i.e., appropriate reporting) to provide effective oversight of risk management on an enterprise￾wide basis.

| 29 56. Guided by the institution’s Risk Appetite Framework, the Risk Committee should have an understanding of the types of risks to which the institution may be exposed, and the techniques and systems used to identify, measure, monitor, report on and mitigate those risks. As part of its duty to oversee the risk management of the institution, the Risk Committee should seek assurances from the Chief Risk Officer (CRO), or equivalent, that the risk management function of the institution is independent from operational management and business lines, is adequately resourced, and has appropriate status and visibility throughout the organization. 57. The Risk Committee should receive timely and accurate reports from the CRO or equivalent officer and other relevant functions on the institution's significant risks and exposures relative to the institution’s risk appetite (including approved risk limits). The Risk Committee should be satisfied with the manner in which material exceptions to risk policies and controls are identified, measured, monitored, reported, and controlled, as well as how exceptions/breaches are addressed. 58. Where established, the Risk Committee should at least: i. provide input on material changes to the institution’s strategy and corresponding risk appetite; ii. advise and support the management body in its supervisory function regarding the monitoring of the institution’s risk appetite and strategy, taking into account all types of risks, to ensure that they are in line with the business strategy, objectives, corporate culture and values of the institution; iii. oversee and monitor the implementation of the institution’s risk appetite (and corresponding limits) and strategy, taking into account all types of risks, to ensure that they are in line with the business strategy, objectives, corporate culture and values of the institution; iv. oversee the implementation of the strategies for capital and liquidity management as well as for all other relevant risks of the institution, such as market, credit, operational (including legal, cyber, and IT risks), actuarial and reputational risks, to ensure they are consistent with the stated risk appetite; v. provide recommendations on necessary adjustments to the risk strategy resulting from, inter alia, changes in the business model of the institution, market developments or recommendations made by the risk management function; vi. provide advice on the appointment of external consultants that senior management may decide to engage for advice or support; vii. review and provide advice on possible scenarios, including stressed scenarios, to assess how the institution’s risk profile would react to external and internal events; viii. collaborate with other Board committees whose activities may have an impact on the strategy and operations of the institution, and regularly communicate with the heads of the institution’s internal control functions, in particular, the risk management function; ix. oversee the alignment between all material financial products and services offered to clients and the business model and risk strategy of the institution, including assessment of the risks associated with the offered financial products and services and take into account the

| 30 alignment between the prices assigned to and the profits gained from those products and services; and x. assess the recommendations of internal or external auditors and follow up on the appropriate implementation of measures taken. 59. Appendix 1 summarises minimum expectations regarding the responsibilities of other Board committees. Given the advancement in international best practices relating to the governance of DTIs and FHCs, each institution is strongly encouraged to establish a Risk Committee in addition to the Audit Committee, especially in circumstances where the size and complexity of the institution’s operation warrant its establishment. 4.8 The Board’s Relationship with and Oversight of Senior Management 60. Senior management is a subset of “manager” as defined in section 2(1) of the BSA, and speaks to senior roles in the DTI or FHC responsible for managing the entity on a day-to-day basis in accordance with strategies, policies and procedures approved by the Board. These roles include the Chief Executive Officer (CEO), heads of control functions, such as the Chief Financial Officer (CFO), Chief Risk Officer (CRO)39, Chief Compliance Officer (CCO), Chief Internal Auditor (CIA), Chief Information Security Officer (CISO)40 , and Chief Actuary (CA), as well as the heads of major business units. 61. Pursuant to section 37 of the BSA, the licensee has an ongoing duty to ensure the fitness and propriety of each substantial shareholder, director and key employee. As such, the Board must ensure that each member of senior management, including heads of control functions, is and continues to be fit and proper and that senior management, individually and collectively, has the full range of skills needed for the effective and prudent operation of the institution. 62. Senior management of a locally incorporated deposit-taking institution must ordinarily reside in Jamaica or relocate to Jamaica for the duration of their tenure. This ensures that key decision￾makers are physically present and accessible while serving in their roles. The Board and/or senior management must be available to meet with the BOJ on request. 63. The Board should immediately advise the BOJ of all proposed appointments to the senior management team, and also advise of all resignations and removals, with details of the reasons for such action41 .

39 This includes an individual who may be performing the functions typically assigned to a Chief Risk Officer though he/she has not been designated with the title of Chief Risk Officer. 40 The CISO should be primarily responsible for enterprise-wide oversight and management of cyber risk and timely reporting of breaches of the institution’s cyber-risk management architecture. 41 On this point, please be reminded of the provisions of section 39 of the BSA.

| 31 64. Senior Management is responsible for implementing the Board's decisions and directing the operations of the institution within the authority delegated to them by the Board, and in compliance with applicable laws and regulations. The Board should clearly articulate and document what it delegates to senior management and the limitations and accountabilities associated with matters that are delegated, including matters reserved to the Board. A clear mandate for senior management that outlines its accountabilities and responsibilities should also be established. 65. The Board must develop and establish appropriate protocols and channels for reporting, including the exercise of judgement in escalating matters of particular significance, even if within the delegated mandate to senior management. The Board, and particularly the non-executive directors, should hold senior management to account against the matters delegated and be able to challenge senior management effectively and promptly. 66. The Board should understand the decisions, plans and policies being implemented by senior management and their potential impact on the institution. The Board should be satisfied that the decisions and actions of senior management are consistent with the Board-approved business plan, strategy and RAF of the institution and that the corresponding internal controls are sound and effective. 67. The Board is expected to provide advice, guidance, and feedback to senior management, as appropriate, on the following: (i) operational and business policies; (ii) performance of the institution relative to the Board-approved business plan and strategy; and (iii) effectiveness of the Risk Appetite Framework, the control functions, and significant policies and plans related to management of capital and liquidity. 68. In order to fulfil its responsibilities, the Board relies on senior management to provide sound advice on the organizational objectives, plans, strategy, structure and significant policies of the institution. To manage risks effectively, the Board and senior management must understand the risks associated with the institution's business model, including each business line and product, and how they relate to the institution's strategy and Risk Appetite Framework. 69. Senior management is expected to provide material information and recommendations to the Board in a manner that enables the Board to focus on key issues and make informed decisions in a timely manner. 70. Key Responsibilities of Senior Management include: i. implementing the business plan, strategy, RAF, remuneration and other policies approved by the Board, and in accordance with directions given by the Board; ii. establishing a management structure that promotes accountability and transparency throughout the institution’s operations, and preserves the effectiveness and independence of control functions;

| 32 iii. promoting, together with the Board, a sound corporate culture within the institution which reinforces ethical, prudent and professional behaviour; iv. addressing actual or suspected breaches of regulatory requirements or internal policies in a timely and appropriate manner; v. ensuring informed decision-making while exercising the duty of care and duty of loyalty, prioritizing the institution’s interests over personal gains; and vi. providing relevant, accurate and timely information to the Board in order to facilitate the Board’s oversight responsibilities, particularly on matters relating to: (i) the performance, financial condition and operating environment of the institution; (ii) internal control failures, including breaches of risk limits; and (iii) legal and regulatory obligations, including supervisory concerns and recommendations and the remedial actions taken to address them. 71. In order to provide effective oversight of senior management, the Board should: i. ensure that there are adequate policies and processes relating to the appointment, dismissal and succession of senior management, and be actively involved in such processes; ii. ensure that senior management’s knowledge and expertise remain appropriate given the nature of the institution’s business operations and risk profile; iii. monitor whether senior management is managing the affairs of the institution in accordance with the strategies and policies set by the Board, and the institution’s risk appetite, corporate values and corporate culture; iv. set appropriate performance and remuneration standards for senior management consistent with the long-term strategy and the financial soundness of the institution, and monitor whether senior management is meeting the performance goals set by the Board; v. regularly meet with the senior management to discuss and critically review the decisions made, information provided and any explanations given by senior management relating to the business and operations of the institution; and vi. interact regularly with senior management as well as with other key functions, and proactively request information from them and challenge that information when necessary.

| 33 5. Group Governance 72. Within a group of companies, there can be more than one regulated entity. Effective corporate governance at the levels of parent company and subsidiaries is essential, and may help to mitigate the associated risks of carrying on businesses in complex financial conglomerates or group structures. Complex structures involving a large number of regulated and unregulated legal entities can exacerbate group-wide risks, including risks arising from operational interdependencies, intra-group exposures, and reputational associations, including step-in risk42 . 73. In a group structure, the Board of the parent company has overall responsibility for establishing and operating a corporate governance framework appropriate for the structure, business, and risks of the group and its entities. The parent company may be a regulated financial institution or a financial holding company established under the BSA, and may or may not have cross-border subsidiaries. 74. A comprehensive and consistent group-wide corporate governance framework should be designed to promote the following processes and practices: i. effective assessment and consistent management of risks across the financial group; ii. timely reporting to the FHC to ensure a good overview of risks across the financial group; iii. availability of adequate aggregated information about all risks at the FHC; iv. timely reaction to risks at the FHC and subsidiary levels; v. due consideration and incorporation of local circumstances and requirements at the FHC; and vi. adequate communication of the risk management approach within the financial group43 . 75. The Board and senior management of the FHC should promote risk awareness and encourage open communication and discussion about risk-taking across the financial group and its regulated entities by: i. setting clear reporting requirements to report locally identified risks (including compliance risks) in a timely and comprehensive manner at the FHC; ii. providing for a Chief Risk Officer or other person at the DTI, who is responsible for regularly reporting to the CRO at the FHC; iii. providing for, on an ongoing basis, the reporting by control functions at the DTI to control functions at the FHC in order to make it possible for the FHC to identify risks emerging at the DTI in a timely manner; and

42 “Step-in risk” is the risk that the regulated entity decides to provide financial support to an unconsolidated entity that is facing stress, in the absence of, or in excess of, any contractual obligations to provide such support. The main reason for step-in risk might be to avoid the reputational risk that the institution might suffer were it not to provide support to an entity facing a stress situation. The financial crisis in 2007/08 provided evidence that a bank might have incentives beyond contractual obligation or equity ties to “step in” to support unconsolidated entities to which it is connected. If step-in risk is related to reputational risk, it is distinct from operational risk. Operational risk is considered separately within the Basel framework, and its definition explicitly excludes reputational risk (See “Identification and Management of Step-in Risk”; BCBS, 2017) 43 IAIS Issues Paper on Approaches to Group Corporate Governance, Impact on control functions, Oct. 2014 (para 51 b-g).

| 34 iv. assessing the representation of risk officers at the FHC level at risk committees of the DTI to contribute to effective communication of the group risk approach to entities. 76. The DTI's Board and senior management should ensure that the group structure does not undermine its ability to effectively oversee the activities of the subsidiary-regulated institution and enterprise-wide oversight responsibilities applicable to the institution. This must be supported by a sound understanding of risks associated with the financial group structure and an evaluation of whether group controls and policies are adequate to address those risks. 77. As part of the governance framework, and regardless of whether a more centralised or more decentralised approach is used, FHCs should have effective group control functions. 44 Financial groups of varying size and complexity will have control functions of different levels of sophistication. The Board should periodically assess the appropriateness and effectiveness of the FHC control functions, including key persons in control functions. This assessment can be performed by the Board or an appropriate committee delegated by the Board. 78. When implementing governance policies, the Board of the FHC should ensure that robust governance arrangements are in place for each subsidiary and consider specific arrangements, processes and mechanisms where business activities are organised not in separate legal entities, but within a matrix of business lines that encompass multiple legal entities. 79. The Board of the FHC must establish a clearly defined process for approving the establishment of new legal entities and/or modifications to the financial group’s corporate structure, which may result in the establishment of potentially complex structures. Institutions should consider in their decision-making the results of a risk assessment performed to ensure that any changes to the financial group’s corporate structure fulfill a legitimate business purpose and its associated risks are understood and managed, and whether the structure poses obstacles to effective supervision by Bank of Jamaica or conceals the identity of the ultimate beneficial owner(s). 80. Independent directors serving on the Board of the parent company or its subsidiaries may also sit as independent directors on the Board of the regulated institution, subject to restrictions on significant cross-directorships. These restrictions should take into account the nature and extent of such appointments across the group, including between the ultimate parent or holding company and other group entities. Each Board should remain sufficiently independent in order to avoid significant overlap in membership that could result in a “mirror board” structure, which may compromise the independence of objective decision-making.

44 The Chief Risk Officer (CRO) role may be combined across entities; however, it must be adequately resourced to ensure effective execution of responsibilities at the required standard. Sufficient coverage must be maintained to address the risk management needs of both the FHC and the DTI.

| 35 5.1 Parent Company Boards 81. In order to fulfil its responsibilities, the Board of the financial holding company must: i. ensure that the financial group’s corporate governance framework, including the establishment of appropriate Board committees, clearly defines roles and responsibilities for the oversight and implementation of group-wide policies, and that the framework addresses risk management across the businesses and legal entities; ii. ensure that the differences in the operating environment, including the legal and regulatory regime for each jurisdiction in which the group has a presence, are properly understood and reflected in the group governance framework; iii. have in place reporting arrangements that promote the understanding and management of material risks and developments that may affect the parent company and its subsidiaries; iv. ensure that the financial group’s risk management frameworks address risks across the group, including those arising from intra-group transactions; v. ensure that there are adequate resources to effectively monitor compliance of the FHC and its subsidiaries with all applicable legal and regulatory requirements; and vi. establish an effective internal audit function that ensures audits are being performed at the FHC and across all its subsidiaries and affiliated companies. 5.2 Subsidiary Boards45 82. A deposit-taking institution must discharge its own legal and governance responsibilities as a separate entity, even if it is a subsidiary of another financial institution, financial holding company or a foreign entity which is subject to prudential regulation. Subsidiary boards must be capable of acting in the best interests of their depositors, shareholders, and creditors, while safeguarding the safety and soundness of the institution for which they are responsible. 83. It is not good practice for key positions on the subsidiary boards of DTIs, such as the Chairman, Chair of key board sub-committees, CEO or finance director, to be occupied by executive directors of the group or parent board. This does not prevent group executive and non-executive directors from sitting on the subsidiary board as non-executive directors, so long as the overall independent balance of the Board is satisfactory. It also does not preclude independent group non-executive directors from chairing the Board of the subsidiary or its sub-committees. 84. Where a deposit-taking institution is part of an FHC, and is asked or required to adopt and/or utilize group policies or functions, the Board of the DTI must approve the use of group policies and functions and ensure that these policies and functions are appropriate for the institution's business plan, strategy and risk appetite, and comply with specific regulatory requirements. Accordingly, the Board and senior management of the DTI Board must:

45 This applies to locally incorporated financial institution subsidiaries with either a local or foreign financial institution as a parent.

| 36 i. ensure that the objectives, strategies, plans, governance framework and other policies set at the FHC level are fully consistent with the regulatory obligations and the prudential management of the DTI and ensure that entity-specific risks are adequately addressed in the implementation of group-wide policies; ii. ensure timely engagement with the BOJ on strategic and regulatory developments at the FHC that may significantly impact the local operations of the DTI; and iii. should take such further steps as are necessary to ensure that the DTI meets its own corporate governance responsibilities and the legal, regulatory and supervisory requirements that apply to it, in the event that a regulated subsidiary is significant due to its systemic importance or size relative to the parent company’s overall operation. 5.3 Outsourcing 85. Deposit-taking institutions within a group may outsource control functions to either third parties or to other financial or non-financial legal entities within the financial group. This latter form of outsourcing, referred to as “insourcing,” can apply downstream (e.g., with group-wide control functions conducted at entities within the group) or upstream (i.e., with control functions conducted by the group control function)46 . 86. The Board of the DTI is required to retain at least the same degree of oversight of, and is accountable for, any outsourced material activity or function (such as a control function) as applies to non-outsourced activities or functions. Even if the relevant tasks of a control function can be outsourced, the ultimate responsibility for those control functions continues to reside with the group or Board of each institution within the group.

46 Please be mindful of the actions requiring notification and or the approval of the Supervisor/ Supervisory Committee as contained in the BSA. For example, section 39(5).

| 37 6. Governance and Risk Management 87. Following the global financial crisis (GFC), several international bodies, including the OECD and BCBS have engaged in reforms to strengthen governance and risk management standards. These reforms emphasize the Board’s responsibility for the strategy and enterprise-wide risk management and conduct of their institutions47 . The control functions are expected to provide objective assessments to the Board to allow the directors to fulfil their responsibilities. The Board, with the support of senior management, should regularly assess the effectiveness of the control functions. 88. Key responsibilities of the control functions include: (i) identifying, measuring, and reporting on the institution’s risk exposures; (ii) assessing and reporting on the effectiveness of the institution’s risk management and internal controls; and (iii) determining whether the institution’s operations, results and risk exposures are consistent with the Board-approved risk appetite. 89. The heads of the control functions should: (i) have sufficient stature, and authority within the institution; (ii) be independent from the business lines48; and (iii) have unfettered access and a functional reporting line to the Board or the appropriate Board committee. The Board should ensure that the control functions (such as risk management, compliance, actuarial and internal audit49) are adequately staffed with individuals with appropriate experience and qualifications to undertake their respective responsibilities objectively and effectively. 90. As part of the overall corporate governance framework and in furtherance of the safe and sound operation of the financial institution, and protection of depositors and shareholders, the Board is ultimately responsible for ensuring that the institution has in place effective systems of risk management50 and internal controls to address the key risks it faces and for the key legal and regulatory obligations to which it is subject. Senior management is required to implement these systems and provide the necessary resources and support for these functions. 91. The systems and functions established to support the institution’s Risk Appetite Framework should be adequate and aligned with the institution’s objectives, strategy, risk profile, and applicable legal and regulatory requirements. They should be adapted as the institution’s business model, and internal and external circumstances change. Business model analysis has

47 Supervision of corporate governance was introduced as a separate core principle in the BCP in 2012, incorporating lessons from the GFC. Refer to BCBS Core Principles (CPs 14 and 15) for Effective Banking Supervision, and the “Corporate Governance Principles for Banks”; BCBS, 2015. 48 The business lines, as the first line of defence, take risks and are responsible for their operational management directly and on a permanent basis. For that purpose, business lines should have appropriate processes and controls in place that aim to ensure that risks are identified, analyzed, measured, monitored, managed, reported and kept within the limits of the institution’s risk appetite and that the business activities are in compliance with external and internal requirements. 49 In the case of institutions within a corporate structure, some control functions may be outsourced to other financial institutions within the group or the parent company. Where deposit-taking institutions are considered small and non-complex, and do not have the capacity to establish a separate risk management function, it may be combined with the compliance function or outsourced to an affiliated financial institution or undertaken by the parent Financial Holding Company within the corporate group. 50 Risk management systems and practices will differ, depending on the size and complexity of the institution’s operation and business model, and the nature of its risk exposures.

| 38 become integral to supervisory frameworks in many jurisdictions, including Jamaica, to support the early identification of vulnerabilities and the supervisory dialogue on the sustainability of financial institutions. 92. The institution’s business model and strategy should be supported by a well-articulated and measurable statement of risk appetite, which is approved by the Board, and used by the Board to monitor and control actual and prospective risks, and to inform key business decisions. The Board and its relevant sub-committees should exercise effective oversight of risk management and controls, supported with meaningful and well-targeted management information used to inform Board discussions. 93. It is the responsibility of the Board to ensure that the effectiveness of the risk management framework is kept actively under review, that it remains aligned with the institution’s risk appetite, and that the Board has the management information it needs. The risk management framework should enable the institution to make fully informed decisions on risk-taking. The risk management framework should: i. include policies and procedures for identifying, measuring, monitoring and reporting on the risks of the institution on an enterprise-wide and disaggregated level, independently of the business lines or operational management; ii. include policies, procedures, risk limits and risk controls ensuring adequate, timely and continuous identification, measurement or assessment, monitoring, management, mitigation and reporting of the risks at the business line, institution and consolidated or sub￾consolidated levels; iii. provide specific guidance on the implementation of the business model and strategy – the guidance should, where appropriate, establish and maintain internal limits consistent with the institution’s risk appetite and commensurate with its sound operation, financial strength, capital base and strategic goal; and iv. be subject to independent internal review, e.g., performed by the internal audit function, and reassessed regularly against the institution’s risk appetite, taking into account information from the risk management function and, where established, the risk committee should consider factors such as internal and external developments, including balance-sheet and revenue changes; any increase in the complexity of the institution's business, risk profile or operating structure; geographic expansion; mergers and acquisitions; and the introduction of new products or business lines. 94. Where the Board has established dedicated risk and audit committees, the chairs of these committees will be deemed responsible for safeguarding the independence, and overseeing the

| 39 performance of the institution’s risk management function51 and internal audit function52 , respectively, including the Chief Risk Officer and Head of Internal Audit. The institution should have a senior officer (CRO or equivalent)53 as the head of the institution's risk management function with responsibility for the oversight of all risks across the institution. The Board also needs to ensure that it has robust arrangements for oversight of other control functions, such as compliance54 . 95. The CRO and risk management function should not be directly involved in revenue generation or the management and financial performance of any business line or product of the institution. Additionally, the CRO's compensation should not be linked to the performance (e.g., revenue generation) of specific business lines of the institution. While the CRO and the risk management function should influence the institution’s risk-taking activities (e.g., to ensure that the institution’s strategy or business initiative is operating within the approved risk appetite), the ongoing assessment of risk-taking activities by the CRO and risk management function should remain objective. 96. The CRO should provide regular reports to the Board, the Risk Committee and Senior Management in a manner and format that allows them to understand the risks being assumed by the institution. The CRO should provide an objective view to the Risk Committee or the Board, as appropriate, on whether the institution is operating within the Risk Appetite Framework. The CRO should have unfettered access and a functional reporting line to the Board or the Risk Committee, and should meet with the Risk Committee or the Board on a regular basis, with and without the CEO or other members of senior management present.

51 The risk management function facilitates the implementation of a sound risk management framework throughout the institution and has responsibility for further identifying, monitoring, analyzing, measuring, managing and reporting on risks and forming a holistic view on all risks on an individual and consolidated basis. It challenges and assists in the implementation of risk management measures by the business lines in order to ensure that the process and controls in place at the first line of defence are properly designed and effective. 52 The independent internal audit function, as the third line of defence, conducts risk-based and general audits and reviews the internal governance arrangements, processes and mechanisms to ascertain that they are sound and effective, implemented and consistently applied. The internal audit function is expected to conduct independent reviews of the first two lines of defence. The internal audit function must perform its tasks fully independently of the other lines of defence and audited activities, and should therefore not be combined with other functions. 53 For small, less complex institutions, the CRO role can be held by another executive of the institution (i.e., the executive has dual roles). Some institutions may not have a CRO position per se, but nonetheless can clearly identify an individual within the institution that is accountable to the Board and Senior Management for the same functions. In these cases, the dual role must not compromise the independence required of the CRO. 54 The compliance function monitors compliance with legal and regulatory requirements and internal policies, provides advice on compliance to the management body and other relevant staff, and establishes policies and processes to manage compliance risks and to ensure compliance. The compliance function along with the risk management function form the second line of defence.

| 40 7. Risk Culture and Business Conduct 7.1 Risk Culture 97. Culture55 can influence sound decision-making, prudent risk-taking and effective risk management, which can materially support or weaken the resilience of the institution. In light of the impact that culture can have on the safety and soundness of deposit-taking institutions and financial holding companies and confidence in the broader financial system, the BOJ expects them to: a. define a desired culture and continuously develop and improve the culture to support their purpose, strategy, effective management of risks, and resilience; and, b. continuously evaluate and respond to behaviour risks that can affect the institution’s overall safety and soundness. 98. All DTIs and FHCs should develop and implement an integrated and institution-wide risk culture56, based on a full understanding and holistic view of the risks they face and how they are managed, taking into account the institution’s risk appetite. A strong risk culture should include, but is not necessarily limited to: i. Tone from the top: The Board and senior management are responsible for setting and communicating the institution’s core values and expectations, and their behaviour should reflect the values being espoused. Members of senior management, including heads of control functions, should contribute to the internal communication of core values and expectations to staff. Staff should act in accordance with all applicable laws and regulations and promptly escalate observed non-compliance within or outside the institution (e.g. to the Bank of Jamaica through a whistleblowing process). The Board should, on an ongoing basis, promote, monitor and assess the risk culture of the institution; consider the impact of the risk culture on the financial stability, risk profile and robust governance of the institution; and make changes where necessary. ii. Accountability: Relevant staff at all levels should know and understand the institution's core values and, to the extent necessary for their role, its risk appetite and risk capacity. They should be capable of performing their roles and be aware that they will be held accountable for their actions in relation to the institution’s risk-taking behaviour. iii. Effective communication and challenge: A sound risk culture should promote an environment of open communication and effective challenge in which decision-making processes encourage a broad range of views, allow for testing of current practices, stimulate a constructive critical attitude among staff, and promote an environment of open and constructive engagement throughout the entire organization.

55 ‘Culture’ refers to the commonly held values, mindsets, beliefs and assumptions that guide both what is important and how people should behave in an organization. 56 ‘Risk culture’ refers to a subset of culture that specifically refers to the commonly held values, attitudes and beliefs about risks and risk-taking within the financial institution. This Standard focusses on an institution’s culture more broadly, which encompasses risk culture but is not limited to that scope.

| 41 iv. Incentives: Appropriate incentives should play a key role in aligning risk-taking behaviour with the institution’s risk appetite and risk capacity. The compensation policies approved by the Board must prioritize the long-term interest of the institution and should be consistent with the institution’s risk appetite, and must not incentivize excessive risk-taking and imprudent practices57 . In relation to the control functions, it is important that the Board routinely review their compensation packages to ensure that they are aligned with their effectiveness in exercising their duties and achieving their objectives, and are not dependent on the performance of any business line. 7.2 Corporate Values and Code of Conduct 99. The Board and senior management should develop, adhere to and actively promote high ethical and professional standards, taking into account the specific needs and characteristics of the institution, and should ensure the implementation of such standards (through a code of conduct or ethics)58 . The code of ethics should provide guidance on appropriate conduct and address issues of confidentiality, conflicts of interest, integrity in reporting, and the fair treatment of customers. The DTI or FHC must maintain a record of breaches of the code of ethics and address such breaches in a manner that upholds high standards of integrity. 100. The Board of the institution should establish a whistleblowing policy59 that sets out a framework to facilitate the receipt, investigation and handling of disclosures of improper conduct. Individuals and staff members must be able to raise concerns about illegal, unethical or questionable practices in confidence, and without the risk of reprisal. To this end, the Board and senior management must: i. clearly indicate the parties to whom such concerns can be escalated within the institution; ii. ensure that individuals are made aware of other avenues for whistleblowing to regulators or law enforcement agencies; iii. communicate the whistleblowing policy to third parties such as contractors, and consultants and allow them to report their concerns; and iv. be responsible for the effective implementation of the policy60 .

57 See, for example, Principles for Sound Compensation Practices, Financial Stability Forum (FSF). 58 In establishing the code of ethics, a DTI or FHC institution should consider established professional and ethical standards recommended by local and international standard-setting bodies. 59 Please be reminded of the legal obligations found in the Protected Disclosures Act, 2011. 60 This includes evaluating periodic reports that monitor and assess how concerns are escalated and dealt with, and overseeing periodic reviews of the effectiveness of the whistleblowing policy.

| 42 7.3 Conflict of Interest 101. The Board is responsible for approving and overseeing the implementation and maintenance of effective policies to identify, assess, manage and mitigate or prevent actual, perceived and potential conflicts of interest: a. as a result of the various activities and roles of the institution, of different institutions within a corporate group or of different business lines or units within an institution, or with regard to external stakeholders; and b. between the interests of the institution and the private interests of staff, including members of the Board, which could adversely influence the performance of their duties and responsibilities. 102. When assessing whether there are perceived, potential or actual conflicts of interest, the Board must consider elements such as economic interests, personal and professional relationships, and political influence and relationships. At a minimum, the Board must: i. Ensure the institution's interest is always placed ahead of the interest of any related party. In circumstances where there is uncertainty, the Board should intervene to prevent the institution’s interest from being subordinated to that of any other party. ii. Ensure appropriate policies and procedures are in place to guarantee that all transactions with related parties are conducted at arm’s length. iii. Require full transparency from all Board members, senior management, and other key employees that may create an actual, potential or perceived conflict of interest. iv. Ensure that appropriate mechanisms are in place to prohibit self-dealing, insider trading and any other activity that puts the interest of any person above the interests of the institution.

| 43 8. Disclosure and Transparency 103. The objective of transparency is to provide all relevant parties (shareholders, depositors, other relevant stakeholders and market participants) with the information necessary to enable them to assess and monitor the effectiveness of the Board and senior management in governing the deposit-taking institution or financial holding company. 104. All DTIs and FHCs should disclose relevant and useful information that support key areas of corporate governance61 . Timely public disclosure is required and can be done via the institution’s public website, in its annual and periodic financial reports, or by other appropriate means. Such disclosure should be proportionate to the size, complexity, structure, economic significance, and risk profile of the financial institution. Disclosure should include, at a minimum: i. Material information on the institution’s objectives, organisational and governance structures and policies, major share ownership and voting rights, and connected or related party transactions. Where necessary, the disclosure should include all entities within a corporate group structure. ii. All material developments since the last disclosure, including any change in governance or organisational structures. iii. Size and composition of the Board and Board committees, including their respective mandates. iv. Overview of the code of conduct and conflict of interest policy applicable to the institution and, where necessary, the corporate group. v. Overview of the internal control framework and business continuity management framework. vi. Information relating to its risk exposures and risk management strategies, including cyber risk management, without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the institution should disclose adequate information on its purpose, strategies, structures, and related risks and controls.

61 Principle 28 of the BCBS Core Principle for “Effective Banking Supervision” underscores the responsibility of the supervisory authority to ensure that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes (including compensation practices).

| i Appendix 1: Responsibilities of Other Board Committees Nominations Committee This Nominations Committee should comprise a majority of independent directors, and provide support to the Board in carrying out its function in the following matters concerning the Board, Senior management and Corporate Secretary. The Nomination Committee makes recommendations to the Board on relevant matters relating to:

1. the review of succession plans for directors, in particular, the appointment and/or replacement of the Chairman, the CEO and senior management;
2. the process and criteria for evaluation of the performance of the Board, Board committees, and directors;
3. the review and/or supervision of training and professional development programs for the Board and its directors; and
4. the appointment and re-appointment of directors. The Nomination Committee should review and assess the knowledge, experience and competence of nominees for suitability of a role on the Board and their ability to discharge responsibilities in accordance with the role. Remuneration Committee This Remuneration Committee should support the Board in actively overseeing the design and operation of the institution’s remuneration system. If established, this committee should periodically review the remuneration of directors on the board, particularly to determine whether remuneration remains appropriate and consistent with the institution’s culture, long-term business and risk appetite, and performance, as well as with any legal or regulatory requirements. The Remuneration Committee should work closely with the entity’s Risk Committee in evaluating the incentives created by the remuneration system. Conduct Review Committee This committee makes recommendations for implementing procedures for reviewing transactions with connected (and related) parties, as well as mechanisms for monitoring and reporting such transactions on a continuous basis. The procedures should ensure that all transactions are conducted at “arm’s length”. Information Technology Committee This committee supports the Board in carrying out its function of reviewing and approving the institution's information technology, digital governance, and cyber-risk management strategy. It monitors and evaluates existing and emerging technologies, including Artificial Intelligence, as well as evolving cyber-risk exposures that could impact the institution’s operations and strategic direction. The committee is also responsible for guiding the implementation of a digital governance framework that includes regular cybersecurity audits, digital literacy training for directors and senior management, and policies on ethical AI use and data privacy aligned with international standards. It also facilitates collaboration with regulators and industry-wide cybersecurity simulations and other activities to enhance resilience.

| ii Appendix 2: Board Performance and Assessment Guide For Licensed Deposit-Taking Institutions and Financial Holding Companies in Jamaica Purpose This guide sets out key evaluation criteria, framed as questions, to support a structured assessment of the performance and effectiveness of boards of directors. It applies both to individual directors, and to the board as a collective body. The criteria are designed to promote a culture of accountability, reinforce corporate governance standards, and ensure the board’s continued effectiveness in safeguarding institutional safety, soundness, and long-term stability. In the course of the assessment, the following questions are to be carefully examined and answered with honestly and accuracy:

1. Strategic Oversight and Direction i. Has the board actively contributed to the development and monitoring of the institution’s strategic objectives? ii. Does the board ensure alignment among strategy, risk appetite, and capital/liquidity planning? iii. Is there evidence that the board challenges and approves major strategic decisions and business plans?
2. Risk Oversight and Governance i. Does the board adequately oversee the institution’s risk management framework? ii. Are risks (financial, operational, compliance, reputational) discussed meaningfully at the board level? iii. Does the board receive timely, comprehensive risk reports? iv. Is the board effective in overseeing the risk appetite framework and stress testing processes?
3. Board Composition and Capability i. Does the board possess a balance of skills, experience, and diversity relevant to the institution’s business model? ii. Have board members demonstrated sufficient understanding of financial and risk matters? iii. Is there evidence of continuous training and upskilling among board members? iv. Is the board size appropriate to support effective debate and decision-making?

| iii 4. Board Leadership and Culture i. Is the chair effective in facilitating meetings and promoting inclusive and constructive discussions? ii. Do board dynamics support challenge, transparency, and consensus-building? iii. Is there a demonstrated tone from the top that reinforces ethical behaviour, prudence, and accountability? 5. Board Processes and Meeting Effectiveness i. Are board meetings well-structured, focused, and efficiently run? ii. Are board papers and agendas clear, relevant, and circulated on a timely basis? iii. Do members prepare adequately and engage meaningfully in discussions? iv. Are decisions followed up on effectively with clear accountability? 6. Committee Effectiveness i. Are committees operating effectively in accordance with their mandates? ii. Do committee outputs provide valuable input into board-level decisions? iii. Is reporting from committees clear, timely, and aligned with strategic priorities? iv. Are committee meetings appropriately attended and documented? 7. Director Engagement and Accountability i. Do all directors attend meetings consistently and participate actively? ii. Do directors maintain independence of thought and fulfil fiduciary duties? iii. Is there a clear process for assessing the performance of individual directors? iv. Are directors held accountable for their contributions? 8. Stakeholder and Regulatory Engagement i. Does the board demonstrate effective oversight of stakeholder interests (e.g., shareholders, depositors, regulators)? ii. Is there proactive and transparent engagement with Bank of Jamaica and other relevant regulators? iii. Does the board respond promptly and comprehensively to supervisory findings and guidance?

| iv 9. Board Evaluation and Continuous Improvement i. Is there a structured annual board evaluation process (internal or external)? ii. Are evaluation outcomes documented and used to improve board performance? iii. Is there a formal follow-up on action plans arising from prior evaluations? iv. Are evaluations aligned with the institution’s size, complexity, and risk profile?