2022-04-06
The Supervisory Council mandates banks to establish robust internal governance frameworks centered on a clearly defined Steering Council responsible for strategy, risk appetite, and independent oversight. This guideline requires banks to implement strict individual and collective suitability criteria for council members, alongside structured nomination processes, succession planning, and diversity objectives. It further standardizes risk culture, remuneration policies, and committee operations to ensure prudent decision-making and effective alignment with the bank’s strategic and regulatory obligations.
GUIDELINE “ON INTERNAL AND EFFECTIVE GOVERNANCE OF BANKS”
2.4 The decision-making of the Steering Council should not be dominated by a single member or a small subset of its members, in order to have appropriate checks and balances in place.

2.5 The Steering Council and the Directorate, while fulfilling their supervisory and management functions, should interact effectively. Both functions should provide each other with sufficient information to allow them to perform their respective functions.

2.6 The Steering Council’s responsibilities should include setting, approving and overseeing the implementation of:
   a) the overall business strategy and the key policies of the bank, within the applicable legal and regulatory framework, taking into account the bank’s long-term financial interests and solvency;
   b) the overall risk strategy, including the bank’s risk appetite/tolerance, its risk management framework and measures to ensure that the Steering Council devotes sufficient time to risk issues/problems;
   c) an adequate and effective internal governance and internal audit framework, that includes a clear organisational structure, as well as well-functioning and independent risk management, compliance and internal audit functions, that have sufficient authority, stature and resources to perform their functions;
   d) the amounts, types and distribution of both internal capital and regulatory capital, to adequately cover the risks of the bank;
   e) targets for the liquidity management of the bank;
   f) a remuneration policy that is in line with the remuneration policies, as defined in the regulation;
   g) arrangement of the assessment process for the individual and collective suitability of the Steering Council and the Directorate, to ensure the effectiveness of this assessment, as well as to ensure that the composition and the succession plans of the Steering Council and the Directorate are appropriate, in order to perform their functions effectively;
   h) an assessment process for the selection and suitability of key function holders;
   i) regulatory acts regarding the functioning of the committees established by the Steering Council, that should detail:
      a. role, composition and duties for each of them; and
      b. appropriate information flow, including the documentation of recommendations and conclusions, as well as reporting lines among each committee and the steering organs, competent authorities and third parties;
   j) risk culture, in line with the principles of this guideline, which addresses the bank’s risk awareness and risk-taking behaviour;
   k) organisation culture and values, which foster responsible and ethical behaviour, including a code of conduct or similar instruments;
   l) conflict of interest policy at bank level, in line with the requirements of the law on banks and the principles of this guideline; and
   m) undertaking the necessary measures to ensure the integrity of the accounting and financial reporting systems, including financial and operational controls, as well as compliance with the law and relevant standards.

2.7 The Steering Council should oversee the process of disclosure and communication with interested parties and competent authorities.

2.8 All members of the Steering Council and of the Directorate should be informed about the overall activity, financial and risk situation of the bank, taking into account the economic environment, and should also be informed about the implementation of the decisions taken that have a major impact on the bank’s business.

2.9 The Steering Council should monitor, periodically review and address any weaknesses identified regarding the implementation of processes, strategies and policies related to the responsibilities listed in paragraphs 2.7 and 2.8 of this guideline. The internal governance framework and its implementation should be reviewed and updated periodically, taking into account the proportionality principle, and a deeper review should be ensured in case of material changes affecting the bank.

3. The functions of the Steering Council

3.1 The Steering Council, in addition to what is stipulated in the law on banks and in the regulation, should ensure that it carries out the following functions:
   a) oversees and monitors the decision-making and actions of management and provides effective oversight of the Directorate and executive directors, including monitoring and scrutinising their individual and collective performance, and the implementation of the bank’s strategy and objectives;
   b) constructively debates and critically reviews proposals and information provided by the Directorate and executive directors, as well as their decisions;
   c) ensures and periodically assesses the effectiveness of the bank’s governance framework and takes appropriate steps to address any identified deficiencies;
   d) oversees and monitors the consistent implementation of the strategic objectives, organisational structure and risk strategy of the bank, including its risk appetite/tolerance and risk management framework, as well as other policies (e.g. remuneration policy) and the disclosure framework;
   e) monitors the consistent implementation of the bank’s risk culture;
   f) oversees the implementation and maintenance of a code of conduct and effective policies to identify, manage and mitigate actual and potential conflicts of interest;
   g) oversees the integrity of the financial information and reporting, as well as the internal audit framework, including an effective and sound risk management framework;
   h) ensures that the heads of internal control functions are able to act independently and, regardless of their responsibility to report to other internal bodies, business lines or units, can raise concerns and warn the Steering Council directly, where necessary, when adverse risk developments affect or may affect the bank; and
   i) monitors the implementation of the internal audit plan.

3.2 The bank’s Steering Council should approve and oversee the implementation of the management approach and of the internal functioning of each committee of the Steering Council, when established, detailing the:
   a) role, composition and duties for each of them;
   b) appropriate information flow, including the documentation of recommendations and conclusions, as well as reporting lines among each committee and the steering organs, supervisory authorities and third parties.

3.3 The Steering Council should ensure a suitable and transparent organisational and operational structure for the bank and should have a written description of it.
The structure should support and demonstrate an effective and prudent management of the bank, at individual and consolidated level. The reporting lines and the allocation of responsibilities within a bank, in particular among key function holders, should be clear, well-defined, coherent, enforceable and duly documented (the documentation should be updated as appropriate).

3.4 The Steering Council should ensure that the internal audit functions are independent of the business lines they control, taking into account that there is an adequate segregation of duties, and that they have the appropriate financial and human resources, as well as powers to effectively perform their role.

II. INDIVIDUAL AND COLLECTIVE SUITABILITY CRITERIA OF THE MEMBERS OF THE STEERING COUNCIL

4. Individual suitability criteria of the members of the Steering Council

4.1 Members of the Steering Council should have an up-to-date understanding of the business of the bank and its risks, at a level commensurate with their responsibilities. This includes an appropriate understanding of those areas for which an individual member is not directly responsible, but is collectively accountable along with other members of the Steering Council.

4.2 Members of the Steering Council should have a clear understanding of the bank’s governance arrangements and management, as well as of the roles and responsibilities of the Directorate. Where applicable, they should also have an understanding of the group structure and of any possible conflicts of interest that may arise therefrom. Members of the Steering Council should be able to contribute to the implementation of appropriate culture, values and behaviour, both within the Steering Council and the bank.

4.3 When assessing the knowledge, skills and experience of a member of the Steering Council, the bank should give consideration to theoretical and practical experience relating to:
   a) banking and financial markets;
   b) legal requirements and regulatory framework;
   c) strategic planning, the understanding of a bank’s business strategy or business plan and accomplishment thereof;
   d) risk management (identifying, assessing, monitoring, controlling and mitigating the main types of risk of a bank);
   e) accounting and auditing;
   f) the assessment of the effectiveness of a bank’s arrangements ensuring effective governance, oversight and control; and
   g) the interpretation of a bank’s financial information, the identification of key issues based on this information, and appropriate controls and measures.
Additional experience might be considered necessary, based on relevant factors, such as the function to which it applies, the nature, scale and complexity of the entity, or other factors to be considered case by case. For instance, for a member who also holds other positions (such as CRO, CFO, Head of Compliance, or Chair of the Risk Committee or Audit Committee), specialized experience in the relevant areas shall be identified.

4.4 Members of the Steering Council should have gained sufficient practical and professional experience from a managerial position over a sufficiently long period. Short-term positions may be considered as part of the assessment, but such positions alone should not be sufficient to assume that a member has sufficient experience. When assessing the practical and professional experience gained from previous positions, particular consideration should be given to:
   a) the nature of the management positions held and their hierarchical level;
   b) the length of service;
   c) the nature and complexity of the business where the position was held, including its organisational structure;
   d) the scope/implementation of competencies, decision-making powers and responsibilities of the member;
   e) the technical knowledge gained through the position; and
   f) the number of subordinates.

5. Collective suitability criteria of the members of the Steering Council

5.1 The Steering Council should collectively be able to understand the bank’s activities, including the main risks it faces.

5.2 The members of the Steering Council should collectively be able to take appropriate decisions, considering the nature and complexity of the bank’s activity, the bank’s risk appetite/tolerance, strategy and the markets in which the bank operates.

5.3 The members of the Steering Council should collectively be able to effectively discuss and monitor decisions made by the Steering Council.

5.4 All areas of knowledge required for the bank’s business activities should be covered by the Steering Council collectively, with sufficient expertise among members of the Steering Council. The Steering Council should have a sufficient number of members with knowledge in each area, to allow a discussion of decisions to be made.
The members of the Steering Council should collectively have the skills to present their views and to influence the decision-making process within the Steering Council.
5.5 The composition of the Steering Council should reflect the knowledge, skills and experience necessary to fulfil its responsibilities. This includes that the Steering Council collectively should have an appropriate understanding of those areas for which the members are collectively accountable, and the skills to effectively manage and oversee the bank, including the following aspects:
   a) the business/activity of the bank and the main risks related to it;
   b) each of the material activities of the bank;
   c) relevant areas of sectorial/financial competence, including financial and capital markets, capital adequacy and risk evaluation models;
   d) financial accounting and reporting;
   e) risk management, compliance and internal audit;
   f) information technology and security;
   g) local, regional and global markets, where the bank is active;
   h) the legal and regulatory environment;
   i) managerial skills and experience;
   j) the ability to plan strategically; and
   k) the management of (inter)national groups and risks related to group structures, where applicable.

5.6 The Steering Council should collectively have high and sufficient managerial skills, in order to organise its tasks effectively. The Steering Council should be able to understand and discuss the management practices applied and the decisions taken.

6. Nomination process of candidates for Steering Council members

6.1 The Steering Council should nominate its new members, where a nominations committee is not established, as well as in cases of re-appointment. Nominations for re-appointment should take place only after the Steering Council has assessed the performance of the member as observed during his/her last term.

6.2 The Steering Council should identify and select qualified and experienced members, and ensure appropriate succession planning for the functioning of the Steering Council.
6.3 Without prejudice to the shareholders’ rights to appoint members, the Steering Council, where a nominations committee is not established, should actively contribute to the selection of candidates for vacant Steering Council positions, in cooperation with human resources, and should:
   a) prepare a description of the roles and capabilities for a particular appointment;
   b) evaluate the adequate knowledge, skills and experience of the Steering Council;
   c) assess the time commitment expected; and
   d) consider the objectives of the diversity policy.

6.4 The nomination should contain a shortlist with a preselection of suitable candidates, which takes into account the diversity objectives set out in the bank’s diversity policy. The decision should take into account the fact that a more diverse Steering Council fosters constructive discussion based on different points of view. Banks should not, however, recruit members of the Steering Council with the sole purpose of increasing diversity, to the detriment of the functioning and at the expense of the collective and individual suitability of the members of the Steering Council.

6.5 Without prejudice to the shareholders’ rights to appoint and replace members of the Steering Council, the latter should establish a succession plan for its members, to ensure the continuity of decision-making and prevent, where possible, too many members having to be replaced simultaneously. Succession planning should set out the bank’s plans, policies and processes for dealing with unexpected absences or departures of the members of the Steering Council. Succession planning should also take into account the objectives and targets defined in the bank’s diversity policy.

7. Evaluation of needs for new appointments in the Steering Council in the context of the bank’s strategic objectives

7.1 The appointment of new members of the Steering Council should start with a review of the bank’s business strategy, within the applicable legal and regulatory framework, and the overall risk strategy, including the bank’s risk culture, risk appetite/tolerance and governance framework. It is crucial to review the context for each new appointment, as strategy and business environment change and new challenges and risks arise.
7.2 The assessment of the composition, profile and skills of the members of the Steering Council shall be aligned with the medium-term strategic objectives, challenges and risks that the bank is facing or is going to face. Strategic objectives include, but are not limited to:
   a. business growth through legal reorganisation (mergers & acquisitions or split-ups): in such case, people with investment banking experience might be needed;
   b. organic growth in retail and/or corporate lending: in such case, people with experience in these areas might be needed;
   c. significant reduction of non-performing loans (NPLs) within a short time period: in such case, people with work-out and change management, NPL management/collections and/or risk management experience might be needed;
   d. the need for operational restructuring of the bank: in such case, experienced people focused on operations and information technology might be needed;
   e. the need to drive growth by digital transformation, i.e. by converting traditional “analog” businesses to “digital” ones, using the potential of modern online technologies and data: in such case, people with experience in financial technology, cyber security and cyber risk, “big data” management and digital operations might be needed;
   f. efficient dealing with the new regulatory environment and the respective challenges (e.g. the supervisory review and evaluation framework, the capital and liquidity adequacy assessment framework, the personal data protection framework, as well as the legal and regulatory framework in force regulating financial instruments markets): in such case, people with strong risk management, compliance and regulatory policy experience might be needed.

7.3 Other areas to be assessed during this phase include: the size and composition of the Steering Council, taking into account legal, regulatory and contractual constraints; the evaluation of current members; the succession planning of the members; the skills and experience required; gender diversity within the Steering Council; and potential conflicts of interest.
7.4 In addition to this and to what is stipulated in paragraph 7.2 of this guideline, a non-exhaustive list of skills that banks should consider when performing the suitability assessments of Steering Council members is provided in Appendix 1 of this guideline.

7.5 Steering Council members of systemically important banks also need to share the vision of bringing knowledge and international expertise into the Albanian banking sector, thus helping banks to operate in a challenging macroeconomic and banking environment.
8. Profile of the new Steering Council member

8.1. The Steering Council or the nominations committee (where established) should develop a detailed list of the criteria that the new member should possess, and should analyse the role and responsibilities of the Steering Council member and the knowledge, experience and competencies which the role requires.

8.2. In addition to what this guideline stipulates regarding the areas of experience required of the bank’s Steering Council members or nominations committee members, the fitness and propriety of the Steering Council, or nominations committee, should be assessed against five criteria:
   i. experience;
   ii. reputation;
   iii. conflicts of interest and independence of mind;
   iv. time commitment; and
   v. collective suitability.

8.3. The nominations committee should continuously fulfil the following tasks and responsibilities regarding the selection process and assessment of candidates for Steering Council members:
   a) gather input from multiple stakeholders, including the Steering Council, the major shareholders and, in some instances, the bank’s management, thus aligning what the bank expects from this critical role with what it needs;
   b) provide clarity about the expectations, soliciting feedback from a variety of sources, both within and outside the bank;
   c) develop a clearly defined profile of the Steering Council member, distinguishing between qualities that are needed and those that are merely desirable, and define the documents necessary to prove that the person has the required attributes;
   d) strive to ensure that the Steering Council is not dominated by any one individual or small group of individuals, in a manner that is detrimental to the interests of the bank as a whole.

8.4. The profile, skills and competencies of each Steering Council role (Steering Council chair, chairs of committees established by the Steering Council, independent non-executive directors, non-executive directors, executive directors) should take into account not only legal and regulatory requirements, but also international best practices.
9. Establishment of a pool of candidates for Steering Council members

9.1. In order to achieve a well-balanced and effective Steering Council, the bank should establish a pool of available candidates for the position of member/s of the Steering Council.

9.2. While selecting and establishing the pool of candidates for Steering Council members, the Steering Council should avoid exclusive reliance on the traditional approach (use of personal contacts and networks), or reliance on recommendations by advisors or external auditors, as relying exclusively on these sources limits the pool of potential candidates for Steering Council members. This may lead to proposed candidates who do not have the right competencies and may result in the phenomenon of “group think”, caused by a lack of diversity in Steering Council composition.

10. Selection and nomination of candidates

10.1 The list of potential candidates should be reviewed to narrow the search and produce a short list. The nominations committee (where established) should make an initial assessment of potential candidates’ suitability, in order to ensure a merit-based selection process. The nomination process should take into account an assessment of potential members’ background, skills and experience, against the agreed member/s profile.

10.2 The nominations committee (where established) should determine if there are any candidates that should be taken off the list because of:
   a) conflict of interest;
   b) independence issues;
   c) limited time to devote to the job, as they already participate in many Steering Councils; or
   d) any other reason, which should be documented.

10.3 With the pared-down short list, the nominations committee (where established) should ensure:
   a) to carry out a detailed due diligence;
   b) to carefully assess records, references and profiles of candidates; and
   c) to make verification checks through alternative sources (e.g. past colleagues, banks’ association, credit register and penal records).
10.4 The candidate shall be informed in detail about his/her responsibilities, including, particularly for international Steering Council members, information on tax and legal issues, and shall commit to the amount of time that he/she will devote.

10.5 Upon completion of its assessment, the nominations committee (where established) shall recommend the best candidate/s to the Steering Council, according to the number of seats available.

III. ASSESSMENT AND MONITORING OF THE SUITABILITY OF THE MEMBERS OF THE STEERING COUNCIL

11. Assessment of the individual suitability of the members of the Steering Council

11.1 Banks should ensure that the members of the Steering Council are individually suitable at all times and should assess or re-assess their suitability, in particular:
   a) when applying for the prior approval of the Bank of Albania;
   b) when material changes to the composition of the Steering Council occur, including:
      i. when appointing new members of the Steering Council as a result of a direct or indirect acquisition or increase of a qualifying holding in a bank. This assessment should be limited to newly appointed members;
      ii. when re-appointing members of the Steering Council, if the requirements of the position have changed or if the member is appointed to a different position within the Steering Council. This assessment should be limited to the members whose position has changed and to the analysis of the relevant aspects, taking into account any additional requirements for the position.
   c) on an ongoing basis, in accordance with paragraphs 11.5 and 11.6.

11.2 During the assessment process of the suitability of the Steering Council members, banks should make sure to assess whether the following criteria have been fulfilled by members:
   a) are of sufficiently good repute;
   b) possess sufficient knowledge, skills and experience to perform their duties;
   c) are able to act with honesty, integrity and independence of mind to effectively assess and discuss/challenge the decisions of the Steering Council, in its management function, and other relevant decisions where necessary, and to effectively oversee and monitor the Steering Council’s decision-making; and
   d) are able to commit sufficient time to perform their functions in the bank and, where the bank is systemically important, whether or not the limitation on directorships of Steering Council members, of not holding more than one of the combinations of directorships listed below, is being complied with: one executive directorship with two non-executive directorships; and one executive directorship with four non-executive directorships.

11.3 Where an assessment is made for a specific position, the assessment of sufficient knowledge, skills, experience and time commitment should take into account the role in relation to the specific position concerned.

11.4 Banks should monitor on an ongoing basis the suitability of the members of the Steering Council, to identify, in the light of any new fact, situations where a re-assessment of their suitability should be performed. In particular, a re-assessment should be performed in the following cases:
   a) where there are concerns regarding the individual or collective suitability of the members of the Steering Council;
   b) in the event of a material impact on the reputation of the member of the Steering Council, or the bank, including cases where members do not comply with the bank’s conflict of interest policy;
   c) as part of the review of the internal governance arrangements by the Steering Council; and
   d) in any event that can materially affect the suitability of the member of the Steering Council.

11.5 Banks should also re-assess the sufficient time commitment of a member of the Steering Council if that member takes on an additional directorship or starts to perform new activities, including political ones.
11.6 Banks should base their suitability assessments on the notions defined in paragraph 5 of this guideline, taking into account the diversity of the Steering Council, as specified in paragraph 17, and should implement a policy and processes of ongoing assessment, as set out in this guideline (paragraph 13).
12. Assessment of the collective suitability of the members of the Steering Council

12.1 Banks should ensure that at all times the Steering Council collectively possesses adequate knowledge, skills and experience to be able to understand the bank’s activities, including the main risks taken.

12.2 Banks should assess or re-assess the collective suitability of the Steering Council members, in particular:
   a) when applying for approval;
   b) when material changes to the composition of the Steering Council occur, including:
      i. when appointing new members of the Steering Council as a result of legal reorganisation or as a result of an increase of a qualifying holding in a bank;
      ii. when re-appointing members of the Steering Council, if the requirements of the position have changed, or if the member is appointed to a different position within the Steering Council; and
      iii. when appointed or re-appointed members cease to be members of the Steering Council.
   c) on an ongoing basis, in accordance with paragraph 12.3 of this guideline.

12.3 Banks should also re-assess the collective suitability of the members of the Steering Council, in particular, in the following cases:
   a) when there is a material change to the business model, risk appetite/tolerance and risk strategy, or structure at the bank’s individual or collective level;
   b) as part of the review of the bank’s internal governance arrangements by the Steering Council; and
   c) in any event that can materially affect the collective suitability of the Steering Council.

12.4 Where re-assessments of the collective suitability are performed, banks should focus their assessment on the relevant changes in the bank’s business activity, strategy and risk appetite/tolerance and in the distribution of duties within the Steering Council, and their effect on the collective knowledge, skills and experience of the Steering Council.
12.5 Banks should ensure at all times the assessment of the initial and ongoing collective suitability of the Steering Council.
13. On-going monitoring and re-assessment of the individual and collective suitability of the members of the Steering Council

13.1 The on-going monitoring of the individual and collective suitability of the members of the Steering Council should take into account the individual or collective performance and the relevant situation or event which caused a re-assessment, and the impact it has on the actual or required suitability.

13.2 When re-assessing the individual or collective performance of the members of the Steering Council, the Shareholders’ Assembly or the Steering Council, or the nominations committee (where established), should consider:
   a) the efficiency of the Steering Council’s processes, on the basis of the efficiency of information flows and reporting lines to the Steering Council, and taking into account any follow-up or recommendations made by the internal audit function;
   b) the effective and prudent management of the bank, including whether or not the Steering Council acted in the best interest of the bank;
   c) the ability of the Steering Council to focus on strategically important matters;
   d) the adequacy of the number of meetings held, the degree of attendance, the appropriateness of the time committed and the intensity of directors’ involvement during the meetings;
   e) any changes to the composition of the Steering Council and any weaknesses with regard to individual and collective suitability, taking into account the bank’s business model and risk strategy;
   f) any performance objectives set for the bank and the Steering Council;
   g) the independence of mind of members of the Steering Council, including the requirement that decision-making is not dominated by any one individual or small group of individuals, and the compliance of members of the Steering Council with the conflict of interest policy;
   h) the degree to which the composition of the Steering Council has met the objectives set in the bank’s diversity policy; and
   i) any events that may have a material impact on the individual or collective suitability of the members of the Steering Council, including changes to the bank’s business model, strategies and organisation.

13.3 Banks should perform a periodic suitability re-assessment annually. Where a re-assessment is triggered by a specific event, banks may focus the re-assessment on the situation or event that has triggered the re-assessment; e.g. where certain aspects have not changed, these can be omitted from the assessment.

13.4 The result of the re-assessment, the reason for the re-assessment and any recommendation with regard to identified weaknesses should be documented and submitted to the Steering Council.

13.5 The Steering Council or the nominations committee, where established, should report the result of the re-assessment of collective suitability even if no changes to its composition or other measures are recommended. Recommendations may include, but are not limited to, training, change of processes, measures to mitigate conflicts of interest, the appointment of additional members with a specific competence and the replacement of members of the Steering Council.

13.6 The Steering Council should assess the report and decide on the recommendations made by the Steering Council or, where established, the nominations committee, and where recommendations are not approved, document the underlying reasons.

13.7 In the event that the Steering Council concludes that a member of the Steering Council is not suitable individually or collectively, the bank should immediately inform the Bank of Albania, including about the measures proposed or taken by the bank to remedy the situation.

IV. SUFFICIENT TIME COMMITMENT OF THE MEMBER OF THE STEERING COUNCIL

14. Sufficient time commitment of the member of the Steering Council

14.1 Banks should assess whether or not a member of the Steering Council is able to commit sufficient time to perform his or her functions and responsibilities, including understanding the business of the bank, its main risks and the implications of the business and the risk strategy. Where the person holds a mandate in a systemically important bank, this should include an assessment to ensure that the limitation of the maximum number of directorships held by one person is being complied with.
14.2 Members of the Steering Council should also be able to fulfil their duties in periods of particularly increased activity, such as a restructuring, a relocation of the bank, an acquisition, a merger, a takeover or a crisis situation, or in periods of major difficulties with one or more of its operations, taking into account that in such periods a higher level of time commitment than in normal periods of activity may be required.

14.3 In the assessment of sufficient time commitment of a member of the Steering Council, banks should take at least the following into account:
a) the number of directorships in banks and non-bank financial institutions that are part of a banking/financial group, held by that member at the same time, taking into account possible synergies, including when acting as an alternate of a member of the Steering Council;
b) the size, nature, scope and complexity of the activities of an entity where the member holds a directorship;
c) the member’s geographical presence and the travel time required for the fulfilment of his/her role;
d) the number of meetings scheduled for the Steering Council;
e) the directorships in organisations which do not pursue predominantly commercial/lucrative objectives held by that member at the same time;
f) the nature of the specific position and the responsibilities of the member, including specific roles such as Chief Executive Officer, chair of the Steering Council, or chair or member of a committee, whether the member holds an executive or non-executive position, and the need of that member to attend meetings in the companies listed in letter (a) of this paragraph and in the bank;
g) other external professional or political activities, and any other functions and relevant activities, both within and outside the financial sector;
h) the time necessary for induction and training;
i) any other relevant duties of the member that banks consider necessary to take into account when carrying out the assessment of sufficient time commitment of a member.

14.4 Banks should record in writing the roles, duties and required capabilities of the various positions within the Steering Council and the expected time commitment required for each position, also taking into account the need to devote sufficient time for induction and training.
For this purpose, smaller and less complex banks may differentiate the expected time commitment only between executive and non-executive directorships.

14.5 A member of the Steering Council should be aware of the expected time commitment required for his or her duties, and banks may require the member to confirm that he or she can devote the amount of time needed to his/her role.

14.6 Banks should monitor whether the members of the Steering Council commit sufficient time to perform their functions. Preparation for meetings, attendance and the active involvement of members in Steering Council meetings are all indicators of time commitment.

14.7 A bank should also consider the impact of any long-term absences of members of the Steering Council in its assessment of the sufficient time commitment of other individual members of the Steering Council.

14.8 Banks should keep records of all external positions held by the members of the Steering Council, and such records should be updated whenever a member notifies the bank of a change and when such changes otherwise come to the attention of the bank.

14.9 Where changes to such positions occur that may reduce the ability of a member of the Steering Council to commit sufficient time to perform his or her function, the bank should reassess the member’s ability to respect the required time commitment for his or her position.

V. INDEPENDENCE OF MIND, INDEPENDENT MEMBERS AND THE DIVERSITY WITHIN THE STEERING COUNCIL

15. Interaction between independence of mind and the principle of being independent

15.1 When assessing the independence of members, banks should differentiate between the notion of “independence of mind”, applicable to all members of a bank’s Steering Council, and the principle of “being independent”, required for certain members of a bank’s Steering Council.

15.2 Acting with “independence of mind” is a pattern of behaviour, shown in particular during discussions and decision-making within the Steering Council, and is required for each member of the Steering Council regardless of whether or not the member is considered as “being independent”. All members of the Steering Council should engage actively in their duties and should be able to make their own sound, objective and independent decisions and judgements when performing their functions and responsibilities.
15.3 “Being independent” means that a member of the Steering Council does not have any present or past relationships or links of any nature with the bank or its management that could influence the member’s objective and balanced judgement and reduce the member’s ability to take decisions independently. The fact that a member is considered as “being independent” does not mean that the member of the Steering Council should automatically be deemed to be “independent of mind”, as the member might lack the required behavioural skills.

16. Independence of mind

16.1 When assessing the independence of mind, banks should assess whether or not all members of the Steering Council have:
a) the necessary behavioural skills, including:
i. courage, conviction and strength to effectively assess and discuss the proposed decisions of other members of the Steering Council;
ii. being able to ask questions to the members of the Steering Council; and
iii. being able to resist “group-think”.
b) conflicts of interest to an extent that would impede their ability to perform their duties independently and objectively.

16.2 When assessing the required behavioural skills of a member, referred to in paragraph 16.1, letter (a) above, his or her past and ongoing behaviour, in particular within the bank, should be taken into account.

16.3 When assessing the existence of conflicts of interest referred to in paragraph 16.1 of this guideline (letter (b)), banks should identify actual or potential conflicts of interest, in accordance with the bank’s conflicts of interest policy, and assess their materiality. Beyond what Article 44 of the law on banks stipulates, banks should also consider the following situations that could create actual or potential conflicts of interest:
a) economic interests (e.g. shares, other ownership rights and memberships, holdings and other economic interests in the bank’s customers, property rights, loans guaranteed for a company or companies owned by members of the Steering Council);
b) personal and professional relationships with the owners of qualifying holdings in the bank;
c) personal and professional relationships with staff of the bank or entities included within the scope of consolidation for supervisory purposes (e.g. close family relationships);
d) other employment and previous employment within the recent past (e.g. five years);
e) personal or professional relationships with relevant external stakeholders (e.g. being associated with material suppliers, consultants or other service providers);
f) membership in and/or leadership of a managing body, or in a body or entity with conflicting interests; and
g) political influence or political relationships.

16.4 All actual and potential conflicts of interest at Steering Council level should be adequately communicated, discussed, documented and duly managed by the Steering Council (i.e. the necessary mitigating measures should be taken).

16.5 Banks should inform Bank of Albania if they have identified a conflict of interest that may impact the independence of mind of a member of the Steering Council, including the mitigating measures taken.

16.6 Being a shareholder, owner or member of the Steering Council of a bank, having private accounts or loans, or using other services of the bank or of any entity within the scope of consolidation should not automatically be considered to affect the independence of mind of a member of the Steering Council.

17. Diversity policy within the Steering Council

17.1 Banks should draft and implement a policy promoting diversity on the Steering Council, in order to promote a diverse pool of members. The bank should aim to include a broad set of qualities and competences when selecting and nominating members of the Steering Council, to achieve a variety of views and experiences and to facilitate independent opinions and sound decision-making within the Steering Council.

17.2 The diversity policy should mainly refer to the following diversity aspects: educational and professional background, gender, age and, in particular for banks that are active internationally, geographical provenance as well.

17.3 Systemically important banks should also document, as part of the annual review of the composition of the Steering Council, their compliance with the objectives and targets set. In the event that any objectives have not been met, the systemically important bank should document the reasons why, the measures to be taken and the timeframe for the measures to be taken, in order to ensure that the diversity objectives and targets will be met.
18. The presence and role of non-executive directors in the Steering Council

18.1 The Steering Council should ensure an adequate balance between executive and non-executive directors, so that no individual or small group of individuals dominates the decision-making of the Steering Council.

18.2 Within the overall responsibility of the Steering Council, the non-executive members should play a key role in enhancing the effectiveness of checks and balances in the bank, by improving oversight of management decision-making and ensuring that:
a) the interests of all stakeholders, including minority shareholders, are appropriately taken into account in the discussions and decision-making of the Steering Council. Independent members could also help offset or mitigate the unnecessary dominance by individual members of the Steering Council representing a particular group or category of stakeholders;
b) no individual or small group of members dominates decision-making; and
c) conflicts of interest between the bank, its business units, other entities within the scope of consolidation and external stakeholders, including clients, are appropriately managed.

VI. THE CHAIR AND THE SECRETARY OF THE STEERING COUNCIL

19. Role of the chair of the Steering Council

19.1 The chair of the Steering Council should lead the Steering Council, should contribute to ensuring an efficient flow of information within the Steering Council and between the Steering Council and the committees at Steering Council level, where established, and should be responsible for its effective overall functioning.

19.2 The chair should encourage and promote open and critical discussion and ensure that dissenting views can be expressed and discussed within the decision-making process.

19.3 The chair of the Steering Council should set meeting agendas and ensure that strategic issues are discussed with priority and that documents and information are received sufficiently in advance of the meeting.

19.4 The chair of the Steering Council should contribute to a clear allocation of duties between members of the Steering Council and the existence of an efficient flow of information between them, in order to allow the members of the Steering Council to contribute constructively to discussions and to cast their votes on a sound and well-informed basis.

20. The Secretary of the Steering Council function

20.1 Taking into account their complexity, banks may establish the function of the Secretary of the Steering Council.

20.2 The Secretary plays a key role as a channel for information exchange, communication, advice and arbitration between the Steering Council and the Directorate, as well as between the bank and its shareholders and other stakeholders. The Secretary can, among other things, help the Steering Council understand the challenges faced by the Directorate in meeting the requirements of the Council and also help the bank manage stakeholder relations.

20.3 The Secretary of the Steering Council should perform the following functions and duties:
a) ensures compliance with the governance procedures;
b) manages the internal governance framework for the bank;
c) oversees and conducts induction trainings for newly elected directors;
d) ensures compliance with laws and regulations in force;
e) manages shareholder relations and their meetings;
f) ensures communication between the Steering Council and the Directorate; and
g) communicates with directors.

20.4 The Secretary of the bank should be responsible to the Steering Council and should report, through the chair, on all matters relating to his or her core duties in relation to the Steering Council, and may also perform other non-core duties.

20.5 Banks should determine, in their internal procedures or regulations, the role, function, duties and responsibilities of the Secretary of the bank.
VII. HUMAN AND FINANCIAL RESOURCES FOR TRAINING OF MEMBERS OF THE STEERING COUNCIL

21. Objectives of induction and training

21.1 Banks should ensure that the members of the Steering Council are provided with the information necessary to become acquainted with their main duties, functions and responsibilities, with the induction of the members of the Council, and with the information needed to facilitate their clear understanding of the bank’s structure, the nature and complexity of the bank’s activity, the bank’s risk profile and governance arrangements, as well as the role of the bank’s key function holders.

21.2 Banks should provide for relevant general and, as appropriate, individually tailored training programmes.

21.3 Banks should allocate sufficient resources for the induction and training of members of the Steering Council, individually and collectively.

21.4 All newly nominated members of the Steering Council should receive key information at the latest 1 month after taking up their position, and the induction should be completed within 6 months.

21.5 Where nominated members of the Steering Council are subject to fulfilling a particular aspect of the knowledge and skill requirements, the training and induction for that member should aim to fill the identified gap within an appropriate timeframe, where possible before the position is effectively taken up or otherwise as soon as possible after the position is effectively taken up. Members of the Steering Council should continually maintain and deepen the knowledge and skills needed to fulfil their responsibilities.

22. Induction and training

22.1 Banks should have in place policies and procedures for the induction and training of members of the Steering Council, to be approved by the latter.

22.2 The policies and procedures for induction and training should at least set out:
a) the induction and training objectives for the Steering Council. This should also include, where appropriate, the induction and training objectives for specific positions according to their specific responsibilities and involvement in committees;
b) the responsibilities for the development of a detailed training programme;
c) the financial resources and human resources made available by the bank for induction and training, taking into account the number of induction and training sessions, their cost and any related administrative tasks, in order to ensure that induction and training are provided in line with the respective policy;
d) a clear process under which any member of the Steering Council can request induction or training.

22.3 In the development of the policy, the Steering Council or the nominations committee, where established, should consider the contribution of the human resources function and the function responsible for the budgeting and organisation of training, as well as relevant internal control functions, where appropriate.

22.4 Banks should have in place a process to identify the areas in which training is required, both for the Steering Council collectively and for individual members of the Steering Council. Relevant business areas and internal functions, including internal control functions, should be involved as appropriate in the development of the content of induction and training programmes.

22.5 The policies and procedures as well as training plans should be kept up to date, taking into account the bank’s governance changes, strategic changes, new products and other changes, as well as changes in applicable legislation and market developments.

22.6 Banks should have evaluation processes in place to review the execution and the quality of induction and training provided and to ensure compliance with the induction and training policies and procedures.
VIII. COMMITTEES, THEIR ROLE AND FUNCTIONING

23. Setting up the risk/s committee, remuneration committee and nominations committee

23.1 The Steering Council, as determined in the regulation, in accordance with the nature, size, complexity of operations and risk profile of the bank, may establish specialised committees at Steering Council level, such as the risk/s committee, remuneration committee, nominations committee, etc., which advise/assist the Council on special issues.

23.2 Systemically important banks, on an individual and consolidated basis, must establish risk/s, remuneration and nominations committees, to advise the Steering Council and to prepare the decisions to be taken by the latter.

23.3 Banks should ensure a clear allocation of duties between specialised committees at Steering Council level.

23.4 The Steering Council should determine the mandate, the scope of responsibilities and the working procedures that are appropriate for each committee.

23.5 Committees should facilitate the development and implementation of a sound internal and effective governance framework for the bank. Delegating to committees does not in any way release the Steering Council from its collective responsibility in fulfilling the respective functions and duties.

24. Composition of the risk/s committee, remuneration committee and nominations committee

24.1 Committees should be composed of at least three members and should be chaired by a non-executive independent member of the Steering Council.

24.2 Independent members of the Steering Council can be actively involved in committees, and banks, taking into account the size of the Steering Council and the number of its independent members, should ensure that each committee is not composed of the same group of members that forms another committee.

24.3 Banks should consider the occasional rotation of chairs and members of committees, taking into account the specific experience, knowledge and skills that are individually or collectively required for those committees.

24.4 The risk/s, remuneration and nominations committees should mainly be composed of independent (non-executive) members of the Steering Council who have the knowledge, experience and qualifications required of those members and who, combined with each other, provide the committees with an appropriate collective qualification.
24.5 Members of the nominations committee should have, individually and collectively, appropriate skills and expertise concerning the selection process and suitability requirements. The members of the risk/s committee should have, individually and collectively, appropriate skills and expertise concerning risk management, to fully understand and oversee the risk strategy and the risk appetite/tolerance of the bank, as well as control practices.

25. Committees’ functions and reporting lines

25.1 Committees should regularly report to the Steering Council.

25.2 Committees should interact with each other as appropriate. Without prejudice to paragraph 24.2 of this guideline, such interaction could take the form of cross-participation, so that the chair or a member of a committee may also be a member of another committee.

25.3 Members of committees should engage in open and critical discussions, during which dissenting views are discussed in a constructive manner.

25.4 Committees should document the agendas of their meetings and their main results and conclusions.

25.5 Banks should ensure that committees have access to all information and data necessary to perform their role, from all of the bank’s functions.

25.6 Committees should receive regular reports, ad hoc information, communications and opinions from the heads of internal control functions concerning the current risk profile of the bank, its risk culture and its risk limits, as well as on any material breaches that may have occurred, accompanied by detailed information on, and recommendations for, corrective measures taken, to be taken or suggested to address them.

25.7 Committees should periodically review and decide on the content, format and frequency of the information on risk to be reported to them and, where necessary, should also ensure the involvement of the internal control functions and other relevant functions (human resources, legal, finance) within their respective areas of expertise and/or seek external expert advice.

25.8 Banks should ensure that the internal control functions have access to information on the activities performed by all committees established by the Steering Council.

26. Role and duties of the risk/s committee

26.1 The risk/s committee should ensure the fulfilment of at least the following duties:
a) advise and support the Steering Council regarding the monitoring of the bank’s overall actual and future risk appetite/tolerance, taking into account all types of risks, to ensure that they are in line with the business strategy, objectives, corporate culture and values of the bank;
b) assist the Steering Council in overseeing the implementation of the bank’s risk strategy and the corresponding limits set;
c) oversee the implementation of the strategies for capital and liquidity management as well as for all other relevant risks of a bank, such as market, credit, operational (including legal and information technology) and reputational risk, in order to assess their adequacy against the approved risk appetite/tolerance and risk strategy of the bank;
d) provide the Steering Council with recommendations on necessary adjustments to the risk strategy resulting from, inter alia, changes in the nature and complexity of the bank’s activity, market developments or recommendations made by the risk management function;
e) provide the Steering Council with advice on the nomination of external consultants that the latter may decide to engage for advice or support;
f) review a number of possible scenarios, including stressed scenarios, to assess how the bank’s risk profile would react to internal and external events;
g) oversee the alignment between all material financial products and services offered to clients and the nature and complexity of the bank’s activity and the bank’s risk strategy. The risk committee should assess the risks associated with the offered financial products and services and take into account the alignment between the prices assigned to and the profits gained from those products and services (where this function is not fulfilled by another committee);
h) assess the recommendations of internal or external audit and follow up on the appropriate implementation of the measures taken;
i) collaborate with other committees whose activities may have an impact on the risk strategy (e.g. audit and remuneration committees) and regularly communicate with the bank’s internal control functions, in particular the risk management function; and
j) without prejudice to the responsibilities of the remuneration committee, examine whether incentives provided by the remuneration policies and practices take into consideration the bank’s risk profile, capital and liquidity and the likelihood and timing of earnings.

27. Treatment of risks

27.1 The risk/s committee should advise the Steering Council on the bank’s overall current and future risk appetite/tolerance and risk strategy and assist the Steering Council in overseeing the implementation of that strategy by senior management. The Steering Council shall retain overall responsibility for the risks taken during the bank’s activity.

27.2 The risk/s committee should review whether prices of assets and liabilities and prices of products and services offered to clients take fully into account the nature and complexity of the bank’s activity and the bank’s risk strategy. Where prices do not properly reflect risks in accordance with the nature and complexity of the bank’s activity and the bank’s risk strategy, the risk/s committee should present a remedy plan to the Steering Council.

27.3 The Steering Council and/or the risk/s committee, where established, should determine the nature, quantity, template and frequency of the risk information that those bodies receive.

28. Role and duties of the remuneration committee

28.1 The remuneration committee should ensure the fulfilment of at least the following duties:
a) prepare the decisions on remuneration to be taken by the Steering Council, in particular regarding the remuneration of the members of the Directorate and other managers of the bank, as well as of the rest of the staff, in accordance with the provisions of Article 15, paragraph (6) of the regulation;
b) provide its support and advice to the Steering Council on the design of the bank’s remuneration policy;
c) support the Steering Council in overseeing the remuneration policies, practices and processes as well as compliance with the remuneration policy;
d) check whether the existing remuneration policy is appropriate to the bank’s current situation and, if necessary, make proposals for changes;
e) assess the appointment of external consultants should the Steering Council decide to engage them for advice on remuneration policies;
f) ensure the accuracy of the information provided to shareholders on remuneration policies and practices, in particular on a proposed higher maximum level of the ratio between fixed and variable remuneration;
g) assess the control mechanisms and systems adopted to ensure that the remuneration system takes into account all types of risks, liquidity and capital levels and that the overall remuneration policy is consistent with and promotes sound and effective risk management and is in line with the business strategy, objectives, corporate culture and values and the long-term interest of the bank;
h) assess the achievement of performance targets and identify the need for changes to the policy that defines variable payments, based on ex post adjustments, including the application of financial penalties (malus arrangement)[1] and the return of money already paid (clawback arrangement)[2]. This aims to align variable remuneration with the additional risk that has been identified or has materialised after the award has been approved;
i) review a number of possible scenarios to test how the remuneration policies and practices react to internal and external events, and backtest the criteria used for determining the ex ante risk adjustment of the variable remuneration against the actual risk outcomes; and
j) periodically assess the achievement of performance targets, at bank level and at function/individual level, with a view to identifying needs for changes to the remuneration policies and practices.

28.2 The remuneration committee should oversee the remuneration of the executive directors, the head of the risk management structure/unit and the head of compliance.

[1] malus – an arrangement that permits the bank to reduce the value of all or part of deferred variable remuneration, based on ex post risk adjustments, before the remuneration is awarded.
[2] clawback – an arrangement under which the employee has to return an amount of variable remuneration paid in the past, under certain well-defined conditions.
29. Role and duties of the nominations committee

29.1 The nominations committee should ensure the fulfilment of at least the following duties:
a. identify and recommend candidates to fill Steering Council vacancies;
b. evaluate the balance of knowledge, skills, diversity and experience of the Steering Council and prepare a description of the roles and capabilities for a particular nomination, as well as assess the time commitment expected;
c. decide on a target for the representation of the underrepresented gender in the Steering Council and prepare a policy on how to increase the number of the underrepresented gender in the Steering Council;
d. periodically, and at least annually, assess the structure, size, composition and performance of the Steering Council, and make recommendations to the Steering Council with regard to changes that are needed;
e. periodically, and at least annually, assess the knowledge, skills and experience of individual members of the Steering Council and of the Steering Council collectively, and report to the Steering Council accordingly; and
f. periodically review the policy of the Steering Council for the selection and nomination of senior management and make relevant recommendations to the Steering Council.
Where the nominations committee is not established, the assessment and review mentioned in letters “d”, “e” and “f” of this paragraph should be performed by the Steering Council at least biennially.

29.2 In performing its duties, the nominations committee shall take account, on an ongoing basis, of the need to ensure that the Steering Council’s decision-making is not dominated by any one individual or small group of individuals in a manner that is detrimental to the interests of the bank as a whole.

29.3 The nominations committee shall be able to use any form of resources it deems appropriate, including external advice, and shall have adequate funds for this purpose.

29.4 Members of the nominations committee should have adequate collective knowledge, expertise and experience relating to the bank’s activity, to be able to assess the appropriate composition of the Steering Council, including candidates recommended to fill Steering Council vacancies.

IX. CONFLICT OF INTEREST POLICY

30. Conflict of interest policy at bank level

30.1 The Steering Council should be responsible for establishing, approving and overseeing the implementation of policies to identify, assess, prevent or mitigate actual and potential conflicts of interest at bank level, arising from the bank’s activity, from different entities within a banking/financial group, or from different business lines or units within a bank that are connected to third parties.

30.2 Banks should take, within their organisational and administrative arrangements, adequate measures to prevent conflicts of interest from adversely affecting the interests of their clients.

30.3 Banks’ measures to prevent or, where appropriate, mitigate conflicts of interest should be documented and include, inter alia:
a) an appropriate segregation of duties, e.g. of conflicting activities within the processing of transactions or of supervisory and reporting responsibilities for conflicting activities;
b) establishing information barriers, e.g. through the physical separation of certain business lines or units; and
c) establishing adequate procedures for transactions with related parties.

31. Conflict of interest policy for staff

31.1 The Steering Council should be responsible for establishing, approving and overseeing the implementation of effective policies to identify, assess, manage and mitigate or, where possible, prevent actual and potential conflicts between the interests of the bank and the private interests of staff, including members of the Steering Council, which could adversely influence the performance of their duties and responsibilities. A consolidating bank
within a banking group should consider interests within a group-wide conflict of interest policy on a consolidated basis.

31.2 The policy should aim to identify conflicts of interest of staff, including the interests of their closest family members. Banks should take into consideration that conflicts of interest may arise not only from present but also from past personal or professional relationships. Where conflicts of interest arise, banks should assess their materiality and decide on and implement, as appropriate, mitigating measures.

31.3 Regarding conflicts of interest that may result from past relationships, banks should set an appropriate timeframe for which they require their staff to disclose such conflicts of interest that may still have an impact on staff behaviour and participation in decision-making.

31.4 Beyond what Article 44, paragraph 2 of the law on banks stipulates, the conflict of interest policy should also cover the following situations or relationships where conflicts of interest may arise:
a) economic interests (e.g. shares, other ownership rights and memberships, financial holdings and other economic interests in the bank’s customers, intellectual property rights, loans granted by the bank to a company owned by staff, membership in and/or leadership of a managing body or entity with conflicting interests);
b) personal or professional relationships with the owners of qualifying holdings in the bank;
c) personal or professional relationships with staff of the bank or entities included within the scope of prudential consolidation (e.g. family relationships);
d) other employment or previous employment within the recent past;
e) personal or professional relationships with external stakeholders (e.g. relations with material suppliers, consultancies or other service providers); and
f) political influence or political relationships.

31.5 Notwithstanding the above, banks should take into consideration that being a shareholder of a bank, or having private accounts or bank loans with, or using other services of, a bank should not necessarily lead to a situation where staff are considered to have a conflict of interest, if they stay within an appropriate de minimis threshold. Staff should have the duty to promptly disclose internally any matter that may result, or has already resulted, in a conflict of interest.

31.6 The policy should differentiate between conflicts of interest that persist and, as such, need to be managed permanently, and conflicts of interest that occur unexpectedly with regard to a single event (e.g. a transaction, the selection of a service provider, etc.) and can usually be managed with a one-off measure. In all circumstances, the interest of the bank should be central to the decisions taken.

31.7 The policy should set out procedures, measures, documentation requirements and responsibilities for the identification and prevention of conflicts of interest, for the assessment of their materiality and for taking mitigating measures. Such procedures, requirements, responsibilities and measures should include at least:
a) entrusting conflicting activities or transactions to different persons;
b) preventing staff who are also active outside the bank from having inappropriate influence within the bank regarding those other activities;
c) establishing adequate procedures for transactions with related parties (banks may consider, inter alia, requiring transactions to be conducted at arm’s length, requiring that all internal control procedures fully apply to such transactions, requiring binding consultative advice from independent members of the Steering Council, requiring the approval by shareholders of the most relevant transactions and limiting exposure to such transactions).

31.8 The policy should specifically cover the risks of conflicts of interest at the level of the Steering Council and provide sufficient guidance on the identification and management of conflicts of interest that may impede the ability of members of the Steering Council to take objective and impartial decisions.

31.9 Banks should take into consideration that conflicts of interest can have an impact on the independence of mind of members of the Steering Council.

31.10 If a conflict of interest of staff is identified, the bank should document the decision taken, in particular whether the conflict of interest and the related risks have been accepted and, if accepted, how this conflict of interest has been mitigated or remedied.
31.11 All actual and potential conflicts of interest at Steering Council level, individually and collectively, should be adequately documented, communicated to the Steering Council, and analyzed by the Steering Council, aiming to prevent or mitigate them. .
32. Internal reporting (whistleblowing) procedures

32.1 Banks should design and implement appropriate internal reporting (whistleblowing) policies and procedures for staff to report actual or potential breaches of regulatory or internal requirements, in accordance with the definitions in the legal framework and sub-legal acts on whistleblowing and the protection of whistleblowers.

X. RISK CULTURE AND BUSINESS CONDUCT

33. Risk culture

33.1 A sound and consistent risk culture should be a key element of effective risk management. It should enable banks to make sound and well-informed decisions.

33.2 Banks should develop an integrated and institution-wide risk culture, based on a full understanding of the risks they face and how they are managed, taking into account the risk appetite/tolerance.

33.3 Banks should develop a risk culture through policies, communication and staff training regarding the bank’s activities, strategy and risk profile, and should adapt communication and staff training to take into account staff’s responsibilities regarding risk-taking and risk management.

33.4 Staff should be fully aware of their responsibilities relating to risk management. Risk management should not be confined to risk specialists or internal control functions. Business units, under the oversight of the Steering Council, should be responsible for managing risk on a day-to-day basis, in line with the bank’s policies, procedures and controls, taking into account the bank’s risk appetite/tolerance and risk capacity.

33.5 A strong risk culture should include, but is not limited to, the following principles:
a) Responsibility starts at the top: the Steering Council should be responsible for setting and communicating the bank’s core values and expectations. The behaviour of the members of the Council should reflect the values espoused by the bank. The Directorate, including key function holders, should contribute to the internal communication of core values and expectations to staff. Staff should act in accordance with the law and regulations and promptly escalate non-compliance, within or outside the bank (e.g. to the competent authority through the whistleblowing process). The Steering Council should, on an ongoing basis, promote, monitor and assess the risk culture of the bank, consider the impact of the risk culture on the financial stability, risk profile and robust governance of the bank, and make changes where necessary.
b) Accountability: staff at all levels should know and understand the core values of the bank and, to the extent necessary for their role, its risk appetite/tolerance and risk capacity. Staff should be capable of performing their roles and be aware that they will be held accountable for their actions in relation to risk-taking.
c) Effective communication and challenge: a sound risk culture should promote an environment of open communication and effective challenge, in which decision-making processes encourage a broad range of views, allow for testing of current practices, stimulate a constructive critical attitude among staff, and promote an environment of open and constructive engagement throughout the entire bank.
d) Incentives: appropriate incentives should play a key role in aligning risk-taking with the bank’s risk profile and its long-term interest.

34. Bank values and code of conduct

34.1 The Steering Council should develop, adapt, adhere to and support high ethical and professional standards, taking into account the specific needs and characteristics of the bank, and should ensure the implementation of such standards (through a Code of Conduct or similar instrument). The Steering Council should also oversee adherence to these standards by staff. Where applicable, the Steering Council may adopt and implement the banking/financial group’s standards, or common standards released by the association of banks or other similar organisations.

34.2 The applicable standards should aim to reduce the risks to which the bank is exposed, in particular operational and reputational risk, which can have a considerable adverse impact on a bank’s profitability and sustainability (e.g. fines, litigation costs, restrictions imposed by competent authorities, other financial and criminal penalties, and the decrease of client confidence).

34.3 The Steering Council should have clear and documented policies for how these standards should be met. These policies should:
a) stipulate that all the bank’s activities should be conducted in compliance with the applicable law and with the bank’s values;
b) support risk awareness through a strong risk culture, in line with paragraph 33 of this guideline, conveying the Steering Council’s expectation that activities will not go beyond the risk appetite/tolerance and limits defined by the bank, as well as the respective responsibilities of staff;
c) set out principles on, and provide examples of, acceptable and unacceptable behaviours, linked in particular to financial misreporting and misconduct, and to economic and financial crime (including fraud, money laundering/terrorist financing, anti-trust practices, financial sanctions, corruption, market manipulation, mis-selling and other violations of consumer protection laws);
d) stipulate that, in addition to complying with legal and regulatory requirements and internal policies, staff are expected to conduct themselves with honesty and integrity and to perform their duties with skill, care and due diligence; and
e) ensure that staff are aware of the potential internal and external disciplinary actions, legal actions and sanctions that may follow misconduct and unacceptable behaviours.

34.4 Banks should monitor compliance with such standards and ensure staff awareness, e.g. by providing training. Banks should define the function responsible for monitoring compliance with, and evaluating breaches of, the code of conduct, and a process for dealing with issues of non-compliance with this code. The results of this monitoring should periodically be reported to the Steering Council.

XI. RISK APPETITE/TOLERANCE FRAMEWORK

35. Risk appetite/tolerance framework

35.1 The risk appetite/tolerance framework (RAF) sets the bank’s risk profile and forms part of the process of developing and implementing the bank’s strategy and of determining the risks taken in relation to the bank’s risk capacity.

35.2 The RAF should provide a common framework and comparable measures across the bank for the Steering Council and the Directorate to communicate, understand and assess the types and level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the bank’s business strategy. Banks that implement a RAF most effectively are those that incorporate the framework into the decision-making process and into the bank-wide risk management framework, and that communicate and promote the framework throughout the organisation, starting from the top. Banks should check that the “top down” risk appetite/tolerance is consistent with the “bottom up” perspective through, for example, employee surveys, independent reviews and internal reporting.

35.3 The assessment of a bank’s consolidated risk profile against its risk appetite/tolerance should also be an ongoing process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish its objectives. The RAF should enable risk capacity, risk appetite/tolerance, risk limits and risk profile to be considered adequate for business lines, individually and within the group context, taking also into account existing relationships across legal entities. As such, an effective and efficient RAF should be closely linked to the development of information technology and the management of information systems in the bank.

35.4 An effective RAF should:
a) establish a process for communicating the RAF across and within the bank, as well as for sharing non-confidential information with external stakeholders (e.g. shareholders, depositors, fixed income investors);
b) be driven by both top-down Steering Council leadership and bottom-up involvement of the Directorate at all levels, and be understood across the bank;
c) facilitate embedding risk appetite/tolerance into the bank’s risk culture;
d) evaluate opportunities for appropriate risk taking and act as a defence against excessive risk-taking;
e) allow for the risk appetite/tolerance statement to be used as a tool to promote robust discussions on risk and as a basis upon which the Steering Council, the risk management function and the internal audit function can effectively and credibly debate and challenge the Directorate’s recommendations and decisions;
f) be adaptable to changing business and market conditions so that, subject to approval by the Directorate and the Steering Council as appropriate, opportunities that require an increase in the risk limit of a business line or legal entity can be met while remaining within the approved risk appetite/tolerance level; and
g) focus on activities, operations and systems of the bank that fall within its risk landscape but are outside its direct control, including subsidiaries and third-party outsourcing suppliers.

36. Risk appetite/tolerance statement

36.1 The risk appetite/tolerance statement should:
a) be easy to communicate and easy for stakeholders to understand;
b) be directly linked to the bank’s strategy;
c) address the bank’s material risks under both normal and stressed market and macroeconomic conditions;
d) set clear boundaries and expectations by establishing quantitative limits and qualitative statements; and
e) establish quantitative measures of loss or negative outcomes that can be aggregated and disaggregated. These measures may be expressed in terms of earnings, capital, liquidity or other appropriate metrics.

36.2 Qualitative statements should complement quantitative measures, set the bank’s overall approach to risk taking, and articulate clearly the motivations for taking on or avoiding certain types of risks, products, country/regional exposures or other categories.

36.3 Setting the bank-wide risk appetite/tolerance is the first step; the aggregate risk appetite/tolerance should then be allocated to the bank’s business lines, legal entities as relevant, and other levels as appropriate, in alignment with the bank’s strategic and business plans. This entails judgement and necessitates input from the bottom up as well as from the top down.

36.4 The summary risk appetite/tolerance statement should be easy for all stakeholders to understand and should address the levels and types of risk the bank is willing to accept to achieve its business objectives. Risk appetite/tolerance need not be expressed in a single document; however, the way it is expressed and the manner in which multiple documents form a “coherent whole” need to be carefully reviewed, to ensure that the Steering Council obtains a holistic, but compact and easy-to-absorb, view of the bank’s risk appetite/tolerance.

36.5 An effective risk appetite/tolerance statement should:
a) include background information and assumptions that informed the bank’s strategic and business plans at the time they were approved;
b) be linked to the bank’s short- and long-term strategic, capital and financial plans, as well as compensation programmes;
c) establish the amount of risk the bank is prepared to accept in pursuit of its strategic objectives and business plan, taking into account the interests of its customers and the fiduciary duty to shareholders, as well as capital and other regulatory requirements;
d) determine, for each material risk and overall, the maximum level of risk that the bank is willing to take, based on its overall risk appetite/tolerance, risk capacity and risk profile;
e) include quantitative measures that can be translated into risk limits applicable to business lines and legal entities at group level, which in turn can be aggregated and disaggregated to enable measurement of the risk profile against risk appetite/tolerance and risk capacity;
f) include qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk, including reputational and other conduct risks across the markets where the bank is active, and establish some form of boundaries or indicators (e.g. non-quantitative measures) to enable monitoring of these risks;
g) ensure that the strategy and risk limits of each business line and legal entity align with the bank’s risk appetite/tolerance statement; and
h) be forward looking and, where applicable, subject to scenario and stress testing, to ensure that the bank understands what events might push it outside its risk appetite/tolerance and/or risk capacity.
37. Risk limits

37.1 For the purposes of risk appetite/tolerance, risk limits are the allocation of the bank’s aggregate risk appetite/tolerance statement to business lines, levels and entities of the banking/financial group, specific risk categories, concentrations and, as appropriate, other levels. In order to facilitate effective monitoring and reporting, risk limits should be specific and sensitive to the shape of actual portfolios, measurable, frequency-based, reportable, and based on forward-looking assumptions.

37.2 Having measurable risk limits can prevent a bank from exceeding its risk capacity as market conditions change, and can be an effective defence against excessive risk-taking. In setting risk limits, banks should consider the interaction between risks within and across business lines, and their compounding impact on exposures and outcomes.

37.3 Risk limits should:
a) be set at a level that constrains risk-taking within the risk appetite/tolerance, taking into account the interests of customers and shareholders as well as capital and regulatory requirements, the consequences in the event that a risk limit is breached, and the likelihood that each material risk is realised;
b) be established for business lines and legal entities and generally be expressed relative to earnings, capital, liquidity or other relevant measures (e.g. growth, volatility);
c) include material risk concentrations at the bank or group-wide level, and at business line and legal entity levels as relevant (e.g. counterparty, industry, country/region, collateral type, product);
d) not be overly complicated, ambiguous or subjective; and
e) be monitored regularly.

Banks should ensure that risk limits are aligned with the provisions of the strategy, policies and other documents (e.g. the guidelines on the Internal Capital Adequacy Assessment Process and on the Internal Liquidity Adequacy Assessment Process, recovery plans, etc.).

38. Definition of the role and responsibilities of the Steering Council, Directorate and executive directors

38.1 The Steering Council must establish the Risk Appetite Framework (hereinafter referred to as the “RAF”) and approve the risk appetite/tolerance statement, which should be developed in collaboration with the chief executive officer and the executive directors in charge of the risk and finance functions.

38.2 The directors mentioned in paragraph 38.1 above should translate those expectations into targets and constraints for business lines and legal entities to follow. Independent assessment of the bank’s RAF (e.g. by the external auditor and/or independent third parties) is critical to the ongoing monitoring and evaluation of the design and overall effectiveness of a bank’s internal controls and risk management.

38.3 A strong relationship between the Steering Council, the executive directors, the business line leaders and internal audit plays an instrumental role in the RAF’s effectiveness. Banks should allocate roles and responsibilities in accordance with their organisational structure, but the oversight and control functions (usually performed by the executive directors, business line leaders and internal audit) should play a key role.

38.4 The statement should be approved by the Steering Council, to ensure the highest level of understanding of the bank’s risk appetite/tolerance.

38.5 The Steering Council should also ensure that the risk limits in the risk appetite/tolerance statement are reflected appropriately in strategic business plans and specific risk limits.
39. Role and responsibilities of the Steering Council

39.1 The Steering Council should:
a) approve the bank’s RAF, developed in collaboration with the chief executive officer (CEO), chief risk officer and chief finance officer, and ensure it remains consistent with the bank’s short- and long-term strategy, business and capital plans, risk capacity, and compensation programmes;
b) hold the CEO and other directors accountable for the viability of the RAF, including the timely identification, management and escalation of breaches of risk limits and of material risk exposures;
c) ensure that annual business plans are in line with the approved risk appetite/tolerance and that incentives/disincentives are included in the compensation programmes to facilitate implementation of the risk appetite/tolerance;
d) include an assessment of risk appetite/tolerance in strategic discussions, including decisions regarding legal reorganisations and growth in business lines or products;
e) regularly review and monitor the actual risk profile and risk limits against the agreed levels (e.g. by business line, entities within a banking/financial group, products, risk category), including qualitative measures of conduct risk;
f) discuss breaches of risk limits and monitor them to ensure appropriate action is taken;
g) obtain an independent assessment (through internal assessors and/or third parties) of the design and effectiveness of the RAF and its alignment with supervisory expectations;
h) have mechanisms in place to ensure the Directorate can act in a timely manner to effectively manage and, where necessary, mitigate material adverse risk exposures, in particular those that are close to or exceed the approved risk appetite/tolerance statement or risk limits;
i) discuss with supervisors decisions regarding the establishment and ongoing monitoring of risk appetite/tolerance, as well as material changes in the current risk appetite/tolerance levels or in regulatory expectations regarding risk appetite/tolerance;
j) ensure adequate resources and expertise are dedicated to risk management as well as internal audit, in order to provide independent assurance to the Steering Council and Directorate that they are operating within the approved RAF, including the use of third parties to supplement existing resources where appropriate; and
k) ensure risk management is supported by adequate and robust information technology and management of information systems, to enable identification, measurement, assessment and reporting of risk in an accurate and timely manner.
40. Role and responsibilities of the Chief Executive Officer

40.1 The Chief Executive Officer (CEO) should:
a) establish an appropriate risk appetite/tolerance for the bank (in collaboration with the chief risk officer and chief finance officer) which is consistent with the bank’s short- and long-term strategy, business and capital plans, risk capacity and compensation programmes, and which also aligns with supervisory expectations;
b) be accountable, together with the chief risk officer, chief finance officer and business line leaders, for the integrity of the RAF, including the timely identification and escalation of breaches of risk limits and of material risk exposures;
c) ensure, in conjunction with the chief risk officer and chief finance officer, that the risk appetite/tolerance is appropriately translated into risk limits for business lines and legal entities, and that business lines and legal entities incorporate risk appetite/tolerance into their strategic and financial planning, decision-making processes and compensation decisions;
d) ensure that the bank’s risk appetite/tolerance statement is implemented by the Directorate through consistent risk appetite/tolerance statements or specific risk limits for business lines and legal entities;
e) provide leadership in communicating risk appetite/tolerance to internal and external stakeholders, so as to help embed the bank’s risk culture for appropriate risk taking;
f) ensure support for the chief risk officer and chief finance officer in their responsibilities, including the effective implementation of risk appetite/tolerance in their decision-making processes;
g) ensure business lines and legal entities have processes in place to effectively identify, measure, monitor and report on the risk profile relative to established risk limits on a continual basis;
h) dedicate sufficient resources and expertise to risk management, internal audit and information technology infrastructure, to help provide effective oversight of adherence to the RAF;
i) act in a timely manner to ensure effective management and, where necessary, mitigation of material risk exposures, in particular those that are close to or exceed the approved risk appetite/tolerance statement and/or risk limits; and
j) design rules and procedures for notifying the Steering Council and supervisors of serious breaches of risk limits, and ensure their implementation.
41. Role and responsibilities of the Chief Risk Officer

41.1 The Chief Risk Officer (CRO) should:
a) develop an appropriate risk appetite/tolerance for the bank (in collaboration with the CEO and chief finance officer) that meets the needs of the bank and aligns with supervisory expectations;
b) actively monitor the bank’s risk profile relative to its risk appetite/tolerance, strategy, business and capital plans, and risk capacity;
c) establish a process for reporting on risk and on the alignment of risk appetite/tolerance and risk profile with the bank’s risk culture;
d) ensure the integrity of the risk measurement techniques and management of information systems that are used to monitor the bank’s risk profile relative to its risk appetite/tolerance;
e) establish and approve, in collaboration with the CEO and chief finance officer, appropriate risk limits for business lines and legal entities that are prudent and consistent with the bank’s risk appetite/tolerance statement;
f) independently monitor business line and legal entity risk limits and the bank’s aggregate risk profile, to ensure they remain consistent with the bank’s risk appetite/tolerance;
g) act in a timely manner to ensure effective management and, where necessary, mitigation of material risk exposures, in particular those that are close to or exceed the approved risk appetite/tolerance and/or risk limits; and
h) report promptly to the Steering Council and CEO any material risk limit breach that places the bank at risk of exceeding its risk appetite/tolerance and, in particular, of endangering the financial condition of the bank.

42. Role and responsibilities of the Chief Finance Officer

42.1 The Chief Finance Officer (CFO) should:
a) develop an appropriate risk appetite/tolerance for the bank (in collaboration with the CEO and CRO) which is consistent with the bank’s short- and long-term strategy, business and capital plans, risk capacity and compensation programmes;
b) incorporate risk appetite/tolerance into the bank’s compensation and decision-making processes (in collaboration with the CEO and CRO), including business planning, new products, legal reorganisations, and risk assessment and capital management processes;
c) work effectively with the CEO and CRO to establish, monitor and report on adherence to applicable risk limits;
d) act in a timely manner to ensure effective management and, where possible, mitigation of material risk exposures, in particular those that are close to or exceed the approved risk appetite/tolerance and/or risk limits; and
e) escalate promptly to the CEO and, if appropriate, the Steering Council any breaches of risk limits and material risk exposures that would endanger the bank’s financial condition.

43. Role and responsibilities of the Business Line Leaders

43.1 The Business Line Leaders should:
a) be accountable for the effective management of risk within their business unit;
b) ensure alignment between the approved risk appetite/tolerance and the planning, compensation and decision-making processes of the business unit and legal entity;
c) embed the risk appetite/tolerance statement and risk limits into their activities, so as to embed prudent risk taking into the bank’s risk culture and day-to-day management of risk;
d) actively monitor adherence to approved risk limits;
e) cooperate with the CRO and the risk management function and not interfere with their independent duties;
f) implement controls and processes to be able to effectively identify, monitor and report against allocated risk limits;
g) act in a timely manner to ensure effective management and, where necessary, mitigation of material risk exposures, in particular those that exceed or have the potential to exceed the approved risk appetite/tolerance and/or risk limits; and
h) escalate in a timely manner breaches of risk limits and material risk exposures to the CRO and the Directorate.

44. Role and responsibilities of the internal audit

44.1 The internal audit should:
a) routinely include assessments of the RAF on a bank-wide basis, as well as on an individual business line and legal entity basis;
b) identify whether breaches of risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the Steering Council and Directorate as appropriate;
c) independently assess, periodically, the design and effectiveness of the RAF and its alignment with supervisory expectations;
d) assess the effectiveness of the implementation of the RAF, including its linkage to organisational culture, strategic and business planning, compensation, and decision-making processes;
e) assess the design and effectiveness of the risk measurement techniques and management of information systems used to monitor the bank’s risk profile in relation to its risk appetite/tolerance;
f) report in a timely manner to the Steering Council and Directorate any material deficiencies in the RAF and on the alignment of risk appetite/tolerance and risk profile with risk culture; and
g) evaluate the need to supplement its own independent assessment with expertise from third parties, to provide a comprehensive independent view of the effectiveness of the RAF.
45. New products

45.1 The bank should have in place a well-documented new product approval policy (NPAP), approved by the Steering Council, that addresses entry into new markets, the development of new products and services or significant changes to existing ones, and participation in exceptional transactions, e.g. mergers and acquisitions, the setting up of new structures, or single purpose vehicles. This policy should in addition encompass material changes to related processes (e.g. new outsourcing arrangements) and systems (e.g. IT change processes). The NPAP should ensure that the necessary steps are taken so that products, services and changes of processes are consistent with the risk strategy and the risk appetite/tolerance of the bank and the corresponding limits, before their approval.

45.2 The NPAP should also include the definitions of “new product/market/business” and “significant changes” to be used by the bank, and the internal functions to be involved in the decision-making process.

45.3 The NPAP should set out the main issues to be addressed before a decision is made. These should include regulatory compliance, accounting, pricing models, the impact on risk profile, capital adequacy and profitability, the availability of adequate front, middle and back-office resources, and the availability of adequate internal tools and expertise to understand and monitor the associated risks. The decision to launch a new activity should clearly identify the accountable business unit and persons. A new activity should be undertaken only when adequate resources to understand and manage the associated risks are available.

45.4 The risk management function, the compliance function and the legal unit should be involved in approving new products or significant changes to existing products, processes and systems. Their input should include a full and objective assessment of the risks arising from new activities under a variety of scenarios, of any potential shortcomings in the bank’s risk management and internal control frameworks, and of the ability of the bank to manage any new risks effectively. The risk management function and the compliance function should also have a clear overview of the roll-out of new products (or significant changes to existing products, processes and systems) across different business lines and portfolios, and the power to require that changes to existing products go through the formal NPAP process.
Appendix 1 of the Guideline

Non-exhaustive list of skills that banks should consider when performing their suitability assessments for Steering Council members and key function holders.

a) Authenticity: is consistent in word and deed and behaves in accordance with his or her own stated values and beliefs. Openly communicates his or her intentions, ideas and feelings, encourages an environment of openness and honesty, and correctly informs the supervisor about the actual situation, while acknowledging risks and problems.
b) Language: is able to communicate orally in a structured and conventional way.
c) Communication: is capable of conveying a message in an understandable and acceptable manner, and in an appropriate form. Focuses on providing and obtaining clarity and transparency, and encourages discussion.
d) Decisiveness: takes timely and well-informed decisions by acting promptly or by committing to a particular course of action, for example by expressing his or her views and not procrastinating.
e) Judgement: is capable of weighing up data and different courses of action and coming to a logical conclusion. Examines, recognises and understands the essential elements and issues. Has the breadth of vision to look beyond his or her own area of responsibility, especially when dealing with problems that may jeopardise the continuity of the bank.
f) Customer and quality-oriented: focuses on providing quality and, wherever possible, finding ways of improving it. Specifically, this means withholding consent from the development and marketing of products and services, and from capital expenditure, in circumstances where he or she is unable to gauge the risks properly owing to a lack of understanding of the architecture, principles or basic assumptions. Identifies and studies the wishes and needs of customers, ensures that customers run no unnecessary risks, and arranges for the provision of correct, complete and balanced information to customers.
g) Leadership: provides direction and guidance to a group, develops and maintains teamwork, motivates and encourages the available human resources, and ensures that members of staff have the professional competence to achieve a particular goal. Is receptive to criticism and provides scope for critical debate.
h) Loyalty: identifies with the bank and has a sense of involvement. Shows that he or she can devote sufficient time to the job and can discharge his or her duties properly, defends the interests of the bank, and operates objectively and critically. Recognises and anticipates potential conflicts of personal and business interest.
i) External awareness (staying informed): monitors developments, competencies and attitudes within the bank. Is well informed on relevant financial, economic, social and other developments at national and international level that may affect the bank, and on its stakeholders, and is able to put this information to effective use.
j) Negotiator: identifies and reveals common interests in a manner designed to build consensus, while pursuing the negotiation objectives.
k) Persuasive: is capable of influencing the views of others by exercising persuasive powers and using natural authority and tact. Is a strong personality and capable of standing firm.
l) Teamwork: is aware of the group interest and contributes to the common result; is able to function as part of a team.
m) Acumen: is capable of developing a realistic vision of future developments and translating this into long-term objectives, for example by applying scenario analysis. In doing so, takes account of the risks that the bank is exposed to and takes appropriate measures to control them.
n) Stress resistance: is resilient and able to consistently fulfil his or her duties even when under great pressure or in times of uncertainty.
o) Sense of responsibility: understands internal and external interests, evaluates them carefully and takes them into consideration. Has the capacity to learn and to realise that his or her actions affect the interests of stakeholders.
p) Chairing meetings: is capable of chairing meetings efficiently and effectively and of creating an open atmosphere that encourages everyone to participate on an equal footing; is aware of other people’s duties and responsibilities.
