Credit Risk Management

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-1 The translation is intended solely for the convenience of the reader. Only the Hebrew text is binding. Credit Risk Management Credit Risk Management Principles

1. The board of directors of a banking corporation shall devise a credit management strategy, construct a risk management framework, and approve and periodically review the banking corporation’s credit policy statement. The strategy shall reflect the tolerance for risk, as set forth in Chapter C of Proper Conduct of Banking Business Directive 310 (“Risk Management”), and the level of profitability the banking corporation expects to achieve for incurring various credit risks.
2. Senior management is responsible for implementing the credit risk strategy set forth by the board of directors and for developing a credit risk management framework anchored in a policy statement and in procedures for identifying, measuring, monitoring, and controlling credit risk. Such policies and procedures shall address credit risk in all activities of the banking corporation and shall be applicable at both the individual credit and portfolio levels.
3. A banking corporation shall identify and manage the credit risks inherent in all its products and activities. It shall ensure that the risks in new products and new activities be subject to adequate procedures and controls before they are introduced or created. It shall also ascertain that new products and activities receive prior approval from the board of directors or an appropriate board committee, as set forth in Section 16 of Directive 310.
4. A banking corporation shall operate within sound, well-defined credit-granting criteria. These criteria shall include clear guidelines concerning the target market and thorough understanding of the borrower or counterparty, the purpose and structure of the credit, and its source of repayment.
5. A banking corporation shall establish overall credit limits at the level of individual borrowers and counterparties and for groups of connected counterparties that aggregate, in a comparable and meaningful manner, different types of exposures, both in the banking and trading book and on and off the balance sheet (not only

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-2 those dealt with in Directive 313). These exposure limits shall be set so as to offer added value and comparability. 6. A banking corporation shall have a clearly established process in place for granting new credit as well as the amendment, renewal, and re-financing of existing credit (in this Directive, “Credit granting”). 7. All extensions of credit must be made under market conditions and in accordance with accepted policies and processes. In particular, to prevent abuse and to handle conflicts of interests, credits to related parties entail special approval and shall be monitored with particular care to control or mitigate the risks of non-arm’s-length lending. 8. A banking corporation shall have in place a system for the ongoing administration of its various credit risk-bearing portfolios. 9. A banking corporation shall have in place a system for monitoring the condition of individual credits, including determining the adequacy of the classification and of credit loss provisions. 10. A banking corporation shall develop and validate an internal credit rating system and use it in managing credit risk. The rating system shall be consistent with the nature, size, and complexity of the corporation’s activities. (See also Proper Conduct of Banking Business Directive 314, “Proper Assessment of Credit Risks and Proper Measurement of Debts.”) 11. A banking corporation shall have information systems and analytical techniques that enable management to measure the credit risk inherent in all on- and off￾balance sheet activities. The management information systems shall provide adequate information on the composition of the credit portfolio, including identification of any concentrations of risk. 12. A banking corporation shall have in place a system for monitoring the overall composition and quality of its credit portfolio. 13. A banking corporation shall take into consideration potential future changes in economic conditions when assessing individual credits and credit portfolios, and

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-3 shall assess its credit risk exposures under adverse scenarios including stress scenarios. 14. A banking corporation shall establish a system for independent, ongoing assessment of its credit risk management processes and the results of such reviews should be communicated directly to the board of directors and senior management. (See also Proper Conduct of Banking Business Directive 310.) 15. A banking corporation shall ensure that its credit-granting business functions are well managed and that its credit exposures do not deviate from the credit policies set forth, including internal limits. It shall have in place internal controls and other measures to ensure that exceptions to policies, procedures, and limits are immediately reported to the appropriate echelon (including the board of directors) for action. 16. A banking corporation shall have in place an appropriate organizational structure, systems and processes in place for early remedial action on deteriorating credits, managing problem credits, workout, and similar situations (see Proper Conduct of Banking Business Directive no. 314A on the issue of “Management of Workout and Collection Processes involving Substantial Troubled Credit”.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-4 Introduction

1. While banks have faced difficulties over the years for a multitude of reasons, the major cause of serious banking problems continues to be directly related to inadequate procedures for credit to borrowers and counterparties, poor portfolio risk management, or lack of attention to changes in economic or other circumstances that can lead to a deterioration in the credit standing of counterparties to which the bank is exposed. This conclusion is based on experience amassed by banks in both more advanced economy and less advanced economy countries.
2. Credit risk is most simply defined as the potential that a borrower from or a counterparty vis-à-vis a banking corporation will fail to meet its obligations in accordance with agreed terms. The goal of credit risk management is to maximize a bank’s risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banking corporations need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banking corporations should also consider the relationship between credit risk and other risks. Effective management of credit risk is a critical component of comprehensive risk management and is essential to the long-term success of any banking institution.
3. Loans are the largest and most obvious source of credit risk to a banking corporation. However, other sources of credit risk exist in many other activities of a banking corporation, including the banking book and the trading book, and both on and off the balance sheet. Banking corporatons are increasingly facing credit risk (and counterparty risk) in various financial instruments other than loans, including interbank transactions, trade financing, foreign exchange transactions, financial futures, swaps, bonds, equities, and options; the extension of commitments and guarantees; and the settlement of transactions.
4. Since exposure to credit risk remains the leading source of problems in banks worldwide, banking corporations must be able to draw useful lessons from past experience. A banking corporation should have a keen awareness of the need to

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-5 identify, measure, monitor, supervise, and control credit risk as well as to determine that they hold adequate capital against these risks and that they are adequately compensated for risks incurred. This Directive was drawn up to promote the establishment of sound working methods for the management of credit risk. Although the principles contained in this Directive relate mainly to lending activity, they should be applied to all activities where credit risk is present. 5. A specific example of credit risk relates to the process of settling financial transactions. If one side of a transaction is settled but the other fails, a loss equal to the principal amount of the transaction may be incurred. Even if one party is simply late in settling, the other party may incur a loss relating to missed investment opportunities. Thus, settlement risk (i.e., the risk that the completion or settlement of a financial transaction will fail to take place as expected) includes elements of liquidity, market, operational, and reputational risk as well as credit risk. The level of risk is determined by the particular arrangements for settlement. Factors in such arrangements that have a bearing on credit risk include the timing of the exchange of value; payment/settlement finality; and the role of the intermediary and the clearing house. 6. The credit risk management practices set out in this Directive specifically address the following areas: (i) establishing an appropriate credit risk environment; (ii) operating within a sound credit-granting framework; (iii) maintaining appropriate and up-to-date credit administration, measurement, monitoring and supervision processes; (iv) ensuring adequate controls over credit risk, as well as (v) processes for managing troubled debts and restructuring deteriorating debts (see also Proper Conduct of Banking Business Directive no. 314A on “Management of Workout and Collection Processes involving Substantial Troubled Credit” Although specific credit-risk management practices may differ among banking corporations depending upon the nature and complexity of their credit activities, a comprehensive credit-risk management program shall address these four areas. These practices should also be applied in conjunction with sound practices related

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-6 to the assessment of asset quality, the adequacy of provisions, and the disclosure of credit risk. 7. The principles set forth in this Directive shall serve the Banking Supervision Department in assessing a banking corporation’s credit-risk management systems. The credit-risk management approach that a banking corporation applies shall correspond to the extent of its activity and its level of sophistication.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-7 A. Establishing an appropriate credit risk environment Principle 1: The board of directors of a banking corporation shall devise a credit management strategy, construct a risk management framework, and periodically approve and review the banking corporation’s credit policy statement. The strategy should reflect risk appetite, as set forth in Chapter C of Proper Conduct of Banking Business Directive 310 (“Risk Management”) and the level of profitability the banking corporation expects to achieve for incurring various credit risks. 8. The board of directors of a banking corporation has a critical role to play in overseeing the banking corporation’s credit granting and credit-risk management functions. Each banking corporation shall develop a credit risk strategy that establishes the objectives and basic principles of the banking corporation’s credit granting activities and shall adopt the necessary policies and procedures for conducting such activities. Accordingly, a banking corporation shall construct a credit-risk management framework that includes policies and procedures for these activities, all of which anchored in a credit policy statement and allowing continued advancement of the banking corporation’s goals even in situations of changes in management. For details relating to the requisite contents of the credit policy statement, see Section 15 below. a. The credit management strategy and the credit policy statements shall be approved and periodically reviewed by the board of directors (in accordance with Section 18 of Proper Conduct of Banking Business Directive 301, “Board of Directors,” hereinafter “Directive 301,” i.e., at least once per year). b. The board of directors shall also approve mid-year changes in the credit policy and shall examine the need for mid-year changes in response to external changes that so require. The board of directors shall assure that the strategy and the policy covers all banking corporation activities in which credit exposure carries a significant risk.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-8 c. The board of directors of a controlled corporation shall consider the objectives of the group’s overall strategy and credit risk policy insofar as they are consistent with the well-being of the controlled corporation. d. To allow the board of directors to perform thorough examination of the risk and the control mechanisms applied by management, it shall be presented with clear, high quality, complete, relevant, and up-to-date information that shall include, inter alia:

1. a review of the state of the business environment;
2. a description of main developments in credit risk and their effect on capital adequacy, particularly in respect of the following: (1) compliance with the limitations and targets set forth in the credit policy; (2) composition of the credit portfolio in terms of measures of risk and concentration (diversification) of credit (sectoral, geographic, large borrowers, borrower groups, etc.); (3) developments in outstanding problem debts and credit-loss allowances, significant credit defaults, and so on.
3. a description of main problems with which management is contending, including specific significant borrowers;
4. data concerning credit approvals that deviated from policies;
5. stress tests, their outcomes, and their underlying assumptions;
6. information in periodic reports that are presented to the board of directors for discussions concerning the “business situation of the banking corporation,” as set forth in Section 8 of Directive 301.
7. Credit management strategy: a. The strategy shall set credit granting targets based on types of exposure (e.g., commercial, consumer, real estate), industry, geographic location, currency, maturity, and expected profitability. The strategy shall also identify target

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-9 markets and general indicators that the banking corporation is interested in attaining in its credit portfolio (including concentration targets and limitations). b. The strategy should give recognition to the goals of credit quality, earnings, and growth. Every banking corporation, regardless of size, is in business to be profitable and, consequently, must determine the acceptable risk/reward trade￾off for its activities, factoring in the cost of capital. The board of directors shall approve the banking corporation’s strategy for selecting risks and maximizing profits. The board shall periodically review the financial results of the banking corporation and, based on these results, determine if changes need to be made to the strategy. The board must also determine that the banking corporation’s capital is adequate for the risks to which the corporation is exposed. c. The credit risk strategy of a banking corporation should be consistent. Therefore, the strategy should take into account the cyclical aspects of the economy and the resulting shifts in the composition and quality of the overall credit portfolio. Although the strategy should be periodically assessed and amended, its essence should be valid in the long run and should remain so amid changes in the economic cycle. d. The credit strategy and policies of the banking corporation should be effectively assimilated at all levels of the organization. All relevant personnel should clearly understand the banking corporation’s approach to granting and managing credit, and should be held accountable for complying with established policies and procedures. 10. The board of directors should ensure that senior management is fully capable of managing the credit activities conducted by the banking corporation and that such activities are done within the risk strategy, policies, and tolerances that the board has approved. a. The board shall approve the organizational structure of the credit granting functions and the powers and responsibilities at various levels of management that flow from this organizational structure—including control functions,

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-10 particularly those involved in independent review of credit approvals and the performance of management and of the credit portfolio at large. b. The board of directors shall establish a format for, and frequency of, regular reporting on the performance of the banking corporation and the level of its credit risk exposure, and shall oversee the soundness of timely detection of problem debts, the soundness of their classification, and the adequacy of credit loss allowances on their account. c. The board of directors shall establish a format for, and frequency of, credit control reporting, particularly: the scope and comprehensiveness of the reports, review of findings, distribution and monitoring, as well as the qualifications and independence of credit-control unit employees. 11. Credit to customers who have a relationship with officers at the banking corporation shall be managed like any other credit. To prevent conflicts of interest in such cases, officers who may be considered involved in a transaction shall not be involved in the banking corporation’s decision-making processes. In this context, see also Sections 56–57 of Directive 301. 12. The board of directors shall ensure that the banking corporation’s remuneration policies do not contradict its credit risk strategy. Remuneration policies that reward unacceptable behavior, such as generating short-term profits while deviating from credit policies or exceeding established limits, weaken the banking corporation’s credit processes. Principle 2: Senior management is responsible for implementing the credit risk strategy set forth by the board of directors and for developing a credit risk management framework anchored in a policy statement and in procedures for identifying, measuring, monitoring, supervising, and controlling credit risk. Such policies and procedures shall address credit risk in all activities of the banking corporation and shall be applicable at both the individual credit and portfolio levels.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-11 13. Senior management of a banking corporation is responsible for implementing a credit-risk management framework that accords with the strategy set forth by the board of directors. a. Senior management shall ascertain that the banking corporation’s credit￾granting activities conform to the established strategy and that procedures have been developed that are clear, binding, and approved by the appropriate function at the banking corporation. b. Senior management shall ascertain that the procedures are applied in practice and that the responsibility for credit granting and control is clear and properly assigned to the relevant functions. c. Senior management shall ascertain that a periodic independent internal assessment of the credit-granting and management functions is conducted. Credit policy: 14. A cornerstone of sound banking management is the implementation of written policies, anchored in a policy statement, and procedures related to identifying, measuring, monitoring, supervising, and controlling credit risk. The credit policy establishes the framework for lending and guides the banking corporation’s credit￾granting activities. The Chief Risk Officer of a banking corporation is responsible for helping the Chief Executive Officer to prepare the credit policy statement in conjunction with all relevant functions at the banking corporation, particularly staff and managers of business lines. 15. The credit policy statement shall include, inter alia: a. a standard definition of the term “risk” in order to ensure consistency in identifying, rating, and managing risk; b. a description of the structure of risk management governance, including lines of reportage and responsibility and clear separation of the three lines of defense specified in Section 4 of Proper Conduct of Banking Business Directive 310, “Risk Management” (hereinafter: “Directive 310”);

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-12 c. a description of the working methods and tools that shall be used in identifying, measuring, assessing, monitoring, overseeing, and controlling focal points of risk, including testing the possible effects of macroeconomic developments on the credit portfolio and stress testing (see also Chapter D of Directive 310); d. the desired risk profile of the credit portfolio, including a breakdown of types of loans that the banking corporation issues, business objectives and target markets, and composition of the credit portfolio—quantitative targets at the portfolio and product levels (for significant products), with reference to indicators of magnitude, diversification, and risk; e. setting of risk tolerance and desired limits at the portfolio and product levels, including per-industry limits, borrower and borrower-group exposure limits, leveraged lending limits (as noted in Proper Conduct of Banking Business Directive 327 “Leveraged Lending Management”, hereinafter, “Directive 327”), exposure by credit ratings, exposure to target markets, geographic limitations, currency exposure, maturity and collateral-concentration exposure, desired ratio of total credit to the public to total banking corporation assets and capital, share of troubled loans and losses that the banking corporation is willing to absorb as well as other limitations, in accordance with the credit portfolio structure and characteristics and the risk factors to which the banking corporation is exposed (see also Section 18 below). Within this construct, the banking corporation’s approach to determining, monitoring, and controlling focal points of risk and risk exposure limitations shall be described. e1. internal limits on providing credit to borrowers that are leveraged to a materially higher extent than accepted in the industry. The banking corporation shall determine the materiality threshold, such that any credit of an amount higher than that will be subject to these limits. The banking corporation shall define the manner of calculating borrowers’ leverage level.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-13 f. credit risk mitigation policy (e.g., by means of credit insurance, sale of debts, syndication) and the use of additional mechanisms to mitigate portfolio concentration; g. a program for monitoring developments in the credit portfolio, including indicators for reporting, frequency of reporting, action plans when credit risk increases or when limits are breached, and description of management information systems (see also Chapter E of Directive 310); h. requisite borrower characteristics for credit granting (including general conditions and covenants) including assessment of capacity to repay, credit rating, business experience, updated financial data—which allow the reliable analysis of the borrower’s up to date financial status, the strength and stability of the initial and secondary sources of repayment, and conditions under which the banking corporation will agree to extend credit (e.g., LTV ratio, maximum amount of exposure, and accepted collateral). In particular, the policy shall refer to leveraged lending in accordance with the requirements detailed in Directive 327; i. a hierarchy of credit powers, including definition of powers for exceptional approvals in contravention of ordinary rules and ordinary price policy. The hierarchy shall be determined so as to limit the involvement of the board of directors in approving credit that deviates from the credit policy set forth. It shall also set a threshold, in absolute or relative terms, for an amount of banking corporation capital beyond which the authority to approve credit shall be vested in senior management; j. loan pricing—the requisite correlation of risk to reward, interest terms, and other terms; k. maximum maturity, with reference to the expected source of repayment, purpose of the loan, and duration of collateral. Amortization schedules shall be determined in accordance with customer’s capacity to repay;

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-14 l. collateral policy—particularly, specification of types of collateral that the banking corporation agrees to accept, safety margins relating to them, and maximum LTV ratio for collateral; m. policy on lending to staff and related parties; n. policy on managing problem debts, including a method for the identification and classification of debts, the creation of credit loss allowances, and policy on collection, settlement, and write-off of debts, among other things as detailed in Proper Conduct of Banking Business Directive no. 314A on “Management of Workout and Collection Processes involving Substantial Troubled Credit”; o. specification of uses of the outcomes of the rating system, as described in Principle 10 below; p. the banking corporation’s program for avoiding association with individuals involved in fraudulent activities and other crimes, subject to the terms of any law; q. reference to housing loans, including:

1. limiting the total loan so that total borrowing from all sources, including government and other deposits for which the depositor is not liable, shall not exceed a certain fraction of dwelling value as the banking corporation’s management shall specify;
2. if the loan that is for the purchase of a dwelling is from earmarked deposits for which the depositor is liable—criteria relating to the collateral that the borrower must provide. r. reference to the originator’s pipeline1 transactions: Market disruptions can substantially impede the ability of an arranger to consummate syndications or otherwise sell down exposures, which may result in material losses. Accordingly, banking corporations should have strong risk 1 “Pipeline transactions” are syndication transactions in which the organizing bank has not yet completed the process of selling/distributing the credit to the additional financial institutions that are particiapting in the syndication.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-15 management and controls over transactions in the pipeline, including amounts to be held and those to be distributed. The credit policy of an originator should include, at least, reference to the following issues:

1. A clearly articulated and documented appetite for underwriting risk that considers the potential effects on earnings, capital, liquidity, and other risks that result from pipeline exposures;
2. Written policies and procedures for defining and managing distribution failures and “hung” deals, which are characterized by an inability to sell down the exposure within a reasonable period (generally 90 days from transaction closing). The banking corporation’s board of directors and management should establish clear expectations for the disposition of pipeline transactions that have not been sold according to their original distribution plan. Such transactions that are subsequently reclassified as hold-to-maturity should also be reported to management and the board of directors;
3. Limits on aggregate pipeline commitments;
4. Limits on the amount of loans that a banking corporation is willing to retain on its own books (that is, borrower, counterparty, and aggregate hold levels), and limits on the underwriting risk that will be undertaken for amounts intended for distribution;
5. Plans and provisions addressing contingent liquidity when market liquidity or credit conditions change, interrupting normal distribution channels.
6. The policy should be clearly defined, consistent with prudent banking practices and relevant supervisory requirements, and adequate for the nature and complexity of the banking corporation’s activities. They should be designed and implemented within the context of internal and external factors such as the banking corporation’s market position, trade area, human capital capabilities, and technology. Policies and procedures that are properly developed and implemented enable the banking

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-16 corporation to (i) maintain sound credit-granting standards, (ii) monitor, supervise, and control credit risk, (iii) properly evaluate new business opportunities, (iv) identify and administer problem credit, and (v) learn lessons from prior failure events. 17. Credit policy shall ensure ongoing painstaking assessment of credit risk even under “good” economic conditions and, in particular, shall establish rules to prevent the eventuation of the following risks: a. over-reliance on borrowers’ optimistic forecasts and those that expect favorable conditions to continue—lengthy and ongoing periods of economic well-being may prompt a banking corporation to base its decisions on optimistic assessments by the borrower and to assume that the borrower will continue to enjoy free access to the market for financing under convenient terms in the future. Such optimism may be manifested in an assumption that vigorous growth is the logical expected scenario; reliance on positive collateral valuations that fit poorly with long-term expectations; willingness to grant loans without a systematic repayment schedule; willingness to waive borrower undertakings, release collateral, forgo guarantees, or restructure the loan under the assumption that the borrower will recover quickly under auspicious economic conditions; b. under-reliance on stress testing—credit policy should specify meaningful stress tests for the borrower’s expected ability to meet its obligations. 18. As stated below (Sections 28 and 35–39), a banking corporation shall develop and apply policies and procedures that will assure adequate diversification of its credit portfolio in accordance with its target markets and overall credit strategy. As stated in Section 1(c) of Proper Conduct of Banking Business Directive 313, “Limitations on the Indebtedness of a Borrower and a Group of Borrowers” (hereinafter: “Directive 313”), a banking corporation must set internal limits.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-17 18a. A banking corporation must ensure that the internal exposure limits that it sets do not clash with limits or restrictions set by the Banking Supervision Department. The supervisory restrictions are minimum rules. 19. To be effective, credit policies must be assimilated throughout the organization, implemented through appropriate procedures, and monitored and periodically revised to take into account changing internal and external circumstances. They shall be applied on a banking group basis, subject to the provisions of law, and at the level of individual banking corporations. Risk concentrations shall be analyzed at the level of legal entity in the banking corporation, and at the consolidated level, since uncontrolled concentration at a banking corporation that is a subsidiary may be perceived as immaterial at the consolidated level but may threaten to destabilize the subsidiary nevertheless. Furthermore, the policies shall address equally the important control functions relating to the review of individual credits and the assurance of appropriate diversification at the portfolio level. 20. “Country risk” and “transfer risk”: a. When a banking corporation engages in granting credit internationally, it incurs, in addition to the standard credit risk, risk associated with conditions in the home country of a foreign borrower or counterparty. Country risk encompasses the entire spectrum of risks arising from the economic, political, and social environments of a foreign country that may have potential consequences for foreigners’ debt and capital investments in that country. Transfer risk focuses more specifically on a borrower’s capacity to obtain the foreign exchange necessary to service its cross-border debts and other contractual obligations. In all their international transactions, banking corporations need to understand the international financial markets and the potential for spillover effects from one country to another or contagion effects for an entire region. b. Banking corporations that engage in granting credit internationally must have adequate policies and procedures in place for identifying, measuring,

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-18 monitoring, supervising, and controlling country risk and transfer risk in their international lending and investment activities. In this context, they shall take the following factors into account: (1) their ability to manage their risks on a consolidated basis; (2) resources and tools that will support this ability; (3) the control and oversight mechanisms they will apply to their activity outside Israel and the adequacy of these mechanisms relative to the size, complexity, and risk level of the activity; (4) the extent of access to information and the types of reports sent to the banking corporation from its offices or subsidiaries outside Israel, including reports to the board of directors; (5) their prior experience in operations outside of Israel. c. Credit policy shall refer to the banking corporation’s activity abroad (via subsidiaries and/or branches) at the level of the individual office in accordance with its strengths and weaknesses, including aspects of management resources and operating, control, and audit infrastructures in the foreign country, the types of activity that it carries out, and the country in which it operates. In particular, the policy is to refer to banking corporation activity in countries classified by the World Bank in the Low Income or the Upper/Lower Middle Income groups. The banking corporation is to establish internal limitations regarding its activity in countries in such income groups. d. A banking corporation’s credit policy shall refer separately to borrowers whose main activity takes place in countries that have special risk indicators and/or to debts for which the source of repayment is based on assets located in such countries. This reference shall include, inter alia, (i) specification of the relevant countries and/or geographic regions and their characteristics (political, macroeconomic, etc.); (ii) quantitative limits on exposure to such credit; and (iii) specification of safety coefficients (or ranges of safety coefficients) to be

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-19 used in making credit decisions; such coefficients shall represent an especially conservative approach. e. The monitoring and oversight of country risk factors shall incorporate (i) the potential default of foreign private sector counterparties arising from country￾specific economic factors and (ii) an assessment of the enforceability of loan agreements and the timing and ability to realize collateral under the legal framework in that country. The function responsible for this area shall include professionals who specialize in these specific matters. Principle 3: A banking corporation shall identify and manage the credit risks inherent in all its products and activities. The banking corporation shall ensure that the risks in new products and new activities be subject to adequate procedures and controls before they are introduced or created. It shall also be ascertained that new products and activities receive the prior approval of the board of directors or an appropriate board committee, as set forth in Section 16 of Directive 310. 21. The basis for an effective credit risk management process is the identification and analysis of existing and potential risks inherent in every product or activity. Consequently, it is important that a banking corporation identify all the credit risks inherent in the products it offers and the activities in which it engages. Such identification stems from a careful review of the existing and potential credit risk characteristics of the product or activity. 22. Banking corporations must develop a clear understanding of the credit risks inherent in complex credit-granting activities (for example, loans to certain industry sectors, asset securitization, customer-written options, credit derivatives, and credit-linked notes (CLN)). This is particularly important because the credit risks involved, while not new to the banking system, may be less obvious and, for this reason, require more analysis than the risks of traditional credit-granting activities. Although more complex credit-granting activities may require tailored procedures and controls, the basic principles of credit risk management shall still apply.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-20 23. New ventures require significant planning and careful oversight to ensure that the risks are appropriately identified and managed. A banking corporation shall ensure that the risks inherent in new products and activities are subject to adequate procedures and controls before being introduced or undertaken. Any major new activity shall be approved in advance by the board of directors or its appropriate delegated committee. 24. Senior management shall ascertain that the personnel involved in any activity that involves borrower or counterparty credit risk, whether established or new, basic or complex, are fully capable of conducting the activity to the highest standards and in compliance with the banking corporation’s policies and procedures.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-21 B. Operating under a sound credit granting process Principle 4: A banking corporation shall operate within sound, well-defined credit￾granting criteria. These criteria shall include clear guidelines concerning the target market and athorough understanding of the borrower or counterparty, the purpose and structure of the credit, and its source of repayment. 25. Establishing sound, well-defined credit granting criteria is essential to safe and sound credit activity. The criteria should set out who is eligible for credit and for how much, what credit instruments are available, and under what terms and conditions the credits should be granted. Once the banking corporation has established credit-granting criteria, it must obtain all requisite information for credit decision making in accordance with those criteria. This information should also be used for the banking corporation’s internal credit rating process. 26. Banking corporations shall collect enough information to allow a comprehensive assessment of the true risk profile of the borrower or counterparty to a transaction. The banking corporation shall base the risk assessment on, inter alia, updated financial data (as detailed in Section 27a below) of the borrower, including, where relevant, of affiliated companies, controlling shareholder, substantial guarantors, etc. Depending on the type of credit exposure and experience amassed vis-à-vis the same borrower or counterparty, the factors to be considered and documented in approving credit shall include: a. the purpose of the credit and sources of repayment; b. the current risk profile of the borrower or counterparty and (where relevant) the collateral and its sensitivity to economic and market developments; c. the borrower’s repayment history and assessment of current capacity to repay, based inter alia on future cash flow projections under various scenarios; where necessary, a banking corporation shall stress-test various parameters when issuing credit to test the sensitivity of the borrower and/or its collateral to economic developments;

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-22 d. for commercial credit, the borrower’s business expertise and the status of the borrower’s economic industry and its position within that industry; e. the proposed terms of the credit, including covenants designed to limit an increase in the borrower’s credit risk; and f. where applicable, the adequacy and enforceability of collateral or guarantees under various scenarios, including reference to the enforceability of arrangements concluded in this context. In approving borrowers or counterparties, consideration shall also be given to the integrity and reputation of the borrower or counterparty as well as its legal capacity to assume the liability. 27. A banking corporation needs to understand to whom it is granting credit. Therefore, before approving credit, it must become familiar with the borrower or counterparty and be confident that it is dealing with an individual or organization of sound repute and creditworthiness. In particular, strict policies must be in place to avoid association with individuals involved in fraudulent activities and other crimes. This can be achieved in various ways, including asking for references, accessing credit registries, and becoming familiar with individuals responsible for managing a company and checking their personal references and financial condition. However, a banking corporation shall not grant credit simply because the borrower or counterparty is familiar to it or is perceived to be highly reputable. 27a. When granting credit to a corporation, the banking corporation shall take into account, among other things, updated financial data. These data shall include updated financial statements as well as additional financial data from other sources, as necessary. The credit agreement is to include a requirement that the borrower submit its financial statement to the banking corporation immediately after the date it is signed. In this matter, “financial statement”—a financial statement prepared in the format established by law or by accepted accounting principles. The financial statement is to be considered updated if it meets the date established for it by the law applicable

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-23 to the borrower, and with regard to a borrower in Israel that is a nonreporting corporation, the report shall be considered updated if submitted within 9 months from the date of the financial statement. The provisions of this section apply as well to a branch of the banking corporation abroad. 27b. Notwithstanding the above, a banking corporation may grant credit to a corporation even without having a financial statement, in the following cases, subject to the relevant compensating controls: a. Total indebtedness is less than NIS 1 million. b. Total indebtedness of the borrower is backed by guarantees of the type recognized as deductions under Section 5 of Directive no. 313. c. Indebtedness is in the form of investment in bonds, commercial paper, or participation in international syndications of very large companies (loans of more than $100 million), and the investment decision is based on the borrower’s rating by one of the rating companies whose eligibility regarding capital adequacy and measurement is recognized by the Supervisor; d. When renewing credit, including extending additional credit that does not exceed 25 percent of the balance of the borrower’s indebtedness, the banking corporation may approve the credit without a financial statement, under the following documented circumstances:

1. When a plausible reason prevents the borrower from submitting a financial statement, including in respect of extensions from tax authorities, for a period of up to six months, and the following conditions are fulfilled: (1) The banking corporation received authorization from the borrower’s accountant-auditor that they did not complete their audit of the financial statement, with notation of the estimated date of completing the audit;

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-24 (2) In lieu of an updated financial statement, the banking corporation received an unaudited financial statement as well as other information, including a Value Added Tax report. 2. When the borrower’s indebtedness exceeds NIS 200 million, the provisions of Subsection 1 above may not be implemented, unless exceptional circumstances exist, such as when the banking corporation is of the opinion that non-approval of the credit is expected to lead to a material adverse impact to the activities of the borrowing corporation. Said implementation shall be subject to: (1) A declaration by the borrower that no negative material change has occurred in the annual profit and capital data as of the date of the financial statement that has not yet been provided, compared with the most recent audited financial statement. Attached to the declaration shall be a negative assurance from the accountant-auditor. (2) Approval of the Chief Risk Officer (3) The above is to be reported in the banking corporation’s risk document. e. Debtors’ indebtednesses that were purchased in factoring transactions and to which all the following conditions apply:

1. Total indebtedness does not exceed NIS 10 million;
2. The transaction is appropriate for accounting treatment of purchase/sale of debt;
3. The debtor’s debt was created via a sale transaction or in conjunction with a nonfinancial service and was purchased by the banking corporation within the framework of a factoring transaction, where an insurance company undertook to bear the credit risk in respect of the debt, and provided that: (1) the insurance company is subject to the directives of the Supervisor of Capital Markets, Insurance, and Savings, or is subject to the directives of a supervisory authority in a foreign country, provided that the country is an OECD member and rated A- or higher, and (2) the insurance

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-25 company has a domestic rating of at least AA- (or Aa3 from Moody’s), which is updated at least once a year. 4. The banking corporation does not have a direct connection with the debtor and does not have the ability to attain an updated financial statement; the banking corporation is to document the reasons for the lack of an updated financial statement in the borrower’s file, supporting the above. 27c. Furthermore, when granting a substantial amount of credit to a corporation, the banking corporation will also be required to take into account semiannual financial data for the period ending June 30, within three months of the end of the period, as detailed below: a. When the total indebtedness exceeds NIS 50 million, the banking corporation shall require semiannual financial data signed by the corporation’s management and in the format to be determined by the banking corporation in accordance with its risk policy; b. When the total indebtedness exceeds NIS 200 million, the banking corporation shall require semiannual financial data signed by the corporation’s management and in the format of a semiannual financial statement; This section shall not apply to the approval of credit for/to a corporation that is part of a banking group abroad that is not required to publish semiannual financial statements according to the law that applies to it”27d. When granting credit to a corporation in an amount that exceeds NIS 50 million, a banking corporation shall take into account, among other things, the following information: a. Information on credit taken by the borrowing corporation’s controlling shareholder to finance the purchase of controlling shares in the corporation, or on credit against which 5 percent or more of such shares were pledged (in particular: funder’s identity, repayment dates, dividend distribution plans and covenants related to the borrowing corporation or to the value of the securities). b. Information on conduct of the controlling shareholder in situations in which the controlling shareholder or a corporation controlled by the controlling shareholder

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-26 entered into a default process, such as bankruptcy, liquidation, or creditors’ proceeding, as well as information on processes in the framework of which personal liability was assigned to the controlling shareholder by a court or regulatory authority with regard to a business occurrence of the corporation (including determination of breach of fiduciary duty or caution by the controlling shareholder, including proceedings that ended in a compromise). 27e. Notwithstanding the provisions of this section, the banking corporation may, in exceptional cases, withhold from taking steps as required according to its procedures due to the lack of updated financial statements, provided that this shall be for a fixed period of time, subject to the approval of the Chief Risk Officer and to the reporting of such in the risk document. 28. A banking corporation shall have procedures in place to identify situations where, in considering credits, it is appropriate to classify a group of obligors as connected borrowers or even as a single obligor. The limits and definitions in Directive 313 are not exhaustive in this matter; a banking corporation must expand them commensurate with the nature of its activity and the composition of its credit portfolio. This generality includes aggregating exposures to groups of accounts exhibiting financial interdependence, including corporate or non-corporate, where they are under common ownership or control or with strong connecting links (for example, common management, familial ties). Banking corporations shall also measure their total exposure to a given borrower or counterparty across business activities. 29. Banking corporations sometimes lend in concert with other lenders (syndications, consortia, assignments, or similar arrangements). In such transactions, at times, undue reliance is placed on the credit risk analysis carried out by the lead underwriter or by external commercial loan credit ratings entities. All participants in the issue of such loans are required to perform their own fundamental, independent self-evaluation of the transaction and the risks incorporated in it prior

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-27 to committing to providing funds. Each banking corporation shall implement the same cautious standards, credit assessments, approval criteria and internal limits as it would for a loan initiated by the banking corporation on its own, and shall determine the requisite return in a similar manner to a directly sourced loan, To carry this out, the banking corporation’s procedures shall ensure, at least, the following requirements: (a) Attaining complete relevant data for a credit analysis, both before and after acquiring participation, and its independent and periodic analysis; (b) Receiving copies from the lead lender/originator of documentation of all loans offered and extended, legal opinions, title insurance policies, and other relevant documents; (c) Close monitoring of loan execution throughout the life of the loan. 30. Granting credit involves accepting risks as well as producing profits. Banking corporations should assess the risk/reward relationship in any credit as well as the total return target for the credit portfolio. In evaluating whether and on what terms to grant credit, banking corporations shall ascribe the utmost importance to risks against expected return, factoring in price of credit (interest) and additional elements (e.g., collateral, restrictive covenants, etc.). In evaluating risk, banks shall also consider the effects of potential downside scenarios and even stress scenarios and their impact on borrowers or counterparties. A common problem in the banking industry is the tendency not to price a credit or overall borrower relationship properly and therefore not to receive adequate compensation for the risk incurred. 31. In considering potential credits, a banking corporation must recognize the necessity of making provisions for identified and expected losses and holding adequate capital to absorb unexpected losses. A banking corporation shall also factor these considerations into its overall portfolio risk management process. 32. A banking corporation may utilize transaction structure, collateral, and guarantees to help mitigate risks (both identified and inherent) in individual credits; however, transactions should be entered into primarily on the strength of the borrower’s

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-28 repayment capacity. Collateral cannot be a substitute for a comprehensive assessment of the borrower or counterparty and cannot compensate for insufficient information. A banking corporation must recognize that any credit enforcement actions (e.g., receivership) may eliminate the profit margin on the transaction. In addition, banking corporations should be mindful that the value of collateral may well be impaired by the same factors that impair the recoverability of the credit. Banking corporations should have policies covering the acceptability of various forms of collateral, procedures for the ongoing valuation of such collateral, and a process to ensure that collateral is legally and practically enforceable and realizable if necessary. With regard to guarantees, banking corporations shall evaluate the level of coverage being provided in relation to the guarantor’s credit quality and legal capacity. Banking corporations shall be careful when making assumptions about implied support from third parties such as the government. 32a. Within the framework of the considerations detailed in Section 32 above, a banking corporation holding a first lien on an asset is to take into account the ramifications deriving from the borrower’s right to pledge the asset as a subsequent lien, with inferior status, to another creditor, unless the banking corporation has reasonable grounds to deny the additional pledge; this is in accordance with Section 7h(a) of the Banking (Service to Customer) Law, 5741-1981. In addition, the banking corporation is to take into account the ramifications deriving from the possibility of realization of the pledge by the other creditor, as in accordance with Section 7h(b) of the Banking (Service to Customer) Law, in a case where the borrower pledged an asset as a subsequent lien to another creditor, the banking corporation is prohibited from denying the other creditor’s request to realize the additional lien, other than for reasonable grounds. 33. Netting agreements are an important way to reduce credit risks, especially in interbank transactions. To ensure the effectiveness of such a mechanism, the agreements should be sound and legally enforceable.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-29 34. Where actual or potential conflicts of interest exist within the banking corporation, the board of directors shall erect firewalls between the corporation’s activities, as set forth in Section 16(b) of Directive 301, and management shall install procedures for internal sharing and non-sharing of information. Such procedures shall ensure, inter alia, that there is no hindrance to the banking corporation obtaining all relevant information from the borrower. Principle 5: A banking corporation shall establish overall credit limits at the level of individual borrowers and counterparties and for groups of connected counterparties that aggregate, in a comparable and meaningful manner, different types of exposures, both in the banking and trading book and on and off the balance sheet (not only those dealt with in Directive 313). These exposure limits shall be set so as to offer added value and comparability. 35. An important element of credit risk management is the establishment of exposure limits on single counterparties and groups of connected counterparties. Such limits are frequently based in part on the internal risk rating assigned to the borrower or counterparty, with counterparties assigned better risk ratings having potentially higher exposure limits. A banking corporation must also establish limits for particular industries or economic sectors, geographic regions, specific products, and other shared risk factors. Among the shared risk factors, the banking corporation shall refer to its activities abroad, and establish a limit, or a system of limits, with regard to it. 36. Banking corporations shall set exposure limits in all areas of activity that involve credit risk. These limits help to ensure that the corporation’s credit-granting activities are adequately diversified. As mentioned above, much of the credit exposure faced by some banking corporations comes from activities or instruments in the trading book and off-balance-sheet activities. Limits on such transactions are particularly effective in managing a banking corporation’s overall credit risk profile or counterparty risk. To be effective, limits should generally be binding (to the

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-30 possible exclusion of aberrant exceptions) and not influenced by customers’ specific requests. 37. Effective measures of potential future exposure are essential for the establishment of meaningful limits, placing an upper bound on the overall scale of activity with, and exposure to, a given counterparty, based on a comparable measure of exposure across a banking corporation’s various activities (both on and off the balance sheet). 38. Banking corporations shall also consider the results of stress testing in the overall limit setting and monitoring process. Such stress testing should take into consideration business cyclicality, technological changes, changes in ownership, interest rate and other market movements, and potential liquidity conditions. 39. A banking corporations shall set its credit limits in accordance, inter alia, with risks associated with the near-term liquidation of positions in the event of counterparty default. Where a banking corporation has several transactions with a counterparty, its potential exposure to that counterparty is likely to vary significantly and discontinuously during the maturity over which it is calculated. Therefore, a banking corporation shall calculate potential future exposures over multiple time horizons. Limits should also factor in scenarios of counterparty bankruptcy, suspension of proceedings, etc., particularly in respect of unsecured exposures. Principle 6: A banking corporation shall have a clearly established process in place for approving new credits as well as the amendment, renewal, and refinancing of existing credits. 40. Many individuals within a banking corporation are involved in the credit-granting process. They include personnel from the business function, the credit analysis function, and the credit granting function. In addition, one counterparty may approach several different areas of the banking corporation for different forms of credit. A banking corporation may choose to assign staff responsibilities for the credit granting process in different ways; however, it is important that the credit

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-31 granting process coordinate the efforts of all employees involved to ensure that sound credit decisions are made. 41. To maintain a sound credit portfolio, a banking corporation must have an official and binding process in place for the evaluation and approval of risks inherent in a transaction as part of the granting of credit. Approvals should be made in accordance with written guidelines and the appropriate level of management. There should be a clear audit trail documenting that the approval process was complied with and identifying, by name, the individual(s) and/or committee(s) providing input as well as the main considerations (for and against) behind the credit decision, and the individual(s) and/or committee(s) who made the credit decision. Banking corporations shall consider the establishment of specialist credit teams to analyze and approve credits related to significant product lines, types of credit instruments, and industrial and geographic sectors. Banking corporations shall invest in adequate credit decision resources so that they are able to make sound credit decisions consistent with their credit strategy and meet competitive time, pricing, and structuring pressures. 42. Each credit application should be subject to thorough analysis by a qualified credit analyst with expertise commensurate with the size and complexity of the transaction. The analysis should include, where relevant, examination of the effect of approving the application for the borrower’s financial resilience and the banking corporation’s credit portfolio at large. An effective evaluation process establishes minimum requirements for the information on which the analysis is to be based. The banking corporation should have explicit written policies in place regarding the information and documentation needed to approve new credits, renew existing credits, and/or change the terms and conditions of previously approved credits. The information received will be the basis for any internal evaluation or rating assigned to the credit or for any other internal assessment. Therefore, its accuracy and adequacy is critical for appropriate management decisions about the acceptability of the credit.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-32 43. A banking corporation must develop a corps of credit officers who have the experience, knowledge, and background to exercise prudent judgment in assessing, approving, and managing credit risks in accordance with strategies and policies set forth. A banking corporation’s credit granting process shall establish accountability for decisions taken and determine a clear and absolute hierarchy of powers for the approval of credits or changes in credit terms. Banking corporations may combine individual or joint signature authority (e.g., “double signature”), and a credit granting group or committee, depending on the nature and size of the credit. This hierarchy shall be determined in view of the expertise of the individuals involved. In this regard,—“individual signature authority” shall be permitted given the existence of one of the following: (a) based on, among other things, a credit analysis carried out by an entity with expertise but that is not certified, and when approving of substantial credit exposures shall also be based on a written opinion of the Chief Risk Officer as noted in Section 44 below; (b) the scope of credit to be extended under individual signature authority does not exceed NIS 1 million. It is hereby clarified that extending credit based on an automatic underwriting model shall not be considered the enactment of “individual signature authority”. 44. To ensure that credit decisions comply with the banking corporation’s stated policy and are based on validated risk assessments, the Chief Risk Officer shall be involved in proceedings for the approval of credit exposures that are significant for the banking corporation. Accordingly, wherever a significant credit exposure is at stake, the person responsible for credit granting shall relate to a written opinion drawn up by the banking corporation’s risk management function. Said opinion, addressing itself to the credit application and rating, shall perform an independent analysis of the transaction and shall challenge the business function’s judgment as the case may be. A banking corporation shall have a procedure in place for treatment of disagreements between the business function and the risk management function concerning the approval of a significant credit exposure.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-33 For the purpose of this Section, a “significant credit exposure” is an exposure one of NIS 50 million or more, or 1 percent of the banking corporation’s Tier 1 Capital—the lower of those alternatives—as well as other exposures determined by the board of directors of the banking corporation in accordance with the size and complexity of the credit portfolio. Notwithstanding the above, a banking corporation may determine that the significance threshold shall be NIS 25 million even if this is more than 1 percent of Tier 1 Capital. Principle 7: All extensions of credit must be made under market conditions and in accordance with accepted policies and processes. In particular, to prevent abuse and handle conflicts of interests, credits to related parties entail special approval and shall be monitored with particular care to control or mitigate the risks of such lending. 45. Extensions of credit by a banking corporation shall be subjected to the criteria and processes described above, which create a system of checks and balances that promote sound credit decisions. Therefore, directors, senior management and other influential parties (e.g., shareholders) shall not attempt to override the established credit-granting processes and controls that the banking corporation has established. (In this context, see also Sections 31 and 55–57 of Directive 301, which deal with conflicts of interest.) 46. A potential area of abuse arises when credit is granted under non-market conditions (e.g., in terms of maturity, interest rates, collateral requirements, etc.) to related parties (as defined in Proper Conduct of Banking Business Directive 312, “A Banking Corporation’s Business with Related Parties,” hereinafter: “Directive 312”), either corporations or private individuals.2 Consequently, it is important that a banking corporation lend to such parties on market terms and that the credit be subject it to suitable control. Responsibility for issuing guidelines in this matter 2 A transaction executed in the ordinary course of business and at a rate inconsistent with the rate set forth for this purpose in a collective labor agreement or some other collective arrangement applying to employees of the banking corporation, between the banking corporation and a related party who is an employee of the banking corporation, shall not be considered “abuse.”

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-34 belongs to the board of directors, as stated in Section 16(a) of Directive 301. A banking corporation shall apply these controls, inter alia, by determining that the credit terms shall be no better than those offered to non-related parties under similar circumstances. Additional methods of control may include the setting of explicit and absolute limits on such credit beyond those established in Directive 312, and public disclosure of the terms of credit granted to related parties. A banking corporation’s credit granting criteria should not be altered to accommodate related companies and individuals. 47. A banking corporation shall deny related parties and their associates the possibility of influencing the creation and management of an exposure. Material transactions with related parties (including forgiveness of a debt), at least in accordance with the provisions of Section 7(a) of Directive 312, entail approval by the Audit Committee or the board of directors Committee on Transactions with Related Parties, beyond ordinary credit granting. Transactions with related parties must be reported to the Banking Supervision Department, as set forth in Directive 312. Deviations from policy rules, processes, and limits shall be reported to the appropriate member of senior management and the Audit Committee or the board of directors Committee on Transactions with Related Parties for timely action.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-35 C. Maintaining an appropriate credit administration, measurement, monitoring and supervision process Principle 8: A banking corporation shall have in place a system for the ongoing administration of its various credit risk-bearing portfolios. 48. High-quality credit administration is a critical element in maintaining the safety and soundness of a banking corporation. Once credit is granted, it is the responsibility of the business function, often in conjunction with a credit administration support team, to ensure that it is properly maintained. This includes keeping the borrower’s file up to date, obtaining current financial information (see also Principle 4 in this Directive), sending out credit renewal notices, drawing up various documents such as loan agreements, etc. 49. Given the wide range of tasks associated with credit administration, a banking corporation may tailor the organizational structure of this function to its size and sophistication. In large banking corporations, responsibility for the various components of credit administration is usually assigned to different departments. In a small banking corporation, it may suffice to assign a few individuals to several functional areas. Where individuals perform sensitive functions in credit administration such as custody of key documents, executing payments, or entering facilities into computer systems (back office activity), they should report to managers who are uninvolved in the business activity and credit granting processes. A banking corporation shall establish, with the approval of the Supervisor of Banks, the level of organizational differentiation needed in order to meet this requirement. 50. In developing their credit administration mechanisms, banking corporations shall ensure: a. the existence of an effective mechanism that fully serves the requisites of credit administration, including document monitoring and control, detailed documentation, monitoring of compliance with contractual requirements, financial covenants, and collateral, etc.;

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-36 b. the accuracy and timeliness of information provided to management information systems; c. model validation policy; d. adequate segregation of duties; e. the adequacy of controls over all back office procedures; and f. compliance with prescribed management policies and procedures as well as applicable laws and regulations. 51. For the various components of credit administration to function appropriately, senior management must recognize the importance of the monitoring, oversight, and control of credit risk in credit administration activity and should signal this to the various functions in the organization. 52. An up-to-date borrower file should provide the credit officer, the credit committee, and internal and external auditors (including the credit control function) with all information about the borrower or counterparty as is needed to analyze the credit before it is granted and to monitor and assess it over time. The documentation requirements will vary depending on the type of loan, borrower, and collateral. A borrower file should include, inter alia: a. identification of a commercial borrower or, in the case of a non-business borrower, the borrower’s occupation; b. documentation of borrower’s current and past economic condition; and the condition of related companies, the controlling party, substantial guarantors, and similar, where relevant. c. details on the purposes of loans issued to the borrower, source of repayment, and payment program; d. details about collateral, its value, and origin of the valuation; e. where relevant—factors that mitigate or may mitigate credit risk originating in borrower’s exposure to exchange-rate changes. Borrower files should also include adequate documentation of decisions made and credit history, including current financial data (as detailed in Section 27a above),

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-37 financial analyses and internal rating documentation, internal memoranda, reference letters, appraisals, and documents related to collateral. The banking corporation’s control functions shall oversee the implementation of the above issues, particularly that the borrower files are complete and that all credit approvals and other necessary documents have been obtained. Principle 9: A banking corporation shall have in place a system for monitoring the condition of individual credits, including determining the soundness of classification and the adequacy of credit loss allowances. 53. A banking corporation shall develop and implement comprehensive procedures and information systems to monitor the condition of specific credits and obligors across its various portfolios. These procedures shall set criteria for identifying and reporting potential problem credits and other transactions to ensure that they are subjected to more frequent monitoring and, where necessary, to reinforcing actions (e.g., stronger collateral), classification, and/or credit loss provisioning. The banking corporation’s business functions are responsible for locating and sharing information about the deterioration of a debt so that the debt can be reviewed and recommendations made. Responsibility for credit classification and provisioning, however, should belong to a member of management who is not in charge of business activity. This person shall, among other things, complement the actions of the business functions by taking independent measures to identify deteriorating debts. 54. An effective credit monitoring system includes measures to: a. ensure that the banking corporation understands the current financial condition of the borrower or counterparty; b. monitor compliance with existing covenants; c. where applicable, assess collateral coverage in consideration of the obligor’s current condition;

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-38 d. identify contractual payment delinquencies and classify potential problem credits on a timely basis; and e. promptly and directly refer problems to a management function for action. 55. Specific personnel should be responsible for monitoring credit quality, including ensuring that relevant information is forwarded to those responsible for assigning internal risk ratings to the credit. In addition, specific personnel should be responsible for ongoing monitoring of all underlying collateral and guarantees. Such monitoring assists the banking corporation in revising contractual arrangements as warranted, maintaining adequate credit loss provisions, and reviewing capital adequacy. In assigning these responsibilities, management should recognize the potential for conflicts of interest, especially among personnel who are judged and rewarded on indicators such as loan volume, portfolio quality, or short￾term profitability. 56. Banking corporations shall maintain and document watch lists of borrowers and debts that show downside symptoms. a. Explicit criteria should be established for downside symptoms and the removal of borrowers from watch lists, e.g., poor credit rating, arrears in payment, deviation from credit facility, request for rescheduling debt, request for postponement of payments, deterioration of financial ratios, capital deficit, non-compliance with covenant, negative cash flow from current activity, operating loss, etc. In addition to these criteria, borrowers should be included on a watch list at the discretion of the business function in charge and of the debt classification function (as set forth in Section 53 above), including considerations in relation to lack of cooperation by the borrower.. b. Said watch lists shall specify, inter alia, the banking corporation’s credit exposure to relevant borrowers, the first date of said borrowers’ inclusion on the list, the classification of their debt, the function in charge, rating of the credit, and the downside symptoms for which the borrowers are included on the lists.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-39 c. Watch lists shall be discussed at least once per quarter, before the banking corporation publishes its financial statements. A written quarterly review of watch lists shall be produced for the purposes of credit loss provisioning and problem debt classification, including the reasoning behind the decisions made: decisions about non-classification, decisions about removing a borrower from the watch list, etc. Principle 10: A banking corporation shall develop and validate an internal credit rating system and use it in managing credit risk. The rating system shall be consistent with the nature, size, and complexity of the banking corporation’s activities. (See also Proper Conduct of Banking Business Directive no. 314, “Sound Credit Risk Assessment and Valuation for Loans”.) 57. Rating of credit is essential for the effective management of credit risk because it facilitates good credit decisions. a. An internal credit rating system allows a banking corporation to differentiate among levels of credit risk that are inherent in different credit exposures so that it can monitor the quality of a specific credit and of the overall portfolio. b. An internal rating system allows a banking corporation to define more accurately the range of characteristics of the credit portfolio, measure portfolio concentration, identify problem credits, and test the adequacy of credit loss provisions. c. More detailed and sophisticated internal rating systems, used primarily by large banks around the world, are also helpful in internal allocation of capital, pricing of credit, and calculation of the profitability of specific transactions or of overall relationships with borrowers. d. The use of internal rating gives official expression to the banking corporation’s approach to risk assessment in the discussion at hand. A credit rating represents the level of risk that the corporation has determined for the credit at issue. This risk level should be borne in mind in all relevant actions that the corporation takes: risk management, accounting presentation, and capital adequacy.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-40 58. As a rule, a banking corporation should rate all its credit exposures. It may deviate from this rule in exceptional cases that constitute a negligible share of its total exposure. 59. To install a systematic process of risk management even in the presence of competitive, market, personal, and other pressures, a banking corporation shall: a. invest requisite resources in the development and maintenance of a quality rating system that will have an influence on credit in all relevant respects; b. make meaningful reference to the rating in all credit decisions, including setting of credit policy and credit targets, defining risk appetite and tolerance (by setting limits, inter alia), approving individual credits, credit pricing, testing the soundness of credit classifications and allowances, evaluating capital adequacy, holding strategic discussions, measuring performance, etc. In this context, it bears emphasis that a strong connection (a strong positive correlation) between credit ratings and debt classifications must be maintained. Documentation that connects the internal rating system with the classifications set forth in the Reporting to the Public Directives must be retained. 60. An internal rating system categorizes credits into various classes that are designed to take into account gradations in credit risk. The internal rating system of a banking corporation shall consist of ten rating categories. In developing the rating system, a banking corporation shall decide whether to rate borrower or counterparty risk, the risk inherent in a specific transaction, or both. 61. Internal rating is an important tool in monitoring and controlling credit risk. To facilitate early identification of changes in risk profiles, the internal rating system shall be responsive to indicators of potential or actual deterioration in credit risk. Credits with deteriorating ratings shall be subject to additional oversight and monitoring, for example, through more frequent visits from credit officers and inclusion on a watch list that is regularly reviewed by senior management. The internal ratings shall be used by line management in different departments to track the current characteristics of the credit portfolio and help determine necessary

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-41 changes to the banking corporation’s credit strategy. Consequently, it is important that the board of directors and senior management also receive periodic reports on the condition of credit portfolios based on such ratings inter alia. (In this matter, see credit policy document in Section 15 of Directive 310.) 62. Initial credit ratings assigned to individual borrowers or counterparties at the time credit is granted shall be reviewed periodically (at least annually). Credit ratings of debts individually evaluated as large, complex, risky, classified loans or “leveraged lending” as noted in Directive 327, shall be reviewed more frequently. Furthermore, whenever a banking corporation detects a change (upside or downside) in the condition of a specific credit, it shall revise the rating. Borrowers’ credit files shall include documentation of the internal ratings established. 63. Given the importance of ensuring that internal ratings are consistent and accurately reflect the quality of individual credits, responsibility for setting or confirming such ratings should rest with the risk management function. 64. The consistency and accuracy of ratings shall be reviewed periodically by an independent body (see Sections 77-78 below). It is stated for clarity that actions taken by a credit control function are additional to the foregoing and shall not be substitutes for ongoing periodic review. Principle 11: A banking corporation shall have information systems and analytical techniques that enable management to measure the credit risk inherent in all on￾and off-balance-sheet activities. The management information systems shall provide adequate information on the composition of the credit portfolio, including identification of any concentrations of risk. 65. A banking corporation shall measure quantitatively the risk inherent in exposures to specific borrowers or counterparties. It shall also analyze credit risk at the product and portfolio level to identify particular sensitivities or concentrations. The measurement of credit risk shall take account of (i) the specific nature of the credit (loan, derivative, etc.) and its contractual conditions (term to maturity, reference rate, etc.); (ii) the sensitivity of the credit to potential market movements until

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-42 maturity; (iii) the existence of collateral or guarantees; and (iv) borrower risk, based inter alia on the internal rating. The analysis of credit risk data shall be undertaken using measurement techniques that are appropriate to the complexity and level of the risks that the banking corporation identifies and the level of risk shall be examined against established limits. A banking corporation shall use measurement methods that correspond to the level and complexity of risks in its activity and shall use reliable data. The measurement process shall be subject to periodic validation. In this regard see also Section 8 of Directive 301. 66. The effectiveness of a banking corporation’s credit risk measurement process is highly dependent on the quality of management information systems. The information generated by such systems allows the board of directors and all levels of management to fulfill their roles, including determining the amount of capital that the banking corporation should hold against the risks to which it is exposed. Therefore, the quality, detail, and timeliness of information are critical. In particular, information on the composition and quality of the various portfolios, including on the basis of the banking group as a whole, should enable management to assess quickly and accurately the level of credit risk that the banking corporation has incurred through its various activities and determine whether the corporation’s performance corresponds to its established credit management strategy. 67. A banking corporation shall monitor actual exposures against established limits, including credit facilities. Management information systems shall warn about exposures approaching limits and shall call this information, wherever it is significant, to the attention of senior management. The limit measurement systems shall include all exposures that the banking corporation has established. Said systems shall aggregate all credit exposures to an individual borrower and counterparty and report on overruns of limits on an added-value and timely basis. 67a. The banking corporation originating a syndication transaction is to maintain controls to monitor performance of the pipeline against original expectations, and regular reports of variances to management, including the amount and timing of

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-43 syndication and distribution variances, and reporting of recourse sales to achieve distribution; reports are to be submitted to management that include information at individual and aggregate levels, a rating of credit risk levels, and a portrayal of risks and concentrations in the pipeline. 68. A banking corporation’s information systems shall enable management to identify any concentrations of risk within the credit portfolio. The adequacy of the scope of information managed by these systems shall be reviewed periodically by managers at all levels, and by senior management, to ensure that it is appropriate for the complexity of activity. In addition, a banking corporation shall develop information systems that will permit additional analysis of the credit portfolio, including stress testing. Principle 12: A banking corporation shall have in place a system for monitoring the overall composition and quality of the credit portfolio. 69. Without derogating from the importance of overseeing the performance of individual credits, a banking corporation must also monitor the composition of its credit portfolio and of credit quality at the levels of the individual portfolio and various credit portfolios, using systems suited to the nature, size, and complexity of the banking corporation's credit portfolio. Credit concentration: 70. A continuing source of credit related problems in banks worldwide is concentration within the credit portfolio. Concentration of risks may take many forms and arises whenever a significant number of credits have similar risk characteristics. Concentration occurs when, among other things, a banking corporation’s credit portfolio contains a high level of direct or indirect exposures to one or more of: (i) a single counterparty, (ii) a group of connected counterparties (such as a "group of borrowers"), (iii) a particular industry or economic sector, (iv) a geographic region, (v) an individual foreign country or a group of countries whose economies are strongly interrelated, (vi) a specific type of credit instrument, (vii) a type of

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-44 collateral, or (viii) a specific currency. Concentrations also occur in credits with similar term to maturity. Concentration can stem from more complex or subtle linkages among credits in the portfolio. The concentration of risk applies not only to the granting of loans but also to the whole range of banking activities that, by their nature, involve counterparty risk. A high level of concentration exposes the banking corporation to adverse changes in the area in which the credits are concentrated. 71. In certain instances, due to a banking corporation’s dependency on a given trade area, geographic location, or lack of access to economically diverse borrowers or counterparties, avoiding or reducing concentrations may be extremely difficult. In addition, a banking corporation may wish to capitalize on its expertise in a particular industry or economic sector. A banking corporation may also determine that it is being adequately compensated for incurring certain concentrations of risk (e.g., in price). Consequently, a banking corporation is not necessarily required to forgo booking sound credits solely due to concern about concentration. It may reduce or mitigate concentrations in alternative ways, e.g., pricing in the additional risk, increasing capital to compensate for the additional risks, and using loan participations (such as consortiums) to reduce dependency on a particular sector of the economy or a group of related borrowers. A banking corporation must be careful not to enter into transactions with borrowers or counterparties whom it does not know or engage in credit activities that it does not fully understand simply for the sake of diversification. 72. Credit-concentration management methods are undergoing much innovation worldwide. The novelties include such mechanisms as loan sales, credit derivatives, securitization programs, and other secondary loan markets. However, mechanisms to deal with portfolio concentration issues also involve risks that banking corporations must identify and manage. Consequently, before a banking corporation can employ these mechanisms, it must have policies and procedures, as well as adequate controls, in place.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-45 Principle 13: A banking corporation shall take into consideration potential future changes in economic conditions when assessing individual credits and credit portfolios, and shall assess its credit risk exposures under adverse scenarios including stress scenarios. 73. An important element of sound credit risk management entails discussing what could potentially go wrong with individual credits and within the various credit portfolios, and factoring this information into the analysis of the adequacy of capital and credit loss provisions. This “what if” analysis may reveal previously undetected areas of potential credit risk exposure for the banking corporation. The linkages between different focal points of risk that are likely to emerge in times of crisis should be fully understood. In case of adverse circumstances, there may be a substantial correlation of various risks, especially credit and market risks. Scenario analysis and stress testing are effective ways of assessing areas of potential problems. 74. Analysis of adverse scenarios includes identifying potential events or future changes in economic conditions that may have unfavorable effects on a banking corporation’s credit exposures and assessing the corporation’s ability to withstand them. Three areas that a banking corporation may usefully examine are: (i) economic or industry downturns; (ii) market-risk events; and (iii) liquidity conditions. Adverse scenario analyses may range from relatively simple changes in assumptions about one or more financial, structural, or economic variables to the use of highly sophisticated financial models. Typically, sophisticated models are used, in Israel and abroad, by large, internationally active banks. 75. Irrespective of the level of sophistication of the adverse scenarios, the outcomes of the scenarios should be reviewed periodically by senior management and appropriate action taken in cases where they exceed specified risk tolerances. A banking corporation should also bear the scenario analysis outcomes in mind when determining and updating credit policies and activity limits.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-46 76. A banking corporation should act to identify the types of situations—such as economic downturns, both in the economy at large or in particular sectors, higher than expected levels of delinquencies and defaults, or the combinations of credit and market events—that may produce substantial losses or liquidity problems. Such an analysis should be done on a consolidated basis. Scenario analyses and stress￾test outcomes should also include contingency plans, i.e., actions that management should take given certain scenarios, such as hedging against an outcome or reducing the size of an exposure.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-47 D. Ensuring adequate controls over credit risk Principle 14: A banking corporation shall establish a system for independent, ongoing assessment of its credit risk management processes and the results of such reviews should be communicated directly to the board of directors and senior management. (See also Proper Conduct of Banking Business Directive 310.) 77. Because a banking corporation authorizes many staff members to grant and administer credit, it must have an effective internal review and reporting system to manage its various credit portfolios effectively. This system should provide the board of directors and senior management with sufficient information to evaluate the performance of the business function that engages in the issue of credit and the condition of the overall credit portfolio. 78. Given the importance and the subjective character of credit classification and rating, and of the timely identification of credit risks in general, banking corporations are to ensure that the debt classifications and credit ratings determined are also reviewed by individuals who do not have control over the credit they are reviewing and who are not impacted by the function that approves the credit. As noted in Section 44 above, such a review is to be conducted in real time when making credit decisions. In addition, a retroactive review is to be conducted by the designated unit at the banking corporation, hereinafter, “credit control”. The credit control function helps to supervise and monitor the main focal points of risk in the various business lines at the banking corporation. For this purpose, it must examine the reliability of the rating, and the appropriateness of the classification and allowances. Work plan and its implementation 78a. Credit control is to operate based on a work plan, both annual and multiyear. The plan is to reflect the following guidelines: (1) Scope of reviews:

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-48 (a) The work plans shall be based on credit examination, according to a risk based sample; (b) The sample that is chosen shall ensure that part of the portfolio that is chosen for review is sufficient for assessing the credit quality, and for identifying trends in the development of the risk inherent in the overall credit portfolio; (c) The work plans and sample shall be set while taking into account the size and complexity of the banking corporation’s credit portfolio, and its credit providing activity; (d) The activity of the credit control function, particularly choosing the sample, shall be documented and include, among other things, the list of all the loans reviewed and a summary of the analysis on which the ratings or classifications that were set for the loans are based. (2) Credit reviews shall include: (a) Very material credit—greater than some predetermined amount (b) Sufficient sample of other credit—(that is not included in Section (a) above) (c) Sample of criticized credit, by its various classifications (under special mention, substandard, impaired) (d) Sample of credit whose terms have changed but that is not classified as criticized. (e) Sample of credit that in the past was classified as criticized (f) Sample of credit that was determined, by the banking corporation or by the Banking Supervision Department, to require management’s special attention. (g) Sample of credit to related parties (h) Sample of credit that creates focal points of concentration of credit risk (3) Extent of the reviews—The credit control reviews are to analyze several important aspects of the credit chosen, including: (a) Credit quality, including borrower’s performance (b) Compliance with rating and classification policy, including an examination of the appropriateness of the classification or the allowance

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-49 for credit losses relative to the risk inherent in credit. Every credit control check should include a self-enacted rating of the borrower, based on the rating scale existing at the banking corporation; (c) Meeting the terms of the covenants established in the credit agreement; (d) The banking corporation shall decide whether to impose the responsibility to carry out “inherently technical” examinations (sufficient documentation of credit and collateral, completeness and validity of the pledges, etc.) on credit control, or on other control functions. If the banking corporation decides to impose the responsibility for such examinations on another function, the responsibility shall be well defined. Handling credit control reports and their distribution 78b. (1) At least once per year a review shall be presented to the CEO and board of directors covering the credit control function’s activity in the past year. This is to include, among other things, the following particulars:  The scope of the assessment (number of borrowers and amount of credit)  Analysis of findings that arose in credit control, their handling, and the impact on the quality of the banking corporation’s credit portfolio  Opinion on the suitability of the classification and allowance for credit losses and borrower ratings. (2) In addition, banking corporation management should be presented with material credit control reports, and credit control reports including material findings, that were conducted during the reporting period. (3) The banking corporation shall define in advance the framework for setting the rating, classification, and/or allowance for credit losses, in cases in which it is of the credit control’s opinion that the rating, classification, and/or allowance for credit losses are not suitable. Supervision on a consolidated basis

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-50 78c. The credit control function shall verify that in banking subsidiaries (including credit card companies) of the banking corporation, in Israel and abroad, a credit control unit is operating at a proper professional level. The credit control in a branch outside of Israel shall be administratively and professionally subordinate to the credit control in Israel (and not to the branch manager abroad). Subordination 78d. Credit control shall be subordinate to the Chief Risk Officer, to the Internal Auditor, or directly to the Board of Directors. Principle 15: A banking corporation shall ensure that its credit-granting business functions are well managed and that its credit exposures do not deviate from the credit policies set forth, including internal limits. A banking corporation shall have in place internal controls and other measures to ensure that exceptions to policies, procedures, and limits are immediately reported to the appropriate echelon (including the board of directors) for action. 79. The goal of credit risk management is to keep a banking corporation’s credit risk exposure within the parameters set by the board of directors and senior management. The establishment and enforcement of internal controls, operational limits, and other measures will help to ensure that credit risk exposures do not exceed levels acceptable to the banking corporation. Such a system allows banking corporation management to monitor and control adherence to the established credit risk objectives. 80. A banking corporation’s limit systems should ensure that the granting of credit beyond certain predetermined levels receives prompt management attention. An appropriate limit system should flag credit that has been approved in violation of the criteria so as to allow examination of its size and relevant characteristics. Good systems help management to control credit risk exposures, initiate fruitful discussion about opportunities and risks, and monitor actual risk taking against predetermined credit risk tolerances.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-51 81. Internal audits of the credit risk processes should be conducted periodically to ascertain that credit activities comply with the banking corporation's credit procedures and policies, that credit is approved in accordance with board of directors guidelines, and that the existence, quality, and value of an individual credit are reported accurately to senior management. Such audits are also useful in identifying weaknesses in credit risk management processes, policies, and procedures, and in detecting any deviation from policies, procedures, and limits. Principle 16: A banking corporation shall have systems and processes in place for early remedial action on deteriorating credits, managing problem credits, workout, and similar situations. 82. One reason for having a systematic credit review process is to identify weakened credits and, in particular, problem credits. A reduction in credit quality should be recognized at an early stage when there may be more options available for improving the credit. A banking corporation shall have in place a systematic and vigorous management process for the improvement of troubled credit and shall activate this process pursuant to specific events determined by the credit administration and problem credit identification and classification systems. 83. A banking corporation’s credit risk policies shall clearly set out how the corporation will manage problem credits. The banking corporation may apply a range of methods and organizational structures in managing such credits. Responsibility for them may be assigned to the originating business function, a specialized workout section, or a combination of the two, depending upon the size and nature of the credit and the reason for its classification as problematic. 83a. Deleted. 84. Effective workout programs are critical to managing risk in the credit portfolio. When a banking corporation has significant credit-related problems, the workout function shall be segregated from the area that originated the credit because the additional resources, expertise, and more concentrated focus of a specialized

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-52 workout section may improve collection results. A workout section may help to develop an effective strategy to rehabilitate a troubled credit or increase the amount of repayment ultimately collected. An experienced workout section can also provide valuable input into any credit restructurings organized by the business function.

Supervisor of Banks: Proper Conduct of Banking Business [10] (11/23) Credit Risk Management Page 311-53

---

Updates Circular 06 no. Version Details Date 2357 1 Original circular Dec. 27, 2012 2441 2 Revision Nov. 23, 2014 2461 3 Revision April 28. 2015 2533 4 Revision July 10, 2017 2542 5 Revision October 22, 2017 2594 6 Revision October 27, 2019 2672 7 Revision September 30, 2021 2669 8 Revision September 30, 2021 2728 9 Revision October 31, 2022 2762 10 Revision November 7, 2023