2022-11-03
The Austrian Financial Market Authority (FMA) issued these Minimum Standards to provide guidance for credit institutions on establishing and operating a BWG compliance function. The document mandates that significant institutions establish an independent compliance function while requiring all institutions to implement written policies and procedures to identify and mitigate compliance risks. It further details organizational requirements, including reporting lines, resource allocation, and the principle of proportionality based on the institution's size and complexity.
FMA MINIMUM STANDARDS ON BWG COMPLIANCE (FMA-MS-BWG-Compliance)
Document No.: 02 / 2022
Publication date: 03.11.2022
TABLE OF CONTENTS

I. Preliminary remarks
II. Scope of application and definition
III. Principle of proportionality
IV. General Remarks on Policies and Procedures
    A. BWG Compliance Risks
    B. Definition of Policies and Procedures in Writing
    C. Ongoing activity
    D. Reducing compliance risks to a minimum
V. Incorporating the BWG compliance function into the Organisational Structure
    A. Embedding the compliance function in the organisation as a whole
    B. Independence of the BWG compliance function
    C. Resources, Inspection and Access Rights
    D. Fit & Proper Requirements
    E. Combination with other functions
    F. The BWG compliance function within the Group of Credit Institutions and the Affiliation of Credit Institutions
    G. Outsourcing
VI. Duties of the BWG compliance function in credit institutions that are required to establish a BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG
    A. Regular Assessment
    B. Ongoing monitoring within the scope of a monitoring programme
    C. Responsibility of the management body
    D. Reporting
    E. Approval of new products and procedures
VII. Duties within the scope of BWG compliance in credit institutions that are not required to establish a BWG compliance function under Article 39 para. 6 no. 2 BWG
    A. Regular Assessment
    B. Checks
    C. Approval of new products and procedures
VIII. Supervision
    A. Regular communication with the supervisory authority
    B. Notifications

Disclaimer: Any English translation of the authentic German text is unofficial and serves merely informational purposes. All translations are prepared with great care, but linguistic compromises may have been made. The reader should also bear in mind that some provisions will remain unclear without a certain background knowledge of the Austrian legal and political system. Please note that laws and regulations are subject to future amendments.
I. PRELIMINARY REMARKS
para. 6 BWG, the WAG [7] compliance function in accordance with Delegated Regulation (“Del Reg”) (EU) 2017/565 [8] as well as the function of the anti-money-laundering officer(s) in accordance with Article 23 para. 3 FM-GwG are also part of the second line of defence. One of the tasks of the BWG compliance function is the managing of BWG compliance risks, thereby ensuring that BWG compliance risks are minimised to a large extent even before they are able to materialise. They thereby make a significant contribution towards an appropriate risk culture in the credit institution. In this context it should be noted that the role of the WAG compliance function established pursuant to Article 22 (2) of Del Reg (EU) 2017/565 focuses on the identification, assessment and monitoring of the compliance risks that may arise from the failure to observe the regulations contained in Del Reg (EU) 2017/565, as well as their mitigation. [9] The internal audit function is responsible for the third line of defence. [10]

II. SCOPE OF APPLICATION AND DEFINITION

5. These FMA Minimum Standards apply to all credit institutions with the authorisation to perform one or several of the banking transactions listed in Article 1 para. 1 BWG as well as finance institutions as defined in point 26 of Article 4 (1) of Regulation (EU) No 575/2013. [11] [12] The FMA Minimum Standards apply to Austrian credit institutions that are active in other Member States (Article 2 no. 5 BWG) under either or both the freedom to provide services or the freedom of establishment (Article 10 BWG). They also apply to credit institutions from other Member States, where they conduct activities in Austria through a branch (Article 9 para. 7 BWG) and/or by way of the freedom to provide services (Article 9 para. 8 BWG), and to the extent that they are required to observe Article 39 para. 6 no. 1 BWG accordingly with regard to the rules that apply to them (Article 9 paras. 7 and 8 BWG) and accordingly also in chapters IV, V.G and VII of these Minimum Standards. [13] They also apply to groups of credit institutions pursuant to Article 30 BWG and affiliations of credit institutions pursuant to Article 30a BWG. Furthermore, they also address instances of the partial or complete outsourcing of the BWG compliance function’s tasks.

[7] The Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018), published in Federal Law Gazette I no. 107/2017, as amended.
[8] Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive, OJ L 87, 31.03.2017, p. 1-83.
[9] See also in this regard the FMA Circular on the organisational requirements under WAG 2018 and Delegated Regulation (EU) 2017/565, in the version published in 01/2021 (WAG 2018 Organisational Circular).
[10] Cf. also the FMA Minimum Standards on Internal Auditing (FMA MS-IR) in the version published in 01/2020.
[11] Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, OJ L 176, 27.06.2013, pp. 1-337 in the version amended in Regulation (EU) No 876/2019, OJ L 150, p. 1-22.
[12] These minimum standards do not apply to investment fund management companies, since Article 10 para. 6 of the Investment Funds Act (InvFG 2011; Investmentfondsgesetz) excludes them from the application of Art. 39 para. 6 BWG.
[13] The rules, regulations and administrative decisions listed that apply to branches in accordance with Article 9 para. 7 or para. 8 BWG are therefore relevant for drawing up principles and procedures for BWG compliance, the risk assessment and the monitoring programme. In the case of branches, the performance of duties in accordance with chapter VII is therefore the responsibility of the management of the branch, unless determined otherwise.
6. Pursuant to Article 77d BWG, the enforcement of Article 39 para. 6 BWG only falls within the FMA’s competences where the enforcement of such tasks is not conferred upon the European Central Bank (ECB) pursuant to Regulation (EU) No 1024/2013 (SSM-R; SSM Regulation) [14]. Article 4 (1) (e) SSM Regulation lists the ECB’s areas of competence, in particular ensuring compliance with the requirements for credit institutions to have robust governance arrangements in place, including internal control mechanisms. In conjunction with Article 6 SSM-R there is therefore a direct ECB competence for the enforcement of Article 39 para. 6 BWG for “significant institutions” as defined in Article 6 (4) SSM-R. Pursuant to Article 4 (3) SSM-R, the ECB is required to apply relevant Union law. Provided that this exists in the form of Directives that are transposed into national law, it shall apply the latter. This means that the ECB directly applies the regulations set out in the BWG regarding the BWG compliance function.

III. PRINCIPLE OF PROPORTIONALITY

7. A BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG is required to be established in credit institutions of significant importance as defined in Article 5 para. 4 BWG. Credit institutions that are not required to establish a BWG compliance function on the basis of the size criterion defined in Article 5 para. 4 BWG, are nevertheless required pursuant to Article 39 para. 6 no. 1 BWG to define written policies and procedures. The objective of such policies and procedures is to address the risks arising from the non-observance of the regulations listed in Article 69 para. 1 BWG by the management board, the members of the supervisory board and the staff members of the credit institution and to restrict them to a minimal level. The defined policies and procedures represent the overall process regarding BWG compliance and are regularly updated and observed on an ongoing basis.

8. The observance of Article 39 para. 6 nos. 1 and 2 BWG is subject to the principle of proportionality. Credit institutions perform their duties that result from these provisions in such a way and manner that is commensurate to their size, internal organisation and the nature, scope and complexity of their business. In particular, Chapters I - IV, V.G and VII of these Minimum Standards are also relevant for credit institutions that are not considered to be significant as defined in Article 5 para. 4 BWG.

[14] Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions OJ L 287, 29.10.2013, p. 63-89.
IV. GENERAL REMARKS ON POLICIES AND PROCEDURES

A. BWG COMPLIANCE RISKS

9. A BWG compliance risk arises where applicable regulations are not observed, with the threat, for example, of administrative penalties, measures by the supervisory authority or other disadvantages, which in turn bear both a financial risk as well as a reputational risk for the credit institution. BWG compliance risks are covered that arise as a result of non-observance of the legal regulations listed in Article 69 para. 1 BWG as well as standards and supervisory expectations issued by competent regulatory and supervisory authorities on the basis of such regulations (FMA Regulations, FMA Circulars, FMA Minimum Standards and FMA Guides as well as Regulatory Technical Standards (RTS) / Implementing Technical Standards (ITS)) as defined in Articles 10 to 15 of Regulation (EU) No 1093/2010 (“The EBA Regulation”) and EBA Guidelines as defined in Article 16 of the EBA Regulation based on a regulation listed in Article 69 para. 1 BWG that applies to the credit institution, hereinafter referred to as “applicable regulations”. In its wording, Article 39 para. 6 no. 1 BWG refers, on the one hand, to the risk of a breach of an applicable regulation and, on the other hand, to the risk of such a breach arising downstream (in particular the risk of an (administrative) penalty).

10. Credit institutions shall take into account all material risks relating to their banking business and banking operations in their risk appetite framework. BWG compliance risk forms part of such risks. The BWG compliance risk that is identified within a risk assessment is therefore also taken into account when drawing up a risk appetite framework, and assessed for the credit institution’s individual situation on a case-by-case basis.

B. DEFINITION OF POLICIES AND PROCEDURES IN WRITING

11. The applicable regulations listed above in MN 9 are applied in order to devise internal principles and procedures for BWG compliance in accordance with Article 39 para. 6 no. 1 BWG which are proportionate in relation to the nature, scope and complexity of the credit institution’s business activities.

12. The extent and precise structure of the BWG compliance risk is identified and evaluated by means of a risk assessment. On a risk-based basis, it analyses principles, procedures, processes, systems and controls that the credit institution applies for its activities within the scope of its licence, as well as the findings of monitoring activities and relevant internal and external audits regarding the observance of applicable regulations.

13. The principles and procedures of BWG compliance describe the process of the ongoing identification and assessment of (new) applicable regulations. At the same time, these principles and procedures present how monitoring is performed about whether the respective departments adequately consider BWG compliance risks within the scope of the credit institution’s activities.
14. The management board approves the policies and procedures of the BWG compliance function, before it informs the supervisory board and all affected staff members about them. At the same time it ensures that the BWG compliance function in credit institutions required to establish one under Article 39 para. 6 no. 2 BWG is able to guarantee that principles and procedures are implemented by means of a risk-based monitoring programme.

C. ONGOING ACTIVITY

15. The identification and evaluation of BWG compliance risks shall occur on an ongoing and proactive basis, in any case where there are changes to the business model, where new business activities are taken up, new products established, or in the case of legal and regulatory changes. This ensures that the risk assessment also always captures BWG compliance risks arising from newly applicable regulations. Such new BWG compliance risks are also monitored in a risk-based manner.

D. REDUCING COMPLIANCE RISKS TO A MINIMUM

16. Under Article 39 para. 6 no. 1 BWG, the principles and procedures drawn up in writing serve to ensure, among other things, that risks of non-compliance with the applicable regulations by the management board, the supervisory board or employees, as well as the associated risks are pointed out and reported on. Consequently it is possible to counteract BWG compliance risks in a timely manner. By addressing and counteracting such risks in a timely manner, they can be kept to a minimum.

V. INCORPORATING THE BWG COMPLIANCE FUNCTION INTO THE ORGANISATIONAL STRUCTURE

A. EMBEDDING THE COMPLIANCE FUNCTION IN THE ORGANISATION AS A WHOLE

17. Credit institutions of significant relevance under Article 5 para. 4 BWG shall establish a BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG for performing the duties explained in Chapter VI of these minimum standards.
This BWG compliance function shall report directly to the management board in its entirety (Article 39 para. 6 no. 2 BWG). A person who satisfies the suitability requirements in accordance with Article 39 para. 6 no. 3 shall be entrusted with the running of this function. [15] This person is responsible for this function for the entire credit institution. See Chapter V.E below regarding possibilities for combined roles. The responsibility for establishing and ensuring orderly functioning of the BWG compliance function lies with all members of the management body in its management function collectively, and may not be delegated. This responsibility also covers the obligation to react in a timely manner, where the BWG compliance function fails to perform its duties in accordance with its legal mandate.

[15] Cf. MNs 26 – 28 below as well as the FMA Circular on Fit and Proper testing of directors, members of the supervisory board and key function holders ("Fit & Proper Circular") version published 08/2018, MN 125.

18. Credit institutions of significant relevance in accordance with Article 5 para. 4 BWG shall have internal control policies that among other things guarantee the exchange of information between the business lines, the management body and the supervisory body, as well as the control functions of the credit institution. The exchange of information between units shall also be ensured at group level. [16] The BWG compliance function shall in particular exchange such information with the risk management function that is useful for both functions in order to be able to perform their respective duties. Observations and doubts raised by the BWG compliance function shall be taken into account by the risk management function and the management body in its management function in decision-making processes.

19. The internal control framework [17] shall clearly define the role of the BWG compliance function in writing.

20. The BWG compliance function differs from the internal audit function in that the duty of the BWG compliance function is primarily ex ante monitoring, whereas the internal audit function is responsible for ex post review of the departments that it audits. The BWG compliance function reveals and evaluates BWG compliance risks and sets measures to reduce them to a minimum amount. The BWG compliance function may draw on the findings of audits conducted by the internal audit function, although it also has its own possibilities for performing checks. Reviews by the internal audit function are downstream of ex ante controls by the BWG compliance function, while the latter may also be the subject of an audit conducted by the internal audit function (cf. MN 33).

B. INDEPENDENCE OF THE BWG COMPLIANCE FUNCTION

21. In accordance with Article 39 para. 6 no. 2 BWG, the BWG compliance function, including the head of the BWG compliance function, is independent from the business units. The whole management body is responsible for the establishment of an independent BWG compliance function and monitors its effectiveness. The organisational placement of the BWG compliance function in the credit institution reflects its standing. The BWG compliance function being as high up as possible in the hierarchy of the institution (e.g. as a staff unit) increases its independence and also facilitates the performance of its activities. With regard to the activities and responsibilities of the BWG compliance function, the right of any managerial staff positioned between the BWG compliance function and the management body to issue instructions or to similarly exert influence is therefore excluded. Since the BWG compliance function is required to have direct access to the management body as a whole (Article 39 para. 6 no. 2 BWG) and to report to it, it is therefore problematic if it is located in organisational terms subordinate to and reporting to a single member of the management body. Organisational arrangements that impede the compliance function’s direct reporting to the management body (e.g. due to an intermediate reporting obligation to a head of division as well as the existence of any approval obligation by that person) must be avoided. It must also be ensured that such a head of division is unable to exert any indirect influence, e.g. by awarding bonuses, or by approving training and continuous professional development measures. The remuneration of the staff members of the BWG compliance function shall not be dependent on the outcome of the monitored activities and shall not impair their objectiveness. [18]

[16] EBA Guidelines on internal governance (EBA/GL/2021/05) para. 142.
[17] EBA Guidelines on internal governance (EBA/GL/2021/05) paras. 146-151.

22. The head of the BWG compliance function shall be appointed and dismissed by the management body, reports to the management body as a whole and shall act independently and not be subject to instructions in the fulfilment of their duties. Without prejudice to the overall responsibility of the management body, the head of the BWG compliance function shall not report to any person having responsibility for the performance of activities that are monitored and controlled by the BWG compliance function.

C. RESOURCES, INSPECTION AND ACCESS RIGHTS

23. The staffing and resources of the BWG compliance function must be dimensioned in a way that is commensurate to the size, internal organisation and the nature, scope and complexity of business activities, so that it is able to perform its duties in a meaningful manner. The management body shall confer the necessary powers and grant access to all relevant information to the staff members of the BWG compliance function. In the event of material changes regarding the size, internal organisation, and the nature, scope and complexity of business activities, the staffing and resources of the BWG compliance function shall be adjusted accordingly. The adequacy of staffing and resources shall be reviewed by the management body in its management function at regular intervals that are appropriate for the credit institution's risk environment, however at least once every three years as well as on an ad hoc basis, with the findings of such reviews being documented in writing.
Where a consensus fails to be reached between the management body and the head of the BWG compliance function regarding staffing and resources, the BWG compliance function shall express its concerns to the supervisory board or the other competent supervisory body under law or its statutes. [19]

24. The BWG compliance function is therefore a permanently established unit, which performs its activity on an ongoing basis throughout the entire year rather than only on an ad hoc basis. Written measures shall be defined to cover the absence of the head of the BWG compliance function as well as one or several staff members (especially deputation in the event of absence).

25. In order to perform their duties effectively, the head and staff members of the BWG compliance function shall have unrestricted information, inspection and access rights to documentation, databases and other IT systems and other information that are necessary for investigating relevant circumstances. This shall in particular also apply to relevant subsidiaries with high risk profiles, which may potentially generate material risks for the respective credit institution. [20] The head of the BWG compliance function, or their representative, shall be given the opportunity to participate in meetings of the management body or the supervisory body, provided that doing so does not compromise the independence of the BWG compliance function. If they are denied this opportunity, this shall be required to be documented and justified in writing. The head and staff members of the BWG compliance function shall have thorough knowledge of the organisation, corporate culture, and the decision-making process of the credit institution, in order to know at which meetings their participation may be expedient.

[18] EBA, Guidelines on internal governance (EBA/GL/2021/05) para 175 and Guidelines on sound remuneration policies (EBA/GL/2015/22) para. 176.
[19] EBA Guidelines on internal governance (EBA/GL/2021/05) para. 34.i.
[20] EBA Guidelines on internal governance (EBA/GL/2021/05) para. 161.

26. The tasks, competences and powers of the heads and staff members of the BWG compliance function shall be recorded in writing. This shall also include information on the structured monitoring programme, the reporting obligations of the BWG compliance function as well as information on the risk-based approach to compliance monitoring activities. In the event of changes in the legal or regulatory environment, these organisational and work instructions are adapted accordingly.

D. FIT & PROPER REQUIREMENTS

27. The head of the BWG compliance function established under Article 39 para. 6 no. 2 BWG shall be required to be of good reputation pursuant to Article 39 para. 6 no. 3 in conjunction with Article 5 para. 6 BWG, and to possess the requisite knowledge and experience in accordance with Article 39 para. 6 no. 3 BWG. The requirement for reputation applies irrespective of the nature, scale and complexity of business activities of the credit institution and shall be required to exist for the entire duration of the period of office. MNs 25-35 and MNs 38-42 of the FMA’s Fit & Proper Circular [21] shall apply accordingly with regard to the exact formulation regarding reputation.

28. Particular requirements shall exist for technical suitability of the head of the BWG compliance function, that shall be commensurate to the nature, scale and complexity of the credit institution’s business activities. [22] [23] See MN 129 of the FMA’s Fit & Proper Circular regarding the specific requirements regarding technical suitability.

29. All staff members of the BWG compliance function shall also be required to have sufficient knowledge, skills and expertise in order to be able to perform their duties. They shall have access to regular training measures. [24]

E. COMBINATION WITH OTHER FUNCTIONS

30. If it is disproportionate to appoint a single person who exclusively performs the duties of the head of the BWG compliance function, this function may be combined with the role of the head of the risk management function, or performed by another senior position (e.g. head of the legal department), provided that no conflict of interests exists between the combined functions. Furthermore, it is also possible to combine it with the functions of the WAG compliance officer or the Anti-Money Laundering officer in accordance with the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz [25]). However, in this context it is important to take note of the respective requirements and standards regarding the (non-)admissibility of the combination of functions (see in this regard MN 82 of the WAG 2018 Organisational Circular [26], as well as MN 30 of the FMA Circular on “internal organisation for the prevention of money laundering and terrorist financing” [27]).

[21] FMA Circular on the assessment of suitability of executive directors, non-executive directors and key function holders (“Fit & Proper Circular”), August 2018.
[22] Cf. also EBA Guidelines on internal governance (EBA/GL/2021/05) para. 37.
[23] Regarding the fit and proper requirements for the WAG Compliance Officer, see the FMA WAG 2018 Organisational Circular, version published in 01/2021, MN 40 et seq.
[24] EBA Guidelines on internal governance (EBA/GL/2021/05) para. 207.

31. In any case of a combination of roles it must be ensured that any combining of roles does not compromise the effectiveness and independence of the respective function.

32. Where use is made of the possibility to combine roles, the justification for doing so shall be set out in writing and submitted to the FMA upon request. Part of this justification shall also be a description about how conflicts of interest are avoided, and about to what extent, despite combining roles, adequate resources are available for the performing of all duties.

33. It is not possible to combine the BWG compliance function with the internal audit function, as the BWG compliance function is the subject matter of the internal audit function’s audit examination.

F. THE BWG COMPLIANCE FUNCTION WITHIN THE GROUP OF CREDIT INSTITUTIONS AND THE AFFILIATION OF CREDIT INSTITUTIONS

34. Within the group of credit institutions (CI group) in accordance with Article 30 BWG and within the affiliation of credit institutions in accordance with Article 30a BWG, the resources, both in terms of staff and material, must be adequate both at the level of the superordinate credit institution as well as on the level of the member or allocation credit institutions. [28]
MINIMUM STANDARDS BWG COMPLIANCE 03.11.2022 PAGE 12 institutions belonging to the group or affiliation of credit institutions shall inform the head of the BWG compliance function in the superordinate credit institution.29 G. OUTSOURCING 37. The fulfilment of duties regarding BWG compliance under Article 39 para. 6 BWG is considered a "material operational task” as defined in Article 25 para. 2 BWG. The outsourcing of the performance of individual or all tasks in accordance with Article 39 para. 6 no. 1 BWG as well as the outsourcing of the entire BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG shall be notified in writing to the FMA, taking into account the relevant regulations under Article 25 BWG. The central provision of guidelines in the group of credit institutions in accordance with Article 30 BWG, in the affiliation of credit institutions in accordance with Article 30a BWG and in the sectoral association is however excluded from this, since they are only centrally prescribed templates and are not solutions that are individually tailored to credit institutions, and such guidelines are subsequently individually adapted by the credit institution and then adopted. Against such a background centralised guidelines in the group of credit institutions in accordance with Article 30 BWG, in the affiliation of credit Institutions in accordance with Article 30a BWG and the sectoral association do not fulfil the definition of outsourcing as defined in Article 25 BWG. Both the performances of duties under Article 39 para. 6 no. 1 BWG as well as the establishment of a BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG is to be classified as a “critical or important function” as defined in section 4 of the EBA Guidelines on Outsourcing30 . 38. Material outsourcing processes take place under consideration of BWG compliance. In credit institutions with a BWG compliance function in accordance with Article 39 para. 6 no. 
2 BWG this is incorporated on a risk-based basis in the analysis prior to the outsourcing regarding the observance of supervisory conditions.31 In credit institutions where a BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG has been established, outsourcing agreements regarding “critical and material functions” are accompanied by it when they are concluded.32

29 EBA Guidelines on internal governance (EBA/GL/2021/05) para. 213.
30 EBA Guidelines on outsourcing (EBA/GL/2019/02) paras. 29-31.
31 In the case of credit institutions that are not required to establish a separate BWG compliance function in accordance with Article 39 para. 6 no. 2 BWG, it should be noted by way of clarification that it shall suffice, for example, for the legal department to check the outsourcing agreement.
32 EBA Guidelines on outsourcing (EBA/GL/2019/02) paras. 42 and 68.b.
VI. DUTIES OF THE BWG COMPLIANCE FUNCTION IN CREDIT INSTITUTIONS THAT ARE REQUIRED TO ESTABLISH A BWG COMPLIANCE FUNCTION IN ACCORDANCE WITH ARTICLE 39 PARA. 6 NO. 2 BWG

A. REGULAR ASSESSMENT

39. For BWG compliance purposes, a process shall be established to regularly assess amendments to the applicable laws and legal regulations as well as changes in business activity (e.g. acquisitions of entities, IT migrations, internal reorganisations etc.), to derive any need for adjustments, to ensure that all affected business lines and staff members are informed accordingly, and to define any necessary implementation steps in the processes of their respective departments.

40. When updating processes in relation to changes that are relevant for BWG compliance, the BWG compliance function shall be required to at least have an overview of whether staff members possess the corresponding knowledge, or whether relevant courses and training measures have been organised. It shall organise such training measures itself if necessary.

B. ONGOING MONITORING WITHIN THE SCOPE OF A MONITORING PROGRAMME

41. Risks of a potential breach of the applicable regulations are reduced by the BWG compliance function ensuring that BWG compliance risks are taken into account in all the departments’ processes and procedures. The BWG compliance function monitors this by means of a structured, risk-based and precisely defined BWG compliance monitoring programme. An underlying risk assessment regarding existing and new BWG compliance risks is the basis for this BWG compliance programme. Priorities shall be defined for the BWG compliance function’s monitoring and advisory activities based on the regular assessment of the BWG compliance risks. The underlying risk assessment of the monitoring programme shall be conducted on both a regular and an ad hoc basis, to ensure that the priorities for BWG compliance are always up to date.

42.
The risk-based monitoring programme determines when, in accordance with which criteria, and how frequently which monitoring activities are performed. The purpose of such monitoring activities is an ex ante check. Both off-site activities (e.g. desk study of files and analyses) as well as on-site monitoring of operative business lines should be considered. This ensures the earliest possible detection of risks, which in turn may lead to BWG compliance risk being minimised in a timely manner by means of providing relevant advice. Suitable monitoring activities include the examination of files, participation in meetings, interviews with responsible staff members, documentation and reports
submitted to the management body about any discrepancies between the current and target situations or other situations requiring solutions, with the objective of reducing BWG compliance risk to a minimum.

43. Within the scope of the monitoring programme based on the predicted or identified risk, the implementation and effectiveness of any measures that the credit institution has taken on the basis of a BWG compliance risk that has already occurred will be monitored on a risk-based and ad hoc basis.

44. When conducting its monitoring activities, in accordance with Article 39 para. 6 no. 2 BWG, the BWG compliance function shall take into account to what extent legal or regulatory rules are applicable to the respective business area, and to what extent specialist departments or other control functions (risk management function, internal audit function) have already imposed such limits. The internal control functions shall coordinate their reviewing and monitoring measures, taking into account the independence and duties of the various functions, and the monitoring and audit activities of other control functions shall not replace the BWG compliance function’s own monitoring activities.

C. RESPONSIBILITY OF THE MANAGEMENT BODY

45. The BWG compliance function shall advise the management body about the measures that are necessary in order to (i) ensure compliance with the applicable regulations and (ii) analyse the potential impact of changes to the legal or regulatory environment as well as changes in business activity (e.g. acquisitions of entities, IT migrations, internal reorganisations etc.) upon the credit institution and the compliance framework.

46. BWG compliance makes a significant contribution towards a good compliance culture and therefore to the credit institution’s risk culture.
Where it is established, the BWG compliance function is therefore in constant contact with the management body, makes it aware of deficiencies, advises about how such deficiencies may be rectified, and assesses whether any corrective actions taken were sufficient.

47. The location of the BWG compliance function in the specialist departments should be considered in relation to the BWG compliance function’s information and advisory role. It shall not, however, be the duty of the BWG compliance function under Article 39 para. 6 no. 2 BWG to adapt all relevant processes in relation to BWG compliance. The specialist departments are primarily obliged to develop and implement suitable measures for avoiding BWG compliance breaches themselves, with risk-based and ad hoc checking by the BWG compliance function only taking place in a subsequent second stage within its monitoring programme.

D. REPORTING

48. The BWG compliance function shall report directly to the management body as a whole33, and where necessary the risk management function, about the results of its analysis of BWG compliance risk and of controlling it. The BWG compliance function also has the possibility at any time to report to the supervisory board or the competent supervisory body in accordance with the law or statutes.

33 EBA Guidelines on internal governance (EBA/GL/2021/05) para. 161.

The BWG
compliance function and the risk management function shall co-operate with one another while maintaining their respective independence and shall exchange information where appropriate in order to perform their respective duties. The management body and the risk management function shall take the recommendations of the BWG compliance function into account in their decision-making processes, especially with regard to necessary measures for minimising BWG compliance risk.

E. APPROVAL OF NEW PRODUCTS AND PROCEDURES

49. The credit institution shall have guidelines for approving new products34 as well as procedures for ensuring compliance with these guidelines. Such procedures cover both the contributions of the risk management function as well as a systematic prior evaluation and documented opinion by the BWG compliance function, for new products or material changes to existing products.

50. The BWG compliance function is involved in the approval process for new products and procedures in accordance with paras. 168 and 211 of the IG-GL35. It assesses whether new products and procedures or material changes to existing products and procedures are in line with the current legal framework and, as appropriate, with known impending changes to the applicable rules.

51. In the event that processes are required to be adapted due to the approval of new products and procedures, this shall be monitored by the BWG compliance function.36

VII. DUTIES WITHIN THE SCOPE OF BWG COMPLIANCE IN CREDIT INSTITUTIONS THAT ARE NOT REQUIRED TO ESTABLISH A BWG COMPLIANCE FUNCTION UNDER ARTICLE 39 PARA. 6 NO. 2 BWG

A. REGULAR ASSESSMENT

52. For BWG compliance purposes, a process shall be established to regularly assess amendments to the applicable laws and regulations as well as changes in business activity (e.g.
acquisitions of entities, IT migrations, internal reorganisations etc.), to derive any need for adjustments, as well as to ensure that all affected business lines and staff members are informed accordingly, and that the necessary steps are duly taken.

34 EBA Guidelines on internal governance (EBA/GL/2021/05) para. 163.
35 EBA Guidelines on internal governance (EBA/GL/2021/05).
36 With regard to product governance obligations that apply to credit institutions regarding financial instruments see also Article 30 of the Securities Supervision Act 2018 as well as the WAG 2018 Organisational Circular, version published in 01/2021, MN 118.
B. CHECKS

53. BWG compliance means reducing risks of any non-compliance with relevant regulations to a minimum by establishing appropriate processes and procedures, and ensuring that they are observed. It is a duty of the management body to have an overview of the BWG compliance risks of the respective credit institution, and to use risk-based checks to ensure that such risks are counteracted accordingly in the respective specialist departments. In so doing, for example, the implementation and effectiveness of any measures that the credit institution has taken on the basis of a BWG compliance risk that has already occurred shall be considered. Information about the risk-based approach for checking activities within the scope of BWG compliance shall be defined in writing. In the event of changes in the legal or regulatory environment, they will be adapted accordingly.

C. APPROVAL OF NEW PRODUCTS AND PROCEDURES

54. The credit institution shall have guidelines for approving new products37 as well as procedures for ensuring compliance with these guidelines. Such procedures cover aspects in relation to both risk management and BWG compliance.38

VIII. SUPERVISION

A. REGULAR COMMUNICATION WITH THE SUPERVISORY AUTHORITY

55. Within the scope of its regular communication (e.g. within the scope of an on-site inspection or a Supervisory Review and Evaluation Process (“SREP”)), the supervisory authority discusses the identified deficiencies with the BWG compliance function. Such a dialogue does not create any further reporting obligations over and above the existing legal obligations. By means of direct communication with the BWG compliance function, the supervisory authority obtains an impression of how the credit institution deals with BWG compliance issues, how it handles identified deficiencies, and what importance is attached to the BWG compliance function within the credit institution.
37 EBA Guidelines on internal governance (EBA/GL/2021/05) para. 163.
38 With regard to product governance obligations that apply to credit institutions regarding financial instruments see also Article 30 of the Securities Supervision Act 2018 as well as the WAG 2018 Organisational Circular, version published in 01/2021, MN 118.
B. NOTIFICATIONS

56. Credit institutions of significant relevance as defined in Article 5 para. 4 BWG shall notify the FMA without delay in writing about the head of the BWG compliance function (Article 73 para. 1b no. 3 BWG).

57. The notification about the head of the BWG compliance function must contain detailed information about how they meet the requirements regarding their fitness and propriety as well as independence of mind in accordance with Article 39 para. 6 no. 3 and Article 5 para. 1 nos. 6 and 7 BWG. With regard to the documents to be submitted together with the notification, we also refer to the Annex to the Fit & Proper Circular39.

39 Cf. the Annex to the FMA Circular on the assessment of suitability of executive directors, non-executive directors and key function holders (Fit & Proper Circular) in the version published in August 2018, Annex 1.