Region

Jurisdiction

Regulator

2014-08-15 | Circular 10/2012: Minimum Requirements for Risk Management (MaRisk BA)

Circular 10/2012: Minimum Requirements for Risk Management (MaRisk)

The German Federal Financial Supervisory Authority (BaFin) issued Circular 10/2012 to establish a flexible, principles-based framework for risk management across banking and financial services institutions. The regulation mandates robust governance, internal capital adequacy assessments, and clearly defined risk control and compliance functions while applying dual proportionality to tailor requirements by institution size and complexity. It comprehensively addresses credit, market, liquidity, and operational risks alongside internal audit standards and outsourcing rules to safeguard asset safety and ensure consistent investor protection.

Germany

Federal Financial Supervisory Authority Germany

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 1 of 62 Annex 1: Annotated text of the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement) in the version of 14 December 2012 1 Please note: This English version is provided for information purposes only. The original German text is binding in all respects. For the sake of clarity, some key concepts used in this document are listed below together with the respective German term to which they refer and which defines their precise meaning. Management board – Geschäftsleitung Supervisory board – Aufsichtsorgan Integrated performance and risk management – Gesamtbanksteuerung Financial position and financial performance - Vermögens-, Finanz- und Ertragslage Segregation of duties – Funktionstrennung

1 Anlage 1: Erläuterungen zu den MaRisk in der Fassung vom 14.12.2012.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 2 of 62 AT 1 Prelimimnary remarks ................……………………………………………………………………………………………………………………………………………..3 AT 2 Subject matter..................................................................................................................................................... 6 AT 2.1 Scope............................................................................................................................................................ 6 AT 2.2 Risks ............................................................................................................................................................. 7 AT 2.3 Business transactions ...................................................................................................................................... 8 AT 3 Joint responsibility of the management board members ............................................................................................ 9 AT 4 General risk management requirements .................................................................................................................10 AT 4.1 Internal capital adequacy................................................................................................................................10 AT 4.2 Strategies .....................................................................................................................................................12 AT 4.3 Internal control system...................................................................................................................................14 AT 4.3.1 Organisational and operational structure .....................................................................................................14 AT 4.3.2 Risk management and risk control processes ...............................................................................................14 AT 4.3.3 Stress tests .............................................................................................................................................16 AT 4.4 Special functions............................................................................................................................................17 AT 4.4.1 Risk control function .................................................................................................................................17 AT 4.4.2 Compliance function .................................................................................................................................18 AT 4.4.3 Internal audit function...............................................................................................................................20 AT 4.5 Risk management at group level......................................................................................................................21 AT 5 Organisational guidelines......................................................................................................................................22 AT 6 Documentation....................................................................................................................................................23 AT 7 Resources...........................................................................................................................................................23 AT 7.1 Staff.............................................................................................................................................................23 AT 7.2 Technical and organisational resources .............................................................................................................23 AT 7.3 Contingency plan ...........................................................................................................................................24 AT 8 Adjustment processes ..........................................................................................................................................25 AT 8.1 New product process ......................................................................................................................................25 AT 8.2 Modifications of operational processes or structures ...........................................................................................26 AT 8.3 Mergers and acquisitions.................................................................................................................................26 AT 9 Outsourcing........................................................................................................................................................27 BT 1 Special requirements relating to the internal control system .....................................................................................30 BTO Requirements relating to the organisational and operational structure ........................................................................30 BTO 1 Credit business...............................................................................................................................................32 BTO 1.1 Segregation of duties, and voting................................................................................................................32 BTO 1.2 Requirements relating to credit business processes .......................................................................................35

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 3 of 62 BTO 1.2.1 Granting of loans....................................................................................................................................37 BTO 1.2.2 Further processing of loans......................................................................................................................37 BTO 1.2.3 Credit processing control.........................................................................................................................38 BTO 1.2.4 Intensified loan management...................................................................................................................38 BTO 1.2.5 Treatment of problem loans.....................................................................................................................39 BTO 1.2.6 Risk provisioning....................................................................................................................................40 BTO 1.3 Procedure for the early detection of risks .....................................................................................................41 BTO 1.4 Risk classification procedures .....................................................................................................................42 BTO 2 Trading .........................................................................................................................................................42 BTO 2.1 Segregation of duties ................................................................................................................................42 BTO 2.2 Requirements relating to trading processes ..................................................................................................43 BTO 2.2.1 Trading .................................................................................................................................................43 BTO 2.2.2 Settlement and control ...........................................................................................................................45 BTO 2.2.3 Capturing in risk control..........................................................................................................................49 BTR Requirements relating to risk management and risk control processes ........................................................................49 BTR 1 Counterparty and credit risk.............................................................................................................................49 BTR 2 Market risk.....................................................................................................................................................51 BTR 2.1 General requirements ................................................................................................................................51 BTR 2.2 Market risk in the trading book ...................................................................................................................53 BTR 2.3 Market risk in the banking book (including interest rate risk) ..........................................................................53 BTR 3 Liquidity risk ..................................................................................................................................................55 BTR 3.1 General requirements ................................................................................................................................55 BTR 3.2 Additional requirements relating to capital market-oriented institutions............................................................57 BTR 4 Operational risk ..............................................................................................................................................58 BT 2 Special requirements relating to the internal audit function.......................................................................................59 BT 2.1 Tasks of the internal audit function ..................................................................................................................59 BT 2.2 General principles relating to the internal audit function......................................................................................59 BT 2.3 Planning and conduct of the audit ....................................................................................................................60 BT 2.4 Reporting requirement....................................................................................................................................60 BT 2.5 Reaction to identified findings..........................................................................................................................62

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 4 of 62 AT2 1 Preliminary remarks 1 This Circular provides a flexible and practical framework for structuring institutions’ risk management on the basis of section 25a (1) of the German Banking Act (Kreditwesengesetz). Moreover, it specifies the requirements laid down in section 25a (1a) and (2) of the Banking Act (risk management at group level, and outsourcing). Geared to maintaining internal capital adequacy, appropriate and effective risk management encompasses, in particular, defining strategies and establishing internal control mechanisms. Internal control mechanisms shall consist of an internal control system and an internal audit function. The internal control system shall comprise, in particular,

rules on the organisational and operational structure,
processes for identifying, assessing, managing, monitoring and reporting risks (risk management and risk control processes), and
a risk control function and a compliance function. Risk management creates a basis for the proper performance of the supervisory board’s (Aufsichtsorgan) monitoring functions and thus shall also include the adequate involvement of the supervisory board. Branches pursuant to section 53 of the Banking Act As there is no supervisory board for branches of enterprises domiciled outside Germany pursuant to section 53 of the Banking Act, these institutions must instead involve their corporate headquarters in an appropriate manner. 2 Furthermore, this Circular provides a qualitative framework for implementing Articles 22 and 123 of Directive 2006/48/EC (Banking Directive). Pursuant to these Articles, institutions shall have in place robust governance arrangements as well as strategies and processes which ensure that adequate internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process, or ICAAP). The quality of these processes shall be assessed periodically by the supervisory authority pursuant to Article 124 of the Banking Directive as part of the Supervisory Review and Evaluation Process. Therefore, taking account of the principle of dual proportionality, this Circular provides the regulatory framework for qualitative supervision in Germany (Supervisory Review Process). In line with the principles-based structure of the Minimum Requirements for Risk Management, proper application of the principle of dual proportionality by

2 The abbreviations referring to the various parts of the Minimum Requirements for Risk Management are taken from the original German text and are defined as follows: AT = general part; BT = special part; BTO = special part regarding requirements relating to the organisational and operational structure; BTR = special part regarding requirements relating to risk management and risk control processes.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 5 of 62 institutions also includes the demand that institutions, in individual cases, shall make more extensive provisions over and above particular requirements that are explicitly formulated in the Minimum Requirements for Risk Management if this is necessary to ensure that their risk management is appropriate and effective. Therefore, institutions which are particularly large or whose business activities are particularly complex, internationalised or exposed to risk shall make more extensive risk management arrangements than smaller institutions with less complexly structured business activities that do not incur any extraordinary risk exposure. The former institutions, on their own initiative, shall also incorporate into their implementation of an appropriate risk management structure the insights provided in the relevant publications on risk management issued by the Basel Committee on Banking Supervision and the Financial Stability Board. With regard to the methods used for calculating the regulatory own funds stipulated in the Banking Directive, this Circular’s requirements are designed in a neutral manner such that they can be met irrespective of the chosen method. 3 Moreover, this Circular implements Article 13 of Directive 2004/39/EC (Markets in Financial Instruments Directive, or MiFID) by way of section 33 (1) of the Securities Trading Act (Gesetz über den Wertpapierhandel) in conjunction with section 25a (1) of the Banking Act insofar as the Directive applies equally to credit institutions and financial services institutions. This concerns the general organisational requirements pursuant to Article 5, the risk management and internal audit requirements pursuant to Articles 7 and 8, the requirements regarding the responsibility of the management board (Geschäftsleitung) pursuant to Article 9 and outsourcing pursuant to Articles 13 and 14 of Directive 2006/73/EC (MiFID Implementing Directive). These requirements serve to achieve the objective of the MiFID, namely to harmonise the financial markets in the European Union in the interests of facilitating the cross-border flow of financial services and a uniform framework for investor protection. 4 This Circular takes due account of the heterogeneous structure of institutions and the diversity which characterises business activities. It contains numerous opening clauses which enable simplified implementation depending on the institution’s size, core business activities and risk situation. It can, therefore, be implemented flexibly, in particular also by smaller institutions. This Circular is open to the ongoing development of risk management processes and procedures, provided that such processes and procedures are in line with the objectives of this Circular. To this end, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, hereinafter referred to as BaFin) will maintain an ongoing dialogue with the

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 6 of 62 industry. 5 BaFin expects the Circular’s flexible basic tenor to be taken into due account in audit activities. Audits shall, therefore, be conducted on the basis of a riskoriented audit approach. 6 This Circular has a modular structure to enable necessary adjustments in certain regulatory areas to be confined to the timely revision of individual modules. A general part (the AT module) contains basic principles for structuring risk management. Specific requirements regarding the organisation of credit business and trading are laid down in a special part (the BT module). Taking account of risk concentrations, this module also outlines the requirements for identifying, assessing, managing, monitoring and reporting counterparty and credit risk, market risk, liquidity risk and operational risk. Furthermore, the BT module provides a framework for structuring institutions’ internal audit function. AT 2 Subject matter 1 Compliance with the requirements of this Circular by the institutions is intended to help to counteract undesirable developments in the banking and financial services sector that might endanger the safety of the assets entrusted to institutions, impair the proper conduct of banking business or provision of financial services or lead to serious disadvantages for the economy as a whole. Moreover, when providing investment services and ancillary investment services, institutions shall comply with the requirements also in the light of protecting the interests of investment services customers. AT 2.1 Scope 1 The requirements set out in this Circular shall be complied with by all institutions within the meaning of section 1 (1b) of the Banking Act as well as

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 7 of 62 section 53 (1) of the Banking Act. They also apply to the branches of German institutions located outside Germany. They do not apply to branches of enterprises domiciled in another state of the European Economic Area pursuant to section 53b of the Banking Act. The requirements laid down in module AT 4.5 of this Circular shall be observed at group level by the superordinated enterprises or by the superordinated financial conglomerate enterprises of a group of institutions, financial holding group or financial conglomerate. 2 Financial services institutions and securities trading banks shall comply with the requirements of this Circular insofar as this appears necessary, given the institution’s size as well as the nature, scale, complexity and riskiness of its business activities, to comply with the statutory duties laid down in section 25a of the Banking Act. This shall apply, in particular, to modules AT 3, AT 5, AT 7 and AT 9. AT 2.2 Risks 1 The requirements set forth in this Circular relate to the management of an institution’s material risks. In order to assess whether or not a risk is material, the management board shall, regularly and on an ad hoc basis, gain an overview of the risks faced by the institution in the context of a risk inventory (overall risk profile). The risks shall be captured at the level of the institution as a whole irrespective of the organisational unit in which they were caused. At least the following risks shall be considered material: (a) counterparty and credit risk (including country risk), (b) market risk, (c) liquidity risk, and (d) operational risk. The risk concentrations associated with material risks shall likewise be taken into account. Appropriate arrangements shall be made for any risks which are not considered material. Risk concentrations Besides risk exposures to single counterparties which constitute a risk concentration on account of their size alone, risk concentrations can arise both from a co-movement of risk positions within a risk type (“intra-risk concentrations”) and from a co-movement of risk positions across different risk types (due to common risk factors or interactions between various risk factors of different risk types – “inter-risk concentrations”). 2 In the context of the risk inventory, the institution shall examine which risks Holistic risk inventory

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 8 of 62 may materially impair its financial position (including its capital resources), financial performance or liquidity position. The risk inventory should not focus exclusively on the impact on the institution’s accounting or on de jure views. The risk inventory shall also take account of risks arising from off-balancesheet entities (eg risks from special-purpose entities not subject to consolidation). Depending on the institution’s specific overall risk profile, other risks, such as reputational risks, should be considered material, where appropriate. AT 2.3 Business transactions 1 Credit business within the meaning of this Circular shall basically mean the transactions pursuant to section 19 (1) of the Banking Act (asset items and off-balance-sheet items subject to counterparty and credit risk). Credit business Classification as credit business applies regardless of whether or not the relevant positions are to be used for securitisations. 2 A credit decision within the meaning of this Circular shall mean any decision on new loans, loan increases, equity investments, breaches of limits, the setting of borrower-related limits as well as of counterparty and issuer limits, prolongations and changes in the risk-relevant circumstances on which a credit decision was based (eg collateral, designated use). It is irrelevant whether or not this decision was taken solely by the institution itself or together with other institutions (syndicated credit business). Prolongations With regard to the term “prolongations”, no distinction is made between external and internal prolongations (eg internal rollover of external loan commitments valid until further notice). Internal “loan monitoring actions”, which serve merely monitoring purposes during the term of the loan, do not, however, count as prolongations and are thus not credit decisions within the meaning of this Circular. Interest rate adjustments Interest rate adjustments made after the expiry of interest rate fixation periods (that do not match the total term of the loan) may be considered part of the overall loan agreement and thus processes which must (also) be reviewed prior to granting the loan. This is, therefore, generally not a separate credit decision within the meaning of this Circular. Deferrals Deferrals do not constitute changes to the credit relationship that are planned ex ante. They serve, for example, to bridge gaps briefly prior to restructuring, and should thus be classified as a credit decision within the meaning of this Circular. 3 Trading shall basically mean all trades based on a (a) money market transaction, (b) securities transaction, (c) foreign exchange transaction, Issuing business The initial issue of securities does not generally constitute trading within the meaning of this Circular. However, the first-time purchase of newly issued securities does constitute a trade within the meaning of this Circular. In the case of first-time purchases, market conformity may be verified more simply (note on BTO 2.2.2 number 5).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 9 of 62 (d) transaction involving tradable receivables (eg trading in borrower’s notes), (e) commodities transaction, or (f) derivatives transaction which are concluded in the institution's own name and for its own account. Securities transactions shall also include transactions involving registered bonds as well as securities lending, but not the initial issue of securities. Regardless of the underlying, trading shall also include any form of securities lending as well as repurchase agreements. Classification of receivables as trading Regarding (d): receivables should be classified as trading if the institution intends to trade in them. The institution must define suitable criteria for this. Commodities transactions Regarding (e): commodities transactions shall include, in particular, trading in precious metals and commodities, as well as CO2 emission trading and electricity trading. By analogy with section 296 (2) of the Regulation Governing the Capital Adequacy of Institutions, Groups of Institutions and Financial Holding Groups (Solvency Regulation (Solvabilitätsverordnung)), commodities transactions that constitute matched positions for the entire duration of the transaction as a result of outright agreements to accept or deliver the commodity in question at the time of performance do not qualify as commodities transactions within the meaning of this Circular. Traditional commodities transactions conducted by mixed-activity credit cooperatives (gemischtwirtschaftliche Kreditgenossenschaften) Corresponding implementation of the requirements for trading may be appropriate for traditional commodities transactions conducted by mixedactivity credit cooperatives depending on the nature, scale and riskiness of these business activities. 4 Derivatives transactions shall include forward transactions, the price of which is derived from an underlying asset, a reference price, a reference interest rate, a reference index or a predefined event. Guarantees/sureties Guarantees/sureties and the like do not come under the definition of derivatives used in this Circular. AT 3 Joint responsibility of the management board members 1 All members of the management board (section 1 (2) of the Banking Act) shall be responsible for ensuring an institution’s proper business organisation and the further development thereof irrespective of the internal allocation of responsibilities. Taking account of outsourced activities and processes, this responsibility shall cover all material elements of risk management. Members of the management board can fulfil this responsibility only if they are able to assess risks and take the necessary measures to limit them. The members of the management board of a superordinated enterprise of a group of institutions or a financial holding group, or of a superordinated financial

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 10 of 62 conglomerate enterprise shall be additionally responsible for ensuring the group’s proper business organisation and thus also for ensuring appropriate and effective risk management at group level (section 25a (1a) of the Banking Act). AT 4 General risk management requirements AT 4.1 Internal capital adequacy 1 Based on their overall risk profile, institutions shall ensure that their material risks, taking account of risk concentrations, are constantly covered by available financial resources (risk coverage potential) thus maintaining internal capital adequacy. 2 Each institution shall establish an Internal Capital Adequacy Assessment Process (ICAAP). The institution’s internal capital adequacy shall be taken into account when defining the strategies (AT 4.2) and adjusting them. Moreover, suitable risk management and risk control processes (AT 4.3.2) shall be put in place for implementing the strategies and ensuring internal capital adequacy. 3 If the internal capital adequacy approach is linked to the annual financial statement items, the institution shall take due account of any developments occurring after the balance sheet date. Taking due account of developments after the balance sheet date If the internal capital adequacy approach is linked to the annual financial statement items, considering developments up to the next-but-one balance sheet date starting no later than in the middle of the year or using a rolling 12- month forward window would normally be appropriate solutions. 4 Institutions shall specify any material risks that are not included in the internal capital adequacy approach. The exclusion of a material risk shall be plausibly substantiated and shall be permissible only if the risk in question cannot be meaningfully limited by means of available financial resources (risk coverage potential) owing to its specific nature (eg illiquidity risk). It shall be ensured that such risks are appropriately factored into the risk management and risk control processes.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 11 of 62 5 If an institution does not have any suitable methods for quantifying individual risks that are to be included in the internal capital adequacy approach, it shall set a reasonable risk amount for these risks based on a plausibility check. The plausibility check can be conducted using a qualified expert judgement. 6 Where an institution factors risk-reducing diversification effects within or between risk types into its internal capital adequacy approach, the underlying assumptions shall stem from an analysis of the institution’s individual circumstances and shall be based on data that can be considered applicable to the institution’s individual risk situation. The underlying data histories shall be sufficiently long in order to reflect changes in the diversification effects during economic upswings and downturns. The diversification effects shall be estimated conservatively enough to be assumed to be sufficiently stable even in economic downturns and under market conditions that are unfavourable for the institution’s business and risk structure. Data from other sources Diversification effects calculated on the basis of data and assumptions taken over unreflectedly from other sources may not be factored into the internal capital adequacy approach. If the assumptions regarding diversification effects are based on external data (eg in the context of credit portfolio models) the institution shall be able to plausibly demonstrate that the underlying data reflect the institution’s business and risk structure. Data histories The determination of diversification effects through pure averaging across economic upswings and downturns is adequate only if the diversification effects have proved to be very stable over the entire economic cycle and there is nothing to suggest that they will not remain stable in the future. If the data history analysis shows that these conditions are not met, diversification effects may be factored in, at most, to the extent that they also apply in market phases which are extremely unfavourable for the institution. The specification of diversification assumptions within market risks may, where appropriate, be based on time series that do not cover all of the phases of an economic cycle. It must be ensured, however, that diversification effects are also calculated over a period which constitutes an unfavourable market phase in respect of the institution’s current portfolio. If the observable data history does not contain a correspondingly suitable market phase, a hypothetical market phase structured in an appropriately conservative manner may be factored in exceptionally instead of a historical market phase. 7 The reliability and stability of the diversification assumptions shall be reviewed regularly and, where applicable, on an ad hoc basis. 8 The institution shall be responsible for choosing the methods and procedures for assessing internal capital adequacy. The assumptions underlying the methods and procedures shall be plausibly substantiated. The specification of key elements of the internal capital adequacy management system and major underlying assumptions shall be approved by the management board. The responsible expert staff shall review the appropriateness of the methods Critical analysis of risk quantification procedures As all risk quantification methods and procedures are incapable of fully reflecting reality, the assessment of internal capital adequacy should take due account of the fact that the risk amounts contain inaccuracies – at both individual risk and aggregate level – or may underestimate the risk.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 12 of 62 and procedures at least once a year. These reviews shall take due account of the limits and constraints arising from the methods and procedures employed, the underlying assumptions and the input data used in quantifying the risk. In this respect the robustness and significance of the risk quantification shall be analysed critically. The procedures used for internal capital adequacy management shall take due account of ensuring an institution’s continuation as a going concern and protecting creditors against economic losses. If the risk amounts calculated using comparatively simple and transparent procedures are discernibly sufficiently conservative in terms of the limits and constraints of the procedures, a deeper analysis may be waived. If the methods and procedures, the underlying assumptions, parameters, or the input data are comparatively complex, an appropriate quantitative and qualitative validation of these components and the risk results is necessary in respect of their use. Going concern and creditor protection objectives Where a specific management approach focuses on one of the two aims (institution’s continuation as a going concern or creditor protection), account shall be taken, where appropriate, of the other aim by means of suitable adjustments and additions to the management approach. Details are provided in the paper entitled “Supervisory assessment of bank-internal capital adequacy concepts” (published on 7 December 2011, see in particular numbers 17, 18 and 49). 9 Every institution shall have a process in place for planning future capital needs. The planning horizon shall cover a suitably long period of several years. The institution shall also take due account of how changes in its own business activities or strategic objectives and changes in the economic environment beyond the risk horizon of the internal capital adequacy approach might affect its capital needs. Potential adverse developments which deviate from expectations shall be appropriately factored in at the planning stage. Forward-looking capital planning process The forward-looking capital planning process is a complement to the internal capital adequacy approach with a view to also appropriately monitoring and planning an institution’s future ability to bear its own risks. The aim of capital planning is to identify in good time any capital needs (internal and regulatory) that could arise beyond the risk horizon and, if necessary, to initiate suitable measures as quickly as possible. AT 4.2 Strategies 1 The management board shall define a sustainable business strategy outlining the institution’s objectives for each material business activity and the measures to be taken to achieve these objectives. When defining or adjusting the business strategy, the management board shall take account of both external factors (eg market developments, the competitive situation or the regulatory environment) and internal factors (eg internal capital adequacy, liquidity, profit situation, staffing level or technical and organisational resources). It shall make assumptions with regard to how the relevant factors will develop in future. It shall review these assumptions regularly and on an ad hoc basis; it shall adjust the business strategy as and Audit activities of external auditors or the internal audit function The substance of the business strategy is solely the responsibility of the management board and is not subject to examination in the course of audit activities of external auditors or the internal audit function. The business strategy is to be drawn upon when examining the risk strategy in order to verify the consistency between the two strategies. The audit activities should also cover the strategy process set out in AT 4.2 number 4. Strategic objectives and measures to achieve them The description of the strategic objectives and the measures to be taken to

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 13 of 62 when necessary. achieve them define the key points of operational planning and must, therefore, be sufficiently specific to enable the objectives and measures to be plausibly incorporated into operational corporate planning. Special strategic aspects Given the significance of IT systems for the functioning of processes within an institution, the institution, depending on the nature, scale, complexity and riskiness of its business activities, must also provide statements on the planned future arrangement of its IT systems. Where there are extensive outsourcing activities, specifications regarding outsourcing are also required. 2 The management board shall define a risk strategy that is consistent with the business strategy and the risks resulting therefrom. The risk strategy – where applicable, divided into sub-strategies for the material risks – shall include the risk management objectives for the key business activities and the measures to be taken to achieve these objectives. In particular, risk tolerance levels shall be set for all material risks, taking account of risk concentrations. Risk concentrations shall also be taken into account with regard to the institution’s profit situation (profit concentrations). This requires the institution to be able to delineate its sources of income and quantify them (eg with regard to the terms and structural contribution in the interest book). Risk tolerance levels In setting risk tolerance levels, the management board makes a conscious decision regarding the extent to which it is willing to take risks. Risk tolerance levels can be expressed in many different ways. Besides purely quantitative specifications (eg strictness of risk measurement, global limits, definition of buffers for certain stress scenarios), risk tolerance levels can also be reflected in qualitative specifications (eg requirement for the collateralisation of loans, avoidance of certain transactions). 3 The management board shall be responsible for defining and adjusting the strategies; this responsibility cannot be delegated. The management board shall see to it that the strategies are implemented. The level of detail of the strategies shall depend upon the scale, complexity and riskiness of the planned business activities. The institution may, at its own discretion, integrate the risk strategy into the business strategy. 4 The management board shall set up a strategy process which includes, in particular, the steps for planning, implementing, assessing and adjusting the strategies. To facilitate assessment, the objectives defined in the strategies shall be formulated in a way that allows their achievement to be meaningfully reviewed. The causes of any deviations shall be analysed. 5 The strategies and, where applicable, adjustments to the strategies shall be brought to the attention of and discussed with the institution’s supervisory board. In the event of deviations from the objectives, this discussion shall also include an analysis of the causes pursuant to AT 4.2 number 4. Supervisory board committees Strategies should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the strategies may also be passed on to and discussed with a committee. The preconditions for

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 14 of 62 this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Moreover, every member of the supervisory board must retain the right to inspect the strategies that have been passed on to the committee. 6 The contents of and adjustments to the strategies shall be communicated within the institution in a suitable manner. AT 4.3 Internal control system 1 Depending on the nature, scale, complexity and riskiness of the business activities conducted, every institution shall (a) set up rules governing the organisational and operational structure, (b) establish risk management and risk control processes, and (c) implement a risk control function and a compliance function. AT 4.3.1 Organisational and operational structure 1 When designing the organisational and operational structure it shall be ensured that activities that are not compatible with each other are performed by different staff members and that conflicts of interest are avoided when staff members change posts. 2 Processes as well as the related tasks, competencies, responsibilities, controls and reporting channels shall be clearly defined and coordinated. This includes the regular and ad hoc reviews of IT access rights, authorities to sign and other competencies that have been assigned. The same shall apply to interfaces to material outsourced activities and processes. Reviewing rights and competencies At least in the case of IT access rights and authorities to sign in connection with payment accounts, no less than an annual review and, in the case of critical IT access rights, no less than a semi-annual review is expected. AT 4.3.2 Risk management and risk control processes

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 15 of 62 1 Each institution shall establish appropriate risk management and risk control processes in order to ensure that the material risks and associated risk concentrations are (a) identified, (b) assessed, (c) managed, (d) monitored and reported. These processes shall be integrated into an integrated performance and risk management (Gesamtbanksteuerung). Suitable measures shall be taken to ensure that the risks and associated risk concentrations are effectively limited and monitored, taking internal capital adequacy and risk tolerance levels into account. Limiting and monitoring of risks and associated risk concentrations Suitable measures to limit risks and associated risk concentrations can include quantitative instruments (eg limit systems, traffic-light systems) and qualitative instruments (eg regular risk analyses). Risks included in the internal capital adequacy approach are generally, where this is meaningful, limited and monitored on the basis of an effective limit system. Where risks cannot be meaningfully limited and monitored by a limit system, other, primarily qualitative instruments may be used. 2 The risk management and risk control processes shall ensure that the material risks – including risks resulting from outsourced activities and processes – can be identified early, fully captured and adequately presented. To this end the institution shall derive suitable indicators for the early identification both of risks and of potential consequences across different types of risk, which are based on quantitative and/or qualitative risk features depending on the nature of the risk type concerned. 3 Risk reports on the risk situation shall be submitted to the management board at appropriate intervals. The risk report shall be written in a comprehensible and meaningful manner. It shall cover both a description and an assessment of the risk situation. Where necessary, the risk report shall also include proposals for action, for example on mitigating risk. Details on risk reporting are set forth in BTR 1 to BTR 4. Guidance on risk reporting If the institution considers it meaningful, risk reports to the management board may be supplemented by concise presentations (eg a management summary). Where there are no relevant changes to information that was provided in previous reports, the current report may refer to such earlier information. As risk aspects cannot be discussed in isolation from cost and income aspects, the latter may also be included in the risk report. A discussion of the proposals for action with the responsible units is unproblematical as long as it is ensured that the information contained in the risk report or in the proposals for action is not improperly distorted. 4 In particular, the risk reports shall include the results of stress tests and their potential impact on the risk situation and the available financial resources (risk coverage potential). The key assumptions underlying the stress tests shall likewise be described. The risk reports shall, moreover, address risk concentrations and their potential impact separately.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 16 of 62 5 Material risk-related ad hoc information shall be promptly passed on to the management board, the responsible officers and, where applicable, to the internal audit function, so that suitable measures or audit activities can be initiated at an early stage. A suitable procedure shall be established for this purpose. Duty to inform the internal audit function The internal audit function shall be informed whenever, in the opinion of the organisational units concerned, relevant risk-related shortcomings are identified, major loss or damage has been incurred, or there is a concrete suspicion that irregularities have occurred. 6 The management board shall inform the supervisory board quarterly of the risk situation in an appropriate written form. The reports shall be written in a comprehensible and meaningful manner, and shall cover both a description and an assessment of the risk situation. The reports shall separately address particular risks to business development and the management board’s intended remedial measures. The management board shall promptly pass on material risk-related ad hoc information to the supervisory board. A suitable procedure for this shall be established by the management board in consultation with the supervisory board. Supervisory board committees Risk reports should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the information may also be passed on solely to a committee. The preconditions for this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Moreover, every member of the supervisory board must retain the right to inspect the reports that have been passed on to the committee. 7 The risk management and risk control processes shall be swiftly adjusted to changing conditions. AT 4.3.3 Stress tests 1 Appropriate regular and ad hoc stress tests shall be carried out in respect of the material risks, which shall reflect the nature, scale, complexity and riskiness of the business activities. To this end the material risk factors pertaining to the respective risks shall be identified. The stress tests shall additionally cover the assumed risk concentrations and diversification effects within and between risk types. The stress tests shall also take account of risks resulting from off-balance-sheet entities and securitisation transactions. The stress tests shall also be carried out at the firm-wide level of the institution. Stress tests In the following, the term “stress tests” is used as a generic term for the various methods via which institutions examine the individual potential risk they face with regard, inter alia, to exceptional but plausible events at each relevant level of the institution (eg at portfolio level, at the firm-wide level, at business unit level). This includes, for example, sensitivity analyses (in which generally only one risk factor is varied) or scenario analyses (in which several or all risk factors are changed simultaneously in order to simulate a predefined event). 2 The stress tests shall also reflect exceptional but plausible events. Appropriate historical and hypothetical scenarios shall be defined. Additionally, the stress tests shall be used to analyse the impact of a severe

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 17 of 62 economic downturn on the firm-wide level of the institution. The institution’s strategic orientation and its economic environment are likewise to be taken into consideration when defining the scenarios. 3 In addition, the institution shall carry out reverse stress tests. Their content and implementation shall depend on the nature, scale, complexity and riskiness of the business activities and may be of a qualitative or quantitative nature. Reverse stress tests Reverse stress tests are carried out to examine what events could jeopardise the institution’s viability. Its viability may be assumed to be jeopardised if the original business model proves to be no longer feasible or sustainable. Reverse stress tests serve to complement other stress tests. Given their approach, reverse stress tests focus on a critical evaluation of the results. The results generally do not need to be taken into account when assessing internal capital adequacy. 4 The appropriateness of the stress tests and their underlying assumptions shall be periodically reviewed, at least once a year. 5 The results of the stress tests shall be critically evaluated. Institutions shall determine whether and, if so, what action is required. The results of the stress tests shall also be duly taken into account when assessing internal capital adequacy. Particular attention shall be paid to the impact of a severe economic downturn. Need for action An identified need for action does not automatically necessitate backing the identified risks with available financial resources (risk coverage potential). Alternative measures may be suitable, such as intensifying risk monitoring, modifying the limits or adjusting the objectives of the business strategy orientation. The identified risks have to be covered by available financial resources (risk coverage potential) in cases where the stress tests are exclusively used to quantify internal capital requirements. AT 4.4 Special functions AT 4.4.1 Risk control function 1 Each institution shall have a risk control function in place which is responsible for independently monitoring and reporting risks. The risk control function shall be segregated organisationally, up to and including the management board level, from the organisational units that are responsible for initiating and/or concluding transactions. Segregation of duties (Funktionstrennung) This is without prejudice to the special requirements regarding the segregation of duties set forth in BTO. 2 In particular, the risk control function shall perform the following tasks:

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 18 of 62

support the management board in all risk policy issues, in deciding and implementing the risk strategy and evolving a risk limitation system;
carry out the risk inventory and draw up the overall risk profile;
support the management board in developing and improving the risk management and risk control processes;
develop and improve a system of risk ratios and a procedure for the early detection of risks;
monitor the institution’s risk situation and internal capital adequacy as well as compliance with the risk limits in place on an ongoing basis;
draw up the regular risk reports for the management board;
assume responsibility for the processes for passing on material riskrelated ad hoc information promptly to the management board, the responsible officers and, where applicable, the internal audit function. 3 Staff of the risk control function shall be granted all necessary powers and unrestricted access to all information needed to perform their tasks. 4 The head of the risk control function shall be involved in important risk policy decisions of the management board. This task shall be assigned to an individual on a sufficiently high management level. This individual shall generally perform his/her tasks exclusively, depending on the institution’s size as well as the nature, scale, complexity and riskiness of its business activities. Head of the risk control function In the case of large financial institutions which operate internationally and with complex business activities, the head of the risk control function should be a member of the management board. 5 The supervisory board shall be notified if the head of the risk control function is replaced. AT 4.4.2 Compliance function 1 Each institution shall have a compliance function in place in order to counteract the risks that may arise from non-compliance with legal rules and regulations. The compliance function shall ensure the implementation of effective procedures for complying with the legal rules and regulations that are material to the institution, and of corresponding controls. The compliance function shall additionally support and advise the management board with regard to complying with these legal rules and regulations. Responsibility of the management board members and the business units Notwithstanding the duties of the compliance function, the management board members and the business units remain fully responsible for complying with legal rules and regulations. Relevance of other supervisory requirements This is without prejudice to all other compliance function requirements arising from other prudential supervisory legislation (in particular, section 33 of the Securities Trading Act in conjunction with Circular 4/2010 (WA) - Minimum

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 19 of 62 Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency pursuant to Sections 31 et seq of the Securities Trading Act for Investment Services Enterprises; section 25c of the Banking Act in conjunction with corresponding administrative provisions). 2 The compliance function shall regularly identify the material legal rules and regulations, non-compliance with which might jeopardise the institution's assets, in the light of risk factors. 3 The compliance function shall be, in general, directly subordinate to and report to the management board. It may also be linked to other control units. It may also be assisted by other functions and units in the performance of its duties. Link to other control units Other control units may be, for example, the risk control function or the antimoney laundering officer, but not the internal audit function. Notwithstanding this, larger institutions should set up an independent organisational unit for the compliance function. 4 The institution shall appoint a compliance officer who is responsible for carrying out the compliance function tasks. Depending on the nature, scale, complexity and riskiness of the business activities as well as on the institution’s size, the compliance officer may in exceptional cases be a member of the management board. 5 Compliance function staff shall be granted sufficient powers and unrestricted access to all information needed to perform their tasks. They shall be notified of instructions and decisions of the management board that are material to the compliance function. The compliance function staff shall be notified in due time of material amendments of the rules that are intended to ensure compliance with the material legal rules and regulations. 6 The compliance function shall report to the management board on its activities at least once a year and on an ad hoc basis. Such reports shall address the appropriateness and effectiveness of the rules that are intended to ensure compliance with the material legal rules and regulations. The reports shall also cover information on potential deficits and on remedial measures. These reports shall be additionally passed on to the supervisory board and the internal audit function. 7 The supervisory board shall be notified if the compliance officer is replaced.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 20 of 62 AT 4.4.3 Internal audit function 1 Each institution shall have an effective internal audit function. At institutions at which establishing an audit unit would be incommensurate with the institution’s size, the tasks of the internal audit function may be performed by a member of the management board. 2 The internal audit function is an instrument of the management board, being directly subordinated and reporting to it. It may also be subordinated to a single member of the management board, preferably to the chair of the management board. Notwithstanding this, it shall be ensured that the chair of the supervisory board is able, with the involvement of the management board, to obtain information from the head of the internal audit function directly. Obtaining of information by the chair of the supervisory board If the institution has established an audit committee, it may alternatively be ensured that the chair of the audit committee obtains information from the head of the internal audit function. 3 The internal audit function shall examine and assess in a risk-oriented and process-independent manner the effectiveness and appropriateness of the risk management system in general and of the internal control system in particular as well as the appropriateness of all activities and processes in general, irrespective of whether or not they have been outsourced. This shall be without prejudice to BT 2.1 number 3. 4 The internal audit function shall be granted the complete and unrestricted right to obtain information to enable it to perform its tasks. This right shall be ensured at all times. To this end the internal audit function shall be promptly provided with the necessary information and access to the necessary documentation, and be given insight into the institution’s activities and processes as well as its IT systems. 5 The internal audit function shall be notified of instructions and decisions of the management board that may be of relevance to it. The internal audit function shall be notified in due time of any material amendments of the risk management system. 6 The supervisory board shall be notified if the head of the internal audit function is replaced.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 21 of 62 AT 4.5 Risk management at group level 1 Pursuant to section 25a (1a) of the Banking Act, the management board members of the superordinated enterprise of a group of institutions or a financing holding group as well as the management board members of the superordinated financial conglomerate enterprise of a financial conglomerate are responsible for establishing appropriate and effective risk management at group level. Risk management at group level includes all the group’s material risks, whether or not they are caused by enterprises subject to consolidation (eg risks arising from special-purpose vehicles not subject to consolidation). The methods and procedures applied (eg IT systems) shall not hamper the effectiveness of risk management at group level. Special criteria may apply to risk management at group level resulting from specific legal regulations, such as those applying to building and loan associations (Bausparkassen) regarding the treasury risk management of their collective savings and loans (Kollektivsteuerung) or to Pfandbrief banks. Structure of risk management at group level The specific structure of risk management at group level depends, in particular, on the nature, scale, complexity and riskiness of the group’s business activities as well as on the available options under company law. Focus on material risks Risk management at group level comprises all material risks. Thus, for example, subordinated enterprises whose risks are not considered material by the superordinated enterprise may be exempted from the risk management requirements at group level. This does not apply if the aggregated risks of those subordinated enterprises are considered material in an overall view. 2 The management board of the superordinated enterprise shall decide on a business strategy and a consistent risk strategy (“group-wide strategies”). The strategic orientation of the group enterprises shall be aligned with the group-wide strategies. The management board of the superordinated enterprise shall ensure that the group-wide strategies are implemented. 3 Based on the group’s overall risk profile, the superordinated enterprise shall establish an ICAAP at group level (AT 4.1 number 2). The group’s internal capital adequacy shall be maintained on an ongoing basis. 4 Appropriate workflow patterns shall be established at group level, ie processes, along with the related tasks, competencies, responsibilities, controls and reporting channels within the group, shall be clearly defined and coordinated. 5 The superordinated enterprise shall establish appropriate risk management and risk control processes integrating the group enterprises. Appropriate stress tests in respect of material risks at group level shall be carried out regularly. The superordinated enterprise shall obtain information about the risk situation of the group at appropriate intervals. 6 As part of risk management at group level, the group internal audit function shall operate complementarily to the internal audit functions of the group

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 22 of 62 enterprises. To this end the group internal audit function may also consider findings of the internal audit functions of the group enterprises. AT 5 Organisational guidelines 1 The institution shall ensure that business activities are conducted on the basis of organisational guidelines (eg manuals, work instructions or workflow descriptions). The level of detail of the organisational guidelines depends on the nature, scale, complexity and riskiness of the business activities. Presentational form of the organisational guidelines The organisational guidelines should be presented in a way that ensures, above all, that they are appropriate and comprehensible for the institution’s staff. Their precise form is at the institution’s own discretion. 2 The organisational guidelines shall be set down in writing and communicated to the staff members concerned in a suitable manner. It shall be ensured that the latest version of these guidelines is available to these staff members. The guidelines shall be swiftly amended in the event of changes to the activities and processes. 3 In particular, the organisational guidelines shall contain the following: (a) rules governing the organisational and operational structure as well as the allocation of tasks, the assignment of competencies, and responsibilities, (b) rules governing the organisation of the risk management and risk control processes, (c) rules governing the internal audit function, (d) rules which ensure observation of legal rules and regulations (eg data protection, compliance), (e) rules governing procedures for material outsourced activities and processes. 4 The organisational guidelines shall enable the internal audit function to conduct an audit review.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 23 of 62 AT 6 Documentation 1 Business, control and monitoring documentation shall be systematical and written in a manner that is readily comprehensible for expert third parties and, subject to legal provisions, shall generally be saved for two years. It shall be ensured that the documentation is up to date and complete. 2 The actions and provisions material to ensuring compliance with this Circular shall be comprehensibly documented. This shall include provisions governing the use of material opening clauses, which shall be substantiated where appropriate. AT 7 Resources AT 7.1 Staff 1 The quantity and quality of the institution’s staffing shall be commensurate, in particular, with its internal operational needs, business activities and risk situation. This shall also apply to the use of temporary staff. 2 Staff members and their deputies shall possess the expertise and experience needed for their tasks, competencies and responsibilities. Appropriate measures shall be taken to ensure that staff are suitably qualified. Qualification requirements for special functions Thehead of the risk control function and the head of the internal audit function as well as the compliance officer shall possess special professional and personal qualifications corresponding to their particular duties. 3 The absence, resignation or departure of staff should not lead to a persistent operational disruption. AT 7.2 Technical and organisational resources

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 24 of 62 1 The scope and quality of the technical and organisational resources shall be based, in particular, on the internal operating needs, business activities and risk situation. 2 The IT systems (hardware and software components) and the related IT processes shall ensure the integrity, availability, authenticity and confidentiality of the data. To this end, generally established standards shall apply to the arrangement of the IT systems and related IT processes; in particular, processes shall be established for appropriately allocating IT access rights to ensure that staff have only those rights that they need to perform their particular tasks; IT access rights may be collated in a role model. The suitability of the IT systems and related processes shall be regularly reviewed by the responsible business unit staff and IT staff. Standards for IT management arrangements These standards include, for example, the IT Baseline Protection manual (Grundschutz) issued by the Federal Office for Information Security (BSI) and the standard ISO/IEC 2700X of the International Organization for Standardization. The adherence to established standards does not mean that standard hardware or software must be used. In-house solutions are generally equally permissible. IT access rights The IT access rights allocated to staff should not conflict with their assignment to a particular organisational unit. It should be ensured that, especially when granting access rights in conjunction with role models, the segregation of duties is observed and conflicts of interest are avoided. 3 The IT systems shall be tested before their first use and after any material changes and approved by both the responsible business unit staff and IT staff. To this end a standard process of development, testing, approval and implementation in the production processes shall be established. The production and testing environments shall be segregated. Changes to IT systems The assessment of the materiality of changes shall be based not on the extent of changes but on the impact they may have on the functioning of the IT system concerned. Approval by IT staff and business unit staff The approval process carried out by the staff of the business unit and IT staff should focus on the suitability and appropriateness of the IT systems for the institution’s specific situation. Third-party certifications may be taken into account in the approval process but cannot substitute it entirely. 4 The responsible business unit and IT staff shall be involved in developing and modifying technical specifications (eg parameter adjustments). Generally the technical approval shall occur independently of the user. AT 7.3 Contingency plan

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 25 of 62 1 Plans shall be provided for contingencies affecting time-critical activities and processes (contingency plan). The measures detailed in the contingency plan shall be aimed at reducing the extent of any potential damage. Regular contingency tests shall be carried out in order to verify the effectiveness and suitability of the contingency plan. The results of the contingency tests shall be communicated to the respective responsible staff. In the case of outsourced time-critical activities and processes, the outsourcing institution and the service provider shall have mutually coordinated contingency plans. 2 The contingency plan shall include business continuity and recovery plans. The business continuity plans shall ensure that back-up solutions are swiftly available in the event of contingencies. The recovery plans shall ensure that normal operations can be resumed within an appropriate timeframe. The communication channels to be used in contingencies shall be defined. The contingency plan shall be made available to the staff involved. AT 8 Adjustment processes AT 8.1 New product process 1 Each institution shall have a sound understanding of the business activities it conducts. It shall decide on a strategic plan before commencing business activities involving new products or new markets (including new distribution channels). The strategic plan shall be based on the analysis of the riskiness of these new business activities and their impact on the overall risk profile. The strategic plan shall also outline the resulting material consequences for risk management. Contents of the strategic plan The consequences outlined in the strategic plan should include those relating to organisation, staffing, necessary modifications to the IT systems and the methods of assessing the associated risks as well as any legal implications (in accounting law, tax law etc) where they are of material importance. 2 An organisational unit that is segregated from the front office or trading shall be involved in deciding whether business activities involve new products or new markets. 3 In the case of trading, a test phase shall be required before regular trading in new products or on new markets may commence. During the test phase, trading shall be limited to a modest scale. The institution shall ensure that it does not commence regular trading until after the test phase has been successfully completed and suitable risk management and risk control Credit business and test phase A test phase may form the basis of the strategic plan in the case of credit business, too, depending on the complexity of the business. One-off transactions

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 26 of 62 processes are in place. A test phase may be waived in the case of non-recurrent transactions. 4 The organisational units that will subsequently be involved in the operational processes shall participate in both the drafting of the strategic plan and the test phase. The risk control function, the compliance function and the internal audit function shall also be involved within the scope of their duties. 5 The strategic plan and the commencement of regular business activities shall be approved by the responsible members of the management board in cooperation with the members of the management board responsible for monitoring the activities in question. The approval procedure may be delegated provided that clear guidelines have been laid down and that the management board is swiftly informed of the decisions. 6 AT 8 need not be applied if the organisational units involved in the operational processes consider that activities involving a new product or a new market can be properly managed. AT 8.2 Modifications of operational processes or structures 1 Before material modifications are made to the organisational and operational structure or the IT systems, the institution shall analyse the impact of the planned modifications on the control mechanisms and control intensity. The organisational units that will subsequently be involved in the operational processes shall be involved in these analyses. The risk control function, the compliance function and the internal audit function shall also be involved within the scope of their duties. AT 8.3 Mergers and acquisitions 1 Prior to an acquisition of or a merger with other enterprises, the institution shall draw up a strategic plan that sets out the material strategic objectives, the likely main implications for risk management and the material impact on the overall risk profile of the institution or group. This shall include the planned medium-term development of the financial position and financial performance (Vermögens-, Finanz- und Ertragslage), the likely level of the

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 27 of 62 risk positions, the necessary adjustments to the risk management and risk control processes and the IT systems, and an outline of any material legal implications (in accounting law, tax law etc). AT 9 Outsourcing 1 Outsourcing is the commissioning of another enterprise to provide activities and processes relating to the execution of banking business, financial services or any of an institution's other usual services that would otherwise be provided by the institution itself. Other external procurement of goods and services Other external procurement of goods and services is not to be classified as outsourcing within the meaning of this Circular. This includes the one-off or occasional purchase of goods and services. It also includes services that are usually provided by a supervised enterprise and which, owing to actual circumstances or legal provisions, the institution itself is normally unable to provide either at the time of external procurement or in the future (eg the use of central banking functions within a network of affiliated financial institutions, the use of clearing houses in the context of payment transactions and securities settlement, the involvement of correspondent banks or the safe custody of customers‘ assets in accordance with the Safe Custody Act (Depotgesetz). The relevant provisions of section 25a (2) of the Banking Act will normally not apply given the particular risks associated with such collaborations. Nonetheless, the institution must still comply with the general requirements relating to a proper business organisation pursuant to section 25a (1) of the Banking Act in the case of other external procurement of services. Other usual services The reference to other usual services takes into account article 13 (5) sentence 1 of the Markets in Financial Instruments Directive insofar as that article relates to the outsourcing of operational functions which are critical for the provision of continuous and satisfactory service to clients and the performance of investment activities. Other usual services of an institution can also include, for example, the ancillary services listed in Annex I Section B of the Markets in Financial Instruments Directive. 2 Based on a risk analysis, the institution shall determine independently which outsourced activities and processes it regards as material in terms of risk (material outsourced activities and processes). The relevant organisational units shall be involved in conducting the risk analysis. The internal audit function shall also be involved within the scope of its duties. The risk analysis shall be adjusted to any material changes in the risk situation. Risk analysis The risk analysis shall take into account all aspects of the outsourced activities and processes that are relevant to the institution (eg outsourcing risks, suitability of the service provider); the intensity of the analysis shall depend on the nature, scale, complexity and riskiness of the outsourced activities and processes. Hence in the case of a major outsourcing – such as the complete

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 28 of 62 outsourcing of the internal audit function by a large institution – the institution must intensively consider whether and how it can ensure that the outsourced activities and processes can be integrated into its risk management. Intra-group outsourcing In the case of intra-group outsourcing, effective safeguards, especially grouplevel risk management and powers to intervene, may be considered riskmitigating factors when compiling and adjusting the risk analysis. 3 Outsourced activities and processes that are not regarded as material in terms of risk shall be subject to the general requirements relating to a proper business organisation pursuant to section 25a (1) of the Banking Act. 4 In general, all activities and processes can be outsourced provided that the proper business organisation pursuant to section 25a (1) of the Banking Act is not impaired. Outsourcing shall not entail the delegation of the management board responsibility to the service provider. The management board tasks shall not be outsourced. Additional criteria for outsourcing arrangements may arise from specific legal regulations (eg regulations that apply to building and loan associations regarding the treasury risk management of their collective savings and loans or that apply to Pfandbrief banks regarding the management of the collateral register (Deckungsregisterführung) and the coverage calculation (Deckungsrechnung). Responsibilities of the management board Responsibilities of the management board that cannot be outsourced include corporate planning, coordination and control, as well as the filling of senior positions. They also comprise tasks which are explicitly assigned to the management board through legislation or other regulations (eg deciding on large exposures pursuant to sections 13 to 13b of the Banking Act or defining strategies). Management board responsibilities should be distinguished from functions or organisational units which the management board uses to perform its management tasks. These can be delegated either internally or externally through outsourcing. 5 In the case of material outsourced activities and processes, the institution, in the event of an intended or expected termination of the outsourcing arrangement, shall adopt safeguards to ensure the continuity and quality of the outsourced activities and processes also after the termination of outsourcing arrangement. In cases of unintended or unexpected termination of these outsourced activities and processes that might seriously impair business activity, the institution shall examine the feasibility of any courses of action. 6 In the case of material outsourced activities and processes, the outsourcing contract shall specifically (a) specify and, where applicable, delineate the services to be provided by the service provider, (b) set out internal and external auditors’ rights of information and review, The institution’s power to give instructions/internal audit inspections An explicit agreement granting the institution the power to give instructions can be waived if the service to be performed by the external service provider is specified clearly in the outsourcing contract. Furthermore, the outsourcing institution’s internal audit function may waive its own audit activities subject to the conditions set forth in BTR 2.1 number 3. These waivers may also be applied where activities and processes are outsourced to “multi-client service providers”.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 29 of 62 (c) ensure BaFin’s rights of information and review and ability to supervise, (d) include powers to give instructions, where necessary, (e) include rules ensuring compliance with data protection provisions, (f) specify termination rights and appropriate notice periods, (g) include rules covering the possibility and modalities of subcontracting which ensure that the institution continues to comply with the prudential supervisory requirements, (h) obligate the service provider to inform the institution of any developments that might impair the proper performance of the outsourced activities and processes. 7 The institution shall appropriately manage the risks associated with material outsourced activities and processes and shall properly monitor the provision of the outsourced activities and processes. This shall include regularly evaluating the service provider’s performance on the basis of defined criteria. The institution shall clearly specify the responsibilities for managing and monitoring. 8 Where the internal audit function is entirely outsourced, the management board shall appoint an audit officer to be responsible for ensuring that internal audit is effective. The requirements of AT 4.4 and BT 2 shall be complied with accordingly. The tasks of the audit officer The audit officer should draw up the inspection plan together with the commissioned third party. The audit officer should also, where appropriate together with the commissioned third party, draw up the overall report in accordance with BT 2.4 number 4 and review pursuant to BT 2.5 whether the identified findings have been remedied. Depending on the nature, scale, complexity and riskiness of the institution’s business activities, the audit officer’s tasks may be performed by an organisational unit, a staff member or a member of the management board. It shall be ensured that this person or entity has both sufficient knowledge and the necessary independence to perform these tasks. 9 The requirements governing the outsourcing of activities and processes shall be complied with also in the event that the outsourced activities and processes are subcontracted.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 30 of 62 BT 1 Special requirements relating to the internal control system 1 This module sets forth special requirements relating to the structure of the internal control system. The requirements relate primarily to the organisational and operational structure in credit business and trading (BTO). Additional requirements relate to the structure of the risk management and risk control processes for counterparty and credit risk, market risk, liquidity risk and operational risk, taking due account of risk concentrations (BTR). BTO Requirements relating to the organisational and operational structure 1 This module primarily sets out requirements relating to the organisational and operational structure in credit business and trading. Depending on the size of the institution, the business focus and the risk situation, the BTO requirements may be implemented in simplified form. 2 This Circular distinguishes between the following organisational units: (a) the unit which initiates credit transactions and has a vote in credit decisions (front office), (b) the unit which has an additional vote in credit decisions (back office), and (c) trading. It also distinguishes between the following functions: (d) the functions serving to monitor and report risk (risk control), and (e) the functions serving to settle and monitor trading. Note on the use of the word “unit” A “unit (Stelle) that is independent of the front office and trading” may be answerable to the same member of the management board who is responsible for trading or the front office. A “unit (Bereich) that is segregated from trading and the front office” is organisationally separated from trading and the front office right up to and including the management board level. 3 The organisational structure shall ensure that the front office and trading are segregated up to and including the management board level from the organisational units or functions listed in number 2 under (b), (d) and (e) Segregation of duties at legally dependent foreign branches Organisational segregation up to and including management board level means that both functional and disciplinary responsibility are separated.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 31 of 62 and in BTO 1.1 number 7, BTO 1.2 number 1, BTO 1.2.4 number 1, BTO 1.2.5 number 1 and BTO 1.4 number 2. However, functional responsibility and disciplinary responsibility may diverge at legally dependent foreign branches. The precondition for this is that at least functional responsibilities are separated in line with the aforementioned principle of the segregation of duties up to and including management board level. Note on clause 2 BTO 1.1 number 7: the review of certain collateral items to be determined in terms of risk and decisions regarding risk provisioning for significant exposures. BTO 1.2 number 1: responsibility for the development and quality of loan processing, credit processing control, intensified loan management, the processing of problem loans and risk provisioning. BTO 1.2.4 number 1: responsibility for the development, quality and regular review of the criteria governing when an exposure shall be subjected to intensified loan management. BTO 1.2.5 number 1: responsibility for the development, quality and regular review of the criteria governing when an exposure shall be transferred to recovery or liquidation as well as the main responsibility for the recovery or liquidation process or for monitoring these processes. BTO 1.4 number 2: responsibility for the development and quality of the risk classification procedures and for monitoring their application. 4 Market risk control functions shall be segregated up to and including the management board level from those units which bear responsibility for the respective positions. 5 The segregation of duties shall also be maintained at deputy level. A suitable member of staff from below management level may also act as deputy. 6 The member of the management board responsible for risk control functions may collaborate in a committee tasked by the management board with risk management without breaching the principle of the segregation of duties. 7 Accounting tasks, especially the setting of the accounting rules and the development of the accounting system, shall be assigned to a unit that is independent of the front office and trading. Segregation of duties at institutions with significant trading Given the extensive discretionary scope in valuing certain trades (eg structured products), institutions with significant trading should ensure that accounting is located in a unit that is segregated from trading. 8 Material legal risks shall be assessed by a unit that is independent of the front office and trading (eg the legal department).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 32 of 62 9 In the case of IT-based processing, the segregation of duties shall be ensured by appropriate procedures and safeguards. BTO 1 Credit business 1 This module sets out requirements relating to the organisational and operational structure, the procedures for the early detection of risks and the procedures for risk classification in credit business. Individual provisions in this module may be waived in the case of trading and equity investments if their implementation is not relevant in view of the specific features of these types of business (eg the requirements in BTO 1.2.2 number 1 to monitor the purpose of the loan). Corresponding implementation in the case of equity investments Corresponding implementation in the case of equity investments shall comprise an equity investment strategy and the establishment of an equity investment control function – regardless of whether the particular equity investment is a credit-equivalent/credit-substituting equity investment or a strategic equity holding. In the case of a credit-equivalent or creditsubstituting equity investment, the requirements regarding the organisational and operational structure shall generally be observed in addition. In the case of equity investments in a network of affiliated financial institutions or of mandatory equity investments (eg equity investments prescribed by legislation applying to the savings bank sector or by the articles of association, or equity investments in SWIFT), the establishment of a separate risk control function may be waived. In these cases, the necessary monitoring activity may also be achieved by other means (eg by examining annual financial statements or annual reports or by monitoring the equity investment accounts). BTO 1.1 Segregation of duties, and voting 1 The core principle for structuring credit business processes shall be the clear organisational segregation of the front office and back office up to and including management board level. Exceptions to the segregation of duties may be made under certain circumstances in the case of small institutions. Simplified implementation for small institutions Where complying with the required segregation of duties between the back office/other functions independent of the front office and the front office up to and including management board level would be disproportionate owing to the institution’s small size, the requirement to segregate duties may be waived if direct management board involvement in the granting of riskrelevant loans ensures that credit business continues to be handled in a manner that is proper and commensurate with the existing risks. In such cases, the management board shall itself process and approve risk-relevant loans. Absent management board members shall be subsequently informed of any decisions taken in risk-relevant business.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 33 of 62 This simplified implementation may be applied if, in toto, the following conditions are met:

the overall credit volume does not exceed €100 million,
there are only two management board members, and
the institution’s credit business is simply structured. Staff loans In the case of loans to staff and to management board members, the organisational requirements often cannot be implemented one-to-one, particularly because there is no front office involvement. A suitable unit not involved in loan processing, such as Human Resources, shall generally be involved in such credit decisions. Where appropriate, such loans may also be processed by the loan processing staff. 2 Depending on the nature, scale, complexity and riskiness of the exposure in question, a credit decision shall require two positive votes by the front office and back office. This shall be without prejudice to other provisions referring to the act of decision-making (eg the Banking Act, articles of association). Where these decisions are made by a committee, the voting structure within that committee shall be defined such that the back office cannot be outvoted. Documenting the votes, and substantive plausibility check The votes may be summarised in a single document. In this case, the (positive) vote by the back office should be documented by the responsible staff member’s signature. It must not be an uncritical, complimentary signature. Depending on how the credit processes are assigned between the front office and back office, the vote by the back office should at least be based on a substantive plausibility check. The substantive plausibility check need not repeat activities already carried out by the front office. It should focus instead on the comprehensibility and justifiability of the credit decision. This includes assessing the robustness of the front office vote and the extent to which the loan amount and type are justifiable. The intensity of the substantive plausibility check also depends on the complexity of the credit transactions in question. The staff member responsible for the vote by the back office must at least have access to all material credit documents. 3 Counterparty and issuer limits for trading shall be set by a back office vote. 4 For credit decisions that are considered immaterial in terms of risk, the institution may determine that only one vote is necessary (“non-riskrelevant credit transactions”). Simplified implementation is also possible in cases where credit transactions are initiated by third parties. The organisational segregation of the front office and back office is thus only relevant for credit transactions for which two votes are necessary. Where a second vote is unnecessary, it shall be ensured that the requirements set out in BTO 1.2 are implemented appropriately. Differentiation between risk-relevant and non-risk-relevant credit business Each institution is individually responsible for differentiating between riskrelevant and non-risk-relevant credit transactions in terms of risk. For instance, standardised retail business could normally count as non-riskrelevant credit business. Third-party initiation

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 34 of 62 Simplified implementation of the segregation of duties is also possible where credit transactions are initiated by third parties. In development lending business, for instance, it is normally unnecessary to obtain two internal votes within the institution because the credit transactions are often initiated by a principal bank of a borrower (Hausbank) or a holding company. Similar situations can occur, inter alia, in the case of credit transactions by institutions via dealer organisations, by building and loan associations via commercial agents, by guarantee banks via a principal bank or, in the case of syndicate members, by the lead manager in syndicated loans. In the case of risk-relevant credit decisions, the additional vote to be obtained within the institution should be generally submitted by a unit independent of the front office, ie the back office, where one exists. Third-party initiation/process standardisation via external rules The requirement to obtain an additional vote can also be waived if decisionmaking is so standardised by external rules (eg owing to statutory requirements such as in the German Housing Promotion Act (Wohnraumfördergesetz)) that the institution follows standard procedures and thus has little discretionary scope with regard to the granting of loans. De minimis limits De minimis limits may be used to a certain degree for defining risk-relevant business. Thus simplified implementation may be considered appropriate where an additional credit application is filed for a relatively small amount even though the customer’s total exposure is classified as being risk-relevant. 5 Each member of the management board may, within the scope of his/her individual credit approval authority, independently make credit decisions and also maintain customer contacts. This shall be without prejudice to the organisational segregation of the front office and back office. In addition, two votes shall be obtained where this is considered necessary in terms of risk. If the decisions made within the scope of a management board member’s individual credit approval authority differ from the votes or where they are made by the member of the management board responsible for the back office, they shall be highlighted in the risk report (BTR 1 number 7). Individual credit approval authority and management board members Individual credit approval authority can only be exercised by a management board member. A management board member’s right to autonomously make credit decisions within the scope of his/her individual credit approval authority is not automatically transferred to his/her deputy below management board level. Risk-relevant credit decisions made by the entire management board or made jointly by several management board members also generally necessitate appropriate processing as well as two votes from the front office and back office. 6 The institution shall establish a clear and consistent credit approval structure for decision-making in credit business. Decision-making rules shall be defined in the credit approval structure for divergent votes: in such cases the loan shall be rejected or escalated to a higher level of authority for a decision (escalation procedure).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 35 of 62 7 The review of certain collateral items, which shall be determined in terms of risk, shall be conducted outside the front office. This assignment of competence shall apply likewise to decisions regarding risk provisioning for significant exposures. The competence for all other processes and subprocesses mentioned in BTO 1.2 (such as loan processing or loan processing sub-processes) shall be assigned at the institutions’ discretion, unless this Circular stipulates otherwise. Valuation appraisals The making of valuation appraisals for certain collateral items may also be entrusted to suitably qualified staff members from the front office as long as it is assured that the valuations are subject to a substantive plausibility check by a unit segregated from the front office. Review of legal validity The legal validity of collateral may also be reviewed by a unit that is independent of the front office and trading (eg the legal department). BTO 1.2 Requirements relating to credit business processes 1 The institution shall set up processes for loan processing (the granting and further processing of loans), loan processing control, intensified loan management, the processing of problem loans, and risk provisioning. Responsibility for the development and quality of these processes shall lie outside the front office. Methodological responsibility Processes may also be developed in the front office provided it is ensured that a back office unit assures the quality of these processes on the basis of a substantive plausibility check. 2 The institution shall draw up processing principles for credit business processes which, where necessary, shall be suitably differentiated (eg by loan type). Furthermore, procedures shall be established for collateral review, management and realisation. Differentiated processing principles Differentiated processing principles should also be drawn up for transactions with hedge funds and private equity enterprises, eg with regard to procuring financial and other information, analysing the purpose and structure of the transaction that is to be financed, the nature of the collateral provided or analysing the counterparties’ capacity to repay. Differentiated processing principles should likewise be drawn up for foreign currency loans that take account of the particular risks involved in this loan type. 3 All aspects material to the counterparty and credit risk of the credit exposure shall be identified and assessed, with the intensity of these activities depending on the riskiness of the exposures. Due account shall be taken of sectoral risk and, where applicable, country risk. Critical aspects of an exposure shall be highlighted and, where applicable, considered under various scenarios. 4 The use of external credit assessments shall not relieve the institution of its obligation to form its own opinion on counterparty and credit risk and to

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 36 of 62 factor its own knowledge and information into the credit decision. 5 In the case of property/project financing, the institution shall ensure in the course of loan processing that not only the economic examination but also notably the technical feasibility and development as well as the legal risks associated with the property/project are included in the assessment. In this context, the institution may also draw on the expertise of an expert and competent organisational unit that is independent of the borrower. To the extent that external sources are used for these purposes, their qualification shall be reviewed beforehand. Economic examination and technical feasibility The economic examination may include aspects such as

project analysis,
funding structure/equity ratio,
collateral strategy, or
ex ante and ex post calculations. Technical feasibility and development can be taken into account by conducting inspections or monitoring building construction progress, for example. 6 Depending on the riskiness of the credit transactions, the risks associated with an exposure shall be evaluated using a risk classification procedure, both in the context of the credit decision and in regular or ad hoc assessments. The risk score shall be reviewed annually. Intensity of assessment Annual risk assessments are required, eg by the German Commercial Code (Handelsgesetzbuch), also for low-risk exposures that would otherwise not be subject to the risk classification procedure. However, the assessment may be less intense in such cases and, for example, may be limited to validating the proper repayment of the loan by the borrower. 7 There should be a verifiable link between the classification in the risk classification procedure and the terms and conditions of the loan. 8 The institution shall establish a procedure consistent with the credit approval structure that stipulates how breaches of limits shall be handled. To the extent acceptable in terms of risk, the requirements set forth in BTO 1.1 and BTO 1.2 may be implemented in a simplified manner on the basis of clear rules for breaches of limits as well as prolongations. 9 A procedure shall be put in place to monitor the timely submission of the requisite credit documentation and ensure its timely evaluation. A suitable reminder procedure shall be set up for outstanding documents. 10 The institution shall use standardised credit documents where this is possible and appropriate given the different types of transactions; the structure of the credit documents shall depend on the nature, scale, complexity and riskiness of the credit transactions. 11 Contractual agreements in credit business shall be concluded on the basis of legally validated documentation.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 37 of 62 12 Legally validated standard texts shall be used for the individual loan agreements and updated on an event-driven basis. Where it is planned to deviate from the standard texts for a given exposure (eg in the case of customised agreements), legal validation shall be carried out by an organisational unit that is independent of the front office prior to concluding the agreement, to the extent deemed necessary in terms of risk. Validation by a front office expert Where it is planned to deviate from legally validated standard texts, validation of non-risk-relevant credit transactions may also be carried out by an expert from the front office. BTO 1.2.1 Granting of loans 1 The process of granting loans encompasses the necessary operational steps up to the loan payout. All factors which are material for assessing the risk shall be analysed and assessed, taking particular account of the debtservicing capacity of the borrower or the property/project, with the intensity of the assessment depending on the riskiness of the exposures (eg creditworthiness assessment, risk score in the risk classification procedure or an assessment based on a simplified procedure). Foreign currency loans Foreign currency loans should only be granted to borrowers whose creditworthiness has been assessed with a view to whether they are likely to be able to repay the loan also in the event that exchange rates and the foreign currency interest rate level develop particularly unfavourably. Debt-servicing capacity Taking particular account of the debt-servicing capacity essentially necessitates considering the individual borrower’s financial circumstances, with the intensity of the assessment depending on the riskiness of the loan. Assessing debt-servicing capacity based on a simplified procedure does not, however, amount to a general waiver of such activities. 2 As a general rule, the value and legal validity of collateral shall be reviewed prior to granting the loan. When reviewing the value of collateral, available collateral values may be relied on if there are no indications of any change in value. 3 If the collateral value depends largely on the situation of a third party (eg a guarantee), the third party’s counterparty and credit risk shall be appropriately reviewed. 4 The institution shall define the eligible types of collateral and the procedures for determining the value of this collateral. BTO 1.2.2 Further processing of loans

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 38 of 62 1 The further processing of loans includes monitoring the borrower’s compliance with the contractual agreements. In the case of special-purpose loans, the institution shall verify whether the funds provided are being used for the agreed purpose (verification of earmarked use). 2 Counterparty and credit risk shall be assessed annually, with the intensity of the assessments depending on the riskiness of the exposures (eg creditworthiness assessment, risk score in the risk classification procedure or an assessment based on a simplified procedure). 3 The further processing of loans shall include reviewing the value and legal validity of collateral at appropriate intervals, depending on the type of collateral, above a certain threshold which the institution shall define in terms of risk. 4 Ad hoc reviews of exposures, including collateral, shall be promptly conducted at the very least whenever the institution obtains knowledge from external or internal sources that indicate a material negative change in the risk assessment of the exposures or the collateral. Such information shall be promptly passed on to all of the organisational units that are to be involved. BTO 1.2.3 Credit processing control 1 Process-related controls shall be put in place for loan processing in order to ensure compliance with the requirements of the organisational guidelines. The controls can also be carried out as part of the customary four-eyes principle. 2 Such controls shall particularly examine whether the credit decision was made in line with the established credit approval structure and whether the preconditions and/or requirements set out in the loan agreement were met before the loan was provided. BTO 1.2.4 Intensified loan management

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 39 of 62 1 The institution shall specify criteria governing when an exposure shall be subjected to heightened observation (intensified loan management). Responsibility for the development and quality of these criteria and their regular review shall lie outside the front office. Criteria for initiating intensified loan management The institution may freely decide whether the criteria constitute an automatic trigger, or whether they are indicators which serve as a basis for the review. The aim is to swiftly identify problem exposures so as to enable suitable measures to be initiated as quickly as possible. The same applies to the criteria for subjecting exposures to problem loan treatment (BTO 1.2.5 number 1). Exemptions from intensified loan management and problem loan treatment As in applying the procedure for the early detection of risks, the institution may exempt certain types of credit transactions, depending on the riskiness of these transactions, or credit transactions below certain thresholds from intensified loan management and problem loan treatment. Institutions may also waive intensified loan management or problem loan treatment if objective circumstances hinder access to the required data and the institution has consequently also opted not to set up a procedure for the early detection of risks (third-party-initiated business). The institution shall nonetheless ensure that it is notified of all material events concerning the borrower. 2 Exposures that are subject to intensified loan management shall be reviewed at predefined intervals to determine what further treatment they require (further intensified loan management, return to normal monitoring, transfer to liquidation or recovery). BTO 1.2.5 Treatment of problem loans 1 The institution shall define criteria governing the transfer of an exposure to, or the involvement of the staff or organisational units specialising in, recovery and/or liquidation. Responsibility for the development and quality of these criteria and their regular review shall lie outside the front office. The main responsibility for the recovery or liquidation process or for monitoring these processes shall lie outside the front office. Criteria for initiating problem loan treatment The above note on the criteria for initiating intensified loan management also applies to the criteria for initiating problem loan treatment (see BTO 1.2.4 number 1). Review of non-standardised agreements in recovery cases The requirement to have non-standardised agreements reviewed by a unit independent of the front office can be waived in recovery cases if the recovery is pursued by specialists whose expertise and experience enables them to draw up such contractual documents autonomously and without any

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 40 of 62 additional independent review. Votes on recovery loans and exposures in legacy portfolios One vote from the back office is sufficient for decisions on recovery loans. The same applies to exposures in legacy portfolios, whereby the portfolios and the institution’s intention in each case shall be comprehensibly documented (eg in a legacy portfolio strategy). 2 If an institution considers pursuing the recovery option, it shall require submission of a restructuring plan in order to assess the extent to which the borrower can be restructured and shall make its decision on this basis. 3 The institution shall monitor the implementation of the restructuring plan and the impact of the measures taken. 4 In the case of significant exposures, the responsible members of the management board shall be regularly notified of the state of the restructuring process. If necessary, the institution may enlist the help of external specialists with the requisite expertise during the restructuring process. 5 If an exposure is to be liquidated, a liquidation plan shall be drawn up. Staff or, where appropriate, external specialists with the relevant expertise shall be included in the collateral realisation process. BTO 1.2.6 Risk provisioning 1 The institution shall define criteria on the basis of which, taking due account of the accounting standards used, write-downs, impairments and provisions for credit business (including country risk provisions) shall be formed (eg an internal claim valuation procedure). 2 The necessary risk provisions shall be calculated and updated in a timely manner. Should substantial risk provisions be required, the management board shall be notified promptly.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 41 of 62 BTO 1.3 Procedure for the early detection of risks 1 The procedure for the early detection of risks serves, in particular, to identify in good time borrowers whose exposures are starting to show signs of heightened risk. The aim is to enable the institution to initiate countermeasures (eg intensified loan management of exposures) as early as possible. 2 To this end, the institution shall develop early risk identification indicators based on quantitative and qualitative risk features. 3 The institution may exempt certain types of credit business, to be defined in terms of risk, or credit transactions below certain thresholds from the procedure for the early detection of risks. The function of early detection of risks may also be performed by a risk classification procedure, provided that it allows risks to be detected at an early stage. Exemptions for loans via a principal bank The requirement to establish a procedure for the early detection of risks may be waived if objective circumstances hinder access to the requisite early risk detection data. This may be assumed where credit transactions are initiated via, and subsequently managed by, a third-party institution (eg principal bank (Hausbank) in credit business of development banks (Förderbanken) or also of banks mainly granting bank guarantees (Bürgschaftsbanken)). The institution providing the credit must nonetheless ensure that it is notified of any material events concerning the borrower. Risk classification procedure and early detection of risks A risk classification procedures shall notably contain the following components in due consideration of the operational needs if it is to simultaneously serve as a procedure for the early detection of risks.

The procedure’s underlying indicators (eg account turnover, cheque returns) should be able to detect impending risks early (“indicator-based component”),
the indicators should facilitate the ongoing detection of impending risks (“period-based component”), and
signals provided by the early risk detection procedure should also swiftly trigger suitable measures by the institution (eg intensified customer contact, acceptance of new collateral, suspension of repayments) to minimise the potential that risks may materialise as losses (“processbased component”).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 42 of 62 BTO 1.4 Risk classification procedures 1 Each institution shall set up informative risk classification procedures for the initial, regular or ad hoc assessment of counterparty and credit risk and, where applicable, property/project risk. Criteria shall be specified that ensure the logical and transparent assignment to a risk category as part of the risk assessment procedure. 2 Responsibility for the development and quality of the risk classification procedures, and for monitoring their application, shall lie outside the front office. 3 Core indicators for determining counterparty and credit risk in the risk classification procedure shall include not only quantitative criteria but also, where possible, qualitative criteria. Special consideration shall be given to the borrower’s ability to generate future income streams with which to repay the loan. 4 The classification procedures shall be appropriately incorporated into the credit business processes and, where applicable, into the credit approval structure. BTO 2 Trading 1 This module sets out requirements regarding the organisational and operational structure in trading. BTO 2.1 Segregation of duties 1 The core principle applying to the structuring of trading processes is to ensure the clear organisational segregation of trading from the risk control function and settlement and control functions up to and including the management board level. Customer advisors It is compatible with this Circular for customer advisors to forward customer orders to trading within a given limit for pricing purposes. They should not fix prices and rates independently or build up their own positions.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 43 of 62 2 An institution may simplify the principle of segregation up to and including the management board level if the whole of its trading are focused on trades which may be considered immaterial in terms of risk (“non-risk-relevant trading”). Non-risk-relevant trading This simplified implementation may be applied if the following conditions have been met in toto:

the institution is a non-trading book institution,
trading is focused on long-term assets or the liquidity reserve,
the volume of trading is small relative to the total business volume,
trading has a simple structure, and the positions have a low level of complexity, volatility and riskiness. The above conditions do not have to be met cumulatively. The determining factor is the overall view, ie taking account of the above factors and their respective weight in each case. Where an institution applies this simplified implementation, organisational segregation may likewise be waived with respect to duties independent of trading, eg their assignment to different units. However, activities that are not compatible with each other must be performed by different staff members (AT 4.3.1 number 1). Hence staff members tasked with trading must generally not be given responsibility for duties independent of trading. Simplified implementation for small institutions and very limited trading If it is not possible to segregate duties in trading owing to the institution’s small size, the proper conduct of trading must be ensured through direct involvement of the management board. If an institution engages in trading only on a very limited scale, such that there would be insufficient work for one staff member, the requirement to segregate duties may be met through temporary assignment to other staff members who are otherwise not tasked with trading. BTO 2.2 Requirements relating to trading processes BTO 2.2.1 Trading 1 When trades are concluded, the terms and conditions, including any Internal trades

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 44 of 62 covenants, must be agreed in full. The institution shall use standardised contract texts insofar as this is possible and appropriate with respect to the types of transaction in question. Internal trades shall be concluded only on the basis of clear regulations. Internal trades within the meaning of this Circular are trades within a legal entity which serves to transfer risk between individual organisational units or sub-portfolios (eg trades between an institution’s own branches, organisational units or portfolios etc.). It shall be ensured that the requirements applying to external trades are adhered to in internal trades analogously. 2 As a general rule, trades that do not conform to usual market conditions shall not be permitted. Exceptions to this may be made in individual cases if (a) they are made at the customer’s request, they are objectively justified, and the deviations from usual market conditions are clearly shown in the transaction documentation, (b) they are made on the basis of internal rules detailing the types of transaction, the range of customers, the scope and the structure of these trades, (c) the deviation from usual market conditions is disclosed to the customer in the trade confirmation, and (d) significant exceptions are reported to the management board. 3 The conclusion of transactions outside the business premises shall be permissible only insofar as this is allowed by internal rules. In particular, these rules shall specify the authorised individuals, as well as the purpose, scope and recording of such transactions. Prompt written confirmation shall be requested from the counterparty for such trades. Such trades shall be promptly reported by the trader in a suitable form to his/her own institution, flagged, and brought to the notice of the responsible member of the management board or to an organisational unit authorised by the latter. 4 An audio recording shall be made of traders’ transaction conversations and kept for at least three months. 5 Trades shall be promptly recorded after conclusion of the trade together with all the relevant transaction data, included in the calculation of the relevant position (updating of positions) and passed on to the settlement office together with all the documentation. Transaction data may also be passed on automatically via a settlement system. Transaction data Relevant transaction data include the transaction type, volume, terms and conditions, maturity, counterparty, date, time, trader, consecutive transaction number and covenants.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 45 of 62 6 Where transactions are recorded directly in the IT systems, it shall be ensured that a trader can enter trades only under his/her own trader ID. It shall be ensured that the date and time of recording as well as consecutive transaction numbers are generated automatically and cannot be altered by the trader. 7 Trades concluded after the cut-off time for settlement (late trades) shall be flagged as such and shall be included in the calculation of that day’s positions (including subsequent settlement) if they lead to material changes. Transaction data and documentation relating to late trades shall be promptly passed on to an organisational unit outside trading. Duty to flag late trades Late trades do not have to be flagged separately if a fixed timeframe is defined for the settlement’s cut-off time and a late trade is thus readily identifiable from the time or, where appropriate, time zone in which it is concluded. 8 Prior to the conclusion of trading contracts, in particular in the case of master agreements, netting agreements and collateral agreements, an organisational unit that is independent of trading shall determine whether, and to what extent, the agreements are legally enforceable. 9 Staff who are organisationally assigned to trading shall be authorised signatories for transaction accounts only jointly with staff from an organisational unit that is independent of trading. 10 The institution shall ensure by means of suitable measures that traders’ responsibility for specific positions is annually transferred to another employee for an uninterrupted period of at least ten trading days. During this period, the institution shall ensure that an absent trader does not access the positions for which he/she is responsible. BTO 2.2.2 Settlement and control 1 Based on the transaction data received from trading, the settlement office shall issue the trade confirmations or contract notes and carry out subsequent settlement tasks. Settlement systems Depending on its nature, scale, complexity and riskiness, trades shall generally be settled electronically; existing settlement systems shall be used as far as possible. 2 As a general rule, trades shall be promptly confirmed in written or in equivalent form. The confirmation shall include the required transaction data. If the trade is transacted via a broker, the broker shall be named. The prompt receipt of the reconfirmations shall be monitored, whereby it must Reconfirmations for foreign trades If reconfirmations cannot be obtained, the institution must verify the existence and details of the transaction in another suitable manner.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 46 of 62 be ensured that the incoming reconfirmations are sent first and directly to the settlement office and are not addressed to trading. Missing or incomplete reconfirmations shall be promptly claimed, unless all parts of the trading in question have been duly executed. Confirmation procedure for complex products If the master agreements for complex products stipulate that only one of the two parties draws up the contract, ad hoc (short-form) confirmation from both parties and preparation of the (long-form) contract by the relevant party once all the details have been clarified are sufficient. Ad hoc confirmation should include the material information on the agreed trade. Cancellations and amendments Particular attention should be paid in the cancellation and amendment procedures to an accumulation of cancellations or amendments by individual staff members or in certain trades. 3 The confirmation process may be waived where trading is settled through a settlement system which ensures automatic matching of the relevant transaction data and executes trades only if the data match (“matching”). Where there is no automatic matching of the relevant transaction data, the confirmation process may be waived if the settlement system allows both counterparties to access the transaction data at any time and if these data are verified. 4 Trades shall be subject to ongoing control. In particular, it shall be controlled whether (a) the transaction documentation is complete and is quickly available, (b) the information supplied by traders is correct and complete and matches the details on broker confirmations, printouts from trading systems or the like, where these are available, (c) the transactions are within the defined limits with respect to their type and scope, (d) usual market conditions have been agreed, and (e) any deviations from prescribed standards (eg master data, delivery channels, payment methods) are agreed. Amendments to and cancellations of transaction data or bookings shall be controlled outside trading. Automatic forwarding to the settlement office Controls of (a) and (b) may be waived if the transaction data entered by the traders are forwarded to the settlement office automatically and without the possibility of further intervention by the traders. 5 Suitable procedures shall be established for verifying the market conformity of transactions, where applicable differentiated according to transaction type. The member of the management board responsible for verifying market conformity shall be notified promptly if, in deviation from BTO Note on verifying market conformity For liquid spot, future and forward instruments, verification may take the form of sample checks, provided such checks are acceptable in terms of risk.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 47 of 62 2.2.1 number 2, trading is concluded which do not conform to usual market conditions. Verification of market conformity may be waived in the case of trades executed, directly or through third parties (eg through a correspondent bank),

on a German exchange, or
on another regulated market irrespective of the country in which it is located. The following lists may be used to identify the markets which may be regarded as regulated markets within the meaning of this requirement.
“Annotated presentation of regulated markets and national provisions implementing relevant requirements of ISD” published by the European Commission on 22 February 2007 (2007/C 38/07) for regulated markets in EU member states and in the other signatories to the Agreement on the European Economic Area.
“List of exchanges with an official market and of other organised markets” pursuant to section 47 (1) numbers 2 and 4 of the German Investment Act (Investmentgesetz) for regulated markets in countries outside the EU member states and outside the other signatories to the Agreement on the European Economic Area. In the case of first-time purchases of newly issued securities, market conformity may be verified more simply, depending on the nature and structure of the business. For instance, where a security is issued via public auction/bid, market conformity may be verified simply by ensuring that the issue price has been settled correctly. The task of verifying market conformity shall also cover internal trades. Exceptions to this are possible, subject to the conditions set out in BTO 2.2.1 number 2. 6 Any discrepancies and incongruities identified during settlement and control shall be clarified promptly under the main responsibility of an organisational unit which is independent of trading. The institution shall establish suitable escalation procedures for any discrepancies and incongruities that cannot be plausibly clarified. 7 The positions calculated in trading shall be regularly matched with the positions in the downstream processes and functions (eg settlement office, accounting unit). The matching operations shall also cover dormant portfolios and dummy counterparties. Particular attention shall be paid to Audit trail To ensure appropriate matching processes, the institution may have to establish processes and procedures which enable the full history of positions and cash flows to be verified at any time (audit trail).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 48 of 62 the matching of intermediate and suspense accounts. Any incongruities concerning these accounts shall be clarified promptly.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 49 of 62 BTO 2.2.3 Capturing in risk control 1 Trades, including covenants that generate positions, shall be promptly captured in risk control. Capturing in risk control This is without prejudice to the ability to access data from the accounting unit for risk control purposes. BTR Requirements relating to risk management and risk control processes 1 This module sets out specific requirements for risk management and risk control processes (AT 4.3.2), taking account of risk concentrations, in respect of (a) counterparty and credit risk (BTR 1), (b) market risk (BTR 2), (c) liquidity risk (BTR 3), and (d) operational risk (BTR 4). 2 The suitability of the methods and procedures used to measure risk, as well as the plausibility of the quantified risk amounts, shall be subject to regular review. BTR 1 Counterparty and credit risk 1 The institution shall take suitable steps to ensure that counterparty and credit risk and associated risk concentrations can be limited in relation to its internal capital adequacy. Counterparty and credit risk concentrations These comprise counterparty and sectoral concentrations, regional concentrations and other concentrations in credit business which, in relation to the available financial resources (risk coverage potential), could lead to considerable losses (eg concentrations with regard to borrowers, products or underlyings of structured products, to sectors, distributions of exposures

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 50 of 62 across size and risk classes, collateral, countries and other highly correlated risks). 2 No credit transaction may be concluded without a borrower-related limit (single borrower limit, connected-clients borrower limit), ie without a credit decision. 3 As a general rule, trading may be concluded only with contracting parties for whom counterparty limits have been agreed. All trading with a given counterparty shall be counted towards the specific limit applying to that counterparty. Replacement risk and settlement risk shall be included in calculating the level of utilisation of counterparty limits. The individuals responsible for the positions shall be promptly informed of the limits that apply to them and their current utilisation level. Counterparty limits Exempted from this are exchange-traded transactions and spot transactions in which the countervalue has been delivered or has to be delivered on a delivery-versus-payment basis or for which corresponding cover has been provided. 4 In addition, issuer limits shall generally be set for trading. Where trading does not yet have issuer limits, they may be agreed at short notice for trading purposes on the basis of clear rules, without first having to perform the respective full processing procedure defined according to risk aspects. The respective processing procedure shall be performed within three months at the latest. The applicable rules shall take due account of risk aspects. They shall be consistent with the objectives set out in the institution’s strategies. Recognition of the specific position risk of trading positions Setting a separate limit for the issuer’s counterparty and credit risk may be waived if the specific position risk of the trading positions has been duly taken into account in setting the market risk limit using appropriate procedures. Due account must be taken of risk concentrations. Liquid credit products (eg loan trading) Counterparty or issuer limits must be set in accordance with this Circular prior to commencing trading in liquid credit products which are traded on the secondary markets like securities. The simplified implementation set forth in number 4 may be applied when setting issuer limits. 5 Transactions shall be promptly counted towards the borrower-related limits. Compliance with the limits shall be monitored. Any breaches of the limits and the measures taken in response shall be documented. Breaches of counterparty and issuer limits above a level defined according to risk aspects shall be reported daily to the responsible members of the management board. 6 Risk concentrations shall be identified. Due account shall be taken of any interdependencies. The assessment of risk concentrations shall be based on qualitative and, where possible, quantitative procedures. Risk concentrations shall be managed and monitored using suitable procedures (eg limits, traffic light systems or other precautionary measures). Interdependencies Interdependencies may occur, inter alia, as economic or legal dependencies between enterprises.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 51 of 62 7 A risk report containing the main structural features of credit business shall be drawn up and made available to the management board periodically, at least once a quarter. The risk report shall contain the following information: (a) the performance of the credit portfolio, broken down, for example, by sector, country, risk class and size or collateral category, taking particular account of risk concentrations, (b) the scope of the agreed limits and external lines; in addition, large exposures and other noteworthy exposures (eg problem loans of material importance) shall also be listed and, where applicable, commented on, (c) a separate analysis of country risk, where applicable, (d) significant limit breaches (including reasons), (e) the scope and development of new business, (f) the development of the institution’s risk provisioning, (g) credit decisions of material importance which deviate from the strategies, and (h) credit decisions in risk-relevant credit business taken by members of the management board acting within the scope of their individual credit approval authority, either where these decisions diverge from the votes or where they are taken by a member of the management board responsible for the back office. Individual credit approval by the member of the management board responsible for the back office in the case of recovery loans Since noteworthy exposures (eg problem loans of material importance) must be reported pursuant to number 7 (b), there is no need for an additional reporting requirement applying to decisions on recovery loans taken by a member of the management board responsible for the back office within the scope of his/her individual credit approval authority. BTR 2 Market risk BTR 2.1 General requirements 1 A limit system shall be established, based on the institution’s internal capital adequacy, in order to limit market risk, taking due account of risk Structure of BTR 2 In BTR 2.1 the Circular sets out general requirements that apply to all types

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 52 of 62 concentrations. of market risk (including interest rate risk in the banking book). BTR 2.2 complements BTR 2.1, adding rules which apply to market risk in the trading book. BTR 2.3 sets out simplified implementation for market risk in the banking book. Market risk Market risk includes the following:

price/rate risk,
interest rate risk,
foreign exchange risk, and
market risk arising from commodities business (including electricity derivatives and CO2 emission certificates). However, market risk arising from traditional commodities business conducted by mixed-activity credit cooperatives should be disregarded. Market-related risk which results from a change in a counterparty's creditworthiness (eg specific position risk or potential changes in credit spreads) or which is attributable to market liquidity must be adequately covered by the risk management and risk control processes. 2 No transaction subject to market risk shall be concluded without a market risk limit. 3 The procedures for assessing market risk shall be reviewed regularly. Such reviews shall examine whether the procedures produce robust results also in the event of severe market disruptions. Alternative valuation methods shall be defined for material positions in the event that market prices are unavailable, out of date or distorted for a prolonged period. 4 Regular plausibility checks shall be conducted on the outcomes calculated by the accounting and risk control units. 5 A risk report on the market risk incurred by the institution shall be drawn up and made available to the members of the management board periodically, at least quarterly. The report, which shall also cover internal trades, shall contain the following information: (a) an overview of the risk and return development of the positions subject Profit and loss development For the purposes of the risk report, reference may be made either to the change in profit and loss as recorded in the financial statements (including gains and losses in the course of settlement) or to the change in the operating result.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 53 of 62 to market risk, (b) significant breaches of the limits, (c) changes in the major assumptions or parameters on which the procedures for assessing market risk are based, (d) incongruities that came to light during the matching of trading positions (eg with regard to trading volumes, impact on the profit and loss statement, cancellation rates). BTR 2.2 Market risk in the trading book 1 Measures shall be taken to ensure that trading book transactions subject to market risk are promptly counted towards the relevant limits and that the person responsible for the position is kept up to date concerning the limits relevant for him/her and their current level of utilisation. Suitable measures shall be taken in the event that limits are exceeded. An escalation procedure shall be initiated, where applicable. 2 Trading book positions subject to market risk shall be valued daily. 3 A trading book result shall be calculated daily. The current risk positions shall be aggregated into overall risk positions at least once a day at the close of business. The overall risk positions, results and limit utilisation levels shall be reported to the member of the management board responsible for risk control early on the next trading day. This report shall be agreed with trading. Daily reporting In the case of non-trading book institutions with limited trading book positions in terms of risk, daily reporting may be waived in favour of a less frequent reporting frequency. 4 The results of the quantified risk amounts derived from models shall be compared with the actual outcomes on an ongoing basis. BTR 2.3 Market risk in the banking book (including interest rate risk) 1 Banking book positions subject to market risk shall be valued at least once a quarter. 2 A banking book result is likewise to be calculated at least once a quarter.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 54 of 62 3 Suitable measures shall be taken to avoid limit breaches due to interim changes in risk positions. 4 Depending on the nature, scale, complexity and riskiness of the banking book positions, daily, weekly or monthly valuation, result calculation and risk reporting may also be necessary. 5 The procedures for assessing interest rate risk in the banking book shall capture the material features of interest rate risk. Treatment of interest rate risk in the banking book The institution is basically free to decide in what way it will manage interest rate risk in the banking book. Interest rate risk may be treated either separately in the trading book and in the banking book or in an integrated manner at the level of the institution as a whole (taking due account of the daily valuation of risk positions and daily profit/loss calculation that is mandatory for the trading book). Positions to be included The on-balance-sheet and off-balance-sheet positions in the banking book which are subject to interest rate risk shall be included in the assessment. 6 The calculation of interest rate risk may be based either on the impact of interest rate changes on the institution’s profit and loss as recorded in the financial statements or on the market or present values of the relevant positions. Where the calculation of interest rate risk is based on the impact on profit and loss as recorded in the financial statements, developments after the balance sheet date shall be duly taken into account. Monitoring profit and loss as recorded in the financial statements The institution should monitor the change in the profit and loss as recorded in the financial statements also when applying an economic -value method. Monitoring developments after the balance sheet date when applying an earnings-related approach Monitoring developments after the balance sheet date takes account of the fact that there is generally a time lag before interest rate risk has an impact on the profit and loss as recorded in the financial accounts. The length of the monitoring period should be chosen with due regard to the individual portfolio structure. The appropriate monitoring period could be gauged, for example, by the average interest rate maturity for on-balance-sheet and off-balancesheet positions included in the calculation. 7 Appropriate assumptions shall be specified regarding the inclusion of positions with an indeterminate capital or interest rate lock-in period (nonmaturity positions). Non-maturity positions (positions with an indeterminate capital or interest rate lock-in period) Non-maturity positions may comprise, for example,

positions where the behavioural interest rate maturity differs from the contractual interest rate maturity (mainly sight deposits and savings deposits), or
optional components (eg deposits with notice terms, loan prepayment

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 55 of 62 features, repayment options). Equity components that are available to the institution for an indefinite period must not be included in the economic-value calculation of interest rate risk. 8 Institutions that incur material interest rate risk in different currencies shall calculate the interest rate risk in each of these currencies. BTR 3 Liquidity risk BTR 3.1 General requirements 1 The institution shall ensure that it can meet its payment obligations at all times. It shall ensure sufficient diversification, particularly regarding its asset and capital structure. The institution shall also safeguard intraday liquidity if necessary. Institutional network solutions (Verbundlösungen) The requirement in sentence 2 may also be fulfilled via existing institutional network or group structures. 2 The institution shall ensure that any imminent liquidity shortfall is identified early. It shall implement appropriate procedures and regularly review their suitability. The impact of other risks (eg reputational risk) on the institution’s liquidity shall be taken into account. 3 The institution shall draw up an informative liquidity overview for an appropriate period listing the anticipated inflows and outflows of funds. It shall take due account of the usual volatility in payment flows that also occur in normal market phases. It shall specify the assumptions on which inflows and outflows of funds are based. The breakdown into time buckets shall ensure that the development of the short-term liquidity position is likewise captured. Assumptions about inflows and outflows of funds The assumptions should also take account of any drawdowns on liquidity and credit lines which the institution has made available to third parties. 4 The institution shall continuously review its ability to cover any liquidity requirement that may arise, including in a tense market environment. The review shall focus among other aspects particularly on asset liquidity. The institution shall regularly verify that it has permanent access to the funding sources that are relevant to it. The institution shall maintain sufficient sustainable liquidity reserves (eg highly liquid, unencumbered assets) to cover any deteriorations in the liquidity position that may occur in the short

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 56 of 62 term. 5 The institution shall set up a suitable internal allocation system for liquidity costs, benefits and risks. The design of this allocation system shall depend on the nature, scale, complexity and riskiness of the institution’s business activities as well as its funding structure. The allocation system for liquidity costs, benefits and risks shall be approved by the management board. Simplified implementation for granular customer business Institutions with predominantly granular customer business on both the asset and the liability side and stable funding may also comply with the requirements by means of a simple cost allocation system. 6 Large institutions with complex business activities shall establish a liquidity transfer pricing system in order to allocate internally and in line with the point of origination the respective liquidity costs, benefits and risks. The determined transfer prices shall be factored into the integrated performance and risk management via allocation at transaction level wherever possible. This shall apply both to on-balance-sheet and off-balance-sheet business activities. The institution shall take account of the assets’ holding period and market liquidity when determining the relevant transfer prices. It shall make appropriate assumptions in the case of uncertain cash flows. The costs of maintaining the requisite liquidity reserves shall also be factored into the liquidity transfer pricing system. Liquidity transfer pricing system A liquidity transfer pricing system within the meaning of this requirement is a specific type of the allocation system described in number 5; it is typically characterised by internal allocation of costs, benefit and risks by means of centralised transfer pricing. Allocation in line with the point of origination In a liquidity transfer pricing system, costs, benefits and risks shall be allocated at transaction level wherever possible; products and transactions with similar liquidity features may be aggregated. 7 Responsibility for the development and quality as well the regular review of the liquidity transfer pricing system shall be assigned to an organisational unit that is independent of the front office and trading. The current liquidity transfer prices shall be made transparent to the staff concerned. The consistency of the liquidity transfer pricing systems used within the group shall be ensured. 8 Appropriate liquidity risk stress tests shall be conducted regularly. Both institution-specific (idiosyncratic) and market-wide causes of liquidity risk shall be incorporated into the analysis. The institution shall define the stress tests individually. The stress tests shall be based on time horizons of differing lengths. Instititution-specific (idiosyncratic) and market-wide causes Institution-specific (idiosyncratic) causes may result in, for example, withdrawal of customer deposits at a given institution. Market-wide causes may lead, for example, to a deterioration in the funding conditions of some or all institutions. 9 The institution shall specify the measures to be taken in the event of a liquidity shortfall (liquidity shortfall contingency plan). This shall include a description of the liquidity sources available in such cases, taking due account of possibly reduced proceeds. The communication channels to be used in the event of a liquidity shortfall shall be defined. The operational feasibility of the planned measures shall be reviewed regularly and the measures modified if necessary. The stress test results shall be taken into account in this process.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 57 of 62 10 The extent to which the intra-group transfer of liquid funds and unencumbered assets may be incompatible with company law provisions and with regulatory and operational constraints shall be reviewed. 11 The liquidity position, stress test results and material modifications of the liquidity shortfall contingency plan shall be reported regularly to the management board. Particular liquidity risk arising from off-balance-sheet entities shall be addressed separately. 12 An institution that incurs material liquidity risk in foreign currencies shall implement appropriate procedures for managing foreign exchange liquidity in the major currencies in order to safeguard its payment obligations. For the currencies concerned, this shall include at least one separate liquidity overview, separate foreign currency stress tests and explicit inclusion in the liquidity shortfall contingency plan. Material liquidity risk arising from different foreign currencies Material liquidity risk arising from different foreign currencies exists, in particular, if a significant part of the assets or liabilities is denominated in a foreign currency and, at the same time, there are significant currency mismatches or maturity mismatches between the respective foreign currency assets and liabilities. BTR 3.2 Additional requirements relating to capital market-oriented institutions 1 The institution shall be able to bridge its funding requirement arising from the institution-specific stress scenarios over the time horizon of at least one month using the liquidity reserves required pursuant to BTR 3.1 number 4, as further specified in BTR 3.2 number 2. Capital market-oriented institutions Section 264d of the German Commercial Code applies mutatis mutandis to the criterion of capital market orientation. 2 In order to bridge its short-term funding requirement of at least one week, the institution shall maintain, besides cash, highly liquid assets which can be liquidated at any time in private markets without significant losses of value and which are eligible as central bank collateral. For the ongoing funding requirement up to the end of the time horizon of at least one month, other assets may be used as additional components of the liquidity reserves if these can be liquidated without significant losses of value within the given time horizon. Private markets The term “private markets” is used to differentiate such transactions from those with central banks (eg open market operations or marginal lending facilities). Liquidation Liquidiation may also be effected by repurchase agreements (repos) provided that no significant haircuts apply. 3 The institution shall consider stress scenarios under which the liquidity reserves pursuant to number 1 shall also be measured. The stress tests shall, first, encompass stress scenarios based on institution-specific causes. They shall, second, separately encompass stress scenarios due to marketwide causes. And they shall, third, encompass both aspects in combination. A scenario based on institution-specific causes shall also model a significant Institutional investors Institutional investors are professional market players such as large banks and insurers, hedge funds, pension funds or other sizeable enterprises. General deterioration in funding conditions A general deterioration in funding conditions may be reflected, for example, in the non-rollover also of secured institutional funding, the shortening of

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 58 of 62 rating downgrade, incorporating at least the following assumptions:

no rollover of unsecured funding by institutional investors at least during the first week of the stress scenario;
withdrawal of part of the retail deposits. In addition, the following assumptions shall be incorporated into a scenario based on market-wide causes:
general decline in the prices of marketable assets, particularly securities;
general deterioration in funding conditions. funding maturities or a general widening of funding spreads. 4 The institution shall ensure that the deployment of the liquidity reserves is not incompatible with any legal, regulatory or operational constraints. The liquidity reserves’ diversification and their dispersion across different jurisdictions shall accord with the structure and business activities of the institution and the group. BTR 4 Operational risk 1 The institution shall adopt appropriate measures to take account of operational risk. 2 It shall be ensured that any material operational risk is identified and assessed at least once a year. 3 The causes of material damage events shall be analysed promptly. 4 The management board shall be informed at least once a year of material damage events and material operational risk. The report shall cover the nature of the damage or risk, the causes, the scale of the damage or risk and the countermeasures already taken, where applicable. 5 The report shall serve as a basis for deciding whether and, if so, what measures are to be taken to eliminate the causes or what risk management measures are to be taken (eg insurance, backup procedures, reorientation

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 59 of 62 of business activities, catastrophe protection measures). Implementation of the measures to be taken shall be monitored. BT 2 Special requirements relating to the internal audit function BT 2.1 Tasks of the internal audit function 1 As a general rule, the auditing operations of the internal audit function shall cover all of the institution’s activities and processes on the basis of a riskoriented audit approach. 2 The internal audit function, while guarding its independence and avoiding conflicts of interest, shall be involved in key projects. 3 Where material activities are outsourced to another enterprise, the institution’s internal audit function may waive conducting its own audit activities, provided that the audit activity conducted by other audit functions complies with the requirements in AT 4.4 and BT 2. The outsourcing institution's internal audit function shall regularly verify compliance with these requirements. The audit findings that are relevant to the institution shall be passed on to the internal audit function of the outsourcing institution. Auditing activity performed by other audit functions The auditing activity may be performed by

the internal audit function of the external service provider
the internal audit function of one or more of the outsourcing institutions on behalf of the outsourcing institutions
a third party commissioned by the external service provider, or
a third party commissioned by the outsourcing institutions. BT 2.2 General principles relating to the internal audit function 1 The internal audit function shall perform its tasks autonomously and independently. In particular, it shall be ensured that it is not subject to any instructions in connection with reporting and evaluating the audit findings. The management board’s right to order additional audits shall not conflict with the autonomy and independence of the internal audit function. 2 As a general rule, staff employed in the internal audit function shall not be entrusted with tasks which are unrelated to auditing. In particular, they shall not perform any tasks which are incompatible with auditing activities.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 60 of 62 Provided that the independence of the internal audit function is ensured, it may, as part of its tasks, provide advisory services to the management board and other organisational units of the institution. 3 As a general rule, staff employed in other organisational units of the institution shall not be entrusted with the internal audit function’s tasks. This shall not, however, preclude other members of staff working for the internal audit function on a temporary basis in legitimate individual cases on account of their specialist knowledge. BT 2.3 Planning and conduct of the audit 1 The internal audit function’s activities shall be based on a comprehensive audit plan, which shall be updated once a year. Audit planning shall be riskoriented. The institution’s activities and processes, including those outsourced, shall be audited at appropriate intervals, as a general rule within three years. An annual audit shall be conducted where particular risks exist. The three-year audit cycle may be waived in the case of activities and processes which are immaterial in terms of risk. 2 Audit planning, methods and quality shall be reviewed and refined regularly and on an ad hoc basis. 3 It shall be ensured that any special audits required at short notice, eg due to deficiencies which have arisen or certain informational requirements, can be performed at any time. 4 Audit planning as well as any material modifications thereto shall be approved by the management board. BT 2.4 Reporting requirement 1 The internal audit function shall swiftly prepare a written report on each audit and, as a general rule, submit it to the responsible members of the management board. In particular, the report shall detail the audit subject and the audit findings, including the envisaged remedial measures, where Grading of findings This Circular distinguishes in BT 2 between “material”, “serious” and “particularly serious” findings. This means that the relevant identified findings are graded in terms of their (potential) significance in terms of risk. The

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 61 of 62 appropriate. Any material findings shall be highlighted. In addition, the results of the audit shall be evaluated. In the event of serious findings, the report shall be promptly submitted to the management board. individual institution is free to decide the precise definition of the individual grades. The institution may decide at its discretion to define its own classification system for identified findings that are less relevant in terms of risk. 2 The audits shall be documented by working documents. These shall show the work that has been performed as well as the identified findings and conclusions in a way that is comprehensible for expert third parties. 3 If there is no agreement between the audited organisational unit and the internal audit function regarding the measures to be taken in order to remedy the findings, the audited organisational unit shall issue a statement on this matter. 4 The internal audit function shall swiftly write an overall report on the audits it has performed during the financial year and swiftly submit it to the management board. The overall report shall provide information on the material findings and the remedial measures taken. Furthermore, it shall contain an account of whether and to what extent the audit plan’s specifications have been adhered to. Method of reporting the findings A highlighting approach may be used for reporting the findings. Similar individual findings as well as the status of the adopted implementation measures may be summarised. 5 If the audits reveal serious findings concerning members of the management board, this shall be reported promptly to the management board. The management board shall promptly inform the chair of the supervisory board as well as the supervisory authorities (BaFin, Deutsche Bundesbank). If the management board fails to meet its reporting obligation or if it fails to adopt appropriate remedial measures, the internal audit function shall inform the chair of the supervisory board. 6 The management board shall provide the supervisory board at least once a year with concise information on the serious findings identified by the internal audit function and on any material findings that have not yet been remedied. The serious findings that have been discovered, the measures adopted to remedy them and the implementation of those measures shall be specially highlighted. The management board shall promptly inform the supervisory board of particularly serious findings. 7 Audit reports and working documents shall be kept for six years.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management in the version of 14 December 2012 - Page 62 of 62 BT 2.5 Reaction to identified findings 1 The internal audit function shall monitor in an appropriate form whether the findings identified during the audit are remedied within the specified timeframe. A follow-up audit shall be conducted where applicable. 2 If the material findings are not remedied within an appropriate period of time, the head of the internal audit function shall first inform the responsible member of the management board of this in written form. If the findings are still not remedied, the management board shall be informed in writing of the outstanding findings in the next overall report at the latest.