Regulation on the Internal Capital Adequacy Assessment Process for Banks

Pursuant to Article 35, paragraph 1.1 of the Law No. 03/L-209 of the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010), and Article 102 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (Official Gazette of the Republic of Kosovo, No. 11/11 May 2012), the Board of the Central Bank of the Republic of Kosovo at the meeting held on November 29 , 2018 approved the following: REGULATION ON THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS FOR BANKS Article 1 Purpose and Scope

1. The purpose of this regulation is to determine the Internal Capital Adequacy Assessment Process of the bank (hereafter: ICAAP) to ensure the amount, type and allocation of adequate capital considered necessary to cover bank’s risks for the purpose of risk management processes, setting risk strategies and capital planning.
2. This regulation is applied to all banks licensed by the CBK to operate in the Republic of Kosovo.
3. Apart of the requirements of Article 31 paragraph 3 of this regulation, this regulation does not apply to foreign bank branches. Article 2 Definitions
4. The terms used in this regulation have the same meaning with the terms defined on the Law No:04/L-093 for Banks, Microfinance Institutions and Non-bank Financial Institutions (hereafter referred to as the Law on Banks), or as further defined for the purpose of this regulation:

2 1.1.“Risk profile” - is the assessment of the overall exposure to risks to which a bank is or could be exposed in its operations at a specific moment, including interactions and concentration risk (hereinafter: the bank’s risks). This assessment may take account of exposure to risks before or after the application of risk management measures; 1.2.“Risk appetite” (also “acceptable risk” and “risk tolerance”;) - is the overall level of risk accepted in advance, including the levels of individual types of risk, that the bank is willing to take up for the purpose of realizing its business objectives, strategies, policies and plans, having regard for the bank’s risk bearing capacity, its strategies and policies for the take-up and management of risks, and its capital, liquidity and compensation system or policies ; 1.3.“Risk limits” - are the adopted quantitative restrictions and measures based on which a bank manages the take-up of risks and their concentration across products, investments, business lines, entities in the group or other risk management criteria, and that allow the bank to allocate risks across business lines and types of risk and that the bank sets with regard to its risk appetite, various stress scenarios and other criteria; 1.4.“Risk bearing capacity” - is the largest overall risk level that a bank is able to take up, having regard for its available capital, liquidity, risk management and control measures, stress test results and other restrictions on the take-up of risks; 1.5. “Risk management culture” - is a bank’s level of standards and values implemented, considering the risk awareness of the members of the board of directors, senior management, and other employees that via their actions and attitudes to the bank’s risk and the proposals for internal control functions is reflected in their decision with regard to the take-up and management of risks at the level of the bank’s daily activities and has an impact on the implementation of the adopted risk appetite; 1.6.“Concentration risk” - is the risk of excessive direct and/or indirect exposure arising from the credit risk of a bank or banking group vis-à-vis an individual client, a group of connected clients or clients linked by common risk factors; 1.7.“Reputation risk” - is the risk of a loss as a result of a negative image about a bank held by its customers, business partners, employees, owners and investors, competent authorities or supervisory authorities, or other relevant public audiences;

3 1.8.“Strategic risk” - is the risk of loss as a result of incorrect business decisions by the board of directors and senior management, a failure to implement the decisions taken, and weak responsiveness on the part of the board of directors and senior management to changes in the business environment; 1.9.“Capital risk” - is the risk of a loss as a result of the inadequate composition of capital with regard to the nature and scope of a bank’s operations or to the difficulties that the bank faces in obtaining fresh capital, particularly in the event of the need for a rapid increase in capital or in the event of adverse business conditions; 1.10. “Profitability risk” - is the risk of a loss as a result of the inadequate composition or diversification of income or a bank’s inability to ensure a sufficient and sustainable level of profitability; 1.11. “Internal capital requirements” - is an estimate of the capital, needed for covering the bank’s risks; 1.12. “Internal capital assessment” - is the capital calculated on the basis of the internal definition of a bank’s capital components; 1.13. “Stress test” - entails the use of various quantitative and qualitative techniques for testing a bank’s robustness to severe but plausible developments set out by the bank on the basis of various combinations of changes in risk factors (stress test scenarios); 1.14. “Sensitivity analysis” - is a technique that is less complicated technique of a stress test and that merely includes an assessment of the impact of a change in a single precisely determined risk factor on a bank’s financial position, whereby the cause of the shock is not defined; 1.15. “ICAAP” – means Internal Capital Adequacy Assessment Process

4 Article 3 Assessing and ensuring internal capital adequacy

1. A bank shall have appropriate, effective and comprehensive strategies and processes to continuously assess and ensure the amounts, types and distribution of internal capital that it deems necessary as coverage with respect to the characteristics and extent of the risks to which it is or could be exposed in its operations.
2. A bank shall ensure on the basis of regular reviews that the strategies and processes referred to in the previous paragraph are comprehensive and proportionate to the nature, scale and complexity of the activities it performs, and internal capital adequacy to cover those risks. Article 4 Relationship between bank’s business strategy and risk strategy
3. For the purpose of implementing effective internal capital adequacy process the board of directors and senior management shall ensure that a bank’s business objectives, strategies and policies are appropriately connected with the risk strategies and policies referred to in Articles 5 and 6 of this regulation.
4. When the business objectives, strategies and policies referred in paragraph 1 of this article pursue a strategy of high risk appetite, the board of directors shall, having regard for the nature, scale and complexity of the risks inherent in the bank’s business model and the activities pursued by the bank, ensure effective internal governance arrangements commensurate therewith.
5. A risk strategy that is not based on commensurately effective internal governance arrangements may be reflected in the bank’s strategic risk, and in the excessive take￾up of risks. Article 5 Risk strategies
6. A bank shall put in place and implement effective and comprehensive strategies for taking up and managing risks set out paragraph 1 and 2 of Article 9 of this regulation (hereinafter: risk strategies) that take account of the bank’s business strategy and its long-term interests, including the protection of the interests of the bank’s unsecured creditors. The risk strategies shall define the bank’s objectives and general approach to taking up and managing risks, including a definition of the risk appetite, taking account of factors in the bank’s internal and external environment and the bank’s risk attributes.

5 Article 6 Risk policies

1. A bank shall put in place and implement policies for taking up and managing risks set out in paragraphs 1 and 2 of Article 9 of this regulation (hereinafter: risk policies) that set out the implementation of the risk strategies referred to in Article 5 of this regulation.
2. The risk policies referred to in paragraph 1 of this article shall provide a detailed definition of the functions, systems, processes, procedures, methodologies and rules of the bank’s internal governance arrangements, including the corresponding powers and responsibilities, and the reporting flows at all levels of the bank’s hierarchical and organizational structure. Article 7 Risk appetite
3. A bank shall ensure that its take-up of risks at any moment is in accordance with the adopted risk appetite referred to in subparagraph 1.2, paragraph 1 of Article 2 of this regulation. The bank’s approach to the realization of the risk appetite shall be integral, shall take account of the interests of the bank’s owners and other stakeholders, and shall be based on the bank’s policies, processes and internal controls and the corresponding responsibilities of the risk management function and the compliance function.
4. The board of directors shall approve and explain the bank’s approach to the realization of the risk appetite referred to in paragraph 1 of this article on the basis of the concise risk statement as it is defined in paragraph 9 of Article 9 in the Regulation on Corporate Governance of Banks. Article 8 Risk bearing capacity
5. A bank shall ensure that its take-up of significant risks at any moment is within the framework of the risk bearing capacity referred to in subparagraph 1.4, paragraph 1 of Article 2 of this regulation.
6. The bank shall put in place a methodology for assessing the risk bearing capacity at any moment, which takes under account of: 2.1 All significant risks that the bank takes up within the framework of its operations, including interactions and risk concentrations; 2.2 The available measures for managing the identified and assessed risks; 2.3 The bank’s capital and liquidity;

6 2.4 Other restrictions, including any restrictions deriving from the bank’s bylaws, regulations and standards, or the requirements of the CBK. 3. Where specific risks or other factors are not taken into account in the assessment of the risk bearing capacity, the bank shall explain what the risks and factors are, citing the reasons why they have not been taken into account. 4. The bank shall regularly asses the risk bearing capacity, including during any significant change in exposure to taken-up risks. The assessment of risk bearing capacity shall be documented. The bank shall review the adequacy of the methodology for assessing risk bearing capacity at least once a year, including the proposals for its potential updating. Article 9 Bank’s risk

1. The risks that a bank takes up within the framework of its operations may include credit risk and counterparty risk, concentration risk within the framework of credit risk, market risks, interest rate risk, liquidity risk, operational risk (including legal risk), currency risk, compliance risk, model risk, reputation risk, strategic risk, capital risk, profitability risk, risk of excessive leverage, and securitization risk.
2. The bank shall ensure that at any moment it is capable of managing all of its other significant risks on a consolidated and individual basis. Significant risks shall be identified early, treated comprehensively, monitored within the framework of the bank’s daily activities and presented in timely fashion to the board of directors, the senior management, the internal audit department, the compliance department. Effective risk management reduces the probability of unexpected losses, and consequently prevents reputation risk deriving from such losses.
3. In addition to the general requirements in connection with risk management set out by this regulation, the bank shall additionally meet the requirements with regard to the treatment of the following risks: 3.1 Credit risk; 3.2 Liquidity risk; 3.3 Operational risk; 3.4 Market risk. Article 10 Effective risk management process
4. The bank shall ensure effective risk management processes for identifying, measuring or assessing, managing and monitoring risks, including recovery plans and the reporting of the risks to which the bank is or could be exposed in its operations.

7 2. The risk management processes referred to paragraph 1 of this article are deemed effective if they facilitate the production of high-quality assessments, analysis, reports, proposals of measures and other results of these processes, including an internal assessment of risk-based capital requirements and an internal capital assessment, based on which the board of directors and senior management is able to take business decisions that are in accordance with the adopted risk appetite, and other measures in connection with the realization of stable internal governance arrangements at the bank. 3. The bank shall provide for systematic planning of the development of the risk management processes referred to in paragraph 1 of this article, for the purpose of their effective tailoring to any changes in the bank’s risk profile, the risks of the external environment and best risk management practice. Article 11 Identification and assessment or measurement of risks

1. The process of identifying risks shall ensure that all the significant risks referred to in paragraphs 1 and 2 of Article 9 of this regulation are taken into account. The identification of significant risks shall include: 1.1. Comprehensive risk analysis, including risks that could have an adverse impact on the bank’s earnings, liquidity and book value of the bank; 1.2. Consideration of risk concentrations and the potential risks inherent in the complexity of the bank’s legal and organizational structure; 1.3. Analysis of trends for the purpose of identifying new or emerging risks as a result of changes in the bank’s business conditions.
2. The process of the ordinary and, where appropriate, extraordinary assessment or measurement of the identified risks referred to in paragraph 1 of this article shall be based on: 2.1 Established and documented processes for the assessment or measurement of losses that are in accordance with the bank’s methodologies for the calculation of minimum own funds requirements; 2.2 The use of an appropriate toolkit of scenarios with regard to causes of risk and risk interactions; 2.3 The use of appropriate and reliable databases. Article 12 Stress tests
3. A bank shall provide for a comprehensive approach to the implementation of stress tests and sensitivity analysis (hereinafter: stress tests) that includes:

8 1.1. The identification of the most significant causes of risk, and the preparation of appropriate stress scenarios; 1.2. The application of the results of stress tests for the purpose of: 1.2.1. Identifying risks and the development of the bank’s exposure to these risks, 1.2.2. Reviewing the adequacy of assessments or measurements of risks; 1.3. Compiling a toolkit of potential risk management measures referred to paragraph 1 of Article 13 of this regulation in the event of adverse operating conditions for the bank (e.g. the preparation of business continuity plans). 2. The bank shall take account of the results of stress tests in the process of reviewing and planning the bank’s risk appetite, risk limits and risk bearing capacity, planning the bank’s capital and liquidity, and making an internal assessment of capital adequacy and sustainable liquidity. The board of directors, the risk committee, the senior management and the internal audit department shall be briefed on the results of stress tests. The management board shall confirm the results of stress tests on each occasion. 3. The management board/ senior management shall review and approve the stress scenarios referred to in paragraph 1 of this article on each occasion, and shall brief the risk committee accordingly. Article 13 Managing taken-up risks

1. The process of managing taken-up risks shall ensure the definition and implementation of potential risk management measures including: 1.1. The transfer or diversification of risks (e.g. via insurance) or the avoidance of risks (e.g. via the withdrawal of a product or business line); 1.2. Risk limitation (e.g. via risk limits); 1.3. The temporary acceptance or take-up of risks that exceed the adopted risk limits, because their mitigation over the relevant period is not possible; 1.4. The acceptance or take-up of risks that cannot be mitigated to the level of the adopted risk limits or cannot be adequately insured against.
2. The bank shall ensure that the measures referred to in subparagraph 1.3, paragraph 1 of this article are applied in exceptional cases only, and on the basis of an appropriate approval by the senior management, which shall be briefed on the effects of such measures regularly.
3. The risk management function shall propose the measures referred to paragraph 1 of this article for identified and assessed or measured risks, and shall guide and monitor their implementation. In the event of a decision by the management board with regard to the acceptance of significant risks referred to in subparagraphs 1.3 and 1.4, of paragraph 1 of

9 this article, in conjunction with the organizational units that are taking up the risks the risk management function shall provide for the regular monitoring and reporting of the risks for the purpose of managing these risks within the agreed risk limits or in accordance with the senior management decisions. Article 14 Risk monitoring and communication about risks

1. The process of monitoring risks shall ensure systematic communication about risks at all of the bank’s hierarchical and organizational levels, including reporting on risks to the board of directors, the senior management and the internal control functions.
2. Effective risk monitoring ensures that the take-up of risks is in accordance with the risk limits put in place. To this end the bank shall put in place: 2.1 A system that facilitates the identification of breaches of risk limits in an appropriate time with regard to the nature and type of the risks; 2.2 Procedures for handling breaches of risk limits and for determining the causes of the breaches, including the corresponding measures; 2.3 Procedures for informing the board of directors, the risk management committee, the senior management and the risk management function with regard to breaches of risk limits. Article 15 Regular and ad hoc reports on risks
3. The reporting on risks referred to in paragraph 1 of Article 14 of this regulation shall be based on a transparent reporting system that includes regular and ad hoc reports on risks.
4. The regular reports on risks referred to in paragraph 1 of this article shall facilitate the monitoring of effective decisions with regard to measures to manage and control risks, and the monitoring of the results of such measures. These reports shall provide for a clear overview of the risk profile, particularly on the basis of information about: 2.1 The consideration of risk appetite across different business lines, and breaches of risk limits; 2.2 The bank’s significant risks and the assessments thereof; 2.3 The results of stress tests.
5. The ad hoc reports on risks referred to in paragraph 1 of this article shall facilitate the earliest possible reporting of extraordinary information on the occurrence of a significant risk that requires immediate attention or action on the part of the management board or

10 the senior management. The senior management shall brief the board of directors on such risks without delay. 4. In connection with the compilation of reports on risks the bank shall provide for an appropriate level of automation in the process of preparing individual reports that ensures their compliance with the actual situation. In the event of manual interventions in the content of a report, the bank shall provide for appropriate internal controls (e.g. an audit trail, the four eyes principle). Article 16 Adequacy of reports on risks

1. The scope and detail of reports on risks shall take account of the needs of the target users of the reports, as follows: 1.1. The bank’s board of directors, risk committee, and senior management shall receive comprehensive information about all significant issues in connection with the bank’s operations and its risks; 1.2. The internal audit department, the risk management function and the bank’s other managers shall receive relevant information about key issues in connection with the bank’s operations and its risks. Information is deemed relevant if is presented in a manner that transparently summarizes the significant content of an issue with regard to its priority.
2. Reports on risks shall be: 2.1 Understandable; reports are deemed understandable if they contain clear and accurate information about risks; 2.2 Sufficient; reports are deemed sufficient if they include all significant risks and together provide for a comprehensive overview of the bank’s risk profile; 2.3 Useful; reports are deemed useful if they constitute a basis for the adoption of appropriate measures; 2.4 Comparable and compatible; reports are deemed comparable and compatible if their form is as standardized as possible with regard to the information that they contain; 2.5 Timely; reports are deemed timely if they facilitate the taking of decisions in an appropriate time with regard to the nature and type of the risks. Article 17 Risks of new products and external contractors
3. A bank shall ensure that the risks inherent in the introduction of new products are also included in the risk management processes referred to in Article 10 of this regulation.

11 2. Should the bank use external contractors in the pursuit of its business activities, the risk management processes referred to paragraph 1 of this article shall also include the risks inherent in the use of external contractors. Article 18 Policy for approval of new product and external contractors

1. For the purpose of managing the risks inherent in the introduction of new products, a bank shall put in place and implement a policy for the approval of new products.
2. For the purpose of managing the risks inherent in the use of external contractors, a bank shall put in place and implement a policy for the use of external contractors. Article 19 ICAAP as integral part of risk management processes
3. A bank shall ensure that the ICAAP is an integral part of the risk management processes referred to in paragraph 2 of Article 10 of this regulation. To this end, in the implementation of the ICAAP and the corresponding calculations of the internal assessment of risk-based capital requirements and the internal capital assessment, the bank shall apply the same systems, processes, methodologies, data and definitions of risks as those applied in the identification, assessment or measurement, management, monitoring and controlling of risks.
4. The board of directors shall ensure that the results of the ICAAP, including the internal assessment of risk-based capital requirements and the internal capital assessment, are taken into account in: 2.1 The adoption of the bank’s business decisions; 2.2 The definition and adoption of risk strategies, the risk appetite and the risk bearing capacity, and in the bank’s long-term capital planning. Article 20 Board of Directors’ responsibility for approval of ICAAP
5. For the purpose of the proper application and results of the ICAAP in the adoption and supervision of business decisions and risk strategies, the board of directors shall approve the adequacy of the ICAAP at least once a year, including the internal assessment of risk-

12 based capital requirements and the internal capital assessment on each occasion and the corresponding measures (hereinafter: results of the ICAAP). In so doing: 1.1. The senior management shall approve the adequacy of the ICAAP and its results on the basis of detailed knowledge of the objectives, processes, procedures and methodologies of the ICAAP; 1.2. The board of directors shall approve the adequacy of the ICAAP and its results on the basis of ensuring general awareness of the concept and objectives of the ICAAP, including an understanding of the importance of its results and the corresponding measures. 1.3. With each approval of the adequacy of the ICAAP, the board of directors and senior management confirms that the ICAAP is taking account of the risk strategies. 2. For the purpose of the effective adoption and monitoring of the implementation of business decisions and risk strategies referred to in paragraph 1 of this article, the bank shall ensure that the board of directors and senior management is regularly briefed on which of the bank’s risks are addressed in the ICAAP, including the corresponding internal assessments of risk-based capital requirements. Article 21 Planning and implementation of ICAAP

1. A bank shall ensure the inclusion of the ICAAP in the processes of planning the bank’s operations for the upcoming planning period.
2. The bank shall provide for adequate powers and responsibilities of the bank’s organizational units and functions for the implementation, monitoring, review and adoption of operational decisions for the purpose of the implementation of the ICAAP, including the calculation of the bank’s internal assessment of risk-based capital requirements and internal capital assessment. The powers and responsibilities are deemed adequate if they are set out in accordance with the following requirements: 2.1 The bank’s functions that develop methodologies in connection with risk management and calculate the internal assessment of risk-based capital requirements should be functionally and organizationally separate from the business units and other organizational units that take up risks and should be within the risk management function in compliance with Regulation on Corporate Governance of Banks. 2.2 The business units and other organizational units that take up risks in the ICAAP should participate in the ICAAP under the leadership of the risk management

13 function, which ensures the proper balance of interests between the bank’s take-up of risks and its risk management. 2. The bank shall ensure sufficient human resources (HR) and financial conditions for the purpose of the implementation of the ICAAP, including the use of appropriate information technology. 4. The bank shall ensure that the ICAAP is regularly updated with regard to changes in the bank’s internal and external environments or changes in the objectives, strategies and policies referred to in paragraph 1 of Article 4 of this regulation. Article 22 Inclusion of identified risks in ICAAP

1. A bank shall ensure that the ICAAP covers all of the bank’s identified significant risks, including risks inherent in the introduction of new products and the use of external contractors on a consolidated and individual basis.
2. Notwithstanding paragraph 1 of this article, for the purpose of including specific risks referred to in paragraph 1 of this article in the ICAAP, instead of using quantitative methodologies for the calculation of the internal assessment of risk-based capital requirements for the aforementioned risks the bank may use the corresponding risk management measures referred to in paragraph 1 of Article 13 of this regulation. In this case the bank shall ensure high quality in the use of the aforementioned measures, supporting them with argumentation.
3. The bank shall provide for a review of the adequacy and comprehensiveness of the inclusion of identified risks in the ICAAP at least once a year, and during any significant change in risk exposure. Article 23 Risk measurement and use of economic capital models
4. For the purpose of calculating the internal assessment of risk-based capital requirements, a bank shall ensure the use of comprehensive data in risk measurement. Data is deemed comprehensive if it covers all the risks inherent in the bank’s business model, activities

14 and products on a consolidated and individual basis. The bank shall ensure the regular review of the comprehensiveness of the data and the coordination of the data used with information from the balance sheet and other relevant data deriving from the bank’s financial reports. 2. A bank that uses advanced risk measurement techniques in its risk measurement (hereinafter: economic capital model) shall to this end ensure that the economic capital model, including the data used, is tailored to the bank’s business model, activities, products, and other internal and external circumstances. The validation (confirmation of the adequacy) of the economic capital model shall be provided by one of three organizational options of the bank which are independent, determined as follows: 2.1 Two separated units (i.e., one unit which develops the model and the other unit which validates the model) which report to different members of senior management. 2.2 Two separated units (i.e., one unit which develops the model and the other unit which validates the model) which report to the same member of senior management. 2.3 The separation of staff (i.e., the staf which develops the model and the staff which validates the model) within the same organizational unit which report to Chief Risk Officer. 3. In its risk measurement referred to in paragraph 1 of this article, the bank shall ensure that any consideration of the effects of risk management measures in the calculation of the internal assessment of risk-based capital requirements does not act to reduce the internal assessment of risk-based capital requirements such that the reduction in the internal assessment of risk-based capital requirements could be disproportionate to the actual effect of the risk management measures. Article 24 Internal assessment of risk-based capital requirements A bank shall calculate an internal assessment of risk-based capital requirements on the basis of its own methodology, including the combination of internal assessments of risk-based capital requirements for individual risks, or another appropriate methodology. Article 25 Internal capital assessment and objectives for maintenance of risk bearing capacity

1. On the basis of appropriate objectives for the maintenance of risk bearing capacity, a bank shall provide for the definition of the relevant capital components included in the internal capital assessment for the purpose of the ICAAP. The objectives for the maintenance of risk

15 bearing capacity are deemed appropriate if they include the bank’s approach to ensuring capital adequacy under the following scenarios at least: 1.1. The bank as a going concern; 1.2. An emergency (but plausible) situation in the bank’s operations. 2. The bank shall provide for the regular assessment (at least once a year) of the adequacy of capital components referred to in paragraph 1 of this article, including the consideration of any planned changes with regard to these components. Article 26 Capital planning For the purpose of stably ensuring capital adequacy, a bank shall provide for adequate capital planning for a period of at least three years that takes account of the bank’s approach to the distribution of any dividends and the possibility of recapitalization. The capital planning shall be based on realistic assumptions, having regard for the business strategy and the risk strategy referred to in paragraph 1 of Article 4 of this regulation, and any restrictions deriving from regulations and standards and from the requirements of the CBK. Article 27 Analysis of risk bearing capacity

1. A bank shall ensure that the internal capital assessment is aligned with its risk bearing capacity at all times. To this end the bank shall provide for analysis of its risk bearing capacity, including on the basis of the scenarios for the maintenance of risk bearing capacity referred to in paragraph 1 of Article 25 of this regulation.
2. The scenario for the maintenance of risk bearing capacity at the bank as a going concern referred to in subparagraph 1.1, paragraph 1 of Article 25 of this regulation shall take account of the appropriate protection of the interests of shareholders, the board of directors, senior management and the bank’s other employees. The protection of these interests is deemed appropriate if access to the capital provides for protection against developments that could endanger the bank’s continuation as a going concern. For the purpose of this scenario the bank shall ensure at all times that the internal assessment of risk-based capital requirements is at least at the level of the own funds requirements calculated in accordance with Regulation on Capital Adequacy.
3. The scenario for the maintenance of risk bearing capacity in an emergency but plausible situation in the bank’s operations referred to in subparagraph 1.2, paragraph 1 of Article 25 of this regulation shall take account of the appropriate protection of the interests of the

16 bank’s investors. The protection of these interests is deemed appropriate if the bank’s capital is sufficient to repay the bank’s creditors. 4. The bank may also define scenarios for the maintenance of risk bearing capacity for the purpose of covering other, less significant risks that are frequently realized. 5. The bank shall monitor the consideration and any breaches of the risk bearing capacity under the scenarios for the maintenance of risk bearing capacity put in place. Article 28 Use of stress tests

1. For the purpose of the calculation of the internal assessment of risk-based capital requirements, a bank shall conduct the stress tests at least once a year, according to stress scenarios that assume changes in market conditions, having regard for all the relevant entities in the group. To identify the changes in market conditions that could have an adverse impact on the bank’s future capital adequacy, the stress tests shall also take account of the state of the current business cycle in connection with a general deterioration in the economic situation as a result of a decline in economic activity (recession) and a specific deterioration in the economic sectors that the bank supports financially.
2. The bank shall ensure that the results of the stress tests referred to in paragraph 1 of this article are taken into account in the capital planning process referred to in Article 26 of this regulation, and in the definition of measures in connection with the risk strategies and policies (Article 5 and 6 of this Regulation), including with regard to the risk profile and the business continuity plans. Article 29 Capital allocation process
3. A bank shall provide for an appropriate process for allocating capital across business lines and/or entities in the group, on the basis of the internal assessment of risk-based capital requirements referred to in Article 24 of this regulation and the analysis of risk bearing capacity referred to in Article 27of this regulation. The capital allocation process is deemed appropriate if it links the bank’s business strategy with its risk strategy.
4. The bank shall provide for an assessment of capital adequacy and capital allocation at least once a year and during any significant change in risk exposure.

17 Article 30 Documentation related to ICAAP process

1. A bank shall provide for the systematic storage of important documentation in connection with the bank’s operations, its risk management, including the implementation of internal controls, and the internal reporting of the bank’s risks (hereinafter: documentation). The documentation related to ICAAP process shall in particular include: 1.1. the bank’s bylaws, with regard to the chronology of their updating (e.g. strategies, policies, codes of conduct, instructions); 1.2. relevant documents in connection with the activities of organizational units (e.g. adopted decisions, analysis, measures, financial results); 1.3. a detailed description of the ICAAP (e.g. scope of application, objectives, methodologies, assessments, procedures, calculations, measures). Article 31 Reporting and time limits for reporting
2. A bank shall submit a written report to the Central Bank of the Republic of Kosovo on the ICAAP in accordance with ICAAP Submission Template as it is defined in Appendix 1.
3. Bank shall prepare the report referred to paragraph 1 of this article on the ICAAP as at 31 December of the previous year and submit it to the CBK at the latest until 30 April of the current year.
4. Foreign bank branches shall submit to the CBK: 3.1 the ICAAP report for the parent bank; 3.2 the strategy of the parent bank for the branch; 3.3 a detailed report on the risk assessment and risk management process taking into account the risk profile in accordance with the parent bank’s strategy for the branch operating in Kosovo and the capacity of capital support. 3.4 The report and the strategy mentioned in subparagraphs 3.1, 3.2 and 3.3 of this paragraph should be delivered to CBK not later than 30th of May of the current year. Article 32 Supervisory Review The CBK, as part of its supervision process, shall review and evaluate the ICAAP, with the aim of ensuring adequate capital levels, to monitor risks undertaken by the bank and to use, develop and improve the risk management methods. The CBK shall review and evaluate the

18 ICAAP, overall, on the basis of the ICAAP report, supervisory examinations, and the dialogue with the bank regarding the capital adequacy, risk management, and risk bearing capacity. Article 33 Implementation, remedial measures and civil penalties Any violation of the provisions of this Regulation shall be subject to remedial and punitive measures, as defined in the Central Bank Law and the Law on Banks. Article 34 Appendices An integral part of this regulation is the Appendix 1. Article 35 Entry into force This Regulation shall enter into force on 01.01.2020 The Chairman of the Board of the Central Bank of the Republic of Kosovo

---

Prof. Dr. Flamur Mrasori

19 APPENDIX 1 Internal Capital Adequacy Assessment Process (ICAAP) Submission Template

1. The purpose of this appendix is to provide guidance to banks in preparing the document/ report of the ICAAP in accordance with the requirements of this Regulation.
2. The report of the ICAAP should be approved by the board of directors and the senior management of the bank.
3. The completion of this template is mandatory for submission purposes. In addition, banks must also complete an additional appendix outlining the risk assessment and quantification methodology used.
4. The amount of detail in the ICAAP document will vary based on the size and complexity of the bank. Supplementary information such as policies, risk management frameworks and processes can be referred to by way of appendices. ICAAP Submission Template Elements 1 Executive Summary 2 Background on ICAAP 3 Information on Business Model and Strategy 4 Information on Risk Governance and Management Framework 5 Information on Risk Appetite Framework 6 Material Risks 7 Risk Bearing Capacity 8 Information on Capital Planning 9 Stress Testing 10 Integration of ICAAP into Risk Management 11 Challenge & Next Steps Two Required Appendices Form ICAAP - Summary Key Metrix Report Appendix Bank’s Risk Assessment Framework and Quantification Methodology

20 ICAAP Submission Template Executive Summary This summary should provide an overview of the ICAAP framework and results such as:  Confirmation that the bank (on a consolidated basis) has assessed its capital as adequate given the size and complexity of its business.  Commentary on the most material risks faced by the bank, why the level of risk is acceptable or, if it is not, what mitigating actions is planned.  Summary of the main findings of the ICAAP analysis including: • The level and composition of internal capital the bank believes should be held, with a comparison to the regulatory capital requirement under “Pillar 1” calculation (please complete the ICAAP - Report Summary Key Metrix Report for comparison of the risk components within the Bank’s Pillar 1 capital and its ICAAP assessment); • The adequacy of the Banks risk management processes; • Whether the bank has adequate capital resources over its planning horizon; and • A summary of the capital plans approved by the board – at minimum, these should include Common Equity Tier 1 (CET1) Ratio, Tier 1 Capital, Total Capital Ratio, and amounts / or structure of regulatory capital and internal capital assessments; • Summary of the financial position of the bank, its business strategy, balance sheet structure and projected profitability. • Description of the review, challenge and approval process of the ICAAP.

21 Background of ICAAP This section should provide a high level overview of the banks’ ICAAP, pulling together the Bank’s risk management framework, business planning and capital management. The overview should cover relevant policies and systems used by the bank to identify, manage and monitor its risks according to its risk appetite and its risk bearing capacity. Information on Business Model and Strategy This section should provide a high level overview of the bank’s business model and strategy, risk strategies and risk policies, and relationships as referred to Article 4. In this section the bank should provide also a description of the current business models including identification of core business lines, markets, geographies, and products the bank operates; description of main income and cost drivers, allocated to core business line, and markets; and forward-looking strategy in terms of description of the changes planned by the bank to the current business model and its underlying activities. Information on Risk Governance and Management Framework This section should provide a high level overview and description of the bank’s overall governance arrangements, including the roles and responsibilities within the risk management and control organization, including at the level of board of directors and senior management; description of reporting lines and frequency of regular reporting to the management; description of interaction between risk measurement and monitoring and actual risk taking practice (e.g. limit setting, monitoring, dealing with breaches etc.), etc.. Information on Risk Appetite Framework This section should provide a high level overview of the bank’s risk appetite and set out the frequency of review of the risk tolerance by senior management and the board of directors.

22 Material Risks This section should provide a concise description of the bank’s risk identification process and outline how the bank identifies material risk areas. Key risks which should be considered as part of an ICAAP include:  In a separate appendix (include as Appendix 1 to your ICAAP submission), please provide further detail on the bank’s risk assessment and quantification methodology, including:  How the bank defines each of the key risks listed above as well as any other risks identified as key based on the bank’s risk profile;  How the bank determines the materiality of each key risk; and  A description of how each material risk is then quantified for capital allocation purpose, including detailed methodology to specify data, assumptions and calculations. Risk Bearing Capacity This section should provide a high level overview of the Banks’s risk bearing capacity and maintenance of risk bearing capacity. The Bank here generally presents the methodology and process for assessing the risk capacity, including the risk- bearing capacity analysis as required by Article 27 of this Regulation. In appendix is presented in detail the methodology, calculations, and the entire process, including detailed analysis of the risk-bearing capacity. Information on Capital Planning This section should include:  the bank’s “baseline” capital forecasts (at least quarterly, based on annual business plan);  a 3-year summary forecast capital position; and  A description of the bank’s capital planning and management process, including an outline of how ICAAP is incorporated into this process. Stress Testing This section should provide a concise description of how the bank’s stress testing program is used to support capital adequacy assessment and management.

23 CBK expects banks to stress test all material portfolios and significant risks identified. The detailed methodology of stress tests should be presented in a appendix. Integration of ICAAP into Risk Management This section should:  Summarize how ICAAP has been used by the bank and how it is embedded in the decision making process;  Describe how ICAAP results have been integrated into risk limits setting and monitoring; and  Describe how the ICAAP results are reported to the board. Challenge & Next Steps This section should:  Summarize the extent of challenge and testing of the ICAAP and the control processes applied to the ICAAP calculations;  Outline the board and senior management sign-off procedures;  Identify the nature of any third party review of the ICAAP; and  Identify any plans to enhance the ICAAP going forward.

24 ICAAP - Summary Key Metrix Report Capital Planning Summary Form Institution: Financial Year End: Submission date: Risk Weighted Assets: (000 Euro) Board Approval: Total Equity (000 Euro) ICAAP Elements Pillar I capital requirements ICAAP estimate (in 000 EUR) (in 000 EUR) Risk subject to minimum capital requirements Credit risk Market risks Operational risk Total Pillar I Risks Risks not fully covered by minimum capital requirements Residual risk (from credit risk) Securitisation risk Residual risk (from market risk) Currency risk Risks not subject to minimum capital requirements Interest rate risk Concentration risk Counterpart risk Market liquidity risk Reputation risk Model risk Profitability risk Strategic risk Capital risk Compliance risk ….. (If needed, add additional rows) Total Pillar II Risks Additional capital to cover stress testing and capital planing Internal assesment of risk-based capital Diversification effects (-) a) for the same risk b) for different rikss Overall capital requirement/estimate Total Pillar I capital requirement Total Pillar II capital requirement (Reference to Appendix 2 of your ICAAP Submission) of which: (000 Euro) Current (t) Year (t+1) Year (t+2) Year (t+3) Risk-weighted Exposures Regulatory Capital Minimal capital requirement (Pillar 1) Capital Adequacy Ratio (%) Capital requirement (Pillar II) Total capital requirement Capital Planing