Decision No 311/2025 Approving the Regulation on Own Funds Requirements for Operational Risk

1 EU Project EXECUTIVE BOARD OF THE NATIONAL BANK OF MOLDOVA DECISION No 311 of 23 December 2025 For the approval of the Regulation on own funds requirements for operational risk, amendment and repeal of certain normative acts of the National Bank of Moldova Pursuant to Article 70 paragraph (1) of Law No 202/2017 on the activity of banks (Official Gazette of the Republic of Moldova, 2017, No 434 - 439, Article 727), as amended, the Executive Board of the National Bank of Moldova DECIDES: This decision partially transposes (transposes Article 1 letter (a), Article 4 paragraph 52, paragraphs 52a- 52c, paragraphs 311a - 313, Article 314 paragraphs (1), (2), (5) - (8), Article 315, Article 316 paragraphs (1), (2), Article 317 paragraphs (1) - (8), Article 318, Article 319, Article 320 paragraphs (1), (2), Article 321 paragraph (1), Article 322, Article 323 paragraph (1), and Article 324) Regulation No 575/2013 of the European Parliament and of the Council of 26 June 2013, on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012, published in the Official Journal of the European Union L 176 of 27 June 2013, CELEX: 32013R0575, as last amended by Regulation (EU) 2024/1623 of the European Parliament and of the Council of 31 May 2024.

1. The Regulation on own funds requirements for operational risk is hereby approved (attached).
2. Decision No 113/2018 of the Executive Board of the National Bank of Moldova on the approval of the Regulation on the treatment of banks’ operational risk for according to the basic approach and the standardised approach (Official Gazette of the Republic of Moldova, 2018, No 183-194, Article 903), registered with the Ministry of Justice of the Republic of Moldova under No 1335/2018, is repealed.
3. The Regulation on the framework for the administration of banking activities, approved by Decision No 322/2018 of the Executive Board of the National Bank of Moldova (Official Gazette of the Republic of Moldova, 2019, No 1-5, Article 56), registered with the Ministry of Justice of the Republic of Moldova under No 1400/2018, is amended as follows: 3.1. In paragraph 4: 3.1.1. the term “information and communications technology risk (ICT risk)” shall have the following meaning: “information and communications technology risk (ICT risk)” means the risk of loss associated with any circumstance that can be reasonably identified in connection with the use of computer networks and systems which, if it materialises, could compromise the security of computer networks and systems, of any technology-dependent tool or process, operations and processes, or service delivery by producing adverse effects in the digital or physical environment; 3.1.2. in the term “compliance risk,” the words “operational risk sub-category that refers to” are excluded; 3.1.3. after the term “financing risk,” the term “legal risk” shall be added with the following content: “legal risk means the risk of loss, including expenses, fines, penalties, or

2 punitive damages that a bank may incur as a result of events leading to legal proceedings, including the following: a) supervisory actions and out-of-court settlements; b) failure to take action when such action is necessary to comply with a legal obligation; c) actions taken to avoid compliance with a legal obligation; d) events related to misconduct, which are events resulting from intentional or negligent misconduct, including the improper provision of financial services or the provision of inadequate or misleading information regarding the financial risk of products sold by the bank; e) failure to comply with any requirement derived from national or international statutory or legislative provisions; f) failure to comply with any requirement derived from contractual agreements or internal rules and codes of conduct established in accordance with national or international rules and practices; g) failure to comply with ethical standards. Legal risk does not include reimbursements to third parties or employees and compensation resulting from business opportunities where no rules or ethical standards have been breached and the bank has fulfilled its obligations in a timely manner. Legal risk does not include external legal costs if the event generating those external costs is not an operational risk event.”; 3.1.4. after the term “liquidity risk,” the term “model risk” is added with the following content: “model risk” means the risk of loss that arises from decisions based primarily on the output of internal models due to errors in the design, development, estimation of parameters, implementation, or use or monitoring of such models, including due to the following: a) inadequate design of the chosen internal model and its characteristics; b) inadequate verification of the appropriateness of the chosen internal model in relation to the financial instrument to be valued or the product to be priced, or of the appropriateness of the chosen internal model for the applicable market conditions; c) errors in the implementation of the chosen internal model; d) incorrect market price valuations and incorrect risk measurement as a result of an error when recording a transaction in the trading system; e) using the chosen internal model or its results for a purpose for which the model was not designed or intended, including manipulating the modelling parameters; f) delayed or ineffective monitoring or validation of model performance or predictive capacity to assess whether the chosen internal model is still fit for purpose;” 3.1.5. the term “operational risk” shall have the following meaning: “operational risk – the risk of loss resulting from inadequate or failed internal processes, people, or systems, or from external events, including legal risk, compliance risk, model risk, and information and communications technology risk, without limitation, but excluding strategic risk and reputational risk;”. 3.2. Paragraph 260: 3.2.1. sub-paragraph 2) shall read as follows: “2) risk related to information and communications technology (ICT risk);”; 3.2.2. sub-paragraphs 3) and 4) are added with the following content: “3) legal risk; 4) model risk.”; 3.3. Paragraph 262 shall read as follows: 262. In the process of operational risk management, the bank shall take into account at least the loss events listed in Section 9, Chapter III of the Regulation on own funds requirements for operational risk, approved by Decision No 311/2025 of the Executive Board of the National Bank of Moldova”; 3.4. In paragraph 354, sub-paragraph 3), the text “,underestimating operational risk in the context of using the underlying approach or the standardized approach” is excluded.

3 4. The Regulation on the requirements for the publication of information by banks, approved by Decision No 158/2020 of the Executive Board of the National Bank of Moldova (Official Gazette of the Republic of Moldova, 2020, No 188-192, Article 667), registered with the Ministry of Justice of the Republic of Moldova under No 1581/2020, is amended as follows: 4.1. Paragraph 59, sub-paragraph 5) shall read as follows: “5) own funds requirements calculated in accordance with the Regulation on own funds requirements for operational risk, approved by Decision No 311/2025 of the Executive Board of the National Bank of Moldova.”. 4.2. Paragraph 64 is repealed. 4.3. In Annex 11, rows 23-25 of the table are excluded. 5. This decision shall enter into force on 1 January 2027. 6. The provisions of paragraph 29 of the Regulation referred to in paragraph 1 of this Decision, insofar as they relate to the 10-year period, shall apply from 1 January 2037. Until 1 January 2037, banks shall update the calculation of net loss based on observed or estimated variations in gross loss and recovery for each financial year starting on 1 January 2027. Chairman of the Executive Board Anca – Dana DRAGU Chișinău, 23 December 2025 No 311

4 Approved by Decision of the Executive Board of the National Bank of Moldova No 311 of 23 December 2025 REGULATION ON OWN FUNDS REQUIREMENTS FOR OPERATIONAL RISK This regulation partially transposes Regulation No 575/2013 (transposes Article 1 letter (a), Articles 311a - 313, Article 314 paragraphs (1), (2), (5) - (8), Articles 315, Article 316 paragraphs (1), (2), Article 317 paragraphs (1) - (8), Articles 318, Article 319, Article 320 paragraphs (1), (2), Article 321 paragraph (1), Article 322, Article 323(1) and Article 324) of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012, published in the Official Journal of the European Union L 176 of 27 June 2013, CELEX: 32013R0575, as last amended by Regulation (EU) 2024/1623 of the European Parliament and of the Council of 31 May 2024. Chapter I GENERAL PROVISIONS Section 1. Scope

1. This Regulation lays down rules on own funds requirements for operational risk under the standardised approach, for the purpose of calculating own funds requirements in accordance with the normative acts of the National Bank of Moldova on own funds and capital requirements.
2. This Regulation shall apply to legal entities banks in the Republic of Moldova, as well as branches in the Republic of Moldova of banks from other countries.
3. Banks shall comply with the obligations set out in this Regulation on an individual basis. Where applicable, banks shall comply with the obligations set out in this Regulation on the basis of their consolidated situation, to the extent and in accordance with the methods stipulated in Chapter IV of the Regulation on the consolidated supervision of banks, approved by Decision No 101/2020 of the Executive Board of the National Bank of Moldova. Section 2. Definitions
4. The terms and expressions used in this Regulation have the meaning provided in Law No 202/2017 on the activity of banks (hereinafter – Law No 202/2017) and in the normative acts of the National Bank of Moldova issued in application of the aforementioned law.
5. For the purposes of this Regulation, the following definitions shall apply: 5.1. “operational risk event” means any event linked to an operational risk which generates a loss or multiple losses, within one or multiple financial years; 5.2. “aggregate gross loss” means the sum of all gross losses linked to the same operational risk event over one or multiple financial years;

5 5.3. “aggregate net loss” means the sum of all net losses linked to the same operational risk event over one or multiple financial years; 5.4. “grouped losses” means all operational losses caused by a common trigger or root cause that could be grouped into one operational risk event. Chapter II OWN FUNDS REQUIREMENT FOR OPERATIONAL RISK Section 1. Calculation of own funds requirements for operational risk 6. The own funds requirement for operational risk shall be the business indicator component calculated in accordance with paragraph 7. 7. Banks calculate the business indicator component according to the following formula: where: BIC = the business indicator component; BI = the business indicator, expressed in billions of Moldovan lei, calculated in accordance with section 2. Section 2. Business indicator 8. Banks calculate their business indicator according to the following formula: BI = ILDC + SC + FC where: BI= the business indicator, expressed in billions of Moldovan lei ILDC = the interest, leases and dividend component, expressed in billions of Moldovan lei and calculated in accordance with paragraph 9; SC = the services component, expressed in billions of Moldovan lei and calculated in accordance with paragraph 10; FC = the financial component, expressed in billions of Moldovan lei and calculated in accordance with paragraph 11. 9. For the purposes of paragraph 8, the interest, leases and dividend component shall be calculated in accordance with the following formula: where: ILDC = the interest, leases and dividend component;

6 IC = the interest component, which is the bank’s interest income from all financial assets and other interest income, including finance income from financial leases and income from operating leases and profits from leased assets, minus the institution’s interest expenses from all financial liabilities and other interest expenses, including interest expense from financial and operating leases, depreciation and impairment of, and losses from, operating leased assets, calculated as the annual average of the absolute values of the differences over the last three financial years; AC = the asset component, which is the sum of the bank’s total gross outstanding loans, advances, interest bearing securities, including government bonds, and lease assets, calculated as the annual average over the last three financial years on the basis of the amounts at the end of each of the respective financial years; DC = the dividend component, which is the bank’s dividend income from investments in stocks and funds not consolidated in the financial statements of the bank, including dividend income from non-consolidated subsidiaries, associates and joint ventures, calculated as the annual average over the last three financial years 10. For the purposes of paragraph 8, the services component shall be calculated in accordance with the following formula: SC = max (OI, OE) + max (FI, FE) where: SC = the services component; OI = the other operating income, which is the annual average over the last three financial years of the bank’s income from ordinary banking operations not included in other items of the business indicator but of similar nature; OE = the other operating expenses, which is the annual average over the last three financial years of the bank’s expenses and losses from ordinary banking operations not included in other items of the business indicator but of similar nature, and from operational risk events; FI = the fee and commission income component, which is the annual average over the last three financial years of the bank’s income received from providing advice and services, including income received by the bank as an outsourcer of financial services; FE = the fee and commission expenses component, which is the annual average over the last three financial years of the bank’s expenses paid for receiving advice and services, including outsourcing fees paid by the bank for the supply of financial services, but excluding outsourcing fees paid for the supply of non-financial services. 11. For the purposes of paragraph 8, the financial component shall be calculated in accordance with the following formula: FC = TC + BC where: FC = the financial component; TC = the trading book component, which is the annual average of the absolute values over the last three financial years of the net profit or loss, as applicable, on the bank’s trading

7 book, determined as appropriate either in accordance with accounting standards or in accordance with Chapter II of the Regulation on the treatment of market risk according the standardised approach, approved by Decision No 114/2018 of the Executive Board of the National Bank of Moldova, including from trading assets and trading liabilities, from hedge accounting and from exchange differences; BC = the banking book component, which is the annual average of the absolute values over the last three financial years of the net profit or loss, as applicable, on the bank’s non￾trading book, including from financial assets and liabilities measured at fair value through profit and loss, from hedge accounting, from exchange differences and from realised gains and losses on financial assets and liabilities not measured at fair value through profit and loss. 12. Banks shall not use any of the following elements in the calculation of their business indicator: 12.1. income and expenses from insurance or reinsurance business; 12.2. premiums paid and payments received from insurance or reinsurance policies purchased; 12.3. administrative expenses, including staff expenses, outsourcing fees paid for the supply of non-financial services, and other administrative expenses; 12.4. recovery of administrative expenses including recovery of payments on behalf of customers; 12.5. expenses of premises and fixed assets, except where those expenses result from operational risk events; 12.6. amortisation of tangible assets and amortisation of intangible assets, except the depreciation related to operating lease assets, which shall be included in financial and operating lease expenses; 12.7. provisions and reversal of provisions, except where those provisions relate to operational risk events; 12.8. expenses due to share capital repayable on demand; 12.9. impairment and reversal of impairment; 12.10. changes in goodwill recognised in profit or loss; 12.11. corporate income tax. 13. Where a bank has been in operation for less than three years, it shall use forward-looking business estimates in calculating the relevant components of its business indicator, subject to the satisfaction of the National Bank of Moldova (hereinafter – NBM) in the supervisory process. The bank shall start using historical data as soon as that data are available. Section 3. Adjustments to the business indicator 14. Banks shall include business indicator items of merged or acquired entities or activities in their business indicator calculation from the time of the merger or acquisition, as applicable, and shall cover the last three financial years.

8 15. Banks may request permission from the NBM to exclude from the business indicator amounts related to disposed entities or activities. CHAPTER III DATA COLLECTION AND GOVERNANCE Sections 1. Calculation of the annual operational risk loss 16. Banks with a business indicator equal to or exceeding MDL 750 million shall calculate their annual operational risk loss as the sum of all net losses over a given financial year, calculated in accordance with paragraph 28, that are equal to or exceed the loss data thresholds set out in paragraph 36 or 37. 17. By way of derogation from paragraph 16, the NBM may grant a waiver from the requirement to calculate an annual operational risk loss to banks with a business indicator that does not exceed MDL 1 billion, provided that the bank has demonstrated to the satisfaction of the NBM that it would be unduly burdensome for the bank to apply the paragraph 16. 18. For the purposes of paragraph 16, the relevant business indicator shall be the highest value of the business indicator that the bank has reported at the last eight reporting reference dates. A bank that has not yet reported its business indicator shall use its most recent business indicator. Section 2. Loss data set 19. Banks that calculate an annual operational risk loss in accordance with paragraph 16 shall have in place arrangements, processes and mechanisms to establish and maintain updated on an ongoing basis a loss data set compiling for each recorded operational risk event the gross loss amounts, non-insurance recoveries, insurance recoveries, reference dates and grouped losses, including those from misconduct events. 20. The bank’s loss data set shall capture all operational risk events stemming from all entities that are part of the scope of consolidation according to the Regulation on consolidated supervision of banks, approved by Decision No 101/2020 of the Executive Board of the National Bank of Moldova. 21. For the purpose of paragraph 19, banks shall: 21.1. include in the loss data set each operational risk event recorded during one or multiple financial years; 21.2. use the date of accounting for including losses related to operational risk events in the loss data set; 21.3. allocate losses and recoveries related to a common operational risk event or related operational risk events over time and posted to the accounts over several years, to the corresponding financial years of the loss data set, in line with their accounting treatment. 22. Banks shall also collect: 22.1. information about the reference dates of operational risk events, including: 22.1.1. the date when the operational risk event happened or first began (“date of occurrence”), where available;

9 22.1.2. the date on which the bank became aware of the operational risk event (“date of discovery”); 22.1.3. the date or dates on which an operational risk event results in a loss, or the reserve or provision against a loss, recognised in the bank’s profit and loss accounts (“date of accounting”); 22.2. information on any recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss events. 23. The level of detail of any descriptive information shall be commensurate with the size of the gross loss amount. 24. A bank shall not include in the loss data set operational risk events related to credit risk that are accounted for in the risk-weighted exposure amount for credit risk. Operational risk events that relate to credit risk but are not accounted for in the risk-weighted exposure amount for credit risk shall be included in the loss data set. 25. Operational risk events related to market risk shall be treated as operational risk and shall be included in the loss data set. 26. A bank shall, upon request from the NBM, be able to map its historical internal loss data to the event type. 27. For the purposes of this Section, banks shall ensure the soundness, robustness and performance of their IT systems and infrastructure necessary to maintain and update the loss data set, in particular by ensuring all of the following: 27.1. their IT systems and infrastructure are sound and resilient and that that soundness and resilience can be maintained on a continuous basis; 27.2. their IT systems and infrastructure are subject to configuration management, change management and release management processes; 27.3. where a bank outsources parts of the maintenance of its IT systems and infrastructure, the soundness, robustness and performance of the IT systems and infrastructure is ensured by confirming at least the following: 27.3.1. its IT systems and infrastructure are sound and resilient and that soundness and resilience can be maintained on a continuous basis; 27.3.2. the process for planning, creating, testing and deploying the IT systems and infrastructure is sound and proper with reference to project management, risk management, governance, engineering, quality assurance and test planning, systems’ modelling and development, quality assurance in all activities, including code reviews and, where appropriate, code verification, and testing, including user acceptance; 27.3.3. its IT systems and infrastructure are subject to configuration management, change management and release management processes; 27.3.4. the process for planning, creating, testing and deploying the IT systems and infrastructure and contingency plans is approved by the bank’s board or the bank’s executive body and the both the bank’s board and executive body are periodically informed about the IT systems and infrastructure performance. Section 3. Calculation of net loss and gross loss

10 28. For the purposes of paragraph 16, banks shall calculate for each operational risk event a net loss as follows: net loss = gross loss – recovery where: gross loss = a loss linked to an operational risk event before recoveries of any type; recovery = one or multiple independent occurrences, related to the original operational risk event, separated in time, in which funds or inflows of economic benefits are received from a third party. 29. Banks shall maintain on an ongoing basis an updated calculation of the net loss for each specific operational risk event. To that end, banks shall update the net loss calculation based on the observed or estimated variations of the gross loss and the recovery for each of the last 10 financial years. Where losses, linked to the same operational risk event, are observed during multiple financial years within that 10-year time window, the institution shall calculate and maintain updated: 29.1. the net loss, gross loss and recovery for each of the financial years of the 10-year time window where that net loss, gross loss and recovery were recorded; 29.2. the aggregated net loss, aggregated gross loss and aggregated recovery of all relevant financial years of the 10-year time window. 30. For the purposes of paragraph 28, the following items shall be included in the gross loss computation: 30.1. direct charges, such as impairments, settlements, amounts paid to make good the damage, penalties and interest in arrears and legal fees, to the institution’s profit and loss accounts and write-downs due to the operational risk event, including: 30.1.1. where the operational risk event relates to market risk, the costs to unwind market positions in the recorded loss amount of the operational risk items; 30.1.2. where payments relate to failures or inadequate processes of the bank, penalties, interest charges, late-payment charges, legal fees and, with the exclusion of the tax amount originally due, tax, unless that amount is already included under sub-paragraph 30.5; 30.2. costs incurred as a consequence of the operational risk event, including external expenses with a direct link to the operational risk event and costs of repair or replacement, incurred to restore the position that was prevailing before the operational risk event occurred; 30.3. provisions or reserves accounted for in the profit and loss accounts against the potential operational loss impact, including those from misconduct events; 30.4. losses stemming from operational risk events with a definitive financial impact which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss accounts (“pending losses”); 30.5. negative economic impacts booked in a financial year and which are due to operational risk events impacting the cash flows or financial statements of previous financial years (“timing losses”).

11 31. For the purposes of the sub-paragraph, 30.4, material pending losses shall be included in the loss data set within a time period commensurate with the size and age of the pending item. 32. For the purposes of the sub-paragraph 30.5, the bank shall include in the loss data set material timing losses where those losses are due to operational risk events that span more than one financial year. Banks shall include in the recorded loss amount of the operational risk item of a financial year losses that are due to the correction of booking errors that occurred in any previous financial year, even where those losses do not directly affect third parties. Where there are material timing losses and the operational risk event affects directly third parties, including customers, providers and employees of the bank, the bank shall also include the official restatement of previously issued financial reports. 33. For the purposes of paragraph 28, the following items shall be excluded from the gross loss computation: 33.1. costs of general maintenance of contracts on property, plant or equipment; 33.2. internal or external expenditure to enhance the business after the operational risk losses, including upgrades, improvements, risk assessment initiatives and enhancements; 33.3. insurance premiums. 34. For the purposes of paragraph 28, recoveries shall be used to reduce gross losses only where the bank has received payment. Receivables shall not be considered as recoveries. 35. Upon request from the NBM, the bank shall provide all documentation needed to verify the payments received and factored in the calculation of the net loss of an operational risk event. Section 4. Loss data thresholds 36. To calculate the annual operational risk loss referred to in paragraph 16, banks shall take into account from the loss data set operational risk events with a net loss, calculated in accordance with Section 3, that are equal to or exceed MDL 20 000. 37. Without prejudice to paragraph 36 banks shall also calculate the annual operational risk loss referred to in paragraph 16, taking into account from the loss data set operational risk events with a net loss, calculated in accordance with Section 3, that are equal to or exceed MDL 100 000. 38. In the case of an operational risk event that leads to losses during more than one financial year, as referred to in paragraph 29, the net loss to be taken into account for the thresholds referred to in paragraphs 36 and 37 shall be the aggregated net loss. 39. For the purpose of collecting and analysing general data on internal losses, banks shall apply internal thresholds for losses arising from operational risk events, depending on the complexity and risk profile of the bank, for the purpose of prudent operational risk management.” Section 5. Exclusion of losses 40. A bank may request the NBM’s prior approval to exclude from the calculation of its annual operational risk loss exceptional operational risk events that are no longer relevant to the bank’s risk profile, where all of the following conditions are met: 40.1. the bank can demonstrate to the satisfaction of the NBM that the cause of the operational risk event at the origin of those operational risk losses will not occur again;

12 40.2. the aggregated net loss of the corresponding operational risk event is either of the following: 40.2.1. equal to or exceed 10 % of the bank’s average annual operational risk loss, calculated over the last 10 financial years and based on the threshold referred to in paragraph 36, where the operational risk loss event refers to activities that are still part of the business indicator; 40.2.2. related to an operational risk event that refers to activities divested from the business indicator in accordance with paragraph 15; 40.3. the operational risk loss was in the loss database for a minimum period of one year, unless the operational risk loss is related to activities divested from the business indicator in accordance with paragraph 15. 41. For the purposes of the sub-paragraph, 40.3, the minimum period of one year shall start from the date on which the operational risk event, included in the loss data set, first became greater than the materiality threshold provided for in paragraph 36. 42. A bank requesting the permission referred to in paragraph 40 shall provide the NBM with documented justifications for the exclusion of an exceptional operational risk event, including: 42.1. a description of the operational risk event; 42.2. proof that the loss from the operational risk event is above the materiality threshold for loss exclusion referred to in sub-paragraph 40.2.1, including the date on which that operational risk event became greater than the materiality threshold; 42.3. the date on which the operational risk event concerned would be excluded, considering the minimum retention period set out in sub-paragraph 40.3; 42.4. the reason why the operational risk event is no longer deemed relevant to the bank’s risk profile; 42.5. a demonstration that there are no similar or residual legal exposures and that the operational risk event to be excluded has no relevance to other activities or products; 42.6. reports of the bank’s independent review or validation, confirming that the operational risk event is no longer relevant and that there are no similar or residual legal exposures; 42.7. proof that competent bodies of the bank, through the bank’s approval processes, have approved the request for exclusion of the operational risk event and the date of such approval; 42.8. the impact of the exclusion of the operational risk event on the annual operational risk loss. Section 6. Inclusion of losses from merged or acquired entities or activities 43. Losses stemming from merged or acquired entities or activities shall be included in the loss data set as soon as the business indicator items related to those entities or activities are included in the bank’s business indicator calculation in accordance with paragraph 14. To that end, banks shall include losses observed during a 10-year period prior to the acquisition or merger. Section 7. Comprehensiveness, accuracy and quality of the loss data 44. Banks shall have in place the organisation and processes to ensure the comprehensiveness, accuracy and quality of the loss data and to subject that data to independent review.

13 45. NBM shall periodically, and at least every five years, review the quality of the loss data of a bank that calculates an annual operational risk loss in accordance with paragraph 16. NBM shall carry out such review at least every three years for a bank with a business indicator that exceeds MDL 1 billion. Section 8. Operational risk management framework 46. Subject to the provisions of the Regulation on Banking Activity Management Framework, approved by Decision No 322/2018 of the Executive Board of the National Bank of Moldova, banks shall have: 46.1. a well-documented assessment and management system for operational risk which is closely integrated into day-to-day risk management processes, forms an integral part of the process of monitoring and controlling the bank’s operational risk profile, and for which clear responsibilities have been assigned; the assessment and management system for operational risk shall identify the bank’s exposures to operational risk and track relevant operational risk data, including material loss data; 46.2. an operational risk management function that is independent from the bank’s business and operational units; 46.3. a system of reporting to senior management that provides operational risk reports to relevant functions within the bank; 46.4. a system of regular monitoring and reporting of operational risk exposures and loss experience, and procedures for taking appropriate corrective actions; 46.5. routines for ensuring compliance, and policies for the treatment of non-compliance; 46.6. regular reviews of the bank’s operational risk assessment and management processes and systems, carried out by internal or external auditors that possess the necessary knowledge; 46.7. internal validation processes that operate in a sound and effective manner; 46.8. transparent and accessible data flows and processes associated with the bank’s operational risk assessment system. Section 9. Loss event type classification 47. The loss events types referred to in paragraph 26 are the following: Table Event-Type Category Definition Internal fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or bank policy, excluding diversity/discrimination events, which involves at least one internal party External fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party

14 Employment Practices and Workplace Safety Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events Clients, Products & Business Practices Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product Damage to Physical Assets Losses arising from loss or damage to physical assets from natural disaster or other events Business disruption and system failures Losses arising from disruption of business or system failures Execution, Delivery & Process Management Losses from failed transaction processing or process management, from relations with trade counterparties and vendors CHAPTER IV PROCEDURE FOR THE ISSUANCE BY THE NATIONAL BANK OF MOLDOVA OF PRELIMINARY APPROVALS RELATED TO THE OWN FUNDS REQUIREMENT FOR OPERATIONAL RISK 48. This chapter applies to prior approvals issued by the NBM in accordance with paragraphs 15 and 40. For the issuance of prior approval, the bank shall submit to the NBM an application accompanied by documents and information confirming the bank's compliance with the conditions set out in the respective paragraphs. 49. Applications for the issuance of prior approvals issued by the NBM in accordance with paragraphs 15 and 40, as well as documents and information confirming the bank's compliance with the conditions set out in those paragraphs, shall be submitted to the NBM in Romanian and signed by the person authorised by the bank. 50. If the documents and/or information submitted by the bank do not comply with paragraphs 48 and 49, the NBM shall notify the bank in written form within 5 business days from the date of submission of the request. The bank shall, within 10 working days from the date of receipt of the NBM letter, complete and submit to the NBM the missing documents and/or information. 51. If the bank fails to complete the set of documents and information within the time limit specified in paragraph 50, the NBM shall inform the bank of the termination of the administrative procedure within 3 working days of the expiry of the time limit granted. 52. Within 60 business days of receiving the complete set of documents and information in accordance with this chapter, the NBM shall issue the appropriate prior approval or reject the application, informing the bank in written form of its decision. If further examination is required or more time is needed to process the information and documents, the deadline may be extended by a maximum of 30 working days, with notification to the bank.

15 53. If the documents and information submitted in accordance with this chapter are insufficient to make a decision on the request for prior approval in the context of paragraph 48, the NBM shall be entitled to request the submission of additional documents and information. 54. The bank is required to submit the additional information and documents within the timeframe specified by the NBM, during which the timeframe specified in paragraph 52 is suspended. 55. If the application for prior approval is rejected, the grounds for rejection shall be indicated. The following shall be considered grounds for rejecting an application for prior approval by the NBM: 55.1. failure to meet the conditions set for obtaining the relevant prior approval, as applicable, and/or 55.2. submission of erroneous, inauthentic, and/or contradictory information to the NBM; 55.3. failure to submit documents and information confirming that the bank meets the conditions set for obtaining the respective prior approval. 56. The bank is entitled to apply the provisions set out in the prior approvals from the date of issue of the prior approval.