Agreement No. 012-2019: Regulations on Securities Investments

Republic of Panama Superintendency of Banks AGREEMENT No. 012-2019 (October 15, 2019) “By which provisions are issued regarding investments in securities”

THE BOARD OF DIRECTORS

In exercise of its legal powers, and

CONSIDERING:

That following the issuance of Decree-Law No. 2 of February 22, 2008, the Executive Branch prepared a systematic ordering in the form of a single text of Decree-Law No. 9 of February 26, 1998, and all its modifications, which was approved through Executive Decree No. 52 of April 30, 2008, hereinafter referred to as the Banking Law;

That in accordance with the provisions of paragraphs 1 and 2 of Article 5 of the Banking Law, it is the objective of the Superintendency of Banks to ensure the maintenance of the solidity and efficiency of the banking system; as well as to strengthen and foster the favorable conditions for the development of the Republic of Panama as an international financial center;

That in accordance with paragraphs 3 and 5 of Article 11 of the Banking Law, it is a technical attribute of the Board of Directors to approve the general criteria for the classification of risk assets and the guidelines for the establishment of reserves for risk coverage, and to fix, within the administrative scope, the interpretation and scope of legal or regulatory provisions in banking matters;

That in accordance with paragraph 10 of Article 11 of the Banking Law, it is an attribute of the Board of Directors to issue technical norms necessary for the compliance of the Law;

That in accordance with paragraph 3 of Article 91 of the Banking Law, banks must send to the Superintendency, within the timeframe and manner prescribed by this Superintendency, any information with the frequency determined by this Superintendency;

That by Agreement No. 7-2000 of July 19, 2000, the norms regulating the classification and registration of securities investments by banks were established;

That Agreement No. 6-2012 of December 18, 2012, modified by Agreement No. 9-2019 of September 24, 2019, establishes that the technical accounting standards used in the preparation of accounting records and the presentation of financial statements of regulated entities shall be exclusively the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board (IASB);

That prudential regulation regarding the coverage and determination of provisions for securities portfolios must be in full harmony with the International Financial Reporting Standards (IFRS), specifically IFRS 9, and the basic principles of effective supervision of the Basel Committee;

That in working sessions of this Board of Directors, the need and convenience of updating the regulatory framework for securities investments has been highlighted, in accordance with international regulatory standards.

Agreement No. 012-2019 Page 2 of 11

AGREES:

CHAPTER I SCOPE OF APPLICATION AND DEFINITIONS

ARTICLE 1. SCOPE AND APPLICABILITY. The provisions of this Agreement are applicable to:

1. Official banks.
2. General License banks.
3. International License banks.

In the case of banks that are branches of foreign banks, or international license banks for which the Superintendency of Banks is the home supervisor, compliance with Chapter II may be evidenced by an annual certification from their parent house or the responsible regional office. If the Superintendency determines that these banks do not have the referred structures, organization, and controls for compliance with the said chapter, it will require their faithful compliance.

Notwithstanding, the provisions provided in Chapters III, IV, and V of this Agreement will apply to all types of banks.

ARTICLE 2. DEFINITIONS AND TERMS. For the purpose of applying the provisions contained in this Agreement, the following shall be understood:

1. Obligor: Any natural or legal person who is related to the entity with a debt contract by which the entity holds an asset and the obligor holds a liability.
2. Senior Management: The highest executive authority (referred to as General Manager, Executive Vice President, Executive President, or any other denomination), as well as the second highest-ranking executive (referred to as Deputy General Manager, or any other denomination) and other managers and collaborators who perform key functions that must report directly to the aforementioned.
3. Comprehensive Risk Management: The process by which the bank identifies, measures, monitors, controls, mitigates, and reports to the operational areas within the bank the different types of risk to which it is exposed according to the size and complexity of its operations, products, and services.
4. Board of Directors: The superior body responsible for the direction and control of the bank, which ensures the achievement of the best interests of the entity without participating in any way in the direct management of the bank's business activities.
5. Counterparty Risk: The possibility that in a financial contract of which the bank is a party, any counterparty fails to fulfill its financial obligations in whole or in part, causing the bank to incur a loss.
6. Credit Rating System: Allows assigning to each obligor a rating, score, or any other symbol that defines the estimated degree of future fulfillment of the obligor's payment obligations. The rating system includes the models, algorithms, rules used, databases, forms, professionals, committees, and work methods used.
7. Security: Any bond, negotiable commercial paper, or other debt instrument, share (including treasury shares), recognized stock right in a custody account, participation share, participation certificate, securitization certificate, fiduciary certificate, deposit certificate, mortgage bond, option, and any other title, instrument, or right commonly recognized as a security or that the Securities Market Superintendency determines constitutes a security. This expression does not include the following instruments: a. Certificates or non-negotiable titles representing obligations, issued by banks to their clients as part of the usual banking services offered by said banks, such as non-negotiable deposit certificates. This exception does not include negotiable bank acceptances or negotiable commercial papers issued by banking institutions. b. Insurance policies, capitalization certificates, and similar obligations issued by insurance companies. c. Any other instruments, titles, or rights that the Securities Market Superintendency of Panama has determined do not constitute a security.

CHAPTER II MANAGEMENT OF SECURITIES INVESTMENTS AND RESPONSIBILITIES

ARTICLE 3. POLICIES AND PROCEDURES. Banks must design and implement manuals, policies, and procedures for the management of securities investments, which must include at least the following:

1. The functions and responsibilities of the board of directors, senior management, risk committee, risk management unit, and areas involved in the operation and registration of securities transactions.
2. Detailed description of the techniques and models used for the estimation of fair value and risk measurement of securities investments. These must be technically appropriate and validated in international banking practice.
3. Risk measurements and contingencies for scenarios resulting from retrospective stress analysis and worst-case scenarios.
4. Detailed description of the management process (identification, measurement, mitigation, monitoring, control, and reporting) of the risks borne by the entity in securities investments.
5. The process to be followed for the approval of proposals for new investments.
6. The manner and periodicity with which the board of directors, risk committee, and senior management must be informed, and regarding the results of the management of securities investments.
7. The internal organization of the risk management process.
8. The profiles and selection criteria for the different managers and executors of securities investments.
9. The remuneration criteria for the managers of securities investments.
10. The strategic guidelines that determine the composition of securities investments in their different portfolios.
11. Detailed description collected in manuals of the methodology, assumptions, and inputs used for the construction of rating systems and the estimation of expected loss.

ARTICLE 4. RESPONSIBILITIES OF THE BOARD OF DIRECTORS. The board of directors is responsible for approving and periodically reviewing the strategy for taking positions and managing securities investments and the significant policies and processes for the identification, measurement, evaluation, monitoring, disclosure, and control or mitigation of the risks to which the entity is exposed by such investments. The board of directors must:

1. Approve and monitor the adequate implementation of objectives, strategies, policies, standards, procedures, and actions for the management of securities investment, which essentially implies identifying, measuring, analyzing, monitoring, controlling, reporting, and disclosing risks, whether quantifiable or not, in proportion to the nature, importance, and complexity of the securities investments made.
2. Approve the risk appetite for securities investments according to different types of instruments, credit rating, concentrations by issuer, concentrations by geographic location and economic sector, markets in which the titles are traded, term, duration, currency, maximum realized and unrealized losses, market risk exposures, and other characteristics of expected return and risk of investments.
3. Approve internal alerts and exposure limits consistent with the established risk appetite, globally and for each category of securities.
4. Establish the responsibility of the risk committee and the risk management unit.
5. Review at least once a year the objectives, strategies, policies, standards, procedures, and actions established and adapt them in the face of significant changes in the environment or within the entity.
6. Monitor the adequate implementation of an information system that allows identifying, collecting, and processing useful information for the management of investment risks and that serves as an aid to the decision-making of the board of directors and other areas and committees linked to the management of securities investments.
7. Approve general guidelines for the remuneration and compensation policy for professionals involved in the management of securities investments, which do not incentivize the taking of risks misaligned with the risk appetite established by the board of directors.
8. Foster compliance with laws and regulations related to securities investments.
9. Approve the hiring procedures for professionals responsible for the management of securities investment risks, the minimum requirements of technical capabilities, competence, knowledge, and professional expertise.
10. Approve the policies, procedures, and budget for permanent training and updating of the knowledge of professionals involved in the management of securities investment risks.
11. When topics contemplated in this Agreement are addressed or discussed in Board of Directors meetings, the corresponding minutes shall include a detail of the pertinent discussion.
12. Approve the annual report containing the main aspects and results of the management of securities investments.

ARTICLE 5. RESPONSIBILITIES OF SENIOR MANAGEMENT. Senior management is in charge of implementing risk management in accordance with what was approved by the board of directors, and its responsibilities include the following:

1. Ensure consistency between securities investment decisions and risk tolerance levels.
2. Establish review programs by the risk management unit and business units, regarding compliance with objectives, procedures, and controls in securities investments, as well as exposure limits and risk tolerance levels.
3. Ensure that the risk management unit has sufficient budget for the performance of its functions.
4. Ensure the existence of adequate systems for storage, processing, and handling of information.
5. Ensure that training and updating programs are established for the personnel of the risk management unit and all those involved in operations that imply risk of securities investments for the bank.
6. Establish procedures that ensure an appropriate flow, quality, and timeliness of information between business units and the comprehensive risk management unit, and for all those involved in securities investments.
7. Create and foster an organizational culture of securities investment risk management and establish adequate internal control practices, including standards of conduct, integrity, and ethics for all employees.

ARTICLE 6. RESPONSIBILITIES OF THE RISK COMMITTEE. The risk committee established in accordance with the comprehensive risk management agreement issued by this Superintendency is in charge of ensuring sound management of the bank's risks and will perform at least the following functions:

1. Evaluate and propose for approval by the board of directors, the manual, policies, procedures, and methodology for the management of securities investment risks.
2. Ensure that an adequate process for the administration of securities investment risks is maintained and keep the board of directors informed about its effectiveness.
3. Supervise that securities investment risks are effectively and consistently identified, measured, mitigated, monitored, and controlled. The compliance with this responsibility will be documented in the minutes of the risk committee sessions.
4. Follow up on risk exposures and compare said exposures against the tolerance limits approved by the board of directors.
5. Define the scenarios and time horizon for analyses on the behavior of securities investment risks.
6. Inform the board of directors about exposures against established limits and the main risks assumed, as well as the historical behavior of these risks. For this purpose, it will request the corresponding periodic reports from the risk management unit.
7. Inform the board of directors about changes in the entity's risk profile and the results of risk indicators for securities investments.
8. Review provision requirements.
9. Monitor and guide the work of the risk management unit in the implementation of risk management in securities investments.
10. Faithfully document in the minutes of the risk committee the matters discussed and the decisions taken regarding the management of securities investments.
11. Approve changes made to credit risk rating models and ensure that this reflects the current situation of the bank regarding its nature and complexity.
12. The other functions and requirements established by the board of directors.

ARTICLE 7. RESPONSIBILITIES OF THE RISK MANAGEMENT UNIT. In accordance with what is established in the Comprehensive Risk Management Agreement, the risk management unit has within its functions to manage risks in securities investments. In addition to the responsibilities established in the cited Agreement, it must:

1. Present to the board of directors through the risk committee the ideal structure for the management of securities investment risk, designating the managers or coordinators of the different functional units for the administration of said risks.
2. Design and implement the methods and tools for the measurement of securities investment risks, consistent with the degree of complexity and volume of financial instruments.
3. Ensure that responsible areas supply the necessary information that will be used in the methods and tools for the measurement of securities investment risks.
4. Ensure that any deficiency detected regarding the quality, timeliness, and integrity of the information used by the risk management unit is reported to the areas responsible for its preparation and control.
5. Permanently evaluate the models and tools for the measurement of securities investment risks, the results of which must be presented to the risk committee.
6. Follow up on the exposures of securities investment risks and compare said exposures against the limits approved by the board of directors. Furthermore, a permanent evaluation of the adequacy and performance of controls and limits over time must be carried out.
7. Make proposals regarding corrective actions that can be implemented as a result of a deviation from the established tolerance limits.
8. Collect and report on the historical evolution of the securities investment risks assumed by the entity with respect to the established tolerance limits.
9. Opine on the risks of securities investments in the case of new types of financial instruments, markets where to operate, or new hedging instruments, prior to their admission.
10. Investigate and document the causes that originate deviations from established limits and inform timely the risk committee, the manager or administrator, and the person responsible for internal audit functions.
11. The functions and requirements established by the risk committee.

ARTICLE 8. RESPONSIBILITIES OF THE INTERNAL AUDIT UNIT. The internal audit unit will evaluate the compliance with the procedures and policies used for the management of securities investment risks developed in accordance with what is provided in this Agreement. In addition, it will evaluate the effectiveness in controls according to the list of risks and at the request of the risk management unit, those where the behavior of events and incidents requires an evaluation of the control, ensuring to notify the risk committee in advance. For the compliance with this article, the internal audit unit must ensure to make the pertinent communications to the internal audit committee.

ARTICLE 9. OPERATIONAL REQUIREMENTS. For the adequate management of securities investments, the entity must satisfy the following operational requirements:

1. Have the adequate technical and technological infrastructures for the nature and complexity of the operations.
2. Have the capacity to aggregate risk exposures in homogeneous categories according to different relevant risk factors.
3. Have the capacity to comprehensively measure the risks of securities investments, aggregating risks for different instruments and portfolios and incorporating existing correlation relationships.
4. Have adequate information and analysis systems to evaluate the effect of different economic and financial scenarios on the returns and risks of securities investments.
5. Have the capacity to preemptively evaluate the effect of different types and models of hedging on the returns and risks of securities investments.
6. Have a credit rating system in line with what is proposed in this Agreement.
7. Have personnel with adequate training and experience consistent with the nature, complexity, and risks of securities investments.

CHAPTER III REGISTRATION, CLASSIFICATION, AND MEASUREMENT OF SECURITIES INVESTMENTS

ARTICLE 10. REGISTRATION, CLASSIFICATION, AND MEASUREMENT OF SECURITIES INVESTMENTS. Securities investments will be registered, classified, and measured in accordance with the current International Financial Reporting Standards (IFRS) and, in particular, based on the business models established and the nature of the contractual cash flows of each instrument.

In the case of securities that are equity instruments, the entity will classify assets according to the business model chosen for their management and the viability of measuring them at fair value.

In the event of instruments that do not have frequent quotes in a liquid market and are valued with models, as well as derivatives whose underlying assets do not have frequent quotes in a liquid market, the Superintendency during the supervision process will evaluate the classification, registration, and valuation of the same and, if necessary, will make the observations it deems convenient, in order for the banking entity to make the pertinent corrections.

The reclassification of securities investments must be justified before the Superintendency of Banks through the preparation of a report that explains and details the reasons that give rise to the change in the business model. The report must have the approval of the board of directors, which must be documented in minutes, a copy of which will be attached to the justification for reclassification.

The Superintendency of Banks may decide the reclassification of securities investments if it is appreciated that they do not meet the conditions established in this Agreement or other prudential regulations established by this Superintendency.

For prudential classification purposes for the estimation of capital requirements, securities not classified in the trading portfolio will be part of the banking book, as defined in the Agreement “By which capital requirements are established for financial instruments registered in the trading portfolio.”

ARTICLE 11. VALUATION OF SECURITIES INVESTMENTS. The valuation of securities investments, even in the case of those accounted for at amortized cost, is an essential component of the management process. The valuation of securities investments must be governed by the following criteria:

1. In valuation techniques and models, the use of market information must be prioritized and the use of discretionary parameters minimized.
2. In the case of market information, its relevance and generality must be taken into account, avoiding...