Recommendation A on the Management by Banks of Risks Related to Derivative Instruments Activities

Financial Supervision Authority Recommendation A regarding the management by banks of risks related to activities on derivative instruments Warsaw, October 2022

Recommendation A Page 2 of 32 INTRODUCTION I. This Recommendation (hereinafter: "Recommendation A", "Recommendation") constitutes a set of rules concerning good practices in the management by banks of risks related to activities on derivative instruments.

The basis for issuing this Recommendation is Article 137(1)(5) of the Act of 29 August 1997 – Banking Law (Journal of Laws of 2021, item 2439, as amended; hereinafter: "Banking Law Act") and Article 11(1) of the Act of 21 July 2006 on the Supervision of the Financial Market (Journal of Laws of 2022, item 660, as amended; hereinafter: "Supervision Act") in relation to banks, but it also applies to:

• branches of foreign banks1, based on Article 137(1)(5) of the Banking Law Act in conjunction with Article 41 of that Act and Article 11(1) of the Supervision Act;
• foreign credit institutions2 operating on the territory of the Republic of Poland (hereinafter: "RP") through a branch (hereinafter: "branches of credit institutions"), based on Article 137(1)(5) of the Banking Law Act in conjunction with Article 48k(2) of that Act and Article 141a(8) of the Banking Law Act and Article 11(1) of the Supervision Act, provided that their activity involves activities covered by the scope of the Recommendation. Detailed expectations of the Financial Supervision Authority (hereinafter also: "KNF") regarding the application of Recommendation A by branches of credit institutions and branches of foreign banks operating on the territory of the RP have been specified in Part III.

Whenever the term "bank" is used in Recommendation A, it shall also mean, as appropriate, the branch of a credit institution and the branch of a foreign bank operating on the territory of the RP, to the extent that the provisions of the Banking Law Act and provisions of other laws regulating the activity of banks in Poland apply to them.

Recommendation A concerns derivative instrument transactions concluded by banks with all categories of clients, with the note that the definition of client has changed compared to the previously applicable Recommendation A.

1 Branch of a foreign bank - within the meaning of Article 4(1)(20) of the Banking Law Act. A branch of a foreign bank must be duly authorized to conduct activities on derivative instruments, i.e., possess a relevant license for conducting brokerage activity based on Article 115 of the Act on Trading in Financial Instruments of 29 July 2005 (Journal of Laws of 2022, item 1500, as amended). 2 Foreign credit institution - a credit institution within the meaning of Article 4(1)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ EU L 176 of 27.06.2013, p. 1, as amended), conducting brokerage activity on the basis of a permit from the competent supervisory authority on the territory of another Member State.

Recommendation A Page 3 of 32 The Recommendation concerns all types of derivative instruments, including those admitted to organized trading within the meaning of the Act of 29 July 2005 on Trading in Financial Instruments (Journal of Laws of 2022, item 1500, as amended; hereinafter "Trading Act"), as well as derivative instruments outside such trading.

The basic requirements regulating the trading of derivative instruments result in particular from:

• the Banking Law Act and the Regulation of the Minister of Finance, Public Funds and Regional Policy of 8 June 2021 on the risk management system and internal control system as well as remuneration policy in banks (Journal of Official Items item 1045; hereinafter: "Regulation on the risk management system"), which implement Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ EU L 176 of 27.06.2013, p. 338, as amended);
• the Trading Act, which implements Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ EU L 173 of 12.06.2014, p. 349, as amended; hereinafter: "MiFID II Directive");
• the Regulation of the Minister of Finance of 30 May 2018 on the procedure and conditions for the conduct of business by investment firms, banks referred to in Article 70(2) of the Trading Act, and trust banks (Journal of Laws of 2020, item 1922, as amended; hereinafter: "Regulation on the procedure and conditions for conduct of business");
• Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ EU L 201 of 27.07.2012, p. 1, as amended; hereinafter: "EMIR Regulation"), supplemented by delegated regulations and implementing regulations of the European Commission establishing regulatory technical standards in relation to the EMIR Regulation and by Q&A of the European Securities and Markets Authority (hereinafter: "ESMA") of 31 March 2021 ESMA70-1861941480-52 "Implementation of the Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories (EMIR)", relating to the manner, scope and form of implementation of the EMIR Regulation;
• Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ EU L 176 of 27.06.2013, p. 1, as amended; hereinafter: "CRR Regulation");
• Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ EU L 173 of 12.06.2014, p. 84, as amended);
• Regulation (EU) No 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for retail packaged retail and insurance-based investment products (OJ EU L 352 of 09.12.2014, p. 1, as amended; hereinafter: "PRIIP Regulation");
• Delegated Regulation (EU) No 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards on organisational requirements and conditions of operation of investment firms and defined terms for the purposes of that Directive (OJ EU L 87 of 31.03.2017, p. 1, as amended; hereinafter: "Delegated Regulation 2017/565");
• Delegated Regulation (EU) No 2017/653 of 8 March 2017 supplementing Regulation (EU) No 1286/2014 of the European Parliament and of the Council on key information documents for retail packaged retail and insurance-based investment products (PRIIP) by establishing regulatory technical standards on the presentation, content, review and amendment of key information documents and conditions for fulfilling the requirement to provide such documents (OJ EU L 100 of 12.04.2017, p. 1, as amended; hereinafter: "Delegated Regulation 2017/653");
• EBA Guidelines of 19 July 2018 on stress tests conducted by institutions (EBA/GL/2018/04);
• Recommendation of the European Systemic Risk Board of 25 May 2020 on liquidity risk arising from margin calls (ESRB/2020/6).

Detailed supervisory expectations relevant to the management by banks of risks related to activities on derivative instruments are also contained in other recommendations of the Financial Supervision Authority, in particular in Recommendations: C, D, G, H, I, M, P, R, W and Z. Recommendation A should be applied in accordance with these recommendations to the extent resulting from their subject matter. Banks conducting activities on derivative instruments should comply with decisions3 and take into account the positions and guidelines of supervisory authorities towards supervised entities in this regard.

Recommendation A is not intended to duplicate existing legal provisions, in particular those resulting from the legal acts indicated above (along with implementing acts), but presents supervisory expectations in selected areas.

II. Client protection issues in the trading of derivative instruments have been fully regulated by two key regulatory packages, which apply here.

1. The first regulatory package covers comprehensive rules for concluding transactions, providing services and conducting investment activity in accordance with the MiFID II Directive, implemented in the Trading Act and implementing acts issued on its basis, in particular regarding the proper authorization of banks to conclude such transactions.

In the scope of concluding transactions on financial instruments, including derivative instruments, attention should be drawn to the following regulatory standard. According to Recital 103 of Delegated Regulation 2017/565, the conclusion by an investment firm4 of transactions on its own account with clients should be considered as the execution of client orders, and thus as operations covered by the requirements of the MiFID II Directive and the aforementioned Regulation, especially requirements concerning the obligation to ensure best execution of orders. Moreover, pursuant to Article 73(2) of the Trading Act: "execution of orders to buy or sell financial instruments may also consist in the conclusion by an investment firm on its own account of purchase or sale agreements of financial instruments with the client (...)"5.

3 As an example of a supervisory authority decision, one can indicate the KNF decision of 25 June 2019 on the prohibition of introducing binary options to trading, distribution or sale to retail clients (Journal of Official Items of KNF item 18) and the KNF decision of 1 August 2019 on establishing restrictions on introducing to trading, distribution and sale to retail clients of contracts for difference (CFD) (Journal of Official Items of KNF item 27, ref. DAS.456.2.2019). 4 Pursuant to Article 1(2) of Delegated Regulation 2017/565, references to investment firms include credit institutions (...). 5 In light of Article 70(4) of the Trading Act, in the scope of performing activities referred to in Article 69(2)(1)-(7) of the Trading Act, provisions of Article 73(2) of the Trading Act apply mutatis mutandis to the bank referred to in Article 70(2) of the Trading Act.

Recommendation A Page 6 of 32 Banks conducting activities whose subject matter is derivative instruments are obliged to comply with the requirements resulting from the so-called MiFID system6, which have been introduced in particular into the following legal acts: a) the Trading Act; b) the Regulation on the procedure and conditions for conduct of business; c) the Regulation of the Minister of Finance of 29 May 2018 on detailed technical and organizational conditions for investment firms, banks referred to in Article 70(2) of the Trading Act on Trading in Financial Instruments and trust banks (Journal of Laws item 1111); d) the Regulation of the Minister of Development and Finance of 22 February 2019 on the scope, procedure and form and deadlines for providing information by investment firms, banks referred to in Article 70(2) of the Trading Act on Trading in Financial Instruments and trust banks (Journal of Laws item 531, as amended).

The above catalog of regulations is supplemented in particular by directly applicable legal acts issued on the basis of the MiFID II Directive7, as well as ESMA Guidelines, ESMA Q&A regarding client relations8 and positions and guidelines issued by KNF and UKNF.

Banks, in the area of client relations, should in particular fulfill obligations regarding: a) product management, including defining the target group and negative target group; b) cross-selling; c) information obligations towards the client, in particular regarding the information standard, information on client categorization, information on the bank, including the bank conducting brokerage activity and services provided by it, information on financial instruments, information on costs and associated fees, information on collateral for financial instruments or client funds; d) assessment of the client's investment profile within the suitability test (appropriateness test concerns investment services consisting in portfolio management and investment advice defined respectively in Article 69(2)(4) and (5) of the Trading Act; Recommendation A essentially concerns services referred to in Article 69(2)(2) and (3) of the Trading Act); e) reporting requirements within the execution of client orders;

6 The MiFID system in this context includes both the MiFID II Directive and Delegated Regulation 2017/565. 7 https://ecropa.eu/info/law/markets-financial-instruments-mifid-ii-directive-2014-65-eu/amending-and-supplementary-acts/implementing-and-delegated-acts_en 8 https://www.esma.europa.eu

Recommendation A Page 7 of 32 f) execution of orders in the best interest of the client; g) methods and principles for determining margins; h) order execution policy; i) recording of conversations and registration and archiving of correspondence with clients; j) knowledge and competencies of employees providing clients with information on services and financial instruments; k) management of conflicts of interest.

2. The second regulatory package covers a catalog of regulatory obligations imposed on financial market entities towards retail clients, specified in the PRIIP Regulation.

Regardless of the MiFID system, in the area of client relations, banks should fulfill obligations resulting from the PRIIP Regulation. Derivative instruments meet the definition criteria of a retail packaged retail and insurance-based investment product (hereinafter: "PRIP") pursuant to Article 4(1) of the PRIIP Regulation.

Regarding the PRIIP Regulation, banks should pay special attention to the fact that, unlike the MiFID system, obligations9 resulting from it relate only to relations with individual investors and include in particular: a) application of a uniform format and content of the key information document to be prepared by PRIP creators; b) providing individual investors with the key information document to enable them to understand and compare key features of PRIP and key risks associated with it.

The detailed standard regarding the content and presentation of the key information document is specified in Delegated Regulation 2017/653.

III. In order to increase the efficiency of the risk management process in the bank and earlier identification of potential threats, banks should take into account: a) the purpose for which they conclude transactions on derivative instruments:

• hedging the bank's own positions (in particular managing the asset and liability structure);
• arbitrage on the bank's own account;

9 Additionally, in the context of fulfilling this obligation, reference should be made to the UKNF Position of 16 August 2021 regarding the application of Article 8(3) and (5) of the PRIIP Regulation addressed to PRIP creators.

Recommendation A Page 8 of 32

• speculation on the bank's own account;
• execution of client orders; b) the specificity of the client; c) the type of derivative instruments.

Recommendation A relates to activities on derivative instruments and concerns the following areas: a) management board and supervisory board; b) identification and assessment (including measurement/estimation of risk), monitoring, controlling and reporting regarding risk; c) internal control system.

Recommendation A should be implemented taking into account the principle of proportionality, understood as adapting adopted solutions to the individual specificity and profile of the bank's activity and the scale of risk borne by the bank. This means that a bank conducting activities on derivative instruments should comply with the provisions of the Recommendation, and the scope of policy and procedures should be adequate to the scale and degree of complexity of this activity.

The Financial Supervision Authority expects that branches of credit institutions and branches of foreign banks operating on the territory of the RP will apply the provisions of Recommendation A to the extent that the provisions of the Banking Law Act and provisions of other laws regulating the activity of banks on the territory of the RP apply to them. Therefore, the Financial Supervision Authority expects that branches of foreign banks operating on the territory of the RP will apply the provisions of Recommendation A in full, while branches of credit institutions will apply the provisions of Recommendation A excluding recommendations 3-6 and 14.

The Financial Supervision Authority expects that Recommendation A, constituting an annex to Resolution No 402/2022 of the Financial Supervision Authority of 19 October 2022 (Journal of Official Items of KNF item 24), will be implemented by banks, and respectively by branches of credit institutions and branches of foreign banks operating on the territory of the RP, no later than by 31 December 2023.

Recommendation A Page 9 of 32 DEFINITIONS

1. Database - standardized internal and external data sets maintained by the bank and institutions referred to in Article 105(4) of the Banking Law Act;
2. Derivative instrument (derivative) - derivative instrument within the meaning of Article 3(28a) of the Trading Act;
3. Bank Management - the management board of the bank, directors of organizational units, acting independently or jointly, depending on the importance of the issue;
4. Client - retail client within the meaning of Article 3(39c) of the Trading Act, professional client within the meaning of Article 3(39b) of the Trading Act, including eligible counterparty within the meaning of Article 3(39d) of the Trading Act;
5. Credit Risk - the risk of non-performance of an obligation or deterioration of creditworthiness threatening the performance of the obligation;
6. Counterparty Credit Risk10 - the risk of non-performance of an obligation by the party to a derivative instrument transaction before the final settlement of cash flows related to that transaction;
7. Pre-settlement Risk11 - the risk of non-performance of an obligation by the party to a derivative instrument transaction, resulting in the loss of future receivables from the concluded transaction, occurring before the date of final settlement of cash flows related to that transaction;

10 Definition consistent with the definition of counterparty credit risk in Article 272(1) of the CRR Regulation. In Article 286(2)(b) of the CRR Regulation, within counterparty credit risk, pre-settlement risk and settlement risk are distinguished. 11 In the definitions "pre-settlement risk" and "settlement risk", English names respectively pre-settlement risk and settlement risk are given alongside Polish names, which should be understood in accordance with Article 286(2)(b) of the CRR Regulation. In banking practice, the use of the terms "pre-settlement risk" and "settlement risk" for the risks referred to in Article 286(2)(b) has become established. This is visible, for example, in reports and disclosures. Both terms also function in Recommendation A from 2010. In the current legislation in Poland, e.g., in the Trading Act, the concepts "settlement" (Article 45b(1)) and "clearing/settlement" (Article 45b(2)) appear to designate two different activities. However, we draw attention that after Poland's accession to the EU, the need arose to translate EU legislation from English to Polish. In Polish language versions of EU legislation concerning derivative instruments, in particular the EMIR Regulation, MiFID II Directive and CRR Regulation, the English "settlement" is translated once as "rozrachunek" and another time as "rozliczenie".

Recommendation A Page 10 of 32 8. Settlement Risk11 - the risk of non-performance of an obligation by the party to a derivative instrument transaction on the date of final settlement of cash flows related to that transaction; 9. Derivative transaction collateral (collateral) - monetary funds or other assets from which the bank can satisfy its claims in the event of the materialization of counterparty credit risk;

Recommendation A Page 11 of 32 TABLE OF RECOMMENDATIONS Management Board and Supervisory Board Recommendation 1 The Management Board of the bank is responsible for developing and approving, in written or electronic form, and subsequently introducing a policy on the management of risks related to activities on derivative instruments and procedures regarding the management of risks related to this activity.

Recommendation 2 The Management Board of the bank should appoint persons responsible for implementing and carrying out the policy on the management of risks related to activities on derivative instruments. The Management Board of the bank should ensure adequate resources (including technical, human) necessary for concluding contracts whose subject matter is derivative instruments, as well as for proper identification, measurement/estimation, monitoring, controlling and reporting of risk resulting from activities on derivative instruments.

Recommendation 3 The Management Board of the bank should ensure that the organizational structure of the bank corresponds to the scale of activities on derivative instruments and the profile of risk taken related to this activity.

Recommendation 4 The bank's policy on the management of risks related to activities on derivative instruments should include, among other things, issues related to the commencement of new or expansion of existing activities on derivative instruments.

Recommendation 5 The Management Board of the bank should implement, monitor and control a coherent risk management system, taking into account risks associated with activities on derivative instruments, adequate to the scope, size and complexity of this activity, and also appropriate to the risk taken.

Recommendation A Page 12 of 32 Recommendation 6 The Supervisory Board should supervise the implementation of the risk management policy related to activities on derivative instruments, including in the context of the bank's strategy, based on periodically received reports. The Management Board of the bank should inform the Supervisory Board about the results of the assessment of the adopted policy along with recommendations for introducing any necessary changes to it.

Identification and assessment (including measurement/estimation of risk), monitoring, controlling and reporting regarding risk Recommendation 7 The bank should use appropriate internal systems, databases and analytical tools supporting the management of risks related to activities on derivative instruments. The functionality of these internal systems, databases and analytical tools should support the bank in fulfilling regulatory requirements and applying internal metho