2025-11-11

Omni-Risk Return Industry Workshop Presentations

The Financial Sector Conduct Authority (FSCA) has introduced the Omni-Risk Return, a comprehensive data collection framework requiring financial institutions to report detailed information across group structure, geographical presence, governance practices, and customer segmentation. This mandatory return enables supervisors to simultaneously assess cross-border complexity, remuneration culture, non-compliance exposure, and AML/CFT risks by evaluating how specific data points influence institutional risk scoring. The framework operates alongside existing financial statements but demands granular, sector-specific disclosures to evaluate governance independence, customer vulnerability, and operational resilience ahead of its full implementation in 2026.


South Africa

Financial Sector Conduct Authority


OMNI-RISK RETURN INDUSTRY WORKSHOP NOVEMBER 2025

Agenda

  1. Opening remarks
  2. Presentation
  3. Q & A session
  4. Closing remarks

Opening Remarks

• Focus on the contents of the Return
• If you think a question will not work for your sector, advise why not. What could be a better question?
• Currently you are not getting information as requested? Why not? How could you obtain this?
• These webinars will not be the only engagements on the Return
• Further guidance/engagements will be customized to the different sectors
• Final decisions must still be made on certain aspects. Examples: Frequency of reporting; participation in Pilot; etc.
• Please read and watch all the information published on the Return

STRUCTURE OF THE OMNI-RISK RETURN

Overview of Sections to Be Covered in Today’s Session

Structure of the Omni-Risk Return

NOTE: Data points serve multiple supervisory purposes, often affecting several aspects of risk scoring simultaneously. Additionally, interpretation of data will not always be one-directional. Depending on the circumstances, a particular data point may either increase or decrease an institution’s risk.

SECTION 1 GROUP STRUCTURE, OWNERSHIP AND SHARED SERVICES

Section 1: Group Structure

1.1 Group Structure
Select the option that best describes the financial institution's group structure:
(a) An institution that does not form part of an organisational group *
(b) An institution forming part of a non-financial organisational group *
(c) An institution forming part of a financial organisational group *

If either (b) or (c) is selected, provide the following additional information:
(i) Primary jurisdiction of the parent entity of the organisational group *
(ii) Name of the parent entity of the organisational group *
(iii) List of all entities forming part of the organisational group *

PURPOSE: To determine whether the institution operates independently or within a group, providing insight into organisational complexity, ownership, and decision-making structures.

An 'organisational group' is a group of entities, irrespective of their institutional form, including companies, partnerships, trusts, associations, joint ventures, cooperatives, that are connected, directly or indirectly, through ownership or control, and includes a 'group of companies' as defined in section 1(1) of the Companies Act.

A "non-financial organisational group" refers to an organisational group in which none of the entities, other than the financial institution completing the return, provides, as a business or part of a business, a financial product, a financial service or a market infrastructure.

Section 1: Inter-Group transactions & Shared Services

1.2 Inter-group financial transactions and shared services
Select all applicable options that describe the FI's involvement in inter-group transactions or shared services:
(a) The financial institution engages in inter-group financial transactions
(b) The financial institution utilises shared services
(c) The financial institution does not engage in inter-group financial transactions or use shared services

If either (a) or (b) is selected, provide the following additional information:
(i) Nature of the inter-group financial transactions and/or shared services
(iii) Counterparty involved (e.g. name of the group entity providing or receiving services or funding)

PURPOSE: To assess reliance on intra-group financial flows and shared services, which may indicate dependencies, related-party exposures, or structural complexities. High reliance can create concentration risks, single points of failure, and reduced transparency.

"Inter-group financial transactions" refers to loans or investments made between entities within the same organisational group, including the allocation or transfer of funds or distribution of profits from one entity to another within the group.

“A centralised model in which specific support functions, such as finance, human resources, IT, legal, compliance and risk management, audit or procurement, are consolidated, managed and delivered by a single entity to other entities within an organisational group. The costs and resources associated with these shared services are distributed among the entities that utilise them.”

Section 1: Beneficial owner nationality

1.3 Indicate whether any beneficial owner of the financial institution is a national of any of the following categories of countries: *
(a) High Risk Country
(b) Medium Risk Country
(c) A foreign country not listed as a high or medium risk country

PURPOSE: To identify beneficial owners linked to FATF high-risk jurisdictions, indicating elevated AML/CFT risk. Nationality details further support AML/CFT assessments.

"High risk Country" means the Democratic People’s Republic of Korea, Iran, Myanmar, Central African Republic, Democratic Republic of Congo, Eritrea, Guinea-Bissau, Iraq, Lebanon, Libya, Mali, Somalia, South Sudan, Sudan, Yemen

"Medium risk Country" means Algeria, Angola, Bulgaria, Burkina Faso, Cameroon, Côte d’Ivoire, Croatia, Haiti, Kenya, Monaco, Mozambique, Namibia, Nigeria, Philippines, Syria, Tanzania, Venezuela, Vietnam, Yemen, United Arab Emirates

SECTION 2 GEOGRAPHICAL PRESENCE

Section 2: Geographical Presence

2.1 Jurisdictions
Provide the following information on the FI's geographical footprint, categorised into areas where the FI conducts financial services-related business and all other business activities.
Item | Financial Services-Related Business * | Other Business Activities (Non-Financial Services-Related) *
(a) Total number of countries where the financial institution has a legal or operational presence | 3 | 1

2.2 Physical locations
Provide the total number of business premises the FI operates, categorised into areas where the FI conducts financial services-related business and all other business activities.
Item | Financial Services-Related Business * | Other Business Activities (Non-Financial Services-Related) *
(a) In South Africa | 5 | 2
(b) In foreign countries | 8 | 4

2.3 Additional info on jurisdictions
List the countries in which the financial institution has a legal or operational presence *
Country | Financial Services-Related Business * | Other Business Activities (Non-Financial Services-Related) *
Bangladesh | Yes | No

PURPOSE: To determine the institution’s operational footprint across all countries, including South Africa. This helps assess cross-border complexity, geopolitical and regulatory risks, and the scale and reach of operations. A larger footprint may indicate higher operational risk, while reductions may signal financial or strategic changes.

"Business premises" refer to all the physical locations, whether temporary or permanent, used by a financial institution to conduct its operations, provide services, perform functions, or engage with customers or stakeholders. These premises can vary based on the nature and scope of the business and may include spaces owned, leased, or otherwise occupied by the entity. Examples of business premises include:
(a) Offices or headquarters where administrative or management functions are performed.
(b) Branches or outlets where customer-facing services are provided.
(c) Call centers or customer service hubs.
(d) Any other physical location used predominantly or primarily for operational, strategic, or service delivery purposes.

If the institution has a legal presence in South Africa, it must be included in the country count under 2.1 and also be listed in 2.3.

SECTION 3 GOVERNANCE

Section 3: Governance

PURPOSE: To assess the governing body’s level of independence, diversity, and expertise. Low independence may increase conflicts of interest or management dominance, while greater diversity and balanced skills enhance decision-making, governance, and risk management.

WHY ARE WE COLLECTING RACE DATA?
Race is an important aspect of diversity that strengthens governance and risk management. In future, this information will also assist the FSCA in monitoring institutions’ implementation of their Transformation Plans.

Institutions are required to provide the requested information based on their own assessment of the governing body’s skills. They should determine and record these skills based on objective evidence, such as:
• Qualifications (e.g., degrees, certifications, or professional memberships);
• Previous experience (e.g., roles held in finance, risk, compliance, operations, or strategy); and
• Demonstrated competencies relevant to the listed categories (e.g., financial literacy, regulatory understanding, governance expertise, or industry-specific insight).

Section 3: Governance

Performance and Incentive Framework
Provide the following information regarding all remuneration paid, including remuneration paid to the Governing Body members, by the FI during the reporting period:
(a) Total fixed remuneration paid *
(b) Total remuneration, other than fixed remuneration, categorised by whether it is linked to qualitative measures and the following:
Item | Directly linked to qualitative measures | Not linked to qualitative measures
(i) Variable remuneration *
(ii) Remuneration other than fixed or variable *
(c) Overall total remuneration, including fixed remuneration, variable remuneration and other remuneration, regardless of whether they are linked to qualitative measures. * 0

PURPOSE: To assess whether remuneration practices support fair customer outcomes or incentivise excessive risk-taking. The balance of fixed and variable remuneration, and whether incentives are tied to qualitative or quantitative measures, are important indicators of culture. A very low fixed-to-variable ratio may indicate over-reliance on performance-based remuneration especially if not linked to qualitative measures. For example, sales-volume-driven incentives increase conduct risk, whereas more balanced incentives that include links to strong ethical culture and positive customer outcomes reduce risk.

WHY CAN'T THE FSCA OBTAIN THIS INFORMATION FROM THE AFS?
The FSCA cannot rely solely on the information in the Annual Financial Statements (AFS) because AFS disclosures are typically aggregate, high-level, or group-based, and do not provide the level of detail or consistency.

"Variable remuneration" is the discretionary or performance-based component of a person's remuneration, which is contingent upon meeting specific targets, outcomes, or predefined criteria. It is designed to incentivise and reward individual, team, or organisational achievements, and includes short-term and long-term incentives such as bonuses, cash and non-cash incentives, share options and profit sharing.

"Fixed remuneration" refers to the guaranteed portion of a person's total remuneration that is not influenced by performance or other outcomes and that is pre-determined, e.g. base salary and benefits such as retirement contributions.

"Qualitative measures" are non-financial performance criteria used to determine remuneration and incentives, focusing on outcomes that prioritise the interests of customers and the long-term sustainability of the entity over purely financial performance or sales-driven objectives. These measures assess behaviors, actions, and results aligned with customer-centric goals, ethical practices, and regulatory compliance. Examples of qualitative measures include:
(a) Achievement of good customer outcomes, such as resolving complaints effectively or meeting customer needs.
(b) Compliance with regulatory and ethical standards.
(c) Delivery of high-quality service and support to customers.
(d) Adherence to organisational values, such as fairness, transparency, and accountability.
(e) Contributions to improving customer satisfaction or enhancing trust in the entity.
(f) Efforts to innovate or improve processes.
(g) Contributions toward effective risk management, such as identifying, mitigating, and managing risks that could harm customers or the entity.

Section 3: Governance

3.3 Risk Tolerance Levels
Provide the following information regarding non-compliance incidents recorded during the reporting period:
(a) The total number of non-compliance incidents *
(b) Of the total incidents recorded, the number of non-compliance incidents that exceeded the financial institution’s established risk tolerance level *

PURPOSE: To assess an institution’s exposure to non-compliance incidents and compare non-compliance incidents against board approved risk tolerance levels. A high ratio of incidents, especially those beyond tolerance thresholds, may signal governance weaknesses and future harm.

In the context of non-compliance incidents, "risk tolerance level" refers to the threshold established by a financial institution that specifies the acceptable level or frequency of non-compliance incidents it is willing to tolerate. For example, if a financial institution’s risk tolerance allows for up to five minor non-compliance incidents per quarter, but ten incidents are recorded, five of these would exceed the risk tolerance level.

A "non-compliance incident" refers to any act, omission, or event that results in a failure to adhere to applicable laws, regulations, rules, standards, policies, or contractual obligations. This may include breaches of regulatory requirements, internal policies (including rules, guidelines and procedures established to govern the financial institution's operations, ensure ethical conduct and manage risks), or industry codes of conduct, and can arise from intentional or unintentional actions.

Section 3: Governance

3.4 Remediation of non-compliance incidents
Provide the following information regarding the remedial actions taken during the reporting period in response to non-compliance incidents:
(a) The total number of compliance remediation actions taken in response to non-compliance incidents *
(b) The total number of compliance remediation actions completed within the targeted timeframe *

PURPOSE: To assess whether and how promptly non-compliance issues are remediated. Persistent delays in remediation and elevation of governance and regulatory risk concerns may signal poor conduct culture or inadequate compliance capacity.

Section 3: Governance

3.5 Insurance & Guarantee claims
Provide the following details regarding Professional Indemnity, Fidelity and Cyber insurance claims and guarantees, as well as fraud, theft or professional misconduct incidents that did not result in insurance or guarantee claims, during the reporting period.
Item | Number | Value
(a) Total number of Professional Indemnity (PI) insurance claims lodged *
(b) Total number of Fidelity insurance claims lodged *
(c) Total number of Cyber insurance claims lodged *
(d) Total number of guarantees invoked *
(e) Number of fraud, theft, or professional misconduct incidents that were identified but did not result in PI, Fidelity or Cyber insurance claims. *
(f) Total value of PI, Fidelity and Cyber insurance cover and Guarantees.

PURPOSE: To assess the institution’s exposure to professional liability, cyber liability and non-insurable risks, as well as the adequacy of risk transfer arrangements to absorb losses when risk incidents occur. Frequent or high number of professional misconduct or negligence claims may point to weak internal controls or poor ethical culture. Frequent or severe cyber-related claims or incidents may signal IT and other operational resilience vulnerabilities. Insufficient insurance cover or high volumes of non-insurable risk incidents may also indicate cultural or control vulnerabilities and heighten supervisory concerns.

DO ALL FINANCIAL INSTITUTIONS NEED TO HAVE INSURANCE?
No, not all financial institutions are legally required to hold insurance. The purpose of the section is to assess the institution’s risk exposure and adequacy of risk transfer arrangements, not legal compliance.

SECTION 4 NATURE OF CUSTOMER BASE

Section 4: Legal Entity Customer Segmentation

4.1 Number of customers per legal entity type
Provide the number of customers in each of the following customer categories.
Item | For Profit | Non-Profit
(a) Companies (incorporated or registered under any law):
(i) Companies with an annual turnover of less than R2 million *
(ii) Companies with an annual turnover of more than R2 million and less than R10 million *
(iii) Companies with an annual turnover of more than R10 million and less than R50 million *
(iv) Companies with an annual turnover of more than R50 million *
(b) Trusts *
(c) Partnerships *
(d) Organ of state *
(e) Retirement Fund *
(f) Other (excluding natural persons) *
If Other, please provide additional information *

PURPOSE: To assess the composition and economic scale of the institution’s customer base. From an AML/CFT view, larger or higher-turnover customers pose higher risk due to greater transaction volumes. From a conduct view, understanding the type of legal customer (e.g., company, trust, non-profit, or retirement fund) helps assess their sophistication and governance capacity. Less experienced entities may rely heavily on intermediaries or lack understanding of products, increasing conduct risk, while well-governed, sophisticated institutions typically present lower risk.

“financial customer” means a person to, or for, whom a financial product, a financial instrument, a financial service or a service provided by a market infrastructure is offered or provided, in whatever capacity, and includes—
(a) a successor in title of the person; &
(b) the beneficiary of the product, instrument or service;”

The turnover categories help the FSCA understand the scale and type of business customers served, to assess whether products are appropriately targeted, and to identify potential conduct risks. The thresholds offer a practical, consistent way to group customers by size and are not aligned with the SMME thresholds under the National Small Enterprise Act, which serves a different purpose (developed for economic policy and enterprise support, rather than for assessing customer outcomes or market conduct within financial services).

Section 4: Natural Person Customers

4.2 Number of customers that are natural persons
Provide the total number of customers that are natural persons, categorised by customer segmentation. Additionally, from the total number of natural person customers, indicate the number of customers based on their politically exposed person status.
(a) Customer segmentation 8
(i) Low Income or Mass Market (e.g. customers with below-average income levels, primarily requiring affordable and essential financial services) * 5
(ii) Medium Income or Mass Affluent (e.g. customers with moderate or above-average income levels, having discretionary income for savings, investments and premium financial services) * 2
(iii) High Income or High-Net-Worth (e.g. customers with substantial income or investable assets, often requiring tailored financial solutions, wealth management, and exclusive services) * 1
(b) Politically exposed persons (only to be completed by financial institutions that are accountable institutions and supervised by the FSCA for FIC Act compliance) 8
(i) Foreign politically exposed persons * 3
(ii) Domestic politically exposed persons * 2
(iii) Non-resident financial customers (excluding foreign politically exposed persons) * 3

4.3 Total number of customers
Provide the total number of customers across all customer categories as referred to in question 4.1 and 4.2 for the reporting period. 8

PURPOSE: To segment customers by income/affluence level and PEP status in order to understand exposure to customer vulnerability and AML/CFT risks. A high proportion of low-income or mass-market customers may increase conduct risks, particularly around affordability and potential mis-selling. PEPs, both domestic and foreign, present increased AML/CFT and reputational risks, requiring enhanced due diligence and stronger controls.

A "foreign politically exposed person" refers to an individual who holds, or has held, a prominent public position or role that carries a higher risk of exposure to corruption, bribery, or other financial crimes due to the nature of their position such as Heads of State or Government, senior politicians or members of Parliament, senior Judicial or Military Officials, senior executives of state-owned enterprises, high-ranking officials of international organisations, etc.

These categories provide a broad segmentation of customers by financial capability and product needs, not fixed income levels. Institutions should apply a consistent, justifiable approach and may use recognised tools like the Socio-Economic Measure (SEM), which classifies consumers by living standards and access to resources. The FSCA welcomes feedback on whether specific monetary thresholds or formal SEM classifications should be defined to improve consistency across sectors.

A "domestic politically exposed person" means a person referred to in Schedule 3A of the FIC Act.

Section 4: Customers/ UBOs from grey/black-listed countries

4.4 Number of customers and their beneficial owners from grey and black listed countries (only to be completed by financial institutions that are accountable institutions and supervised by the FSCA for FIC Act compliance)
Item | Grey listed | Black listed
(a) Number of customers listed in question 4.1 from grey listed and black listed countries *
(b) Number of beneficial owners of customers listed in question 4.1 from grey listed and black listed countries *

PURPOSE: To measure the institution’s exposure to high-risk jurisdictions. Customers or UBOs from black or grey-listed countries significantly increase AML/CFT risks. Higher proportions of, or exposure to, such customers will increase the AML/CFT risk score and attract closer supervisory scrutiny.

TIMELINES

OVERALL IRS IMPLEMENTATION ROADMAP

September 2025
✓ Publication of Omni-Risk Return and Explanatory Note
✓ Links to comments template and explanatory webinar recording

1 October – 30 November 2025
✓ Consultation period on Omni-Risk Return
✓ General and targeted engagement activities (planned and on request)

November 2025
✓ Two rounds of three (3) live virtual workshops – two (2) hours each focusing on different sections of the Omni-Risk Return
✓ General invitation to industry, first come, first serve basis

December 2025
✓ Comments period officially closed

Details on system pilot – TBC 2026

OMNI-RISK RETURN Consultation Timeline

THANK YOU