2018-12-20

Regulation on Banking Activity Management Framework No. 322 of December 20, 2018

The National Bank of Moldova issued Decision No. 322 to approve the Regulation on Banking Activity Management Framework, which transposes key provisions of EU Directives 2013/36/EU and 2016/1075. The regulation establishes a comprehensive management framework for banks in Moldova, defining risk appetite, governance structures, and specific roles for the management body and specialized committees. It mandates strict compliance with prudential standards, including the submission of Internal Capital Adequacy Assessment Process reports and the assessment of council members' collective adequacy and independence.

Moldova

National Bank of Moldova

NATIONAL BANK OF MOLDOVA

DECISION

Regarding approval of Regulation on Banking Activity Management Framework

No 322 of 20 December 2018 (in effect as of 4 April 2019)

Official Monitor of the Republic of Moldova No 1-5, Article 56 of 4 January 2019


Registered: Ministry of Justice of the Republic of Moldova No 1400 of 28 December 2018 This Decision transposes Article 76; Article 79, item a); Article 83, paragraph (1) and (3), first section; Article 85, paragraph (1); Article 86; Article 87, Article 88, paragraph (2); Article 92, paragraph (2), items d)-g); Article 94, paragraph (1), items e) and h); Article 95, paragraph (2), of the Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, published in the Official Journal of the European Union L 176 of 26 June 2013, according to the latest amendments introduced by the (EU) Directive 2018/843 of the European Parliament and Council of 30 May 2018 and transposes Article 3-12, 14-19 and Article 21 of the Commission Delegated Regulation (EU) 2016/1075 of 23 March 2016 supplementing Directive 2014/59/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying the content of recovery plans, resolution plans and group resolution plans, the minimum criteria that the competent authority is to assess as regards recovery plans and group recovery plans, the conditions for group financial support, the requirements for independent valuers, the contractual recognition of write-down and conversion powers, the procedures and contents of notification requirements and of notice of suspension and the operational functioning of the resolution colleges (Text with EEA relevance), published in the Official Journal of the European Union L 184 of 8 July 2016. 
[The harmonization clause amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023] [The harmonization clause amended by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022] [The harmonization clause amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021] Pursuant to Article 27, paragraph (1), item (c), of the Law on the National Bank of Moldova No 548/1995 (Official Monitor of the Republic of Moldova, 1995, No 56-57, Article 624), with further amendments, and Articles 38, 39, 43 and 44, paragraph (5), of the Law on Bank’s Activity No 202/2017 (Official Monitor of the Republic of Moldova, 2017, No 434-439, Article 727), with further amendments, the Executive Board of the National Bank of Moldova DECIDES:

  1. To approve the Regulation on Banking Activity Management Framework, according to the Annex.
  2. To repeal the Regulation on Banking Activity Management Framework approved by Decision No 146/2017 on approving and repealing some normative acts of the National Bank of Moldova (Official Monitor of the Republic of Moldova, 2017, 201-213, Article 1183), registered with the Ministry of Justice under No 1229 on 14 June 2017.
  3. Upon entry into force of this Decision, banks shall have a management framework aligned with the provisions of the Regulation referred to under paragraph 1.
  4. Notwithstanding paragraphs 5-6, this Decision shall come into effect within 3 months from the date of publishing in the Official Monitor of the Republic of Moldova.
  5. By 30 April 2019, banks shall submit their first Internal Capital Adequacy Assessment Process (ICAAP) reports as of 31 December 2018.
  6. Within 9 months following the entry into force of this Decision, banks shall assess the collective adequacy of the members of the council of the bank, as required by paragraph 15 of the Regulation referred to under paragraph 1, using the criteria for assessing the independence of members of the council of the bank set forth under paragraphs 16 and 17 of the Regulation referred to under paragraph 1, and shall take the necessary steps for bank compliance with the requirement set forth in paragraph 15 of the Regulation referred to in paragraph 1.

CHAIRMAN OF THE EXECUTIVE BOARD OF THE NATIONAL BANK OF MOLDOVA
Octavian ARMAŞU

No 322, Chisinau, 20 December 2018

Annex to the Decision of the Executive Board of the National Bank of Moldova No 322 of 20 December 2018

Note: throughout the regulation, the words “audit firm,” in any grammatical form, shall be replaced by the words “audit entity,” in the appropriate grammatical form in accordance with Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026;

Regulation on Banking Activity Management Framework

TITLE I GENERAL PROVISIONS

Chapter I SCOPE AND SUBJECT

  1. This Regulation shall apply to banks in the Republic of Moldova and to branches of banks from a foreign state operated on the territory of the Republic of Moldova and establish a management framework for their activity aimed to ensure effective and prudent risk management.
  2. A branch of a bank from a foreign state operated on the territory of the Republic of Moldova may be guided by the management framework policies regulating the activity of the parent company provided the observance of requirements established by the legislation of the Republic of Moldova and this Regulation. Otherwise, the management body of the branch of a bank from a foreign state shall establish its own policies and shall assess any group-level decisions or practices to ensure that they do not lead to the branch being in violation of Moldovan legislation or prudential norms applicable in the territory of the Republic of Moldova.

Chapter II DEFINITIONS

  3. The terms and expressions used in this Regulation shall have the meanings prescribed to them in the Law on Bank’s Activity No 202/2017 (hereinafter: Law No 202/2017), Law on the National Bank of Moldova No 548/1995 (hereinafter: Law No 548/1995), Law No 232/2016 on banks recovery and resolution (hereinafter: Law No 232/2016) and normative acts of the National Bank issued for enforcement thereof.
  4. For the purposes of this Regulation, the terms and expressions set forth below shall have the following meaning:

Risk appetite – aggregate level of risks and types of risks that a bank is willing to take within its risk capacity, according to its business model, to achieve its strategic objectives;

Statutory audit – mandatory audit of individual financial statements and consolidated financial statements, as provided by Article 85, paragraph (2), of Law No 202/2017;

Risk capacity – maximum amount of risk that a bank is able to take given its own capital, risk management and control capabilities, as well as regulatory constraints;

Internal capital – equity of the bank needed to cover unexpected future losses at a confidence level selected for a certain time horizon. This is a form of risk measurement which links capital to the bank's specific risks, regardless of the existence of assets;

Risk culture – an institution’s norms, attitudes and behaviors related to risk awareness, risk-taking and risk management, as well as the mechanism of control that shape decisions on risks;

Internal control – a system that ensures efficient operations, appropriate risk control, prudent conduct of business, credibility of reported financial and non-financial information, both internally and externally, as well as compliance with legal and regulatory frameworks, supervisory requirements and the bank’s internal rules and decisions;

Idiosyncratic event – an event that risks having serious negative consequences for a single bank;

System-wide event – an event that risks having serious negative consequences for the financial system or the real economy;

Critical function – as defined in Law No 232/2016;

Recovery plan indicators – qualitative and quantitative indicators established by each bank based on the framework provided in this regulation to identify the stages in which the appropriate measures mentioned in the recovery plan can be taken;

Corporate governance – a set of relationships among the bank’s management body, its shareholders and other stakeholders. Corporate governance also includes the structures (manner of internal organization), which set the objectives of the bank, and the methods of their implementation, and monitors the performance;

Business model – all activities carried out based on a strategy aimed at achieving financial performance;

Identified staff – bank staff referred to under Article 39, paragraph (1), of Law No 202/2017, which includes members of the executive body, individuals holding key positions in the bank, as well as any other employee paid within the same pay range as the members of the executive body and individuals holding key positions;

Internal capital adequacy assessment process (ICAAP) – process of identification, quantification, management and monitoring of internal capital, implemented by the bank under Article 78 of Law No 202/2017;

Internal liquidity adequacy assessment process (ILAAP) – process of identification, quantification, management and monitoring of internal liquidity, implemented by the bank under Article 79 of Law No 202/2017;

Risk profile – point-in-time assessment of a bank’s gross risk exposures or, as appropriate, net risk exposures (i.e. after taking into account the risk mitigants) aggregated within and across each relevant risk category based on anticipatory estimations;

Primary bylaws – statutes, strategies, codes, policies, regulations, and other internal regulatory acts on banking activity management, and risk exposure, approved by the bank's council or, as appropriate, by the general shareholders' meeting, in view of complying with regulatory acts;

Secondary bylaws – instructions, procedures, guidelines, manuals, or other documents approved by the executive body of the bank to implement the provisions of primary bylaws;

Information and communication technology risk (ICT risk) – operational risk sub-category that refers to the risk of loss/negative impact caused by the compromise of information confidentiality, data integrity, information systems, unavailability of information and/or data systems and incapacity to change ICT over a given period and at a reasonable cost. These losses/negative impacts may be the product of external or internal factors, such as inadequate organization, insufficiently secured or malfunctioning information systems and network infrastructure, and insufficient staff or insufficiently qualified staff who is in charge of the bank’s information system management;

Risk associated to excessive use of leverage – the risk resulting from a bank's vulnerability to leverage or contingent leverage that may require unplanned corrective measures to its business plan, including emergency asset sales, which could result in losses or revaluations of remaining assets;

Concentration risk – risk of profit and capital losses resulting from exposure to each counterparty and/or groups of related parties and/or groups of persons that operate in the same economic sector, conduct the same business or are parties to a joint venture;

Compliance risk – operational risk sub-category that refers to a current or future risk of profit and capital losses, which may result in fines, damages and/or termination of contracts, or which may affect a bank's reputation as a result of violations or non-compliance with regulatory acts, agreements, recommended practices or ethical standards;

Credit risk – current or future risk of profit and capital losses resulting from failure of the debtor or counterparty to meet its contractual obligations, or failure to meet those set out in the contract;

Counterparty credit risk – credit risk sub-category which represents the risk of profit and capital losses when a counterparty to a transaction enters into default before the final settlement of transaction-related cash flows;

Settlement risk – risk of loss resulting from the difference between the agreed settlement price and the current market value for transactions where the debt instrument, securities or foreign currency remain outstanding after the due date;

Liquidity risk – current or future risk of profit and capital losses resulting from the bank's incapacity to meet its obligations upon maturity;

Operational risk – current or future risk of profits and capital losses resulting from inappropriate or failed internal processes or systems and/or actions of external persons or events;

Market risk – risk of losses in relation to items on and off the balance sheet due to unfavorable market fluctuations in the prices of tradeable financial instruments, in interest rates and exchange rates;

Position risk – risk of profit and capital losses that may arise from price inconsistencies over time, between the time of contract conclusion and the time when payment is made and the amount provided by the contract is collected;

Residual risk – risk of profit and capital losses that may arise due to the less effective than expected risk mitigation techniques, as these techniques generate new risks (such as liquidity and compliance risks) that could affect the effectiveness of mitigation techniques;

Interest rate risk – current or future risk of profit and capital losses resulting from adverse changes in interest rates;

Reputational risk – current or future risk of profit, capital or liquidity losses determined by the unfavorable perception of a bank's image by counterparties, shareholders, investors or supervisory authorities;

Strategic risk – current or future risk of profit and capital losses resulting from changes in business environment or unfavorable business decisions, inappropriate implementation of decisions or lack of responsiveness to changes in the business environment;

Conversion risk – risk of profit and capital losses resulting from a counterparty’s impossibility to convert the national currency into foreign currency required for financial liabilities payments because of that currency’s unavailability due to restrictions imposed by the counterparty’s country;

Country risk – risk of exposure to losses resulting from economic, social and/or political circumstances and events in a foreign state, affecting the bank activity;

Foreign exchange risk – risk of exposure to losses arising from trade agreements or other economic relationships as a result of market fluctuations in the exchange rate in the period between contract conclusion and its maturity;

Information system – a bank’s information management system, together with related organizational resources, such as information resources, human resources, organizational structures;

Stress test – risk management technique used to assess the potential effects of events or future changes in economic conditions that may have an impact on the bank's financial position;

Reverse stress-test – stress testing starting from the identification of the predefined result (for example a state of major difficulty in ensuring continuity) then exploring scenarios and circumstances that could cause it to occur;

Risk tolerance – maximum amount of risk accepted by a bank, which falls within the real limits of the risk appetite framework assumed by the bank;

Economic value – updated value of the net cash flows expected by a bank;

Diversity – a situation in which the characteristics of the members of the management body, including age, gender, geographical origin, educational and professional experience, differ to an extent that enables a variety of opinions within the management body;

Training – improving the skills, knowledge, or competencies of members of the management body and persons holding key positions, carried out on an ongoing or ad hoc basis through any initiative or program;

Induction – training a candidate for a specific role as a member of the management body and as a key holder, delivered through any initiative or program;

Gender-neutral remuneration policy – remuneration policy based on the principle of equal treatment, i.e. equal remuneration between male and female staff members for the same work or work of equal value;

Financing risk – the risk that the bank will not have stable sources of medium- and long-term financing, leading to the existing or potential risk that the bank will be unable to meet its financial obligations as they fall due in the medium and long term, or will be able to do so only at unacceptable financing costs;

Significant risk – risk with a significant impact on the financial and/or reputational situation of a bank.

[Paragraph 4 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]
[Paragraph 4 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]
[Paragraph 4 amended by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]
[Paragraph 4 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

Title II ROLE AND COMPOSITION OF THE MANAGEMENT BODY AND SPECIALIZED COMMITTEES

Chapter I ROLE AND RESPONSIBILITIES OF THE MANAGEMENT BODY

5. The bank shall establish the size and composition of its management body and its governance mechanism, considering the nature, scale and complexity of inherent risks, according to the bank’s business model and activities.

6. The duties and responsibilities of the management body shall be explicitly established and efficiently distributed between the bank’s council and the executive body. The role, structure, numerical composition, term of election/appointment of members of the management body, manner of operation and duties of the management body shall be determined by the bank's charter and primary bylaws, in compliance with the provisions of Law No 202/2017, regulatory acts issued by the National Bank of Moldova for enforcement thereof and Law on Joint-Stock Companies No 1334/1997, insofar as their applicability is not limited by Law No 202/2017.

7. Meetings of the bank’s council and executive body, including the number of present members and frequency of meetings, shall be organized to ensure thorough consideration of the bank's issues and a critical debate of topics to maintain efficiency. The bank shall ensure that the full body of information on issues considered and topics discussed, including main topics of the agenda, with names of speakers and all suggestions/opinions of the members of management bodies, is included in the minutes of the management body. The bank shall ensure consecutive numbering of the minutes of the management body.

8. All members of the management body shall be aware of the structure and responsibilities of the management body and of the division of duties and responsibilities between the executive body, the council and the specialized committees of the council. For an adequate system of verification and assessment of bank activity, the decision-making process of the management body cannot be dominated by only one member or a small group of members of the management body. The council of the bank and the executive body must interact and exchange sufficient information to enable them to properly perform their duties and responsibilities.

8¹. Each member of the management body shall have independent thinking, this representing a model of behaviour expressed especially during discussions and decision-making within the management body, regardless of whether or not the respective member is considered independent in accordance with the provisions of paragraph 16.

[Paragraph 8¹ added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

8². While evaluating the independence of members, banks should differentiate between the notion of “independent thinking”, which applies to all members of the bank's management body, and the principle of “being independent”, which is imposed on bank board members. The criteria for evaluating “independent thinking” are stated in paragraph 8³.

[Paragraph 8² added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

8³. In order to evaluate the independent thinking banks shall determine if the members of the management body:

  1. have the necessary behavioural skills, namely: a) courage, persuasiveness and tenacity to evaluate and challenge effectively the proposed decisions of other members of the management body; b) ability to question the other members of the management body; c) ability not to be influenced by “group thinking”, i.e. by the opinions of other members without carrying out own analysis regarding the topic addressed.
  2. are not in conflicts of interest likely to impede the ability to perform their duties independently and objectively.

[Paragraph 8³ added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

8⁴. Each member of the management body must allocate sufficient time to perform their duties. In order to assess whether sufficient time has been allocated by the member of the management body, banks shall take into account at least the following:

  1. the number of positions held concurrently within a bank and/or other entity by that member, taking into account possible overlaps, where the positions are held in accordance with Article 43, paragraph (13) of Law No 202/2017, including when the member of the management body acts on behalf of a legal person or as a substitute member of a full member of the management body;
  2. the size, nature, scope, and complexity of the activities of the entity in which the member of the management body holds a mandate and, in particular, whether the entity is located outside the country;
  3. the member's presence in the country and the travel time required to perform the tasks of the member of the management body;
  4. number of meetings scheduled for the management body;
  5. positions held concurrently by the member of the management body within organizations or entities that do not primarily pursue commercial objectives;
  6. willingness to participate in unscheduled meetings, in particular with competent authorities or other interested parties outside the official meeting schedule of the management body;
  7. the nature of the position held by the member of the management body and the related responsibilities, including specific duties such as those of chief executive officer or chair or member of a committee, as well as the need for that member to attend meetings within the entities referred to in sub-paragraph 1) and within banks;
  8. other external activities of a professional or political nature, as well as any other relevant functions and activities of the member of the management body, both within and outside the financial sector, both inside and outside the Republic of Moldova;
  9. time needed to be allocated for training;
  10. the impact of any long-term absences of the member;
  11. any other relevant duties of the member that the bank considers necessary to take into account when assessing whether a member of the management body has sufficient time available;
  12. the ability to fulfil the responsibilities of the position during periods of particularly intense activity, such as in the event of reorganization, restructuring, acquisition, takeover, or crisis situations, or as a result of a major difficulty related to one or more of its operations, etc.

[Paragraph 8⁴ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Chapter II DUTIES AND ORGANIZATION OF THE COUNCIL OF THE BANK

9. The council is the management body of the bank, which has supervisory duties of bank performance, approval and monitoring of implementation of strategic objectives, governance framework and corporate culture by the executive body, and is responsible for overall bank activity.

10. The council of the bank shall determine the manner in which the bank regulates and organizes its activity. For this purpose, the council shall define the management framework of the bank by ensuring the elaboration, approval, implementation, monitoring of ongoing implementation and periodic review of primary bylaws in all areas of bank activity.

11. The council shall have at least the following duties:

  1. to perform all duties set forth by Article 41 of Law No 202/2017;
  2. to fulfill the responsibilities assigned to the committee of appointments and committee of remuneration, if these were not established at bank level;
  3. to approve a code of conduct that clearly determines acceptable and unacceptable staff behavior, including unacceptable activities and excessive risk taking for the bank, and the way of handling conflicts of interest at bank level;
  4. to supervise the implementation and compliance with the bank's code of conduct, in particular to identify, manage and prevent potential and/or current conflicts of interest;
  5. to ensure that internal control functions can act independently and, regardless of their responsibility to report to other internal bodies or reporting lines, can raise issues and alert the board directly, where appropriate, when there are adverse developments in risks that affect or may affect the bank;
  6. to approve and monitor the implementation of the internal audit plan, after a prior review by the risk management committee and the internal audit committee;
  7. to approve and supervise the implementation of the policy on the appointment of the management body and of the personnel holding key positions;
  8. to approve and monitor the implementation of risk management policies and ensure the training of bank staff in relevant areas;
  9. supervising and monitoring the decision-making process and actions of the executive body, so as to ensure its effective supervision, including monitoring and reviewing its individual and collective performance;
  10. constantly monitoring the implementation of the bank's risk culture.

[Paragraph 11 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]
[Paragraph 11 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

12. The council shall ensure individual and collective compliance of experience and knowledge of members of the council and executive body, the nature and complexity of the activity and risk profile of the bank, shall set performance standards for the executive body according to the strategy and policies of the bank, and monitor the compliance of its performance with the respective standards.

13. The members of the council shall exercise their duties with honesty, integrity, objectivity and loyalty, devote sufficient time and prudence, and strictly observe the legal provisions and the normative framework.

14. The members of the council shall actively participate in bank activity and be able to make sound, objective and independent decisions.

15. The council shall be composed of a sufficient number of independent members, but not less than one third of all members elected in the council. The criteria for assessing the independence of the council’s members are set forth under paragraph 16.

16. Notwithstanding item 17, a member of the council of the bank shall be deemed as "non-independent" in the following cases:

  1. holds or has held in the last 5 years the status of member in the management body of the bank and/or in entities within the scope of prudential consolidation, except for the status of independent member in the management body of the bank and/or in entities within the scope of prudential consolidation;
  2. has a direct/indirect holding within the bank of at least 5% of its capital or represents the interests of a holder of such holding;
  3. has a significant financial or economic relationship with the bank (more than 5% of the bank's equity);
  4. is an employee of, or is in other similar relationships with a holder of holding within the bank of at least 5% of its capital;
  5. is employed by any entity within the perimeter of prudential consolidation, unless the following two conditions are met: a) does not belong to a hierarchical level that is directly responsible only to the management body of the bank/a member of the management body; b) was elected as a member of the council of the bank in the context of a staff representation system, with adequate protection against abusive dismissal and other forms of unfair treatment;
  6. has been employed in the last calendar year in a position at a hierarchical level within a bank or other entity within the perimeter of prudential consolidation, which is directly responsible before the management body;
  7. in the last calendar year, held a senior position, acted as a leader and/or member of the management body in a professional consultancy entity, an external auditor or an important consultant for a bank or for another entity within the perimeter of prudential consolidation or, in other cases, an employee substantially involved in the provided service;
  8. is or has been, in the last year, a significant supplier (provided goods or services worth more than 5% of the bank's assets) or an important client of the bank or other entity within the perimeter of prudential consolidation, or had another important business relationship, or is an employee substantially or otherwise involved, directly or indirectly, with a supplier, client or business entity that has an important business relationship with the bank;
  9. under paragraph (5), receives as addition to the remuneration for his/her role and remuneration for the position, commissions or other significant benefits from the bank or other entity within the perimeter of prudential consolidation;
  10. acted as an independent member of the management body of the bank, for the past 12 consecutive years;

10 11) is the spouse or a first- or second-degree relative of a member of the management body of the bank or other entity within the perimeter of prudential consolidation, or of a person in one of the situations referred to under paragraphs 1-10. [Paragraph 16 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023] [Paragraph 16 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021] 17. Fitting into one or more situations described in paragraph 16 cannot automatically qualify a member as "non-independent". Where a member falls into one or more situations referred to under paragraph 16, the bank may choose to qualify the member as independent provided there are justified reasons as to the capacity of the member to exercise his/her duties in an objective and balanced manner to make independent decisions, and the arguments (justifications) presented to the National Bank of Moldova were accepted by it. 18. The council shall supervise the activity of the executive body, by monitoring its actions to ensure their conformity with the strategy and policies of the bank, through review of information provided by the executive body and the compliance, internal audit and risk management functions, and also, through regular meetings with the executive body and the respective functions. 19. The council shall periodically approve and update the regulations on its own activities, considering the regulatory acts and the regulation of the council, approved by the general shareholders’ meeting, which establish the organization, rights, duties and activities of the council, and shall maintain performance and integrity through periodic individual evaluations of each member and collective evaluations of the council. 20. To perform their duties, the members of the council shall have access at all times to any information related to the activity of the bank and executive body, as well as to the internal and external audit reports. 
Chapter III SPECIALIZED COMMITTEES OF THE COUNCIL

Section 1 Organization of Committees

21. In addition to setting up the committees provided for under Article 44 of Law No 202/2017, banks shall also be entitled to other specialized committees (ethics, conduct, compliance and/or other committees) to assist the council in its tasks. Pursuant to Law No 202/2017, a significant bank is an undertaking of systemic importance, as defined in Law No 202/2017 and identified according to the regulatory acts of the National Bank.

22. The bank’s council can determine the number and structure of committees to facilitate its own activities. The existence of committees shall not in any way exonerate the council from the collective fulfillment of its duties and responsibilities.

23. Where the bank has not set up the appointment committee and/or the remuneration committee, the provisions of Sections 4 and 5 of Chapter III on the appointment committee and the remuneration committee shall apply to the members of the council of the bank.

24. The duties, functions and responsibilities of specialized committees of the council of the bank shall be established in primary bylaws approved by the council of the bank, which shall comply with this Regulation and the provisions of Article 44 of Law No 202/2017.

25. In the event of a change in the composition of the council of the bank, during the first meeting in that new composition, the council shall examine the numerical structure of committees with a view to completing them.

26. Specialized committees shall support the council of the bank in specific areas and contribute to the development and improvement of the activity management framework of the bank.

27. Specialized committees shall have a general or separate regulation for each committee, approved by the council of the bank, regarding their role, purpose and manner of operation, and shall also contain rules regarding the activity of the members of the committee.

28. Specialized committees shall be formed exclusively out of the members of the council of the bank. Other persons may also be invited to participate in the meetings of the committee upon the committee’s decision, either due to their specific experience or due to their recommendations which are relevant for a particular issue/area.

29. A specialized committee may not comprise less than 3 members. The chair of the committee shall be appointed by the council of the bank out of the elected members of the committee.

30. Banks that are not considered significant shall have the right to convene the audit committee and the risk management committee, while banks considered significant shall have the right to convene the appointment committee and the remuneration committee, pursuant to Article 44 of Law No 202/2017. The reasoned decision to convene the committees, in both cases, shall be notified to the National Bank of Moldova within 10 days from the approval of the respective decision by the bank's board. The members of the committees thus assembled shall have the necessary knowledge, skills and experience to ensure their good functioning. Failure to meet the requirements regarding the quality of the members of the assembled committees gives the National Bank of Moldova the right to oppose the decision to assemble the committees, including to request the bank to take the necessary measures for the remediation of deficiencies.

[Paragraph 30 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]
[Paragraph 30 in version of the Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

31. Specialized committees shall:

  1. have access to all relevant information and data to fulfill their duties, including data and information from relevant functions and internal control functions;
  2. receive periodic reports and ad hoc information, communications, and opinions from the heads of internal control functions regarding the bank's current risk profile, risk culture, and risk limits, as well as any serious violations, including in the area of preventing and combating money laundering and terrorist financing, accompanied by detailed information and recommendations for remedial measures that need to be taken or suggested to be taken in this regard in order to fulfil the responsibilities assigned;
  3. periodically review and decide on the content, format and frequency of risk information that shall be reported to them;
  4. if necessary, ensure proper involvement of internal control functions and other relevant functions in their specific areas of expertise and/or seek advice from an external expert.

[Paragraph 31 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

32. Specialized committees shall interact, where appropriate, to ensure consistency and avoid discrepancies in their decisions. This interaction shall take place, at a minimum, by cross-participation, so that the chair or a member of a specialized committee may also be a member of another specialized committee.

33. Specialized committees shall report on their work to the council of the bank, as established by internal bylaws but, at a minimum, annually.

34. The agenda, debates, conclusions, and outcomes of meetings of specialized committees shall be documented.

34¹. Members of specialized committees should participate in open and critical discussions where differing opinions are discussed in a constructive manner.

[Paragraph 34¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

35. Where the bank is a subsidiary of a bank from a foreign state, as well as in the case of a branch of a bank from a foreign state, the functions of specialized committees shall be distributed according to the principles established by the bank of the country of origin, provided the observance of requirements set forth by the legislation of the Republic of Moldova and this Regulation.

[Paragraph 35 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Section 2 Audit Committee

36. The chair of the audit committee shall be an independent member. The chair of the audit committee may not be the chair of the council of the bank, including where this committee is reunited with other committees. The chair of the audit committee shall have expertise in applying auditing and accounting principles and internal control processes.

37. At least one of the members of the audit committee shall have relevant experience in the financial or accounting field, or experience related to financial and/or control/audit activity.

38. Without prejudice to the duties assigned to members of the council of the bank, the audit committee shall have, at a minimum, the following duties:

  1. to inform the council of the bank about the results of statutory audit and its findings;
  2. to monitor the financial reporting process and submit recommendations or proposals to the council of the bank to ensure its integrity;
  3. to monitor the effectiveness of internal control and risk management systems and, where appropriate, the internal audit function, without prejudice to its independence, on the bank’s financial reporting;
  4. to review and monitor the independence and adequacy of service provision by statutory auditors or audit entities engaged for purposes other than statutory audit;
  5. to monitor the conduct of statutory audit of financial statements;
  6. to be in charge of the selection of the audit entity and to recommend the audit entity to be designated for the statutory audit in accordance with the requirements of the Regulation on External Auditing of Banks, approved by Decision of the Executive Board of the National Bank of Moldova No 118/2018;
  7. to monitor the adequacy of the bank’s accounting policies;
  8. to revise the scope and frequency of external audit;
  9. to receive, review and consider the results of internal and/or statutory audit;
  10. to review and approve the scope and frequency of internal audit;
  11. to verify timely adoption by the bank's executive body of required corrective measures to address control deficiencies, non-compliance with the regulatory framework, policies, and other issues identified by internal and external auditors.

[Paragraph 38 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Section 3 Risk Management Committee

39. The risk management committee provides advice to the council on risk appetite and current and future risk strategy, and supports the council in monitoring the implementation of this strategy by the executive body. The overall responsibility for risks shall remain with the council of the bank.

40. The risk management committee shall assist the council in determining the nature, volume, format, and frequency of risk information.

41. Without prejudice to the responsibilities of the remuneration committee, and to support the establishment of sound remuneration policies and practices, the risk management committee shall verify whether the incentives provided by the remuneration system consider the risks, capital, liquidity, and revenue probability and forecasts.

42. The risk management committee shall have at least adequate access to the important information and data necessary to perform its duties, including information and data received from control functions and other relevant functions (e.g., legal, finance, human resources, information technology), including information on compliance with anti-money laundering and counter-terrorist financing requirements and aggregate information on suspicious transaction reports and risk factors associated with money laundering and terrorist financing.

[Paragraph 42 in version of the Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

42¹. The risk management committee, where appropriate, should ensure the appropriate involvement of internal control functions and other relevant functions (human resources, legal, financial, others, as appropriate) in their specific areas of expertise and/or seek external expert advice.

[Paragraph 42¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

43. Without prejudice to the responsibilities assigned to members of the bank’s council, the risk management committee shall have, at a minimum, the following duties:

  1. to supervise the implementation of capital and liquidity management strategies and the management of risks relevant to bank activity, such as credit risk, market risk, operational risk (including compliance and ICT risks) and reputational risk, to assess their adequacy for risk appetite and approved risk management strategy;
  2. to review a range of possible scenarios, including stress scenarios, to assess how the bank's risk profile would change as a result of potential external and internal events;
  3. to supervise the alignment of all products and financial services provided to customers and the bank’s business model and risk strategy, to assess the risks associated with the provided products and financial services, and to consider the alignment between prices awarded and profits obtained from these products and services;
  4. to provide advice to the council of the bank on required adjustments to the resulting risk strategy, including changes in the bank's business model, market developments, or recommendations from the risk management function;
  5. to assess the recommendations of internal and/or external auditors and to follow adequate implementation of required risk management measures;
  6. to provide advice on the appointment of external consultants, whom the members of the council may decide to hire for advice or support in their risk management work;
  7. to inform and support the council of the bank in monitoring risk appetite and implementing the risk management strategy to which the bank is or may be exposed, taking into account all types of risks, to ensure their compliance with the bank's business strategy, objectives, corporate culture, and values;
  8. to assist the council of the bank in monitoring the implementation process of the risk management strategy and the established risk limits.

[Paragraph 43 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

44. The risk management committee shall collaborate with other committees (audit committee, remuneration committee) including communicating regularly with internal control functions if the latter were set up and the activity of which can impact the bank's risk strategy.

[Paragraph 44 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

44¹. The chair of the risk management committee must be an independent member. The chair of the risk management committee must not be the chair of the council of the bank or the chair of any other committee, including in the case of this committee being combined with other committees.

[Paragraph 44¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

45. At least one of the members of the risk management committee shall have relevant experience in risk management and/or control.

Section 4 Appointment Committee

46. At least one of the members of the appointment committee shall have adequate experience in the selection and assessment of candidates for positions in the bank's management body and key functions, as appropriate.

47. Without prejudice to the duties assigned to members of the council of the bank, the appointment committee shall have, at a minimum, the following duties:

  1. to identify and assess independently, and/or from the list of candidates proposed by shareholders, candidates for filling vacant positions within the council and to submit their candidacies to the council of the bank, after which, the considered candidates are submitted for approval to the general shareholders’ meeting;
  2. to identify and evaluate independently, or from the list of candidates proposed by the council and/or executive body, candidates for filling vacant positions in the executive body and, as appropriate, key functions and to submit these candidatures for approval to the council of the bank;
  3. to assess knowledge, skills, diversity, and experience in the management body, to review roles and capabilities for appointment to a particular position, and assess the capacity to allocate time with a view to perform these duties;
  4. to assess periodically the structure, size, composition, and performance of the management body and make recommendations to the management body on any changes;
  5. to assess periodically knowledge, skills and experience of each member of the management body and of the management body as a whole, as well as of persons holding key positions, and to report accordingly before the council;
  6. to review periodically the policy of the management body as regards the selection and appointment of members of the executive body and of persons holding key positions, and to make recommendations for the council.

[Paragraph 47 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

47¹. If no appointment committee has been established, the provisions of paragraph 23 shall apply, and the assessment referred to in paragraph 47 sub-paragraph 4) and 5) shall be carried out at least once every two years.

[Paragraph 47¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

48. In performing its duties, the appointment committee shall consider the need to ensure that the decision-making process of the management body is not dominated by any person or group of persons in a way that is detrimental to the interests of the bank as a whole.

Section 5 Remuneration Committee

49. The remuneration committee shall be formed in a way that enables it to fulfill its duties, with competence and independence in relation to remuneration policies, practices and incentives created for risk management, capital and liquidity management.

50. Without prejudice to the duties assigned to the members of the council of the bank, the remuneration committee shall have, at a minimum, the following duties:

  1. to develop decisions on remuneration which shall be adopted by the council, in particular as regards the remuneration of members of the executive body and persons holding key positions;
  2. to assist and advise the council in the development of the bank's remuneration policy;
  3. to support the council in monitoring remuneration policies, practices and processes and in observing the remuneration policy;
  4. to verify that the existing remuneration policy is up-to-date and, if appropriate, propose changes thereto;
  5. to advise on the appointment of external consultants in the field of remuneration, which the council may decide to employ for advice or assistance in its work;
  6. to ensure the adequacy of information provided to shareholders on remuneration policies and practices, in particular regarding the ratio between fixed and variable remuneration;
  7. to assess the adopted mechanisms and systems aimed to ensure that the remuneration system duly considers all types of risk, liquidity and capital levels and that the overall remuneration policy is aligned with them, and to promote sound and effective risk management aligned with the business model, corporate goals, culture and values, and long-term interests of the bank;
  8. to assess the achievement of performance targets and the need for ex-post adjustment to risks;
  9. to review a range of possible scenarios to test how remuneration policies and practices react to external and internal events, and to perform ex-post tests of the criteria used and ex-ante risk adjustment based on actual risk implications.
51. Where the bank has set up a remuneration committee, the remuneration of heads of independent control functions (risk management, compliance and internal audit functions) shall be directly supervised by the remuneration committee. The remuneration committee shall submit recommendations to the council on the elaboration of the remuneration package and the amounts of remuneration to be paid to the heads of control functions.

52. The remuneration committee shall:

  1. have access to all data and information on the decision-making process of the council regarding formulation, implementation, supervision, and review of remuneration policies and practices;
  2. have adequate financial resources and unlimited access to all information and data from internal control functions, including from the risk management function; and
  3. ensure adequate involvement of internal control functions and other relevant functions in those areas of expertise and seek external advice when necessary.

53. The remuneration committee shall collaborate with other specialized committees (risk management committee, audit committee, appointment committee of the council), the activity of which may have an impact on the formulation and proper functioning of remuneration policies and practices, and provide adequate information on the activities of the council and, by case, the general shareholders’ meeting.

54. A member of the risk management committee shall attend the meetings of the remuneration committee provided that the establishment of the latter is mandatory and vice versa.

55. At least one of the members of the remuneration committee shall have relevant experience in remuneration, risk management and/or control/audit policies and practices, in particular with regard to the mechanism for aligning the remuneration structure to the risk profile and bank capital.

CHAPTER IV DUTIES AND ORGANIZATION OF THE EXECUTIVE BODY OF THE BANK

56. The executive body is in charge of managing the current business of the bank and reports to the council, including under Article 42, paragraph (3), of Law No 202/2017. To this end, the executive body shall ensure proper implementation of the bank's management framework, develop and approve secondary bylaws, where appropriate.

57. The executive body shall have knowledge of and understand the organizational structure of the bank, the risks it generates, to ensure the conduct of bank activities in accordance with the bank's strategy, risk appetite and bank policies approved by the council.

58. For the purpose of promoting and ensuring an efficient bank activity, the executive body shall be responsible for:

  1. performance of duties provided for by Article 42 of Law No 202/2017; and
  2. regular reporting to the council of the bank on the work carried out.
59. The executive body shall not make decisions that are inconsistent with the strategies of the bank approved by the council. If other limits/possibilities are required, they shall be coordinated and approved in advance by the council of the bank.

60. Depending on the nature, complexity and volume of bank activity, the executive body shall set up specialized committees of the executive body to assist in the performance of its duties, but it shall not be entitled to delegate its tasks to these committees.

61. A member of the executive body may be empowered with overall responsibility for the bank's risk management function (Chief Risk Officer) or compliance function (Chief Compliance Officer), or combined function in accordance with paragraph 173 provided that the member has no other duties or responsibilities in the executive body that may compromise internal control activities carried out by that member and the independence of internal control functions, and cannot be responsible for profit-generating activity lines according to the provisions of Section IV of Chapter III, Title IV. The council of the bank may assign to that member the right to veto decisions of the executive body.

[Paragraph 61 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Title III ACTIVITY MANAGEMENT FRAMEWORK

Chapter I ORGANIZATIONAL FRAMEWORK AND STRUCTURE

Section 1 Organizational Framework

62. The management body of the bank shall be responsible for the existence of a rigorously designed management framework including, at a minimum, the following:

  1. a clear organizational structure with clearly defined, transparent and consistent lines of responsibility;
  2. effective processes for identifying, managing, monitoring, and reporting the risks to which the bank is or might be exposed (stress tests);
  3. a capital adequacy assessment process (ICAAP);
  3¹. an internal liquidity adequacy assessment process (ILAAP);
  3². a recovery plan, according to Article 9 of Law No 232/2016;
  4. adequate internal control mechanisms, including rigorous administrative and accounting procedures;
  5. information systems appropriate to the needs of the bank and assurance of their continuity;
  6. mechanisms for complying with transparency and disclosure requirements;
  7. remuneration policies and practices.

[Paragraph 62 amended by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]
[Paragraph 62 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

63. Upon establishing the activity management framework of the bank, the management body shall consider the size of the bank, organizational structure and the nature, scale and complexity of risks inherent in the business model and activities developed by the bank.

64. The bank shall carry out its activities, including its operations and service provision, in strict compliance with the management framework for its activity. Internal business-related regulations shall be applicable at all bank levels, including the level of bank branch and/or structural subdivision, to meet all the requirements of business conduct/organization.

65. The bank shall have sufficient resources to ensure compliance of the bank, including each of its subsidiaries and/or structural subdivisions, with the general management framework at both bank and individual levels of each branch/structural subdivision.

66. The bank shall organize its work so that decisions taken by the management body and/or practices used to support sound and prudent management do not jeopardize the financial soundness of the bank and legal interests of stakeholders.

67. The bank shall perform activities, operations and services, providing assurance that associated risks shall be appropriately managed.

68. The bank shall maintain an appropriate mix of basic skills at operational level for outsourced activities, including a reintegration plan, to be able to deploy immediately, if necessary, outsourced activities and have policies in the outsourcing field, taking into account the Regulation on Outsourcing of Bank Activities and Operations approved by Decision of the Executive Board of the National Bank of Moldova No 46/2020.

Section 2 Organizational Structure of the Bank

69. The bank shall have an organizational and operational structure appropriate to its activity and transparent, which promotes efficient management and provides the necessary prudence to the bank's management.

70. The management body shall be responsible for determining the organizational structure, to be documented and, where appropriate, updated.

71. The reporting lines and distribution of responsibilities and competencies in the bank shall be clear, well defined, consistent, effectively implemented, and documented.

72. The organizational structure of the bank shall be assessed on how its various elements complement and interact with one another, and shall be improved according to the evolutions of the bank, in line with the approved business model and risk profile, and not involve an excessive or inappropriate level of complexity.

73. The organizational structure of the bank shall not limit the capacity of the management body to effectively supervise and manage its operations and risks it faces, as well as enable the National Bank of Moldova to exercise its supervisory function in relation to that bank.

Section 3 Corporate Values and Code of Conduct

74. The management body shall develop, adopt, adhere to, and promote high ethical and professional standards, considering the specific needs and characteristics of the bank, and shall ensure implementation of such standards (through a code of conduct or a similar instrument). The management body shall supervise staff compliance with these standards.

74¹. The bank must ensure that there is no discrimination between staff members on any grounds, including gender, age, race, skin colour, ethnicity, language, membership of a national minority, religion, political opinion, social origin, domicile, disability, or other criteria unrelated to their professional qualities.

[Paragraph 74¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

74². The bank must have policies in place to facilitate the reintegration of staff after maternity, paternity, and childcare leave.

[Paragraph 74² added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

75. The standards applied shall aim at reducing the risks to which the bank is exposed, in particular operational and reputational risks, which may have a considerable negative impact on the profitability and sustainability of the bank through fines, litigation costs, restrictions imposed by competent authorities and criminal penalties, as well as loss of image and consumer confidence.

76. The management body shall have clear and documented policies on how to comply with these standards. These policies shall:

  1. promote the conduct of bank activities in accordance with the applicable law and corporate values of the bank;
  2. promote risk awareness through a solid risk culture reflecting the expectations of the management body, that bank activities shall not exceed the risk appetite and risk limits set at bank level, and shall not exceed the respective responsibilities of staff;
  3. establish principles and show examples of acceptable and unacceptable behavior, in particular as regards erroneous financial reporting and inappropriate conduct, illegal economic and financial actions, including money laundering and terrorist financing, anti-competitive practices, unfair competition, financial sanctions, bribery and corruption, market manipulation and transactions, as well as consumer protection violations;

  4. clearly state that, in addition to complying with the requirements of domestic legislation and regulations, staff shall behave with honesty and integrity and shall carry out their duties in a competent manner, by applying the necessary professional competencies, care and diligence;
  5. ensure that staff are aware of potential disciplinary measures, legal actions and sanctions that may arise from improper behavior.

[Paragraph 76 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

77. The bank shall monitor the compliance with these policies and ensure staff accountability through regular training. The bank shall designate the function responsible for monitoring of compliance and assessment of violations of the code of conduct, and establish a mechanism for addressing non-compliance issues. The results shall be periodically reported to the management body.

Section 4 Business Model and Strategy

78. In developing the business model, the bank shall identify and consider the main exogenous and endogenous factors that influence the success of the business model, including the most important lines of business in terms of business model viability and which are most likely to increase the exposure of the bank to existing or future vulnerabilities.

79. The business model of the bank shall be based on plausible strategic assumptions about the business environment and business strategies, which shall be sustainable.

80. Under paragraph 78, the viability of the business model shall refer to the ability of the bank to generate acceptable revenues over the next 12 months.

81. Under paragraph 79, the sustainability of the strategy shall consist in the capacity of the bank to generate revenues over a 3-year projection period according to strategic plans and shall be determined based on projected financial performance, as well as the risk level of the business strategy and the likelihood of success, depending on the execution capacities of the bank.

82. Under paragraph 81, the bank shall establish a correlation between its financial performance and risk appetite, considering the level of risks, profit and losses, balance sheet, concentrations, including trends thereof.

83. The management body shall establish the legal, organizational and operational structure of the bank, including in accordance with the approved business model and strategies.

Section 5 Conflicts of Interest at Bank Level

84. The management body shall be responsible for establishing, approving and supervising the implementation and maintenance of effective policies for identifying, assessing, managing and mitigating or preventing current and potential conflicts of interest at bank level, including as a result of various activities of the bank, prudential entities or different business lines or units of an entity, or from external stakeholders.

85. Within the framework of organizational arrangements, the bank shall take appropriate measures to prevent the legitimate interests of the bank and its clients from being adversely affected by conflicts of interest, taking into account interests in the conflict-of-interest policy at group level on a consolidated basis.

86. The measures taken by the bank to manage or, where appropriate, mitigate conflicts of interest shall be documented by internal regulations and shall include, but not be limited to:

  1. adequate separation of tasks or responsibilities of supervision and reporting activities that generate conflicts of interest in the course of transactions or service provision;

  2. establishing information barriers by limiting access to information, including the physical separation of certain business lines or units;
  3. establishing appropriate procedures for related-party transactions.

Section 6 Conflicts of Interest at Staff Level

87. The management body shall be responsible for establishing, approving and supervising the implementation and maintenance of effective policies for identifying, assessing, managing and mitigating or preventing current and potential conflicts between the interests of the bank and the private interests of staff, management body, which could affect the fulfillment of their tasks and responsibilities.

88. Under paragraph 87, the management body of the bank shall ensure that the conflict-of-interest policy is brought to the attention of all bank staff and is observed by them.

89. The conflict-of-interest policy shall aim at identifying conflicts of interest of staff, including the interests of their family members (first- and second-degree relatives, spouses). The bank must take into account that conflicts of interest may arise not only as a result of current personal or professional relationships, but also as a result of past personal or professional relationships.

[Paragraph 89 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

90. The bank shall consider conflicts of interest that might arise from past relationships. To this end, the bank shall set an appropriate time frame but, at a minimum, a year, for staff to report such conflicts of interest on the basis that they may still have an impact on the behavior and participation of staff in decision-making.

[Paragraph 90 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

91. In the event of conflicts of interest, the bank shall assess their significance in relation to its business and decide and implement, where appropriate, mitigation measures.

92. The conflict-of-interest policy shall, at a minimum, cover the following situations or relationships where conflicts of interest may arise in relation to:

  1. economic interests (including shares, other property and membership rights, financial holdings and other business interests with commercial clients, intellectual property rights, loans provided by a bank to an undertaking owned by staff, membership in a body or ownership of a body or entity with conflicting interests);
  2. personal or professional relationships with qualified bank owners;
  3. personal or professional relationships with bank staff or entities within the perimeter of prudential consolidation;
  4. other present employment and previous jobs within the appropriate time frame, but not less than 1 year;
  5. personal or professional relationships with relevant external stakeholders (including suppliers, consultants or other service providers);
  6. personal or professional relationships with politically exposed persons and/or family members (first- and second-degree relatives, spouses) of the politically exposed person and/or persons associated with politically exposed persons.
93. Without prejudice to paragraphs 87-92, banks shall consider the fact that holding a share in the share capital of a bank, or holding personal accounts or loans, or the use of other services of a bank, shall not lead to a situation where the staff is deemed to have a conflict of interest, if the relationship between the bank and its clients is a standard one. [Paragraph 93 amended by Decision of the NBM No 133 of 25.04.2019, in force 03.05.2019]

94. The conflict-of-interest policy shall establish the policy-based reporting and communication processes to the relevant function. Bank staff shall be required to promptly disclose any matter that may or may have already resulted in a conflict of interest.

95. The conflict-of-interest policy shall differentiate persistent and permanent conflicts of interest and unexpected conflicts of interest concerning a single event (including a transaction, selection of a service provider, etc.) and which can usually be managed with a single measure/set of single measures. Under all circumstances, the interest of the bank shall prevail over the decisions to be taken.

96. The conflict-of-interest policy shall establish the procedures, measures, documentation requirements and duties regarding the identification and prevention of conflicts of interest, their elimination. If not possible, the policy shall establish procedures for documenting, managing and monitoring after detection, assessing their significance, and taking mitigation measures. These procedures, requirements, duties, and measures shall include, but are not limited to:

  1. entrusting different people with conflicting activities or transactions;
  2. instruments that prevent bank staff with businesses outside the bank from exercising inappropriate influence within the bank in relation to their business;
  3. determining the responsibility of members of the management body to refrain from any activity in which they (individually) have or may have a conflict of interest, or where objectivity or ability to properly perform functions in the interest of the bank may be compromised;
  4. establishing appropriate procedures for dealing with related parties. The bank shall consider and establish functional mechanisms that ensure, at a minimum, the conduct of transactions with related parties under objective conditions, based solely on the interests of the bank, full enforcement of all relevant internal control procedures in the case of such transactions, opinion of at least one independent member of the management body on the conclusion of such transactions, approval of transactions by the management body, and limitation of exposure to such transactions;
  5. the terms under which management body members may hold management positions in competing entities, unless they act in the entities within the perimeter of prudential consolidation.
  6. establishing the responsibility of members of the management body to abstain from voting on any matter in which a member has or may have a conflict of interest or in which the member's objectivity or ability to properly perform their duties to the bank could be compromised. [Paragraph 96 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]
97. The conflict-of-interest policy shall cover the risk of conflicts of interest at the level of the management body and provide sufficient guidance on the identification and management of conflicts of interest, which could impede the ability of members of the management body to make objective and impartial decisions to satisfy the interests of the bank. The bank shall take into account the impact that conflicts of interest can have on the independent thinking of the members of the management body. [Paragraph 97 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

98. Current or potential conflicts of interest that have been disclosed to the bank's relevant function shall be properly assessed and managed. In the event of a staff-level conflict of interest, the bank shall document the decision taken, especially if the conflict of interest and related risks have been accepted, and whether the conflict of interest has been mitigated or remedied, and whether it was satisfactory or not. The bank shall inform the National Bank of Moldova no later than 5 working days about any conflict of interest identified, which may have an impact on the independent thinking of a member of the management body, including on the mitigating measures taken. [Paragraph 98 added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

99. All current and potential conflicts of interest at the level of the management body, individually and collectively, shall be adequately documented, communicated to the management body and properly discussed, decided upon and managed by the management body.

Section 7 Internal Alert Procedure

100. The bank shall establish and maintain adequate internal alert policies and procedures that can be used by staff to report potential or actual violations of the requirements of domestic legislation or regulations through a specific, independent and autonomous channel.

101. It is not necessary that a reporting staff have relevant evidence of a violation; however, it should have a sufficient degree of certainty that would provide sufficient grounds for initiating an investigation.

102. To avoid conflicts of interest, the staff shall be able to report violations outside the normal reporting lines, including through the compliance function, internal audit function or an independent internal alert procedure.

103. Alert procedures shall ensure protection of personal data of both the person who reports the violation and the person alleged to be responsible for the violation.

104. Alert procedures shall be made available to all bank staff.

105. The information provided by staff through alert procedures shall, where appropriate, be made available to the management body and other responsible functions, as defined in the internal alert policy. Where staff who reported a violation so requests, that information shall be provided to the management body and other anonymous functions. The bank shall provide for an information communication process that allows for anonymous transmission of information.

106. The bank shall ensure that the person reporting the violation is adequately protected from any negative impacts, including constraints, discrimination or other unfair treatment.

107. The bank shall also protect reported individuals from any adverse effects where the investigation does not find evidence to justify action against that person. Where measures are to be taken, the bank shall take them in a way that seeks to protect that person from unintended adverse effects that go beyond the objective of the measure.

108. In particular, internal alert procedures shall meet the following requirements:

  1. be documented, including staff manuals developed;
  2. provide clear rules to ensure that reporting information, reported persons and violations are treated with confidentiality;
  3. protect staff who may be victimized following the disclosure of reported violations;
  4. ensure the assessment and escalation of potential or actual violations and, as appropriate, reporting to the National Bank of Moldova;
  5. ensure, where possible, confirmation of receipt of information to staff alerting potential or actual violations;
  6. ensure follow-up on the outcome of investigation of a reported violation;
  7. ensure relevant record-keeping.
109. Without prejudice to the possibility of reporting violations to the National Bank of Moldova, bank staff may initially use the internal alert procedures of the bank.

Chapter II POLICY ON APPOINTMENT OF MEMBERS OF THE MANAGEMENT BODY AND PERSONS HOLDING KEY POSITIONS

110. The bank shall have a policy on the appointment of members of the management body and persons holding key positions, to ensure the observance of provisions of Article 43, paragraph (1) of the Law No 202/2017, and shall be adapted to the nature, size, structure, complexity, economic importance, risk profile and business model of the bank. For this purpose, the bank shall demand relevant and reasonable information in order to ensure that the person holds a good reputation, knowledge, skills and expertise, which comply with the nature, extent and complexity of the bank and its entrusted responsibilities. [Paragraph 110 amended by Decision of the NBM No 126 of 25.04.2019, in force 03.06.2019]

111. The policy on appointment of members of the management body and persons holding key positions shall regulate the selection and assessment of the adequacy of candidates for the respective position, setting out, at a minimum, requirements for:

  1. the internal procedure applicable to assessing the adequacy of the candidate for membership in the management body and of persons holding key positions, with an evaluation and related results;
  2. required skills and qualifications of the candidate for the position and the information to be provided to the bank for its evaluation;
  3. measures to ensure that shareholders are informed about the requirements for members of the management body;
  4. circumstances in which the degree of adequacy is reassessed and measures for identifying such situations;
  5. obligation of the candidate applying for the position of member in the management body and of persons holding key positions to notify the bank of any significant change affecting the compliance with the requirements of the National Bank of Moldova through its regulations;
  6. methods used by the bank to provide professional training, if training and/or improvement is required for the candidate applying for the position of member in the management body and persons holding key positions.

111¹. The policy on the appointment of members of the management body and persons holding key functions, in addition to the requirements set out in paragraph 111, shall also include succession planning for members of the management body and persons holding key functions, a policy for promoting diversity within the management body, and a policy for the induction and training of members of the management body and persons holding key functions. [Paragraph 111¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111². When establishing the succession plan, the bank must ensure continuity in decision-making within the bank and prevent, where necessary, a situation in which a large number of persons or all such persons are replaced simultaneously. [Paragraph 111² added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111³. Succession planning should cover at least:

  1. the process for selecting, appointing, reappointing, and planning the succession of members of the management body and key function holders;
  2. the internal procedure for assessing the suitability of the person, including the internal function responsible for providing support in the assessment;
  3. the bank's plans, policies, and processes for dealing with the absence or unexpected departure of members of the management body and key function holders, including any relevant interim measures.

Succession planning should also take into account the objectives and targets defined in the diversity promotion policy. [Paragraph 111³ amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111⁴. The bank should have and implement a policy to promote diversity within the management body to encourage a diverse membership base. This should aim to draw on a wide range of qualities and skills when appointing/electing members of the management body in order to achieve a variety of views and experiences and to facilitate the expression of independent views and sound decision-making within the management body. The bank must ensure compliance with the principle of equal opportunities in the selection of members of the management body. [Paragraph 111⁴ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111⁵. In order to facilitate the creation of a diverse pool of candidates for management positions, the bank must have a diversity promotion policy for employees that includes aspects related to career planning and measures to ensure equal treatment, as well as opportunities for employees of different genders. [Paragraph 111⁵ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111⁶. The diversity promotion policy must refer to at least the following aspects related to diversity: educational and professional context, gender, age, and geographical origin. [Paragraph 111⁶ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111⁷. The bank must have and implement a policy for the induction and training of members of the management body and persons who hold key functions. The bank must ensure that members of the management body and key function holders are trained in order to ensure that they have a clear understanding of the legislation, the bank's internal regulations, its structure, business model, risk profile, and the framework for managing the bank's activities, as well as the role of each member of the management body/key function holder within it. The bank should provide members of the management body and persons in key functions with relevant training programs that are general in nature and, where appropriate, tailored to the individual. The training should promote their awareness of the benefits of diversity at the level of the management body and within the bank. [Paragraph 111⁷ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111⁸. The bank must have primary and secondary internal regulations regarding the induction and training of members of the management body and persons holding key functions. The induction and training policy must be approved by the council of the bank. [Paragraph 111⁸ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111⁹. The bank must allocate sufficient resources to carry out the induction and training of members of the management body and persons who hold key functions at an individual level, where appropriate, at a collective level. These resources must ensure that members of the management body and persons holding key functions are suitable for their roles and comply with the requirements set out in the Regulation on the requirements for members of the management body of a bank and a financial holding company or mixed holding company, managers of a branch of a bank in another state, persons holding key positions and the liquidator of a bank in liquidation, approved by Decision No 292/2018 of the Executive Board of the National Bank of Moldova. [Paragraph 111⁹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111¹⁰. The initiation must stipulate that each person proposed as a member of the management body or as a key function holder must undergo an initiation program to be completed before the person is submitted for approval to the National Bank of Moldova in the context of Article 43 paragraph (5) of Law No 24/2015 on the prevention and combating of money laundering and terrorist financing. [Paragraph 111¹⁰ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111¹¹. The training must provide for each member of the management body and person holding a key function to undergo, on an annual basis, an external training program with a minimum duration of 40 academic hours and be designed to include training in areas related to banking, including the prudential regulatory framework, corporate governance, risk identification, administration, and management, internal control mechanisms, etc. [Paragraph 111¹¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111¹². Primary and secondary internal regulations on the induction and training of members of the management body and persons in key functions should provide for at least:

  1. induction and training objectives for the management body, separately for members of the executive body and members of the council of the bank, and for persons holding key functions. This should include induction and training objectives for functions that involve specificities in relation to the particular responsibilities of members of the management body and involvement in committees;
  2. responsibilities for developing a detailed induction program, where appropriate, training;
  3. the financial resources made available by the bank for induction and training, taking into account the number of induction and training sessions, their costs, and any related administrative tasks to ensure that induction and training courses can be provided in accordance with the policy;
  4. a clear process whereby any member of the management body or person in a key function can request training. [Paragraph 111¹² added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111¹³. When developing the induction and training policy, the management body or the appointment committee, if established, should take into account the input of the human resources function and the function responsible for budgeting and organizing induction and training courses, as well as the relevant internal control functions, where appropriate. The bank should have a process in place to identify areas where training is needed for members of the management body and persons in key functions, on an individual basis, where appropriate, and on a collective basis. The relevant business areas and internal functions, including internal control functions, should be involved, where appropriate, in developing the content of induction and training programs. [Paragraph 111¹³ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111¹⁴. The induction and training policy must be updated in line with changes in the management framework, strategic changes, new products, changes in relevant legislation or market developments, as well as other changes deemed relevant by the bank in the context of this policy. [Paragraph 111¹⁴ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

111¹⁵. The bank must implement a process to ensure the evaluation of the induction and training programs offered and to ensure compliance with the policies and procedures regarding induction and training. [Paragraph 111¹⁵ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Chapter III REMUNERATION POLICY

Section 1 General Principles

112. The bank shall have a gender-neutral remuneration policy that contributes to prudent risk management and does not favor risk-taking that exceeds the level of risk acceptable to the bank, based on the principles set out in Article 39 of Law No 202/2017 and abiding by the normative acts of the National Bank of Moldova, developed for the implementation of Law No 202/2017. [Paragraph 112 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

112¹. A gender-neutral remuneration policy must ensure that all aspects of the policy are gender-neutral, including the conditions for granting and paying remuneration. The bank must be able to demonstrate that the remuneration policy is gender-neutral. [Paragraph 112¹ amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

113. The remuneration policy of the bank for all staff shall be linked to the objectives of the business strategy and risk strategy of the bank, including the business model, corporate culture and values, the bank's long-term interests and measures preventing conflicts of interest. Changes to these objectives and measures shall be considered in the process of updating the remuneration policy.

114. The bank shall ensure that remuneration practices are aligned with the general risk appetite of the bank, considering all risks, including reputational risks and risks arising from the abusive sale of products, and considering the long-term interests of shareholders and other stakeholders.

115. The remuneration policy shall support the bank in building and maintaining a viable capital base in accordance with Article 63, paragraph (1), of Law No 202/2017, and shall consider, as appropriate, the restrictions on distributions provided by the normative acts of the National Bank of Moldova related to equity and capital amortization.

116. The remuneration policy shall contain, at a minimum, the following provisions:

  1. bank's performance objectives, areas of activity and staff;
  2. performance measurement methods, including performance criteria;
  3. structure of variable remuneration, including instruments in which parts of variable remuneration are provided;
  4. ex-ante and ex-post measures to adjust variable remuneration according to the level of risk assumed.
117. The bank shall ensure that possible conflicts of interest caused by payment through instruments as part of variable or fixed remuneration are properly identified and managed. This implies that compliance with the rules on non-admission of insider trading on the capital market is ensured and no action is taken that could have a short-term effect on the price of shares or instruments.

118. The remuneration policy shall be adjusted to the specific situation of the bank, also considering that bank staff, including members of the executive body, persons holding key positions, are also direct or indirect holders, including in their capacity of actual beneficiaries, of shares in bank capital.

119. Under Article 39, paragraph (1), item (c), of Law No 202/2017, the periodic assessment of compliance with internal remuneration policies, procedures and rules shall be performed by the bank's internal audit function. In making that assessment, it shall ensure that remuneration policies, practices and processes:

  1. operate as intended, especially if they are complied with;
  2. whether the remuneration payments are appropriate according to the business model, risk profile, long-term objectives and other objectives of the bank and are adequately reflected;
  3. are consistently implemented within the bank and ensure compliance with the provisions of Law No 202/2017 and normative acts issued in support thereof and do not limit the ability of the bank to maintain or restore a solid capital base under Article 63, paragraph (1), of Law No 202/2017.

Section 2 Identified Staff

120. The bank shall carry out an annual assessment to determine the identified staff. The identification process shall be part of the bank's remuneration policy.

121. The assessment shall be clear, consistent, well documented and regularly updated throughout the year. The bank shall ensure that staff who fall or could fall into the category of identified staff for a period of at least three months in a financial year is treated as identified staff. [Paragraph 121 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

122. The management body shall have the ultimate responsibility for the identification process and policy. Regarding the remuneration policies, the council shall have the following responsibilities:

  1. approve the identification process policy as part of the remuneration policy;
  2. participate in the development of the assessment methodology;
  3. ensure that the staff identification assessment is correctly conducted;
  4. continuously monitor the identification process;
  5. approve any significant exemptions from the adopted policy or its amendments, carefully review and monitor their effect;
  6. periodically review the approved policy and, if necessary, amend it.
123. The remuneration committee or the council of the bank, as appropriate, shall actively participate in the identification of identified staff in accordance with its responsibilities.

124. The risk management committee shall be engaged in the process of determining such staff, without prejudice to the tasks of the remuneration committee, to analyze whether the incentives offered by remuneration policies and practices take into account risks, capital, liquidity, as well as the probability and timing of the bank's earnings. [Paragraph 124 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

125. The bank shall ensure adequate exchange of information between the management body and the internal functions involved in the process of determining the identified staff. The identification process and its outcomes shall be subject to an independent internal or external review.

Section 3 Fixed Remuneration

126. Fixed remuneration of identified staff shall reflect their professional experience and organizational responsibility, considering the level of education, length of service, competence level and skills, experience in the bank, and relevant business experience outside the bank.

127. Under Article 39, paragraph (1), item (g), of Law No 202/2017, staff shall not be dependent on variable remuneration, as incentives are thus created for short-term risk taking, including abusive sale of products, where, without assuming this short-term risk, the performance of the bank or staff would not allow for variable remuneration.

128. The remuneration is fixed when the terms of its provisions and its value are cumulatively met:

  1. are based on predetermined criteria;
  2. are non-discretionary, reflecting the level of professional experience and seniority of staff;
  3. are transparent about the individual value provided to the individual staff member;
  4. are permanent, i.e. maintained for a period linked to the specific role and organizational responsibilities;
  5. are irrevocable;
  6. the permanent value is changed only by collective bargaining or following a renegotiation in accordance with the criteria for determining the salaries, provided for by the legal framework;
  7. may not be reduced, suspended or canceled by the bank except in the cases expressly provided for in the relevant legal framework;
  8. do not provide incentives for risk taking;
  9. do not depend on performance.

129. When the clear allocation of a component as fixed remuneration is not possible based on the criteria set out in paragraph 128, it should be considered variable remuneration.

130. Remuneration components that are either part of a remuneration policy at bank level and meet the conditions listed in paragraph 128, or are mandatory payments under the current legislation, are regarded as fixed remuneration.

131. The following remuneration components shall also be considered to be fixed where all similar situations are treated consistently:

  1. remuneration paid to seconded staff, considering the cost of living and tax rates in another country;
  2. allowances used to increase the fixed base salary where staff work abroad and receive less pay compared to the local labor market for a comparable position if the following conditions are cumulatively met:
     (a) the allowance is paid in a non-discriminatory manner to all staff in a similar situation;
     (b) the allowance is provided because staff temporarily work abroad or in another position, with a level of remuneration that needs adjustment to reflect the payment levels in that market;
     (c) the level of additional payments is based on predetermined criteria;
     (d) the allowance duration is related to the duration of the situation referred to above.

Section 4 Special Cases of Remuneration Components

132. Variable and fixed remuneration paid to bank staff may consist of various elements, including payments or additional or ancillary benefits. The bank shall review the benefits and allocate them to the variable component of remuneration provided that the criteria set out in Section 5 of this Chapter are met, or fixed remuneration provided that the criteria set out in Section 3 of this Chapter are met.

133. Where the benefits are based on the role, function or organizational responsibility of staff, and for adequate fitting under the fixed component of remuneration, they shall meet the criteria set out in paragraph 128, considering the following particular aspects:

  1. the benefit is related to an organizational role or responsibility and is provided as long as there are no major changes in the responsibilities and duties of the role, as a result of which staff would actually have another role or other organizational responsibility;
  2. the value does not depend on any other factor aside from fulfilling a certain role or a certain organizational responsibility and the criteria provided for in paragraph 126;
  3. any staff member who fulfills the same or similar organizational responsibility and is in a similar situation would be entitled to a similar benefit, without prejudice to paragraph 126.

Section 5 Variable Remuneration

134. Variable remuneration may consist of financial instruments and/or money. Banks, as appropriate, shall establish a balanced ratio of financial instruments to variable remuneration in cash.

135. The variable remuneration ratio in financial instruments, calculated as a coefficient of the amount of variable remuneration in financial instruments and the amount of variable remuneration in cash, may be no more than 0.5. All amounts shall be valuated at the time of award.

136. Variable remuneration in financial instruments shall be subject to an adequate conservation policy designed to align incentives with the bank's long-term interests and may be a balanced combination of the following:

  1. shares or other securities equivalent to shares;
  2. other financial instruments within the meaning of paragraph 16 of the Regulation on Banks’ Equity and Capital Requirements approved by Decision of the Executive Board of the National Bank of Moldova No 109/2018, or which may be fully converted into basic level 1 own funds instruments.

137. Upon providing guaranteed variable remuneration in recruiting new staff, the bank shall not be allowed to guarantee variable remuneration for a period longer than the first year of employment.

138. The bank shall provide guaranteed variable remuneration only once to the same staff member. In situations where staff conclude a new contract with the same bank, guaranteed variable remuneration shall no longer be payable.

139. The bank shall not include the amount of guaranteed variable remuneration in calculating the ratio between the fixed and the variable component of total remuneration for the first performance period where the guaranteed variable remuneration is provided upon recruitment of new staff before the start of the first performance period.

Section 6 Compensatory Payments

140. The bank's remuneration policies shall specify the possible use of compensatory payments, including the maximum amount or criteria for determining those values that may be provided to identified staff as compensatory payment.

141. Compensatory payments shall be regarded as variable remuneration.

142. Regular remuneration payments related to the length of a prior notice period shall not be considered as compensatory payments.

143. In cases of contract termination, compensatory payments shall not provide disproportionate compensation, but adequate compensation of the staff member. Compensatory payment should not be granted when there is a clear failure providing for immediate contract termination or staff dismissal.

144. Failures of identified staff shall be assessed on a case-by-case basis and include the following situations:

  1. when a member of the management body or a person holding a key position is no longer considered to meet the standards of good repute, competence and appropriate qualification;
  2. when an identified staff member has participated in, or is responsible for, a conduct that caused significant losses to the bank;
  3. when an identified staff member acts contrary to applicable law and internal regulations.

145. The following amounts of compensatory payments shall neither be considered for purposes of calculating the ratio between the fixed and the variable component of remuneration, nor for the enforcement of deferral and payment in financial instruments:

  1. compensatory payments under the labor law, which are mandatory per court order;
  2. payments made for loss of service if they are subject to a non-competition clause stipulated in the contract and paid in future periods up to the amount of the fixed remuneration that would have been paid for the non-compete period if the staff were still employed.

Section 7 Remuneration of Members of the Council of the Bank and Staff of Internal Control Functions

146. Remuneration of the members of the council of the bank shall be consistent with their prerogatives, tasks, experience and responsibilities.

147. To properly address conflicts of interest, remuneration of the council’s members shall not include incentive-based mechanisms based on bank performance. The reimbursement of costs to the members of the council and payment of a fixed amount per hour or work day, even if the time to be paid/compensated is not predefined, shall be considered fixed remuneration.

148. Internal control functions shall be independent and have sufficient resources, knowledge and experience to carry out their tasks with regard to the remuneration policy of the bank. Internal control functions shall actively and periodically cooperate with each other and with other relevant functions and committees on remuneration policy and risks that may arise from remuneration policies.

149. Remuneration of staff of internal control functions shall enable the bank to employ qualified and experienced staff in these functions.

150. Remuneration of internal control functions shall be predominantly fixed to reflect the nature of their responsibilities.

151. The methods used to determine the variable remuneration of internal control functions shall not compromise staff objectivity and independence.

TITLE IV INTERNAL CONTROL MECHANISM AND ORGANIZATION OF INTERNAL CONTROL FUNCTIONS

Chapter I INTERNAL CONTROL MECHANISM REQUIREMENTS

152. The bank shall have its own internal control mechanism, which shall ensure efficient bank management, safe and prudent financial activities, compliance with legal provisions, and protection of the interests of depositors and other creditors of the bank.

153. The objectives of internal control are: to identify, adequately monitor and minimize the risks associated with financial activities carried out, exercise control over bank compliance with the legislation, ensure security of information, transparency of ownership and control over the bank, conflict resolution, required level of security appropriate to the nature, character and volume of transactions made.

154. Upon designing, organizing and implementing the internal control mechanism, the bank shall consider the volume, number, type, complexity and diversity of transactions, the degree of risk associated with each area of activity, volume of control by management bodies over daily operations, degree of centralization and/or decentralization of the bank, degree of use of the information system.

155. Upon designing, organizing and implementing the internal control mechanism, the bank shall determine the scope and type of internal control procedures to be implemented. The factor linked to the cost of establishing and maintaining the internal control mechanism shall not serve as a reason for failing to implement adequate and effective internal control procedures.

156. The bank’s internal control mechanism shall involve the participation of the bank's management body and its staff, regardless of the position held, to contribute to an increase in bank revenues, minimize expenses, ensure authorization and execution of expenses according to purpose, adequate protection of assets, limitation and accurate recording of obligations, limitation and/or mitigation of risks.

157. The internal control mechanism shall ensure, at a minimum, the following:

  1. activities are planned and conducted in an orderly, prudent and efficient manner;
  2. transactions and operations are performed and commitments are met in accordance with the limits of professional and functional competencies of members of the management body and bank staff;
  3. the management body is able to ensure asset protection and control of transactions with liabilities, existence of measures to minimize the risk of losses, violations and frauds, errors, as well as measures to identify them, to manage the appropriate level of capital, liquidity, profitability and the quality of bank assets, and to determine the risk of losses in the course of transactions and required reserves for possible losses on loans and other assets, as well as off-balance-sheet commitments;
  4. the management body shall be able to ensure that complete and accurate reports are compiled in accordance with regulatory acts, and that reliable, complete and timely information is provided in accounting records and other registers;
  5. corporate governance allows the management body to pursue objectives that are in the bank's interest and facilitate effective monitoring of its business;
  6. the management body shall be able to regularly organize, supervise and verify the integrity of bank property and means of security.

Chapter II REQUIREMENTS FOR INTERNAL CONTROL ACTIVITIES AND PROCEDURES

158. Internal control activities shall be tailored to the specific nature of bank activity and be consistent with the way it is structured, organized and managed, the type, volume, number and complexity of transactions and operations conducted, and shall include, at a minimum, the following:

  1. organizational and administrative controls;
  2. methods of activity management;
  3. separation of functions and obligations;
  4. procedures for authorizing and approving activities;
  5. record-keeping procedures;
  6. security procedures;
  7. verification procedures;
  8. assessment procedures;
  9. risk management and control procedures;
  10. business continuity procedures.

159. Within the framework of organizational and administrative controls, the bank shall develop and have, at a minimum:

  1. explicit documents about the objectives of the bank's short- and long-term policies and strategies;
  2. documents describing the functions and duties of staff, manner of reporting and communication;
  3. documents describing the accounting, opening/modification/closure of bank accounts, documentation on the accounting system, including a registry of changes in the system, indicating the date and names of persons who authorized and executed their implementation;
  4. documents containing the description of procedures for internal control in all areas of activity, including daily, automated and manual operational controls;
  5. a register with the signatures of authorized persons, including specimens of signatures, determining for each of these persons the limits of their professional and functional competencies (powers); the registry shall be updated based on changes in circumstances related to topics specified in the register;

  6. documents related to the regulation of outsourcing processes for certain activities, also including the requirements for adjustment and improvement of the internal control mechanism, internal reporting system and internal audit function, to ensure that outsourced activities do not affect the bank's ability to conduct effective corporate governance;
  7. a register of minutes of the general shareholders’ meeting, specifying the topics discussed; a register of internal documents; correspondence with legal/physical persons, with state bodies, including law enforcement bodies, on credits and other assets;
  8. clear procedures for knowing the direct, indirect owners of bank shares, including their actual beneficiaries, as well as the bank's knowledge of any concerted activities and links between the bank's owners and its debtors;
  9. clear procedures for knowing the bank’s related parties, including knowing all the criteria for affiliation of members of the council of the bank and the bank;
  10. security procedures for bank assets against theft, abuse, misuse and any form of destruction;
  11. independent and objective evaluation procedures for real and personal securities, which shall determine the way and criteria for selecting individuals for the assessment of real and personal securities, which may be third parties or an internal function, methods for monitoring the value of real and personal securities, methods for assessing the opportunity and correctness of the methodology applied by the bank to estimate the value of real and personal securities.

160. Within the framework of activity management methods, the bank shall ensure, at a minimum, that the following activities shall be carried out by relevant subdivisions:

  1. monitor the size of exposures to risk, with regularity (permanently, daily, weekly, monthly and/or quarterly), within the established limits; develop reports on this monitoring, indicating specific risk positions that have exceeded the established limits;
  2. develop procedures for the identification, reporting and liquidation of violations and shortcomings at the workplace, ensuring the correct and systematic assessment of commitments in relation to the established limits, written explanations of actions regarding positions that exceed the admissible limits and indication of positions which are close to exceeding these limits;
  3. develop procedures that ensure regular and reliable transmission of accurate and complete information to the bank's management body and relevant control functions;
  4. regular review of established policy and procedures for conducting transactions involving credit risk and other transactions, quality of the credit portfolio, transactions involving advance payments, placements with other banks, and securities provided to detect in a timely manner problems related to these transactions, also providing to relevant control functions and management body the possibility to assess their impact on bank activity, but especially on its stability;
  5. periodically review, in accordance with the bank's internal policies, realized and missed profits and losses arising from financial assets available for sale;
  6. verify on a monthly basis current performance reports and performance analysis, both separately and in a consolidated manner, compared to operational budgets and results of the previous reporting period;
  7. obtain, hold and update per Annex 1 and Annex 2 of this Regulation the documents and relevant information concerning: a) direct, indirect owners, including actual beneficial owners, of holdings in bank capital; b) borrowers of the bank who have benefited from loans and financial leasing, including direct, indirect holders and their beneficial owners, except:
  • debtor banks that have benefited from loans and financial leasing;
  • debtors to whom the bank has granted loans and financial leases, whose total balance for a debtor does not exceed the limits set out in paragraph 9 item h) of the Regulation on assets and conditional commitments classification, approved by the DCA of the NBM No 231/2011;

     The information received from the debtor and/or from other reliable and independent sources is submitted by filling out a questionnaire, which is confirmed by the debtor through signature. For debtors, whose total balance is below the thresholds set out above, banks shall develop simplified questionnaires aimed at identifying their degree of affiliation with the bank.
  8. existence or lack of affiliation of members of the council of the bank to the bank, except for the affiliation determined by membership in the council of the bank;
  9. verify the tax status and obligations of the bank based on the tax legislation;
  10. regularly check the technical condition of physical security means of the bank and its assets.

[Paragraph 160 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

[Paragraph 160 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

161. The bank shall ensure that the methods of management, manner of information accumulation, assessment, submission, its degree of detail shall vary according to the hierarchical level of staff handling this information. Similarly, the importance and methods shall determine the appropriate level of staff required to perform the instructions.

162. The bank shall ensure separation of functions and obligations to reduce the risk of intentional manipulation, violations or errors and enhance the effectiveness of control over the bank's transactions and operations. To this end, the bank shall have procedures for the separation of functions and obligations to ensure, at a minimum, that:

  1. different people are responsible for keeping registers, assets, authorizing, initiating and supervising transactions and commitments assumed;
  2. authorization/approval, execution, registration, custody (keeping), registry design and registration and electronic recording system functions, their application in daily operations, are separated;
  3. separation is made in such a way that no person may in any way (intentionally or unintentionally) acquire the assets of the bank or clients.

163. The bank's authorization and approval procedures shall ensure, at a minimum, the following:

  1. performing transactions and operations in accordance with their authorization and approval requirements, which provide for establishment of limits according to powers held and terms of granting an authorization/approval by the bank’s management;
  2. performing transactions and operations in accordance with decisions of the bank's management bodies and assigned powers of authorization and approval.

164. The bank's recordkeeping procedures shall ensure, at a minimum, the following:

  1. accurate recording of authorized/approved transactions, existing and future, spot, forward or any other types of derivatives in the accounting records in a manner that ensures that they can be recorded on the balance sheet in the period in which they are reflected and in the profit and losses report in the period to which they relate;
  2. impossibility of recording economic facts and transactions that do not correspond to reality;
  3. de facto existence of past assets and liabilities in the books or other types of registers;
  4. daily recording of transactions, full, adequate and timely reflection of all transactions in the bank's bookkeeping, and development of the balance sheet at the end of each day;
  5. performing full and effective control over accounting books and electronic records and bookkeeping systems;
  6. verifying the arithmetical correctness of records; keeping and verifying totals, verifying settlement accounts and checking balances; checking documents through the accounting system; reporting detected errors and misstatements to the executive body;
  7. keeping (entering in the registry) of documents that serve as basis for transaction recording and which prove that it has been entered in the accounting records or other registries.

165. The bank's security procedures shall include requirements for protection systems and equipment, in particular regarding physical security of portable, negotiable, exchange and bearer assets and goods, by using locked filing cabinets for unused strict registration forms, as well as requirements for protection of cash, securities, which shall ensure, at a minimum:

  1. physical security and physical custody of its own assets, assignment of responsibility to some authorized persons, whose functions are not tied to keeping the accounting records;
  2. limitation of both direct and indirect physical access to assets and goods, by granting access only to authorized persons;
  3. security and custody of goods held on behalf of clients or other persons, either on their behalf or in the name of a person appointed in their place;
  4. protection of bank books and other types of registries.

166. The bank shall have verification procedures that ensure, at a minimum, the following:

  1. permanent compliance of accounting books with the assets, documents and settlement accounts concerned. The periodicity of verification shall be determined by the volume and type of transactions passed through a certain verified account and by the balance sheet size (balance);
  2. determining the nature and volume of differences detected after verification; investigating verification positions, including clearing, and subsequently, as appropriate, adjusting accounting books with the authorization of persons having such mandates;
  3. justifying the differences between the balance sheets at the end of a reporting period and the beginning of another period, and reporting any other divergences to persons with such mandates;
  4. rapid exchange of transaction confirmations;
  5. organizing, performing and verifying daily primary control over transactions and operations carried out, as well as canceled ones.

167. The bank's valuation procedures shall ensure, at a minimum, the following:

  1. assets held for sale and/or trading are regularly revalued at prices independently verified by other persons who manage these assets (under the responsibility of the back/middle office);
  2. value of off-balance sheet assets, liabilities, rights and obligations is reviewed and evaluated on a regular basis, but not less than once a year (except for fixed assets (buildings, special constructions), the value of which changes insignificantly the bank’s accounting);
  3. reserves and other adjustments related to these assets are formed and recorded to ensure compliance with the provisions of the legislation, including normative acts of the National Bank of Moldova, accounting standards and accounting policy of the bank.

168. In risk management and control processes, the bank shall be guided by risk management policies and shall have procedures ensuring management and control of both risks that are controllable by the bank (assets and liabilities, and off-balance sheet items, insurance clauses) and uncontrollable ones (general economic events and conditions, competitive environment, natural disasters, terrorist acts).

169. Risk management procedures in the case of controllable risks shall contribute to the bank's decision to fully assume those risks or take partial action and reduce them through control procedures. In the case of uncontrollable risks, these procedures shall ensure that the bank can decide whether to accept or eliminate or reduce the level of activities affected by those risks.

170. The bank shall have procedures to ensure business continuity and, in this respect, the bank shall take all necessary measures to ensure business continuity at any time, regardless of circumstances and in all business lines. For this purpose, the bank shall develop and implement procedures to ensure maintenance and/or restoration of core activities in the event of a malfunctioning incident.

171. To ensure a complex and efficient approach to planning and ensuring business continuity, the bank shall review, at a minimum:

  1. risks that could lead to incidents capable of creating malfunctions in the bank's core business;

  2. impact of incidents on core activities;
  3. strategies for restoring basic activities and their continuity plans;
  4. business continuity procedures’ test plans;
  5. bank staff training programs;
  6. crisis communication and crisis management programs;
  7. plans and procedures to ensure the continuity of outsourced and restoration activities as a result of exceptional circumstances identified based on risk analysis, which are periodically tested to ensure their compliance with policies and procedures on outsourcing.

Chapter III ORGANIZATION OF INTERNAL CONTROL FUNCTIONS

Section 1 General Provisions for Internal Control Functions

172. Internal control functions shall include a risk management function, a compliance function and an internal audit function. The risk management and compliance function shall be verified by the internal audit function.

173. The risk management function and compliance function may be combined, but the internal audit function shall not be combined with another internal control function.

174. Where the bank is a subsidiary of a bank licensed in a foreign state and in the case of a branch of a bank from a foreign state, the internal control functions shall comply with the principles established by the home bank provided the observance of requirements set out in the national legislation and this Regulation.

175. Internal control functions shall have access to sufficient financial and human resources to exercise their role. They shall have a sufficient number of qualified staff. Staff shall be permanently qualified and receive training, as appropriate.

176. Internal control functions shall have adequate IT systems and assistance, with access to internal and external information required to exercise their responsibilities. They shall have access to all required information on all business lines that carry risks, in particular those that may give rise to significant risks to the bank.

177. Internal control functions shall be independent. The following criteria shall be met:

  1. internal control staff do not perform operational tasks that fall within the scope of activities that internal control functions are intended to monitor and/or control;
  2. they are organizationally separate from activities they are entrusted with monitoring and/or controlling;
  3. without prejudice to the overall responsibility of members of the management body of the bank, the head of the internal control function shall not be subordinated to a person who is responsible for the management of activities monitored and controlled by the internal control function;
  4. remuneration of staff who perform internal control functions shall not be related to the performance of functions that the internal control function monitors and/or controls, and shall therefore not undermine their objectivity.

178. Heads of internal control functions shall be appointed by the council of the bank and may not be dismissed/fired without prior approval by the council of the bank.

179. The council of the bank shall give the heads of supervisory functions the authority and status required to exercise their responsibilities and ensure their independence from the lines of business and subdivisions that they control. To this end, the heads of control functions shall be directly responsible to the council of the bank. The performance of control functions shall be reviewed by the council of the bank or by the appointment committee, informing the council of the bank about the results of the review.

180. The heads of internal control functions shall be able to access and report directly to the council of the bank to signal problems and to alert the council of the bank, as appropriate, of any specific developments affecting or likely to affect bank activity.

181. The bank shall have documented processes for assigning the position of head of the internal control function or for withdrawing his/her responsibilities. The bank shall promptly inform the National Bank of Moldova of the appointment or dismissal and of the main reasons for dismissal/firing of the head of the internal control function.

182. The risk management function and compliance function shall be involved in the approval of new products or significant changes to existing products, processes and systems. Their contribution shall include a full and objective assessment of risks arising from new activities, in a variety of scenarios, of any deficiencies in the risk management and internal control frameworks, as well as the bank’s ability to effectively manage any new risk. The risk management function shall have a clear vision and insight into the introduction of new products (or significant changes in existing products, processes and systems) between different lines of business and portfolios, but also the power to request that changes of these products be approved at the level of the management body.

183. The operational tasks of internal control functions shall be partially or fully outsourced, but the heads of internal control functions and the management body shall remain accountable.

Section 2 Role and Responsibilities of the Risk Management Function

184. The bank shall have the risk management function under the direct supervision and responsibility of the council of the bank, the independence of which shall be ensured by reporting directly to the council of the bank. The risk management function shall be appropriate to the nature, size and complexity of bank activity and with consideration for the nature, scale and complexity of various risks to which the bank is exposed.

185. The risk management function shall not be limited to the right of access to the information and processes deemed necessary to form its opinion and draw conclusions and shall not be involved in the direct conduct or recording of transactions and/or operations of the bank.

186. The council of the bank shall ensure that the risk management function is actively involved at an early stage in developing the bank's risk strategy and ensuring that it has in place effective risk management processes. The risk management function shall provide to the council of the bank all relevant risk information to enable it to determine the bank's risk appetite. The risk management function shall assess the robustness and sustainability of the risk management strategy and risk appetite.

187. The risk management function shall be, at a minimum, responsible for the following:

  1. identifying the risks to which the bank is exposed, measuring, evaluating and monitoring those risks and the actual bank exposure to the risks involved;
  2. determining the capital and liquidity position in the context of risks to which the bank is exposed;
  3. monitoring and assessing the consequences of accepting certain risks, mitigating their impact and matching the level of risk to the level of risk tolerance;
  4. reporting to the bank's management body and issuing relevant recommendations.

188. The role of the risk management function in identifying, quantifying, assessing, managing, mitigating, monitoring, and reporting risks shall be to:

  1. ensure that all risks have been appropriately identified, evaluated, quantified, monitored, managed, and reported by relevant subdivisions of the bank;
  2. ensure that identification and evaluation are not solely based on quantitative or model results, but also take into account qualitative approaches, and keep the management body informed of the assumptions used and possible shortcomings of risk models and risk analysis;
  3. ensure that related-party transactions are reviewed and that the risks they pose to the bank are identified and properly assessed;
  4. ensure that all identified risks are effectively monitored by relevant operational subdivisions of the bank;
  5. periodically monitor the bank's actual risk profile and review it in relation to strategic objectives and risk appetite;
  6. review trends and recognize new or emerging risks and analyze the increased risks arising from changing circumstances and conditions. Also, periodically review current risk outcomes against previous estimates to assess and improve the accuracy and effectiveness of risk management processes;
  7. assess possible ways to reduce risks. Reporting to the management body should include proposing appropriate risk mitigation measures.

189. The risk management function shall continuously collaborate with the council of the bank and specialized committees of the council of the bank, in particular with the risk management committee, to make appropriate decisions regarding the bank’s exposure to risks. In addition to regular reporting, the risk management function shall report to the council of the bank on significant risks to which the bank is exposed.

190. The risk management function shall independently assess breaches of risk appetite or limits, including determination of the cause and conduct a legal and economic analysis of the actual cost of closing, reducing or covering exposure in relation to the potential cost of its maintenance. The risk management function shall inform the operational subdivisions concerned and the management body and shall recommend possible remedies. The risk management function shall report directly to the council of the bank when a violation is significant, without prejudice to the risk management function’s reporting to/informing other specialized functions and committees.

191. Prior to making a decision on significant changes, exceptional transactions or significant individual transactions, the risk management function shall be involved in assessing the impact of such changes and transactions on the overall risk of the bank, assess how the identified risks may affect the ability of the bank to manage its risk profile, liquidity and capital under normal and unfavorable conditions, and report its findings directly to the management body before making a decision.

192. The risk management function staff shall have sufficient experience and qualifications, including knowledge of the market, products, risk management techniques and procedures, and shall have access to regular training.

193. The head of the risk management function shall report directly to the council of the bank on developments contrary to risk tolerance set out in the bank's strategies and policies and shall report this to the members of the executive body and, where appropriate, the audit committee.

194. Without any obstacles, the head of the risk management function shall report and have direct access to the council of the bank or risk management committee. The interaction between the head of the risk management function and the relevant council/control functions shall take place on a regular basis and the head of the risk management function shall be able to meet with the risk management committee or the council of the bank without the presence of members of the executive body.

195. The head of the risk management function shall have the organizational status, authority and skills required to supervise the bank's risk management activities. The head of the risk management function shall have access to all the information required to fulfill his/her obligations in relation to the position held.

196. The head of the risk management function shall have the ability to interpret and manage risks in a clear and comprehensive manner and engage whenever necessary in constructive discussions with the parties concerned on key issues of risks.

197. The head of the risk management function may participate in meetings of the bank's credit committee without a voting right, or the council of the bank may confer him/her the right to veto the decisions of that committee. His/her participation shall be conditional on the benefits it brings to the decision-making process by providing information on potential exposures (and underwriting practices).

198. The bank may have a member in the executive body with overall responsibility for the risk management function of the bank (Chief Risk Officer, CRO). The activity of this person shall be separate and distinct from other executive functions and shall not be combined with other functions of members of the management body linked to profit generation, to the heads of internal control functions, except for the head of the risk management function; or the head of the combined function per paragraph 173.

199. The CRO has the primary duty to supervise the development and implementation of the risk management function within the bank. This includes the continuous strengthening of staff skills and improvement of systems, policies, processes, quantitative models and risk management reports needed to ensure that the risk management capabilities of the bank are robust and effective enough to fully support the strategic objectives and all activities involving risks.

200. The CRO is responsible for assisting the council in its commitment to supervise the bank's risk appetite and risk appetite report and the transposition of the risk appetite into a risk-based structure. The CRO, together with the executive, shall be actively involved in monitoring performance against risk-taking and adherence to risk limits. The CRO's responsibilities also include managing and participating in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services, remuneration design and operation).

201. The CRO shall be independent and have distinct responsibilities from other executive functions. This requires the CRO to have access to all the information required to carry out his/her tasks. The CRO, however, shall not have financial or managerial responsibility for business lines or revenue-generating functions and there shall be no cumulation of functions. While formal reporting lines may vary depending on the bank, the CRO shall report and have direct unimpeded access to the council or the risk management committee. The CRO shall be able to interpret and address risks in a clear and understandable way and effectively engage in a constructive dialogue with the council and executive body of the bank on key issues related to risks. The interaction between the CRO and the council and/or the risk management committee shall take place regularly and the CRO shall be able to meet the risk management committee or council without the presence of members of the executive body.

Section 3 Role and Responsibilities of the Compliance Function

202. The bank shall have an independent compliance function that is not involved in any activity and business line support, and whose independence of activity shall be ensured by reporting directly to the council of the bank.

203. The role of the compliance function is to assist the management body in identifying, evaluating, monitoring and reporting the risk associated with bank activity by providing advice on the suitability of business conducted with the provisions of the regulatory framework, its own rules and standards, code of conduct and providing information on developments in this area.

204. The compliance function shall not be involved in the direct performance, support or recording of the bank's transactions and/or operations, or cumulate with a function of performing, supporting or recording transactions and/or operations of the bank.

205. The compliance function staff shall issue recommendations to the bank’s management body on compliance with laws, rules and standards, including their briefing on the current situation in the field and possible impact of any changes on the bank.

206. The responsibilities of the compliance function shall be fulfilled based on a program comprising, at a minimum:

  1. implementation and review of specific policies and procedures;
  2. assessment of compliance risk, testing and informing bank staff on compliance issues;
  3. checking the conformity of new products and new regulatory framework procedures and amendments included in the adopted normative acts, the provisions of which shall become applicable subsequently;
  4. developing and applying methodologies for assessing compliance risk through performance indicators (assuming any identified violations and/or deficiencies, as well as recommended remedies to eliminate them) that shall be developed by processing, aggregating or filtering data indicating potential compliance issues;
  5. monitoring and testing compliance based on relevant tests and communicating the results according to the bank's reporting lines in accordance with internal risk management procedures.
207. The compliance function staff shall have the following rights:
  1. communicate upon their own initiative to any bank staff and have access to any records, information or documents required to enable them to fulfill their responsibilities;
  2. investigate possible violations of compliance policy and freely disclose the findings to management bodies;
  3. propose corrective recommendations for detected instances of non-compliance.
208. Where investigations reveal irregularities or violations of the compliance policy, the head of the compliance function shall report immediately to the council of the bank and inform the executive body.

209. The head of the compliance function shall regularly report to the council of the bank on any matters relating to compliance risk and on the compliance function.

210. The compliance function staff shall have the required qualifications, experience and personal and professional qualities that enable them to carry out these specific activities. They shall also have good knowledge of the regulatory framework and professional and ethical standards.

Section 4 Role and Responsibilities of the Internal Audit Function

211. The bank shall have an internal audit function under the direct responsibility of the council of the bank, which differs from the primary control performed by a subdivision that provides daily control over transactions and operations. To ensure efficiency of the internal audit function, the bank's management shall ensure the independence of the internal audit function from the executive body and direct reporting to the council of the bank. The head of the internal audit function shall not be a party related to the bank, except for the affiliation determined by the capacity of head of the internal audit function.

212. The main purpose of the internal audit function is independent, impartial and objective assessment of adequacy and effectiveness of the management framework in accordance with the provisions of the legal and regulatory framework, including this Regulation, the bank’s bylaws, and reporting of results to the council of the bank, the audit committee and informing the executive body to improve bank activity indicators by systematically and orderly applying the methods of evaluation and improvement of the internal control mechanism within the bank.

213. To achieve the main purpose, the internal audit function shall have the following rights:

  1. initiative on communication with any bank staff;
  2. review any activity of any subdivision of the bank structure, including branches of the bank and, where appropriate, related parties;
  3. have access to the information and data communication regime, to any internal records, files and information, including information for the bank’s management;
  4. have access to minutes and other similar materials of all decision-making and advisory bodies that are relevant to the performance of its duties;
  5. propose to the council of the bank the hiring of external consultants to understand a specific audited area;
  6. have sufficient resources, including an adequate number of qualified IT staff.
214. The internal audit function shall have, at a minimum, the following responsibilities:
  1. develop, based on the risk-based approach, implement and revise, at least annually, the internal audit plan(s) approved by the council of the bank, including the assessment of systems used by the bank to identify, estimate, monitor and control the risks to which it is exposed;
  2. assess the quality and verify compliance with the bank's policies and procedures in all bank activities and subdivisions, the risk analysis and risk management methodology, analyze stress test scenarios and control mechanisms identifying whether they are sufficient and appropriate to the activity carried out;
  3. verify the continuous monitoring of risks that could affect financial activities (credit, operational, market, interest rate, liquidity, country, conversion, reputational and other risks that may occur in the course of the bank’s financial operations);
  4. verify accounting and other records and analyze transactions against financial reports, verify that the current analysis of financial position, including capital, is analyzed based on the level of risk assumed by the bank;
  5. organize and ensure control through systematic inspections in subdivisions of the bank regarding compliance of their activity with the provisions of legislation, normative acts in support thereof and bank bylaws;
  6. issue recommendations following control to eliminate and prevent the repeated occurrence of detected violations and shortcomings, as well as streamline and develop the activity;
  7. supervise the implementation of recommendations issued as a result of control and monitor the liquidation of detected violations and shortcomings;
  8. ensure preparation of documentation related to each control, reflecting the findings of control results that contain the identified problems and proposals for their liquidation, and submit it to the council of the bank, audit committee, executive body and appropriate subdivisions for taking required measures;
  9. inform in due course, according to bank bylaws, the council of the bank and/or the audit committee about:
     a) significant risks and repeatedly detected risks that would impair the bank's reputation or activity;
     b) deficiencies in bylaws or in the operation of subdivisions and/or cases of violation by officials of the provisions of legislation, bylaws, which could affect bank activity;
     c) measures taken by the heads of subdivisions that are subject to control on liquidation of violations detected and outcomes thereof;
     d) aggregate results of internal audit activity, including an analysis of the level of realization of the annual internal audit plan, opinion on the bank's exposure to significant risks and effectiveness of the bank's internal control mechanism with a yearly reporting frequency, at a minimum;
  10. evaluate the efficiency and effectiveness of processes underlying the outsourcing of bank activity and determine the risks that may affect the conduct of bank business and compliance with the legislation in force. In this respect, the institution's audit plan shall include missions to verify the outsourcing of material importance, including adequacy of data protection measures, controls, risk management and measures taken to ensure continuity of bank activity;
  11. coordinate with the bank’s external audit entity the information required to discuss the identified risk sectors and measures taken.

215. The bank shall establish the internal audit function in accordance with this Regulation, considering, at a minimum, the following principles:

  1. the internal audit function is based on the internal audit regulation approved by the council of the bank, which includes information on manner of organization, rights and responsibilities, co-operation with other bank subdivisions, etc. The regulation shall be brought to the attention of all bank staff;
  2. in operational work, the internal audit function shall be guided by the internal audit manual, which includes instructions on the conduct of controls by areas of activity, with priority assigned to sectors subject to a higher risk level. Each internal audit mission shall be run on the basis of a risk-based plan;
  3. the structure and number of staff of the internal audit function shall be determined by the council of the bank. Scripture staff shall be sufficient to achieve the goals and objectives of internal control and to resolve issues related to it, and shall not be involved in directly conducting or recording transactions and/or operations of the bank;
  4. staff of the internal audit function shall have the relevant qualifications, experience, personal and professional qualities to enable them to perform internal audit work.
216. Continuous training and professional development of internal auditors shall be continuously ensured to respond to the increasing technical complexity of bank business and the increasing diversity of tasks to be met as a result of the introduction of new products and processes in banks and other developments within the financial sector.

217. Current reporting by the internal audit function set forth in the bank's internal audit regulation shall include reporting to the council of the bank, audit committee, and information to the executive body as soon as feasible after the completion of audits by the internal audit on significant findings, so that corrective actions can be taken in due course. In addition to current reporting, the regulation shall provide for the internal audit’s obligation to report quarterly to the council of the bank and audit committee on the results of internal audit work.

Chapter IV SPECIAL INTERNAL CONTROL REQUIREMENTS

Section 1 Information System and Communications System Requirements

218. The bank shall have effective and credible information and communication systems, covering all its significant activities.

219. The bank shall have information systems that comply with generally accepted industry standards.

220. Information systems, including those that store and use data in electronic format, shall be secure, independently monitored and backed up by appropriate contingency plans.

Section 2 Business Continuity Requirements

221. The bank shall have a robust business continuity management process to ensure its ability to operate continuously and to limit losses in the event of a severe interruption of activity.

222. To establish a robust business continuity management process, the bank shall analyze its exposure to severe activity disruptions and quantify and qualify its potential impact by using internal and/or external data and scenario-type analyses.

223. Based on the analysis provided in paragraph 222, the bank shall have:

  1. contingency and continuity plans to ensure that it responds appropriately to emergency situations and is capable of maintaining its most important activities if there is an interruption in the conduct of business;
  2. critical resource remediation plans to allow a return to normal business procedures within an adequate timeframe.

Any residual risk of any disruption of the business shall be in accordance with the bank's risk tolerance/appetite.

Section 3 Special Requirements for Engagements with Financial Derivatives

224. For activities involving financial derivatives, the bank shall establish policies and procedures for the valuation of positions and shall verify their compliance, frequency of valuation and the independence and quality of valuation pricing sources, in particular for instruments issued and traded in low liquidity markets.

225. Prior to engaging in activities involving financial derivatives, the executive body and/or the council of the bank shall ensure that all approvals established in the internal regulatory framework are obtained and that appropriate operational procedures and risk control systems are in place. The decision to engage the bank in activities involving financial derivatives falls within the competence of the management body and is based, at a minimum, on the following:

  1. description of relevant financial derivatives, markets and proposed strategies;
  2. resources required to establish robust and effective risk management systems and to attract and retain staff with adequate knowledge and experience in financial derivatives’ trading;
  3. analysis of proposed activities according to the bank's general financial position and its capital;
  4. analysis of risks the bank may face as a result of these activities;
  5. procedures the bank shall use to quantify, monitor and control risks;
  6. relevant accounting treatment;
  7. analysis of any restriction on the conduct of those activities.

Section 4 Special Requirements for Engagement in Paid Service Provision and Issuance of Electronic Currency and Remote Banking

226. For paid services’ provision and electronic currency issuance, including the operation of remote banking systems, the bank shall develop internal policies and procedures in compliance with normative acts, including those issued by the National Bank of Moldova, to ensure integrity, authenticity and confidentiality of data, contribute to reducing the risk of loss or diminution of funds through fraud, abuse, negligence or deficient management, as well as ensure the security of operational processes.

227. Policies regarding paid services’ provision and electronic currency issuance shall include, at a minimum:

  1. defining responsibilities for the development and implementation of information security procedures by ensuring the confidentiality, integrity and availability of information regardless of its presentation (electronic, paper format) and protecting the resources involved in its management, as well as other features such as: authenticity, responsibility, non-repudiation, reliability;
  2. requirements for the necessary security framework (to prevent fraud or abuse by both staff and non-bank staff, by controlling and monitoring, at a minimum, access to confidential information by ensuring security of storage and transmission of confidential information through instructions to clients on precautions to be taken);
  3. requirements for staff competencies by explicitly describing, at a minimum, staff duties and responsibilities, by regularly training them as part of changing tasks/upgrading information technologies and verifying adequate execution of tasks;
  4. requirements to establish procedures for assessing policy compliance, implementing remedial measures and reporting on non-compliance with security measures that represent a means of reducing the ICT risk, including IT policies, standards, procedures, organizational structures, solutions;
  5. requirements for development and implementation of internal procedures for the identification, management, monitoring and reporting of risks to which the bank is or might be exposed in the course of providing paid services/electronic money and remote services.

TITLE V RISK MANAGEMENT

Chapter I RISK CULTURE

228. The bank shall develop a risk culture integrated at general bank level, based on a full understanding and a holistic vision of the risks faced by the bank and the way they are managed, considering the bank's risk tolerance/appetite. [Paragraph 228 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

229. The bank must develop a risk culture through policies, examples, communication, and staff training on the bank's activities, strategy, and risk profile, and adapt communication and staff training taking into account staff responsibilities for risk-taking and risk management. [Paragraph 229 in version of the Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

230. Every person in the bank shall be fully aware of his/her responsibilities for risk management. Responsibility for risk management shall not be limited to the level of risk specialists or compliance, internal audit and risk management functions. Bank subdivisions under the supervision of the management body shall be primarily responsible for daily risk management, considering the bank's risk tolerance/appetite, in accordance with the bank's policies, procedures and control outcomes.

231. The management body shall devote sufficient time to reviewing risk management issues.

232. A sound risk culture shall consider, at a minimum, the following principles:
  1. tone from the top: the management body shall be responsible for establishing and communicating to lower levels the bank’s core values and expectations. Management bodies and persons holding key positions shall contribute to internal communication of core values and expectations to bank staff. Staff shall act in accordance with all applicable laws and regulations and promptly alert observed non-compliance within or outside the bank. The management body shall continuously promote, monitor and evaluate the bank's risk culture, analyze the impact of risk culture on the bank's financial stability, risk profile and robust governance and make changes where necessary;

  2. accountability: relevant staff at all levels shall know and understand the bank's core values and, to the extent necessary for their role, the risk appetite and risk capacity. Staff shall be able to perform their roles and be aware that they shall be held accountable for their actions in connection with the bank's risk-taking behavior;
  3. effective communication and appeals: a robust risk culture shall promote an open communication environment and effective appeals where decision-making processes encourage a wide range of opinions, allow testing of current practices, stimulate a constructive critical attitude of staff and promote an open and constructive engagement environment across the entire bank;
  4. motivation: appropriate incentives shall play a key role in aligning risk-taking behavior with the bank's risk profile and long-term interest.

[Paragraph 232 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Chapter II RISK MANAGEMENT

Section 1 General Provisions for Risk Management

233. The bank shall have a comprehensive risk management framework covering all subdivisions, including support and control functions, identifying the economic substance of exposures and covering all risks relevant to the bank. The scope of risk management shall address, at a minimum, the risks referred to in Article 38, paragraph (4), of Law No 202/2017, as well as the risk associated with compliance with the requirements for preventing and combating money laundering and terrorist financing and other financial crimes and the strategic risk. [Paragraph 233 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

234. The bank shall ensure that risk management policies of the bank's business model are consistent with its capital and risk management experience, shall ensure adequate performance of management body duties and ability to execute the bank's obligations towards depositors and creditors, shall determine the level of risk that it is able to assume and provide for the management of all risks related to the activity performed, including in relation to outsourced activities.

235. Risk management policies shall be transposed into secondary bylaws, distinguishing between general rules applicable to all staff and specific rules applicable to certain categories of staff, and shall include, at a minimum, requirements for:

  1. risk management procedures tailored to the size and nature of bank activity, which shall include the permanent identification and assessment of risk positions, risk monitoring and control, including outsourced activities and off-balance-sheet transactions;
  2. process of adjusting risk management procedures to changing risk profile and market developments;
  3. risk exposure limits set for all activities and for each significant activity and/or branch reflecting the chosen risk profile in terms of the ratio between accumulated risks and the profit obtained, which the bank considers acceptable under effective and prudent business continuity conditions. Limits established at the level of activities and/or branches shall be correlated with those set at overall bank level;
  4. procedures for authorizing operations that may be affected by risks, considering the responsibilities of the management body and the bank's risk management staff;
  5. measures required to minimize and limit the exposure to risks affecting the achievement of the bank's objectives and/or its stability;
  6. sufficient bank resources (including technical and human resources) to manage risks.

236. The bank shall identify the risk profile by setting objectives for each risk, shall ensure systematic monitoring of compliance with policies and procedures established for risk management, and report, as appropriate, identified violations and their liquidation to the relevant body.

237. The bank shall have an appropriate information exchange system for the systematic identification, assessment, monitoring and systematic documentation of risks both at the level of the bank and its subdivisions and/or branches, including reporting on risk exposures to relevant levels of management for decision-making on risks assumed by the bank.

238. The bank shall prudently review the new products, markets or activities and ensure that new products, significant changes in the features of existing products and major risk management initiatives are approved by the empowered body, shall have internal instruments and staff with appropriate experience to understand, manage and monitor associated risks.

239. In the case of a high level of exposure to risk and/or use of inappropriate risk management methods, the bank shall take corrective measures that include, at a minimum, the following:

  1. improving information systems and estimating exposure to risk;
  2. reducing the level of risk;
  3. enforcing other measures or a combination of these measures depending on the bank’s specific situation, status and conditions.

Section 2 Credit Risk, including Counterparty Risk and Settlement Risk

240. The bank shall have an adequate credit risk management framework that takes into account the bank's risk appetite and risk profile, as well as market and macroeconomic conditions. It shall include risk management policies and procedures for identifying, evaluating, monitoring, and timely control of credit risk, including counterparty credit risk and settlement risk.

241. The credit risk policy shall refer to all lending activities of the bank and shall consider both individual loans, including credit currency, and the entire portfolio. For this purpose, at a minimum, the credit risk policy shall provide for:
  1. procedures for lending process implementation, including terms of the contractual framework determined by the specificity of credit, the counterparty and securities provided by it (for securities in the form of immovable assets, the bank employee responsible for establishing and reviewing the security value of the immovable asset should have the skills and experience appropriate to the required assessment activity and be independent of the credit decision-making process), arrangements for assuming it, including through more restrictive requirements towards counterparties subject to foreign exchange risk (related to securities, indebtedness indicators and concentration on large debtors), credit risk monitoring and control;
  2. credit categories to be promoted by the bank, including unsecured and/or partially secured credit categories, type of exposure, economic sector, form of ownership, counterparty category (legal persons and individuals, etc.), residence, geographical area, currency, initial duration, estimated profitability;
  3. procedures for identification of markets where the bank intends to operate, determining loan portfolio characteristics (including degree of diversification and concentration) and assessing new business opportunities in lending activities;
  4. procedures for determining eligible counterparties, conditions to be met by them with a view to entering into a business relationship with the bank, of the repayment schedule of the basic amount of the assets, which is to be established according to the specific activity and/or purpose of the asset, being economically justified in relation to the debtor's cash flows and securities acceptable to the bank;

  5. effective credit management procedures, including analysis of loan use for purposes intended, continuous analysis of debtor's ability to make payments under the contract, also considering the level of foreign exchange risk to which it is exposed, and determining the borrower's level of indebtedness; continuous review of loan-related documentation (loan agreement, real and personal securities and other securities, documents proving the counterparty’s financial situation, etc.); assessing the classification system, which is based on the economic essence of the transaction and less on the legal form, so that it corresponds to the nature, size and complexity of bank activities;
  6. procedures for identification, management and monitoring of underperforming assets and contingent liabilities with a view to maintaining sound credit standards and compliance with the limits on credit risk assumption;
  7. criteria for defining and approving new assets and conditional commitments, as well as assets with an extended and renegotiated term;
  7¹. collateral coverage limits on partially guaranteed credit categories, as well as limits on the share of unsecured and/or partially guaranteed loans in the total loan portfolio, including by types of borrowers or types of products, to be correlated with credit risk appetite and the bank's risk profile;
  8. conducting stress tests to identify weaknesses or potential vulnerabilities in credit risk positions based on different stress test scenarios;
  9. internal reporting process to provide the bank's management with adequate information to measure, estimate and report in a timely manner the size and quality of credit risk;
  10. ensuring that loan decisions are made independently, without being influenced by pressures or conflicts of interest;
  11. information systems and adequate data infrastructure that is detailed and sufficiently granular to support the granting of loans, the administration and monitoring of credit risk throughout the entire life cycle of credit facilities (e.g., loan origination and credit assessment, risk assessment, loan analysis and monitoring); accurate and timely identification, aggregation, and reporting of credit risk exposures to management on an ongoing basis;
  12. processes and procedures for identifying, assessing, and managing the risks of money laundering and terrorist financing to which banks are exposed as a result of their lending activities;
  13. a comprehensive definition of leverage transactions that takes into account the level of leverage of the borrower and the purpose of the transaction and covers all business lines and credit risk units.

[Paragraph 241 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]
[Paragraph 241 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]
[Paragraph 241 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

241¹. When using technological innovations for lending activities, banks must:

  1. adequately cover, through primary and secondary internal control regulations and the risk management framework, the inherent risks associated with the technological innovations used. This must be proportionate to the business model, credit risk exposure, complexity of methods, and degree of use of technological innovations;
  2. ensure that the management body has a sufficient understanding of how to use technological innovations, their limitations, and their impact on loan granting procedures;
  3. understand the underlying models used, including their capabilities, assumptions, and limitations, and ensure their traceability, verifiability, robustness, and resilience;
  4. ensure that models have been adapted to the purpose for which they were created, taking into account the tasks identified and other criteria such as their performance and use. Where the use of models requires explanation, consideration should be given to developing an interpretable model;
  5. understand the quality of data and inputs to the model, detect and prevent systematic errors in the credit decision-making process, ensuring that adequate safeguards are in place to ensure the confidentiality, integrity, and availability of information and systems;
  6. ensure that the performance of the model, including the validity and quality of its results, is continuously monitored and that appropriate remedial action is taken in a timely manner if problems are identified.

[Paragraph 241¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

242. To prevent entering into business relations with persons involved in fraudulent activities, the bank shall have procedures that include, at a minimum, provisions related to:

  1. information from persons within the bank, who are authorized to carry out the necessary investigations;
  2. consultation of information obtained by the bank from external structures, organized under the law, with the purpose of collecting and providing information on the counterparty's status as a loan beneficiary and/or other financial information;
  3. knowledge of the structure of participants in the capital of the legal entity, as well as verification of their references and of persons responsible for its management.

243. The bank shall conduct lending activity based on prudent and well-defined criteria. In assessing a counterparty’s credit risk, the bank shall consider, at a minimum, the following:

  1. purpose of credit, currency of credit, term of credit and source of its repayment;
  2. current risk profile of the counterparty and the securities provided, as well as securities’ sensitivity to market developments;
  3. history of counterparty debt service and its current and future repayment capacity, based on historical financial developments and projections of future cash flows, which are to be critically considered in terms of probability of realization;
  4. economic sector in which the counterparty operates and its position within the respective economic sector;
  5. concentration of bank exposures to the counterparty and how it repays the credit, interest rates;
  6. probability of non-compliance with contractual terms established on the basis of an internal system of counterparty assessment and ability to legally implement contractual commitments, including ability to enforce securities under market conditions.

244. The bank shall have procedures for assessing the counterparty's risk level, with clear provisions for its classification and for determining credit risk loss reductions based on updated information in the credit file, as well as procedures for continuous assessment of securities to be considered in the classification process.

245. The bank shall have procedures for identifying and recording large exposures and changes that may occur, as well as mechanisms for their monitoring. Exposures that exceed a certain percentage of the bank's eligible own funds (set in internal policies but which shall not exceed the limits set by the National Bank of Moldova's statutory instruments on large exposures) and/or which involve a high credit risk shall be approved by the council of the bank.

246. The bank's internal information process shall enable the credit risk assessment of items on and off the balance sheet. The information process shall provide adequate information on the loan portfolio component, with emphasis on standardized, supervised and non-performing loans, and/or identifying non-compliance with the exposure limits set, as well as information to identify any risk concentrations, so as to enable identification of problem loans and allow for timely implementation of appropriate measures.

247. The bank shall have a system to remedy in a timely manner credit quality deterioration, as well as a system for managing bad loans.

247¹. The bank must have primary and secondary internal regulations for monitoring collateral and for verifying that such collateral is and remains enforceable and realisable. These policies should specify prudent monitoring methods that are proportionate to the type and potential value of the collateral, to be used by a specialist in the unit responsible for monitoring collateral and using statistical models for each type of collateral. The bank must ensure that these approaches are consistent with credit agreements and comply with primary and secondary internal credit risk regulations.

[Paragraph 247¹ added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

247². The bank must establish, through primary and secondary internal regulations, the criteria for using statistical models for the purpose of assessing, re-assessing, and monitoring the value of collateral. These regulations must take into account the proven results of these models, the specific variables of the properties in question, the use of minimum available and accurate information, and the uncertainty of the models.

[Paragraph 247² added by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

247³. Banks must ensure that the statistical models used are:

  1. specific to buildings and locations at a sufficiently detailed level;
  2. valid and accurate, and subject to regular and rigorous ex-post testing against actual transaction prices;
  3. based on a sufficiently large and representative sample of prices observed in transactions;
  4. based on high-quality, up-to-date data.

[Paragraph 247³ amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

247⁴. When using statistical models, banks are ultimately responsible for the adequacy and performance of the models, and the valuer remains responsible for the valuation performed using a statistical model. Banks must understand the methodology, input data, and assumptions of the models used. Banks must ensure that the documentation of the models is up-to-date.

[Paragraph 247⁴ amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

247⁵. Banks must have adequate processes, systems, and IT capabilities, as well as sufficient and accurate data, to perform a statistical model-based valuation or revaluation of collateral.

[Paragraph 247⁵ amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

Section 3 Market Risk

248. The bank shall have adequate policies that clearly describe the roles and responsibilities related to identification, assessment, monitoring and control of market risk.

249. In the process of market risk management, the bank shall consider, at a minimum, the following subcategories:

  1. position risk, identified as a general risk or specific risk;
  2. foreign exchange risk;
  3. commodity risk.

250. Under paragraph 248, the assessment shall cover the risks associated with interest rate instruments, debt securities and related securities in the regulated trading book, as well as currency positions and risk positions attributable to both the trading book and banking book (kept outside the trading book till maturity).

251. The bank's market risk policies shall establish, at a minimum, requirements for:

  1. procedures for determining acceptable levels for all risks, in particular for the position risk, considering the types of investment allowed, quality and quantity acceptable for each type of investment, and for the currency risk account shall be taken of all currencies, level of profitability, liquidity requirements for each currency operated by the bank, composition of the maturity structure of assets and liabilities, and off-balance sheet exposures, as well as the credit margin risk associated with positions quantified at fair value and the risk associated with equity exposures from the perspective of the banking portfolio;
  2. procedures for identifying, assessing and monitoring risks, as well as establishing the types of instruments and activities allowed for the bank to manage its market risk exposures, including characteristics and purposes of their use;
  3. control processes that they shall specify, including daily operational checks to ensure that the information is true and complete to manage market risk in accordance with the bank's bylaws;
  4. authorization procedures and notification processes for exceptions to market risk policies, as well as substantiating their necessity and acceptability;
  5. methodologies used for stress tests based on information about bank operations and level established for market risk to determine the influence of hypothetical fluctuations of interest rates, foreign exchange rates on the bank's revenues and own funds.

252. The bank shall establish market risk limits approved by the council of the bank, consistent with its absorption capacity, size and complexity of bank activity and/or its operations and reflecting all significant market risks.

253. The bank shall have management processes ensuring that all transactions are recorded on time and that market positions are revaluated with sufficient frequency, using credible market information or, in the absence of market prices, internal models, or those accepted at bank level.

254. The bank shall analyze the results of stress tests, have contingency plans, as appropriate, validate or test the systems used to quantify market risk. Approaches used by the bank need to be integrated into risk management policies and results shall be considered in the bank's risk strategy.

255. The bank shall ensure independent verification of market information used for the valuation of positions in the trading book by staff who are not involved in this activity.

256. The foreign exchange risk shall be managed by the bank for all assets and liabilities denominated in national and foreign currencies, including those attached to the foreign exchange rate, for on- and off-balance sheet items.

257. In position risk management, the bank shall consider identifying, assessing, monitoring and controlling the potential volatility of prices of financial instruments on and off the balance sheet. Limits for position risk exposures shall include limits of exposure to a company, sector, and a limit for losses. Limits for securities and other more volatile and less liquid investments need to be viewed from the perspective of feasibility of maintaining lower limits than those set for securities and other more liquid and less volatile investments.

258. The bank shall provide information systems whereby the bank's market risk aspects are reported to the management in a timely manner, with an emphasis on the level and trend of risks, including, at a minimum:

  1. for position and commodity risk – an analysis of the total value of investments and current market values, aggregate investment limits and compliance information, changes in the value of assets and liabilities and off-balance sheet positions, the effect of the price risk position on the bank's profit and equity;
  2. for foreign exchange risk – a periodical (monthly, daily) analysis of open foreign exchange positions and cash flow analysis for each currency and aggregate (inputs and outputs) for the nearest future period, maturity of short and long positions, change in the value of assets, liabilities and off-balance sheet positions as a result of exchange rate changes, the effect of foreign exchange risk position on equity.

Section 4 Operational Risk

259. The bank shall have operational risk management policies that take into account the individual and corporate competencies and behaviors that determine the bank's commitment and management of risks associated with operational risk.

260. In the process of managing operational risk, the bank shall consider, at a minimum, the following subcategories:

  1. compliance risk;
  2. risk of distortion of security and integrity of information systems as a sub-category of operational risk, ICT risk.

261. The bank's operational risk management policies shall provide, at a minimum:

  1. procedures for establishing operational risk indicators that can be used to determine the bank's exposure to this risk. Procedures shall include, but shall not be limited to, the number of failed transactions, frequency and/or severity of errors, omissions and frauds, staff rotation rate, rapid increase in the volume of some activities, periodic review of their level and setting of alert thresholds;
  2. procedures for identifying and assessing operational risk exposure based on product, process, and system evaluation for the determination of those carrying operational risks, collecting and analyzing internal loss data that shall help identify areas where additional verification is required;
  3. appropriate and effective information systems for operational risk monitoring by collecting and analyzing operational risk data, as well as facilitating appropriate reporting at the level of the management body and line of business;
  4. control processes that shall specify and perform daily business controls to ensure that the information is true and complete for managing operational risk in accordance with bank bylaws;
  5. procedures for identifying critical operational processes, including those processes that depend on external or third-party suppliers, for which rapid resumption of activity would be critical;
  6. revise policies whenever a significant change in the bank's operational risk profile is observed, but also in other cases where there is a need for such revisions, including introduction of new products, new business areas, changes in the organizational and management structures.

262. Throughout managing operational risk, the bank shall consider, at a minimum, the following categories of events:

  1. internal and/or external frauds or attempts of internal and/or external fraud;
  2. employment and safety practices in the workplace;
  3. commercial practices for customers and products;
  4. existence of damage to tangible assets;
  5. interruption of activity and inadequate operation of systems;
  6. executing, delivering and managing processes.

263. The bank shall provide information systems whereby operational risk issues are reported in a timely manner, focusing on the level and trend of risk, changes in the underlying value of assets and liabilities, as well as off-balance sheet positions, and on the effect of operational risk on profits and own funds.

[Paragraph 263 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

264. Any activity outsourced to a third party shall be reviewed by the bank to ensure that operational risk and other risks are not increased by inappropriate control methods or other deficiencies of third parties that take over these activities.

265. To reduce operational risk in certain areas, which may be caused by fraud or natural disasters, the bank's management body shall decide whether insurance against these hazards is feasible and shall substantiate and document the reasons why it has decided in favor of or against insurance for areas where it is available, using cost/benefit analysis when possible.

266. The management body shall be responsible for creating a compliance culture that protects the bank against the risk associated with non-compliance with applicable laws, supporting regulations, rules and codes applicable to banking activity.

267. The bank shall not engage in transactions whereby customers intend to avoid complying with financial reporting requirements, tax obligations, or facilitate unlawful conduct.

268. The identification, assessment, monitoring and control of compliance risk, as well as periodic compliance testing of the bank with the regulatory framework, shall be performed by staff of the compliance function.

269. The bank shall have a compliance risk policy that includes, at a minimum:

  1. basic principles followed by all staff, including the management body, and processes through which compliance risks are managed at all levels of the bank;
  2. requirements for the procedures for identifying and assessing the compliance risk issues faced by the bank and their remediation plans. These plans shall also address policy shortcomings, procedures, and shall prevent similar or related situations in the future;
  3. a description of roles, rights, responsibilities of the compliance function, and establishment of measures to ensure its independence;
  4. requirements for the resource allocation process for the exercise of responsibilities related to the compliance function;
  5. requirements for establishing relations with the bank's risk management function and with the internal audit function.

270. The management body shall be responsible for ensuring immediate compliance by compliance staff with any failure to comply with the legal framework, normative acts, agreements, recommended practices, or ethical standards that could entail a considerable risk of penalties, financial loss or damage to reputation.

271. The bank shall have adequate ICT processes and infrastructure to manage ICT risks. These shall meet minimum requirements set by the Regulation on Minimum Requirements for Information and Communication Systems of Banks approved by Decision of the Executive Committee of the National Bank of Moldova No 47/2018.

272. Within a reasonable timeframe, the bank shall inform in writing the National Bank of Moldova on changes with significant impact on the operational risk to which it is exposed.

Section 5 Interest Rate Risk in the Banking Book, IRRBB

273. The bank shall implement systems for identifying, assessing and managing risk arising from potential changes in interest rates that affect bank activities in the banking book.

274. Under paragraph 273, the bank shall consider the impact on the economic value, calculated as a percentage of the bank's own equity, and the impact on interest rate changes.

275. Under paragraph 273, the bank shall consider the following risk subcategories:

  1. revaluation risk, i.e. risk associated with maturity’s timing mismatch with the revaluation of assets, short- and long-term off-balance sheet position debts;
  2. risk associated with the yield curve, i.e. risk associated with variations in the slope and shape of the yield curve;
  3. base interest risk, i.e. risk associated with covering the exposure at a single interest rate with exposure at a rate that is revalued under slightly different conditions;

  4. option risk, i.e. risk associated with options (e.g. consumers redeeming fixed-rate products when market rates change).

276. The bank shall identify the main determinants of IRRBB exposure and shall assess the potential prudential impact of that risk on the bank.

277. The bank shall identify the IRRBB sources of current or potential exposure.

278. The bank's management body shall establish, approve and periodically review the interest rate risk strategy, policies and processes for the identification, quantification, monitoring and control of the interest rate risk.

279. The bank's executive body shall ensure implementation of the interest rate risk strategy, policies and processes.

280. The bank's IRRBB risk strategy shall accurately reflect the bank's appetite for interest rate risk and shall be consistent with the overall risk appetite.

281. The bank's IRRBB risk strategy shall take into account the cyclical aspects of the economy and the gaps arising from IRRBB risk activities.

282. The bank shall have internal reporting systems that provide prompt and comprehensive information on its IRRBB exposure.

283. The bank shall allocate responsibilities for interest rate risk management to persons who are independent from persons responsible for trading and/or other risk-taking activities, which would benefit from separate reporting lines.

284. To comply with the requirements set out in paragraph 273, the bank shall have comprehensive and appropriate interest rate risk measurement systems, and any models and assumptions used shall be validated on a regular basis but at least annually.

285. The limits set by the bank shall reflect its risk strategy, be understood by relevant staff and communicated to them regularly.

286. Any exception to established policies, processes and limits shall be promptly reviewed by the executive body and, where appropriate, by the council of the bank.

287. The bank shall be able to demonstrate that the amount of equity held, established through the bank's quantification system, also covers the interest rate risk in the banking book.

288. For purposes of measuring exposure to IRRBB, the bank shall consider and assess the impact of:

  1. assumptions on non-interest bearing assets and liabilities in the banking book (including equity and reserves);
  2. assumptions on customer behavior regarding "non-maturing deposits" (maturity assumed for liabilities with short-term contractual, but long-term behavioral maturity);
  3. behavioral factors on assets or liabilities.

289. The bank shall be able to regularly measure the sensitivity of economic value and net interest/earnings under different scenarios to potential changes in the level and form of the interest rate yield curve, as well as changing relationship between different market rates.

289¹. The bank shall develop and use its own methodologies for calculating the potential changes in the bank's economic value as a result of changing interest rate levels, in accordance with its risk profile and related risk management policies. In cases where the internal methodology of a bank is considered inadequate by the National Bank of Moldova, in the context of the criteria below, or there is no such methodology, the bank shall apply the standardized methodology described in Annex 2¹. The internal methodologies of the bank shall meet the following criteria:

  1. any material interest rate risk relating to the bank's assets, liabilities and off-balance sheet positions shall be assessed. For this purpose, all interest rate sensitive on- and off-balance sheet actions of the bank shall be included;
  2. generally accepted financial concepts and risk assessment techniques shall be used. In particular, the internal methodologies shall provide the possibility to assess the risk using the economic value method;
  3. data inputs shall be adequately specified (in accordance with the nature and complexity of the bank's actions) in terms of rates, maturities, reassessment and other details to provide a sufficiently accurate description of changes in economic value;
  4. assumptions of the methodology (used to convert the positions into cash flows) shall be reasonable, adequately documented and stable over time. Material changes in the assumptions shall be documented, justified and approved by the management body;
  5. interest rate risk assessment methodologies shall be incorporated into daily risk management practices. The result shall be used to characterize the interest rate risk level for the management bodies;
  6. interest rate risk assessment methodologies shall also include the interest rate shock (or equivalent parameters), as established in paragraph 289².

[Paragraph 289¹ added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

289². The bank shall calculate the change in economic value following the application of a sudden and unexpected change(s) in interest rates, including using the standard shock(s) of a size of at least 200 basis points in both directions, regardless of currency. The calculation and reporting of the change in the economic value is carried out quarterly – individually and annually – at a consolidated level for the parent bank – a legal entity from the Republic of Moldova, in accordance with the provisions of the Instruction No 279/2011 on the compilation and submission by banks of reports for prudential purposes.

[Paragraph 289² amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]
[Paragraph 289² added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

289³. If the economic value of a bank decreases by more than 20% of its own funds as a result of the application of the standard shock(s) established in paragraph 289², the bank shall take the necessary measures to reduce such potential decline, measures which may include, among others, the following:

  1. improving risk management activity;
  2. changing the internal thresholds;
  3. reducing the risk profile;
  4. increasing the threshold of own funds.

[Paragraph 289³ added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

290. To quantify the vulnerability of economic value and net interest/earnings in the event of adverse changes in the interest rate, the bank shall conduct stress tests, at a minimum annually.

291. Under paragraph 290, stress tests shall be based on the most unfavorable reasonable scenarios and shall capture all significant sources of risk, including changes in underlying assumptions. The bank's executive body shall take into account the outcomes achieved in setting and reviewing policies, processes and limits for the interest rate risk.

292. The bank shall have well-grounded, robust and formalized policies addressing issues that are important to its individual circumstances, which, without prejudice to the principle of proportionality, may refer to:

  1. internal definition and delimitation of activities in the banking book and those in the trading book;
  2. definition of economic value and its consistency with the method used for the valuation of assets and liabilities based on the present value of future cash flows or based on the present value of future profits;

  3. definition of risk associated with earnings and its consistency with the bank's approach to corporate plans and financial forecasts;
  4. size and shape of different shocks used for internal calculations;
  5. using a dynamic and/or static approach to applying interest rate shocks;
  6. treatment of ongoing transactions that are affected by the risk of pipeline transactions, including any coverage thereof;
  7. aggregation of multi-currency interest rate exposures;
  8. treatment of the base interest risk – resulting from different interest rate indices;
  9. inclusion (or lack thereof) of non-interest-bearing assets and liabilities in the banking book – including equity and reserves – in IRRBB measurement calculations;
  10. behavioral treatment of current and savings accounts (maturity attributable to liabilities with short-term contractual, but long-term behavioral maturity);
  11. measuring IRRBB effects resulting from integrated and automated options from assets or liabilities, covering both convexity effects and non-linearity of the result associated with explicit option type products;
  12. degree of granularity used in measurement calculations (using maturity bands, including future cash flows or only the principal balance).

Section 6 Liquidity Risk

293. The liquidity risk shall be managed by the bank for all assets and liabilities denominated in national and foreign currency, including those attached to the foreign exchange rate, on and off the balance sheet, and taking into account all additional (deriving) risks.

294. The bank shall ensure that it has sufficient liquidity reserves and alternative financing plans. To this end, the bank shall have policies and procedures for identifying, measuring, managing, and monitoring liquidity risk developed for specific periods, including intraday.

295. The bank's liquidity risk policy shall include, at a minimum, requirements for:

  1. procedures for setting acceptable liquidity risk limits based on clearly identifiable parameters that are consistent with short-term and long-term liquidity objectives of the bank;
  2. procedures for identifying, assessing and monitoring liquidity positions, including with consideration for established limits. This process shall include a robust framework for forecasting cash flows from assets, debts and off-balance sheet items over a set of appropriate time horizons, under both normal and crisis conditions;
  3. procedures for determining the composition of assets and liabilities to maintain sufficient liquidity, diversify deposits and other sources of funds to avoid volatility of liquidity and to determine the limits for transactions with counterparties, establishing the list of instruments and activities allowed for the bank to manage its exposure to liquidity risk, including the characteristics and purposes of its use;
  4. reporting procedures for disseminating information at each level and frequency of reporting;
  5. control procedures to ensure that the information is accurate and complete and of an adequate quality to allow relevant subdivisions and the bank’s management body to exercise their duties;
  6. procedures for authorizing and communicating exceptions to the liquidity risk policy, if exceptions are to be allowed, as well as substantiating their necessity and acceptability;
  7. stress test procedures that include a variety of short-term scenarios (minimum 3, with 3 different degrees of sensitivity), medium- and long-term scenarios, taking into account the specific circumstances of the bank and the market, on the basis of which the vulnerabilities of the liquidity position are analyzed and the potential adverse effects and ways of avoiding/solving them are determined. These scenarios shall be kept up-to-date, considering both internal (bank specific) and external (market) factors;
  8. liquidity management procedures in crisis situations that shall provide for the identification of weaknesses or potential vulnerabilities regarding the bank's liquidity level under unpredictable conditions and development of liquidity management plans for such situations.

296. The bank shall assess cash inflows, comparing them with cash outflows, to determine the value of liquid assets to identify the potential shortfall of future net funding. In this respect, the bank shall identify, assess and monitor liquidity risk positions for:

  1. future cash flows of assets and liabilities;
  2. unpredicted sources of liquidity and trigger factors associated with off-balance-sheet positions;
  3. currencies in which the bank carries out significant weight transactions;
  4. correspondent, custody and settlement accounts.

297. For purposes of identifying, evaluating and monitoring liquidity risk positions for future cash flows of assets and liabilities, the bank shall:

  1. have a robust liquidity risk management framework that provides dynamic cash flow forecasts that take into account assumptions about the behavior of significant counterparties in the event of changing terms;
  2. build realistic assumptions about short- and long-term liquidity needs, reflecting the complexity of activities, products offered and markets in which they operate;
  3. analyze the quality of assets that can be used as financial collateral to assess their potential to provide funding in times of crisis;
  4. manage, by maturity, cash inflows in relation to cash outflows recorded to obtain a distribution by maturity of the sources at its disposal.

298. For purposes of identifying, evaluating, monitoring and controlling liquidity risk positions for unpredicted sources of liquidity and triggering factors associated with off-balance sheet positions, the bank shall:

  1. identify, assess and monitor cash flows related to off-balance-sheet commitments and other contingent liabilities;
  2. monitor liquidity risk management linked to the relationship with certain entities established to minimize the risks of financial derivative instruments, securities and other liabilities of the bank.

299. For purposes of identifying, evaluating and monitoring liquidity risk positions for currencies in significant transactions, the bank shall:

  1. assess the aggregate liquidity needs in foreign currency;
  2. review separately the strategy for each currency in which it carries out significant activity, taking into account the restrictions in times of crisis;
  3. assess the likelihood of losing access to forex markets, as well as the degree of convertibility of currencies used by the bank in its activity.

300. For purposes of identifying, evaluating and monitoring liquidity risk positions for correspondent, custody and settlement activities, the bank shall understand and be able to manage the way in which the provision of correspondent, custody and settlement services can affect money flows.

301. The bank shall determine the liquidity of an asset based on its ability to generate liquidity regardless of its classification as an item in the trading book/banking book, or the accounting treatment applicable to it. The bank shall provide information systems whereby liquidity risk issues are reported to management in a timely manner, with an emphasis on the level and trend of that risk, which shall include, at a minimum, a cash flow analysis for each currency (entries and exits) divided over different periods, change in the basic amount of assets, liabilities and off-balance sheet positions caused by changes in the market, effect of the liquidity risk position on profit and equity.

302. The bank shall ensure that procedures are in place to identify different early warning signals indicating possible occurrence of liquidity issues, such as:

  1. concentrations in assets or liabilities;
  2. reduction in asset quality that may result in a reduction of cash inflows;
  3. rapid increase in assets from relatively volatile financing sources;
  4. customer withdrawal of deposits ahead of maturity (term deposits) or accelerating deposit reflux;
  5. increase in the interest rates by bank creditors or reduction in the amount of credit lines;
  6. a higher coefficient of the ratio between loans and deposits, which may lead to a disproportionate increase in debt;
  7. large off-balance sheet exposures;
  8. increase in the occurrence of the early repayment/"cross-default" clause imposed on the bank by creditors, including external ones;
  9. any other factors that are considered important by the risk management function, the executive body, or the council of the bank.
303. While planning for unpredictable situations, the bank's management shall take into account the results of stress tests. Plans for unpredictable situations shall include:
  1. various options of stress test scenarios to create a clear picture of the required liquidity management in crisis situations;
  2. well-defined communication lines that allow for timely and well-grounded decisions to be taken by the bank's management, as well as timely and effective enforcement of appropriate measures in unpredictable situations.

Section 7 Country Risk/Conversion Risk

304. The bank that has cross-border and foreign currency exposures, including cash, placements, correspondent accounts, investments, loans and other assets on and off the balance sheet, as well as external financing sources, shall develop and implement the country risk and conversion risk policy, which shall establish, at a minimum, requirements for:
  1. procedures for determining the acceptable level of risk for a region, currency, country and activity-related exposure limits;
  2. procedures for determining the criteria for assessing the political, economic and financial situation of the country and the types of instruments and activities that may be allowed for the bank to adequately manage its exposure to country risk and conversion risk;
  3. reporting procedures for the dissemination of information on the bank's cross-border exposures at each organizational level of the bank with a structure, content and frequency corresponding to the operations carried out;
  4. control processes that shall ensure that the information is accurate and complete, and its quality is adequate, by setting the means of control and ensuring the integrity of the system used to identify, assess, monitor and control the country risk and conversion risk;
  5. authorization procedures and notification processes for exceptions to the country risk and conversion risk policy, if exceptions are to be allowed, as well as substantiating their necessity and acceptability;
  6. procedures for assessing and determining write-downs for assets and liabilities subject to country and conversion risks.

305. Valuation procedures shall determine the possibility of risk reassignment, i.e. final risk location in the country of the guarantor to whom the risk is transferred, provide for aggregation of exposures and allow the bank's management to monitor the total exposures of the bank to individual countries and currencies.

306. The bank's exposure to an individual country/currency shall include all accounts on and off the balance sheet in respect of counterparties resident in the country/currency concerned. They shall be monitored in accordance with the following: values on and off the balance sheet; residual maturity; contractual maturity; counterparty type (country, bank, non-banking legal person, individual).

307. The bank shall have processes for country risk analysis and country rating that reflect its real risk profile. The rating is used as a basis for determining the exposure limits. For rating, banks can use different sources, such as assessments and ratings of international agencies (Standard & Poor's, Moody's and Fitch-IBCA), official publications of the International Monetary Fund and/or internationally recognized publications. These sources can be used as a basis for the bank's own assessment.

308. The bank shall provide information systems whereby country risk and conversion risk issues are reported in a timely manner, focusing on the level and trend of the bank’s country risk and conversion risk, which shall include, at a minimum, information related to on- and off-balance sheet accounts, maturity, type of debtor/creditor, effect of the country risk and conversion risk position on the bank’s equity.

Section 8 Concentration Risk

309. The bank shall have policies on exposure to concentration risk. Concentration risk policies shall be revised to take account of any changes in the risk appetite and the environment in which the bank operates, and shall include, at a minimum, the following:

  1. procedures for establishing and using internal limits to reduce concentration risk in line with the general risk management and measurement framework;
  2. procedures for identifying, evaluating and monitoring the concentration risk;
  3. procedures for authorizing and communicating exceptions to the concentration risk policy, if exceptions are to be allowed, as well as substantiating their necessity and acceptability.
310. The bank shall have adequate internal processes that are consistent with the nature, size and complexity of business conducted to report the concentration risk resulting from:
  1. individual exposures to customers or groups of related customers;
  2. exposures to counterparties in the same economic sector or geographic region;
  3. indirect credit exposures resulting from application of credit risk mitigation techniques.
311. The bank shall perform analyses of loans and other assets, including estimates of their trends, and shall take into account the results of such analyses upon determining and verifying the adequacy of procedures and limits, thresholds and other similar risk concentration management concepts.
312. Concentration risk monitoring shall be incorporated by the bank into the risk management and reporting systems and shall be carried out at an appropriate frequency reflecting the nature of activities carried out by the bank.
313. Where the monitoring activity identifies elements likely to give rise to possible malfunctions, the bank's management body shall undertake, at a minimum, one of the following measures:
  1. detailed review of the risk environment in a specific sector;
  2. running stress tests and analyses based on additional scenarios;
  3. in-depth review of the counterparty's economic performance;

  4. review of approval levels for new activities;
  5. periodic review of risk mitigation techniques, their value and possibilities for their execution.

Section 9 Risk of Exposures with Related Parties and Bank Employees

[The name of the section 9 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

314. The bank shall have adequate policies and procedures for knowing the bank’s related parties, identifying transactions with related parties and determining individual and total exposures to related parties to establish the total amount of such exposures and to monitor and report those exposures through an independent verification and auditing process. The nature, extent, purpose and economic substance of transactions with related parties shall be considered in the development of those policies and procedures.

315. For the enforcement of provisions of paragraph 314, the bank shall implement, at a minimum, the requirements of the Regulation on Bank Transactions with its Related Parties approved by Decision of the Executive Body of the National Bank of Moldova No 240/2013.

316. Exceptions to the enforcement of policies, procedures and limits for transactions with related parties shall be reported to the council of the bank for appropriate action.

317. Transactions with the bank’s related parties shall be continuously monitored by both the executive body and the council of the bank.

318. The risk management function shall ensure that transactions with related parties are reviewed and that the present or potential risks for the bank are identified and properly assessed.

319. Members of the bank's management body and persons holding key positions within the bank shall be excluded from the process of approving and managing bank transactions with those with whom they are in conflict of interest.

319¹. The bank shall have internal regulations regarding the manner and conditions, including the aggregate limit, of granting loans to its employees. Employees of the bank, who are related to the bank, are granted loans according to the conditions provided for in Regulation No 240/2013. The bank shall keep a separate record of all loans granted to its employees, who are not related persons, to a similar extent applied to other beneficiaries of loans (indicating the amounts, repayment terms, etc.). The aggregate limit is set by the bank taking into account the level of risks assumed by the bank.

[Paragraph 319¹ added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

Section 10 Reputational Risk

320. The bank shall identify, assess and monitor reputational risk at all business levels, including its core components:

  1. corporate reputational risk, which refers to the performance, strategy, execution and delivery of services by the bank, which may be real or perceived;
  2. operational reputation risk, when a bank's activity, action or position, members of the management body and/or related parties of the bank shall damage the bank's image, so that the bank's profit and equity are affected.
321. Upon identifying and evaluating reputational risk, the bank shall take into account its sources of origin, without being limited to its inability to ensure the confidentiality of information that is not intended for the general public (either internally or externally), the large number of complaints from customers, penalties by authorities empowered by law, real or perceived association with negatively reputable individuals or companies failing to meet their contractual obligations.

322. Upon assessing reputational risk, the bank shall take into account the regulatory framework, as well as any other elements that may affect its business. Such elements may be, at a minimum, attributed to the following:

  1. information, whether or not matching the reality, which is unfavorably perceived for the bank's business image or business practices;
  2. loss of confidence in bank robustness caused by serious damage to its security following internal or external attacks on the information system;
  3. customers encounter difficulties in using certain products without having sufficient information about them and without knowing the procedures for solving problems that have emerged.
323. The bank shall adopt a reputational risk management policy that includes, at a minimum, the following:
  1. establishing procedures to enable the bank to operate safely and efficiently, build reputational capital, and avoid conflicts of interest and other potential issues that could harm the bank;
  2. managing risk through a process of anticipation, analysis and reduction of risk, and then through internal and external expectations;
  3. measuring trends for the bank's reputation by feasible means, such as the number of customer complaints, items and trends in the banking sector revealing issues that could damage the bank's reputation;
  4. identifying risky events as specific to the bank or the banking sector as a whole to determine remedial actions that may be applied;
  5. imposing transparency so that bank customers can make informed decisions about the bank’s reputation;
  6. reporting to management bodies on any significant event that would damage the bank's reputation;
  7. establishing clearly defined procedures for approval of press releases;
  8. designating people who can provide information to the public, especially during crises;
  9. training staff to avoid the flow of incorrect and inappropriate information to customers.
324. To reduce reputational risk, the bank shall develop customer education programs to use the new products and services offered, to know the costs associated with them, as well as to identify any problems and ways to solve them.

[Section 11 (para. 324¹, 324²) added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

Section 11 Risk associated to excessive use of leverage

324¹. Banks shall have policies and processes in place to identify, manage and monitor the risk associated to excessive use of leverage. The indicators of the risk associated to excessive use of leverage should include the indicator of the leverage established in compliance with the Regulation No 274/2020 on leverage for banks and discrepancies between assets and liabilities.

[Paragraph 324¹ amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

[Paragraph 324¹ added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

324². Banks shall treat with caution the issue of risk associated with the excessive use of leverage, taking into account potential increases in this risk caused by the reduction of the bank's own funds through expected or carried out losses, according to the applicable accounting regulations. For this purpose, banks shall face various crisis situations from the point of view of the risk associated with the excessive use of leverage.

[Paragraph 324² added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

TITLE VI STRESS TESTS AND THE RECOVERY PLAN

[The name of the Title VI amended by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]

Chapter I STRESS TEST REQUIREMENTS

325. The bank shall have documented policies and procedures for the stress test program that shall include, at a minimum, the following:

  1. types of stress tests and main purpose of each program component;
  2. frequency of stress test exercises and criteria according to which they vary;
  3. methodological details of each component, including the definition of relevant scenarios and the role of professional judgment of staff involved at all stages of deployment;
  4. all assumptions of shock and remedial action envisaged, based on the purpose, type and outcome of stress tests, including an assessment of the feasibility of remedial action in crisis conditions.
326. For each iteration of stress tests, the bank shall document the assumptions and fundamentals of the exercise. These shall include the judgments and decisions underlying the chosen scenarios and the sensitivity of results according to the type and severity of scenarios. An assessment of such assumptions shall be performed by the bank on a regular basis, or in line with developments in external conditions.
327. The bank shall use stress tests as a diagnostic tool to understand its risk profile and anticipatory tool in its internal process of assessing the level of equity and liquidity risk (assessing how profits and/or equity are affected by crisis situations, risk assessment in a forward-looking manner). Stress tests shall be used in combination with other risk management and control tools, and the outcomes shall be considered in the decision-making process at the appropriate management level, including strategic business decisions of the council of the bank and executive body.
328. The stress test methodology shall cover all business areas subject to risk and risks related to these areas and shall include a wide range of scenarios, including forward-looking scenarios (of events that may take place) to take into account interactions at the bank and system level. Thus, stress tests shall be developed to identify system-wide risks, including massive deposit reflux, exposures to certain groups of related parties, economic sectors, interbank exposures, etc.
329. The bank shall determine all the risks that may be subject to stress tests by analyzing the nature and composition of bank portfolios and operational environment. Depending on the risks identified, the bank sets out the risk factors to be used for stress tests. In this context, the stress test program shall contain, at a minimum, the following:
  1. analysis of business areas, types of risk, and separate components of portfolios and business lines;
  2. interdependence of the risks;
  3. a flexible mechanism that shall allow modeling of a variety of stress tests in any area of activity, type of risk, possible event or important client;
  4. data reflecting bank activities to get a complex picture of bank resistance to potential shocks.
330. The bank shall identify the vulnerabilities of risk factors in stress tests, including macroeconomic, credit, financial risk, in the context of external events that may affect profitability, solvability, unidentified risk concentrations, potential interactions between risk types could threaten the viability of the bank or its compliance with the regulatory framework.
331. The bank shall be able to justify the choice of risk factors for stress tests and the outcomes shall be used to determine the bank's risk tolerance and set exposure limits to substantiate strategic options for long-term business planning, including planning of equity and liquidity.

332. Stress tests shall be based on exceptional but plausible events. Stress tests shall be able to simulate shocks that have not occurred before and are designed to assess the robustness of models to possible changes in the economic and financial environment. Upon choosing stress tests, the bank shall consider the following:

  1. stress tests shall be conducted on portfolios and risk types depending on the changes and correlation between the risks identified for a given portfolio;
  2. stress tests shall be conducted at different levels of severity and likelihood of materialization;
  3. stress scenarios shall be dynamic and include the simultaneous occurrence of events across the bank. Developing a portfolio of hypothetical scenarios that shall also include a scenario based on relevant historical developments of risk parameters;
  4. in the case of historical scenarios, stress tests shall be based on exceptional but plausible scenarios over a given period using, where possible, data recorded over a whole economic cycle;
  5. the bank shall understand how severely its equity can be affected by future profitability or lack thereof and how it shall handle a crisis situation similar to the simulated one.
333. Stress tests shall be conducted with a periodicity set by the bank, but not less than once a year. Stress tests can also be conducted on an ad hoc basis for specific purposes. Upon determining the frequency of stress tests, the bank shall consider, at a minimum, the following:
  1. objectives and purpose of the stress test program;
  2. purpose of stress tests;
  3. complexity of the bank and the banking sector;
  4. significant changes in the environment in which the bank operates or its risk profile;
  5. availability of external data needed to conduct stress tests.
334. The bank shall determine the time horizon for conducting stress tests in accordance with the maturity and liquidity of positions subject to test, where appropriate.
335. The bank shall use true, accurate, sufficiently granular, current and representative data to conduct stress tests. IT resources shall be robust and appropriate to the objectives of the stress test program. IT systems shall allow for the extraction, processing and reporting of information used in stress tests, ensuring its proper quality.
336. The bank shall ensure that, at a minimum, once a year stress tests are appropriate to the daily situation and, in particular, whether the assumptions about the risk profile and the environment in which they operate remain valid over time. In this respect, the bank shall verify relevance of the following:
  1. scope of exposures to which stress tests are applied;
  2. timeliness of assumptions;
  3. suitability of the information management system;
  4. integration into the bank's management process, including clarity of reporting lines;
  5. policy of approving the process of stress test deployment, including changes;
  6. relevance, accuracy and integrity of data embedded in the stress test process;
  7. quality of formalization of the stress test process.
337. The management body of the bank shall have ultimate responsibility for the institutional stress test framework. The council of the bank shall approve the general stress test framework, and the executive body shall approve the design of stress tests and analyses based on established scenarios, participate in the review and identification of potential stress tests, and contribute to implementation of risk mitigation strategies.

338. Both the council of the bank and the executive body shall take into account the outcomes of stress tests and analyze the stress test implications on the bank’s risk appetite and its limits, financial planning and equity, liquidity, financing risk, emergency planning and remediation and resolution planning. Stress test outcomes shall be used in bank portfolio management, bank approval processes, and support any other bank decision-making processes.

339. The bank shall include the stress test process as an integral part of the risk management framework and have clear reporting and communication lines in a comprehensive format. The process of reporting the stress test outcomes shall involve, at a minimum, the following:

  1. outcomes of stress tests shall be reported to management bodies in due time to take adequate action with appropriate frequency;
  2. reports on stress test outcomes shall provide the management body with an overview of risks to which the bank is or might be exposed;
  3. reports on stress test outcomes shall draw attention to potential risks, present key scenario assumptions, and provide recommendations for remedial measures or actions.
340. The bank's management body shall take action based on the level of risk exposure determined by stress tests and established objectives and risk tolerance. The bank may, as appropriate, take measures such as:
  1. reviewing the set of limits;
  2. using risk mitigation techniques;
  3. reducing exposures or activity in certain sectors, countries, geographical regions or portfolios;
  4. reviewing the funding policy;
  5. adequacy of equity and liquidity;
  6. implementing recovery plans.
341. Decisions regarding measures taken by the management body per paragraph 34 shall be formalized.

342. The bank shall formalize the information related to the stress test process, which shall include, at a minimum, the scope of the exposure, assumptions, responsibilities of the management body and of those responsible for daily stress tests, reporting and types of measures to be taken.

Chapter II STRESS TESTS BY TYPES OF RISK

343. The bank shall conduct stress tests for all types of risk to which it is exposed, including the risks listed in Article 38, paragraph (4), of Law No 202/2017.
344. The bank shall implement policies and processes for the measurement and management of all sources and effects of market risk, to assess exposures to interest rate risk, including those resulting from non-commercial activities and foreign exchange risk exposures. Where stress tests indicate that sudden and unexpected changes in interest rates and/or market fluctuations in the exchange rate have a significant impact on the bank's equity, the bank's management body shall take emergency measures to remedy the situation.
345. The bank shall simulate the change in quality of exposures between rating categories to assess potential losses resulting from the materialization of credit risk and their impact on equity and prudential indicators. Upon developing stress tests, the bank shall consider the value of real and personal securities and the possibility of reducing their volume or value, especially in crisis situations, reducing their liquidity, which shall lead to partial recovery of non-performing assets and additional losses that may affect their equity.
346. The bank shall use stress tests as a key tool to identify concentration risk, which would allow to identify the interdependence between exposures that can only become evident in times of crisis, even if the likelihood of such scenarios is significantly reduced. Stress tests shall be conducted individually for legal entities (to take into account potential risk concentrations specific to the local markets), as well as types of concentration that can materialize at group level. The outcomes of concentration risk stress tests shall be communicated to the bank's management and used in decision-making processes and in establishing limits as part of risk management.

347. The bank shall forecast the liquidity requirements for each period, each scenario, at each crisis level, for which the amount by which forecasted cash inflows exceed the projected outflows (or vice versa) is determined from the two liquidity risk dimensions: financing and market.

348. The bank shall manage its individual risk of liquidity financing, taking into account the possible impact of market liquidity risk. Where the liquidity risk could derive from other sources of risk, "alternative liquidity scenarios" shall be performed in accordance with those risks.

349. Upon developing assumptions under operational risk stress scenarios, the bank shall rely on external events (for example, asset deterioration due to a natural disaster) and domestic ones (such as new products, systems, business areas and outsourced activities). Analysis of stress test events shall involve expertise, macroeconomic environment (e.g. reflecting increased risk of fraud in an economic recession), external risks and other factors. Historical and hypothetical events used by the bank for stress tests shall be of low frequency and severity and be plausible for operational risk.

Chapter III RECOVERY PLAN REQUIREMENTS

[Chapter III (para. 349¹ – 349⁸³) added by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]

Section 1 Content of recovery plans

349¹. The bank shall draw up, update, and submit to the National Bank of Moldova the recovery plan that provides for credible actions, to be implemented in the event of a stress situation, in accordance with the terms laid down in paragraph 394 subparagraph 5).

349². The objective of the recovery plan is to identify viable and applicable options to counter both an idiosyncratic crisis and systemic disruptions, and to assess whether these options are sufficiently robust and varied to deal with a wide range of shocks of different nature and to restore the financial position of the bank after a significant deterioration, to ensure a stable and sustainable activity.

349³. A recovery plan shall be drawn up taking into account a series of major financial and macroeconomic stress scenarios, systemic events relevant to the specific characteristics of the bank, the legal entities in which the bank owns a qualifying holding and, if applicable, the group to which it belongs.

349⁴. A recovery plan shall include at least the following items:

  1. a summary of the key elements of the recovery plan;
  2. information on governance;
  3. a strategic analysis;
  4. a communication and disclosure plan;
  5. an analysis of preparatory measures;
  6. description of recovery indicators;
  7. information on the stress scenarios used.

Section 2 Summary of the key elements of the recovery plan and governance

349⁵. The summary of the key elements of the recovery plan shall cover summaries of the items provided for in paragraph 349⁴ subparagraph 2-7, which also shall lay down a summary of overall recovery capacity referred to in paragraph 349²³, as well as the summary of any significant changes of the recovery plan or of the bank compared to the recovery plan of the previous period, submitted to the National Bank of Moldova.

349⁶. For the purpose of this Chapter, a “material change” means any change which could impact the ability of the bank, the parent undertaking or one or more of its subsidiaries, to implement one or several recovery options contained in the recovery plan.

349⁷. The information on governance shall contain at least a detailed description of the following matters:

  1. how the recovery plan was developed, including at least the following:
     a) the role and function of persons responsible for preparing, implementing, and updating each section of the plan;
     b) the identity of the person who has overall responsibility for keeping the recovery plan up-to-date and a description of the process to be used for updating the recovery plan to respond to any material changes affecting the bank or group or their environment;
     c) a description of how the plan is integrated in the corporate governance of the bank and in the overall risk management framework;
     d) if the bank is part of a group, a description of the measures and mechanisms taken within the group to ensure the coordination and consistency of recovery options at the level of the group and of individual subsidiaries;
  2. the policies and procedures governing approval of the recovery plan, including at least:
     a) a statement whether the recovery plan has been reviewed by an internal audit function, external auditor or risk committee;
     b) confirmation that the recovery plan has been assessed and approved by the management body of the bank;
  3. the conditions and procedures necessary to ensure the timely implementation of recovery options, including, at least:
     a) a description of the internal escalation and decision-making process that applies when the thresholds of the recovery plan indicators have been exceeded, to consider and determine which recovery option may need to be applied in reaction to the situation of financial stress that has materialised, including at least:
        • the role and function of persons involved in this process, including a description of their responsibilities, or, where a committee is involved in the process, the role, the responsibilities and function of committee members;
        • the procedures that need to be followed;
        • the time limit for the decision on taking recovery options, as well as when and how the bank shall inform the National Bank of Moldova on the fact that the thresholds of indicators have been exceeded;
     b) a detailed description of the indicators, reflecting possible vulnerabilities, weaknesses or threats to, as a minimum, the capital position, liquidity situation, profitability and risk profile of the bank;
  4. the plan's consistency with the general risk management framework, including a description of the relevant benchmarks (early warning signals) used as part of the periodic internal risk management process, where these benchmarks are useful to inform the management that the thresholds of indicators could potentially be reached;
  5. management information systems, including a description of arrangements in place to ensure that the information necessary to implement the recovery options is available for decision-making in stressed conditions in a reliable and timely way.

Section 3 Strategic analysis

349⁸. The strategic analysis shall identify core business lines and critical functions and set out the key steps to maintaining those core business lines and critical functions in a situation of financial stress.

349⁹. A strategic analysis shall include at least:

  1. a description of the bank, as set out in subparagraph 1 of this section;
  2. a description of recovery options, as set out in subparagraph 2-4 of this section.

Subsection 1 The description of the bank

34910. The subsection of the strategic analysis describing the bank covered by the recovery plan shall comprise the following information:

  1. a general characterisation of the bank, including:
     a) a description of their overall global business and risk management strategy;
     b) their business model and business plan, including a list of the main jurisdictions in which they are active, including through a legal entity or a branch meeting the conditions set out in paragraph 34911;
     c) their core business lines and critical functions;
     d) the process and metrics for identifying their core business lines and critical functions;
  2. a mapping of the core business lines and critical functions, on the one hand, and the legal entities and branches meeting the conditions set out in paragraph 34911, on the other hand;
  3. a detailed description of the legal and financial structures of the bank, including an explanation of intra-group interconnectedness with respect to any legal entities or branches meeting the conditions set out in paragraph 34911 and in particular a description of the following:
     a) all existing material intra-group exposures (which individually exceed 5% of the eligible capital of the bank determined according to the Regulation on banks’ large exposures, approved by the decision of the Executive Board of the National Bank of Moldova No 109/2019) and funding relationships, capital flows within the mentioned entities, intra-group guarantees that are in place and intra-group guarantees that are expected to be in place when recovery action is required;
     b) legal interconnectedness, which shall cover material legally binding agreements between entities of a group, including the existence of domination agreements and profit and loss transfer agreements;
     c) operational interconnectedness, which concerns functions that are centralised in one legal entity or branch and are important for the functioning of other legal entities, branches or the group, in particular centralised information technology functions, treasury functions, risk functions or administrative functions;
  4. a description of external interconnectedness including at least:
     a) significant exposures and liabilities to main counterparties;
     b) significant financial products and services which are provided by the bank to other financial market participants;
     c) significant services which third parties provide to the bank.

34911. For the purposes of paragraph 34910 the reference to legal entities or branches shall be understood as a reference to legal entities or branches which:

  1. substantially contribute to the profit of the bank (at least 5% of the profit of the bank) or to their funding, or hold an important share of their assets, liabilities or capital;
  2. perform key commercial activities;
  3. centrally perform key operational, risk or administrative functions;
  4. bear substantial risks that could, in a worst-case scenario, jeopardise the viability of the bank;
  5. could not be disposed of or liquidated without likely triggering a major risk for the bank;
  6. are systemically important institutions defined according to Law No 202/2017.

Subsection 2 Description of the recovery option

34912. The subsection of the strategic analysis that reflects recovery options shall include a list of all recovery options and a description of each option. It shall set out a range of recovery options designed to respond to financial stress scenarios and which could reasonably contribute to maintaining or restoring the viability and financial position of the bank.

34913. Each recovery option shall be described by the bank in a way that enables the National Bank of Moldova to assess its impact and feasibility.

34914. Recovery options shall include measures which are extraordinary in nature as well as measures that could also be taken in the course of the normal business of the bank.

34915. Recovery options shall not be excluded for the sole reason that they would require a change to the current nature of the business of that bank.

Subsection 3 Actions, mechanisms and measures under recovery options

34916. Recovery options shall indicate at least the following:

  1. a range of capital and liquidity actions required to maintain or restore the viability and financial position of the bank, which have as their primary aim ensuring the viability of critical functions and core business lines;
  2. mechanisms and measures the primary aim of which is to conserve or restore the bank's own funds through external recapitalisations and internal measures aimed to improve the capital position of the bank;
  3. mechanisms and measures to ensure that the bank has adequate access to contingency funding sources to ensure that they can carry on their operations and meet their obligations as they fall due. These shall include external measures, and, where appropriate, measures that aim at reorganizing the available liquidity within the group. The contingency funding sources shall include potential liquidity sources, an assessment of available collateral and an assessment of the possibility to transfer liquidity across group entities and business lines;
  4. mechanisms and measures to reduce risk and leverage, or to restructure business lines including, where appropriate, an analysis of possible material divestment of assets, legal entities, or business lines;
  5. mechanisms and measures the primary aim of which is to achieve a voluntary restructuring of liabilities, without triggering an event of default, termination, downgrade or similar.

34917. Where a recovery option does not include the actions, mechanisms or measures set out in paragraph 34916, the description of recovery options shall contain a demonstration that those actions, mechanisms or measures have been adequately considered by the bank, when drawing up the recovery plan.

Subsection 4 Impact, feasibility and continuity of operations assessment

34918. Each recovery option shall contain an impact assessment that shall include, in particular, a detailed description of the processes for determining the value and marketability of the core business lines, operations and assets of the bank to which the recovery option relates, and at least the following elements:

  1. a financial and operational impact assessment which sets out the expected impact on solvency, liquidity, funding positions, profitability and operations of the bank;
  2. an assessment of external impact and systemic consequences which sets out the expected impact on critical functions performed by the bank and the impact on shareholders, on customers, in particular depositors and retail investors, on counterparties and, where applicable, on the rest of the group of which the bank is a part;
  3. the valuation assumptions and all other assumptions made for the purpose of the assessments referred to in subparagraphs 1) and 2), including assumptions about the marketability of the bank’s assets to which the recovery option refers, or the behaviour of other financial institutions.

34919. Each recovery option shall contain a feasibility assessment, which shall include at least:

  1. an assessment of the risk associated with the recovery option, drawing, if applicable, on any experience of executing the recovery option or an equivalent measure;
  2. a detailed analysis and description of any material impediment to the effective and timely execution of the recovery plan, as well as a description of whether and how such impediments could be overcome;
  3. where applicable, an analysis of potential impediments to the effective implementation of the recovery option which result from the structure of the group or of intra-group arrangements, including whether there are substantial practical or legal impediments to the prompt transfer of own funds or the repayment of liabilities or assets within the group. A material impediment shall refer to any factor that could affect the timely execution of the recovery option;
  4. solutions to the potential impediments identified in paragraphs 1) and 2).

34920. Each recovery option shall contain an assessment of how the continuity of operations will be ensured when implementing that option.

34921. An assessment of how business continuity shall be ensured includes an analysis of internal operations (information technology systems, suppliers and human resources operations) and of the access of the bank to market infrastructure (for example, clearing and settlement facilities and payment systems). In particular, the assessment of operational contingency shall take into account:

  1. any mechanisms and measures necessary to maintain continuous access to relevant financial markets infrastructure;
  2. any mechanisms and measures necessary to maintain the continuous functioning of the operational processes of the bank, including infrastructure and IT services;
  3. the expected time frame for the implementation and effectiveness of the recovery option;
  4. the effectiveness of the recovery option, and the adequacy of indicators in a range of scenarios of financial stress which assesses the impact of each of these scenarios on the bank, in particular on their capital, liquidity, profitability, risk profile and operations.

34922. An assessment of continuity of operations shall identify the recovery option which could be appropriate in a specific scenario as well as the time frame required for its implementation.

34923. On the basis of this information, the assessment shall describe the overall recovery capacity of the bank, being the extent to which the recovery options allow the bank to recover in a range of scenarios of severe macroeconomic and financial stress.

Section 4 Communication and disclosure plan

34924. The communication and disclosure plan shall cover the following matters in detail:

  1. internal communication, in particular to staff, works councils or other staff representatives;
  2. external communication, in particular to shareholders and other investors, competent authorities, counterparties, financial markets, financial market infrastructure, depositors and the public, as appropriate;
  3. effective proposals for managing any potential negative market reactions.

34925. A recovery plan shall include, at least, an analysis of how the communication and disclosure plan would be implemented when one or more of the mechanisms or measures set out in the recovery plan are implemented.

34926. The communication and disclosure plan shall adequately consider any specific communication needs for individual recovery options.

Section 5 Preparatory measures

34927. A recovery plan shall include an analysis of any preparatory measures that the bank has taken, or which are necessary to facilitate the implementation of the recovery plan or to improve its effectiveness together with a timeline for implementing those measures.

34928. Such preparatory measures shall include any measures necessary to overcome impediments to the effective implementation of recovery options which have been identified in the recovery plan.

Section 6 Framework of recovery plan indicators

Subsection 1 Framework of recovery plan indicators

34929. The bank shall establish the framework of recovery plan indicators which is assessed by the National Bank of Moldova pursuant to Article 17 of Law No 232/2016.

34930. While setting the thresholds of the recovery plan indicators, the bank should consider the use of progressive metrics, the “traffic light” approach, in order to inform the bank's management body that such indicator thresholds could be reached.

34931. The bank should include in the recovery plan at least the following categories of indicators:

  1. capital indicators;
  2. liquidity indicators;
  3. profitability indicators;
  4. asset quality indicators.

34932. In addition to the categories of indicators mentioned in paragraph 34931, the bank should include in the recovery plan the two following categories of indicators, unless the bank provides satisfactory justifications to the National Bank of Moldova, as to why such categories of indicators are not relevant to the legal structure, risk profile, size and/or complexity of the bank:

  1. market-based indicators;
  2. macroeconomic indicators.

34933. The bank should include the recovery plan indicators included in the list per category provided in Annex No 22 to this Regulation, unless the bank provides satisfactory justifications to the National Bank of Moldova as to why such indicators are not relevant to the legal structure, risk profile, size and/or complexity of the bank or cannot be applied due to the characteristics of the market in which the bank operates.

34934. If the bank is rebutting the presumption as set out in paragraph 34933 for any of the indicators referred to in Annex No 22, the bank should replace it with another indicator from the same category, which is more relevant to the bank. Where replacement is not possible for each indicator from Annex No 22, the bank should include in its recovery plan at least one indicator from each of the categories provided for in paragraph 34931.

34935. The bank should not limit its set of indicators to the minimum list set out in Annex No 22 and should also give consideration to the inclusion of other indicators according to the principles and in line with the description of the categories provided in this chapter. For this purpose, Annex No 23 includes a non-exhaustive list with examples of additional recovery plan indicators, broken down by categories.

34936. The framework of the recovery plan indicators should:

  1. be adapted to the business model and strategy of the bank and, at the same time, be adequate to its risk profile. It should identify the key vulnerabilities most likely to impact the bank's financial situation and lead to the stage where they shall decide whether to activate the recovery plan;
  2. be adequate to the legal structure, size and complexity of each bank. In particular, the number of indicators should be sufficient to alert the bank of deteriorating conditions in a variety of areas. At the same time, these indicators should be adequately targeted and manageable by the bank;
  3. be able to establish the stage in which the bank should decide whether or not to activate one of the measures mentioned in the recovery plan;
  4. be aligned with the overall risk management framework and with the liquidity or capital indicators for unforeseen situations, as well as continuity plan indicators;
  5. allow for regular monitoring and be integrated into the bank's governance and within the escalation and decision-making procedures;
  6. include forward-looking indicators.

Subsection 2 Requirements for the calibration of recovery plan indicators

34937. For the calibration of the recovery plan indicators, the bank should consider the following:
  1. the overall recovery capacity (banks with a more limited overall recovery capacity should consider an earlier breach of recovery plan indicators to maximize chances of successful implementation of their more limited recovery options);
  2. the timeframe and complexity of the implementation of recovery options, taking into account the governance arrangements, regulatory approvals required and potential operational impediments to the execution of the recovery option. For recovery options involving complex execution, which will need more time to implement, the bank should be more conservative in calibrating the indicators to ensure that the warning is carried out on time;
  3. at which stage of the crisis the recovery option can be used effectively. The bank should take account of the fact that for some types of recovery options, the full benefits could be difficult to reach later in a stress situation as opposed to early implementation. In the case of the recovery option of “raising capital in the market” the bank should consider if and when this can realistically be achieved, based on the fact that it might become more difficult to raise external capital the closer the bank comes to breaching its capital requirements;
  4. the pace of deterioration in a crisis. The bank should take into account the fact that the pace of deterioration depends on the specific circumstances of the crisis, specific profiles of the banks, as well as other individual circumstances, which may result in swifter deterioration of the bank's financial position and, subsequently, in a shorter timeframe being available for the implementation of recovery options. In this regard, the bank should consider using indicators showing deterioration over time to detect situations in which a rapid and substantial deterioration of the bank's financial position occurs. If it is difficult to define a single point in time where escalation is needed, consideration should be given to monitoring the change of that indicator;
  5. the bank's management framework and risk appetite framework. The bank should ensure that the calibration of recovery plan indicators is consistent with its risk management and risk appetite framework.

34938. The bank should be able to provide the National Bank of Moldova with an explanation of how the calibration of the recovery plan indicators has been determined and, in order to ensure its effectiveness, be able to demonstrate that the thresholds would be breached early enough to be effective.

34939. The bank should regularly monitor the appropriateness of the calibration of the recovery plan indicators and recalibrate the recovery plan indicators, when necessary, but at least once per year.

34940. The bank shall promptly notify the National Bank of Moldova regarding each update in the calibration of recovery plan indicators with the appropriate explanation and justification of the recalibration.

34941. Recalibration should be agreed by the National Bank of Moldova if it is carried out during the assessment of the banks' recovery plans.

34942. Accordingly, reasoning assumes that:

  1. the recalibrated indicators of the recovery plan comply with the general requirements for the calibration of recovery plan indicators, as referred to in paragraph 34937;
  2. adjustments shall reflect the changes made to the bank's business model and financial profile and are aligned with the bank's internal risk management framework and risk appetite framework;
  3. the level of calibration of the capital indicators should exceed the own funds requirement.

Subsection 3 Notification upon breaching (exceeding) recovery plan indicators

34943. To show the warning potential of the breach of the recovery plan indicators, within one working day of the breach of the indicator threshold, the bank's management body should be alerted to initiate the escalation process in order to ensure that any breach is considered and, where relevant, acted upon.

34944. At the latest within one working day following the internal escalation process referred to in paragraph 34943, the bank should notify the National Bank of Moldova about the indicator threshold breach, as well as about the decision of the management body related to the recovery actions applied, the recovery options that should be used and a remedial timetable of the breach. The decision taken should be based on a reasoned analysis of the circumstances surrounding the breach. If the decision does not provide for the application of the recovery measure, the explanation provided by the bank to the National Bank of Moldova should clearly articulate the reasons why and, where appropriate, demonstrate how the restoration of the indicators is possible without the use of recovery measures.

34945. Any action or option taken or considered by the bank following the breach of the recovery plan indicator, even if previously not included in the recovery plan, should be deemed relevant for the communication with the National Bank of Moldova.

Subsection 4 Monitoring recovery plan indicators

34946. The bank should monitor the recovery plan indicators with an adequate frequency, allowing for the timely submission of the indicators to the National Bank of Moldova upon request.

34947. The bank should be able to provide the National Bank of Moldova, upon request, with values for its full set of recovery plan indicators, breached (exceeded) or not, even if the values for the indicators have not changed.

Section 7 Recovery plan indicators

Subsection 1 Capital indicators

34948. Capital indicators should identify any significant actual and likely future deterioration in the quantity and quality of capital in a going concern, including increasing level of leverage.

34949. When selecting capital indicators, account should be taken of their ability to allow the bank to timely react to address potential issues. Certain measures to restore the bank's capital position can be subject to longer execution periods or greater sensitivity to market conditions. Thus, when establishing the indicators in an anticipatory phase, the bank should consider material contractual maturities relating to capital instruments.

34950. The capital indicators should also be integrated into the Internal Capital Adequacy Assessment Process (ICAAP), as well as the existing risk management framework.

34951. The thresholds for indicators should be calibrated according to the bank’s risk profile and the time required for the escalation of the recovery measures, taking into account the recovery ability resulting from these measures and the speed of capital deterioration, based on the bank’s individual circumstances.

34952. Thresholds for indicators based on regulatory capital requirements should be calibrated by the bank at adequate levels in order to ensure a sufficient distance from a breach of the capital requirements.

Subsection 2 Liquidity indicators

34953. Liquidity indicators should reflect potential or actual deterioration of the capacity of the bank to meet its current and foreseen liquidity and funding needs.

34954. The bank's liquidity indicators should refer to both the short-term and long-term liquidity and funding needs of the bank, distinguishing among key currencies where relevant.

34955. The liquidity indicators should be integrated with the strategies, policies, processes, and systems developed by the bank pursuant to the existing risk management framework. The liquidity indicators should also cover other potential liquidity and funding needs, such as exposures stemming from off-balance-sheet structures.

34956. The thresholds identified by the bank should be calibrated based on the bank’s risk profile and should take into account the speed with which the liquidity situation can change, given the individual circumstances of the bank, and the calibration should be above the level of the minimum requirement.

34957. The thresholds should be set based on the bank’s risk profile and the time required to escalate the recovery measures, and should consider the recovery capacity resulting from these measures. When referring to the minimum regulatory requirements applicable to the bank (including additional liquidity requirements imposed on the bank, if appropriate), the indicators should be set by the bank at appropriate levels to enable the bank to be informed of potential and/or existing risks of non-compliance with these minimum requirements.

Subsection 3 Profitability indicators

34958. Profitability indicators should capture any income-related aspect of the bank that could lead to a rapid deterioration in the bank’s financial position by registering lowered retained earnings or losses impacting on the own funds of the bank.

34959. The category of the profitability indicators should include recovery plan indicators referring to operational risk-related losses which may have a significant impact on the profit and loss statement, including but not limited to conduct-related issues, external and internal fraud and/or other events.

Subsection 4 Asset quality indicators

34960. Asset quality indicators should measure and monitor the asset quality evolution of the bank; they should indicate when asset quality deterioration could lead to the point at which the bank should consider taking an action described in the recovery plan.

34961. The asset quality indicators may include both a stock and a flow ratio of non-performing exposures in order to capture their level and dynamics.

34962. The asset quality indicators should cover aspects such as off-balance-sheet exposures and the impact of non-performing loans on the asset quality.

Subsection 5 Market-based and Macroeconomic indicators

34963. Market-based indicators aim to capture the expectations from market participants of a rapidly deteriorating financial condition of the institution that could potentially lead to disruptions in access to funding and capital markets. In accordance with this objective, the framework of qualitative and quantitative indicators should refer to the following types of indicators:

  1. equity-based indicators which capture variations in the share price of listed companies, or ratios that measure the relationship between the book and market value of equity;
  2. debt-based indicators, capturing expectations from wholesale funding providers such as “credit default swaps” or “debt spreads”;
  3. portfolio-related indicators, capturing expectations in relation to specific asset classes relevant to each bank (e.g. real estate);
  4. rating downgrades (long-term and/or short-term) as they reflect expectations of the rating agencies that can lead to rapid changes in the expectations of market participants regarding the institution’s financial position.

34964. Macroeconomic indicators aim to capture signals of deterioration in the economic conditions in which the bank operates, or of concentrations of exposures or funding.

34965. The macroeconomic indicators should be based on metrics that influence the performance of the bank in specific geographical areas or business sectors that are relevant for the bank.

34966. The macroeconomic indicators should include the following typologies:

  1. geographical macroeconomic indicators, relating to various jurisdictions to which the bank is exposed, giving also consideration to risks stemming from potential legal barriers;
  2. sectoral macroeconomic indicators, relating to major specific sectors of economic activity to which the bank is exposed (e.g. shipping, real estate).

Section 8 Requirements regarding stress scenarios used in the recovery plan

34967. Pursuant to Article 13 paragraph 2 of the Law No 232/2016, the bank shall establish a range of scenarios aiming to define a range of hypothetical events against which the effectiveness of recovery options and the adequacy degree of indicators contained in the recovery plan shall be tested.

34968. A bank should include at least three scenarios to ensure coverage of a system-wide event, an idiosyncratic event, and a combination of system-wide and idiosyncratic event.

34969. Each scenario should be designed to meet each of the following requirements:
  1. the scenario should be based on events that are most relevant to the bank, taking into account, among other relevant factors, its business and funding model, its activities and structure, its size or its interconnectedness to other banks or to the financial system in general, and, in particular, any identified vulnerabilities or weaknesses of the bank;
  2. the events foreseen in the scenario would threaten to cause the failure of the bank, unless recovery measures were implemented in a timely manner; and
  3. the scenario should be based on events that are exceptional but plausible.

34970. Each scenario should include, where relevant, an assessment of the impact of the events on at least each of the following aspects of the bank:

  1. available capital;
  2. available liquidity;
  3. risk profile;
  4. profitability;
  5. operations, including payment and settlement operations;
  6. reputation.

34971. Reverse stress testing should be considered as a starting point for developing scenarios that should be only “near-default”; i.e. they would lead to a bank’s business model becoming non-viable unless the recovery actions were successfully implemented.

34972. At least one scenario should be included for each of the following types of events:

  1. a system-wide event;
  2. an idiosyncratic event;
  3. a combination of system-wide and idiosyncratic events, which occur simultaneously and interactively.

34973. The number of scenarios used should be commensurate, in particular, with the nature of the business of the bank, its size, its interconnectedness to other banks and to the financial system in general and its funding models.

34974. Banks that are systemically important institutions, identified pursuant to Article 63, paragraph (7) of Law No 202/2017, should include more than three scenarios.

34975. The range of scenarios should include both slow-moving and fast-moving adverse events.

34976. In designing scenarios based on system-wide events the relevance of at least the following system-wide events should be taken into account:

  1. the failure of significant counterparties affecting financial stability;
  2. a decrease in liquidity available in the interbank lending market;
  3. increased country risk and generalised capital outflow from a significant country of operation of the bank;
  4. adverse movements in the price of assets in one or several markets;
  5. a macroeconomic downturn.

34977. In designing scenarios based on idiosyncratic events the relevance of at least the following idiosyncratic events should be taken into account:
  1. the failure of significant counterparties;
  2. damage to the bank’s or group’s reputation;
  3. a severe outflow of liquidity;
  4. adverse movements in the prices of assets to which the bank is predominantly exposed;
  5. severe credit losses;
  6. a severe operational risk loss.

Section 9 Assessment of recovery plans

Subsection 1 Completeness and quality of recovery plans

34978. The National Bank of Moldova shall assess the extent to which the bank’s recovery plan satisfies the requirements set out in Law No 232/2016 and shall review the completeness of the recovery plan based on the following:

  1. whether the recovery plan covers the information listed in section A of the Annex to the Law No 232/2016;
  2. whether the recovery plan provides information that is up to date, also with respect to any material changes, in particular changes to the legal or organizational structure, business or financial situation of the bank since the last submission of the recovery plan, in accordance with Article 10 of Law No 232/2016;
  3. where applicable, whether the recovery plan includes an analysis of how and when the bank may apply, in the conditions addressed by the plan, for the use of the National Bank of Moldova facilities and identify those assets which would be expected to qualify as collateral;
  4. whether the recovery plan adequately reflects an appropriate range of scenarios of severe macroeconomic and financial stress relevant to the specific conditions of the bank, in accordance with Article 13, paragraph (2) of Law No 232/2016, that further specify the range of scenarios to be used in recovery plans, by making every effort to comply with them;
  5. whether the recovery plan contains a framework of indicators which identifies the points at which appropriate actions referred to in the plan may be taken;
  6. whether the plan includes, where applicable, arrangements for intra-group financial support; whether the information referred to in paragraphs (1) to (5) is provided in relation to the group as a whole;
  7. whether the recovery plan identifies, for each of the scenarios of financial and macroeconomic stress, which is reflected in the plan, whether there are obstacles to implementing recovery measures and substantial practical or legal impediments to the prompt transfer of own funds or the repayment of liabilities or assets within the group.

34979. In assessing the requirements and criteria set out in Article 10 and Article 13 of Law No 232/2016, as applicable, the National Bank of Moldova shall review the quality of a recovery plan based on the following:
  1. the clarity of the plan is considered to be established if: a) the plan is self-explanatory and is drafted in clear and understandable language; b) definitions and descriptions are clear and consistent throughout the plan; c) assumptions and valuations made within the plan are explained; d) references to documents not contained in the plan and any annexes supplement the recovery plan in a way which substantially contributes to identifying options to maintain or restore the financial strength and viability of the bank;
  2. the relevance of information contained in the plan is considered to be established if such information focuses on identifying options to maintain or restore the financial strength and viability of the bank;
  3. the comprehensiveness of the recovery plan is considered to be established if, taking into account in particular the nature of the business of the bank and their size and interconnectedness to other banks and groups and to the financial system in general: a) the recovery plan provides a sufficient level of detail pursuant to Articles 10 - 13 of Law No 232/2016; b) the recovery plan contains a sufficiently wide range of recovery options and indicators, taking into account the guidelines of this Regulation;
  4. the internal consistency of the recovery plan is considered to be established in the case of an individual recovery plan.

Subsection 2 Implementation of the mechanisms proposed in the recovery plans

34980. When assessing the extent to which the recovery plan satisfies the criterion set out in Article 17, item (a) of Law No 232/2016, the National Bank of Moldova shall review the following:

  1. the level of integration and consistency of the recovery plan with the general corporate governance and the internal processes of the bank and its/their risk management framework;
  2. whether the recovery plan contains a sufficient number of plausible and viable recovery options which make it reasonably likely that the institution or group would be able to counter different scenarios of financial distress quickly and effectively;
  3. whether recovery options included in the plan set out actions which effectively address the scenarios of severe macroeconomic and financial stress reflected in accordance with Article 13, paragraph (2) of Law No 232/2016;
  4. whether the timeline for implementing the options is realistic and is taken into account in the procedures designed to ensure implementation of recovery actions;
  5. the level of the bank's preparedness to redress the situation of financial stress, as determined in particular by assessing whether the preparatory measures necessary have been adequately identified and, where appropriate, those measures have been implemented or a plan to implement them has been prepared;
  6. the adequacy of the range of scenarios of severe macroeconomic and financial stress against which the plan has been tested;
  7. the adequacy of the processes for testing the recovery plan against the scenarios referred to in sub-paragraph 6) and the extent to which the analysis of recovery options and indicators in each scenario is verified by that testing;
  8. whether the assumptions and valuations made within the recovery plan and each recovery option are realistic and plausible.

34981. The plausibility of each recovery option set out in the plan as referred to in paragraph 34980, sub-paragraph 2), shall be assessed taking into account all of the following elements:
  1. the extent to which its implementation is within the bank's control and the extent to which it would rely on action by third parties;
  2. whether the recovery plan includes a sufficiently wide range of recovery options and appropriate indicators, conditions and procedures to ensure timely implementation of these options;
  3. the extent to which the recovery plan considers reasonably foreseeable impacts of the implementation of the proposed recovery option on the bank;
  4. whether the recovery plan and in particular the recovery options would be likely to maintain the viability of the bank and restore its financial soundness;
  5. if applicable, the extent to which the bank, or competitors with similar characteristics, have managed a previous episode of financial stress with similar characteristics to the scenario being considered by using the recovery options described, in particular as regards timely implementation of recovery options.

34982. When assessing the extent to which the recovery plan satisfies the criterion set out in Article 17, item b) of Law No 232/2016, the National Bank of Moldova shall review the following:
  1. whether it is reasonably likely that the plan and individual recovery options can be implemented in a timely and effective manner even in situations of severe macroeconomic or financial stress;
  2. whether it is reasonably likely that the recovery plan and particular recovery options can be implemented to an extent which sufficiently achieves their objectives without any significant adverse effect on the financial system;
  3. whether the range of recovery options sufficiently reduces the risk that obstacles to implementing those options or adverse systemic effects arise due to the recovery actions of other banks being taken at the same time;
  4. the extent to which the recovery options may conflict with those of banks which have similar vulnerabilities, for example due to their similar business models, strategies, or scope of activity, if the options were implemented at the same time;
  5. the extent to which the implementation of recovery options by several banks or groups at the same time is likely to negatively affect the impact and feasibility of those options.

34983. When assessing the overall credibility of a recovery plan in accordance with paragraphs 34980 - 34982, the National Bank of Moldova shall take into account the nature of the business of the bank, their size and their interconnectedness to other banks and groups and to the financial system in general.

[Chapter III (para. 3491 – 34983) added by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]

TITLE VII INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) AND THE INTERNAL LIQUIDITY ADEQUACY ASSESSMENT PROCESS (ILAAP)

[The name of the title VII amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

Chapter I INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

[The name of the Chapter I added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]
350. The internal capital adequacy assessment process shall be a component of the bank's management process and its decision-making culture.

351. Under paragraph 350, the internal capital adequacy assessment process shall ensure that the management body is able to continually assess the bank's risk profile and the adequacy of its internal capital against that risk.

352. The internal capital adequacy assessment process shall be formalized in bylaws, including internal strategies and processes. In the internal capital adequacy assessment process, the bank shall achieve:
  1. identifying, measuring, reducing and reporting the risks to which the bank is or may be exposed for the continuous calculation and assessment of internal capital needs;
  2. planning and maintaining the internal capital sources required to achieve capital adequacy with the bank's risk profile.

353. The bank shall inform the National Bank of Moldova with regard to the following:
  1. structure of the internal process for assessing capital adequacy;
  2. assumptions that are used to determine the risks by sectors and types of risks;
  3. risk sensitivity and safety levels used to quantify the risks;
  4. way of aggregating risks to determine the internal capital requirements;
  5. assumptions used to determine available internal capital, including the time horizon considered in internal capital planning.

354. In the internal capital adequacy assessment process, the bank shall identify and assess all significant risks to which it is or may be exposed, including:


  1. risks which have regulated capital requirements, including significant differences between the regulated risk treatment for the calculation of minimum capital requirements and treatment provided by the internal capital adequacy assessment process risks;
  2. risks without regulated capital requirements and/or that are not fully covered by capital;
  3. risks resulting from less sophisticated approaches underestimating credit risk in the context of using the standardized approach, underestimating operational risk in the context of using the underlying approach or the standardized approach;
  4. underestimation of loss in the event of default in times of crisis;
  5. residual risk associated with credit risk mitigation techniques;
  6. risks generated by lending in foreign currency to borrowers exposed to foreign exchange risk;
  7. interest rate risk from non-commercial activities, concentration risk, liquidity risk, reputational risk and strategic risk. For risks in this category, the bank may use qualitative valuation and mitigation methods;
  8. external risks of the bank, i.e. risks related to the regulatory, economic or banking environment, and which do not fall under the situations set out in sub-paragraphs 1) - 3).

[Paragraph 354 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

355. The bank shall determine the manner and extent to which significant risks are dealt with in the internal capital adequacy assessment process. In this respect, the bank shall identify the risks for which an internal capital requirement shall be determined to cover them, as well as those for which other methods shall be used to manage and mitigate them.

356. The bank shall be responsible for the internal capital adequacy assessment process, as well as for establishing internal capital requirements that are consistent with its risk profile and operational environment.

357. The internal capital adequacy assessment process shall be tailored to the needs of the bank and shall use input data and definitions used by the bank for internal purposes.

358. Under paragraph 357, the bank may use its own definitions of its internal capital, its risk components and degree of significance of a risk, with explanations provided to the National Bank of Moldova, including on the methodology used for determining the bank’s available internal capital and methods used to cover with capital all significant risks, and how the approach used by the bank interacts with the obligations on Calculation of Capital Requirements in order to cover the assumed risks.

[Paragraph 358 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

359. The bank shall clearly establish within the internal capital adequacy assessment process the types of risk for which it uses a quantitative approach in their valuation, management and mitigation, and those for which they use a qualitative approach to these aspects.

360. In the internal capital adequacy assessment process, the strategic plans of the bank and their relationship with macroeconomic factors shall be considered.

361. Under paragraph 360, the bank shall develop a strategy to maintain capital levels, considering factors such as forecasts of the growth rate of assets and the loan portfolio, sources and uses of future funds, dividends and any variation within an economic cycle of equity requirement regulated under Law No 202/2017.

362. The bank shall have an explicit capital plan approved by the council of the bank, which shall include, at a minimum, the following:
  1. objectives of the bank and the time horizon required to achieve those objectives;
  2. general description of the capital planning process and its associated responsibilities;
  3. how the bank shall comply with capital requirements in the future;
  4. any relevant capital limits;
  5. general contingency plan for the treatment of unexpected divergences and events, which shall include the possibility of capital increase, restriction of activity or use of risk mitigation techniques.

363. Under the capital plan, the bank shall set as an objective an internal level of the capital requirement, considering the risk profile, economic environment in which it operates, quality of internal control and risk management processes, strategic plans, available domestic capital.

364. The bank shall conduct stress tests that consider elements such as risks specific to the jurisdiction in which it operates and stage of the economic cycle.

365. The bank shall use stress test outcomes both in the internal capital planning process and in determining internal capital requirements appropriate to the risk profile.

366. The bank shall analyze the impact that the new regulatory framework, behavior of competitors or other factors may have on its performance to determine changes in the operating environment that it might manage.

367. The bank shall design its internal capital adequacy assessment process to use approaches such as:

  1. results produced by regulated methodologies for the calculation of capital requirements related to risks provided by the normative acts issued by the National Bank of Moldova and considering risks such as concentration risk, residual risk resulting from the use of the credit risk mitigation techniques; or interest rate risk in the banking book. When using this approach, the bank shall demonstrate that it has analyzed all the unregulated risks and found that they are either absent or insignificant, or calculated a capital requirement that has been added to that established under the regulatory acts mentioned above;
  2. different methodologies for different types of risks and calculation of a sum of resulting capital requirements. In this respect, for a certain type of risk, the bank may use methodologies other than those used for the purposes of determining minimum capital requirements;
  3. complex methodologies.
368. The bank shall justify the situations where the methodology takes into account diversification and correlation effects.

369. Where, for some risk categories, insufficient information is available, the bank may use estimates in the methodology.

370. The bank shall include in its internal capital adequacy assessment process risk estimates that cannot be measured, if they are material.

371. The internal capital adequacy assessment process shall be based on appropriate measurement and evaluation processes.

372. Under paragraph 371, the bank shall have appropriate policies and processes for the assessment of significant risks other than those set out in paragraph 354.

373. The bank's internal capital adequacy assessment process shall be periodically reviewed, whenever deemed necessary, so that it is kept comprehensive and proportionate to the nature, scale and complexity of activities, and risks are adequately covered, and capital coverage reflects the current risk profile of the bank.

374. Without prejudice to paragraph 373, the bank shall review the internal capital adequacy assessment process, at a minimum, in the following circumstances: changes in the bank's strategy and operating model, business plan, operating environment, or any other factors that have a significant effect on the assumptions or methodologies used in that process.

375. Any new risks arising in bank activity shall be identified and included in the internal capital adequacy assessment process.

376. The bank shall develop and document in detail the internal capital adequacy assessment process. Initiating the internal process of assessing capital adequacy to risks is the duty of the management body of the bank.

377. Under paragraph 376, the council of the bank shall approve the design of the internal capital adequacy assessment process at conceptual level, at a minimum the scope, methodology and overall objectives, and the bank's executive body shall be responsible for approving the details of technical criteria design.

378. The management body of the bank shall be responsible for integrating capital planning and management into the bank's risk culture and overall risk management approach.

379. Under paragraph 378, the management body shall ensure that the process related to capital planning, as well as process management policies and procedures, are communicated and implemented at the level of the entire bank and are backed up with sufficient authority and resources.

380. The internal capital adequacy assessment process of the bank, its policies, methodologies, assumptions and procedures must be provided in a document to be approved and, whenever necessary, revised by the council of the bank.

381. The results of the internal capital adequacy assessment process shall be reported to the bank's management body.

382. The internal capital adequacy assessment process shall ensure that the bank's internal capital is established and maintained at an appropriate level in relation to the internal needs of its risk profile.

383. The banks shall report to the National Bank of Moldova on the level of capital surplus/deficit resulting from the internal capital adequacy assessment process in the reporting referred to in paragraph 389.

384. Under paragraph 383, the bank shall be able to explain to the National Bank of Moldova the similarities and differences between the outcome of the internal capital adequacy assessment process and the capital requirements regulated by the National Bank of Moldova.

385. The outcomes and conclusions of the internal capital adequacy assessment process need to be taken into account when developing and revising the risk strategy and appetite.

386. The bank shall prepare and submit annually to the National Bank of Moldova a report on the internal capital adequacy assessment process, which shall include the elements set out in this Title and in Annex 3, with the attachment of copies, confirmed by the bank, of all supporting documents mentioned in the report, including the identification of issues requiring improvements and measures planned for this purpose at bank level. This report shall be reviewed by the National Bank of Moldova in the verification and evaluation process provided for in Article 100, paragraphs (1) - (4), of Law No 202/2017.

[Paragraph 386 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

387. The bank shall prepare and report annually to the National Bank of Moldova on measures taken to manage the significant risks to which it is exposed.

Chapter II INTERNAL LIQUIDITY ADEQUACY ASSESSMENT PROCESS (ILAAP)

[Chapter II (3871 – 38712) added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3871. During the establishment and continuous development of the ILAAP process, the bank shall apply mutatis mutandis the provisions of Chapter I of this title, with the particularities provided for in this chapter.

[Paragraph 3871 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3872. The elements and results of the crisis simulations within the ILAAP process shall be correlated with those within the ICAAP process. This involves taking into account the underlying assumptions, the results of the crisis simulations and the actions that the management body intends to take.

[Paragraph 3872 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3873. Strategies, policies, processes and the systems of the bank referred to in Article 79, paragraph (3) of the Law No 202/2017 shall be adjusted according to the activity lines, currencies, branches and entities and shall comprise appropriate allocation mechanisms for liquidity costs, benefits and risks.

[Paragraph 3873 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3874. The bank shall develop methodologies for identifying, quantifying, managing and monitoring funding sources, which should focus on significant present and expected cash flows from assets, liabilities, off-balance sheet items, including contingent liabilities and the possible impact of reputational risk.

[Paragraph 3874 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3875. The bank shall always distinguish between encumbered assets and available assets, especially in emergency situations. It should also be considered the legal entity where the assets are located, the country where the assets are legally registered either in a register or in an account, as well as their eligibility and supervision on how the assets can be mobilized promptly.

[Paragraph 3875 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3876. The bank shall also take into account the existing legal, regulatory and operational limits, imposed on potential transfers of liquidity and unencumbered assets between entities, from the Republic of Moldova and from another country.

[Paragraph 3876 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3877. The bank shall have different liquidity risk mitigation tools, including a system of liquidity limits and reserves, to be able to address different crisis situations, as well as a funding structure and access to diversified funding sources in a proper manner. These provisions are regularly reviewed by the bank.

[Paragraph 3877 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3878. The bank shall consider alternative liquidity scenarios and risk mitigation factors and review the assumptions underlying the decisions referring to the funding position at least once a year. For this purpose, the alternative scenarios shall specifically target off-balance sheet elements and other contingent liabilities, including those of special purpose entities, in relation to which the bank acts as a sponsor or provides significant liquidity support.

[Paragraph 3878 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

[Paragraph 3878 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3879. The bank shall adjust strategies, internal policies and limits regarding liquidity risk and develop effective contingency plans, considering the outcome of the alternative scenarios mentioned in paragraph 3878.

[Paragraph 3879 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

38710. Liquidity contingency plans shall set out appropriate strategies and enforcement measures to address the issue of eventual liquidity shortages, including in relation to branches established in another country.

[Paragraph 38710 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

38711. Liquidity contingency plans shall be tested by the bank, at least once a year, updated based on the results of the alternative scenarios referred to in paragraph 3878, reported to the appropriate management body and approved by it, so that the internal policies and processes can be adjusted accordingly.

[Paragraph 38711 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

38712. The bank shall draw up and submit to the National Bank of Moldova, annually, a report on the assessment process of the adequacy of internal liquidity, which should comprise the items provided for in this title and in Annex No 4, enclosing the copies confirmed by the bank of all the supporting documents referred to in the report, including identifying the aspects that require improvement and regarding the measures planned in this regard at the bank level. The respective report is to be examined by the National Bank of Moldova within the review and assessment process provided for in Article 100 paragraph (1)-(4) of Law No 202/2017.

[Paragraph 38712 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

TITLE VIII REPORTING

[Paragraph 388 repealed by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

389. The reports referred to in paragraph 386 and paragraph 387, drawn up by the bank and approved by its management body, shall be submitted to the National Bank of Moldova, within 4 months from the end of the financial year, while the report referred to in paragraph 38712 shall be submitted within 5 months from the end of the financial year. The reports shall be submitted in Romanian. The aforementioned reports shall be submitted via the web portal of the National Bank of Moldova's information system on licensing, authorization, and notification, in accordance with the Guide on the use of the web portal of the National Bank of Moldova's information system on licensing, authorization and notification.

[Paragraph 389 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

[Paragraph 389 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

390. The bank shall annually prepare and send to the National Bank of Moldova, through the web portal of the National Bank of Moldova's information system on licensing, authorization, and notification, in accordance with the Guide on the use of the web portal of the National Bank of Moldova's information system on licensing, authorization, and notification, within 4 months of the end of the reporting year, a report signed by the chair of the council of the bank on the terms of conduct of internal control, with separate treatment of issues related to the risk management function, compliance function and internal audit function. The report shall be submitted in Romanian and shall include, at a minimum:

  1. an inventory of main deficiencies identified in each internal control function and measures taken to remedy them;
  2. description of significant changes in the three functions: compliance, internal audit and risk management over the reporting period;
  3. description of terms of enforcement of control procedures related to new activities;
  4. conducting internal control within separate bank subdivisions, including from abroad;
  5. information on audit work conducted during the reporting period, showing the findings and recommendations of the internal audit function and the degree of implementation of recommendations by the bank’s executive body;
  6. level of bank compliance with prudential requirements set by the legislative framework.

[Paragraph 390 amended by Decision of the NBM No 219 of 25.09.2025, in force 02.03.2026]

[Paragraph 390 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

3901. The bank or the persons convening the general meeting of shareholders shall submit to the National Bank of Moldova, by means of an accompanying letter, the information regarding the convening of the general meeting of shareholders, which should include, at least, the following:

  1. the extract from the minutes of the meeting of the management body that decided on the convening of the general meeting of shareholders or of the meeting of other persons convening the general meeting, as the case may be, which should contain the data provided for in Article 51 paragraph (8) items a) – g) of the Law No 1134/1997 on joint-stock companies (hereinafter - Law No 1134/1997);
  2. the copies, signed by the bank/person convening the general meeting of shareholders, of the confirmatory documents certifying the measures taken related to the provisions of Article 53 paragraph (1) item b) or paragraph (2) of Law No 1134/1997;
  3. the copy of the publication in which the announcement about the holding of the general meeting of shareholders was placed, except for the case provided for in Article 53 paragraph (1) item b) of the Law No 1134/1997.

[Paragraph 3901 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3902. The information referred to in paragraph 3901 shall be submitted as follows:
  1. as concerns the annual ordinary general meeting of shareholders, no later than 25 days before its holding;
  2. as concerns the extraordinary general meeting of shareholders, no later than 12 days before its holding;
  3. as concerns the repeated general meeting, no later than 10 days before its holding;
  4. if the general meeting of shareholders is held under the provisions provided for in Article 58 paragraph (7) of the Law 1134/1997, the information should be submitted within 7 days after the respective decision was adopted, but no later than 3 days before the holding of the general meeting of the shareholders.

[Paragraph 3902 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3903. Within 15 working days from the closing date of the general meeting of shareholders, the bank shall submit to the National Bank of Moldova the copies, signed by the bank, the document provided for in paragraph 394 subparagraph 3) and the publication in which the decision approved by the general meeting of shareholders had been placed. If the decision to increase the bank's share capital by issuing additional shares is adopted during the general meeting of shareholders, the bank shall submit to the National Bank of Moldova, at least, the following:
  1. the copy, signed by the bank, of the decision regarding the additional issue of securities approved by the general meeting of shareholders;
  2. the copies, signed by the bank, of the report on the results of the issue of securities and the list of subscribers to the securities placed based on the decision adopted at the general meeting of shareholders, drawn up according to the requirements provided by the normative acts of the National Commission for Financial Markets.

The mentioned information shall be submitted to the National Bank of Moldova within 5 days from the date of the meeting of the authorized body at which the results on the issue of securities were approved.

[Paragraph 3903 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3904. The National Bank of Moldova may request the partial or complete submission of the information laid out in the annexes to the minutes of the general meeting of shareholders.

[Paragraph 3904 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3905. The branch of the bank from another country shall inform the National Bank of Moldova about the convening of the general meeting of shareholders of the bank from another country, if the agenda includes topics related to the activity of the branch of the bank from another country and shall present a copy of the agenda no later than 5 working days before its holding. Within 20 working days from the closing of the general meeting of shareholders, the branch of the bank from abroad shall submit to the National Bank of Moldova the document provided for in paragraph 394 subparagraph 4).

[Paragraph 3905 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

391. The bank shall notify the National Bank of Moldova, as soon as possible, of any substantial changes in its activity, structure and general situation, or as soon as it becomes aware of any significant developments, including violations of legal or prudential requirements.

[Paragraph 391 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

3911. The bank shall inform the National Bank of Moldova about any information that might negatively affect the suitability of a member of the management body as soon as it becomes aware of such information, but no later than 5 working days.

[Paragraph 3911 added by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

392. Without prejudice to the provisions of the preceding paragraph, the bank shall notify the National Bank of Moldova of detected fraud cases no later than the next working day from the date of the finding, where they can affect the bank's safety, solidity and reputation. The information shall include the description of the fraud/frauds found, the value of damage incurred by the bank as a result of the fraud. Where the loss amount has not been accurately determined, the bank shall present a loss estimate at the time of reporting.

393. The bank/branch of a bank from a foreign state shall submit its bylaws to the National Bank of Moldova, drawn up in Romanian, except the secondary bylaws in the IT field, in electronic form, through the web portal of the Information system of the National Bank of Moldova on licensing, authorization and notification, according to the Guide on the use of the web portal and the Information system of the National Bank of Moldova on licensing, authorization and notification, for the purpose of sending bylaws by the bank/branch of a bank from a foreign state, as well as for their storage in electronic form. If the bylaws of the bank/branch of a bank from a foreign state are amended, they shall be sent to the National Bank of Moldova together with the amendments, within 10 working days from the date of their approval.

[Paragraph 393 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]

[Paragraph 393 added by Decision of the NBM No 126 of 25.04.2019, in force 03.06.2019]

394. Under paragraph 393, the bank/branch of a bank from a foreign state shall send to the National Bank of Moldova information drawn up in Romanian, as follows:

  1) On a quarterly basis, within 20 working days from the closure of the reporting quarter, the following documents that have been drafted/approved in the respective quarter:
     a) the minutes of the meetings of the management body of the bank/branch of a bank from a foreign state;
     b) the minutes of the meetings of specialized committees of the council of bank/management body of the branch of a bank from a foreign state;
     c) the reports drafted for the internal audit, risk management function and the compliance function, and subsequently submitted to the council of the bank/management of a branch of a bank from a foreign state.
  2) On an annual basis, within 10 working days from the date of approval by the council of the bank/management body of the branch of a bank from a foreign state - the plan (program) of internal audit of the bank/branch of a bank from a foreign state, for the reporting year.
  3) Within 15 working days from the date of closure of the general meeting of shareholders of the bank - the minutes of the general meeting of shareholders (without annexes);
  4) Within 20 working days from the date of closure of the general meeting of shareholders of the bank from a foreign state, the excerpt of the minutes of the general meeting of shareholders, which includes topics related to the activity of the branch of a bank from a foreign state.
  5) The recovery plan, referred to in paragraphs 349¹, should be submitted annually to the National Bank of Moldova within 6 months from the completion of the financial exercise, having as reference date 31 December, with the attachment of the extract from the minutes of the meeting of the Executive Board at which the Decision on the approval of the recovery plan was adopted and the reasoning note related to the updates. As the recovery plan is updated, during the management year, the bank, within 15 days from the date of approval by the Executive Board of the bank, shall submit to the National Bank of Moldova the updated recovery plan, the extract from the minutes of the meeting of the Executive Board where the Decision was adopted regarding the approval of the updated recovery plan and the reasoning note related to the update.

[Paragraph 394 amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]
[Paragraph 394 amended by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]
[Paragraph 394 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]
[Paragraph 394 added by Decision of the NBM No 126 of 25.04.2019, in force 03.06.2019]

Annex 1 to the Regulation on Banking Activity Management Framework

Documents (information) on direct, indirect owners, including effective beneficiaries, in the bank’s capital, as well as documents (information) on bank debtors (credit beneficiaries), direct, indirect owners, including their effective beneficiaries

The bank shall obtain, hold and update, at a minimum annually, in the event of changes in the shareholders' registry whenever they occur, and in the event of affiliation or concerted activity, the following documents (information) on direct, indirect owners, including actual beneficiaries of bank holdings, on bank debtors, direct and indirect owners, including their effective beneficiaries:

  1. For holders who, individually and/or acting in concert, own qualified holdings in the bank's share capital/bank debtors – legal entities:
     1) excerpt from the bank's shareholders’ registry (for bank shareholders);
     2) excerpt from the state registry issued by the body empowered with competencies to register legal entities;
     3) articles of incorporation, including status, with subsequent amendments and addenda;
     4) excerpt from the shareholders' registry – for persons holding 20 percent of its capital;
     5) list of members of the council of the bank and executive body of the holder/debtor;
     6) information on qualifications of members of the council of the bank and executive body of the holder/debtor as members of the management body in other entities and their possession of holdings in the amount of 20 percent or more in the capital of commercial undertakings. Where the holder is a bank or an international financial organization from a foreign state, which applies supervisory provisions and prudential regulation equivalent, at a minimum, to those applied in the Republic of Moldova – information on possession by members of the management body of controlling holdings in commercial undertakings;
     7) information regarding spouses, relatives and relatives of the first and second degree of the persons referred to in subparagraph 5), spouses of the mentioned relatives and in-laws, information regarding the positions of members of the management body held by the respective persons in other entities, as well as their holdings of 20 percent and more in the capital of commercial companies. If the holder is a bank from a foreign country, which applies the provisions of supervision and prudential regulation at least equivalent to those applied in the Republic of Moldova, such information shall not be required;
     8) information on holdings of 20 percent or more of the holder/debtor in the capital of commercial undertakings. Where the holder is a bank from a foreign state that applies prudential supervision and regulation requirements equivalent, at a minimum, to those applied in the Republic of Moldova – information on control holdings in commercial undertakings;
     9) information on the legal person or individual acting in the name or on behalf of the holder/debtor, with indication of these powers;
     10) information on the legal person or individual in the name or on behalf of which the holder/debtor acts, with indication of these powers;
     11) list of other persons acting in concert/related to the holder/debtor, with specification of the criterion that determines their concerted action/relation;
     12) financial statements (at least annual) of the holder possessing qualifying holdings in the bank's/debtor's capital, audited by an audit entity or approved by the general meeting of shareholders where the general shareholders’ meeting did not plan for auditing of financial statements. Where the holder is a bank from a foreign state, which applies the provisions of prudential supervision and regulation equivalent, at a minimum, to those applied in the Republic of Moldova, these reports shall not be required;
     13) information on the bank’s debtors drawn up according to the requirements of subparagraphs 2) – 12) regarding the direct, indirect and beneficial owner of the debtor drawn up according to the requirements of subparagraphs 2) – 11), except subparagraph 7) (with legal entities) and paragraph 3 subparagraphs 2) - 8), except subparagraph 5) (for individuals).
  2. For holders – legal entities with holdings that are inferior to those qualified in the bank's share capital (legal entities and parties related to the legal person that own and/or, together with members of the group, possess concerted holdings that are inferior to the qualified ones) – documents provided by paragraph 1, sub-paragraph 2).
  3. For holders with qualifying holdings in the bank's share capital/bank’s debtors – individuals (individuals with individual ownership and/or persons holding qualified holdings jointly with members of the group):

     1) excerpt from registry of bank's shareholders (for bank shareholders);
     2) copy of the identity document;
     3) the current information regarding the position held as the member of the management body;
     4) information on companies where the holder/debtor has a holding of 20 percent or more, indicating its size, list of members of the management body in these undertakings;
     5) information on first- and second-degree holders and relatives of the holder/debtor, spouses of relatives and related parties mentioned above, information on membership in the management body of other entities, as well as any holdings of 20 percent and more held in the capital of commercial undertakings;
     6) information on the legal person or individual acting in the name or on behalf of the holder/debtor, with indication of these powers;
     7) information on the legal person or individual, in the name or on behalf of which the holder/debtor acts, with indication of these powers;
     8) list of other persons acting in concert/related to the holder/debtor, with specification of the criterion that determines their concerted action/relation;
     9) copies of declarations of the individual on the income tax (submitted according to the tax legislation), confirmed by tax authorities, where submission of the income statements is mandatory according to the provisions of the tax legislation. If they are not required to submit such a declaration under the fiscal law, they shall declare this on their own responsibility.
  4. For bank shareholders – individuals and persons related to the individual that individually hold and/or persons who jointly with members of the group have concerted holdings in the bank’s capital that are inferior to the qualified ones – copy of their ID.

[Annex 1 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

Annex 2 to the Regulation on Banking Activity Management Framework

Documents (information) on the members of the council of the bank

The bank shall obtain, hold and update, at a minimum annually, the following documents (information) regarding members of the council of the bank:

  1. Information on places of employment and positions currently held, as well as information on membership in the management body of other entities.
  2. Information on undertakings where the member of the council of the bank, individually and/or acting in concert with members of the group, holds 20 percent or more in their capital, indicating the value, list of members of the management body of these commercial undertakings and the names, addresses of their co-owners in those undertakings.
  3. List of first- and second-degree relatives and spouses of members of the council of the bank, their places of employment and positions held, information on membership in the management body of other entities, as well as holdings held individually or in concert with members of the group, worth 20 percent or more in the capital of commercial undertakings.
  4. List of other related parties, except for those specified in paragraphs 1-3.
  5. Legal persons or individuals acting in the name or on behalf of the member of the council of the bank.
  6. Legal persons or individuals in the name or on behalf of which the member of the council of the bank acts.

Annex 2¹ to the Regulation on Banking Activity Management Framework

Standardized methodology for calculating the potential change in the economic value of a bank as a result of changing interest rate levels

  1. In order to calculate the potential change in the economic value of a bank as a result of the change in interest rate levels, the following principles should be met:
     1) all assets and liabilities outside the trading book and all off-balance sheet items outside the trading book that are sensitive to changes in interest rates, including all interest rate derivatives, are assigned to the maturity bands set out in the table. Maturity banding is carried out separately for each currency in which more than 5% of assets or liabilities outside the trading book are expressed;
     2) balance sheet and off-balance sheet items shall be treated at their book value, net of provisions recognized as such in the financial statements. For exposures, the value established according to paragraph 5 and paragraph 6, respectively, of the Regulation on the treatment of banks’ credit risk using standardised approach, approved by the Decision of the Executive Board of the National Bank of Moldova No 111/2018 shall be used;
     3) fixed interest rate instruments are allocated according to the residual period until maturity, and variable interest rate instruments according to the residual period until the next revaluation date - repricing date;
     4) exposures that create practical processing problems due to their considerable number and relatively small individual value, such as mortgages or installment loans, may be allocated based on statistically supported estimation methods;
     5) derivatives are converted into positions on the relevant underlying instrument. The values taken into account are either the principal value related to the underlying financial instrument, or that related to its notional;
     6) futures and forward contracts, including forward rate agreements - FRA, are treated as a combination of a long and a short position. The maturity of a futures or FRA is the period until delivery or until the implementation of the contract, to which is added, if applicable, the life of the underlying financial instrument;
     7) swaps are treated as two notional positions with relevant maturities. Thus, an interest rate swap, in which a bank receives a floating interest rate and pays a fixed interest rate, is treated as a long floating interest rate position with maturity equivalent to the period until the next interest rate settlement date and a short fixed interest rate position with maturity equivalent to the residual life of the swap. The distinct segments of a cross currency swap are mapped to the relevant maturity bands for the respective currencies;
  2. The calculation process consists of 5 steps:
     1) firstly, long positions are offset against short positions within each maturity band, resulting in a single long or short position in each maturity band;
     2) secondly, the resulting long and short positions are weighted with the weighting factors provided in the table that reflect the sensitivity of positions in different maturity bands to the assumed change in interest rates;
     3) thirdly, the resulting weighted positions are added up, compensating the long positions with the short ones, obtaining the net position, short or long, weighted outside the trading book in the respective currency;

     4) at the fourth step, the weighted position is calculated for the entire book, excluding the trading book by summing the net, short or long, weighted positions calculated for different currencies;
     5) at the fifth step, the weighted position for the entire book, excluding the trading book, is related to the bank's own funds.

Table

| Maturity band | Middle of the maturity band | Approximation of the modified duration | The assumed change in yield | Weighting factor |
|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5=3*4 |
| until 1 month | 0,5 months | 0,04 years | 200 basis points | 0,08% |
| between 1 and 3 months | 2 months | 0,16 years | 200 basis points | 0,32% |
| between 3 and 6 months | 4,5 months | 0,36 years | 200 basis points | 0,72% |
| between 6 and 9 months | 7,5 months | 0,625 years | 200 basis points | 1,25% |
| between 9 and 12 months | 10,5 months | 0,875 years | 200 basis points | 1,75% |
| between 1 and 2 years | 1,5 years | 1,38 years | 200 basis points | 2,77% |
| between 2 and 3 years | 2,5 years | 2,25 years | 200 basis points | 4,49% |
| between 3 and 4 years | 3,5 years | 3,07 years | 200 basis points | 6,14% |
| between 4 and 5 years | 4,5 years | 3,85 years | 200 basis points | 7,71% |
| between 5 and 10 years | 7,5 years | 5,85 years | 200 basis points | 11,70% |
| between 10 and 15 years | 12,5 years | 8,92 years | 200 basis points | 17,84% |
| between 15 and 20 years | 17,5 years | 11,21 years | 200 basis points | 22,43% |
| over 20 years | 22,5 years | 13,01 years | 200 basis points | 26,03% |

[Annex 2¹ amended by Decision of the NBM No 275 of 29.12.2022, in force 13.04.2023]
[Annex 2¹ added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]
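The five calculation steps and the swap treatment from this Annex, worked through in Python as an added example; it is not part of the Regulation or of any National Bank of Moldova tooling. Assumptions: all positions and the own funds figure are constructed sample values in one reporting currency, long positions are positive and short positions negative, a position maturing exactly on a band boundary falls in the lower band, both sample currencies have already passed the 5% test, step 4 adds the signed per-currency results, and step 5 is expressed as a percentage of own funds.

```python
from collections import defaultdict
from decimal import Decimal

# Weighting factors (percent) from the table in this Annex, keyed by the upper
# bound of each maturity band in months; None marks the open "over 20 years" band.
# Assumption: a term exactly on a boundary (e.g. 3 months) belongs to the lower band.
BANDS = [
    (1, Decimal("0.08")), (3, Decimal("0.32")), (6, Decimal("0.72")),
    (9, Decimal("1.25")), (12, Decimal("1.75")), (24, Decimal("2.77")),
    (36, Decimal("4.49")), (48, Decimal("6.14")), (60, Decimal("7.71")),
    (120, Decimal("11.70")), (180, Decimal("17.84")), (240, Decimal("22.43")),
    (None, Decimal("26.03")),
]


def band_index(months):
    """Map a residual term (to maturity or to repricing) onto a maturity band."""
    if months < 0:
        raise ValueError("residual term cannot be negative")
    for i, (upper, _) in enumerate(BANDS):
        if upper is None or months <= upper:
            return i


def swap_legs(notional, months_to_next_settlement, residual_months):
    """Receive-floating / pay-fixed swap split into two notional positions."""
    return [
        (months_to_next_settlement, notional),  # long floating-rate leg
        (residual_months, -notional),           # short fixed-rate leg
    ]


def weighted_net_position(positions):
    """Steps 1 to 3 for one currency; positions are (months, signed amount)."""
    net = defaultdict(Decimal)
    for months, amount in positions:
        # Step 1: offset long against short positions inside each band.
        net[band_index(months)] += Decimal(str(amount))
    # Step 2: weight each band's net position; step 3: add the weighted results.
    return sum((pos * BANDS[i][1] / 100 for i, pos in net.items()), Decimal(0))


def economic_value_change(book, own_funds):
    """Steps 4 and 5 across currencies; book maps currency -> positions."""
    per_currency = {ccy: weighted_net_position(p) for ccy, p in book.items()}
    # Step 4 (assumption: signed sum across currencies).
    total = sum(per_currency.values(), Decimal(0))
    # Step 5 (assumption: expressed as a percentage of own funds).
    ratio_pct = total / Decimal(str(own_funds)) * 100
    return per_currency, total, ratio_pct


# Constructed sample book outside the trading book (not real bank data).
SAMPLE_BOOK = {
    "MDL": [(2, 1000), (2, -600), (30, 500), (0.5, -800)],
    "EUR": [(7, 200), (18, -300)] + swap_legs(100, 3, 48),
}
SAMPLE_OWN_FUNDS = 400

if __name__ == "__main__":
    per_ccy, total, ratio = economic_value_change(SAMPLE_BOOK, SAMPLE_OWN_FUNDS)
    for ccy, value in per_ccy.items():
        print(f"{ccy}: weighted net position {value}")
    print(f"whole book: {total} = {ratio}% of own funds")
```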

Annex 2² to the Regulation on Banking Activity Management Framework

Minimum list of recovery plan indicators

  1. Capital indicators
     1. Common Equity Tier 1 ratio
     2. Total Capital ratio
     3. Leverage ratio
  2. Liquidity indicators
     1. Principle I (long term liquidity)
     2. Principle III (maturity band liquidity)
     3. Liquidity coverage requirement (LCR)
     4. Available and unencumbered eligible assets that meet the eligibility conditions imposed by the National Bank of Moldova
  3. Profitability indicators
     1. Return on assets and return on equity
     2. Significant operational losses
  4. Asset quality indicators
     1. Growth rate of gross non-performing loans
     2. Coverage ratio (reductions for losses on non-performing loans/total non-performing loans)
     3. Debt balance on non-performing loans/total loans
     4. Non-performing loans broken down by significant geographic or sectoral concentration
     5. Exposures restructured following financial difficulties/total exposures
  5. Market-based indicators
     1. Rating under negative review or rating downgrade
     2. Stock price variation
     3. Margin on “credit default swap” instruments
  6. Macroeconomic indicators
     1. GDP variations

[Annex 2² added by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]

Annex 2³ to the Regulation on Banking Activity Management Framework

Illustrative list of additional recovery plan indicators

Additional recovery plan indicators (non-exhaustive list provided for illustration purposes only)
  1. Capital indicators
     1. (Retained earnings and reserves)/total equity
     2. Adverse information on the financial position of significant counterparties
     3. MREL and TLAC
  2. Liquidity indicators
     1. Concentration of liquidity and funding sources
     2. Cost of total funding
     3. Balance of liquid assets/individuals’ deposits balance
     4. Contractual maturity mismatch
     5. Liquid assets/total liabilities (%)
  3. Profitability indicators
     1. Cost-income ratio (operating costs/operating income)
     2. Net interest margin
     3. Efficiency index
     4. Average interest-bearing assets/average assets (%)
     5. Non-interest expenses/total income
  4. Asset quality indicators
     1. Net non-performing loans/equity
     2. The share of total reductions for losses from impairments formed on loans (according to IFRS) in the total of calculated reductions on loans
     3. Share of non-performing loans granted to SMEs in total loans granted to SMEs
     4. Growth rate in impairment of financial assets
  5. Market-based indicators
     1. Price to book ratio
     2. Reputational threat to the bank or significant reputational damage
     3. Base rate
     4. Foreign exchange rate
  6. Macroeconomic indicators
     1. Central government “credit default swap” instruments
     2. Rating under negative review or rating downgrade of sovereigns
     3. Unemployment rate
     4. Inflation rate

[Annex 2³ added by Decision of the NBM No 220 of 03.11.2022, in force 30.12.2022]

Annex 3 to the Regulation on Banking Activity Management Framework

ICAAP information submitted to the National Bank of Moldova

A. General Provisions for ICAAP-specific Information:

  1. The bank shall provide to the National Bank of Moldova information on ICAAP referred to in this Annex for performance of the following supervisory assessments (SREPs):
     a) assessment of soundness, effectiveness and completeness of the ICAAP framework in accordance with Section 2, Chapter VI, Title V of the Bank Supervisory Review and Evaluation (SREP);
     b) assessment of the granularity, credibility, intelligibility and comparability of ICAAP calculations set out in Section 1 of Chapter II, Title VII of the Bank Supervisory Review and Evaluation (SREP);
     c) as an additional source of information for evaluations of other SREPs, including business model analysis in accordance with Title IV of the Bank Supervisory Review and Evaluation (SREP), assessment of internal governance and control procedures at bank level in accordance with Title V of the Bank Supervisory Review and Evaluation (SREP).
  2. The bank shall submit to the National Bank of Moldova the following:
     a) "reader's manual" developed in accordance with paragraph 3 of this Annex;
     b) general information on the ICAAP framework, business models and strategy, as well as on governance, as set out in Section 6, Section A of this Annex;
     c) ICAAP-specific information, as set out in Section B of this Annex;
     d) summary of main ICAAP conclusions and information on quality assurance;
     e) significant changes (carried out or planned) to the risk management framework based on ICAAP results;
     f) significant results (carried out or planned) to business models, strategies or risk appetite frameworks based on ICAAP results, including management actions (i.e. changing risk position);
     g) significant changes (carried out or planned) to the ICAAP frameworks, including improvements to be made following compliance with internal validations, internal audit reports and the results of dialogue with the National Bank of Moldova;
     h) adequate explanations of how the bank ensures that the respective ICAAP frameworks and models used ensure reliable results;
     i) internal audit reports with ICAAP as their object.
  3. The bank shall make available to the National Bank of Moldova the "reader's manual", which is compiled as a comprehensive document to facilitate the evaluation of ICAAP documents. For this purpose, the "reader's manual" shall provide an overview of all ICAAP-specific documents submitted to the National Bank of Moldova, as well as their status (new, unchanged, modified with minor corrections, etc.). The "reader's manual" shall essentially function as an index by correlating the specific information provided in this Annex with the documents submitted by the bank to the National Bank of Moldova. The "reader's manual" shall also provide information on significant changes to information from previous disclosure, as well as any information that might be relevant to the National Bank of Moldova for evaluation purposes. Furthermore, the "reader's manual" shall contain references to all ICAAP information published by the bank.
  4. Regarding the business model and strategy, the bank shall provide to the National Bank of Moldova information on the following:

     a) description of the current business model, including identification of core business lines, markets, geographic locations, branches and products used by the bank;
     b) description of the main determinants of revenues and costs, their distribution among the main business lines, markets and branches.
  5. Regarding the forward-looking strategy, the bank shall send to the National Bank of Moldova information on the following:
     a) description of the bank's expected changes to the current business model and related activities (including information on operational changes, such as IT infrastructure or governance issues);
     b) projections of key financial quantitative measures for all core business lines, markets and branches;
     c) description of correlation between the business strategy and ICAAP.
  6. Regarding establishment and governance of the risk management and control framework, the bank shall provide to the National Bank of Moldova information on the following:
     a) description of general governance arrangements, including roles and responsibilities within the risk management and control structures, including at the level of the council of the bank and executive body, covering:
        • assuming risks, managing and controlling risks in general;
        • ICAAP and its key components (including but not limited to risk identification, risk mitigation, stress tests, capital planning, limit structures, limit violations, escalation procedures, etc.);
     b) description of reporting lines and frequency of periodic reporting to the management body covering risk management and control;
     c) description of interaction between risk quantification and monitoring and actual risk-taking (e.g. setting limits, monitoring, managing violations, etc.);
     d) description of processes and measures that ensure that the bank has a sound and integrated framework for managing its significant risks and developments, including: (1) interaction between managing different risk categories and managing risk at bank level, (2) ICAAP integration in the bank's risk management and general management processes, including pricing and performance management.
  7. Regarding the risk appetite framework, the bank shall provide to the National Bank of Moldova information on the following:
     a) description of alignment of the bank's strategy and business model with its risk appetite framework;
     b) description of the governance process and measures, including roles and responsibilities of the executive body and the council of the bank with regard to the design and implementation of the risk appetite framework;
     c) identification of significant risks to which the bank is or might be exposed;
     d) description of risk appetite/tolerance levels, thresholds and limits for identified significant risks, as well as time horizons and process applied to update these thresholds and limits;
     e) description of integration and use of the risk appetite framework in the risk and the overall management system, including alignment with the business strategy, risk strategy, ICAAP, including capital planning.
  8. Regarding stress test frameworks and programs, the bank shall provide to the National Bank of Moldova information on the following:
     a) general description of the bank's stress test program, not limited to the types of stress tests conducted, their frequency, methodological details and models used, assumptions series and relevant data infrastructure;
     b) description of governance measures related to the stress test program and, in particular, the stress tests used for ICAAP purposes;

     c) description of the use of stress tests and integration in the risk management and control framework;
     d) description of the interaction (integration) between solvency and liquidity stress simulations, in particular ICAAP-specific stress simulations and the role of reverse stress simulations.
  9. Regarding risk data, aggregation and information systems, the bank shall provide to the National Bank of Moldova information on the following:
     a) description of the framework and process used for collecting, storing and aggregating risk data at different bank levels;
     b) description of data streams and data structure of risk data used for ICAAP;
     c) description of checks performed on the risk data used for ICAAP;
     d) description of the information systems used for collecting, storing, aggregating and disseminating the risk data used for ICAAP.

B. ICAAP-specific Information:

  10. Regarding the scope, general objectives and underlying assumptions for ICAAP, the bank shall provide to the National Bank of Moldova information on the following:
     a) description of the scope of ICAAP, including general presentation and justification of any deviations from the bank's scope of applying minimum equity requirements;
     b) description of the risk identification method (including risk concentrations) and inclusion of identified risks in the categories and subcategories of risks covered by ICAAP, including method of establishing the level of risk significance;
     c) description of ICAAP key objectives and main assumptions, including the link with certain external credit ratings and how they ensure capital adequacy;
     d) description of the situation showing whether ICAAP focuses on the impact of risks on the bank's accounting or economic value or on both;
     e) description of ICAAP time horizon(s), including an explanation of possible differences between risk categories and entities of the target group.
  11. Regarding implementation of the overall objectives and assumptions underlying ICAAP, the bank shall provide the National Bank of Moldova with information on the following:
     a) list of ICAAP risk categories and subcategories, including their definitions and perimeter of individual risk categories;
     b) explanations of the differences between risks covered by ICAAP and the risk appetite framework, where the scope of risks involved is different;
     c) description of any deviations from the ICAAP process and key assumptions within the group and group entities, as appropriate.
  12. Regarding methodologies for quantifying, assessing and aggregating the risks used for ICAAP, the bank shall provide to the National Bank of Moldova information on the following:
     a) general description of key features of quantification/measurement models and methodologies, including quantitative measures, assumptions and parameters used (including confidence intervals, holding periods, etc.) for all risk categories and subcategories used for approval of methodologies and models by the bank's management body;
     b) an indication of actual data used, including an explanation of how the data used reflects the scope of group entities covered by ICAAP, including the length of time series;
     c) description of the aggregation method of the internal capital estimates for the target entities and risk categories, including the approach of mergers and/or diversification benefits, within each risk and among risks, when considered in the bank's methodology.

  13. Regarding implementation of methodologies for quantifying, assessing and aggregating risks within ICAAP, the bank shall provide to the National Bank of Moldova information on the following:
     a) internal capital estimates covering all risk categories and subcategories, broken down by ICAAP risk categories and subcategories. Where the bank asserts that some risk categories or subcategories covered by ICAAP are better covered by qualitative mitigation measures than by internal capital allocation, this should be explained in an appropriate way;
     b) outcomes of calculation of internal capital estimates, as mentioned above, for all significant risk categories and subcategories covered by ICAAP, depending on each risk. Where some significant risk subcategories are identified, but the calculation methods applied did not allow the calculation of internal capital estimates to the required level of detail and for this reason such estimates were integrated into the internal capital estimate, the bank shall explain how such subcategories were actually included in the calculations (i.e. a certain risk subcategory has been identified as significant but the bank cannot provide an estimate of internal capital for such a risk, and includes instead coverage of this risk in the capital estimate for the main risk category);
     c) outcomes of aggregation of internal capital estimates for entities and risk categories, including the effects of concentrations and/or diversification benefits, within each risk and among risks, where these aspects are considered by the applied methodology.
  14. Regarding the definition of internal capital and capital allocation used in ICAAP, the bank shall provide to the National Bank of Moldova information on the following:
     a) internal capital used to cover the capital estimates for ICAAP, including all capital elements/instruments considered;
     b) description of main differences between internal capital elements/instruments and regulated equity instruments, as appropriate;
     c) description of methodology and assumptions used to allocate internal capital to group entities, as well as core business lines and markets, as appropriate;
     d) description of monitoring process (comparison of estimates of internal capital with allocated capital), including escalation procedures.
  15. Regarding full implementation of the definition of internal capital and of the capital allocation framework in ICAAP, the bank shall provide to the National Bank of Moldova information on the following:
     a) amount of available internal capital broken down by various elements considered;
     b) actual amounts of internal capital allocated to risks covered by ICAAP and group entities, as well as core business lines and markets, as appropriate;
     c) quantitative comparisons between the actual use of internal capital and the internal capital allocated based on ICAAP estimates, supported by an explanation of cases where the effective use of capital is close to or exceeds the allocated capital.
  16. Regarding capital planning, the bank shall provide to the National Bank of Moldova information on the following:
     a) description of overall capital planning process, including dimensions considered (internal and regulatory), time horizons, capital instruments, capital measures, etc.;
     b) description of main assumptions underlying capital planning.
  17. Regarding implementation of capital planning, the bank shall provide to the National Bank of Moldova information on the following:
     a) forecasts on the evolution of risk and capital, in terms of internal capital and regulated equity;
     b) description of current capital planning conclusions, such as planned issues of various capital instruments, other capital measures (including dividend policy) and balance sheet projections (including portfolio sales).

  18. In addition to general information on stress tests, as specified in paragraph 8, on stress tests applied for ICAAP purposes, including capital planning and internal capital allocation in the scenarios reported to the management body, the bank shall provide to the National Bank of Moldova information on the following:
     a) description of adverse scenarios analyzed in ICAAP, including a reference to the scenario and key macroeconomic assumptions, including a description of how reverse stress tests were used to calibrate the severity of scenarios used;
     b) description of key assumptions used in the scenarios under review, including administrative actions, economic assumptions for the balance sheet, reference dates, time horizons, etc.
  19. Regarding full implementation of stress tests and their outcomes, the bank shall provide to the National Bank of Moldova information on the following:
     a) quantitative outcome of the scenarios analyzed and impact on the key quantitative measures, including the profit and loss account, internal and regulated equity, as well as prudential indicators and, in the context of integrated approaches, impact on the liquidity position;
     b) an explanation of how the outcome of the scenario is relevant to the bank's business model, strategy, significant risks, and ICAAP group entities.
  20. In addition to the information referred to under paragraphs 10-15, the bank shall provide to the National Bank of Moldova all relevant supporting information, including minutes of relevant committees and senior management meetings, demonstrating sound procedures and processes for designing and implementing ICAAP and, in particular:
     a) approving the overall process of ICAAP development;
     b) approving the key elements of ICAAP, such as general objectives and main assumptions, risk measurement and assessment, risk aggregation, internal capital, capital allocation, capital planning, stress test scenarios, their assumptions and their main outcomes, etc.;
     c) evidence of discussions on the capital and risks situation (and changes thereto), violations of limits, etc., including decisions on management actions or explicit decisions not to take action;
     d) examples of significant decisions regarding approval committees for new products (or relevant decision-making body) to demonstrate that account is taken of the impact on the risk and capital profile;
     e) decisions on management actions related to internal capital estimates, their aggregation and comparison with available internal capital (current and prospective situation);
     f) evidence of discussions on the outcome of ICAAP stress tests and decisions on any action or lack of action by management;
     g) internal self-assessments, if available, whereby the bank may have the opportunity to justify its level of compliance against available public criteria for the management and control of risks affecting ICAAP.

[Annex 3 amended by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]

Annex 4 to the Regulation on Banking Activity Management Framework

ILAAP information submitted to the National Bank of Moldova

A. General Provisions regarding ILAAP-specific Information:

For the purposes of this section, the bank shall apply mutatis mutandis the provisions of section A of Annex 3.

B. ILAAP-specific information:

  1. With reference to the establishment of a process to ensure that the bank has a rigorous management framework designed to manage liquidity risk, including financing, including a process for identifying, managing and monitoring liquidity risks, including financing, the bank shall submit to the National Bank of Moldova information regarding the following:
     1) description of the scope of the ILAAP, including an overview and justification of any deviations from the prudential scope of the liquidity requirements, admitting possible exemptions;
     2) description of the ILAAP drafting process, explaining the relation between all its components and justifying the way in which this drafting ensures the bank’s access to sufficient liquidity;
     3) criteria applied by the bank for the selection of significant risk determinants for liquidity risk, including financing, including the selection of significant currencies for monitoring the liquidity and financing position;
     4) criteria applied by the bank for the selection of appropriate tools and assumptions for ILAAP, such as the method of measuring and forecasting current and future cash flows of assets, liabilities and off-balance sheet items over appropriate time horizons.
  2. With reference to the full implementation of a process to ensure that the bank has a solid and specific framework for liquidity risk management, including financing, including a process for identifying, quantifying and controlling liquidity risks, including financing, the bank shall submit to the National Bank of Moldova information regarding the following:
     1) an assessment of intra-group liquidity flows and financing positions, including any possible legal or regulatory obstacles to the transfer of liquidity within the (sub)group;
     2) justification for the selection of significant risk determinants and a quantitative overview of these risk determinants, updated with appropriate frequency;
     3) a quantitative overview of the financing profile and its perceived stability for all significant currencies;
     4) proof of monitoring compliance process with minimum and additional prudential requirements related to liquidity risk, including financing, including forecasting compliance with these requirements under different scenarios over a time horizon appropriate for the purposes of the ILAAP.
  3. With reference to the financing strategy, the bank shall submit to the National Bank of Moldova information regarding the following:
     1) description of the overall process of developing the financing plan, including financing sources, maturities, key markets, used products, etc.;
     2) if applicable, a document on the policy of maintaining the presence in the markets to ensure and periodically test the access to the market and the ability of the bank to obtain financing, if relevant;
     3) if applicable, a document on the policy related to the risk of funding concentration, including principles for measuring and monitoring the correlation between funding sources and the economic link between depositors and other liquidity providers;
     4) if applicable, a policy on financing in foreign currencies, including the most relevant assumptions regarding the availability and convertibility of such currencies.
  4. With reference to the full implementation of the financing strategy, the bank shall submit to the National Bank of Moldova information on the following:
     1) current financing plan;
     2) a quantitative overview of the characteristics, such as volumes, prices and investor’s appetite, of recently obtained financing and an analysis of the feasibility of implementing the financing plan given (changes in) market volatility;
     3) a (desired) evolution perspective of the financing position over a 3-year perspective time horizon;
     4) an assessment of the financing position and financing risk after the implementation of the financing plan;
     5) information on ex-post testing of the financing plan.
  5. With reference to the strategy on liquidity reserves and collateral management, the bank shall submit to the National Bank of Moldova information on the following:

     1) its methodology for establishing the minimum internal size of the liquidity buffer, including the bank's definition of liquid assets, the criteria it applies for determining the liquidity value of liquid assets and the constraints related to the concentration and other risk characteristics of liquid assets;
     2) collateral management policy, including principles related to the location and transferability of collateral and their role in meeting minimum prudential requirements;
     3) asset encumbrance policy, including the principles for measuring and monitoring both encumbered and unencumbered assets and the correlation of the asset encumbrance limits and control framework with risk appetite (liquidity, including financing) of the bank;
     4) the principles regarding the testing of assumptions related to the amount of liquidity of assets and the timing of the sale of assets or the conclusion of a repo agreement with the assets included in the reserve of liquid assets;
     5) the policy relating to the risk of liquidity concentration in the liquidity buffer, including the principles for measuring and monitoring any potential losses of available liquidity due to such concentration.
  6. With reference to the implementation of the strategy on liquidity reserves and collateral management, the bank shall submit to the National Bank of Moldova information on the following:
     1) quantification of the minimum volume of liquid assets considered adequate to meet internal requirements;
     2) quantification of the current liquidity reserve, including its distribution by products, currencies, counterparties, regions/entities within the group, etc.;
     3) description of differences between the definitions regarding the “counterbalancing capacity (the ability of the bank to hold or have access to excess liquidity over short, medium and long time horizons in order to react to crisis scenarios)” and “assets with a high level of liquidity and credit quality”, the latter defined according to the Regulation on Liquidity Coverage Requirements for Banks, approved by the Decision of the Executive Board of the National Bank of Moldova No 44/2020, with the inclusion of arguments proving that the respective counterbalancing capacity may cover risks not included in Law No 202/2017;
     4) forecasts of the evolution of the minimum required internal volume of liquid assets and available liquid assets over appropriate time horizons, both in “normal activity” and crisis conditions;
     5) quantitative overview and analysis of current and forecast levels of asset encumbrance, including details of encumbered as well as unencumbered assets that could be used to generate liquidity;
     6) assessment of the time required to convert liquid assets into directly usable liquidity, taking into account legal, operational or prudential obstacles to the use of liquid assets in order to cover cash outflows;
     7) analysis of testing the assumptions related to the value of liquidity of assets and the timing of sale of assets or the conclusion of a repo agreement with assets included in the reserve of liquid assets.
  7. With reference to the development of the mechanism for the allocation of liquidity costs and benefits, the bank shall submit to the National Bank of Moldova information on the following:

     1) description of the mechanism for allocating liquidity costs and benefits, as well as the criteria for the selection of liquidity and financing items to ensure that all relevant benefits and costs are taken into account, as well as any frequency of price adjustments;
     2) description of the interconnections between the mechanism for allocating liquidity costs and benefits and the risk management and overall management of the bank.
  8. For banks that apply liquidity transfer pricing mechanisms (LTP - an internal bank system for determining liquidity costs, benefits and relevant risks in the framework of liquidity risk management), the bank shall ensure that the information provided in paragraph 7 include the description of the LTP development and operation process and, in particular, the interconnections between the LTP and the strategic decision-making process, as well as the decision-making process within the customer relations department regarding the production of assets and liabilities.
  9. With reference to the implementation of the allocation of costs and benefits under the liquidity mechanism, the bank shall submit to the National Bank of Moldova information on the following:
     1) description of the current mechanisms for allocating liquidity costs and benefits and a quantitative overview of its current calibration (based on interest curves, internal reference rates for the main categories of used assets and liabilities etc.);
     2) description of the current integration of the mechanism for allocating liquidity costs and benefits while quantifying profitability as regards the production of new assets and liabilities, both at the balance sheet and off-balance sheet level;
     3) description of the current integration of the mechanism for allocating liquidity costs and benefits while managing the performance, if the case may be, with a breakdown by different business lines/units or regions.
  10. As concerns banks that apply LTP mechanisms, the information provided for in paragraph 9 shall also cover the function of the LTP and, in particular, the relation between LTP and key-risk rates.
  11. With reference to the development of the liquidity risk management process during the day, the bank shall submit to the National Bank of Moldova information on the following:
     1) description of criteria and instruments for measuring and monitoring intraday liquidity risks;
     2) description of the escalation procedures provided for liquidity deficits occurring during the day, which ensure the timely fulfillment of obligations related to due payments and settlements both in normal activity and in crisis conditions.
  12. With reference to the implementation of the intraday liquidity risk management process, the bank shall submit to the National Bank of Moldova information on the following:
     1) the quantitative overview of intraday liquidity risk over the past year with an appropriate frequency;
     2) the total number of unpaid payments and an explanatory note regarding the failure to make important payments or the bank's failure to promptly fulfill important obligations.
  13. In addition to the overall information regarding crisis simulations, as provided in paragraph 8, section A of Annex 3, regarding the process of developing liquidity crisis simulations, the bank shall submit to the National Bank of Moldova information on the following:

     1) description of the alternative scenarios applied and the assumptions analyzed under liquidity stress simulations, including any relevant elements such as the number of scenarios used, the scope, the frequency of internal reporting to the management body, the determinants of risk (macro and idiosyncratic), the time horizons applied and, where applicable, the breakdown by currencies/regions/activity units;
     2) description of criteria for calibration scenarios, selection of appropriate time horizons (including intraday, if relevant), quantification of the impact of the crisis on the liquidity value of reserve assets, etc.
  14. With reference to the full implementation of liquidity crisis simulation, the bank shall submit to the National Bank of Moldova information on the following:
     1) the quantitative output of stress simulations, including an analysis of (the main determinants of) this output and a clear description of the relevance of the output to internal limits, liquidity buffers, reporting, modeling and risk appetite;
     2) quantitative and qualitative analysis of the results of crisis simulations on financing profile.
  15. With reference to the development of the contingency plan for liquidity, the bank shall submit to the National Bank of Moldova information on the following:
     1) description of the responsibility lines concerning the design, monitoring and execution of the liquidity contingency plan;
     2) description of strategies for covering liquidity deficits in emergency situations;
     3) description of an instrument for monitoring market conditions to enable the bank to promptly determine whether or not escalation and/or application of measures is warranted;
     4) description of testing procedures, as appropriate (based on examples of sales of new assets, collateral deposits with central banks, etc.).
  16. With reference to the implementation of contingency plans for liquidity, the bank shall submit to the National Bank of Moldova information on the following:
     1) the current contingency plan for liquidity;
     2) information on possible management actions, including assessment of their feasibility and ability to generate liquidity under various crisis scenarios;
     3) management's view on the implications of all liquidity-related information published by the bank regarding the feasibility and timeliness of management actions included in the liquidity contingency plan;
     4) a recent analysis of simulations, including conclusions regarding the feasibility of management actions included in the liquidity contingency plan;
     5) description of the internal view regarding the impact of the implementation of the management actions included in the liquidity contingency plan, as for example, on the bank's access to relevant markets and overall stability of its funding profile on short- and long-term.
  17. In addition to the information provided in paragraphs 1-16, the bank shall submit to the National Bank of Moldova the relevant supporting information, including minutes of the meetings of the relevant committees and of the management body, which prove the development and effective implementation of the ILAAP process and, in particular:
     1) approval of the general ILAAP development process;
     2) approval of the key elements of ILAAP, such as the funding plan, the liquidity contingency plan, the mechanism for allocating liquidity costs and benefits, the assumptions of the stress simulations and the conclusions regarding the results, the specific liquidity risk appetite, including financing, target size and composition of liquid asset reserve, etc.;
     3) minutes of discussions regarding (changes regarding) the liquidity risk profile, including funding, limit violations, etc., including decisions regarding whether or not to take administrative actions;
     4) examples of significant decisions taken within the new product approval committees, proving, where appropriate, the use of the Liquidity Transfer Pricing (LTP) mechanism and views regarding the risks in making these decisions;
     5) minutes of discussions regarding the analysis of the feasibility of the financing plan taking into account (changes in) market depth and volatility;
     6) minutes of decisions regarding management actions related to intraday liquidity risk after internal escalation following intraday liquidity events;
     7) minutes of discussions about the outcome of the liquidity crisis simulations and the decision regarding any management action or lack of action;
     8) minutes of the discussions regarding the regular testing of the liquidity contingency plan and of the decisions regarding the adaptation of the management actions provided for in the liquidity contingency plan;
     9) the decision regarding the size and composition of the reserve of liquid assets;
     10) minutes of discussions regarding the testing of assets liquidity value and the timing of assets sale or the conclusion of a repo agreement with assets included in the reserve of liquid assets;
     11) if the case may be, internal self-assessments in which the bank can have the opportunity to justify the level of compliance relative to the published criteria regarding the management and control of risks affecting ILAAP.

[Annex 4 added by Decision of the NBM No 93 of 27.05.2021, in force 11.10.2021]
