2024-01-01

Consultation Paper on Revised SSP for Effective Corporate Governance of DTIs and FHCs (December 2024)

The Bank of Jamaica issued this consultation paper seeking feedback on a revised Standard of Sound Practice for the corporate governance of Deposit-Taking Institutions and Financial Holding Companies. The proposed framework establishes principles-based expectations for Board composition, group governance, risk appetite, and risk culture while emphasizing the duties of care and loyalty for directors. Stakeholders are invited to submit comments by March 3, 2025, to inform the finalization of these supervisory requirements.


Consultation on the Proposed Standard of Sound Practice for Effective Corporate Governance of Deposit-Taking Institutions and Financial Holding Companies

This consultation paper is available on Bank of Jamaica’s website at www.boj.org.jm. Bank of Jamaica, December 2024. All rights reserved. No reproduction or translation of this publication may be made without the prior written permission of Bank of Jamaica. Applications for such permissions, for all or part of this publication, should be made to: Bank of Jamaica Nethersole Place Kingston, Jamaica (Telephone: 876-922-0750-9 or Email: fisdfeedback@boj.org.jm)

Responding to this Document

This document is being circulated to Deposit-Taking Institutions (DTIs), Financial Holding Companies (FHCs) and other relevant stakeholders to facilitate industry consultation and feedback on the proposed Standard of Sound Practice for Effective Corporate Governance of Deposit-Taking Institutions and Financial Holding Companies. Comments on this consultation paper will be most effective if they:

  1. clearly identify the relevant clause and specific matter to which a comment relates;
  2. present a clear and logical rationale for an amendment or a specific area of concern;
  3. offer substantive evidence to support the feedback; and
  4. propose any alternative regulatory approaches Bank of Jamaica should consider.

Submission of Responses

Comments should be submitted by 03 March 2025 via email to fisdfeedback@boj.org.jm for the attention of Mr James Robinson.

Table of Contents

  Glossary ..... 5
  1. Purpose and Scope of the Standard ..... 11
  2. Legal Basis and Transitional Arrangements ..... 13
  3. Introduction ..... 14
  4. The Board ..... 16
    4.1 Key Responsibilities of the Board ..... 16
    4.2 Composition of the Board ..... 18
    4.3 Chair of the Board ..... 21
    4.4 Appointment and Removal of Directors ..... 22
    4.5 Board Performance Assessment and Evaluation ..... 23
    4.6 Board Meetings ..... 24
    4.7 Board Committees ..... 24
    4.8 The Board’s Relationship with and Oversight of Senior Management ..... 29
  5. Group Governance ..... 32
    5.1 Parent Company Boards ..... 34
    5.2 Subsidiary Boards ..... 34
    5.3 Outsourcing ..... 35
  6. Governance and Risk Management ..... 36
  7. Risk Culture and Business Conduct ..... 39
    7.1 Risk Culture ..... 39
    7.2 Corporate Values and Code of Conduct ..... 40
    7.3 Conflict of Interest ..... 41
  8. Disclosure and Transparency ..... 42
  Appendix: Responsibilities of other Board Committees ..... i

Glossary1

The terms and expressions used in this Standard shall have the same meanings defined in the Banking Services Act, 2014 (BSA), and companion regulations applicable to deposit-taking institutions and financial holding companies. For the purpose of this Standard, the following definitions are provided:

1 Definitions in the Glossary are consistent with the following: The Banking Services Act, 2014; Corporate Governance Principles for Banks, Basel Committee on Banking Supervision (BCBS), July 2015; Core Principles for Effective Banking Supervision, BCBS, April 2024; Application Paper on Group Corporate Governance, International Association of Insurance Supervisors (IAIS), November 2017; and the glossary of corporate governance-related terms of the Organization for Economic Co-operation and Development (OECD).

Arm’s length: The condition or fact that the parties to a transaction are independent, on an equal footing and are beyond the reach of personal influence or control.

Board of Directors/Board: A governing body of persons appointed or elected with ultimate responsibility for the governance and oversight of a deposit-taking institution and financial holding company.

Centralised or Decentralised Approach: The type of governance structure a financial group uses (e.g., centralised or a more decentralised model).

Compliance Function: This function does not necessarily denote an organisational unit. It comprises a set of processes, policies, and systems to ensure the deposit-taking institution or group adheres to all applicable laws, regulations, guidelines, and internal policies. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance, who should be independent of business lines.

Conflict of Interest: A conflict of interest is deemed to arise where a person or entity has multiple interests which may affect and/or actually affect their judgement and conduct in the exercise of their professional duties. This includes where a person in the making or the participation of making of a decision in the execution of his/her office and at the same time knows, or ought reasonably to have known, that in the making of the decision, there is an opportunity to either directly or indirectly further his/her private interests, or that of a member of his/her family, or of any other person or entity from which he/she stands to benefit. It also includes conflicts of duty which arise when a person is required to fulfil two or more roles that may be in conflict with each other. It further includes instances where a deposit-taking institution or financial holding company has multiple interests that could impact impartiality or professional judgment, such as investing clients' funds in assets or schemes where the entity itself has a stake.

Control Functions: Those functions that have a responsibility independent from business and operational functions to provide objective assessment, reporting and/or assurance. This includes the risk management, compliance, actuarial, and internal audit functions.

Corporate Governance: A set of relationships between the entity’s Board, Senior Management, customers and other stakeholders which provide the structure through which the objectives of the institution are set, and the means of attaining those objectives and monitoring performance are determined. It helps define the processes and procedures by which authority and responsibility are allocated and how corporate decisions are made.

Duty of Care: The duty of Board members, key persons and senior managers to decide and act on an informed and prudent basis with respect to the deposit-taking institution or financial holding company. Every Board member and officer of the institution shall, in exercising his/her powers and discharging his/her duties, (a) act honestly and in good faith with a view to the best interests of the institution; and (b) exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. In determining what is in the best interest of the institution, each member of the Board, key person and senior manager shall also have regard to the interests of the institution’s employees in general as well as to the interests of its shareholders, creditors, depositors and other key stakeholders.

Duty of Loyalty: The duty of Board members to act in good faith in the interest of the deposit-taking institution or financial holding company. The duty of loyalty should prevent individual Board members from acting in their own interests or in the interest of another individual or group at the expense of the institution and its shareholders, creditors, and depositors. It should also prevent individual Board members from engaging in transactions that might involve an appearance of conflict of interest and require them to deal with matters with transparency.

Executive Director: A member of the Board (e.g., Director) who also has management responsibilities within the deposit-taking institution or financial holding company. A non-executive director is a member of the Board who does not have management responsibilities within the institution.

Group Level: This means that the roles and key players of the group are centralized somewhere within the group. The term ‘group level’ does not necessarily mean the legal entity at the level of the head of the group. Group Control Functions could be placed within an entity anywhere else in the Group, rather than being restricted to the head entity.

Group-wide Governance: This refers to the framework of policies, practices and mechanisms that manage the governance of the head of a group of entities and the group-wide application of the group governance framework to all material activities and entities of the group.

Independent Director: A director of a licensee or company who is not – (a) an employee of the licensee or company; (b) a person holding five per centum or more of the shares of the licensee or company or a connected person in relation to the licensee or company; or (c) a party to a significant economic or other relationship with the licensee or company that, in the opinion of the Supervisor, is inconsistent with the director being considered as independent of the licensee or company.

Internal Control System: A set of rules and controls governing the institution’s organizational and operational structure, including reporting processes, and functions for risk management, compliance and internal audit.

Key Persons/Employees: This means – (a) a person who is employed or contracted below the level of the management of a licensee to perform functions that – (i) can substantially affect the financial condition or reputation of the licensee, or both; and (ii) meet the criteria specified in any guidelines prescribed by the Supervisor; or (b) a person who is deemed by the Supervisor to be a key employee of the licensee.

Non-Executive Member: A non-executive member of the Board does not have any management responsibilities within the deposit-taking institution or financial holding company and is not under any undue influence, internal or external, or ownership, that would impede the Board member’s exercise of objective judgment.

Parent Company: A parent company is one that has a controlling or majority interest in another company, which gives it the right to control the subsidiary’s operations. The parent company can also be a financial holding company licensed under the BSA.

Related Parties: Include: (a) the institution’s subsidiaries and affiliates (including their subsidiaries, affiliates and special purpose entities) and any other party over which the institution exerts control or that exerts control over the institution; (b) the institution’s major shareholders, including beneficial owners; (c) the Board members, senior management, key employees and corresponding persons in affiliated companies, and parties that can exert significant influence on Board members or senior management; and (d) for the natural persons identified in (a) to (c), their direct and related interests, and their close family members.

Risk Appetite2: The aggregate level and types of risk an entity is willing to assume, decided in advance and within its risk capacity (that is, the maximum amount of risk the institution is able to assume given its capital base, risk management and control capabilities as well as its regulatory constraints), to achieve its strategic objectives and business plan.

2 Some financial institutions and supervisors use the term “risk tolerance” to describe the amount of risk the institution is willing to accept. Other institutions and supervisors use the term “risk appetite” to create a distinction between the absolute risks which the institution a priori is open to take (risk appetite) versus the actual limits within the risk appetite which the institution pursues (risk tolerance). Risk appetite can imply a more forward-looking or wider view of acceptable risks, whereas risk tolerance suggests a more immediate definition of the specific risks that the institution will take.

Risk Appetite Framework (RAF)3: The overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the framework. The RAF should consider material risks to the institution, as well as to its reputation vis-à-vis depositors, investors, and creditors.

3 See Financial Stability Board (FSB), Principles for an Effective Risk Appetite Framework, November 2013; and Bank of Jamaica Corporate Governance: Board Oversight (Section 3), 2023. The forthcoming guidelines on Internal Capital Adequacy Assessment Process (ICAAP) for Deposit-Taking Institutions will include guidance on developing the risk appetite statement and framework.

Risk Appetite Statement (RAS): The aggregate level and types of risk that the institution will accept or avoid in order to achieve its business objectives. It includes quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also include qualitative statements to address reputation and conduct risks, as well as money laundering and unethical practices.

Risk Capacity: The maximum amount of risk the financial institution is able to assume given its capital base, risk management and control capabilities as well as regulatory constraints.

Risk Culture: The institution’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risks they assume.

Risk Governance Framework: Part of the overall corporate governance framework, through which the Board and management establish and make decisions about the institution’s strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the institution’s strategy; and identify, measure, manage and control risks.

Risk Limits: Specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the institution’s aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures.

Risk Management: The processes established to ensure that all material risks and associated risk concentrations are identified, measured, limited, controlled, mitigated and reported on in a timely and comprehensive basis.

Risk Profile: Point-in-time assessment of the institution’s gross risk exposures (i.e. before the application of any mitigants) or, as appropriate, net risk exposures (i.e. after taking into account mitigants) aggregated within and across each relevant risk category based on either current or forward-looking assumptions.

Senior Management: The individuals or body responsible for managing the deposit-taking institution or financial holding company on a day-to-day basis in accordance with strategies, policies and procedures approved by the Board.

Systemically Important Financial Institution/SIFI4: Systemic importance is determined by the size, interconnectedness, substitutability, and global or cross-jurisdictional activity (if any) of the entity. A SIFI’s distress or disorderly failure because of its size, complexity and/or interconnectedness would threaten the smooth functioning of the financial system and the wider economy, and would likely place the financial system in danger of disruption, substantial damage, and impairment.

4 See A Systemic Risk Buffer for Jamaica, August 2023; Bank of Jamaica. The Bank of Jamaica will advise a financial institution whether it has been designated as systemically important in accordance with the framework for the identification of a Domestically Systemically Important Financial Institution (D-SIFI).

1. Purpose and Scope of the Standard

1. This updated Standard of Sound Practice for Effective Corporate Governance serves as a comprehensive, overarching governance standard, outlining Bank of Jamaica's expectations with respect to corporate governance practices at Deposit-Taking Institutions (DTIs)5 and Financial Holding Companies (FHCs). Bank of Jamaica (“BOJ” or “the Bank”) expects these institutions to align their corporate governance practices with this Standard as far as practicable, and comply with all corporate governance requirements stipulated in the legislation under which they are licensed.

2. The corporate governance expectations addressed in the Standard are principles-based and recognize that an institution’s corporate governance practices may depend on its size; corporate structure to which it belongs; nature, scope and complexity of its operations; and business model. The Standard will be reviewed periodically to ensure its continued relevance and alignment with legislative amendments and recommended best practices issued by international standard-setting bodies.

3. In the case of FHCs, the Bank requires that the Board of the FHC develop and implement governance arrangements appropriate to the nature and scale of the group’s operations. The Board should also ensure that the provisions of the governing legislation, regulations, and guidelines applicable to the FHC, and the requirements contained in this Standard are applied appropriately throughout the group, including in relation to institutions regulated and supervised by the Bank.

4. The Standard seeks to reinforce the collective oversight and governance responsibilities of the Board and senior management and addresses key components of risk governance, such as risk culture and risk appetite in relation to the institution’s risk capacity. The Bank expects the Board of a DTI or FHC to oversee the development and implementation of adequate policies and procedures to protect the institution against threats to its integrity or security. The Standard also specifies supervisory expectations with respect to the role of Board committees; the Board’s relationship with and oversight of senior management; group governance; governance and risk management, including the role of the Chief Risk Officer (CRO)6; risk culture and business conduct; and disclosure and transparency.

5. The Board and senior management of these institutions are expected to be fully aware of and compliant with the relevant legislation, and other rules and guidance issued by other organizations to address these issues. These include the Companies Act, as well as rules and guidance issued by other bodies such as the Jamaica Stock Exchange (JSE).

6. The Board and senior management of a DTI or FHC are responsible for the institution’s financial soundness and prudent risk management. The BSA imposes various requirements and duties on the Board and senior management of these institutions, in addition to those that apply to all entities under the Companies Act and other legislation. These requirements cover the size and composition of the Board, including appointment, conflicts of interest, and fitness and propriety. An institution’s corporate governance practices are a key component of the Bank’s supervisory assessments and are an important factor in determining the level of supervisory intensity applied to it. DTIs and FHCs should strive to continuously enhance their governance practices and arrangements to reflect emerging best practices, and changes in the scope and complexity of their operations and business models, as appropriate.

5 Commercial Banks, Building Societies, and Merchant Banks.

6 This includes an individual who may be performing the functions typically assigned to a Chief Risk Officer though he/she has not been designated with the title of Chief Risk Officer.

7. In the application of this Standard, the Bank will take into account the principle of proportionality, which means tailoring regulatory requirements, supervisory practices, and risk management expectations to the nature, size and complexity of the institution’s operations and business model. Each institution is expected to discharge its legal and governance responsibilities as a separate entity, notwithstanding any group-wide arrangements on which the entity may be relying. Where an institution fails to adhere to the provisions of this Standard, Bank of Jamaica may, by notice in writing to the institution:
  • impose restrictions on the activities of the institution if there are safety and soundness concerns regarding the institution and/or its customers; or
  • give such other directions to the institution as the Bank considers appropriate7.

8. The Standard does not apply to the branch operations of foreign banks. However, branches of foreign banks are required to establish a Board of Management or such other governing body that is satisfactory to the BOJ and in compliance with the law, regulations and other guidance, in relation to their branch operations in Jamaica.

7 In accordance with Part XXII (Section 109 of the Banking Services Act).

2. Legal Basis and Transitional Arrangements

9. This Standard is made in accordance with Sections 31-39 of the Banking Services Act, 2014 (BSA) and is an update to the Standard of Best Practice for Effective Corporate Governance of Deposit-Taking Entities issued by Bank of Jamaica in 2008, replacing it while building on its foundational principles and introducing additional provisions that reflect current and evolving international best practice. Non-compliance with the Standard will result in a breach of the BSA.

10. The Standard must be read together with other relevant legal instruments (i.e., the BSA, and applicable regulations), as well as standards, guidelines, and other relevant communication issued by the Bank8. This Standard complements relevant provisions of regulations issued under the Banking Services Act and the following policy documents and standards:
  • Standard of Sound Practice on Fitness and Propriety (BOJ, 2024)9;
  • Consultation on the Methodology for the Treatment of Debarred Persons (BOJ, 2023); and
  • Corporate Governance: Board Oversight (BOJ, 2023).

11. This Standard comes into effect on DD/MM/YYYY. New DTIs and FHCs seeking to be licensed after the Standard comes into effect will be required to comply with the provisions of the Standard from the date of their licensing.

8 The transition to a Twin Peaks model will result in the transfer of prudential supervision of securities firms, insurance companies, and private pension plans from the Financial Services Commission (FSC) to the Bank of Jamaica. The FSC’s mandate will be revised, and a new agency responsible for market conduct and consumer protection will be established.

9 This Standard is an update to the earlier “Standard of Sound Practice on Fitness and Propriety”, 2017 ("SSP 2017"). Among the key updates made to the SSP 2017 were the introduction of the concept of “suitability” and the provision of detailed guidelines regarding the roles and responsibilities of licensees and other relevant institutions. The inclusion of the suitability concept in the updated Standard came about because the Bank recognized that an individual may be fit and proper as defined under section 3 of the BSA, but could nonetheless be deemed unsuitable for a specific role due to factors such as (i) insufficient time to commit to the particular role, and (ii) conflicts of interest situations.

3. Introduction

A key role of Bank of Jamaica is to promote robust corporate governance within deposit-taking institutions and financial holding companies. This is accomplished by setting minimum standards and expectations through this Standard, which the Board and management are required to uphold. The adoption of sound corporate governance standards and practices by these institutions serves to protect their critical role in intermediating funds to support the real economy. Effective corporate governance practices ensure that entities are managed in a sound and prudent manner, with due regard to the interests of depositors, shareholders and other stakeholders. Governance weaknesses, particularly in systemically important financial institutions (SIFIs), can result in the transmission of problems across the banking sector and the economy as a whole.

Corporate governance is defined as a set of relationships between a company’s management, its Board, its shareholders, and other stakeholders10. Corporate governance determines the allocation of authority and responsibilities by which the business and affairs of the institution are carried out by its Board and senior management, including:
  • determining the institution’s strategy and business objectives;
  • appointing and overseeing personnel;
  • operating the institution’s business on a day-to-day basis;
  • protecting the interests of depositors, shareholders, and other stakeholders;
  • aligning corporate culture, corporate activities and behaviour with the expectation that the institution will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations; and
  • establishing control functions.

10 The Organization for Economic Cooperation and Development (OECD).

Good corporate governance practices should be reflected in a corporate culture that reinforces ethical, prudent and professional behaviour. This begins with the right “tone from the top”, where the example set by the Board and senior management shapes the core values of the institution. The Board and senior management at each DTI and FHC have an obligation to implement good governance practices and promote sound corporate culture (codes of ethics and business conduct). The code of ethics should define acceptable and unacceptable behaviours and business practices; promote zero tolerance for illegal activity, such as financial misreporting and misconduct, fraud, and money laundering; and safeguard the rights of depositors, shareholders and other stakeholders who conduct business with the institution.

Within a group of companies, there can be more than one regulated institution. Effective corporate governance at the group and legal entity levels is essential, and may help to mitigate the associated risks of carrying on businesses in complex financial conglomerates or group structures. A deposit-taking institution within a corporate group may be required to adopt group policies and align itself with other operational processes of its parent company. While this can be entirely appropriate and indeed may add strength to the oversight and control framework, the Board of a DTI that is asked to adopt a group policy cannot abrogate its regulatory responsibilities. It must satisfy itself that the group’s policy is ‘fit for purpose’, i.e. it is appropriate for the institution and will meet all regulatory requirements for that institution.

The extent to which the group adopts a centralised or decentralised approach will affect its corporate governance arrangements. This may determine the:
  • degree of authority or autonomy given to the group level and to different entities within the group to set objectives and strategy, policies and processes, and organize the risk management and internal controls;
  • allocation of responsibilities and accountabilities of Senior Management, Board Members and Key Persons in control functions within the group; and
  • control functions at different levels of the group, how they interact with each other, and with the group as a whole.

In keeping with its mandate for maintaining the stability of the financial system, Bank of Jamaica maintains a keen interest in promoting sound corporate governance at DTIs and FHCs, as it is an essential element in the safe and sound functioning of each institution and may adversely affect its risk profile if it is not operating effectively. Sound and effective corporate governance practices may permit the Bank to place more reliance on the institution’s internal processes. Supervisory experience underscores the importance of having the appropriate levels of authority, responsibility, accountability, and checks and balances within each institution, not only at the level of the Board of Directors, but also of senior management, and within the risk, compliance, actuarial, and internal audit functions.

Although each institution makes independent decisions regarding the nomination of Board members or appointment of senior management in the course of conducting its day-to-day business, the Bank should be notified immediately of any actual or potential changes to the membership of the Board and senior management, and any circumstances that may adversely affect the suitability of Board members and senior management. The quality of corporate governance practices is an important factor in maintaining the confidence of depositors and shareholders, as well as overall market confidence and financial stability. This Standard, therefore, reflects recommended best practices11 and specific areas of corporate governance (e.g., risk governance) that are especially important for DTIs and FHCs due to their unique nature and circumstances, and risks assumed relative to other corporations12.

11 Corporate Governance Principles for Banks, 2015 (BCBS).
12 The cost of, and potential disruption from, the failure of a financial institution may be significantly greater than that of a normal commercial enterprise – beyond the impact on its own depositors, shareholders, or other creditors. This is because the failure of one financial institution may result in the transmission of problems to other financial institutions through direct and indirect inter-linkages or as a result of loss of consumer confidence. By setting minimum standards, prudential regulation and supervision seeks to ensure that the risks of financial instability, and the wider costs to the economy of such instability, are adequately taken into account in the way in which financial institutions operate, including their corporate governance practices and arrangements.

4. The Board

12. The Board of Directors (the Board) is ultimately responsible for oversight of the sound and prudent management of that institution. The Board must have a charter that sets out the mandate, responsibilities and procedures of the Board and the Board sub-committees, including matters that are reserved for the Board’s decision. The role of a Board sub-committee is to support the Board. These committees are accountable to the Board, but should not relieve the Board of any of its responsibilities.

13. The Board is responsible for approving and overseeing the implementation of the institution's business plan, strategy, risk appetite and culture, and senior management holds responsibility for the ongoing and detailed operationalization of the Board’s decisions. While the Board may delegate the day-to-day management of the institution to senior management, it is ultimately responsible for the safe and sound operation of the financial institution. This delegation of authority must be clearly articulated and documented. Importantly, the Board must have mechanisms in place for monitoring the exercise of delegated authority; it should not abrogate its responsibility for oversight of the functions delegated to senior management.

14. The Board must ensure that directors or members of the Board and senior management of the institution collectively have the full range of skills needed for the effective and prudent operation of the institution, and that all directors possess the skills that allow them to make an effective contribution to Board deliberations and processes. The directors, individually and collectively, should have the necessary skills, knowledge and experience to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account its risk exposures. This does not preclude the Board from supplementing its skills and knowledge by engaging external consultants and experts.

4.1 Key Responsibilities of the Board13

15. In addition to the roles and responsibilities of the Board outlined in the BSA, the Board should discharge, at a minimum, the following essential duties in relation to the financial institution:
• approve the risk appetite framework, short-term and long-term business plan and strategy, and other initiatives, which could, singularly or cumulatively, have a material impact on the financial institution’s risk profile;
• approve and oversee significant policies, plans and strategic initiatives related to its management or those that could materially impact the institution’s capital (e.g., internal capital targets, share issuance and buy-back) and liquidity;
• approve and oversee the appointment, performance, compensation/remuneration and succession plans of the Chief Executive Officer (CEO), control function heads and other members of senior management, such that the Board is satisfied with the fitness and propriety, and

13 See also Corporate Governance – Board Oversight (BOJ)

collective competence of senior management to effectively lead the operations of the institution;
• oversee the design and operation of the institution’s remuneration system, ensuring the incentives are aligned with prudent risk-taking (See, for example, Principles for Sound Compensation Practices, Financial Stability Forum (FSF), April 2009; Financial Stability Board (FSB) Principles for Sound Compensation Practices – Implementation Standards, September 2009; and Compensation Principles and Standards Assessment Methodology, BCBS, January 2010);
• approve the mandate, resources and budgets for the control functions;
• approve and oversee material commitments, including major capital expenditures, mergers, acquisitions and divestitures, intra-group and connected party exposures, and material outsourcing arrangements, including with related parties;
• approve and oversee the implementation of the institution’s Risk Appetite Framework (RAF), including policies, procedures and processes for the identification, measurement, monitoring and control of both financial and non-financial risks, and periodically review whether these remain appropriate in the event of material changes in the size, nature, and complexity of the institution’s operations;
• develop and promote a sound corporate culture (codes of ethics and conduct) within the institution, which reinforces ethical, prudent and professional behaviour and enables employees to alert the Board and management in good faith to potential misconduct without the fear of retribution;
• ensure that effective processes and procedures (to include an appropriate internal sanctioning framework) are developed and implemented to ensure compliance with all applicable laws and regulations, and guidelines and standards issued by the BOJ;
• approve and oversee the integrity, independence and effectiveness of the institution’s policies and procedures for whistleblowing;
• promote sustainability through appropriate environmental, social and governance (ESG) considerations in the institution’s business strategies;
• ensure that their institutions’ operations, physical premises, people, information technology, and data and information systems are resilient and protected against threats;
• oversee the development and implementation of Information Technology (IT) Frameworks that, at a minimum, cover data confidentiality, information security, third-party connections, incident response and reporting;
• oversee and approve the recovery plans to restore the institution’s financial strength and stability during periods of stress, as well as business continuity plans to ensure the ability to maintain or preserve critical operations and services in order to operate on an ongoing basis and to limit losses in the event of severe business disruption;
• approve and oversee implementation of both internal and external audit plans, including audit fees and scope of external audit engagement; and
• promote timely and effective communication between the institution and the Bank on matters affecting or that may affect the entity's safety and soundness.

4.2 Composition of the Board

17. Each entity should establish a Board of Directors responsible for delivering effective leadership and oversight of the organization. The Board should be comprised of suitable individuals who are adept at making prudent decisions and implementing necessary changes in the institution's structure, business activities and operations, as directed by BOJ or dictated by macroeconomic conditions to ensure the institution's viability. Suitability14 refers to the person’s fitness and propriety coupled with his or her ability to commit sufficient time to perform duties, competence, and absence of conflict of interest that cannot be appropriately mitigated. The members of the Board and Board committees should be comprised of individuals who collectively reflect a balance of expertise, skills, experience, competencies and perspectives, taking into consideration the institution’s strategy, risk profile, culture and overall operations. Relevant financial industry and risk management expertise are key competencies for the Board. The Board must develop, document, and regularly review the criteria and skill sets required of its members, both individually and collectively.

18. To promote objectivity in decision-making by the Board, the formal and perceived objectivity of Board Members should be ensured. To that end, Board members should avoid personal ties or financial or business interests which conflict with those of the institution. Where it is not reasonably possible to avoid conflicts of interest, such conflicts should be managed. Documented procedures and policies should be in place to identify and address conflicts of interest, which could include disclosure of potential conflicts of interest, requirements for arm’s length transactions, abstention from voting and, where appropriate, prior approval by the Board or shareholders of professional positions or transactions. Moreover, when a conflict of interest is deemed material, mere disclosure is insufficient. In such cases, the Board of a DTI or FHC must implement additional measures to effectively manage and mitigate these conflicts. By taking proactive steps, the Board can safeguard the integrity of the institution and maintain trust among stakeholders, ensuring that decisions are made in the best interest of the institution and its clients rather than being influenced by personal interests.

19. The Board and Board committees should have adequate knowledge and understanding of the institution’s business, including its products, markets, strategy, risks, and regulatory obligations. This knowledge enables them to critically evaluate and challenge senior management’s decisions effectively. To maintain this capacity, the Board should include members with diverse expertise and provide regular training on industry developments and emerging risks.

14 This definition of ‘Suitability’ may be found in Bank of Jamaica’s Standard of Sound Practice on Fitness and Propriety, 2024.

20. The size and composition of the Board should enable effective deliberation while allowing individual directors to manage their workloads responsibly. Boards must refrain from significant cross-directorships among entities within a group or with the financial holding company, which could create a conflict between decisions that prioritize the institution’s safety and soundness and those of the financial group or other subsidiaries. When assessing whether a person meets the time commitment criteria for suitability and appointment to the Board, the institution should consider the following:
a) the person’s other mandates; professional obligations (taking into account the nature, scale, complexity and location of other entities with which he/she is affiliated) or non-professional activities; voluntary work or political involvement, to determine the overall time required to fulfil such commitments; and
b) whether the person will be able to fulfil his/her duties effectively, particularly during periods of increased activity or stress.

4.2.1 Independent Directors

21. The BSA defines as independent a director of a licensee or company who is not an employee, a shareholder holding 5% or more of the entity’s shares, or a party to a significant economic or other relationship that, in the Supervisor's opinion, compromises his/her independence. International Standard-Setting Bodies and Regulatory Authorities also provide specific definitions of an independent director, with the aim of promoting transparency, accountability, and effective governance. While definitions may vary across jurisdictions, some key principles are emphasized broadly to ensure that independent directors are free from conflicts of interest and are capable of providing unbiased oversight and challenge to management.

22. Independent directors must be able to make decisions based on objective judgment, without undue influence from management or major shareholders, having fulfilled the following criteria which are widely accepted as international best practice:15
• No Executive Role: Independent directors must not be involved in the day-to-day management of the institution.
• Absence of Material Relationships: Independent directors must have no financial or personal relationships with the institution, its affiliates, or its senior management, except for board service, that could compromise their impartiality.
• No Conflicting Relationships: Independent directors should not have close personal or familial ties with key executives or other board members, or significant business relationships, such as being a major customer, consultant, or holding executive roles in

15 Corporate Governance Principles for Banks, Basel Committee on Banking Supervision (BCBS), July 2015; and G20/OECD Principles of Corporate Governance, June 2023.

companies that have substantial business relationships with the institution, that could compromise independence.

23. Independent directors perform a pivotal role on the Board of directors. They are expected to, at a minimum, carry out the following roles and responsibilities:
a) Provide objective and unbiased perspectives during board discussions and decision-making;
b) Chair Board sub-committees, such as Audit, Risk, Compliance and Remuneration;
c) Meet separately on a periodic basis to ensure unbiased oversight, evaluate management, address sensitive issues, and strengthen governance;
d) Provide unbiased challenge to decisions of management and the Board Chair; and
e) Ensure the equitable treatment of shareholders and safeguard minority interests against abusive related party transactions.16

24. DTIs and FHCs should ensure that there is clear documentation of the criteria used to determine whether an individual to be appointed as an independent director is independent in character and judgement, and free from associations or circumstances that may impair the exercise of his/her independent judgement. Further, an independent director must immediately disclose to the Board any change in his/her circumstances that may affect his/her status as an independent director. In such a case, the Board must review the designation of his/her status as an independent director and immediately notify the BOJ, in writing, of its decision to either affirm or change his/her designation or removal from the Board.

4.2.2 Appointments to the Board

25. Appointments to the Board, as well as its size and composition, must be consistent with legislative, regulatory and supervisory requirements, the financial institution’s own by-laws, as well as the size and complexity of the institution. Bank of Jamaica requires that the Board of all DTIs and FHCs should, at a minimum:
• Comprise at least five (5) members, of which one-third should be independent directors, consistent with Sections 32 and 34 of the BSA,17,18 except for a non-operating parent or financial holding company (see paragraph 73).

16 For this purpose, the laws and the codes in most jurisdictions call for some board members to be independent of dominant shareholders. Additionally, certain regions mandate a specialized board approval process for related party transactions, often involving independent board members, auditors, or external experts.
17 The planned revisions of the BSA will reflect amendments relating to the minimum size and composition of the Board and Board Committees. An increase in the number of directors would allow for adequate representation of independent directors such that the Board and its sub-committees maintain the ability to exercise objective judgment independent of the views of the executives.
18 A non-executive director is not a member of the regulated financial institution’s management. Non-executive directors may include Board members or senior managers of the parent company of the locally incorporated regulated institution or of the parent company’s subsidiaries, but not executives of the regulated institution or its subsidiaries.

• Notwithstanding the minimum requirement above, the expectation is that a risk-based approach to board composition should be adopted by DTIs and FHCs. This means that for larger entities the Board's size should reflect the entity's scale, with the number of independent directors proportionate to its size, operational scope, complexity, and business model. Larger, systemically important entities are expected to comprise a majority of independent members to ensure robust oversight and in keeping with international best practice. Conversely, smaller or less complex institutions might require fewer independent directors (not less than one-third). It is important to note that the Basel Committee on Banking Supervision’s Corporate Governance Principles for Banks (2015) recommend that the Board be comprised of a sufficient number of independent directors. Consistent with this principle, Bank of Jamaica strongly recommends that independent members make up two-thirds of the Board of deposit-taking institutions that are large and complex, with the Board size increasing accordingly, in line with this adjustment.
• Separate the roles of Chairman and Chief Executive Officer, in accordance with Section 35(1) of the BSA. Failure to ensure this separation is a breach of the law. Separation of the two positions is regarded as good practice as it helps to preserve the Board's independence, contributes to achieving an appropriate balance of influence, increases accountability, and improves the Board’s capacity for decision-making and effective execution of its mandate.
• Establish appropriate Board sub-committees (refer to paragraphs 40 - 52) to provide advice and support, and assume responsibility for matters that require more detailed and frequent review.

4.3 Chair of the Board

The Chairman of the Board carries significant responsibility for steering the Board’s activities and ensuring that the DTI or FHC meets its regulatory requirements. The chair provides leadership to the Board and is responsible for its effective overall functioning, including maintaining a relationship of trust with Board members.19 This role demands that the chairman possess not only the appropriate expertise and leadership qualities but also adequate time to dedicate to the institution’s needs in the performance of his or her duties. The chairman must meet Bank of Jamaica’s suitability standards, which include a strong reputation, deep expertise in financial and regulatory matters, and the necessary skills, experience, and ethical principles to foster trust and effective collaboration among Board members. Maintaining integrity in both personal and professional behaviour is essential for the chairman to effectively lead the Board with accountability and responsibility.

19 See the Basel Committee on Banking Supervision’s Guidelines – Corporate Governance Principles for Banks, 2015.

26. The chairman is expected to provide impartial oversight and a balanced approach to risk management while actively promoting adherence to global best practices. This commitment supports the Board’s alignment with risk frameworks, regulatory standards, and ethical principles, ultimately safeguarding the institution’s reputation and financial stability.

4.3.1 Corporate Secretary

27. The Board is often supported by a corporate secretary, whose role is crucial to effective governance. Corporate secretaries should serve as governance facilitators, ensuring that boards remain accountable, comply with legal frameworks, and make informed decisions. By acting as a communication bridge between the Board, management, and stakeholders, they promote a transparent and ethical governance structure.

28. Moreover, corporate secretaries should play a key role in keeping boards informed about regulatory changes and evolving governance trends, enabling institutions to address challenges proactively. Their commitment to compliance and ethical practices not only reinforces the institution's integrity but also ensures alignment with international best practices in governance.

29. The Corporate Secretary should report directly to the Board of Directors and work closely with the Chairperson and other Board members to fulfil governance responsibilities. To fulfil the role effectively, the Corporate Secretary must operate with sufficient independence from management influence in governance matters to ensure unbiased advice and decision-making.

30. Key responsibilities of the Corporate Secretary include:
• Monitoring and addressing potential conflicts of interest among directors and executives, ensuring compliance with internal policies and regulatory requirements;
• Developing and enforcing codes of ethics and conduct for the Board and senior management; and
• Collaborating with the Risk Management and Audit Committees to align Board decisions with institutional risk frameworks.

4.4 Appointment and Removal of Directors

31. DTIs and FHCs achieve effective corporate governance and management when led by individuals who are deemed fit, proper and suitable. When assessing the fitness and propriety of persons considered for appointment, the Board must conduct its assessment against the following criteria: competence and capability; probity, integrity and reputation; and financial integrity20. Accordingly, all DTIs and FHCs are required to establish and implement robust due diligence

20 Refer to Standard of Sound Practice on Fitness and Propriety; Bank of Jamaica, April 2024. The BOJ will undertake a risk-based approach to the assessment of fitness and probity of relevant persons. This includes a review of information requested by the BOJ, the findings from ongoing supervision, as well as the execution of interviews with relevant persons as necessary.

policies and processes to guide the nomination and appointment of directors to ensure that these persons are and remain fit and proper.

32. The Board must establish a comprehensive process for appointing directors. Such a process must involve assessing candidates against the minimum requirements set out in Bank of Jamaica’s Standard of Sound Practice on Fitness and Propriety. Direct engagements between a candidate and the Board nominations committee should help facilitate the assessment of each candidate's suitability for the Board.

33. Unless written approval from BOJ is obtained, a DTI or FHC must not confirm or publicly announce the proposed appointment of a director. Furthermore, until such regulatory approval is granted, the institution shall restrict interactions between the Board and the potential candidate to prevent any perceived influence or bias in the approval process. This provision is essential to maintain compliance with regulatory standards and to uphold the integrity of the nomination procedure.

34. The Board should establish policies and procedures to govern the resignation and removal of members from the Board. These policies must be based on the principles of transparency, objectivity and independence21. At a minimum, the policies should establish:
• minimum notice required for resignations from the Board (taking into consideration the extent of the due diligence process that must precede appointments);
• conditions for removal from the Board. These should include failure to satisfy the fit and proper criteria established by law and further expounded on in the Standard of Sound Practice on Fitness and Propriety, as well as failure to comply with the institution’s corporate governance standards (e.g., conviction of an offence involving dishonesty); and
• requirement for BOJ to be immediately notified of removals/resignations, as well as the reasons for such actions.

4.5 Board Performance Assessment and Evaluation

35. The Board should regularly assess its practices and those of its sub-committees, and should pursue strategies to enhance its overall effectiveness. In this regard, the Board is expected to undertake a formal annual assessment of its performance and that of its committees and individual directors to ensure the maintenance of a balance of skills, knowledge and experience within the context of the nature of the institution’s operations/activities.

36. The Board should periodically conduct a skills and competency evaluation process that is integrated with the overall Board succession plans and the desired technical and behavioural competencies of the Board chair and chairs of the Board committees.

21 Refer to Companies Act (CA) 2004 Section 179, “Removal of Directors”; and Section 180, “Court Disqualified Directors”.

37. The Board should engage external consultants or experts to assist it in periodically conducting the evaluation exercises described in paragraphs 35 and 36.

4.6 Board Meetings

38. The Board's ability to act independently of senior management can be demonstrated through practices such as regularly scheduled Board and Board committee meetings that include sessions without senior management present. The frequency of Board meetings should depend on circumstances such as the nature and size of the institution’s operations, governance structure (e.g. the number of Board sub-committees and their respective mandates, and frequency of meetings held), risk profile, as well as the current internal and external environment and its impact on its operations. The BOJ requires that, at a minimum, all deposit-taking institutions hold full Board meetings at least quarterly, distinct from the more frequent meetings of various Board sub-committees. Additionally, it is expected that the Board will convene more often if risk conditions demand it, ensuring that the institution can respond proactively to emerging challenges. This flexibility allows the Board to maintain effective oversight and governance in a dynamic financial landscape.

39. The minutes of each meeting of the Board should be well documented. The minutes should provide:
• an accurate and adequate record of Board deliberations, reflecting the issues discussed and the conclusions/decisions made;
• a list of directors in attendance at each meeting; and
• an appropriate record of the material contribution of each member of the Board, and any significant concerns or dissenting views.
The minutes must indicate whether any director abstained from voting or excused himself/herself from deliberating on a particular matter. The minutes of the meetings of the Board, as well as proper records of Board papers/submissions, should be appropriately signed and made available to the BOJ examiners for review upon request.

4.7 Board Committees

40. To support the effective discharge of the responsibilities of the Board, the Board should assess whether the establishment of committees of the Board is appropriate and will serve to maximize the effectiveness of the governance framework. At a minimum, the Board should establish audit, risk management, and corporate governance committees. It is important to note that the BSA requires the establishment of an Audit Committee, consistent with international best practices. Other committees that a Board may establish include compliance, remuneration, and

nominations22. The number, size, composition, and type of each committee should be in accordance with the institution’s size, complexity, and business model.

41. Where committees are appointed, they should have clearly defined mandates, working procedures (including reporting to the Board), authority to carry out their respective functions, and a degree of independence and objectivity as appropriate to the role of the committee. The Board should consider periodic rotation of its members and committee chairs, as well as tenure limits for committee service, in order to avoid undue concentration of power and to promote fresh perspectives. The Board should ensure that there are no material conflict of interest issues arising from directors serving on multiple committees.

42. Each Board committee established must:
• have at least three directors;
• have a majority of independent directors;
• be chaired by an independent director; and
• comprise directors who have the skills, knowledge and experience relevant to the responsibilities of the Board committee.
With the exception of the Board Nominations Committee (or combined Nominations and Remuneration Committee), Board committees must not have any executive director23 in their membership.

43. To promote robust and open deliberations by the Board on matters referred by the Board committees, the Chairman of the Board must not chair any of the Board committees.

44. The Board is fully accountable for any authority delegated to the Board committees.

45. The Board must ensure that the mandate and operating procedures for each Board committee are set out in the Board charter and clearly–
• delineate the areas of authority delegated to the Board committee; and
• define reporting arrangements for keeping the Board informed of the work of the committee, key deliberations, and decisions on delegated matters.

22 A financial institution may combine its Board nominations committee and Board remuneration committee. If the functions of any committees are combined, the Board should ensure such a combination does not compromise the integrity and/or effectiveness of the functions combined. Where the Board chooses not to establish a Remuneration Committee, the Board should establish and document policies and procedures to discharge its duties and responsibilities effectively in the absence of a Remuneration Committee. The Board must also ensure that a formal process is in place to review the framework for remuneration plans, processes and outcomes at least annually.
23 An Executive Director is a member of the Board who also has management responsibilities within the financial institution.

4.7.1 Audit Committee

46. Bank of Jamaica requires that each DTI or FHC establish a permanent, independent internal audit function that is proportionate to the size and nature of the entity's operations. This requirement ensures that the internal audit can effectively assess and enhance the governance, risk management, and control processes of the institution.

47. The responsibilities of the Audit Committee should include the following:
• support the Board in ensuring that there is a reliable and transparent financial reporting process within the institution.
• approve the institution’s audit plans (internal and external). Audit plans should be risk-based and address all the relevant activities over a minimum 5-year cycle. Where part or all of the internal audit function is outsourced, the Audit Committee should still be responsible for overseeing the performance of the institution’s internal audit function as a whole.
• oversee the effectiveness of the internal audit function of the entity. At a minimum, this must include–
  o reviewing and approving the audit scope, procedures and frequency;
  o reviewing key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with laws, regulatory requirements, policies and other matters identified by the internal audit and other control functions;
  o noting significant disagreements between the chief internal auditor and the rest of the senior management team, irrespective of whether these have been resolved, in order to identify any actual or potential impact the disagreements may have on the audit process or findings; and
  o establishing a mechanism to assess the performance and effectiveness of the internal audit function.
• foster a quality audit of the institution by exercising oversight over the external auditor. At a minimum, this must include–
  o making recommendations to the Board on the appointment, removal and remuneration of the external auditor. It is important to note that the Audit Committee, not senior management, should recommend to the shareholders the appointment and removal of the external auditor. It should also recommend for approval by the Board the engagement letter and remuneration of the external auditor;
  o monitoring and assessing the independence of the external auditor, including approving the provision of non-audit services by the external auditor;
  o monitoring and assessing the effectiveness of the external audit, including meeting with the external auditor without the presence of senior management at least annually;
  o reporting annually to the Board on the effectiveness of the external auditor;
  o maintaining regular, timely, open and honest communication with the external auditor, and requiring the external auditor to report to the Board Audit Committee on significant matters; and

| 27 o ensuring that senior management is taking necessary corrective actions in a timely manner to address supervisory and external audit findings and recommendations. • review and update the Board on all related party transactions in lieu of a Board Conduct Review Committee. • discuss with senior management and the external auditor the overall results of any audit conducted, the annual and quarterly financial statements and related documents, the audit report, the quality of the financial statements and any related concerns raised by the external auditor. The Audit Committee should be satisfied that the financial statements present fairly the financial position, the results of operations and the cash flows of the institution. • meet with the Chief Internal Auditor and the Appointed (or Consulting) Actuary to discuss the effectiveness of the institution's internal controls and the adequacy of practices for reporting and determining financial reserves. • review the accuracy and adequacy of the Chairman’s statement in the directors’ report, corporate governance disclosures, interim financial reports and preliminary announcements in relation to the preparation of financial statements. • monitor compliance with the Board’s conflicts of interest policy. • meet with the External Auditor, the Chief Internal Auditor and heads of other control functions, as appropriate, with and without the CEO or other members of senior management present. • evaluate and approve internal control procedures for the institution, and review third-party findings and recommendations on the design and effectiveness of the institution’s internal control and enterprise risk management frameworks. 4.7.2 Risk Committee 48. The Board should establish an independent Risk Committee that comprises members who have experience in risk management issues and practices to oversee risk management on an enterprise-wide basis.
For small, less complex institutions, in place of establishing a separate Risk Committee, the Board should be satisfied that it has the collective skills, time and information (i.e., appropriate reporting) to provide effective oversight of risk management on an enterprise-wide basis. 49. Guided by the institution’s Risk Appetite Framework, the Risk Committee should have an understanding of the types of risks to which the institution may be exposed, and the techniques and systems used to identify, measure, monitor, report on and mitigate those risks. As part of its duty to oversee the risk management of the institution, the Risk Committee should seek assurances from the Chief Risk Officer (CRO), or equivalent, that the risk management function of the institution is independent from operational management and business lines, is adequately resourced, and has appropriate status and visibility throughout the organization. 50. The Risk Committee should receive timely and accurate reports from the CRO or equivalent officer and other relevant functions on significant risks of the institution and exposures relative to the

| 28 institution’s risk appetite (including approved risk limits). The Risk Committee should be satisfied with the manner in which material exceptions to risk policies and controls are identified, measured, monitored, reported, and controlled, as well as how exceptions/breaches are addressed. 51. Where established, the Risk Committee should at least: • provide input on material changes to the institution’s strategy and corresponding risk appetite; • advise and support the management body in its supervisory function regarding the monitoring of the institution’s risk appetite and strategy, taking into account all types of risks, to ensure that they are in line with the business strategy, objectives, corporate culture and values of the institution; • oversee and monitor the implementation of the institution’s risk appetite (and corresponding limits) and strategy, taking into account all types of risks, to ensure that they are in line with the business strategy, objectives, corporate culture and values of the institution; • oversee the implementation of the strategies for capital and liquidity management as well as for all other relevant risks of the institution, such as market, credit, operational (including legal, cyber, and IT risks), actuarial and reputational risks to ensure they are consistent with the stated risk appetite; • provide recommendations on necessary adjustments to the risk strategy resulting from, inter alia, changes in the business model of the institution, market developments or recommendations made by the risk management function; • provide advice on the appointment of external consultants that senior management may decide to engage for advice or support; • review and provide advice on possible scenarios, including stressed scenarios, to assess how the institution’s risk profile would react to external and internal events; • collaborate with other Board committees whose activities may have an impact on the strategy and operations of the
institution, and regularly communicate with the heads of the institution’s internal control functions, in particular, the risk management function; • oversee the alignment between all material financial products and services offered to clients and the business model and risk strategy of the institution, including assessment of the risks associated with the offered financial products and services and take into account the alignment between the prices assigned to and the profits gained from those products and services; and • assess the recommendations of internal or external auditors and follow up on the appropriate implementation of measures taken. 52. Minimum expectations regarding the responsibilities of other Board committees are summarized in the Appendix. Given the advancement in international best practices relating to the governance of DTIs and FHCs, in addition to the Audit Committee, each institution is strongly encouraged to establish a Risk Committee, especially in circumstances where the size and complexity of the institution’s operation warrant its establishment.

| 29 4.8 The Board’s Relationship with and Oversight of Senior Management 53. For purposes of this Standard, senior management comprises the individuals or the body responsible for managing the DTI or FHC on a day-to-day basis in accordance with strategies, policies and procedures approved by the Board – i.e., the Chief Executive Officer (CEO) and individuals who are directly accountable to the CEO. This group of individuals includes the heads of the control functions, such as the Chief Financial Officer (CFO), Chief Risk Officer (CRO)[24], Chief Compliance Officer (CCO), Chief Internal Auditor (CIA), Chief Information Security Officer (CISO)[25], and Chief Actuary (CA), as well as the heads of major business units. 54. The Board must ensure that each member of senior management, including heads of control functions, is and continues to be fit and proper and that senior management, individually and collectively, has the full range of skills needed for the effective and prudent operation of the institution. 55. Senior management of a locally incorporated deposit-taking institution must be ordinarily resident in Jamaica. The Board and/or senior management must be available to meet with the BOJ on request. 56. The Board should immediately advise the BOJ of all proposed appointments to the senior management team, and also advise of all resignations and removals, with details of the reasons for such action[26]. 57. Senior management is responsible for implementing the Board's decisions and directing the operations of the institution within the authority delegated to it by the Board, and in compliance with applicable laws and regulations. The Board should clearly articulate and document what it delegates to senior management and the limitations and accountabilities associated with matters that are delegated, including matters reserved to the Board. A clear mandate for senior management that outlines its accountabilities and responsibilities should also be established. 58.
The Board must develop and establish appropriate protocols and channels for reporting, including the exercise of judgement in escalating matters of particular significance, even if within the delegated mandate to senior management. The Board, and particularly the non-executive directors,

[24] This includes an individual who may be performing the functions typically assigned to a Chief Risk Officer though he/she has not been designated with the title of Chief Risk Officer. [25] The CISO should be primarily responsible for enterprise-wide oversight and management of cyber risk and timely reporting of breaches of the institution’s cyber-risk management architecture. [26] On this point please be reminded of the provisions of section 39 of the BSA.

| 30 should hold senior management to account against the matters delegated and be able to challenge senior management effectively and promptly. 59. The Board should understand the decisions, plans and policies being implemented by senior management and their potential impact on the institution. The Board should be satisfied that the decisions and actions of senior management are consistent with the Board-approved business plan, strategy and Risk Appetite Framework (RAF) of the institution and that the corresponding internal controls are sound and effective. 60. The Board is expected to provide advice, guidance, and feedback to senior management, as appropriate, on the following: (i) operational and business policies; (ii) performance of the institution relative to the Board-approved business plan and strategy; and (iii) effectiveness of the Risk Appetite Framework, the control functions, and significant policies and plans related to management of capital and liquidity. 61. In order to fulfil its responsibilities, the Board relies on senior management to provide sound advice on the organizational objectives, plans, strategy, structure and significant policies of the institution. To manage risks effectively, the Board and senior management must understand the risks associated with the institution's business model, including each business line and product, and how they relate to the institution's strategy and Risk Appetite Framework. 62. Senior management is expected to provide material information and recommendations to the Board in a manner that enables the Board to focus on key issues and make informed decisions in a timely manner. 63.
Key Responsibilities of Senior Management include: • implementing the business plan, strategy, RAF, remuneration and other policies approved by the Board, and in accordance with directions given by the Board; • establishing a management structure that promotes accountability and transparency throughout the institution’s operations, and preserves the effectiveness and independence of control functions; • promoting, together with the Board, a sound corporate culture within the institution which reinforces ethical, prudent and professional behaviour; • addressing actual or suspected breaches of regulatory requirements or internal policies in a timely and appropriate manner; • ensuring informed decision-making while exercising the duty of care and duty of loyalty, prioritizing the institution’s interests over personal gains; and • providing relevant, accurate and timely information to the Board in order to facilitate the Board’s oversight responsibilities, particularly on matters relating to: (i) the performance, financial condition and operating environment of the institution; (ii) internal control failures, including breaches of risk limits; and (iii) legal and regulatory obligations, including supervisory concerns and recommendations and the remedial actions taken to address them.

| 31 64. In order to provide effective oversight of senior management, the Board should: • ensure that there are adequate policies and processes relating to the appointment, dismissal and succession of senior management, and be actively involved in such processes; • ensure that senior management’s knowledge and expertise remain appropriate given the nature of the institution’s business operations and risk profile; • monitor whether senior management is managing the affairs of the institution in accordance with the strategies and policies set by the Board, and the institution’s risk appetite, corporate values and corporate culture; • set appropriate performance and remuneration standards for senior management consistent with the long-term strategy and the financial soundness of the institution, and monitor whether senior management is meeting the performance goals set by the Board; • regularly meet with senior management to discuss and critically review the decisions made, information provided and any explanations given by senior management relating to the business and operations of the institution; and • have regular interaction with senior management, as well as with other key functions, and proactively request information from them and challenge that information when necessary.

| 32 5. Group Governance 65. Within a group of companies, there can be more than one regulated entity. Effective corporate governance at the levels of parent company and subsidiaries is essential, and may help to mitigate the associated risks of carrying on businesses in complex financial conglomerates or group structures. Complex structures involving a large number of regulated and unregulated legal entities can exacerbate group-wide risks, including risks arising from operational interdependencies, intra-group exposures, and reputational associations, including step-in risk[27]. 66. In a group structure, the Board of the parent company has overall responsibility for the establishment and operation of a corporate governance framework appropriate for the structure, business, and risks of the group and its entities. The parent company may be a regulated financial institution or a financial holding company established under the BSA, and may or may not have cross-border subsidiaries. 67. A comprehensive and consistent group-wide corporate governance framework should be designed to promote the following processes and practices: • effective assessment and consistent management of risks across the group; • timely reporting to the group level to ensure a good overview of risks across the group; • availability of adequate aggregated information about all risks at the group level; • timely reaction to risks at the group and legal entity level; • due consideration and incorporation of local circumstances and requirements at the group level; and • adequate communication of the risk management approach within the group[28]. 68.
The Board and senior management of the parent company should promote risk awareness and encourage open communication and discussion about risk-taking across the group and its regulated entities by: • setting clear reporting requirements to report locally identified risks (including compliance risks) in a timely and comprehensive manner at the group level; • providing for a Chief Risk Officer or other person at the entity level, who is responsible for regularly reporting to the CRO at the group level; • providing for, on an ongoing basis, the reporting by control functions at the entity level to control functions at the group level in order to make it possible for the head of the group to identify risks emerging at the entity level in a timely manner; and

[27] “Step-in risk” is the risk that the regulated entity decides to provide financial support to an unconsolidated entity that is facing stress, in the absence of, or in excess of, any contractual obligations to provide such support. The main reason for step-in risk might be to avoid the reputational risk that the institution might suffer were it not to provide support to an entity facing a stress situation. The financial crisis in 2007/08 provided evidence that a bank might have incentives beyond contractual obligation or equity ties to “step in” to support unconsolidated entities to which it is connected. If step-in risk is related to reputational risk, it is distinct from operational risk. Operational risk is considered separately within the Basel framework, and its definition explicitly excludes reputational risk (see “Identification and Management of Step-in Risk”, BCBS, 2017). [28] IAIS Issues Paper on Approaches to Group Corporate Governance, Impact on control functions, Oct. 2014, para. 51(b)-(g).

| 33 • assessing whether group-level risk officers are represented on the risk committees of group entities, so as to contribute to effective communication of the group risk approach to those entities. 69. The parent company's Board and senior management should ensure that the group structure does not undermine its ability to effectively oversee the activities of the regulated subsidiary institution and the enterprise-wide oversight responsibilities applicable to the institution. This must be supported by a sound understanding of the risks associated with the group structure and an evaluation of whether group controls and policies are adequate to address those risks. 70. As part of the governance framework, and regardless of whether a more centralized or more decentralized approach is used, groups should have effective group control functions. Groups of varying size and complexity will have control functions of different levels of sophistication. The Board should periodically assess the appropriateness and effectiveness of the group control functions, including key persons in control functions. This assessment can be performed by the Board or an appropriate committee delegated by the Board. 71. When implementing governance policies, the Board of the parent company should ensure that robust governance arrangements are in place for each subsidiary and consider specific arrangements, processes and mechanisms where business activities are organized not in separate legal entities but within a matrix of business lines that encompasses multiple legal entities. 72. The Board of the parent company must establish a clearly defined process for approving the establishment of new legal entities and/or modifications to the group’s corporate structure, which may result in the establishment of potentially complex structures.
Institutions should take into account in their decision-making the results of a risk assessment that considers whether any change to the group’s corporate structure fulfils a legitimate business purpose, whether its associated risks are understood and managed, and whether the resulting structure poses obstacles to effective supervision by Bank of Jamaica or conceals the identity of the ultimate beneficial owner(s). 73. Where the parent company is a non-operating financial holding company, its Board must have a minimum of five (5) directors, the majority of whom must be independent. For an operating parent company (such as a bank), the Board should consider increasing the minimum number of directors (including independent directors), in line with a risk-based approach to board composition and international best practice. 74. The independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the regulated institution, subject to restrictions on significant cross-directorships, including the nature and extent of cross-directorships between the ultimate parent or holding company and other group entities.

| 34 5.1 Parent Company Boards 75. In order to fulfil its responsibilities, the Board of the parent company or financial holding company must: • ensure that the group’s corporate governance framework, including the establishment of appropriate Board committees, clearly defines roles and responsibilities for the oversight and implementation of group-wide policies, and that the framework addresses risk management across the businesses and legal entities; • ensure that the differences in the operating environment, including the legal and regulatory regime for each jurisdiction in which the group has a presence, are properly understood and reflected in the group governance framework; • have in place reporting arrangements that promote the understanding and management of material risks and developments that may affect the parent company and its subsidiaries; • ensure that the group’s risk management frameworks address risks across the group, including those arising from intra-group transactions; • ensure that there are adequate resources to effectively monitor compliance of the parent company and its subsidiaries with all applicable legal and regulatory requirements; and • establish an effective internal audit function that ensures audits are being performed at the parent company and across all its subsidiaries and affiliated companies. 5.2 Subsidiary Boards[29] 76. A deposit-taking institution must discharge its own legal and governance responsibilities as a separate entity, even if it is a subsidiary of another financial institution, financial holding company or a foreign entity which is subject to prudential regulation. Subsidiary boards must be capable of acting in the best interests of their depositors, shareholders, and creditors, while safeguarding the safety and soundness of the institution for which they are responsible. 77.
The extent to which the BOJ believes the Boards of significant subsidiaries need to be independent will be influenced by a number of factors, including the size, scope and nature of the subsidiary’s business, its business model and the degree of strategic and operational dependence between the subsidiary and the wider group. 78. It is not good practice for key positions on the subsidiary Boards of DTIs, such as the Chair, Chair of key board sub-committees, CEO or finance director, to be occupied by executive members of the group or parent board. This does not prevent group executive and non-executive board members from sitting on the subsidiary Board as non-executive directors, so long as the overall

[29] This applies to locally incorporated financial institution subsidiaries with either a local or foreign financial institution as a parent.

| 35 independent balance of the Board is satisfactory. It also does not preclude independent group non-executive directors from chairing the Board of the subsidiary or its sub-committees. 79. Where a deposit-taking institution is part of a group, and is asked or required to adopt and/or utilize group policies or functions, the Board of the DTI must approve the use of group policies and functions and ensure that these policies and functions are appropriate for the institution's business plan, strategy and risk appetite, and comply with specific regulatory requirements. Accordingly, the Board and senior management of a DTI that is a subsidiary of an FHC must: • ensure that the objectives, strategies, plans, governance framework and other policies set at the group level are fully consistent with the regulatory obligations and the prudential management of the DTI, and ensure that entity-specific risks are adequately addressed in the implementation of group-wide policies; • ensure timely engagement with the BOJ on strategic and regulatory developments at the group level that may significantly impact the local operations of the DTI; and • where the regulated subsidiary is significant due to its systemic importance or its size relative to the parent company’s overall operation, take such further steps as are necessary to ensure that the subsidiary meets its own corporate governance responsibilities and the legal, regulatory and supervisory requirements that apply to it. 5.3 Outsourcing 80. Deposit-taking institutions within a group may outsource control functions to either third parties or to other financial or non-financial legal entities within the group. This latter form of outsourcing, referred to as “insourcing,” can apply downstream (e.g., with group-wide control functions conducted at entities within the group) or upstream (i.e., with control functions conducted by the group control function). 81.
The Board of the DTI is required to retain at least the same degree of oversight of, and accountability for, any outsourced material activity or function (such as a control function) as applies to non-outsourced activities or functions. Even if the relevant tasks of a control function can be outsourced, the ultimate responsibility for those control functions continues to reside with the group or with the Board of each institution within the group.

| 36 6. Governance and Risk Management 82. Following the global financial crisis (GFC), several international bodies, including the OECD and the BCBS, have engaged in reforms to strengthen governance and risk management standards. These reforms emphasize the Board’s responsibility for the strategy, enterprise-wide risk management and conduct of their institutions[30]. The control functions are expected to provide objective assessments to the Board to allow the directors to fulfil their responsibilities. The Board, with the support of senior management, should regularly assess the effectiveness of the control functions. 83. Key responsibilities of the control functions include: (i) identifying, measuring, and reporting on the institution’s risk exposures; (ii) assessing and reporting on the effectiveness of the institution’s risk management and internal controls; and (iii) determining whether the institution’s operations, results and risk exposures are consistent with the Board-approved risk appetite. 84. The heads of the control functions should: (i) have sufficient stature and authority within the institution; (ii) be independent from the business lines[31]; and (iii) have unfettered access and a functional reporting line to the Board or the appropriate Board committee. The Board should ensure that the control functions (risk management, compliance, actuarial)[32] and internal audit are adequately staffed with individuals with appropriate experience and qualifications to undertake their respective responsibilities objectively and effectively. 85.
As part of the overall corporate governance framework and in furtherance of the safe and sound operation of the financial institution, and protection of depositors and shareholders, the Board is ultimately responsible for ensuring that the institution has in place effective systems of risk management[33] and internal controls to address the key risks it faces and the key legal and regulatory obligations to which it is subject. Senior management is required to implement these systems and provide the necessary resources and support for these functions. 86. The systems and functions established to support the institution’s Risk Appetite Framework should be adequate and aligned with the institution’s objectives, strategy, risk profile, and applicable legal and regulatory requirements. They should be adapted as the institution’s business model, and internal and external circumstances, change. Business model analysis has become integral to

[30] Supervision of corporate governance was introduced as a separate core principle in the BCP in 2012, incorporating lessons from the GFC. Refer to BCBS Core Principles (CPs 14 and 15) for Effective Banking Supervision, and the “Corporate Governance Principles for Banks”, BCBS, 2015. [31] The business lines, as the first line of defence, take risks and are responsible for their operational management directly and on a permanent basis. For that purpose, business lines should have appropriate processes and controls in place that aim to ensure that risks are identified, analyzed, measured, monitored, managed, reported and kept within the limits of the institution’s risk appetite and that the business activities are in compliance with external and internal requirements. [32] In the case of institutions within a corporate structure, some control functions may be outsourced to other financial institutions within the group or the parent company. Where deposit-taking institutions are considered small and non-complex, and do not have the capacity to establish a separate risk management function, it may be combined with the compliance function or outsourced to an affiliated financial institution or undertaken by the parent Financial Holding Company within the corporate group. [33] Risk management systems and practices will differ, depending on the size and complexity of the institution’s operation and business model, and the nature of its risk exposures.

| 37 supervisory frameworks in many jurisdictions, including Jamaica, to support the early identification of vulnerabilities and the supervisory dialogue on the sustainability of financial institutions. 87. The institution’s business model and strategy should be supported by a well-articulated and measurable statement of risk appetite, which is approved by the Board, and used by the Board to monitor and control actual and prospective risks, and to inform key business decisions. The Board and its relevant sub-committees should exercise effective oversight of risk management and controls, supported with meaningful and well-targeted management information used to inform Board discussions. 88. It is the responsibility of the Board to ensure that the effectiveness of the risk management framework is kept actively under review, that it remains aligned with the institution’s risk appetite, and that the Board has the management information it needs. The risk management framework should enable the institution to make fully informed decisions on risk-taking. 
The risk management framework should: • include policies and procedures for identifying, measuring, monitoring and reporting on the risks of the institution on an enterprise-wide and disaggregated level, independently of the business lines or operational management; • include policies, procedures, risk limits and risk controls ensuring adequate, timely and continuous identification, measurement or assessment, monitoring, management, mitigation and reporting of the risks at the business line, institution and consolidated or sub-consolidated levels; • provide specific guidance on the implementation of the business model and strategy – the guidance should, where appropriate, establish and maintain internal limits consistent with the institution’s risk appetite and commensurate with its sound operation, financial strength, capital base and strategic goal; and • be subject to independent internal review, e.g., performed by the internal audit function, and reassessed regularly against the institution’s risk appetite, taking into account information from the risk management function and, where established, the risk committee - factors that should be considered include internal and external developments, including balance-sheet and revenue changes; any increase in the complexity of the institution's business, risk profile or operating structure; geographic expansion; mergers and acquisitions; and the introduction of new products or business lines. 89. Where the Board has established dedicated risk and audit committees, the chairs of these committees will be deemed responsible for safeguarding the independence, and overseeing the

| 38 performance of the institution’s risk management function[34] and internal audit function[35], respectively, including the Chief Risk Officer and head of Internal Audit. The institution should have a senior officer (CRO or equivalent)[36] as the head of the institution's risk management function with responsibility for the oversight of all risks across the institution. The Board also needs to ensure that it has robust arrangements for oversight of other control functions, such as compliance[37]. 90. The CRO and risk management function should not be directly involved in revenue generation or the management and financial performance of any business line or product of the institution. Additionally, the CRO's compensation should not be linked to the performance (e.g., revenue generation) of specific business lines of the institution. While the CRO and the risk management function should influence the institution’s risk-taking activities (e.g., to ensure that the institution’s strategy or business initiative is operating within the approved risk appetite), the ongoing assessment of risk-taking activities by the CRO and risk management function should remain objective. 91. The CRO should provide regular reports to the Board, the Risk Committee and Senior Management in a manner and format that allows them to understand the risks being assumed by the institution. The CRO should provide an objective view to the Risk Committee or the Board, as appropriate, on whether the institution is operating within the Risk Appetite Framework. The CRO should have unfettered access and a functional reporting line to the Board or the Risk Committee, and should meet with the Risk Committee or the Board on a regular basis, with and without the CEO or other members of senior management present.

[34] The risk management function facilitates the implementation of a sound risk management framework throughout the institution and has responsibility for further identifying, monitoring, analyzing, measuring, managing and reporting on risks and forming a holistic view on all risks on an individual and consolidated basis. It challenges and assists in the implementation of risk management measures by the business lines in order to ensure that the process and controls in place at the first line of defence are properly designed and effective.
[35] The independent internal audit function, as the third line of defence, conducts risk-based and general audits and reviews the internal governance arrangements, processes and mechanisms to ascertain that they are sound and effective, implemented and consistently applied. The internal audit function is expected to conduct independent reviews of the first two lines of defence. The internal audit function must perform its tasks fully independently of the other lines of defence and audited activities, and should therefore not be combined with other functions.
[36] For small, less complex institutions, the CRO role can be held by another executive of the institution (i.e., the executive has dual roles). Some institutions may not have a CRO position per se, but nonetheless can clearly identify an individual within the institution that is accountable to the Board and Senior Management for the same functions. In these cases, the dual role must not compromise the independence required of the CRO.
[37] The compliance function monitors compliance with legal and regulatory requirements and internal policies, provides advice on compliance to the management body and other relevant staff, and establishes policies and processes to manage compliance risks and to ensure compliance. The compliance function along with the risk management function form the second line of defence.

7. Risk Culture and Business Conduct

7.1 Risk Culture

92. Culture[38] can influence sound decision-making, prudent risk-taking and effective risk management, which can materially support or weaken the resilience of the institution. In light of the impact that culture can have on the safety and soundness of deposit-taking institutions and financial holding companies and confidence in the broader financial system, the BOJ expects them to:
• define a desired culture and continuously develop and improve the culture to support their purpose, strategy, effective management of risks, and resilience; and
• continuously evaluate and respond to behaviour risks that can affect the institution’s overall safety and soundness.

93. All DTIs and FHCs should develop and implement an integrated and institution-wide risk culture[39], based on a full understanding and holistic view of the risks they face and how they are managed, taking into account the institution’s risk appetite. A strong risk culture should include, but is not necessarily limited to:
• Tone from the top: The Board and senior management are responsible for setting and communicating the institution’s core values and expectations, and their behaviour should reflect the values being espoused. Members of senior management, including heads of control functions, should contribute to the internal communication of core values and expectations to staff. Staff should act in accordance with all applicable laws and regulations and promptly escalate observed non-compliance within or outside the institution (e.g. to the Bank of Jamaica through a whistleblowing process). The Board should, on an ongoing basis, promote, monitor and assess the risk culture of the institution; consider the impact of the risk culture on the financial stability, risk profile and robust governance of the institution; and make changes where necessary.
• Accountability: Relevant staff at all levels should know and understand the institution's core values and, to the extent necessary for their role, its risk appetite and risk capacity. They should be capable of performing their roles and be aware that they will be held accountable for their actions in relation to the institution’s risk-taking behaviour.
• Effective communication and challenge: A sound risk culture should promote an environment of open communication and effective challenge in which decision-making processes encourage a broad range of views, allow for testing of current practices, stimulate a constructive critical attitude among staff, and promote an environment of open and constructive engagement throughout the entire organization.

[38] ‘Culture’ refers to the commonly held values, mindsets, beliefs and assumptions that guide both what is important and how people should behave in an organization.
[39] ‘Risk culture’ refers to a subset of culture that specifically refers to the commonly held values, attitudes and beliefs about risks and risk-taking within the financial institution. This Standard focusses on an institution’s culture more broadly, which encompasses risk culture but is not limited to that scope.

• Incentives: Appropriate incentives should play a key role in aligning risk-taking behaviour with the institution’s risk appetite and risk capacity. The compensation policies approved by the Board must prioritize the long-term interest of the institution and should be consistent with the institution’s risk appetite, and must not incentivize excessive risk-taking and imprudent practices[40]. In relation to the control functions, it is important that the Board routinely review their compensation packages to ensure that they are aligned with their effectiveness in exercising their duties and achieving their objectives, and are not dependent on the performance of any business line.

7.2 Corporate Values and Code of Conduct

94. The Board and senior management should develop, adhere to and actively promote high ethical and professional standards, taking into account the specific needs and characteristics of the institution, and should ensure the implementation of such standards (through a code of conduct or ethics)[41]. The code of ethics should provide guidance on appropriate conduct and address issues of confidentiality, conflicts of interest, integrity in reporting, and the fair treatment of customers. The DTI or FHC must maintain a record of breaches of the code of ethics and address such breaches in a manner that upholds high standards of integrity.

95. The Board of the institution should establish a whistleblowing policy[42] that sets out avenues for legitimate concerns to be objectively investigated and addressed. Individuals and staff members must be able to raise concerns about illegal, unethical or questionable practices in confidence, and without the risk of reprisal. To this end, the Board and senior management must:
• clearly indicate the parties to whom concerns can be escalated within the institution;
• ensure that individuals are made aware of other avenues for whistleblowing to regulators or law enforcement agencies;
• communicate the whistleblowing policy to third parties such as contractors and consultants, and allow them to report their concerns; and
• designate a non-executive director to be responsible for the effective implementation of the policy[43].

[40] See, for example, Principles for Sound Compensation Practices, Financial Stability Forum (FSF).
[41] In establishing the code of ethics, a DTI or FHC should consider established professional and ethical standards recommended by local and international standard-setting bodies.
[42] Please be reminded of the legal obligations found in the Protected Disclosures Act, 2011.
[43] This includes evaluating periodic reports that monitor and assess how concerns are escalated and dealt with, and overseeing periodic reviews of the effectiveness of the whistleblowing policy.

7.3 Conflict of Interest

96. The Board is responsible for approving and overseeing the implementation and maintenance of effective policies to identify, assess, manage and mitigate or prevent actual and potential conflicts of interest:
• as a result of the various activities and roles of the institution, of different institutions within a corporate group or of different business lines or units within an institution, or with regard to external stakeholders; and
• between the interests of the institution and the private interests of staff, including members of the Board, which could adversely influence the performance of their duties and responsibilities.

97. When assessing whether there are perceived, potential or actual conflicts of interest, the Board must consider elements such as economic interests, personal and professional relationships, and political influence and relationships. At a minimum, the Board must:
• Ensure the institution's interest is always placed ahead of the interest of any related party. In circumstances where there is uncertainty, the Board should intervene to prevent the institution’s interest from being subordinated to that of any other party.
• Ensure appropriate policies and procedures are in place to guarantee that all transactions with related parties are conducted at arm’s length.
• Require full transparency from all Board members, senior management, and other key employees that may create an actual or perceived conflict of interest.
• Ensure that appropriate mechanisms are in place to prohibit self-dealing, insider trading and any other activity that puts the interest of any person above the interests of the institution.

8. Disclosure and Transparency

98. The objective of transparency is to provide all relevant parties (shareholders, depositors, other relevant stakeholders and market participants) with the information necessary to enable them to assess and monitor the effectiveness of the Board and senior management in governing the deposit-taking institution or financial holding company.

99. All DTIs and FHCs should disclose relevant and useful information that supports key areas of corporate governance[44]. Timely public disclosure is required and can be done via the institution’s public website, in its annual and periodic financial reports, or by other appropriate means. Such disclosure should be proportionate to the size, complexity, structure, economic significance, and risk profile of the financial institution. Disclosure should include, at a minimum:
• Material information on the institution’s objectives, organizational and governance structures and policies, major share ownership and voting rights, and connected or related party transactions. Where necessary, the disclosure should include all entities within a corporate group structure.
• All material developments since the last disclosure, including any change in governance or organisational structures.
• Size and composition of the Board and Board committees, including their respective mandates.
• Overview of the code of conduct and conflict of interest policy applicable to the institution and, where necessary, the corporate group.
• Overview of the internal control framework and the business continuity management framework.
• Information relating to its risk exposures and risk management strategies, including cyber risk management, without breaching necessary confidentiality.

When involved in material and complex or non-transparent activities, the institution should disclose adequate information on its purpose, strategies, structures, and related risks and controls.

[44] Principle 28 of the BCBS Core Principles for Effective Banking Supervision underscores the responsibility of the supervisory authority to ensure that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes (including compensation practices).

Appendix: Responsibilities of other Board Committees

Nominations Committee
The Nominations Committee should comprise a majority of independent directors, and provide support to the Board in carrying out its function in the following matters concerning the Board, senior management and company secretary. The Nominations Committee makes recommendations to the Board on relevant matters relating to:
• the review of succession plans for directors, in particular, the appointment and/or replacement of the Chairman, the CEO and senior management;
• the process and criteria for evaluation of the performance of the Board, Board committees, and directors;
• the review and/or supervision of training and professional development programs for the Board and its directors; and
• the appointment and re-appointment of directors.
The Nominations Committee should review and assess the knowledge, experience and competence of nominees for suitability for a role on the Board and their ability to discharge responsibilities in accordance with the role.

Remuneration Committee
The Remuneration Committee should support the Board in actively overseeing the design and operation of the institution’s remuneration system. If established, this committee should periodically review the remuneration of directors on the Board, particularly to determine whether remuneration remains appropriate and consistent with the institution’s culture, long-term business and risk appetite, and performance, as well as with any legal or regulatory requirements. The Remuneration Committee should work closely with the entity’s Risk Committee in evaluating the incentives created by the remuneration system.

Conduct Review Committee
This committee makes recommendations for implementing procedures for reviewing transactions with connected (and related) parties, as well as mechanisms for monitoring and reporting such transactions on a continuous basis. The procedures should ensure that all transactions are conducted at “arm’s length”.

Information Technology Committee
This committee provides support to the Board in carrying out its function relating to reviewing and approving the institution's information technology and cyber-risk management strategy, as well as monitoring and evaluating existing and future trends and evolutions in technology, including Artificial Intelligence, and cyber-risk exposures that may impact the institution’s operations, strategic plans, and business model.