2011-01-19 | 3/2011

Regulation on Operational Risk Management by Non-Bank Financial Institutions, Savings and Loan Associations and Their Unions

The Bank of Albania’s Supervisory Council mandates non-bank financial institutions, savings and loan associations, and their unions to establish comprehensive internal operational risk management systems. These entities must systematically identify, assess, monitor, and mitigate risks through defined policies, clear governance responsibilities for supervisory boards and administrators, and robust business continuity plans. Furthermore, the regulation requires quarterly reporting of early warning indicators to the Bank of Albania and grants supervisory authorities the power to enforce compliance through targeted penalizing measures.


REPUBLIC OF ALBANIA
BANK OF ALBANIA
SUPERVISORY COUNCIL

DECISION No. 03, dated 19.01.2011

ON THE APPROVAL OF THE REGULATION “ON THE OPERATIONAL RISK MANAGEMENT”

In accordance with Article 12 “a” and Article 43 “c” of the Law No. 8269, dated 23.12.1997 “On the Bank of Albania”, as amended; Article 57, paragraph 4, Article 58, paragraph 1 “c” and Article 126 of the Law No. 9662, dated 18.12.2006 “On Banks in the Republic of Albania”; and Article 46 and Article 47, paragraph 2 of the Law No. 8782, dated 03.05.2001 “On Savings and Credit Associations”, as amended; having regard to the proposal from the Supervision Department, the Supervisory Council of the Bank of Albania DECIDED:

  1. To adopt the Regulation “On the operational risk management” and its annexes, as provided in the text attached thereto.
  2. The Supervision Department at the Bank of Albania is responsible for the implementation of this Decision.
  3. The Department of Foreign Relations, European Integration and Communication is responsible for the publication of this Decision in the Official Bulletin of the Bank of Albania and in the Official Journal of the Republic of Albania. This Decision shall enter into force on the 15th day following that of its publication in the Official Journal of the Republic of Albania.

SECRETARY: YLLI MEMISHA
CHAIRMAN: ARDIAN FULLANI

REGULATION “ON THE OPERATIONAL RISK MANAGEMENT BY NON-BANK FINANCIAL INSTITUTIONS, SAVINGS AND LOAN ASSOCIATIONS AND THEIR UNIONS” [1]
(Approved by Decision No. 03, dated 19.01.2011 and amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania)

Chapter I - General provisions

Article 1 - Purpose

[2] The purpose of this regulation is to determine the requirements and rules for the management of operational risk by the entities subject to this regulation.

Article 2 - Legal ground

This regulation is issued in accordance with:
  a) Article 12, letter “a” and Article 43, letter “c” of the Law No. 8269, dated 23.12.1997 “On the Bank of Albania”, as amended;
  b) [3] Article 126 of the Law No. 9662, dated 18.12.2006 “On banks in the Republic of Albania”, referred to as the “Law on banks” throughout this regulation;
  c) [4] Articles 60, 62 and 65, paragraph 4 of the Law No. 52/2016, dated 19.5.2016 “On savings and loan associations and their unions”.

Article 3 - Subjects

  1. [5] Subjects of this regulation are non-bank financial institutions, as well as savings and loan associations and their unions, licensed by the Bank of Albania.

[1] Title of the regulation amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[2] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[3] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[4] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[5] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

  2. [6] The Bank of Albania, based on its supervisory assessments of the volume and complexity of operations or of the level of operational risk exposure, may decide that certain non-bank financial institutions or savings and loan associations subject to this regulation become subject to the regulation “On the operational risk management by banks, payment institutions and electronic money institutions”.
  3. [7] In the cases provided in paragraph 2 of this article, the Bank of Albania notifies the non-bank financial institution or savings and loan association and defines the timeframe within which the entity must ensure compliance with the requirements of the regulation “On the operational risk management by banks, payment institutions and electronic money institutions”.

Article 4 - Definitions

  1. The terms used throughout this regulation shall have the same meanings as those set forth in the Law on banks and in [8] the Law No. 52/2016, dated 19.5.2016 “On savings and loan associations and their unions”.
  2. [9] Repealed.
  3. In addition to paragraph 1 of this article, for the purpose of implementing this regulation, the following terms shall have these meanings:
     a) “operational risk” – the possibility that an entity may incur financial losses due to inadequate or failed internal processes and systems, human errors, or external events. Operational risk includes legal risk, but excludes reputational and strategic risk. For the purposes of the internal operational risk management system, the entities may adopt more specific definitions of this risk, provided they include at least the elements of the definition given in this regulation;
     b) “legal risk” – the possibility that an entity may incur financial losses due to non-compliance with, or improper implementation of, legal and/or contractual obligations, including other legal procedures that may negatively affect the financial result and carry the risk of financial losses in the activities of the entities;
     c) [10] “strategic risk” – the possibility that the achievement of the entity's strategic objectives may be jeopardised, ultimately resulting in financial losses, due to changes in the business environment and inappropriate business decisions, improper implementation of decisions, or failure to react to changes in the business environment;

[6] Added by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[7] Added by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[8] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[9] Repealed by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[10] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

     d) [11] “reputational risk” – the possibility that an entity may incur financial losses caused by negative perceptions on the part of clients, counterparties, shareholders, investors, debt holders, markets, other stakeholders, regulators, etc., which may negatively impact the entity's ability to continue operating, to create new business relationships, or to maintain continuous access to funding sources (e.g. through the interbank, capital and debt markets, or the general public);
     e) [12] “third parties (outsourcing) agreement” – an agreement of any form between the entity and a third party (service provider), under which the third party (service provider) performs a process, service or function that would otherwise be carried out by the entity itself.

Chapter II - General requirements for the operational risk management

Article 5 - Operational risk management system

  1. The entities subject to this regulation, notwithstanding the size and complexity of their organisation and activity, shall establish and develop an adequate internal system (policies, procedures, guidelines and [13] tools) for operational risk management. The purpose of this system is to identify, assess, control, [14] report and monitor the overall operational risk on an ongoing basis.
  2. The operational risk management system of the institution should include at least the following elements:
     a) the identification of the operational risk at the entity, commensurate with the size of the entity's activity;
     b) the comprehensiveness of the expected events which may give rise to material operational [15] losses to the entity, [16] considering also the examples of operational risk events outlined in annex no. 7 of this regulation;
     c) the policies to identify, assess, monitor, [17] report and control or mitigate this risk, including and specifying (whenever possible) the allowed limits of operational risk;
     d) the priority actions for the entity in the operational risk management process, including the scale of this risk and the way it is transferred out of the entity.

[11] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[12] Added by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[13] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[14] Added by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[15] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[16] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[17] Added by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

Article 6 - [18] Responsibilities of the supervisory board/administration board/steering council

  1. The supervisory board/administration board/steering council [19] is the authority responsible for the establishment and development of the operational risk management system, as stipulated in article 5 of this regulation.
  2. The supervisory board/administration board/steering council [20], in the framework of operational risk management, is responsible for:
     a) the approval of the respective policies [21] for operational risk management;
     b) the establishment of a management unit able to implement the entity's internal regulatory acts for operational risk management;
     c) the clear assignment and segregation of responsibilities and the reporting lines among the operational risk control functions, the business lines and the supporting functions;
     d) the regular review of the entity's regulatory acts on operational risk management, with the purpose of managing operational risks arising from the external market and other factors, as well as operational risks associated with new products, activities or systems. The review process should aim at assessing and selecting the best operational risk management practices appropriate to the entity's businesses, systems and processes.
  3. The supervisory board/administration board/steering council [22] shall ensure that the operational risk management system goes through an effective and comprehensive internal control process carried out by independent, qualified and responsible staff.

Article 7 - [23] Responsibilities of the administrator/administrators

  1. The administrator is responsible [24] for the implementation of the internal regulatory acts for managing the entity's operational risk, as adopted by the [25] supervisory board/administration board/steering council.

[18] Title of the article amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[19] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[20] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[21] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[22] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[23] Title of the article amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[24] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[25] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

  2. [26] The administrator, for the purpose of operational risk management, shall be responsible for:
     a) the implementation of policies, procedures and processes for managing operational risk in all services/products, businesses and systems that are important for the entity;
     b) the ongoing implementation of all internal bylaws for operational risk management by all the entity's structures;
     c) the implementation of responsibilities and the development of reporting lines, to encourage and maintain accountability and to provide the financial and human resources needed for effective management of operational risk;
     d) clear communication of the entity's operational risk management policy to employees at all levels, particularly in the units exposed to operational risk;
     e) the conduct of [27] the entity's financial activities by qualified staff with the necessary experience and technical capabilities;
     f) ensuring that the staff responsible for monitoring the implementation of the operational risk management policy are independent from the units they oversee;
     g) [28] repealed.

Chapter III - Operational Risk Management

Article 8 - The identification and assessment of the operational risk

  1. The entities shall identify and assess the operational risk in all material services/products, activities, processes and systems.
  2. The entities, prior to launching new services/products on the market, conducting new operations or processes, and/or establishing new systems, shall ensure the implementation of appropriate and sufficient procedures for the prior assessment of the relevant operational risk.
  3. The entities shall effectively identify the operational risk by considering both internal factors (such as the entity's structure, the nature of its activities, the quality of human resources, organisational changes and staff turnover) and external factors (such as changes in the industry and technology advancements), which may unfavourably impact the achievement of the entity's objectives.
  4. The entities shall assess their exposure to the identified risks, thus defining their risk profile, with a view to the efficient use of human and technical resources for managing these risks.
  5. [29] The entities shall set forth their methods and techniques to identify and assess operational risk, considering also the methods and techniques that entities may use for operational risk management, as set out in annex no. 6 of this regulation.

Article 9 - The monitoring and reporting of the operational risk

  1. The entities shall develop a regular monitoring and reporting process for operational risk and the exposure to this risk, in order to quickly identify and remedy shortfalls in risk management policies, procedures and practices.
  2. The entities, in conducting the ongoing and effective monitoring process of the operational risk, shall:
     a) set out adequate indicators to ensure early warning of an increase in operational risk which may give rise to losses in the future;
     b) set out limits on these indicators, whenever possible, to establish an effective monitoring process which helps to identify the main and important risks to the entity and provides for the timely monitoring of these risks;
     c) set out the periodicity of the monitoring process, considering the scale of the risk and the nature of changes in the environment in which they operate;
     d) ensure that the monitoring results are included in the regular reports submitted to the [30] administrator and to the supervisory board/administration board/steering council.
  3. The entities shall implement internal procedures which ensure regular reporting on operational risk management to the [31] administrator and to the supervisory board/administration board/steering council, respectively by the business units, by the operational risk management function/organisational unit and by the internal audit unit.
  4. The operational risk reports, as stipulated in paragraph 3 of this article, should contain the following:

[26] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[27] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[28] Repealed by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[29] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[30] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[31] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

     a) data on the financial and internal operational position and on the observance of the limits set out for the risk indicators, as well as information on important market changes relevant to decision-making;
     b) a complete statement on each identified problem and instructions for corrective actions with regard to unresolved issues.
  5. The entities shall ensure the delivery of reports to all management levels and to the representatives of the business lines affected by the problems reflected in the report. The entities shall analyse these reports to improve practices and procedures and to compile new policies and procedures for managing operational risk.

Article 10 - Control and mitigation of the operational risk

  1. The entities shall compile and implement policies, procedures and practices to control and/or mitigate material operational risks.
  2. The entities, for the purpose of controlling and mitigating operational risk, shall:
     a) design a system of control procedures and practices to ensure compliance with the internal operational risk management policies;
     b) establish an effective internal control system containing an appropriate segregation of duties;
     c) in addition to segregation of duties, ensure that other internal practices/procedures are in place as appropriate to address operational risk, including:
        i. close monitoring of adherence to assigned risk limits or thresholds;
        ii. safeguards for access to, and use of, the entity's data and assets, including insurance contracts;
        iii. an appropriate staffing level and training to maintain expertise;
        iv. identification of business lines or products where returns appear to be out of line with reasonable expectations;
        v. termination of business lines with high potential exposure and loss arising from operational risk; and
        vi. regular verification and reconciliation of accounts and transactions;
     d) use tools or programs to lower the exposure to events with low probability which may nevertheless considerably impact their financial result;
     e) pay special attention to new activities and/or the establishment of new products, particularly if these depart from their business plan;
     f) pay special attention to entry into unknown markets and/or the undertaking of trading activities conducted geographically far from the head office;
     g) invest in the proper use and security of information technology, paying due attention to the increasing degree of automation of services;
     h) establish policies on the management of the risk arising from the [32] transfer of processes, services or functions of the entity to third parties (outsourcing).
  3. The entities shall regularly review their policies and procedures for controlling and mitigating operational risk, aiming to employ adequate strategies commensurate with their risk profile and with the prevailing circumstances and environment.

Article 11 - Business continuity plan

  1. The entities shall have business continuity plans in place which aim to maintain operations on an ongoing basis and to limit losses related to operational risk.
  2. The entities shall ensure that business continuity plans are an integral part of the operational risk management system and/or of the management of other risks.
  3. The entities, in designing and approving these plans, shall identify:
     a) critical business operations, whose conduct should be ensured even under emergency situations;
     b) scenarios/events which may lead to the disruption of processes and/or of the above activities;
     c) alternative solutions to secure the continued conduct of the main activities in emergency situations;
     d) operations to recover the regular functioning of the activities, particularly to secure the information held in electronic systems and to return these systems to a functional state;
     e) communication strategies in case of serious problems and/or disruption of operations.
  4. The entities should periodically analyse and/or review their business continuity plans to ensure their consistency with current operations and their business strategies.

[32] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

Chapter IV - Reporting and supervision

Article 12 - Reporting to the Bank of Albania

[33] The entities shall report quarterly to the Bank of Albania the data according to annexes no. 1 and no. 3 of this regulation.

Article 13 - Supervisory and penalising measures

The Bank of Albania, in case of failure to meet the obligations set forth in this regulation, shall apply the supervisory and/or penalising measures stipulated in the Law on banks and in the [34] Law “On savings and loan associations and their unions”.

Chapter V

Article 14 - Transitory provision

The subjects of this regulation shall meet all the requirements set forth in this regulation within 6 (six) months after the entry into force of this regulation.

Article 15 - Final provision

The annexes attached hereto are an integral part of this regulation.

CHAIRMAN OF THE SUPERVISORY COUNCIL
ARDIAN FULLANI

[33] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[34] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

[35] ANNEXES

For the reporting of early warning indicators to the Bank of Albania, the entity shall complete annex no. 1, following the instructions provided in annex no. 2 of this regulation.

[36] Annex no. 1 - Early warning indicators

No. | Indicator | Value | Comments
1 | Number of new legal cases | Number |
2 | Cost of legal cases | Value (ALL) |
3 | New customers complaints | Number |
4 | Open customers complaints | Number |
5 | Number of fines from authorities | Number |
6 | Value of fines from authorities | Value (ALL) |
7 | Staff turnover | Percent (%) |
8 | Core system failures/interruptions | (hours:minutes:seconds) |
9 | Number of cases identified as fraud | Number |
10 | New problem loans | Percent (%) |

[35] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[36] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

[37] Annex no. 2 - Instructions for completing early warning indicators

  1. Number of new legal cases: the number of new legal cases opened during the reporting period in which the entity is involved and which contain elements of operational risk. Other legal cases, which do not contain elements of operational risk, are excluded.
  2. Cost of legal cases: the expected loss value estimated by the entity in relation to the legal cases of indicator no. 1. The costs of other legal cases, which do not contain elements of operational risk, are excluded.
  3. New customers complaints: the number of complaints filed against the entity by customers or third parties during the quarter, received through all communication channels made available by the entity (formal letter, email, social networks, etc.). All complaints received during the quarter are included, whether they were closed, rejected or still open at the end of the reporting period (quarter).
  4. Open customers complaints: the number of complaints filed against the entity by customers, customer groups or the public which are still open at the end of the reporting period (quarter).
  5. Number of fines from authorities: the number of fines imposed on the entity by various authorities during the quarter which are related to financial activity.
  6. Value of fines from authorities: the value of the fines imposed by various authorities during the quarter which are related to financial activity.
  7. Staff turnover: the percentage of staff turnover for all categories during the reporting period. This includes both full-time and part-time employees.
     Q = L / P * 100, where P = (P0 + P1) / 2
     Q: staff turnover; L: the number of employees dismissed during the reporting period; P: the average number of employees during the reporting period; P0: the number of employees at the beginning of the reporting period; P1: the number of employees at the end of the reporting period.
  8. Core system failures/interruptions: the duration of unplanned interruptions of the entity's core system during the quarter, expressed in the format hours:minutes:seconds.
  9. Number of cases identified as fraud: the number of cases identified as fraud by the entity during the reporting period.
  10. New problem loans: the number of new problem loans relative to the total number of new loans disbursed during the reporting period (in %). The numerator includes new problem loans for which no more than 90 days have passed since the payment date.

[37] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

[38] For the reporting of operational risk events to the Bank of Albania, the entity fills out the register according to annex no. 3, following the instructions of annex no. 4 of this regulation. For events that have lasted for more than one reporting period and have therefore been reported in previous periods, the entity uses the same identification number in the relevant cell of the register and presents the information about the event for the current reporting period. Completion of all annex fields is mandatory for each recorded event, except for the fields “recovery date” and “recovered value”, which are completed when the information is available. The comments field is recommended, but not mandatory. The completion of the recovery date and recovered value fields must be accompanied by the mandatory completion of the fields “event identification number” and “event description”.

[39] Annex no. 3 - Operational risk event register

Columns of the register:

Identification number | Description | Occurrence date (d.m.y) | Booking date (d.m.y) | Cause (Level 1) | Cause (Level 2) | Gross/Initial loss value (ALL) | Recovery date | Recovered value | Comments

[38] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
[39] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

[40] Annex no. 4 - Instructions for completing the operational risk event register

Column: Instructions for completion

  Identification number: The event identification number used by the entity in its internal register of operational risk events must be filled in.
  Description: A description of each event recorded in this register is completed. The description should not include information that is subject to the law “On the protection of personal data”.
  Occurrence date (d.m.y): The occurrence date must be filled in; for events that have had a prolonged effect over time, the starting date of the event is entered.
  Booking date (d.m.y): The date on which the event was recorded in the entity's financial statements must be filled in.
  Cause (Level 1): One of the options from the “Cause of the event, as per level 1” column of annex no. 5 of this regulation must be filled in.
  Cause (Level 2): One of the options from the “Cause of the event, as per level 2” column of annex no. 5 of this regulation must be filled in.
  Gross/Initial loss value (ALL): The initial/gross loss of each event recorded in this register must be filled in. The absolute (positive) value is recorded; negative values must never be entered.
  Recovery date: The date on which the recovered value was accounted for must be filled in.
  Recovered value: Any value recovered from the initial loss must be filled in. The recovered value is recorded in this cell and does not affect the value recorded in the gross/initial loss cell.
  Comments: Any relevant comments about the event must be filled in.

[40] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

[41] Annex no. 5 - Event classification by cause, level 1 and level 2 of detailing

Cause of the event, as per level 1 / Cause of the event, as per level 2:

  People/employees
    - Accidental causes (people)
    - Lack of adequate training/competency
    - Insufficient level of human resources
    - Ineffective roles and responsibilities
    - Miscommunication
    - Ineffective culture
    - Malice
  Process failure
    - Procedure/process designation failure
    - Procedure/process implementation failure
    - Mismanagement of projects/changes
    - Governance failure
  External factors
    - Natural disaster
    - Malice
    - Terrorism/external attacks (excluding cyber-attacks)
    - Environment (excluding natural disasters)
    - Geopolitical/economic/social instability
    - Regulatory and legislative environment
  Systems
    - Functionality issues
    - Performance/capacity issues
    - Lack of maintenance/unsupported legacy
    - Unavailability
    - Inadequate testing/development
    - Release/deployment issues
    - Misconfiguration
    - Inadequate data storage/retention and destruction management
    - Exploitation of IT security vulnerability
    - Technology-related issues
    - Planning issues

[41] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.
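The register rules of annex no. 4, the cause taxonomy of annex no. 5 and the staff turnover and downtime indicators of annex no. 2 lend themselves to a mechanical check before the quarterly file goes to the Bank of Albania. The following Python script is an added example written for this page, not code from the Bank of Albania or from any reporting entity: the level 1/level 2 cause lists are copied from annex no. 5, while the snake_case field names, the sample events, their identifiers (EV-0001 and so on) and the amounts are constructed for illustration.

```python
"""Validate operational risk event register rows (annexes 3 to 5) and compute
two early warning indicators of annex 2.  Added example for this page; the
taxonomy comes from annex 5, everything else is constructed for illustration."""
from datetime import date

# Annex 5: level-1 cause -> permitted level-2 causes.
CAUSE_TAXONOMY = {
    "People/employees": {
        "Accidental causes (people)", "Lack of adequate training/competency",
        "Insufficient level of human resources", "Ineffective roles and responsibilities",
        "Miscommunication", "Ineffective culture", "Malice"},
    "Process failure": {
        "Procedure/process designation failure", "Procedure/process implementation failure",
        "Mismanagement of projects/changes", "Governance failure"},
    "External factors": {
        "Natural disaster", "Malice", "Terrorism/external attacks (excluding cyber-attacks)",
        "Environment (excluding natural disasters)", "Geopolitical/economic/social instability",
        "Regulatory and legislative environment"},
    "Systems": {
        "Functionality issues", "Performance/capacity issues", "Lack of maintenance/unsupported legacy",
        "Unavailability", "Inadequate testing/development", "Release/deployment issues",
        "Misconfiguration", "Inadequate data storage/retention and destruction management",
        "Exploitation of IT security vulnerability", "Technology-related issues", "Planning issues"},
}

# Annex 3 columns; the snake_case field names are this example's own convention.
MANDATORY_FIELDS = ("identification_number", "description", "occurrence_date",
                    "booking_date", "cause_level_1", "cause_level_2", "gross_loss_all")
OPTIONAL_FIELDS = ("recovery_date", "recovered_value", "comments")


def validate_event(row):
    """Apply the annex 4 completion rules to one register row.
    Returns the list of violations; an empty list means the row is acceptable."""
    errors = []
    for field in MANDATORY_FIELDS:                       # everything but recovery/comments is mandatory
        if row.get(field) in (None, ""):
            errors.append(f"missing mandatory field '{field}'")
    level1, level2 = row.get("cause_level_1"), row.get("cause_level_2")
    if level1 not in CAUSE_TAXONOMY:                     # annex 5, level 1
        errors.append(f"unknown level-1 cause '{level1}'")
    elif level2 not in CAUSE_TAXONOMY[level1]:           # annex 5, level 2 must belong to that level 1
        errors.append(f"level-2 cause '{level2}' is not listed under '{level1}'")
    gross = row.get("gross_loss_all")
    if isinstance(gross, (int, float)) and gross < 0:    # absolute value only, never negative
        errors.append("gross/initial loss must be recorded as a non-negative absolute value")
    if row.get("recovery_date") is not None or row.get("recovered_value") is not None:
        for field in ("identification_number", "description"):   # recovery data must be attributable
            if row.get(field) in (None, ""):
                errors.append(f"recovery information requires field '{field}'")
    unknown = set(row) - set(MANDATORY_FIELDS) - set(OPTIONAL_FIELDS)
    if unknown:
        errors.append(f"unexpected columns: {sorted(unknown)}")
    return errors


def gross_loss_by_cause(rows):
    """Sum the gross/initial loss (ALL) per level-1 cause over rows that pass validation.
    Recovered values are deliberately not netted off, as annex 4 requires."""
    totals = {}
    for row in rows:
        if validate_event(row):
            continue
        totals[row["cause_level_1"]] = totals.get(row["cause_level_1"], 0) + row["gross_loss_all"]
    return totals


def staff_turnover(dismissed, start_headcount, end_headcount):
    """Annex 2, indicator 7: Q = L / P * 100 with P = (P0 + P1) / 2."""
    average = (start_headcount + end_headcount) / 2
    if average == 0:
        raise ValueError("average headcount is zero")
    return dismissed / average * 100


def format_downtime(total_seconds):
    """Annex 2, indicator 8: unplanned core system downtime as hours:minutes:seconds."""
    hours, remainder = divmod(int(total_seconds), 3600)
    minutes, seconds = divmod(remainder, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


# Constructed sample register (identifiers, dates and amounts are illustrative).
SAMPLE_EVENTS = [
    {"identification_number": "EV-0001", "description": "Unplanned outage of the core system",
     "occurrence_date": date(2024, 8, 12), "booking_date": date(2024, 8, 30),
     "cause_level_1": "Systems", "cause_level_2": "Unavailability", "gross_loss_all": 150000},
    # Deliberately faulty: empty description, level-2 cause from another branch, negative loss.
    {"identification_number": "EV-0002", "description": "",
     "occurrence_date": date(2024, 9, 3), "booking_date": date(2024, 9, 5),
     "cause_level_1": "Systems", "cause_level_2": "Natural disaster", "gross_loss_all": -500},
    {"identification_number": "EV-0003", "description": "Cash shortfall attributed to employee misconduct",
     "occurrence_date": date(2024, 7, 22), "booking_date": date(2024, 7, 31),
     "cause_level_1": "People/employees", "cause_level_2": "Malice", "gross_loss_all": 20000,
     "recovery_date": date(2024, 9, 10), "recovered_value": 5000,
     "comments": "Part of the loss recovered from the employee"},
]

if __name__ == "__main__":
    for row in SAMPLE_EVENTS:
        print(row["identification_number"], validate_event(row) or "OK")
    print("gross loss by level-1 cause:", gross_loss_by_cause(SAMPLE_EVENTS))
    print("staff turnover:", round(staff_turnover(3, 40, 44), 2), "%")
    print("core system downtime:", format_downtime(3725))
```

Run as a script, the second sample row is rejected with three findings while the other two pass, and the per-cause totals keep the gross figure for EV-0003 at 20000 ALL even though 5000 ALL has been recovered, which mirrors the annex 4 rule that recoveries never reduce the gross/initial loss cell. The turnover call evaluates the annex 2 formula for 3 dismissals against a headcount moving from 40 to 44.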

[42] Annex no. 6 - Common methods and techniques for managing operational risk

Common methods and techniques for managing operational risk by the entity include mainly:

  1. Identification and reporting of operational risk events. Each employee, upon identifying an operational event, shall report it to the structure responsible for the entity's operational risk management, providing all necessary information.
  2. The operational risk events database. The structure responsible for managing operational risk maintains a database/register of all operational risk events of the entity. This database must contain at least the fields described in annex no. 3 of this regulation.
  3. Early warning indicators. These are performance indicators, risk indicators and/or control indicators used as mechanisms for monitoring changes in the entity's internal risk factors, external factors and control environment. The entity relies on the regulatory indicators of annex no. 1, as well as on internal indicators, if deemed necessary. The indicators are accompanied by appropriate monitoring limits and escalation measures, in order to mitigate risks.
  4. Mapping and self-assessment of risks and of the controls in place. This is an important tool for operational risk management that helps to better understand the risks to which the entity is exposed. This exercise usually includes these main steps:
     • Risk identification: identifying potential risks related to processes, people, systems and external factors.
     • Risk assessment: assessing the probability and impact of each risk to understand its materiality.
     • Control assessment: assessing the effectiveness of the existing controls in place to manage these risks.
     • Determining mitigating measures: if the residual risk is high, additional measures are determined to reduce that risk.

[42] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.

[43] Annex no. 7 - Examples of operational risk events

Event type (as per Level 1) / Event type (as per Level 2) / Examples:

  Internal fraud
    - Unauthorized actions: transactions not reported (intentional); abuse of duty, unauthorized activities; mismarking of position (intentional)
    - Internal theft and fraud: fraud/credit fraud/deposits fraud; theft/extortion/embezzlement/robbery; misappropriation of assets; malicious destruction of assets; forgery; check fraud; corruption; account takeover/impersonation/etc.; tax noncompliance/evasion; bribes/kickbacks or failure to comply with the rules in cases of benefits (gifts and invitations given and received); insider trading (not on firm’s account)
  External fraud
    - External theft and fraud: theft/robbery; forgery; check fraud
    - Systems security: hacking damage; theft and disclosure of confidential information
  Employment practices and workplace safety
    - Employee relations: issues related to work compensation, benefits and termination; organized labour activity
    - Safe environment: general liability/responsibility related to workplace safety; employee health and safety rules problems; workers’ compensation
    - Diversity and discrimination: all discrimination types
  Clients, products and business practices of the activities
    - Suitability, disclosure and fiduciary: fiduciary breaches, rules violations; issues related to suitability and disclosure of clients’ data, etc.; customer disclosure violations; breach of privacy; aggressive sales; account churning; misuse of confidential information; lender liability
    - Improper business or market practices: antitrust; improper trade/market practices; market manipulation; insider trading; unlicensed activity; money laundering
    - Product flaws: product defects; model errors
    - Selection, sponsorship and exposure: failure to investigate client per guidelines/regulations/lack of knowing the client; exceeding client exposure limits
    - Advisory activities: disputes over performance of advisory activities
  Damage to physical assets
    - Disasters and other events: natural disaster losses; human losses from external sources (terrorism, vandalism, etc.)
  Business disruption and system failures
    - Systems: hardware; software; telecommunications; utility outage/disruptions (energy, transport...)
  Execution, delivery, and process management
    - Transaction recognition, execution and maintenance: miscommunication; data entry, maintenance, or loading error; missed deadline or responsibility; model/system misoperation; accounting error; other task misperformance; delivery failure; collateral management failure; reference data maintenance
    - Monitoring and reporting: failure to comply with reporting requirements (financial or regulatory reporting); inaccurate external report (loss incurred)
    - Clients registration and documentation: client permissions/disclaimers missing; legal documents missing/incomplete
    - Clients account management: unapproved access given to accounts; incorrect client records; negligent loss or damage of client assets
    - Trade counterparties: nonclient counterparty misperformance; miscellaneous nonclient counterparty disputes
    - Vendors and suppliers: vendors and suppliers disputes

[43] Amended by Decision No. 52, dated 6.11.2024 of the Supervisory Council of the Bank of Albania.