Circular to Banks and Financial Institutions No. 2021-05 of August 19, 2021

---

Tunis, August 19, 2021 CIRCULAR TO BANKS AND FINANCIAL INSTITUTIONS No. 2021-05 Subject: Governance Framework for Banks and Financial Institutions. The Governor of the Central Bank of Tunisia, Having regard to Law No. 94-117 of November 14, 1994 on the reorganization of the financial market, as amended and supplemented by subsequent texts, Having regard to the Commercial Companies Code, as amended and supplemented by subsequent texts, Having regard to Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia, Having regard to Law No. 2016-48 of July 11, 2016 on banks and financial institutions, Having regard to Law No. 2018-35 of June 11, 2018 on corporate social responsibility, Having regard to Circular to Credit Institutions No. 2006-06 of July 24, 2006 on establishing a compliance control system within credit institutions, Having regard to Circular to Credit Institutions No. 2006-19 of November 28, 2006 on internal control, Having regard to Circular to Credit Institutions No. 2011-06 of May 20, 2011 on strengthening good governance rules in credit institutions, Having regard to Circular to Banks and Financial Institutions No. 2017-06 of July 31, 2017 on accounting, prudential and statistical reporting to the Central Bank of Tunisia, Having regard to Circular to Banks and Financial Institutions No. 2017-08 of September 19, 2017, as amended by Circular No. 2018-09 of October 18, 2018 on internal control rules for managing money laundering and terrorism financing risk, Having regard to Circular to Banks and Financial Institutions No. 2019-08 of October 14, 2019 on defining Islamic banking operations and setting the terms and conditions for their exercise, Having regard to Opinion No. 2021-05 of the Compliance Control Committee dated July 2, 2021, as provided for in Article 42 of Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia. Decides:

TITLE ONE: GENERAL PROVISIONS Article 1: The present circular defines the governance framework that banks and financial institutions are required to observe in order to:

• protect the interests of depositors, creditors, shareholders and staff,
• ensure sound, prudent and transparent management of the bank or financial institution, based on a solid risk and compliance culture, and
• ensure the integrity, honorability and loyalty of members of the governing body, executives and employees of the bank or financial institution.

Article 2: The present circular applies to banks and financial institutions as defined by Law No. 2016-48, excluding payment institutions. Hereinafter referred to as "the institutions". Excluded from the scope of this circular are branches of banks established in Tunisia before the promulgation of Law No. 2016-48 mentioned above and having their registered office abroad. However, these branches are required to submit an annual report to the Central Bank of Tunisia, inter alia, on the governance framework applied by the parent company to the branch as well as its risk and compliance management policy. This report must be approved by the parent company's governing body.

Article 3: For the purposes of this circular, the following terms are defined as follows: Risk Appetite: The overall level and type of risk that an institution is willing to assume to achieve its strategic objectives and business plan. Governance Framework: The set of rules governing the relationships between, on the one hand, the governance bodies (namely the governing body, the management body and committees) and, on the other hand, stakeholders. The governance framework defines in particular the powers and responsibilities of the various governance bodies as well as decision-making mechanisms within the institution. Committees: The audit, risk, and nomination and remuneration committees as referred to in Articles 49, 50 and 51 of Law No. 2016-48. Conflicts of Interest: The situation where the personal interests of a member of the governing body or management body, staff, or those with whom they have close family ties or financial and strategic interests, are not compatible with the institution's interests. Risk Culture: The set of norms, attitudes and behaviors of an institution regarding risk awareness as well as the taking and management of risks. Duty of Diligence: The obligation for any member of the governing body and management body to act, within the scope of their functions, in a reactive, responsible and prudent manner in the interest of the institution. Consolidating Entity: An institution licensed as a bank or financial institution and having one or more subsidiaries. Key Functions: Control functions and business lines. Control Functions: They include internal audit, risk management, and compliance control functions as referred to in Article 53 of Law No. 2016-48. Banking Group: The consolidating entity and all its subsidiaries. Family Ties: Includes the spouse, ascendants and descendants of the first degree. Duty of Loyalty: The obligation for any member of the governing body and management body to act solely in the interest of the institution. Governing Body: The Board of Directors or the Supervisory Board as defined by Law No. 2016-48. Management Body: The General Management composed of the General Manager and, where applicable, one or more Deputy General Managers or members of the executive board as defined by Law No. 2016-48. Stakeholders: They refer to all persons directly related to an institution's activities and who can influence or be influenced by the achievement of its objectives. Stakeholders include, in particular, shareholders, depositors, banking service users, creditors, public authorities, staff, executives and competitors. Compliance Risk: The risk of an institution being exposed to reputational risk, financial losses or sanctions due to non-compliance with applicable legal and regulatory provisions, standards and practices, its internal policy or code of ethics. Article 4: The governance framework of institutions must adhere to the following principles: The principle of proportionality: The governance framework must be adapted to the size of the institution, its systemic character as defined in Article 69 of Law No. 2016-48, its financial situation as defined in Articles 100, 101 and 102 of the same law, its risk profile as well as the nature and complexity of its activities and operations. This principle must be applied without prejudice to existing legal and regulatory provisions. The principle of balance of powers: The governance framework must enshrine the balance of powers through an appropriate system of powers and counter-powers, accountability and reporting. The principle of fair treatment of shareholders: It is particularly reflected by:

• the timely and regular receipt of relevant and significant information about the institution,
• participation and voting at general meetings,
• facilitating effective shareholder participation in major decisions regarding the institution's governance. The principle of transparency and information dissemination: The governance framework must ensure the timely dissemination of reliable and relevant information to all stakeholders on all subjects of significant importance to the institution, including its shareholding, financial situation, performance, governance, risk profile and compliance.

TITLE TWO: ON THE GOVERNING BODY CHAPTER ONE: RESPONSIBILITIES Section I: General Responsibilities Article 5: Without prejudice to the provisions of Article 48 of Law No. 2016-48, the governing body is responsible for:

• defining the institution's development strategy based on a formalized risk appetite policy,
• developing a governance framework aligned with the size, complexity and nature of the activity as well as the institution's risk profile and, where applicable, the banking group to which it belongs,
• defining and effectively applying a conflicts of interest management policy,
• monitoring the effective implementation by the management body of the institution's strategy,
• embedding a genuine risk culture in the institution's management and monitoring the effectiveness and independence of control functions,
• defining and effectively applying a compliance policy,
• defining a nomination and remuneration policy,
• defining and implementing an accountability and disclosure policy towards stakeholders,
• protecting the interests of depositors and banking service users and their personal data, and
• enshrining a genuine corporate culture valuing responsible and ethical behavior as well as respect for the principles of social and environmental responsibility.

Section II: Specific Responsibilities Article 6: The governing body adopts the institution's development strategy and intervention policies. To this end, it is called upon to:

• formally set growth and profitability objectives in line with the risk appetite policy and the preservation of the institution's financial soundness.
• regularly verify the relevance of these objectives, particularly regarding developments in banking and finance business lines as well as regulatory, economic and environmental changes. It must ensure that human, financial and technical resources are permanently aligned with the adopted strategy and intervention policies.

Article 7: The governing body, in consultation with the management body, establishes a risk appetite policy that:

• determines the overall and individual level by type of risk that the institution is willing to assume to achieve its business plan,
• defines exposure limits by type of risk,
• defines the capital and liquidity policy in line with the volume and nature of risk and in compliance with applicable legal and regulatory requirements. The risk appetite policy must be disseminated to all relevant services of the institution and must form part of the institution's risk culture. The governing body ensures the effective implementation and compliance with the risk appetite policy.

Article 8: The governing body adopts an institutional governance framework in compliance with applicable legal and regulatory provisions and the principles set out in the code of ethics referred to in Article 13 of this circular. This framework defines, in compliance with the institution's articles of association and prevailing legislation:

• the governance model,
• governance principles, policies and practices,
• governance bodies, their powers, compositions and operating rules,
• mechanisms to ensure the independence of control functions, and
• the relationships between the governing body, the management body and the institution's operational structures. The governing body ensures the effective implementation and compliance with this governance framework and regularly verifies its relevance. The governance framework must be formalized and recorded in a governance code approved by the governing body and duly signed by all its members.

Article 9: The governing body monitors the effectiveness of the management body's administration of the institution, relying inter alia on the work of control functions. It must, to this end, verify the consistency of the management body's intervention policy with the approved strategy and policies, including the risk policy. It defines, within this framework, quantitative and qualitative indicators for monitoring the institution's performance, particularly regarding solvency, liquidity, profitability, compliance and social and environmental responsibility.

Article 10: The governing body adopts a remuneration and nomination policy for its members, committees, the Islamic Banking Standards Compliance Control Committee, the management body, as well as the heads of key functions and the auditor for Islamic banking operations, in line with the institution's organization and performance. The remuneration policy adheres to the following elements:

• being consistent with the development strategy, the institution's financial soundness and its long-term interests,
• being designed to establish practices that curb excessive risk-taking incentives,
• clearly and formally establishing the remuneration regime and components according to objective criteria, and
• partially or fully revising variable remuneration when the institution records unfavorable financial performance or incurs losses, or in cases of conduct leading to significant losses for the institution or failure to meet its obligations. The governing body is required to submit a detailed report to the Central Bank of Tunisia outlining the remuneration practices of management body members and heads of key functions.

Article 11: The governing body appoints from among its peers the members of the committees referred to in Articles 49, 50 and 51 of Law No. 2016-48. It appoints:

• the heads of internal audit, risk and compliance control structures upon proposal by the management body, and
• the head of the Islamic banking operations audit structure in accordance with Article 58, first paragraph, of this circular. The governing body proposes to the institution's general assembly the members of the Islamic Banking Standards Compliance Control Committee.

Article 12: The institution's governing body ensures that all its members, management body members and heads of control functions avoid situations that could create conflicts of interest. It defines the policy on managing conflicts of interest, which must include inter alia:

• the typology of situations likely to generate conflicts of interest,
• the process for examination and approval by the governing body of any activity or transaction that one of its members or management body members intends to undertake and which could create conflicts of interest,
• the obligation for any governing body or management body member to report to the governing body any fact likely to induce a conflict of interest situation,
• the commitment of governing body members not to participate in debates on questions that may generate a conflict of interest situation vis-à-vis the institution and to abstain from voting on said questions,
• procedures governing transactions with related parties as defined in Article 43 of Law No. 2016-48, and
• the modalities by which the governing body handles cases of non-compliance with this policy.

Article 13: The governing body sets the principles and rules of professional conduct towards stakeholders. These rules are recorded in a code of ethics. To this end, the governing body implements documented policies regarding how these rules must be respected. These policies must include inter alia:

• principles of responsible professional behavior, including performing duties with integrity, loyalty, competence and due diligence while avoiding conflicts of interest,
• principles ensuring the listening to banking service users, their proper information and commercial conduct in their interest, and
• conduct rules ensuring the protection of personal data as well as respect for professional secrecy. Article 14: It is incumbent upon the governing body to:
• establish the basic principles of the compliance policy that the institution must respect in the exercise of its activities and supervise its implementation,
• ensure the management body establishes an effective and independent compliance control function,
• regularly monitor the activity of the compliance control body, ensure its proper functioning and adequacy of resources, and
• evaluate at least annually the management of compliance risk by the institution.

Article 15: The governing body ensures the establishment of a responsible finance culture. To this end, it works to integrate social and environmental responsibility principles into the institution's strategy. Actions undertaken regarding the institution's social and environmental responsibility are recorded in its annual report, which includes inter alia funded projects and their environmental and social impacts.

Article 16: The governing body establishes an alert mechanism policy and adequate procedures allowing employees to confidentially report questionable, illegal or unethical practices to the institution's compliance control function. The governing body ensures that employees reporting such practices are protected from detrimental treatment and verifies that the management body follows up on questions raised by the compliance control function. The governing body monitors the alert handling procedure and is required to be informed of alerts and their follow-up.

Article 17: The governing body conducts an annual self-assessment as well as an evaluation of its committees' work and each member's performance, taking corrective measures based on the prepared evaluations. This evaluation covers inter alia:

• the operating procedures of the governing body and its committees,
• the preparation and examination of important issues,
• the assessment of each member's qualifications, attendance and effective contribution to the work of the governing body and its committees, and
• the assessment of the structure, size and composition of the governing body and committees and their alignment with assigned powers and objectives. The governing body ensures that shareholders are informed, at the management report level, of the evaluation of the governing body's and its committees' actions and, where applicable, the follow-up given to this evaluation. This evaluation must be conducted in accordance with the methodology provided by Article 42, paragraph 4 of this circular.

CHAPTER TWO ON THE COMPOSITION AND OPERATION OF THE GOVERNING BODY Section I: Composition and Qualifications of Members Article 18: The composition of the governing body and the qualifications of its members must be adapted to the institution's development strategy, size, nature of activity and complexity of operations as well as its risk profile. The governing body must reflect a diversity of skills enabling it to effectively fulfill its responsibilities. The institution ensures the implementation of a policy aimed at establishing gender diversity within the governing body and communicates on this aspect in the public report provided for by Article 69 of this circular.

Article 19: The governing body must comprise at least two independent members and one member representing minority shareholders as defined by financial market regulations for institutions listed on the Tunisian Securities Exchange.

Article 20: Without prejudice to the provisions of Article 47 of Law No. 2016-48 and Article 237 of the Commercial Companies Code, a person is qualified as an independent member within the institution's governing body if they:

• do not hold, themselves, their spouse, ascendants and descendants of the first degree, a direct or indirect shareholding in the institution's capital,
• have not held an executive position or been a member of the governing body of this institution for at least 5 years prior to their appointment as an independent member,
• are not a member of the governing body or management body of an entity with links to the institution as defined in Article 43 of Law No. 2016- 48 for at least 5 years prior to their appointment,
• have not been employees of the institution for at least 3 years prior to their appointment as an independent member,
• do not act on behalf of a significant client, supplier or service provider of the institution,
• do not have service contracts concluded directly by themselves or through an intermediary with the institution or entities linked to it, as defined in Article 43 of Law No. 2016-48, and
• do not hold a partisan responsibility at the central, regional or local level. The governing body assesses the significance of the relationship with the institution based on criteria it sets. The criteria used for this assessment must be included in the notification file submitted to the Central Bank of Tunisia in accordance with Article 62 of this circular.