Recommendation R on Credit Exposure Classification, Estimation and Recognition of Expected Credit Losses, and Credit Risk Management

Financial Supervision Authority Recommendation R concerning the rules for the classification of credit exposures, estimation and recognition of expected credit losses, and credit risk management Warsaw, April 2021

2 I. Introduction Recommendation R was issued pursuant to Article 137(1)(5) of the Banking Law Act of 29 August 1997 (Journal of Laws of 2020, item 1896, as amended, hereinafter: the Banking Law Act) and Article 11(1) of the Act on Supervision of the Financial Market (Journal of Laws of 2020, item 2059). Recommendation R constitutes a set of rules and guidelines concerning the classification of credit exposures, estimation and recognition of expected credit losses in accordance with the accounting policy adopted and in force in the bank, as well as credit risk management. The rules and guidelines concerning the classification of credit exposures, estimation and recognition of expected credit losses, and credit risk management do not cover financial assets measured at fair value through profit or loss. The content of Recommendation R includes provisions resulting from the entry into force on 1 January 2018 of International Financial Reporting Standard (IFRS) 9 Financial Instruments (in accordance with Commission Regulation (EU) 2016/2067 of 22 November 2016). Banks should have comprehensive and proportionate risk management principles relative to the nature, scale, and complexity of their activities, including a clear organizational structure with clearly defined, transparent, and consistent scopes of responsibility, effective procedures for identifying credit risks to which banks are or may be exposed, managing such risks, reviewing and reporting on them, and appropriate control mechanisms, including internal controls, involving adequate administrative and accounting procedures and remuneration policies and practices in this regard. Recommendation R is addressed to domestic banks and branches of foreign banks within the meaning of the Banking Law Act, preparing consolidated or individual financial statements in accordance with International Accounting Standards/International Financial Reporting Standards. The guidelines contained in Recommendation R also apply to entities included in the bank's consolidated financial statements, whose primary activity generates credit risk, and to branches of domestic banks located outside Poland. Recommendation R takes into account the regulations contained in: a) Commission Regulation (EC) No 1126/2008 of 3 November 2008 adopting certain international accounting standards in accordance with Regulation (EC) No 1606/2002 of the European Parliament and of the Council (OJ L 320/1 of 29.11.2008) and Commission Regulation (EU) 2016/2067 of 22 November 2016 amending Regulation (EC) No 1126/2008 adopting certain international accounting standards in accordance with Regulation (EC) No 1606/2002 of the European Parliament and of the Council with regard to International Financial Reporting Standard 9 (OJ L 323/1 of 29.11.2016), particularly in Appendix A Definitions of terms (hereinafter: Appendix A to IFRS 9); b) Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, amending Regulation (EU) No 648/2012 (OJ L 176 of 27.6.2013, as amended, hereinafter: CRR Regulation);

c) Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of financial statements of public interest entities, repealing Commission Decision 2005/909/EC (OJ L 158/77 of 27.5.2014); d) Act of 11 May 2017 on auditors, audit firms, and public oversight (Journal of Laws of 2020, item 1415, hereinafter: "Act on Auditors"); e) EBA Guidelines on credit risk management practices in credit institutions and on the recognition of expected credit losses (EBA/GL/2017/06); f) EBA Guidelines on the application of the definition of default set out in Article 178 of Regulation (EU) No 575/2013 (EBA/GL/2016/07); g) EBA Guidelines on the management of non-performing exposures and restructured exposures (EBA/GL/2018/06). This document also refers to recommendations issued by the KNF: a) Recommendation D concerning the management of information technology areas and cybersecurity in banks; b) Recommendation H concerning the internal control system in banks; c) Recommendation S concerning good practices in the management of mortgage-secured credit exposures; d) Recommendation W concerning model risk management in banks.

3 II. Definitions and Abbreviations

1. POCI assets – purchased or originated credit-impaired financial assets, i.e., financial assets that are credit-impaired at initial recognition within the meaning of the definition contained in Appendix A to IFRS 9 and taking into account the rules specified in Recommendation 19;
2. macroeconomic factors – available economic data, including forecasts regarding the future, used by the bank in estimating credit risk and expected credit losses, including e.g.: a) Gross Domestic Product (GDP) growth – year-on-year; b) registered unemployment rate – at the end of the period or average over the period; c) NBP reference rate – at the end of the period; d) NBP Lombard rate – at the end of the period; e) inflation rate – at the end of the period or average over the period; f) average monthly gross remuneration in the national economy (real or nominal) – year-on-year growth; g) average employment in the national economy – year-on-year growth; h) exchange rates; i) total investment expenditure – year-on-year growth; j) individual consumption in the household sector – year-on-year growth; k) total retail sales of goods at constant prices; l) residential/commercial property price index – at the end of the period or average over the period; m) change in the volume of consumer credit in the banking market – year-on-year; n) stock price index;
3. reporting date – the last day of each month;
4. EBA – (English: European Banking Authority) European Banking Authority;
5. effective interest rate – effective interest rate within the meaning of the definition contained in Appendix A to IFRS 9;
6. credit exposure – a component of financial assets measured at amortized cost or at fair value through other comprehensive income (excluding equity instruments), a component of assets arising from a contract within the scope of IFRS 15, a lease receivable arising from a transaction within the scope of IFRS 16, or an off-balance sheet obligation;
7. individually significant credit exposure – an exposure meeting criteria specified by the bank consistent with the approach adopted in credit risk management in the bank, adapted to the nature of the activity conducted;
8. non-performing exposures – credit exposures referred to in Article 47a of the CRR Regulation;

4 9. restructured exposures – exposures to which restructuring actions referred to in Article 47b of the CRR Regulation have been applied; 10. Stage 1 – includes credit exposures without impairment, excluding POCI assets, for which the credit risk associated with the financial instrument has not increased significantly since initial recognition on the reporting date, taking into account the rules specified in Recommendation 16; 11. Stage 2 – includes credit exposures without impairment, excluding POCI assets, for which the credit risk associated with the financial instrument has increased significantly since initial recognition on the reporting date, taking into account the rules specified in Recommendation 17; 12. Stage 3 – includes credit exposures with impairment within the meaning of the definition contained in Appendix A to IFRS 9 and taking into account the rules specified in Recommendation 18, excluding POCI assets, in the case of the existence on the reporting date of evidence/grounds for impairment; 13. homogeneous portfolio – a portfolio/pool/group of credit exposures grouped based on common credit risk characteristics; 14. audit committee – the audit committee referred to in Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of financial statements of public interest entities, repealing Commission Decision 2005/909/EC and Chapter 8 of the Act on Auditors; 15. Watch List – a status assigned according to criteria defined by the bank to a client in whom a deterioration of the economic and financial situation has been observed, requiring enhanced monitoring of the client and the risk associated with their engagement in the bank; 16. business model or models – in accordance with IFRS 9, the model for managing financial assets in the bank, serving the realization of a specific business objective; 17. IFRS 9 models – models used in the bank consistent with the adopted definition of a model for risk management purposes and all components used to estimate expected credit loss in accordance with the IFRS 9 standard; 18. expected credit losses – expected credit losses within the meaning of the definition contained in Appendix A to IFRS 9; 19. 12-month expected credit losses – 12-month expected credit losses within the meaning of the definition contained in Appendix A to IFRS 9; 20. lifetime expected credit losses – lifetime expected credit losses of credit exposures within the meaning of the definition contained in Appendix A to IFRS 9; 21. allowance for expected credit losses – allowance for expected credit losses within the meaning of the definition contained in Appendix A to IFRS 9;

5 22. PD parameter – (English: Probability of Default) probability of default; 23. lifetime PD parameter (PD lifetime) – probability of default over the lifetime of the exposure (from the reporting date to the maturity date of the exposure); 24. relative threshold of change in the lifetime PD parameter – the ratio of the cumulative PD on the reporting date determined for the period from the reporting date to the maturity date to the cumulative PD at initial recognition determined for the period from the reporting date to the maturity date; 25. absolute threshold of change in the lifetime PD parameter – the difference between the cumulative PD on the reporting date determined for the period from the reporting date to the maturity date and the cumulative PD at initial recognition determined for the period from the reporting date to the maturity date; 26. 12-month PD parameter – probability of default within 12 months from the reporting date; 27. LGD parameter – (English: Loss Given Default) loss given default; 28. EAD parameter – (English: Exposure at Default) value of the exposure at the time of default; 29. restructuring – restructuring actions referred to in Article 47b of the CRR Regulation; 30. scenario – a variant estimate of expected credit losses, taking into account both the potential occurrence of a credit loss and the potential absence of its occurrence. In the case of individual valuation, the scenario should include at least 2 variants of credit loss estimates taking into account macroeconomic factors, even in the situation where a loss has been incurred. However, in the case of portfolio valuation, the estimate of expected credit losses should reflect the inclusion of at least 3 variants; 31. credit loss – credit loss within the meaning of the definition contained in Appendix A to IFRS 9; 32. validation – an assessment of the effectiveness of model operations performed by a bank unit not involved in the model building process and its use, usually in a more comprehensive manner than within monitoring, including e.g.: the appropriateness of the concept and assumptions of models to the process or decision-making mechanism in which the model is used, and the correctness of its construction and implementation from a substantive and formal perspective; 33. gross carrying amount – gross carrying amount of a component of financial assets within the meaning of the definition contained in Appendix A to IFRS 9 and taking into account the rules specified in Recommendation 23;

6 34. amortized cost of a component of financial assets or a financial liability – amortized cost of a component of financial assets or a financial liability within the meaning of the definition contained in Appendix A to IFRS 9; 35. off-balance sheet obligation – a conditional irrevocable commitment to provide financing arising from a loan agreement, a financial guarantee contract, a guarantee, and a letter of credit, excluding performance guarantees falling within the scope of IFRS 4; 36. gain or loss on impairment – gain or loss on impairment within the meaning of the definition contained in Appendix A to IFRS 9.

7 III. List of Recommendations

1. Management Board and Supervisory Board of the Bank Recommendation 1 The Management Board of the bank should develop and implement credit risk management principles, ensure that the provisions of Recommendation R are reflected in the accounting policy, and include them within the scope of the internal control system. Recommendation 2 The Management Board of the bank, within the bank's business strategy, should define the business model or models. Recommendation 3 The bank should have credit risk estimation principles developed by the Management Board and approved by the Supervisory Board of the bank. Recommendation 4 The Supervisory Board of the bank should supervise the effectiveness of credit risk management.
2. Estimation of Expected Credit Losses Recommendation 5 The bank is obliged to estimate expected credit losses on a monthly basis. Recommendation 6 The bank should implement internal regulations covering methods for estimating expected credit losses. Recommendation 7 The bank should ensure that the methods used for estimating expected credit losses reflect the way credit exposures are managed. Recommendation 8 The bank should implement internal regulations regarding the assessment of credit risk and the grouping of credit exposures based on common risk characteristics. Recommendation 9 The bank should have and apply internal regulations specifying the rules for the validation of IFRS 9 models.

8 Recommendation 10 When assessing risk in the process of estimating expected credit losses, the bank should take into account past experience in credit risk management and reasonable and supportable information regarding the future, including macroeconomic factors. Recommendation 11 The bank should use uniform processes, systems, tools, and data for measuring and assessing credit risk, estimating expected credit losses for accounting recognition purposes, and for calculating capital ratios. Recommendation 12 The bank's process of estimating expected credit losses should be subject to internal control. Recommendation 13 The Audit Committee should monitor the internal control system and the risk management system in the bank regarding the estimation of allowances for expected credit losses. 3. Classification of Credit Exposures Recommendation 14 The bank should have documentation regarding individual debtors, credit exposures, or groups of exposures. Recommendation 15 The bank should have rules for classifying credit exposures into specific stages of credit risk. Recommendation 16 The bank should classify credit exposures into Stage 1 and value them in accordance with IFRS 9 and according to the rules specified in Recommendation 15.1. Recommendation 17 The bank should classify credit exposures into Stage 2 and value them in accordance with IFRS 9 and according to the rules specified in Recommendation 15.1. Recommendation 18 The bank should classify credit exposures into Stage 3 and value them in accordance with IFRS 9 and according to the rules specified in Recommendation 15.1.

9 Recommendation 19 The bank should identify a category of POCI assets. Recommendation 20 The bank is obliged to apply criteria for identifying significant modifications leading to the derecognition of an existing component of financial assets. Recommendation 21 The bank is obliged to establish rules for the identification and classification of credit exposures with granted repayment concessions, i.e., restructured exposures. Recommendation 22 The bank is obliged to establish rules for the identification of non-performing exposures. 4. Valuation of Credit Exposures and Collateral and IFRS 9 Models Recommendation 23 The bank recognizes interest accrued from the credit exposure in accordance with IFRS 9 and these rules. Recommendation 24 In the process of valuing collateral affecting the amount of expected credit losses, the bank should make reasonable estimates based on reliable models and data subject to periodic controls and qualitative assessment. Recommendation 25 The bank makes estimates of IFRS 9 model parameters at the level of homogeneous portfolios. Recommendation 26 The bank makes an estimate of the unbiased values of IFRS 9 model parameters, taking into account information about past events, current conditions, and forecasts regarding future economic conditions. Recommendation 27 The bank conducts comprehensive analyses in the area of macroeconomic factors used for IFRS 9 models. Recommendation 28 The bank should apply a consistent definition of default.

10 Recommendation 29 The process of estimating expected credit losses should be integrated with the model risk management process and meet the requirements of Recommendation W. Recommendation 30 The bank validates IFRS 9 models. Recommendation 31 The bank conducts periodic monitoring of IFRS 9 models and takes adequate actions in the event of identifying irregularities in IFRS 9 models. Recommendation 32 In making the estimate of expected credit loss, the bank takes into account information about past events, current conditions, and macroeconomic factors. Recommendation 33 The bank should perform historical verification of the level of expected credit loss. Recommendation 34 The bank conducts regular historical verification of risk parameters used for determining the expected credit loss. Recommendation 35 The results of historical verification are subject to regular reporting within the management information system. 5. Disclosure of Information Recommendation 36 The bank should disclose information useful for external recipients (users) in a clear, consistent, and comprehensive manner so as to ensure comparability of information between banks.

11 IV. Recommendations

1. Management Board and Supervisory Board Recommendation 1 The Management Board of the bank should develop and implement credit risk management principles, ensure that the provisions of Recommendation R are reflected in the accounting policy, and include them within the scope of the internal control system. 1.1 Within the risk management system in the bank, a credit risk management system operates, taking into account the occurrence of credit risk resulting from the bank's activities and specifying the rules for managing this risk. 1.2 The Management Board of the bank ensures that the provisions of Recommendation R are reflected in the credit risk management principles, including in processes serving the identification, estimation/measurement, assessment, monitoring, reporting, and limitation of credit risk in accordance with the established and approved "risk appetite," understood as the bank's current and future willingness to take risks. 1.3 The Management Board of the bank ensures that the provisions of Recommendation R are reflected in the bank's accounting policy and in internal regulations regarding credit risk management. 1.4 The Management Board of the bank should develop and implement internal regulations specifying the role, responsibility, and subordination of individual organizational units of the bank regarding the correctness of the application of credit risk management principles, including those concerning the estimation of expected credit losses. 1.5 Credit risk management principles should be verified and updated by the Management Board at least once a year. After each change in IAS/IFRS or their interpretation by the International Accounting Standards Board, which may have an impact on the bank, the Management Board assesses the impact of this change on the bank's activities and, if necessary, updates internal regulations in the areas of credit risk management and accounting. 1.6 The Management Board of the bank is obliged, inter alia, to: a) develop and ensure the operation in the bank of processes serving the determination of allowances for expected credit losses in accordance with the accounting policy and internal regulations in the areas of credit risk management; b) develop and implement an effective internal control system to verify the results of the process of estimating allowances for expected credit losses; c) analyze the level of credit risk, including the estimated amount of allowances for expected credit losses, at least in quarterly cycles; d) submit quarterly reports to the Supervisory Board on the results of the implementation of credit risk assessment and measurement processes, including the amount of allowances for expected credit losses established, the impact of these allowances on the bank's financial result and capital ratios, and information on the degree of coverage of credit exposures by these allowances; e) develop, implement, and update appropriate procedures for informing about the credit risk assessment and measurement process all employees involved in its implementation.

12 Recommendation 2 The Management Board of the bank, within the bank's business strategy, should define the business model or models. 2.1 The bank should document the business model or models reflecting the way it manages financial assets. 2.2 The bank should review the adopted business model or models at least once a year. If, as a result of the review, the bank determines that it has a new business model or models for specific groups of components of financial assets, then newly acquired components of financial assets in these groups should be classified into this new model or new models. 2.3 In assessing its business model or models regarding the management of financial assets, the bank should take into account all evidence available on the assessment date. The classification of financial instruments should reflect the bank's business model or models, as well as provide useful information to users of financial statements, while maintaining data comparability through consistent rules for the classification of financial instruments. 2.4 The business model or models defined by the bank and assigned to specific business segments should reflect the actual operational activity related to the held financial assets. 2.5 A change in the business model or models should occur sporadically and in justified cases, in accordance with IFRS 9 and the EBA Guidelines on credit risk management practices in credit institutions and on the recognition of expected credit losses. Recommendation 3 The bank should have credit risk estimation principles developed by the Management Board of the bank and approved by the Supervisory Board of the bank. 3.1 The Management Board of the bank should develop internal regulations covering the principles of credit risk estimation, taking into account the scale, specificity, and complexity of the bank's activities, its organizational structure, and the credit portfolios held. 3.2 The bank's credit risk estimation principles

13