Regulation on Corporate Governance of Banks

Based on Article 35, paragraph 1, sub-paragraph 1.1 of the Law No. 03/L-209 on Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo No. 77 / 16 August 2010), and Part IV and Article 85 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (Official Gazette of the Republic of Kosovo No. 11 / 11 May 2012), the Board of the Central Bank, in the meeting held on 29 August 2019, approved the following: REGULATION ON CORPORATE GOVERNANCE OF BANKS Article 1 Purpose and scope

1. The purpose of this regulation is to harmonize the regulatory framework regarding the best practices of corporate governance of banks, as an important factor for maintaining the sustainability and stability of the banking sector as a whole. This Regulation establishes minimum requirements for bank shareholders, the Board of Directors and Senior Managers regarding their responsibilities in corporate governance.
2. This Regulation applies to all banks operating in the Republic of Kosovo, licensed by the CBK. Article 2 Definitions
3. All terms used in this regulation are as defined in Article 3 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (hereafter: the Law on Banks) and/or as defined herein for the purposes of this regulation: 1.1 Corporate governance – is a manner of managing bank’s business and activities by distributing powers and responsibilities between shareholders, boards of directors and senior management, which affects the way how they determine strategy and corporate objectives, select and supervise personnel, perform the activities of the bank on a daily basis, harmonize activities and corporate conduct code expecting that banks will operate in a safe and sound way and in compliance with applicable laws and regulations, and the manner how to set functions of control and protection of interests of depositors.

1.2 Compliance risk – is the risk of legal or regulative sanctions, material financial loss, or loss to reputation the Bank may suffer as a result of its failure to comply with laws, its own rules and regulations, code of conduct, and its own applicable standards of best practice (all together referred as the laws and regulations). Article 3 Conflicts with the laws and regulations under jurisdiction of their motherland Branches of foreign banks must notify the CBK if encounter conflicts between the implementation of these regulation and laws and regulations applicable under the jurisdiction of their motherland. Unless explicitly exempted from CBK by any regulation or other legal act, they are forced to implement the requirements specified in this regulation during their operation in Kosovo. Article 4 Corporate value and code of conduct

1. All banks operating in Kosovo must have in written the Declaration of Corporate Values and Code of Conduct, these documents shall be applicable to all parties who work for the bank, including members of the Board of Directors. Corporate culture provided in these documents, must be respected and applied to all parties, it shall be such that supports the objectives of the bank and provides appropriate rules and incentives for professional and ethical behaviour.
2. Statement of Corporate Values and Code of Conduct of the banks must comply with all the requirements and obligations under this regulation.
3. Members of the Board of Directors shall serve as an example in their leading role, which they consider as important and essential, under Statement of Corporate Values and Code of Conduct of the bank.
4. Code of Conduct of a bank shall include rules at least regarding the following matters: 4.1. Compliance with all laws and regulations applicable in Kosovo; 4.2. Handling of conflicts of interest; 4.3. External business interests, including investment activities and external employment of board members, management and staff; 4.4. Handling of confidential information; 4.5. Receipt of benefits, gifts and other favours;
5. The Statements of Corporate Values and Code of Conduct of the banks should be made available to customers of the bank upon request. Banks are encouraged to make these statements available to the public on an ongoing basis and publish them on their websites.

Article 5 Handling issues of concern Each bank should establish a clear communication process in written, through which employees may communicate to senior management or members of the Board of Directors, any legitimate concern they have about any illegal, unethical or suspicious practices and activities, even when the issue involves a member of the senior management of the bank. The process should be such as to create confidence to the employees to communicate such issues and be fully protected from any form of punishment. Article 6 Ownership of the bank

1. Good corporate governance requires that all shareholders of the banks operating in Kosovo be fit and proper. CBK under the legal framework has the authority to assess and ensure that all the main owners of a proposed bank meet this requirement.

2. The shareholders of the bank must have a strategic vision of the bank's ownership by their side and shall communicate it to the board, because without instructions from shareholders in this regard, the board and management of a bank will have difficulty in determining clear strategic direction for the bank and its management towards achieving these objectives.

3. Bank's shareholders must meet these requirements of ownership, in order to be continuously fit and proper. Under Article 37 of the Law on Banks, all key stakeholders must acquire a prior approval from the CBK, in order to ensure that any new shareholder also meets the criteria of being fit and proper. CBK examines the quality of the bank's ownership within the examination of a bank's corporate governance, in order to ensure maintenance of a high standard necessary for the bank’s owners in Kosovo.

4. Under Article 37, paragraph 4 of the Law on Banks, each bank must notify the CBK on any acquisition of shares within five (5) days after acquiring the amount of shares that equals or exceeds five per cent (5%) of bank’s capital but that does not exceed ten per cent (10%) thereof. The notification is made by providing the information required by the CBK. Article 7 Beneficial ownership

5. Pursuant to Article 7 of the Law on Banks, to be licensed by the CBK, the bank must provide a list of shareholders who hold or will hold five (5%) per cent or more of the shares, and beneficial owners of these shares, stating their names, address and relevant share possession.

6. If the CBK has reasons to doubt about the ultimate beneficial ownership of a considerable portion of shares of a bank operating in Kosovo, it will block those shares from being under management of the bank until the ultimate beneficiary ownership is established and meets the criteria of being proper and appropriate under the Banking Law. If the CBK has frequent or constant concerns about the ultimate beneficial ownership of a bank, it will take corrective action which may include, in exceptional cases, revoke of the license to the bank. Article 8 The general meeting of shareholders

7. Good corporate governance iniciates with a general meeting of shareholders. Article 24 of the Banking Law provides that general meetings of shareholders shall be held at least once a year. Extraordinary general meetings of shareholders may be held as needed under the conditions laid down in Article 24.4 of the Law on Banks.

8. Matters to be decided upon at the general meeting of shareholders are defined in Article 24.7 of the Law on Banks and among others include: 2.1. Building the initial paid in capital of the bank through issuance of shares or common share growth and issuance or increase of preferred shares; 2.2. Appointment of external auditor of the bank; 2.3. Approval of the annual financial report of the bank; 2.4. Distribution of profits and payment of dividends, or the way to cover losses if the bank has resulted in loss; 2.5. Appointing and dismissing members of the Board of Directors on an individual basis; 2.6. Allocation of allowances to members of the Board of Directors and external members of the board committees; Article 9 Responsibilities of the board of directors of a bank

9. The Board of a bank holds the main responsibility for the quality of the bank governance. The Board shall perform this duty with the objective to provide that the institution is managed in a way that preserves its safety and sustainability, by operating in a way that takes into account the interests of all stakeholders, by including shareholders, depositors and other relevant stakeholders.

10. The Board shall ensure that the institution complies with all laws and relevant regulations of Kosovo, as the Board is primarily responsible for all acts or omissions of the bank, including its compliance to legal and regulatory obligations.

11. The Board shall have sound and objective judgments, possessing appropriate qualifications and competences, being it individually and as a whole, shall follow good governance practices in view of their duties as a board and be supported by adequate management, professional and independent risk functions, compliance, audit and controls, which the board shall supervise effectively.

12. The Board is primarily responsible for the business strategy and financial stability of the bank, the main decisions related to personnel, internal organization as well as management structure and practices, and risk management and compliance. The Board may delegate some of its functions to committees of council, when such a thing is appropriate, but not the responsibilities.

13. The Board shall determine the organizational structure of the bank. This will enable the Board and senior management to meet their responsibilities and to facilitate effective decision-making and good governance. This includes a clear definition of the responsibilities and powers of the Board itself and key senior management, as well as those responsible for risk management functions and control functions.

14. The Board of Directors of a bank shall have the following specific responsibilities: 6.1. Elect the Chairman of the Board among the non-executive members of the Board; 6.2. Approve and supervise the implementation of the strategic objectives of the institution and review these strategic objectives from time to time to ensure that they remain consistent with the institution's operating environment; 6.3. Supervise the implementation of the bank governing framework and review it periodically so that it remains appropriate toward material changes it the bank size, it complexity, geographical distribution, business strategy, market and regulatory requirements. 6.4. Approves and oversees the institution's strategy for risk management, including risk tolerance limits of the institution, as well as oversight of their implementation; 6.5. Determine, together with the senior management and the chief risk officer (hereinafter: CRO), the willingness of the bank to take the risk (English: risk appetite), taking into account the regulatory framework and long-term interests of the bank, as well as risk exposure and the ability to manage risk effectively. 6.6. Define corporate values of the institution and ensure that the conduct of members of the board itself and all the officials of the institution is in compliance with these values;

6.7. Appoint and supervise competent senior managers to take responsibility for the daily management of the institution and ensure that they operate in accordance with strategic objectives, risk limits and the corporate values of the institution; 6.8. To determine the compensation package of senior management and to ensure that the incentives offered are in accordance with the objectives and values of the institution; 6.9. Draft and document the code of conduct to all management and staff of the institution and ensure that the same is applied in practice; 6.10. Review, approve and monitor annual business plans and budgets of the institution; 6: 6.11. Approve contract agreements and ensure that written agreements to the level of services shall determine the respective responsibilities of the parties prior to the agreement being in force and that they are in the best interest of the bank. This requirement applies to all contractual agreements with the bank’s related parties, including the parent banks; 6.12. Determine information to be obtained by the management in order to be able to fulfil their responsibilities effectively and analyse these reports carefully and in detail after being submitted to them; 6.13. Determine the information to be obtained from internal and external auditors of the institution and follow up and discussions of this reports when submitted to them; 6.14. Ensure transparency and professional cooperation with the CBK; 6.15. Call the general meeting of shareholders. 7. Within the general framework of corporate governance, the Board is responsible for approving and overseeing risk governance framework. Effective risk governance framework includes a strong culture on risk issues, willingness to risk well defined by policies of risk or written statements about readiness to risk as well as well-defined risk management responsibilities in particular and the functions of its controls in general. 8. The board should take an active role in determining the willingness to risk and in ensuring its alignment with strategic, capital and financial plans of the bank, as well as compensation practices. The willingness of the bank to risk should be clearly transmitted through risk policy or statement of readiness for risk, which can be easily understood by all relevant parties as the Board of Directors, senior management, employees of the bank and CBK. 9. The policy of the bank for risk willingness or readiness to risk/risk appetite statement must: 9.1 Include quantitative and qualitative elements; 9.2 Determine in advance the individual and combined level and types of risks that the bank is willing to assume, with the aim of fulfilling its business activities within its capacity of undertaking risks; 9.3 Determine the boundaries and business activities in accordance with which the bank is expected to operate in order to fulfil its business strategy;

10. Communicating effectively the risk willingness determined by the Board, to all the bank, relating it with daily operational decision-making and the set-up of effective tools and methods to raise risk issues and strategic concerns in the entire bank.
11. Individual Responsibilities of the Members of Board of Directors are: 11.1 Ensure that they work on the best interest of the bank as a whole and not only in the best interests of the main shareholder who has appointed them; 11.2 To have knowledge of the internal and external bank environment, including economic and financial developments in local, regional and international level, as well as statutory and regulatory changes that affect the bank; 11.3 To regularly attend Board meetings, be prepared before the meeting by reviewing the necessary relevant material, to participate actively in the deliberations of the Board and seek explanations for unknown or unclear materials; 11.4 To participate in reviews of the performance of the Board as a whole and performance of themselves; 11.5 Cooperating with CBK, and participate in all meetings called by the CBK; 11.6 Disclose all necessary information they possess by the legislation in force from the time they apply throughout the entire period of service as member of the Board; 11.7 Exert independent judgment and not allow themselves to be influenced unduly by one other director, management or external interests; 11.8 Avoid conflicts of interest. This includes disclosure of any personal business they have with the bank.
12. CBK has the authority under the Law on Banks to disqualify a person from the Board of the bank if the Board considers he/she does not meet these minimum requirements. Article 10 Appointment and supervision of the senior management of the bank
13. The Board of a bank operating in Kosovo must select and appoint the senior management of the institution and if necessary replace it. In the case of branches of foreign banks, this duty belongs to the Board of Directors of the parent bank.
14. In order to fulfil this role, the Board shall: 2.1. Determine the standards of being fit and proper in selection of all managers, not only to just those senior managers who need approval by the CBK; 2.2. Monitor the actions of senior managers and ensure that they are consistent with the approved strategies and risk limits of the institution; 2.3. Determine formal performance standard for senior managers. They must ensure that these performance standards are in line with long-term interests of the institution and not lead unintentionally to excessive risk taking in the short term;

2.4. Ensure that knowledge and expertise of senior managers remains at an appropriate level in the event of changes in the nature of business, changes in risk profile or operating environment; 2.5 Have adequate succession plan to ensure that loss of key or high level personnel does not adversely affect performance of the institution. Article 11 Conflicts of interest

1. The Board shall have an official formal written policy regarding conflicts of interest or have it specified in the statute of the bank, as well as an objective and rigorous process for the implementation of the policy. Board policy on conflicts of interest should at least include: 1.1. The position of director which shall avoid activities that could create a conflict of interest or present the impression of a conflict of interest; 1.2. Review or approval process that directors must apply before being involved in certain activities, such as service on another board in order to ensure that the operation will not create a conflict of interest or appearance of a conflict of interest; 1.3. The task of the Director to find all issues that could result in a conflict of interest; 1.4. The responsibility of the Director to abstain from voting on matters in which the member may have a conflict of interest or when the objectivity of a member to perform properly his duties towards the institution could be compromised; 1.5. The manner in which the Board will treat non-compliance with the policy on conflict of interest.
2. Application of the conflict of interest policy will be monitored by the CBK. All cases of non-compliance with this policy by the members of the Board should be reported to the CBK. If the CBK determines that the member does not meet the requirements of being fit and proper to be a member of the Board shall remove that member from the Board of the bank Article 12 Transactions with Related Persons
3. Banks should implement the following policies when handling transactions to related persons: 1.1. All banks must have a reliable control systems for identifying, measuring, monitoring and managing transactions with related persons, including all transactions with major shareholders or shareholders with a significant interest;
4. All transactions and business relationships with related persons shall be made in accordance with the Banking Law and Regulation on Transactions to Bank-Related Persons and Exposures to Bank Employees.

Article 13 Qualifications of the members of the Board of Directors

1. All members of the Board shall have appropriate experience, competencies and personal qualities. Requirements that CBK considers important are set out in Article 26 of the Law on Banks and CBK Regulations for Directors and Senior Managers of Banks. The regulation in question specifies that directors and senior managers of banks need to show integrity, judgment, leadership, competence and financial sustainability.
2. The Board as a group should ensure that the full spectrum of knowledge and experience needed to supervise the institution is within the Board as a whole. This means that board members should have education in different fields and different experiences;
3. The General Meeting of Shareholders must evaluate skills and experience that the Board possess among its members to structure that would be ideal for their bank. Significant gaps discovered should be used as an important foundation for future appointments to the Board;
4. Members of the Board shall be approved by the CBK under Section 34 of the Banking Law. CBK will consider the matters set out in this regulation and legislation to decide whether to approve an appointment or not. Article 14 Informing the members of the Board
5. All new members of the board, even if they have had considerable experience on the board in other institutions, should be informed at all times about the specifics of the bank that will supervise;
6. All board members should have access and be abreast of all relevant issues, including legal and regulatory requirements, related to the banking system in Kosovo;
7. Banks should have their own internal guidelines for members of the board of directors and share time, budget and other resources available for this purpose. Article 15 Structure of the Board of Directors
8. Article 26 of the Law on Banks has set minimum requirements for the structure of the Board. These minimum requirements are: 1.1. The Board is composed of an odd number of not less than five (5) members; 1.2. All members of the Board have the right to vote; 1.3. The majority of Board members must be independent and non-executive directors; 1.4. At least one member of the Board shall be permanent resident of Kosovo;

1.5. Chief Executive Officer serves on the Board ex officio and without the right to vote, as long as he or she holds the position of CEO. 2. For the purposes of this article and article 26 of the Banking Law, the directors will be considered independent if: 2.1. They are independent from the management and shareholders of the bank; and their judgment will be exercised only for the benefit of the bank; 2.2. There is no actual or perceived conflict of interest arising from their relationship with the bank and bank related parties; 2.3. They are not employed by the bank or bank’s related parties, except as a member of the Board or advisor to the Board in other group companies; 2.4. They are not employed as executive director of other companies where any of that company executives serving on the Board of the bank; 2.5. In the past six months they have not been connected or employed by the current external auditor of the bank; 2.6. CBK may also consider other facts and circumstances that they regard as relevant in deciding whether a director is independent or not. 3. An independent director must continuously meet these conditions of independency during all the time he is a member of the Board. If their circumstances change and no longer meet the criteria for being an independent director, they must immediately inform the CBK. They can remain on the Board, but will not be considered by the CBK as independent directors. In these circumstances, banks should ensure that they meet the legal requirements regarding the minimum number of independent directors on their Board. 4. An independent Director may hold shares in a bank directly in accordance with Article 5 of the Regulation of CBK for Directors and Senior Managers of Banks. 5. Any person nominated as an independent director, before his / her appointment of will have to provide to the CBK a statement that meets the requirements of this regulation regarding the independence and will act as an independent Director on the Board of the bank. This declaration form shall be signed by the proposed independent members of the Board, as determined by the CBK in Appendix 1 of this regulation. 6. The CBK in this regulation or in subsequent amendments to this regulation may impose more detailed requirements than the minimum requirements stipulated by the current legislation. 7. Composition of the Board should be adequate in order to be able to cope when a member or several members should leave the decision-making because of the potential conflict of interest.

8. The Board, at least on a two-year basis, should conduct a self-assessment and review its composition and determine the most effective composition associated with decisions and strategy.
9. The Board shall maintain proper records of discussions and decisions. These, upon request, must be made available to the CBK. Article 16 Establishment of Committees of the Board of Directors
10. The Law on Banks requires the Board of any licensed bank operating in Kosovo, except for branches of foreign banks, to establish the audit committee and risk management committee.
11. The Board of each bank may decide to establish additional committees.
12. The CBK may also request that all or some banks have additional Board committees.
13. The Board shall specify in statute or written instruction, the responsibilities, authority and accountability requirements for each committee the Board establishes.
14. Statute or instruction of the committee should distinct the issues on which the committee has the authority to act on behalf of the Board and those the committee may only review and make recommendations to the Board.
15. Minutes of each Committee meeting, will be delivered to the Board members as soon as possible.
16. Whenever the Board deems it necessary, it may use the services of independent consultants to assist certain committees.
17. Members of the management of the institution should not be members of the Board committee. However, if necessary, the management may be invited in meetings to contribute to the discussion.

Article 17 The Audit Committee

1. The Board of Directors shall establish the Audit Committee.
2. The Audit Committee shall have at least three members selected among non-executive directors and external experts.
3. The Chairman of the Audit Committee is a non-executive independent member of Board of Directors and is not the Chairman of the Board or any other committee.
4. At least one member of the Audit Committee, which is selected by the Board of Directors must be independent external expert in the field of accounting or audit with the aim of increasing the level of expertise of the Audit Committee.
5. The Audit Committee is responsible for supervising the financial reporting process of the institution, including its obligations for financial declarations and financial reporting to the CBK.
6. The Audit Committee should oversee the internal audit function, including the approval of audit plans and approval of engagement letters of external auditors.
7. The Committee shall monitor management responses to regulatory reports, audit reports and recommendations of the internal and external audit and provide appropriate and timely solutions on all the issues raised. Article 18 Risk Management Committee
8. Each bank, except branches of foreign banks, must establish the Risk Management Committee.
9. The Risk Management Committee is responsible for advising the Board on the institution’s overall current and future risk identification, policies and the strategy for risk management and overseeing senior management’s implementation of the risk strategy.
10. The Risk Management Committee should receive regular reporting and communication from the Chief Risk Officer (hereafter: CRO) or his equivalent and other relevant functions about the bank’s current risk profile, current state of the risk culture, utilization against the established risk and limits, limit breaches and mitigation plans.
11. Risk Management Committee shall:

4.1. Consist only of the members of the Board of Directors of the Bank; 4.2. Include members who have experience in risk management issues and practices; 4.3. Monitor all aspects of the bank's risk profile and recommend to the Board changes of the profile if the bank circumstances change or circumstances it is facing; 4.4. Oversee strategies for capital and liquidity management, as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk profile. 4.5. Hold meetings at least every three months, and more frequently if needed; 4.6. Monitor the effectiveness and independence of risk management functions within the bank. Article 19 Senior management responsibilities

1. Senior management is responsible for day-to-day activities of the bank.
2. Senior management should ensure the institution’s activities are carried out in a manner consistent with the institution’s business strategy, risk strategy and limits and other limits specified by the Board.
3. Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility.
4. The organization and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CRO.
5. Senior management is in particular responsible for: 5.1. Assist the Board in establishing and maintaining the culture and code of conduct; 5.2. Legality of bank operations; 5.3. Implement business strategies of the bank, risk management systems, risk culture, processes and controls for managing the risk;

5.4. Provide appropriate supervision for those who manages. The CBK does not consider the lack of information by the senior management as a defense when someone in the institution violates the laws, regulations or code of conduct; 5.5. Establishment of information management systems that will ensure that the required, timely and accurate information will be made available to the Board, regulators and other interested parties; 5.6. Advise the Board regarding the appropriate organizational structure of the bank; 5.7. Ensuring that the quantity and quality of personnel and other resources are adequate to perform all tasks of the institution; 5.8. Communicating the strategic direction, risk tolerance and reporting lines across the institution as well as the description and documentation of clear responsibilities for each staff member. Article 20 Senior Managers qualifications

1. All senior managers of banks licensed to operate in Kosovo should have the necessary experience, competencies and integrity. Requirements the CBK considers as important are specified in Articles 31 and 35 of the Law on Banks and the CBK Regulations on Directors and Senior Managers of Banks.
2. Appointment of Chief Executive Officer and Deputy Chief Executive Officer in Kosovo banks must be approved by the CBK. The CBK will consider the criteria prescribed in the Law on Banks and the Regulation on Directors and Senior Managers of Banks to decide to whether or not approve the appointment. Article 21 Corporate governance in the branches of foreign banks operating in Kosovo
3. When a bank is licensed by the CBK to operate as a branch of a foreign bank in Kosovo, these requirements apply: 1.1. Branch will not be required to establish the Board in Kosovo; 1.2. The branch senior management appointments require the prior approval of the CBK; 1.3. Senior management is expected to ensure that the policies and rules of the group are adapted to the Kosovo environment; 1.4. Senior management should ensure full compliance with Kosovo laws, regulations, guidelines and any other provision in the applicable law. Any dispute between the requirements of Kosovo and the requirements of the home country should be reported to the CBK. The branch may ignore the Kosovo requirement only in case of a specific exemption from CBK to do so;

1.5. The branch should provide the CBK with information concerning its operations and operations of its parent institution as required by the CBK, so that the CBK is satisfied with the operations of the branch that is subject to adequate oversight by parent bank and home country supervisors. 2. If the CBK concludes that the operations branch operations regarded as systemically important to the Kosovo financial system, due to their size or any other feature, the CBK has the right under Article 12 of the Law on Banks to require the bank in Kosovo to transform itself from branch to a subsidiary. 3. In preventing and managing of systemic risk as a result of operations of the foreign bank branch, at least one of the following restrictions will be implemented: 3.1. The average value of its assets during two (2) consecutive quarters exceeding ten (10%) percent of the total assets of the banking system; 3.2. The average value of its deposits during two (2) consecutive quarters exceeding ten (10%) percent of total deposits of the banking system; 4. If the foreign bank branch reaches limitations under paragraph 3 of this Article, the CBK must notify the branch of a foreign bank that it will be subject to regulatory and supervisory framework applicable to subsidiaries and on the period during which it must meet all the regulatory requirements applicable to the subsidiaries. 5. Branches of foreign banks are required to provide the CBK with detailed plans for their potential transforming into a subsidiary at the time when they reach nine (9%) percent of assets or deposits of the banking system. Article 22 Compensation

1. This Regulation establishes the obligation for banks with respect to their compensation systems: 1.1. The Board should ensure that they fully understand how the compensation and incentive systems of the bank will operate under all circumstances and to be sure that they are compatible with the interests of the bank and their risk tolerance; 1.2. The board should regularly monitor the functioning of the bank compensation systems to ensure that they are operating properly and does not encourage excessive risk-taking by the bank; 1.3. Results of compensation should be symmetric with risk outcomes of the bank to ensure the match of staff members’ interests with those of the bank. Also, they should have payment terms that are consistent with periods of risks the bank faces to avoid staff reward ahead of time; 1.4. Compensation packages of directors, senior management and staff that may affect the risk profile of the bank should not all be based on the same parameters as this

increases the risk that no one will perceive the package from the standpoint of the bank interests. 1.5. The CBK reserves the right to assess and, if necessary, to require changes to compensation systems in banks if it believes they are of systemic importance to the financial system in Kosovo, when it considers that the existing system of compensation could encourage excessive risk-taking by the bank; 1.6. Board performance in the implementation of this article will be an important element of overall performance evaluation of the Board during the examination of the bank by the CBK. Article 23 Risk management function

1. Banks should have an effective independent function of risk management under the direction of a Chief Risk Officer (CRO) or an equivalent officer, who should have the reputation, independence, resources and access to the Board.
2. The risk management function is responsible for overseeing the risk taking throughout the bank's activities and must have the authority within the bank to perform this task. Key activities of the risk management function should include: 2.1. Identifying material individual, aggregate and emerging risks; 2.2. Risks assessing and measuring the bank's exposure to them; 2.3. Subject to review and approval by the Board, developing and implementing bank’s risk governance framework, including the bank's risk culture, risk tolerance and risk limits; 2.4. Continuously monitoring the risk-taking activities and risk exposures in line with the bank's risk appetite approved by the Board, monitoring the risk limits and corresponding capital or liquidity needs; 2.5. Establishing an early warning system to monitor possible violations or risk tolerance or defined risk limits; 2.6. Influencing or challenging, when needed, the decisions that increase the bank's exposure to material risk; 2.7. Reporting to the Board of Directors, the Risk Management Committee and/or Senior Management on all these activities, including but not limited to proposing appropriate risk-mitigating actions.
3. The risk management function should be sufficiently independent of the business units and should not be involved in revenue generation. This function should have access to all business lines that are capable of generating material risks to the bank and its affiliates regarding this issue.
4. The risk management function should have a sufficient number of personnel who

possess the requisite experience and qualifications, including market and bank’s product knowledge as well as command of risk disciplines. Article 24 Chief Risk Officer

1. Banks should have a senior manager (the Chief Risk Officer [CRO] or equivalent) with overall responsibility for the bank’s risk management function.
2. The CRO has primary responsibility for overseeing the development and implementation of the bank’s risk management function.
3. The CRO is responsible for supporting the Board in its engagement for overseeing the development of statement or policy on the bank's risk appetite and determining risk limits set in accordance with the statement/policy on risk appetite. The CRO, along with Senior Management, should be constantly engaged in monitoring performance related to risk-taking and adhering to risk limits. The CRO's responsibilities also include managing and participating in the key decision-making processes (such as strategic planning, capital and liquidity planning, new services and products, compensation issues).
4. The CRO should have the organizational mandate, authority and the necessary competence to oversee the bank’s risk management activities. The CRO should be independent and have tasks which are distinct from other executive functions. However, the CRO shall have no managerial or financial responsibility with respect to any business lines or revenue generation function
5. While official reporting lines may vary between banks, the CRO should report and have direct access to the Board or its Risk Management Committee without impediment. Article 25 Compliance Function
6. The Board of Directors of a bank is responsible for ensuring that the bank is in compliance with all relevant laws and regulations.
7. To fulfil its responsibility, the Board shall ensure that the compliance function operates on a proactive basis, identify, document and assess the compliance risks associated with the bank’s business activities, including the development of new products and shall monitor potential risks from the disregard of laws and regulations in force by banks.
8. The Board of Directors is responsible to ensure that a written policy is in place for the establishment of efficient compliance function and that is established the system that will ensure its effective implementation. Policy of compliance function must be in accordance with the risk management strategy of the bank.
9. The Board of Directors shall ensure that the compliance function has the necessary authority and influence to carry out its function and is equipped with sufficient human and financial resources for effective identification of compliance risk. The Board of

Directors is obliged to supervise the risk management of the bank's non-compliance with laws and regulations. 5. Senior management will adopt procedures needed to implement adequate and effective policy compliance function. 6. The Board of Directors and senior management are responsible for ensuring the necessary structure for the creation of an independent compliance function, as follows: 6.1. Establishment of a formal status within the bank's compliance function; 6.2. Appointment of a person or the assignment of a special unit or any other organizational structure for implementation of the compliance function; 6.3. To ensure that the compliance function is placed in a position that will not cause a conflict of interest by including other duties and responsibilities; 6.4. To obtain access to necessary information on the person, entity, department, i.e. employees responsible for performing compliance function in order to enable them to carry out their functions efficiently and effectively; 6.5. Creation of a mechanism for continuous cooperation between the individual, unit or department responsible for performing compliance function and individuals responsible for risk management, financial control and legal issues; 6.6. A person assigned to the compliance function or the head of the unit or any other organizational structure in place for compliance function should inform and advise the senior management and report to the Board of Directors, which will also decide on his/her compensation; 6.7. Dismissal or resignation of the person assigned to the compliance function or the leader of the unit or other organizational structures, and the grounds for it shall be communicated to the CBK within seven working days after the dismissal or resignation. 7. The person, entity, department, i.e. the employees in the department responsible for performing compliance function should be sufficient in number and adequate to ensure that compliance risk within the bank is managed effectively. Also, banks may establish special units for specialized fields such as data protection, consumer protection, prevention of money laundering and terrorist financing. However, the compliance function will mainly perform the following duties related to compliance risk identification and monitoring: 7.1. Follow and comply with the regulations pertaining to the bank operations; 7.2. Identify and monitor the risk of non-compliance of the bank operations with the regulations; 7.3. Monitor and test the compliance function and report to the Board of Directors for the determined non-compliance and corrective measures taken; 7.4. Advise the Senior Management members and the Board of Directors constantly and efficiently on the implementation of the regulation; 7.5. Informing and advising senior management and reporting directly to the Board of Directors or a committee of the Board of Directors appointed for compliance in accordance with the policy of the compliance function;

7.6. Assess the potential influence of the regulations and amendments in the bank operations and the environment the bank operates in; 7.7. Assess new products and business processes in the bank in line with the laws and regulations in force; 7.8. Provide training and information of the staff on the manners the relevant laws and by￾laws can be implemented in their everyday operations; 7.9. Cooperation with regulative institutions; 7.10. Document its operations and submit regular reports to the senior management of the bank, in accordance with compliance function policy; 8. The scope and activities of the compliance function should be subject to periodic review by the internal audit function. Article 26 Enforcement, Remedial Measures and Civil Penalties Any violation of the provisions of this Regulation shall be subject to corrective and punitive measures, as defined in the Law on the Central Bank and the Law on Banks. Article 27 Appendix The declaration form for independent members of the Board of Directors is specified in the appendix to this regulation. Article 28 Abrogation Upon the entry into force of this Regulation, the Regulation on Corporate Governance of Banks, adopted on 29 December 2016, shall be abrogated. Article 29 Entry into force This Regulation shall enter into force fifteen (15) days after its adoption. Flamur Mrasori Chairman of the Board of the Central Bank of the Republic of Kosovo

Appendix STATEMENT OF THE INDEPENDENT BOARD MEMBER I hereby declare that I meet the following legal requirements of the Central Bank of the Republic of Kosovo for Independent Member of the Board of Directors:  I have neither direct nor indirect relationship interest with the bank in terms of employment, except of my employment as a member of the Board, or the position of advisor to the Board of another company within the group;  Neither I nor my spouse or any relative by blood to the second degree has the capital or trade or commercial relations with the bank, its affiliates, subsidiaries or any other company of the group, currently or during the past year.  I have not been previously selected in the Bank's Board of Directors as a representative of any particular group of shareholders.  I have not been employed in any company which has provided audit and consultancy services for the Bank during the past six months.  I was not previously employed by a firm that provides the bank with significant amounts of products and services and I had no leading position in any such company during the past six months.  Neither I nor my spouse or any relative by blood to the second degree has any managerial position in the bank and is not shareholder holding more than 5% of the total capital of any bank.  I am not employed in the executive position of another company where any of the company executives serves in the Board of the bank;  I have not received and will not receive any other compensation from the bank in addition to compensation as the Board Member / Advisor and benefits mentioned in the articles of Association Foundation Act;  I have no shares in any bank that exceeds 1% of the bank’s capital and I do not have nor will have preferential shares;  My judgment will be exercised for the sole benefit of the bank and there is no perceived or actual conflict of interest arising from my relationships with the bank and with bank-related parties that will impede me in acting as an independent director. Signature: Institution: Statement to be attached to the application form required by the Central Bank of the Republic of Kosovo