XYZ Bank Product Governance Policy

1. Purpose

This Policy sets out the framework by which XYZ Bank (“the Bank”) governs the design, approval, launch, monitoring, amendment and withdrawal of products and services.

The purpose of this Policy is to ensure that: products and services are aligned with the Bank’s strategy, values and risk appetite; customer needs and outcomes are appropriately considered throughout the product lifecycle; products are subject to effective governance, oversight and challenge; material product-related risks are identified, assessed and managed appropriately; the Bank meets applicable legal and regulatory obligations; and accountability for product decisions is clear and appropriately documented.

This Policy is intended to support consistent and proportionate governance across the Bank’s retail banking activities.

2. Scope

This Policy applies to: all retail banking products and services offered by the Bank; all material amendments to existing products and services; all customer distribution channels; all material product-related outsourcing arrangements; and all material digital functionality impacting customer outcomes.

Products and services within scope include, but are not limited to: current accounts; savings products; fixed-term deposits; residential mortgages; unsecured lending products; payment-related services; digital banking functionality; and ancillary customer services.

This Policy applies to all employees, contractors and business areas involved in the development, approval, implementation, management or oversight of products and services.

3. Regulatory Context

This Policy supports the Bank’s compliance with applicable legal and regulatory obligations, including: the FCA Principles for Businesses; the Consumer Duty; PROD requirements where applicable; SMCR obligations; operational resilience requirements; financial crime obligations; data protection and privacy requirements; and applicable PRA expectations relating to governance and risk management.

This Policy should be read alongside the Bank’s: Risk Management Framework; Conduct Risk Framework; Operational Risk Framework; Outsourcing Policy; Consumer Duty Framework; and Records Management Policy.

4. Governance Principles

The Bank will apply the following principles to product governance activities:

4.1 Customer Focus

Products and services should be designed to meet the needs of identified customer groups and support fair customer outcomes. The Bank will seek to identify and mitigate foreseeable harm throughout the product lifecycle.

4.2 Proportionate Governance

The level of governance, review and challenge applied should be proportionate to: the complexity of the product; the nature of the target market; the level of customer risk; operational complexity; and potential regulatory or reputational impact.

4.3 Clear Accountability

All product initiatives must have clearly identified ownership and accountability. Responsibilities for product design, risk assessment, approval and monitoring must be clearly documented.

4.4 Effective Challenge

Product proposals should be subject to constructive challenge from relevant business and control functions. Material concerns should be addressed prior to approval or escalated through appropriate governance channels.

4.5 Ongoing Oversight

Product governance does not end at launch. Products and services must be subject to ongoing monitoring and periodic review to assess whether they continue to operate as intended and deliver appropriate customer outcomes.

5. Governance Structure

5.1 Product Sponsor

Each new product initiative or material product change must have a designated Product Sponsor. The Product Sponsor is responsible for: coordinating product development activities; ensuring required assessments are completed; preparing governance papers; coordinating stakeholder input; ensuring appropriate approvals are obtained; and overseeing implementation activities.

5.2 Product Governance Committee (“PGC”)

The Product Governance Committee is responsible for: reviewing new products and material changes; challenging product proposals; assessing alignment with strategy and risk appetite; reviewing customer and conduct considerations; reviewing material risks; approving products within delegated authority; and escalating matters where appropriate.

The PGC will include representatives from: Product; Risk; Compliance; Legal; Operations; Finance; Technology; and Customer/Conduct functions.

The PGC may impose conditions on approvals where appropriate.

5.3 Executive Committee

The Executive Committee will review and approve: products outside existing business lines; products involving heightened reputational, conduct or operational risk; strategically significant products; products requiring material investment; and proposals outside established risk appetite.

5.4 Board Oversight

The Board retains overall responsibility for oversight of the Bank’s product governance framework. The Board will receive periodic reporting on: product governance activities; material product risks; customer outcomes; significant product incidents; and emerging conduct or regulatory concerns.

6. Product Lifecycle Framework

6.1 Stage 1 – Concept and Initial Assessment

All proposed products and material product changes must undergo an initial assessment prior to detailed development work commencing.
The initial assessment should consider: customer need; target market; strategic rationale; expected customer outcomes; conduct considerations; key product risks; operational feasibility; technology dependencies; regulatory considerations; financial crime considerations; and reputational implications.

The outcome of this stage may include: approval to proceed to development; a requirement for redesign or additional analysis; or rejection of the proposal.

Typical outputs include: concept paper; preliminary target market assessment; and initial risk assessment.

6.2 Stage 2 – Design and Development

Products and services must be developed with appropriate involvement from relevant business and control functions. The level of analysis and documentation should be proportionate to the nature, scale and complexity of the proposal.

Development activities may include: customer journey mapping; target market assessment; fair value assessment; operational readiness assessment; stress testing and scenario analysis; vulnerability assessment; financial crime assessment; legal and regulatory review; review of customer communications; data protection assessment; and technology and cyber risk assessment.

Consideration should be given to: customer understanding; product complexity; operational capability; monitoring capability; customer support arrangements; and foreseeable customer harm.

Where third parties are involved in product delivery or servicing, appropriate due diligence and oversight arrangements must be established.

6.3 Stage 3 – Approval

Products and material changes must receive formal approval prior to launch or implementation.

Approval papers should include, where appropriate: product description; strategic rationale; target market; pricing rationale; fair value assessment; customer outcome considerations; risk assessment; operational readiness assessment; legal and compliance input; implementation approach; and proposed monitoring arrangements.
Approvals may be subject to conditions, including: enhanced monitoring; phased implementation; customer volume limitations; additional controls; or post-launch review requirements.

Material concerns raised during the approval process should be resolved or formally escalated prior to approval.

6.4 Stage 4 – Launch and Implementation

Prior to launch, the Product Sponsor must confirm that: required approvals have been obtained; implementation activities have been completed; operational processes are in place; relevant staff training has been completed; customer communications have been approved; monitoring arrangements are operational; and material risks have been addressed appropriately.

Higher-risk products may be subject to enhanced post-launch monitoring arrangements.

6.5 Stage 5 – Ongoing Monitoring and Review

Business areas are responsible for ongoing monitoring of product performance and customer outcomes.

Monitoring should include consideration of: complaints; customer feedback; customer behaviour and outcomes; arrears and default trends; operational incidents; fraud and financial crime indicators; customer understanding; vulnerable customer impacts; conduct indicators; distribution performance; profitability and value metrics; and regulatory developments.

Products should be subject to periodic review at a frequency proportionate to risk. Material concerns identified through monitoring activities must be escalated to the PGC and relevant control functions.

6.6 Stage 6 – Material Product Changes

Material changes to products or services must undergo appropriate governance and review before implementation.

Examples of material changes may include: pricing changes; changes to eligibility criteria; changes to customer terms and conditions; significant digital functionality changes; changes to distribution arrangements; outsourcing changes; changes to customer risk exposure; or significant operational process changes.
The PGC will determine the level of governance required based on the nature and materiality of the change.

6.7 Stage 7 – Product Withdrawal and Closure

Where products are withdrawn or closed, the Bank must ensure fair treatment of customers throughout the process.

Withdrawal planning should consider: customer communications; customer transition arrangements; operational impacts; complaint handling; treatment of vulnerable customers; regulatory obligations; data retention requirements; and reputational considerations.

Material product withdrawals should be reviewed through appropriate governance forums.

7. Risk Management

Material product-related risks must be identified, assessed and managed throughout the product lifecycle.

Relevant risks may include: conduct risk; operational risk; credit risk; financial crime risk; legal and regulatory risk; reputational risk; cyber and technology risk; third-party risk; and data protection risk.

Products outside the Bank’s approved risk appetite should not proceed without Executive Committee approval.

8. Consumer Duty and Customer Outcomes

The Bank will seek to ensure that: products are designed to meet the needs of identified target markets; customers receive fair value; customer communications support customer understanding; foreseeable harm is identified and mitigated; vulnerable customers are appropriately considered; and customer outcomes are monitored on an ongoing basis.

Customer outcome considerations should form part of all significant product decisions and reviews.

9. Documentation and Record Keeping

Appropriate records must be maintained in relation to: product proposals; approvals and decisions; committee papers and minutes; risk assessments; challenge and actions; conditions attached to approvals; implementation activities; monitoring activities; and periodic reviews.

Records must be retained in accordance with the Bank’s Records Management Policy.

10. Roles and Responsibilities

First Line Business Areas

Business areas are responsible for: identifying customer needs; developing products and services; managing product risks; monitoring customer outcomes; and ensuring compliance with this Policy.

Risk and Compliance Functions

Risk and Compliance functions are responsible for: providing independent review and challenge; advising on regulatory and risk considerations; supporting governance processes; and escalating material concerns where appropriate.

Internal Audit

Internal Audit is responsible for providing independent assurance regarding the effectiveness of the Bank’s product governance framework and associated controls.

11. Breaches and Escalation

Material breaches of this Policy must be escalated promptly to: the Chair of the PGC; Compliance; Risk; and the relevant Senior Manager.

Appropriate remediation actions must be identified, tracked and completed. Material breaches may be reported to the Executive Committee or Board Risk Committee where appropriate.

12. Training and Awareness

Relevant employees involved in product development, approval, implementation or oversight must receive appropriate training on: this Policy; conduct and customer outcome considerations; and relevant regulatory obligations.

Training requirements should be proportionate to role and responsibility.

13. Policy Ownership and Review

This Policy is owned by the Chief Risk Officer.

The Policy will be reviewed at least annually or earlier where required due to: material regulatory developments; significant control issues; changes to the Bank’s operating model; or material changes to the Bank’s product portfolio.

Material amendments to this Policy require approval by the Board Risk Committee.