XYZ Bank New Product Approval Procedure 1. Purpose This Procedure sets out the process by which XYZ Bank (“the Bank”) assesses, reviews, approves, implements and monitors new products and material changes to existing products. The purpose of this Procedure is to: support consistent and proportionate product governance; ensure that material risks are appropriately identified and assessed; support compliance with regulatory obligations, including Consumer Duty requirements; ensure appropriate governance, oversight and challenge; support effective decision-making; and establish minimum documentation and approval requirements. This Procedure should be read alongside the: Product Governance Policy; Consumer Duty Policy; Risk Appetite Statement; and Conduct Risk Framework. 2. Scope This Procedure applies to: new retail banking products and services; material changes to existing products or services; significant pricing changes; material changes to customer terms and conditions; new distribution channels; material digital functionality changes; significant outsourcing arrangements affecting products or services; and material changes affecting customer outcomes or operational risk. The Procedure applies across all business areas involved in product development, approval, implementation or oversight. 3. Governance Principles The Bank will apply the following principles throughout the product approval process: governance should be proportionate to product complexity and risk; customer outcomes should be considered throughout the product lifecycle; material risks should be identified and escalated appropriately; challenge from control functions should form part of decision-making; approvals should be supported by appropriate evidence and documentation; and product governance should continue after launch through ongoing monitoring and review. 4. Roles and Responsibilities 4.1 Product Sponsor Each proposal must have a designated Product Sponsor. The Product Sponsor is responsible for: coordinating development activities; ensuring required documentation is completed; coordinating stakeholder engagement; presenting proposals to governance forums; ensuring actions and conditions are addressed; and overseeing implementation activities. The Product Sponsor retains accountability for the proposal throughout the approval process. 4.2 Business Areas Relevant business areas are responsible for: developing product proposals; identifying customer needs; supporting risk assessments; implementing approved actions; and monitoring product performance and customer outcomes after launch. 4.3 Risk and Compliance Functions Risk and Compliance functions are responsible for: providing review and challenge; identifying material risks and regulatory considerations; supporting escalation where appropriate; and reviewing alignment with applicable policies and frameworks. Control function review does not remove first-line accountability for product risks or implementation. 4.4 Product Governance Committee (“PGC”) The PGC is responsible for: reviewing new products and material changes; considering customer outcome implications; reviewing material risks and governance concerns; approving proposals within delegated authority; and escalating proposals where appropriate. 4.5 Executive Committee (“ExCo”) ExCo is responsible for: reviewing strategically significant proposals; considering material operational, reputational or conduct risks; reviewing proposals outside existing business activities; and recommending proposals to the Board where required. 4.6 Board Board approval is required for: strategically significant products; proposals outside approved risk appetite; materially new business activities; products with significant reputational implications; or proposals otherwise escalated by ExCo. 5. Product Classification and Materiality The level of governance and review applied will be proportionate to the nature, scale and complexity of the proposal. Factors considered in determining materiality may include: customer risk; product complexity; target market characteristics; conduct risk; financial exposure; operational complexity; regulatory implications; technology dependencies; outsourcing arrangements; and reputational considerations. Higher-risk or more complex proposals may require: enhanced documentation; additional challenge; external review; enhanced monitoring; or Board approval. The PGC may determine that simplified governance is appropriate for lower-risk or non-material changes. 6. Approval Process 6.1 Stage 1 – Initial Proposal All proposals must undergo an initial assessment prior to development activities commencing. The initial proposal should include: product overview; strategic rationale; target market; high-level customer proposition; expected customer benefits; preliminary risk considerations; conduct and Consumer Duty considerations; and implementation assumptions. The outcome of this stage may include: approval to proceed; request for additional analysis; redesign; or rejection. 6.2 Stage 2 – Development and Assessment Following initial approval to proceed, the Product Sponsor must coordinate detailed assessment activities. Assessments may include: risk assessment; fair value assessment; target market assessment; customer journey review; vulnerability assessment; legal review; compliance review; operational readiness assessment; technology and cyber review; financial modelling; outsourcing assessment; and customer communication review. The level of analysis should be proportionate to product complexity and risk. Material concerns identified during development should be escalated promptly. 6.3 Stage 3 – Product Governance Committee Review The Product Sponsor must submit the proposal to the PGC with supporting documentation. The PGC will consider: strategic alignment; customer outcomes; target market suitability; fair value considerations; conduct risk; operational readiness; legal and regulatory considerations; alignment with risk appetite; and implementation risks. The PGC may: approve the proposal; approve subject to conditions; defer approval pending further information; escalate the proposal to ExCo or the Board; or reject the proposal. Conditions attached to approvals must be tracked to completion. Material unresolved concerns should be escalated. 6.4 Stage 4 – Executive Committee Review ExCo review is required for: strategically significant proposals; products outside existing business lines; products involving heightened conduct, operational or reputational risk; proposals involving material investment; or proposals escalated by the PGC. ExCo will consider: strategic fit; financial implications; operational readiness; reputational considerations; customer outcome considerations; and alignment with risk appetite. ExCo may: approve the proposal; approve subject to conditions; recommend Board approval; defer the proposal; or reject the proposal. 6.5 Stage 5 – Board Approval Where Board approval is required, Board papers should include: strategic rationale; key risks; customer outcome considerations; conduct and reputational considerations; financial implications; operational readiness; implementation approach; and key approval conditions or mitigants. The Board may: approve; approve subject to conditions; defer; or reject the proposal. 7. Required Documentation The Product Sponsor is responsible for ensuring that appropriate documentation is completed and retained. Documentation may include: product proposal paper; target market assessment; fair value assessment; risk assessment; customer journey assessment; operational readiness assessment; legal review; compliance review; financial analysis; implementation plan; governance approvals; and post-launch monitoring plan. The level of documentation required should be proportionate to product complexity and risk. 8. Customer and Conduct Considerations All proposals must consider: customer needs; target market suitability; customer understanding; fair value; foreseeable harm; vulnerability considerations; and customer support requirements. Products should not be approved where: customer outcomes cannot be adequately assessed; product complexity is disproportionate to target market needs; customer risks cannot be adequately mitigated; or fair value concerns remain unresolved. Customer outcome considerations should form part of governance discussions at each approval stage. 9. Operational Readiness Products must not be launched until operational readiness has been confirmed. Operational readiness considerations may include: systems readiness; servicing capability; complaints handling arrangements; MI and reporting capability; customer support arrangements; operational resilience; staff training; third-party readiness; and incident management arrangements. The Product Sponsor must confirm that material operational dependencies have been addressed prior to launch. 10. Launch Approval and Post-Launch Monitoring Products may be subject to: phased implementation; enhanced monitoring periods; customer volume limitations; or additional reporting requirements. Post-launch monitoring should consider: customer outcomes; complaints; operational incidents; customer behaviour; vulnerability indicators; sales quality; conduct concerns; and implementation issues. Material issues identified post-launch must be escalated promptly through appropriate governance forums. The PGC may require a formal post-implementation review for higher-risk products. 11. Fast-Track and Exceptional Approvals In limited circumstances, proposals may follow an expedited approval process where: changes are time-sensitive; delays may materially impact customers or operations; or the proposal is considered lower risk. Fast-track approvals must: remain subject to appropriate governance; include appropriate control function involvement; and be documented appropriately. The Chair of the PGC may determine whether expedited treatment is appropriate. Material or high-risk proposals should not normally follow a fast-track process. 12. Breaches and Escalation Material breaches of this Procedure must be escalated to: the Chair of the PGC; Risk; Compliance; and the relevant Senior Manager. Examples may include: implementation without approval; failure to complete mandatory assessments; failure to satisfy approval conditions; or material unapproved product changes. Remediation actions must be tracked to completion. 13. Record Keeping Appropriate records must be maintained for: governance decisions; approvals and conditions; challenge and actions; supporting documentation; implementation decisions; and post-launch monitoring activities. Records should be retained in accordance with the Bank’s Records Management Policy. 14. Policy Ownership and Review This Procedure is owned by the Chief Risk Officer. The Procedure will be reviewed at least annually or earlier where required due to: regulatory developments; material governance concerns; significant product incidents; or changes to the Bank’s operating model or governance framework. Material amendments require approval by the Product Governance Committee and Board Risk Committee.