XYZ Bank Conduct Risk Framework

1. Purpose

This Conduct Risk Framework (“the Framework”) sets out XYZ Bank’s (“the Bank”) approach to identifying, assessing, managing, monitoring and escalating conduct risk.

The purpose of this Framework is to:
- support the delivery of good customer outcomes;
- promote fair treatment of customers;
- support compliance with applicable regulatory obligations, including Consumer Duty requirements;
- establish governance and accountability arrangements relating to conduct risk;
- support consistent identification and management of customer harm risks; and
- embed conduct considerations into decision-making across the Bank.

The Framework forms part of the Bank’s wider Risk Management Framework and should be read alongside the:
- Consumer Duty Policy;
- Product Governance Policy;
- Risk Appetite Statement; and
- Complaints Handling Policy.

2. Scope

This Framework applies to:
- all retail products and services;
- all customer interactions and communications;
- all customer distribution and servicing activities;
- all employees, contractors and business areas; and
- all outsourced activities that may impact customer outcomes.

The Framework applies throughout the customer lifecycle, including:
- product design;
- marketing and distribution;
- onboarding;
- servicing;
- complaints handling;
- collections and forbearance;
- remediation activities; and
- product withdrawal or closure.

3. Conduct Risk Philosophy

The Bank recognises that maintaining customer trust and delivering good customer outcomes are fundamental to sustainable business performance.

The Bank seeks to:
- act in good faith towards customers;
- avoid foreseeable customer harm;
- support customers in pursuing their financial objectives;
- communicate clearly and transparently;
- maintain fair and responsible business practices; and
- identify and address conduct concerns promptly.

The Bank recognises that conduct risk may arise from:
- product design;
- pricing structures;
- customer communications;
- operational processes;
- employee behaviour;
- incentive structures;
- technology and digital journeys;
- third-party relationships; and
- failures in governance or oversight.

The Bank has a low appetite for conduct failures and customer harm.

4. Definition of Conduct Risk

For the purposes of this Framework, conduct risk is defined as:

The risk that the Bank’s actions, decisions, products, services, communications or behaviours result in poor customer outcomes, customer harm, unfair treatment, or damage to market integrity or trust.

Conduct risk may arise from:
- deliberate misconduct;
- poor governance;
- inadequate controls;
- weak oversight;
- inappropriate incentives;
- operational failures;
- poor product design;
- ineffective communications; or
- unintended consequences of business activities.

The Bank recognises that customer harm may occur even where there is no deliberate misconduct or regulatory breach.

5. Governance and Accountability

5.1 Board Oversight

The Board retains overall responsibility for oversight of conduct risk management across the Bank.

The Board is responsible for:
- reviewing the effectiveness of the conduct risk framework;
- considering material customer outcome concerns;
- reviewing conduct risk trends and emerging issues;
- overseeing Consumer Duty implementation and effectiveness; and
- ensuring conduct considerations are reflected within the Bank’s strategy and culture.

5.2 Executive Management

Executive Management is responsible for:
- embedding conduct considerations into business activities;
- ensuring appropriate governance and controls are maintained;
- reviewing material conduct risks;
- supporting a customer-focused culture; and
- escalating material conduct concerns appropriately.

5.3 Business Areas

Business areas are responsible for:
- identifying and managing conduct risks;
- considering customer outcomes in decision-making;
- escalating material concerns promptly;
- monitoring customer outcomes; and
- ensuring products and services operate as intended.

First-line business areas retain ownership of conduct risks arising from their activities.

5.4 Risk and Compliance Functions

Risk and Compliance functions are responsible for:
- providing independent review and challenge;
- supporting interpretation of regulatory obligations;
- monitoring conduct risk trends;
- supporting governance reporting; and
- escalating material concerns where appropriate.

5.5 Internal Audit

Internal Audit is responsible for providing independent assurance regarding the effectiveness of the Bank’s conduct risk management arrangements and associated controls.

6. Conduct Risk Drivers

The Bank recognises that conduct risk may arise from a range of factors, including:
- product complexity;
- inappropriate target market selection;
- poor customer understanding;
- unclear or misleading communications;
- inappropriate pricing structures;
- operational friction or barriers;
- ineffective servicing arrangements;
- inadequate support for vulnerable customers;
- incentive structures that conflict with customer interests;
- inadequate employee training;
- excessive reliance on disclosures;
- weak governance or challenge;
- digital journey design;
- third-party arrangements; and
- unmanaged conflicts of interest.

Business areas should consider potential conduct risk drivers during:
- product design;
- customer journey development;
- operational change;
- outsourcing decisions; and
- strategic initiatives.

7. Conduct Risk Lifecycle

Conduct risk should be considered throughout the customer and product lifecycle. This includes:
- product design and approval;
- pricing and value assessment;
- marketing and distribution;
- onboarding and disclosure;
- customer servicing;
- complaints handling;
- collections and forbearance;
- remediation activities; and
- product closure or withdrawal.

The Bank recognises that conduct risks may evolve over time and require ongoing monitoring.

8. Customer Outcomes and Foreseeable Harm

The Bank seeks to identify and mitigate foreseeable harm to customers.

Consideration should be given to:
- customer understanding;
- complexity and transparency;
- behavioural impacts;
- barriers to customer action;
- customer vulnerability;
- customer support arrangements;
- operational failures; and
- unintended customer outcomes.

The Bank recognises that:
- disclosures alone may not always prevent customer harm;
- customer behaviour may differ from expected outcomes; and
- complexity may reduce customer understanding even where disclosures are technically compliant.

Where foreseeable harm cannot be adequately mitigated, the Bank should consider whether a product, feature or activity should proceed.

9. Vulnerable Customers

The Bank recognises that customers may experience vulnerability due to:
- health;
- life events;
- financial resilience; or
- capability.

The Bank seeks to:
- identify vulnerable customers where appropriate;
- consider vulnerability within product and service design;
- provide appropriate support arrangements;
- avoid unreasonable barriers;
- monitor outcomes for vulnerable customer groups; and
- train employees on vulnerability considerations.

The Bank recognises that vulnerability may be temporary, permanent or episodic.

10. Conduct Risk Monitoring and Management Information

The Bank will maintain monitoring arrangements intended to support identification of emerging conduct risks and poor customer outcomes.

Monitoring may include:
- complaints analysis;
- Financial Ombudsman Service referrals;
- customer feedback;
- customer attrition;
- operational incidents;
- remediation events;
- quality assurance activities;
- customer journey analysis;
- vulnerability indicators;
- call monitoring;
- digital analytics;
- sales quality monitoring; and
- customer behaviour analysis.

The Bank recognises that no single metric is likely to identify conduct risk in isolation.

Management Information should be reviewed regularly through appropriate governance forums.

11. Escalation and Remediation

Material conduct concerns should be escalated promptly through the Bank’s governance framework.

Examples of matters requiring escalation may include:
- evidence of customer harm;
- material complaints trends;
- systemic customer misunderstanding;
- operational failures affecting customer outcomes;
- unfair pricing concerns;
- vulnerable customer impacts;
- significant remediation events; or
- material regulatory concerns.

Where conduct failures or poor customer outcomes are identified, the Bank will seek to:
- investigate root causes;
- assess customer impact;
- implement remediation actions;
- consider whether customer redress is appropriate;
- identify broader systemic issues; and
- consider regulatory notification obligations where appropriate.

Remediation actions should be tracked to completion.

12. Training and Culture

The Bank expects employees to consider customer outcomes as part of day-to-day decision-making.

Relevant employees should receive training relating to:
- conduct risk;
- Consumer Duty requirements;
- vulnerability considerations;
- escalation expectations; and
- customer outcome considerations relevant to their role.

The Bank seeks to promote a culture in which:
- customer interests are appropriately considered;
- challenge is encouraged;
- employees feel able to escalate concerns;
- poor behaviour is addressed appropriately; and
- commercial objectives are balanced with customer outcomes and risk considerations.

13. Third-Party and Outsourcing Considerations

Where third parties are involved in customer-facing activities, the Bank will seek to maintain appropriate oversight arrangements.

The Bank recognises that conduct risk may arise through:
- outsourced servicing;
- distribution arrangements;
- technology providers;
- customer communications managed by third parties; or
- operational dependencies affecting customer outcomes.

Appropriate due diligence, oversight and escalation arrangements should be maintained for material third-party relationships.

14. Record Keeping

Appropriate records should be maintained in relation to:
- conduct risk assessments;
- governance discussions;
- escalation activities;
- customer outcome monitoring;
- remediation activities;
- customer research and testing; and
- governance reporting.

Records should be retained in accordance with the Bank’s Records Management Policy.

15. Framework Ownership and Review

This Framework is owned by the Chief Risk Officer.

The Framework will be reviewed at least annually or earlier where required due to:
- regulatory developments;
- material customer outcome concerns;
- significant conduct incidents;
- changes to the Bank’s operating model; or
- emerging conduct risk themes.

Material amendments require approval by the Board Risk Committee.