XYZ Bank Target Market and Vulnerability Standard 1. Purpose This Target Market and Vulnerability Standard (“the Standard”) sets out XYZ Bank’s (“the Bank”) minimum requirements for: identifying and assessing target markets; considering customer characteristics and needs; assessing vulnerability considerations; defining appropriate distribution approaches; and supporting appropriate customer outcomes throughout the product lifecycle. The purpose of this Standard is to: support compliance with Consumer Duty and applicable regulatory requirements; support consistent customer-focused decision-making; reduce the risk of foreseeable customer harm; support appropriate product distribution and servicing arrangements; and establish minimum governance expectations relating to target market and vulnerability assessments. This Standard should be read alongside the: Consumer Duty Policy; Product Governance Policy; Conduct Risk Framework; Fair Value Assessment Methodology; and New Product Approval Procedure. 2. Scope This Standard applies to: all retail products and services; all new products and material product changes; all product distribution arrangements; customer communications and journeys where relevant; and periodic product reviews. The Standard applies throughout the customer lifecycle, including: product design; approval; distribution; servicing; complaints handling; remediation activities; and product withdrawal or closure. 3. Target Market Principles The Bank seeks to ensure that: products and services are designed to meet the needs of identified customer groups; target markets are sufficiently defined and understood; products are distributed appropriately; foreseeable customer harm is identified and mitigated; and customer vulnerability considerations are incorporated into product and service design where appropriate. The Bank recognises that: products may not be appropriate for all customer groups; broader distribution may increase customer outcome risks; customer understanding may vary significantly across customer groups; and customer vulnerability may affect customer ability to understand, access or use products and services effectively. 4. Governance and Accountability 4.1 Product Sponsor The Product Sponsor is responsible for: ensuring target market assessments are completed where required; ensuring vulnerability considerations are assessed appropriately; coordinating stakeholder input; and presenting assessments through governance forums. 4.2 Business Areas Business areas are responsible for: identifying target customer groups; considering customer needs and behaviours; assessing customer outcome risks; monitoring customer outcomes post-launch; and escalating material concerns appropriately. 4.3 Risk and Compliance Functions Risk and Compliance functions are responsible for: providing review and challenge; supporting interpretation of regulatory expectations; reviewing vulnerability considerations; and escalating material concerns where appropriate. 4.4 Governance Forums Target market and vulnerability assessments should be reviewed as part of: new product approvals; material product changes; and periodic product reviews. Material unresolved concerns should be escalated appropriately. 5. Target Market Assessment Requirements A target market assessment should be completed for: all new products; material product changes; and products subject to material changes in customer outcomes or distribution approach. The assessment should be proportionate to: product complexity; customer risk; distribution approach; customer vulnerability considerations; and conduct risk. 6. Target Market Assessment Criteria Target market assessments should consider: customer needs and objectives; intended product use; customer financial characteristics; likely customer understanding; customer sophistication; risk tolerance; financial resilience; behavioural characteristics; vulnerability considerations; and distribution channel suitability. The Bank recognises that target markets may evolve over time and require periodic reassessment. 7. Positive and Negative Target Markets 7.1 Positive Target Market The positive target market should identify the types of customers for whom the product is likely to be appropriate. This may include consideration of: customer objectives; expected product usage; financial circumstances; experience and understanding; risk appetite; and intended customer behaviour. 7.2 Negative Target Market Assessments should also consider customer groups for whom the product may not be appropriate. Negative target markets may include customers: unlikely to understand material product risks; with insufficient financial resilience; whose objectives are inconsistent with the product; likely to misunderstand product features; requiring simpler products or servicing arrangements; or whose vulnerability characteristics may create elevated customer outcome risks. The Bank recognises that some products may require restricted distribution or additional safeguards. 8. Customer Understanding Considerations Target market assessments should consider: whether customers are likely to understand key product features; whether communications are likely to support informed decision-making; whether disclosures are proportionate to product complexity; whether behavioural biases may affect customer understanding; and whether customers are likely to misunderstand risks, returns or limitations. The Bank recognises that: technical compliance with disclosure requirements may not ensure effective customer understanding; and complexity may reduce customer ability to assess suitability or value effectively. Where customer understanding concerns are identified, additional mitigants may be required. 9. Distribution Considerations The Bank should consider whether the proposed distribution approach is appropriate for the target market. Consideration should be given to: advised versus non-advised distribution; digital distribution; intermediary distribution; customer support availability; onboarding friction; customer disclosures; customer decision-making environment; and monitoring arrangements. Products involving elevated complexity or customer understanding risks may require: enhanced controls; restricted distribution; additional disclosures; customer testing; or enhanced governance. 10. Vulnerability Framework The Bank recognises that vulnerability may arise from: health conditions; life events; financial resilience; capability; digital exclusion; or other circumstances affecting customer ability to make or act on informed decisions. The Bank recognises that vulnerability may be: temporary; permanent; episodic; or situational. The Bank seeks to: consider vulnerability throughout the product lifecycle; identify foreseeable vulnerability-related risks; provide appropriate support arrangements; avoid unreasonable barriers; and monitor outcomes for vulnerable customer groups. 11. Vulnerability Assessment Requirements Vulnerability assessments should consider: whether product complexity may disproportionately affect vulnerable customers; accessibility of communications and servicing; customer support arrangements; digital accessibility; operational barriers; foreseeable behavioural risks; and whether vulnerable customers may experience poorer outcomes. The Bank recognises that: vulnerability considerations may vary across customer groups and distribution channels; and certain products may not be appropriate for some vulnerable customer groups without additional safeguards. Where material vulnerability concerns are identified, consideration should be given to: enhanced support arrangements; distribution restrictions; communication adjustments; additional monitoring; or whether the product should proceed. 12. Monitoring and Review Target market and vulnerability considerations should be reviewed periodically following launch. Monitoring may include: complaints analysis; customer feedback; customer behaviour analysis; customer attrition; vulnerability indicators; operational incidents; remediation activity; sales quality monitoring; and evidence of customer misunderstanding. The Bank recognises that: actual customer outcomes may differ from expected outcomes; and target markets may broaden over time through distribution practices or customer behaviour. Material concerns should be escalated appropriately. 13. Triggers for Reassessment A reassessment of target market or vulnerability considerations may be required following: material complaints trends; evidence of customer misunderstanding; changes in customer outcomes; material distribution changes; regulatory developments; operational incidents affecting customers; remediation activity; or significant changes to product structure or functionality. Products demonstrating elevated customer misunderstanding or vulnerability concerns may require enhanced governance or remediation actions. 14. Documentation and Record Keeping Appropriate records should be maintained in relation to: target market assessments; vulnerability assessments; governance discussions; customer testing; challenge and actions; approval decisions; and monitoring activities. Documentation should be proportionate to product complexity and customer risk. 15. Escalation Material concerns relating to: customer suitability; customer understanding; vulnerability impacts; inappropriate distribution; foreseeable customer harm; or inability to define the target market adequately should be escalated promptly through appropriate governance forums. Where concerns cannot be adequately mitigated, the Bank should consider whether: distribution restrictions are required; additional safeguards should be implemented; or the product or feature should proceed. 16. Standard Ownership and Review This Standard is owned by the Chief Compliance Officer. The Standard will be reviewed at least annually or earlier where required due to: regulatory developments; material customer outcome concerns; significant remediation activity; emerging conduct risk themes; or changes to the Bank’s product portfolio. Material amendments require approval by the Product Governance Committee and Board Risk Committee.