I. Assessment of the Supervisory Board of mBank S.A. on the situation of the company on a consolidated basis, including the adequacy and effectiveness of the company’s systems of internal control, risk management, compliance with standards or applicable practices and internal audit

1. Activities of the mBank Group in 2022

The Supervisory Board analysed the financial results and key indicators of the mBank Group, taking into account the specificity of 2022. The specificity derived from external conditions and one-time events that affected the Group’s profitability.

Due to a global supply shock compounded by the impact of Russia’s military aggression against Ukraine, economic conditions gradually deteriorated in 2022. Inflation reached a 25-year high, resulting in a tightening of monetary policy.

The mBank Group’s total revenue in 2022 reached PLN 7.8 billion, 28.3% higher than in 2021. As a result, the Group generated its highest revenue ever, despite the negative impact of the credit holidays, which exceeded PLN 1.3 billion.

The main driver of mBank Group’s revenue growth in 2022 was net interest income, supported by rising interest rates. It grew by 43.2% year on year and, excluding the impact of credit holidays, by 75.3%. Net fee and commission income increased by 13.5% in 2022.

In a high-inflation environment, the mBank Group maintained high cost efficiency. The mBank Group’s costs in 2022 were largely influenced by one-off charges: the contribution to the Commercial Banks Protection Scheme (System Ochrony Banków Komercyjnych S.A., SOBK) of PLN 428 million and the contribution to the Borrower Support Fund (FWK) of PLN 171 million. The normalised cost/income ratio (excluding the impact of credit holidays and the Borrower Support Fund contribution) was 34.3%.

The cost of risk was 68 basis points in 2022 compared to 76 basis points in 2021. The Group maintained the high quality of its loan portfolio. The non-performing loan ratio (NPL) was 4.0% at 31 December 2022.

As in 2021, a major drag on the Group’s financial results was the cost of legal risk related to foreign currency loans. In 2022, the prevailing case law was unfavourable to banks, combined with a high influx of new lawsuits. As a result, the mBank Group recognised legal risk costs related to foreign currency loans of PLN 3.1 billion in its profit and loss account for 2022. In the opinion of the Supervisory Board, the coverage of the CHF loan portfolio with provisions for legal risk (54.3%) and the Bank’s capital allocated to the “Foreign Currency Mortgage Loans” segment demonstrate that the Bank is well prepared for the challenges associated with the materialisation of legal risk on foreign currency loans.

The settlement programme offered by the Bank for borrowers with an active CHF- indexed loan may provide a mutually beneficial alternative to litigation. The Supervisory Board regularly monitors the progress of the programme.

Due to the cost of legal risk on the portfolio of foreign-currency mortgage loans, the above-mentioned one-off factors, as well as a higher tax on balance sheet items (up by 12.4% year on year), the mBank Group closed 2022 with a pre-tax loss of (PLN 108 million). The Group’s net loss attributable to the Bank’s shareholders in 2022 amounted to (PLN 703 million).

The Supervisory Board believes that the actual performance of the mBank Group in 2022 should be considered at the level of the financial results of the core business, excluding the “Foreign Currency Mortgage Loans” segment. Despite public charges and one-off regulatory factors, the Group’s core business generated a net profit of PLN 2,519 million in 2022. This is more than 55% higher than in 2021. The return on equity (ROE) was 22.1%. These results corroborate the Group’s strong ability to generate revenue and continue organic growth.

The mBank Group’s capital ratios were 3.4-3.5 basis points above the minimum PFSA requirements as at 31 December 2022 despite the reduction in own funds. In two securitisation transactions completed in 2022, the Bank transferred a significant part of the credit risk from the securitised corporate loan portfolio to investors. This contributed significantly to a reduction in risk-weighted assets.

The mBank Group has a comfortable liquidity position reflected by high LCR and NSFR and a net loan-to-deposit ratio of 69.0%.

In the past year, the mBank Group successfully pursued its 2021-2025 strategy “From an icon of mobility to an icon of possibility”. The Group strengthened its market share in retail loans and household deposits. It continued to digitise and automate processes, expanded the range of services available through remote channels, increased the share of digital channels in the sale of non-mortgage loans and developed solutions for e-commerce.

As a responsible financial institution, the Bank promoted sustainable products and supported entrepreneurs in green transition. The Supervisory Board appreciates the Bank’s climate efforts, including joining the Partnership for Carbon Accounting Financials (PCAF) and the Science Based Targets initiative (SBTi) and the commitment to developing a decarbonisation trajectory for the next few years. The Bank’s commitment to social and educational initiatives deserves recognition, including its collaboration with the Great Orchestra of Christmas Charity, helping victims of the war in Ukraine and promoting mathematics education among children and young people. The Bank is very well perceived by the market primarily because of the high quality of its services, the breadth of its offering, its high degree of digitalisation, qualified staff and the commitment to ESG. As a result, the Bank’s client base, both retail and corporate, is growing steadily.

Taking into account those facts, the Supervisory Board positively assesses the situation of the Bank and the Group and believes that it offers good prospects for business development in 2023 and beyond.

2. Assessment of the adequacy and effectiveness of the company’s systems of internal control, risk management, compliance with standards or applicable practices and internal audit

The Bank’s risk management system and internal control system are organised on three independent levels – lines of defence.

The internal control system supports the management of the Bank by contributing to ensuring the effectiveness and efficiency of the Bank’s operations, the reliability of financial reporting, compliance with risk management principles, and the Bank’s compliance with laws and internal regulations.

The internal control system includes:

1. The control function which aims to ensure compliance with control mechanisms relating in particular to risk management in the Bank, which includes positions, groups of people or organisational units responsible for the performance of tasks assigned to this function. The function is carried out in a systematic manner by employees at all organisational levels by means of:

§ continuous monitoring, consisting of the examination of selected operations or activities performed at the Bank,

§ periodic verification, consisting of an examination of selected operations or activities already completed in order to check the adequacy and effectiveness of the continuous monitoring.

2. The compliance function which is responsible for identifying, assessing, controlling and monitoring the risk of non-compliance of the Bank’s operations with the law, internal regulations and market standards, as well as for presenting reports in this respect. The tasks of the compliance function are performed by the Compliance Department.

3. An independent internal audit function which aims to examine and assess, in an independent and objective manner, the adequacy and effectiveness of the risk management system and the internal control system. The tasks of the independent internal audit function are performed by the Internal Audit Department.

The Audit Committee provides the Supervisory Board with its opinion on the assessment of the internal control system based on information from the Bank’s Management Board on the functioning of the internal control system, reports on the effectiveness of the control function, significant and critical irregularities and the status of recovery plans, reports on compliance risk management, the assessment from an internal audit perspective, as well as the results of audits. The Committee takes into account in its opinion information from the parent company, subsidiaries, the auditor, supervisory institutions (e.g., the Polish Financial Supervision Authority), as well as from other third parties. The Committee assesses the performance of the Compliance Department and the Internal Audit Department on the basis of annual activity reports presented directly by the Directors of the Compliance and Internal Audit Departments.

Based on the information received in 2022, the Supervisory Board did not identify any significant irregularities in the functioning of the internal control system (including the control function, the compliance function, and the internal audit function) and considers that it is adapted in the case of most processes to the scope and complexity of the Bank’s activities, organisational structure, and risk

management system. As part of the assessment of the internal control system, on the basis of an opinion of the Audit Committee, the Supervisory Board identified the strengths of the system and areas for further improvement. The Supervisory Board assessed that the units responsible for the control function, compliance risk management, and internal audit carried out their tasks in accordance with the internal regulations on a continuous basis, and that the Bank’s Management Board and Audit Committee, as well as the Supervisory Board, received adequate reports and information on the effects of such activities. The independence of the Compliance Department and the Internal Audit Department was ensured as defined in the Rules of the Compliance Department and the Audit Charter, respectively. In performing their duties, employees of those units performed their activities with independence and objectivity, did not execute processes which were subject to their controls, and did not engage in activities which could give rise to a conflict of interest with their duties.

The Directors of the Compliance Department and the Internal Audit Department took measures on an on-going basis to ensure that adequate human resources and the necessary financial resources were available to systematically improve the qualifications, experience and skills of the staff of those units.

The mBank Group’s risk management system is based on the concept of three lines of defence.

The Bank has in place risk committees for each business line: the Retail Banking Risk Committee, the Corporate and Investment Banking Risk Committee, and the Financial Markets Risk Committee, which define the risk management principles and determine the risk appetite of the business line. Risks are also an important focus of the work of other committees in the Bank chaired by members of the Management Board.

The Bank has in place methodologies and processes where risks are identified and assessed to determine their potential impact on current and future operations. The comprehensive risk management structure is complemented by a consistent system for monitoring and reporting risk levels and breaches of limits set. The reporting system covers the key management levels.

The Supervisory Board receives periodic reports presenting an assessment of the level of risk identified and the effectiveness of the actions taken by the Management Board.

In matters of risk, the Supervisory Board acts through the Risk Committee, which exercises on-going oversight of individual risks, in particular credit risk (including concentration risk), market risk, operational risk, liquidity risk, reputation risk, and business risk. The Committee makes recommendations on significant exposures with single business entity risk.

Professor Agnieszka Słomka-Gołębiowska

Chairwoman of the Supervisory Board