Intesa Sanpaolo

Governance Information • Mar 24, 2024

10) Meetings

Report of the Management Control Committee to the Shareholders' Meeting on the supervisory activities performed in 2023

pursuant to Article 153, paragraph 1, of Legislative Decree 58 of 24 February 1998, and Article 23.1, letter j), of the Articles of Association

Distinguished Shareholders,

As you are aware, the one-tier governance model adopted by Intesa Sanpaolo S.p.A. ("Bank" or "Parent Company") consists of a Board of Directors ("Board") with steering and strategic supervision duties, management duties as well as control duties performed by the Management Control Committee ("Committee" or "Control Body") appointed by the Shareholders' Meeting as part of the Board itself. The Committee currently in office was appointed by the Shareholders' Meeting held on 29 April 2022.

The Committee plays a proactive role, within its own areas of responsibility, towards the Corporate Control Functions and engages in constructive dialogue with the Management of the Bank and the Intesa Sanpaolo Group ("Group"), including on the basis of information received during board meetings and deemed worthy of further in-depth analysis. The activities carried out also take account of the indications provided by the Chair of the Committee during the periodic meetings held with the dedicated Secretariat, aimed at a mutual exchange of information deemed worthy of attention and the subsequent planning of the work of the Committee itself.

The Committee, in the fulfilment of its duties and in the interest of the best performance thereof, exchanges information of reciprocal interest and coordinates the performance of their respective duties with the Risks and Sustainability Committee, established within the Board, and with the Surveillance Body pursuant to Legislative Decree 231/2001. A Committee member usually attends meetings of the Risks and Sustainability Committee, subsequently reporting to the Control Body.

Pursuant to Article 153, paragraph 1, of Legislative Decree 58/1998, ("Consolidated Law on Finance"), the Committee is required to report to the Shareholders' Meeting, called to approve the financial statements for the period, on its supervisory activities and on any omissions or reprehensible facts recorded. This requirement is also stated in Article 23.1, letter j), of the Bank's Articles of Association. The Report was prepared taking into account the Consob recommendations on the matter and, in particular, Communication 1025564 of 6 April 2001 and subsequent updates, expressly referred to in the text.

During 2023, the following meetings were held:

• − 23 meetings of the Board of Directors;
• − 44 meetings of the Management Control Committee.

1. SUPERVISORY ACTIVITIES ON COMPLIANCE WITH THE LAW AND THE ARTICLES OF ASSOCIATION

Regulatory developments

Following the changes in the Supervisory Provisions and more generally to external regulations, the Committee examined, within its own remit, the proposals to update the following internal sets of regulations:

• − Code of Ethics;
• − Group Internal Code of Conduct;
• − Guidelines for combating money laundering and terrorist financing and for managing embargoes;
• − Group Anti-corruption Guidelines;
• − Volcker Rule Governance Guidelines;
• − Guidelines for the valuation of Balance Sheet Items;
• − Group Compliance Guidelines;
• − Guidelines on the protection of personal data of natural persons;
• − Guidelines on the governance of regulatory reporting Non-financial reporting– Financial and money markets area;
• − Guidelines on the disclosure of financial information to the market (Financial Statements and Pillar III);
• − Compliance Rulebook;

• − Group Accounting Policies;
• − Rules on the measurement of expected credit loss pursuant to standard IFRS 9 (Impairment Policy);
• − Harmonised Prudential Supervision Rules;
• − Group rules on the internal reporting system of violations (whistleblowing);
• − Integrated Internal Control System Regulation;
• − Rules on initial recognition and subsequent software management;
• − Rules governing reporting obligations to US Authorities.

The Committee also examined the proposal to update the following internal sets of regulations relating to investment services:

• − Rules for the provision of the advisory services and other investment services;
• − Conflicts of Interest Management Group Rules;
• − Rules for the distribution of OTC derivatives financial instruments of the Imi Cib Division;
• − Rules on the Marketing of Financial Instruments/Products;
• − Rules on Inducements;
• − Regulation for the transparency of banking transactions and services correctness of relations between the Bank and customers;
• − Rules on insurance distribution;
• − Execution and transmission of orders strategy.

Finally, the Committee examined the proposal for the new adoption of the following internal sets of regulations:

• − Group Guidelines for the use of artificial intelligence;
• − Guidelines on supervisory reporting;
• − Rules on obligations relating to transaction reporting, post-trade transparency and commodities derivatives positions – MiFID II area;
• − Rules on money market statistical reporting.

The Committee met with the competent company functions to examine the main changes to the 40th update of Circular 285/2013 (Supervisory Provisions for Banks) regarding ICT and security risk management.

The Committee examined the Intesa Sanpaolo's Descriptive Document for 2022, which contains the safeguards adopted by the Bank relating to the methods of deposit and sub-deposit of financial instruments and money held by customers, in accordance with regulatory provisions of the Consolidated Law on Finance – also receiving the final certification issued by the independent auditors EY ("Independent Auditors" or "EY") pursuant to the ISAE 3000 Revised certification standard.

The Committee also analysed the proposal to appoint a Top Risk Taker, providing the requested opinion.

Finally, the Committee examined the changes brought on by the New Supervisory Provisions for covered bond issues, noting the consistency of the adjustments made to the "ISP CB Ipotecario" and "ISP OBG" programmes with the new regulatory framework, as well as compliance with regulatory provisions, issuing its own assessment of the matter.

Relations with Supervisory Authorities

The Committee is promptly informed, also with the support of its dedicated Secretariat, of the main communications addressed to the Bank by the Italian and European Supervisory Authorities relating to the matters within its remit, with particular regard to the control system.

With regard to relations with the European Central Bank ("ECB"), the Committee received, amongst other things, regular updates on the preparation and development of the Supervisory Plans following the On-site Inspections, Thematic Reviews and Deep Dives by the Authority itself.

The Committee also received the required information and the consequent updates, within its own remit, regarding relations between the Bank and the other Supervisory Authorities, both Italian and of other EU and non-EU countries.

Self-assessment and verification of requirements

As required by the internal rules, the Committee performed the usual annual self-assessment of its own composition and operation that was separate to the one carried out by the Board. As is common knowledge, this exercise was also aimed at assessing the correct and effective performance of the tasks entrusted to the Committee in its capacity as the Control Body of the Bank according to criteria and methods consistent with its own attributes.

Again in 2023, in line with the previous year and with the activities carried out by the Board, the Committee

9) Opinions

availed itself of the preliminary analysis performed by an independent external consultant. The qualitative and quantitative results confirmed the Committee's adequacy and high level of overall compliance with the provisions of the Corporate Governance Code for listed companies ("Corporate Governance Code"), the guidelines of the European Banking Authority ("EBA"), the provisions of Bank of Italy Circular 285/2013 and with best practices. At the end of the process, on 23 February 2024, the Committee expressed an assessment of adequacy with regard to its own size, composition and operation. Moreover, in accordance with the requirements of the internal rules, which incorporate the guidelines issued by EBA and by the European Securities and Markets Authority ("ESMA") implementing the principles set out in the EU Directive 36/2013 ("CRD IV"), on 23 February 2024, the Committee assessed that each of its members meets the necessary requirements, including the absence of significant financial relationships with Group companies, as well as compliance with the limitation of directorships for the purpose of assessing their independence in line with the provisions of the Regulation adopted on this subject by the Board. As envisaged by the Corporate Governance Code, the members of the Committee ascertained the correct application of the assessment criteria and procedures adopted by the Board for evaluating the independence of its members.

Applications

With reference to a complaint pursuant to Article 2408 of the Italian Civil Code filed by a shareholder concerning alleged irregularities relating to the management of certain requests anticipated by the shareholder pursuant to Article 127-ter of the Consolidated Law on Finance, at the Shareholders' Meeting held on 28 April 2023, the Committee examined the facts represented and found that they were devoid of any legal basis, in addition to not presenting any element of censure.

During 2023, there were 2 protests received, addressed by customers to the Control Body and related to the Bank's business. The Committee asked the competent departments to carry out the appropriate checks on the matter which highlighted a situation of substantial regularity of the procedures carried out.

2. SUPERVISORY ACTIVITIES ON COMPLIANCE WITH THE PRINCIPLES OF CORRECT MANAGEMENT

The Committee has overseen compliance with the principles of correct management, holding regular meetings with the heads of the Corporate Control Functions, the Governance Areas and the Group Divisions as well as with the Manager responsible for preparing the Company's financial reports and the independent auditors, including in order to verify that management decisions are based on an adequate system of information flows to the Bodies and that the decision-making processes take account of the riskiness and effects of the management choices made.

The Committee verified that the flows between the corporate departments and the Managing Director and CEO, as well as between them and the Board, are continuous. Information exchange between the Committee and the Managing Director and CEO is enhanced by regular meetings, mostly focused on the Bank's and the Group's performance, the functionality and effectiveness of the internal control and risk management system as well as on the recommendations made by the Committee in this regard in its own quarterly reports to the Board.

The Committee supervised the observance of the obligations envisaged for most significant transactions in terms of economic, financial and balance sheet importance carried out by the Bank or the subsidiaries, confirming that they were performed according to law and the Articles of Association, and that they were not – as required by Consob – manifestly imprudent, hazardous, in conflict of interest, in contrast with resolutions taken by the Shareholders' Meeting, or likely to compromise the integrity of the shareholders' equity. The reports pursuant to Article 150, paragraphs 1 and 2 of the Consolidated Law on Finance were provided both as part of the information on the preparation of the financial statements given by the Manager responsible for preparing the Company's financial reports and at the regular meetings with the Managing Director and CEO.

The Committee received periodic information in accordance with the internal regulations on governance of the Most Significant Transactions, i.e. transactions that involve a potential significant change in the overall risk profile defined in the Risk Appetite Framework ("RAF").

Pursuant to the Procedures regulating the conduct of transactions with related parties of Intesa Sanpaolo, Associated Entities of the Group and Relevant Parties pursuant to Article 136 of the Consolidated Law on Banking ("RPT Procedures"), the Committee received the quarterly report on transactions with related parties and associated entities, including an assessment of the materiality of the financial relations for the purposes of the Directors' independence requirement. On such occasions, the Committee also received the report on the interests declared by the Directors in performing certain transactions pursuant to Article 2391 of the Italian Civil Code and/or Article 53, paragraph 4, of the Consolidated Law on Banking.

11) Principles of correct manageme nt

5) Complaints

6) Protests

1) Most significant transaction s

Finally, the Committee supervised the implementation and governance of the Group's Code of Ethics, which self-regulates the integration of social and environmental considerations (including those relating to ESG issues) into business processes, practices and decisions.

Given the above, no atypical and/or unusual transactions were carried out – either with third parties, or related parties or intragroup – to be understood as transactions that could give rise to doubts concerning the fairness/completeness of the financial statements, conflicts of interest, the safeguarding of company assets, or the protection of minority interests. Likewise, no management irregularities nor performance anomalies emerged.

Significant events and the main transactions with related parties of major significance (including intragroup ones) and the other significant transactions carried out in compliance with the RPT Procedures were adequately reported and illustrated in the reports on operations and the notes to the Intesa Sanpaolo S.p.A. draft financial statements as at 31 December 2023 and the Intesa Sanpaolo Group's consolidated financial statements as at 31 December 2023 (together the "2023 Financial Statements"), respectively.

3. SUPERVISORY ACTIVITIES ON THE PROCEDURES FOR EFFECTIVE IMPLEMENTATION OF THE CORPORATE GOVERNANCE RULES LAID DOWN IN THE CORPORATE GOVERNANCE CODE

The Committee examined the Report on Corporate Governance and Ownership Structures ("Report on Corporate Governance") for 2023 which was then approved by the Board of Directors on 27 February 2024, with particular reference to the information about the main features of the risk management and internal control systems in relation to the financial reporting process.

In this area, the Committee was pleased to note that the Report was prepared in accordance with the Recommendations for 2024 addressed by the Chair of the Italian Corporate Governance Committee to all the Chairs of the management bodies of Italian listed companies, the results of which indicate a general level of adequacy of the Bank's corporate governance.

The Report on Corporate Governance, which should be consulted for further details, illustrates among other things the management and control model of Intesa Sanpaolo and provides a complete disclosure of how the Bank has adopted and implemented the recommendations of the Corporate Governance Code.

4. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ORGANISATIONAL STRUCTURE

12) Organisatio nal structure

The Committee carried out the usual survey of the organisational structure of the Corporate Control Functions and main Divisions of the Group, focussing on the adequacy of risk monitoring processes and procedures to support the business carried out.

In 2023 the Committee analysed the following, including at its own request the results:

• − relating to the plan for the size of the second-level Control Functions, through which the Chief Operating Officer Governance Area, in line with the ECB's recent findings, analysed, in both qualitative and quantitative terms, the overall needs of the structures reporting to the Chief Compliance Officer and Chief Risk Officer Governance Areas;
• − of the Independent Review (conducted by McKinsey/Risk Dynamics) on the Validation Function, aimed at assessing – as required by the ECB – the "effective and independent challenge" on Model Development functions in the CRO environment and the organisational structure and its placement (confirmed within the CRO Area). The Committee acknowledged that the above assessment found a level of maturity of the Function overall aligned with European peers, and that these conclusions were shared by both Internal Audit and management, although some fully-addressed areas of improvement have been identified;
• − of the assessment of the suitability of the key function holders at Intesa Sanpaolo (to the extent within the Committee's purview), acknowledging that no obstacles to satisfaction of the prescribed requirements were found.

With regard to the assessments conducted by the Committee on the adequacy of Corporate Control Functions, see the chapter set out further below in this report.

In referring you to the Report on Corporate Governance for further details about the Group's organisational and operational structure, the Bank's organisational chart as at today's date is shown below.

2) Atypical and/or unusual transaction s

3) Adequacy of information

17) Complianc e with the Corporate Governanc e Code

5. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ADMINISTRATIVE AND ACCOUNTING SYSTEM AND OF THE ACCOUNTING AND FINANCIAL INFORMATION

The Committee – including in its capacity as Internal Control and Audit Committee pursuant to Article 19, paragraph 2, letter c) of Legislative Decree 39/2010 – examined the regular report on the activity carried on and the corrective actions prepared by the Manager responsible for preparing the Company's financial reports to support the statutory certifications and has analysed the causes and remedies of any shortcomings of the accounting structure.

The Management and Financial Governance function outlined the half-yearly reports on governance and control activities performed on the internal control system relevant for the financial reporting process, with the relative Tableau de Bord ("TdB") which summarise the main issues requiring attention and the progress of the relative mitigation actions, the report on the activities carried out in 2023 by the Balance Sheet Items Valuation Unit, as well as the activities plan for 2024.

Considering the governance and oversight activities carried out in 2023, as well as the reduced level of residual risk, the Management and Financial Governance unit expressed a positive opinion – despite the presence of some areas for further improvement for which mitigation measures are under way – on the statutory requirements of the financial reporting, allowing the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports to issue the certifications required under Article 154-bis of the Consolidated Law on Finance for the consolidated half-yearly report as at 30 June 2023, the consolidated results as at 31 December 2023 sent for reporting purposes to the competent Authorities as well as the 2023 Financial Statements.

The Committee – after receiving a biannual update as at 30 June – examined the Report on tax risk oversight activities carried out by the Bank in 2023, as required by the cooperative compliance scheme, and the activities plan for 2024. The Committee, together with the Manager responsible for preparing the Company's financial reports, met with the Independent Auditors – in accordance with Article 150, paragraphs 3 and 5 of the Consolidated Law on Finance – to examine the audit plan and receive updates on the activities carried out to formulate the opinion on the 2023 Financial Statements.

As part of its supervisory activities on accounting and corporate reporting, including to contribute to the assessment on the correct use of accounting standards, the Committee met with the Manager responsible for preparing the Company's financial reports, the other relevant functions of the Bank as well as the Independent Auditors to review the procedures for the preparation of the Consolidated Interim Report as at 31 March 2023, the Consolidated Half-Yearly Report as at 30 June 2023, the Consolidated Interim Report as at 30 September 2023 and the 2023 Financial Statements.

The Committee also examined the process of preparing Pillar 3 and the Consolidated Non-Financial Statement ("CNFS") – submitted along with the Principles for Responsible Banking ("PRB") – in respect of which it verified compliance with the provisions of Legislative Decree 254/2016 and the Global Reporting Initiative Standards, as well as with the Bank's methods of management and organisation of environmental, social, personnel-related and human rights issues.

These documents were approved by the Board on 14 March 2024.

In the light of the entry into force (on 1 January 2023) of the new accounting standard IFRS 17 for the measurement of insurance contracts, the Committee took favourable note that all companies in the Insurance Division closed their accounting periods on 31 December 2023 on the Group's target systems, in accordance with the pre-established project timescales.

The Bank's financial statements and the Group's consolidated financial statements, pursuant to Legislative Decree 38/2005, are prepared in compliance with the IAS/IFRS issued by the International Accounting Standards Board and relative interpretations of the International Financial Reporting Interpretations Committee, endorsed by the European Commission, as provided for by EC Regulation 1606/2002. These documents are drawn up on the basis of the instructions issued by the Bank of Italy with Circular 262/2005 as subsequently amended.

The parent company draft financial statements as at 31 December 2023 and the Group's consolidated financial statements as at 31 December 2023 were approved on 27 February 2024 by the Board of Directors. The disclosure to the public, under the provisions of the prudential supervisory regulations, was provided on the Bank's website within the term laid down for publication of the financial statements.

On 19 March 2024, pursuant to Article 14 of Legislative Decree 39/2010 and Article 10 of EU Regulation 537/2014, the Independent Auditors issued the reports on the audit of the Intesa Sanpaolo S.p.A.'s financial statements and on the consolidated financial statements of the Intesa Sanpaolo Group for the year ended 31 December 2023. In particular, the Independent Auditors:

• issued an opinion in which they affirm that the financial statements provide a true and fair view of the balance sheet and financial position of Intesa Sanpaolo and the Group, and of the profit and loss and the cash flows for the year ended at that date;
• presented the key aspects of the audit which, in their own professional opinion, are most significant and are used in forming their overall opinion of the financial statements;
• attested that the reports on operations and some specific information contained in the Report on Corporate Governance are consistent with the financial statements to which they refer and are prepared in compliance with the law;
• declared they had nothing to report pursuant to Article 14, paragraph 2, letter e), of Legislative Decree 39/2010, based on the knowledge and understanding of the company and its context acquired during the audit;
• verified, pursuant to Article 4 of the Consob Regulation implementing Legislative Decree 254/2016, the approval by the Directors of the CNFS and provided a separate certification of compliance for that statement.

Moreover, on 19 March 2024, the Independent Auditors issued the Committee with the additional report envisaged under Article 11 of EU Regulation 537/2014, according to which no significant shortcomings were found in the financial reporting internal control system and/or in the accounting system, which should be brought to the attention of those responsible for Governance activities.

The annual confirmation of independence was issued, together with this report, pursuant to Article 6, paragraph 2, letter a) of EU Regulation 537/2014 and paragraph 17 of the International Standard on Auditing (ISA Italia) 260.

6. SUPERVISORY ACTIVITIES ON THE STATUTORY AUDIT PROCESS AND THE INDEPENDENCE OF THE INTERNAL AUDITORS

Intesa Sanpaolo has adopted specific Group Regulations governing assignments to independent auditors and their networks. Amongst the rules laid down by said Regulations – which are enforced save any different provisions of law or other mandatory regulations – mention should be made of that of the Sole Auditor for the Group, that of the uniformity of assignments to audit the financial statements awarded by Group Companies (in Italy and abroad) with respect to the assignment awarded by the Parent Company and that of the alignment of the duration of such assignments (where feasible on the basis of applicable regulation) with respect to that of the Parent Company's assignment.

The Regulations also include specific prior authorisation, monitoring and regular reporting procedures to the Committee, which are aimed at overseeing the independence of the independent auditors. For the purpose of this monitoring, the following types of appointment are defined:

• Audit, i.e. statutory audit services pursuant to Article 14 of Legislative Decree 39/2010 and Article 2409 bis of the Italian Civil Code as well as the other voluntary audit services;
• Audit-Related, i.e. activities entrusted by law or order of an Authority, as well as activities that represent an extension of the auditing assignment (issuance of certificates, review of reports, agreed auditing procedures). These assignments are normally awarded to the Auditor as, by nature, they are not detrimental to independence;
• Non-Audit, relating to services not included within the foregoing types of Audit or Audit Related types, which pursuant to the Regulations cannot be awarded to the Main Auditor, i.e. the independent auditors engaged to perform the statutory audit of the Parent Company.

Monitoring also ensures that assignments expressly prohibited by Articles 10 and 17, paragraph 3, of Legislative Decree 39/2010 are not awarded to the Main Auditor.

Reports by the Independe nt Auditors

4)

EY is the independent auditor which was assigned the role of Sole Auditor. All proposals for assignments relating to the independent auditors and parties belonging to its network have been monitored in advance and – where applicable – authorised. Based on the results of this control process, we confirm that during the 2023 financial year no further non audit assignments were granted to EY and parties connected to them by ongoing relationships.

According to the provisions of the Group Regulations, the full picture of the assignments to the independent auditors is described twice a year to the Management Control Committee by the Manager responsible for preparing the Company's financial reports, including for the purposes of the related reporting obligations in the financial statements and to the Shareholders' Meeting. A complete picture of the amounts paid to the independent auditors in 2023 is represented in the Annex to the financial statements entitled "Fees for auditing and the services other than auditing pursuant to Article 149-duodecies of Consob Regulation no. 11971", to which reference should be made.

The details of the fees for the Audit-Related assignments for 2023 are shown below.

		(millions of euro)
Type of service	Intesa Sanpaolo		Group Companies (*)
	EY	EY Network	EY	EY Network
Certification services (**)	3.21	-	3.77	-
Other services:
agreed audit procedures	0.07	-	0.37	-
non-financial statement	0.12	-	-	-
Total	3.40	-	4.14	-

(*) Subsidiary Group companies and other consolidated companies.

(**) Inclusive of auditing costs, on a voluntary basis, for "Pillar 3" disclosure.

Fees net of VAT, out-of-pocket expenses and Consob Contribution.

The fees for Audit-Related assignments mainly refer to activities attributable to the recurring obligations regarding the deposit and sub-deposit of the assets of the customers of the intermediaries (pursuant to the provisions of the Bank of Italy Regulation of 5 December 2019), checks aimed at issuing Comfort Letters in implementation of international issue programmes and other contractual activities envisaged by the commitments already assumed by the Bank.

Moreover, several additions to the audit proposals in place with EY (in line with the conditions established by those proposals) were submitted to the Committee for the purpose, among others, of preparing the financial reports and making them available to the public in the European Single Electronic Format (ESEF). Where requested, the Committee expressed a favourable opinion on the proposals for additions, after verifying the underlying motivations and their suitability to the audit proposal.

Finally, the Committee acknowledged the results of the constant monitoring by the responsible structure of the Bank of the process of awarding assignments to the Independent Auditors, observing that this process did not result in any consequences at the level of independence.

7. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE INTERNAL CONTROL SYSTEM

The Group's Integrated Internal Control System Regulation, implementing the current Supervisory Rules, outlines the duties and responsibilities of all the stakeholders in the internal control system, the procedures for coordination and interaction between Control Functions, the guidance and coordination procedures of the Group companies and international branches, and the main information flows between the various stakeholders in the system. The internal control system is structured on three levels:

• − Level I: line controls conducted by the operating and business structures, including through units dedicated solely to control duties, and as far as possible incorporated in IT procedures, aimed at ensuring the proper conduct of operations;
• − Level II: controls aimed at ensuring the proper implementation of the risk management process, observance of operating limits and compliance of the operations with regulations. The functions assigned to such controls are separate from the ones in charge of production and contribute to the definition of governance policies and the risk management process. These controls are performed:
  • ✓ by the Chief Compliance Officer Governance Area, which has the tasks and responsibilities of the Compliance function and which includes the Anti-Money Laundering function,
  • ✓ by the Chief Risk Officer Governance Area, which has the tasks and responsibilities of the Risk Management function and which includes the Validation function;

9) Opinions

13) Internal control system

− Level III: internal audit controls to identify breaches of procedures and regulations, as well as to assess the completeness, adequacy, functionality and reliability of the internal control system and the Group's IT system, in relation to the nature and intensity of the risks. At Intesa Sanpaolo, the Chief Audit Officer reports directly to the Board of Directors and also reports functionally to the Committee, without prejudice to the appropriate sharing of information with the Managing Director and CEO.

The Group's internal control system – described in detail in the Report on Corporate Governance, to which reference should be made for further details – also sees other functions involved with control responsibilities (the Business Continuity function, the Cybersecurity function, the specialist functions) and, among others, also the Manager responsible for the Group Business Continuity Plan, the Manager responsible for preparing the Company's financial reports, the Independent Auditors and the Parent Company's Surveillance Body pursuant to Legislative Decree 231/2001.

With reference to the latter, every six months the Committee examined the report on the activities carried out noting that, according to the disclosure made, there are no facts or circumstances worthy of mention. Based on a synergistic approach, the Committee and the Surveillance Body promptly exchanged relevant data and information during the year, by coordinating during joint meetings on matters of mutual responsibility.

Below you will find a summary of the activities conducted by the parties responsible for carrying out internal controls.

Chief Compliance Officer

The Chief Compliance Officer delivered the institutional and periodic reports within his/her remit to the Committee, and in particular the half-yearly report, the annual report and Risk Assessment, with the action plan for 2024, drafted pursuant to applicable regulations; the Compliance Tableau de Bord, which provides an overview on the outlook for the most significant areas of attention, is enclosed with these reports which also provide a summary report on the progress of complaints, protests and appeals by customers. The endof-year report also includes the details of the activities carried out in 2023 and the activities planned for 2024 with reference to the central depositories and the entities managed according to the guidance, coordination and control model, the report on the Governance of the Group asset management companies, the Product Governance Report, the regulatory areas covered and details of the human and financial resources allocated to compliance macro-processes.

Pursuant to the regulations issued by Consob, the Chief Compliance Officer, aided by the Chief Operating Officer, presented to the Committee the annual report on the terms of provision of services and investing activities and ancillary services and of distribution of financial products issued by insurance companies or banks.

Furthermore, the Chief Compliance Officer submitted the following to the Committee:

• − the Group annual report on the overall situation of complaints, disclaimers, protests to Supervisory Authorities and appeals to alternative dispute resolution entities;
• − the annual report on conflict-of-interest situations recorded in the area of investment or ancillary services, investing activities and distribution of insurance-based investment products;
• − at the Committee's request, the state of progress of the work of the Compliance Next Programme, whose planned activities continue according to schedule, without particular critical issues in reaching the milestones set;
• − the results of the self-assessment process and the plan of actions prepared to reinforce and adjust the processes and practices adopted to the indications formulated by the Bank of Italy in its Guidelines on revolving credit;
• − the reinforcement plan and the related state of progress of the actions taken by the Group in application of US regulation on swap dealers (Dodd-Frank Act), with particular regard to the record-keeping obligations for business-related communications;
• − information on the results of the self-assessment required by the EIOPA and on the further inquiries requested by IVASS of Payment Protection Insurance (PPI) Policies.

To enable the Committee to adequately perform its supervisory role on compliance with the rules for combating money laundering, terrorist financing and for embargo management as well as verifying the completeness, functionality and adequacy of the relative controls system, the head of the Anti-Money Laundering department illustrated the half-yearly report and the annual report for 2023, with their respective Tableau de Bord, the annual Risk Assessment on the areas of anti-money laundering, terrorist financing and violation of embargoes, and the action plan for 2024. These reports include summary information on the progress of the training plan, as well as details of the human and financial resources allocated to compliance macro-processes with respect to anti-money laundering, anti-terrorism, embargo and anti-corruption regulation.

Also at the Committee's request, the head of the Anti-money laundering function also submitted:

− specific updates concerning the state of progress of the ENIF long-term strategic plan, with a focus on

the various areas of action identified, taking favourable note of the results obtained thus far;

− the proposal to update the Anti-Money Laundering and Counter-Terrorism Financing Programme of the Sidney branch, in accordance with Australian regulations, in view of its submission to the Board for approval.

Chief Risk Officer

The Chief Risk Officer submitted the following to the Committee: the Tableau de Bord of the critical issues in his own Governance Area on a six-monthly basis, the annual report on the activities carried out in 2023, the Risk Assessment and the plan of the activities scheduled for 2024, including those for the Validation function. In accordance with Article 13, paragraph 2, of the Regulations issued by the Bank of Italy and Consob pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance, he also illustrated the Report on risk management activities within the scope of the investment services to customers carried out during 2023.

The Chief Risk Officer also described the positive results of the annual assessment on the overall consistency of the ratings of the External Credit Assessment Institutions with the measurements processed independently by the Bank.

Chief Audit Officer

The Committee mainly uses the Internal Audit function to carry out its supervisory duties. The Chief Audit Officer normally participates at meetings and constantly provides information on the activities carried out – some of which at the Committee's own request – and on the progress of the remediation plans undertaken by the competent corporate functions to overcome the critical issues encountered. The priorities reported by the Committee are taken into consideration when defining the annual Internal Audit plan. In addition, the Committee, at its own request, met with the Chief Audit Officer to reach a preliminary understanding as to the main areas to be covered in 2024 and the guidelines for planning audit activities.

During the year, the Chief Audit Officer systematically and promptly reported the main findings that emerged whilst performing his own activities, to the Committee, including at the Committee's specific request, as well as the progress of the related remediation measures, where there were areas for improvement. In particular, attention is drawn to the results of the audits of the following issues:

• − critical issues identified with regard to the supplier ION Group and, more generally, the security of all critical outsourced ICT services, with a focus on i) strengthening the escalation process in the event of anomalies, ii) expanding cyber-controls of suppliers and iii) seeking out alternative solutions for increasing the Group's business resilience;
• − the Group's ability to produce the Single Customer View report, as required by the instructions of the National Interbank Deposit Guarantee Fund, with evidence of an adequately structured operating and control process for producing reports;
• − adoption of the accounting standard IFRS 17 in the insurance financial statements, the main implementations of which were found to be adequately oriented;
• − state of progress of the Loan Tape European Central Bank project relating to the Group's International Subsidiary Banks scope;
• − remediation actions taken by the Bank in response to the results of the audits conducted by the Authority with regard to transparency, found to be suited to remedying the issues identified according to the established schedule.

The Chief Audit Office also presented to the Committee, including at its specific request:

• − an update to the SAIL (Strategic Audit Innovation Line-up) development programme and the main project developments in the data-driven audit areas (implemented through massive use of databases and Machine Learning and Artificial Intelligence approaches);
• − the results of the 2022 Customer Satisfaction Survey, carried out for the Bank's Top Management and aimed at measuring the level of satisfaction of the Function for both the Parent Company and Subsidiaries.

Every three months, using the Synthetic Audit Tableau de Bord, the Chief Audit Officer reported to the Committee on the outlook for the most significant weaknesses found during the Internal Audit activities including in light of the respective remediation plans. Every six months, within the context of a specific report, he submitted his own considerations and assessments on the adequacy of the internal control system for risk management and presented, at the Committee's request, the changes in the least significant weaknesses set out in the Analytical Audit Tableau de Bord. On an annual basis, he prepared and then shared with the Committee, the final report on the activities carried out and the results of the Audit Risk Assessment and the activities plan for the following financial year. The final report on the activities carried out in 2023 also fulfils the obligations laid down by the Bank of Italy with regard to disclosures to the competent Bodies on some specific areas such as liquidity risk management, anti-money laundering,

information systems and business continuity, Parent Company governance of the Group's asset management companies, the result of the audits carried out at international branches and the internal systems for reporting violations of the rules governing banking (so-called whistleblowing).

The Chief Audit Officer also conducted the compulsory assurance activities and prepared the following regular disclosures pursuant to the current Supervisory Rules:

• − the annual report on the outsourcing of essential or important functions outside the Group;
• − the quarterly report on whistleblowing reporting;
• − the annual report on internal audit activities pursuant to Article 14 of the Joint Consob-Bank of Italy Regulations, pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance.

During Board meetings, the Committee examined reports from the Internal Audit function on the results of consistency checks on the operating practices followed in the actual delivery of the 2023 incentive system as well as in the quantification and approval of the 2024 incentive system with the policies and the application parameters approved by the various Bodies and with the provisions issued by the Bank of Italy on this subject in transposing EU Directives. The Chief Audit Officer expressed his opinion of adequacy.

Integrated Reporting of Corporate Control Functions

The Integrated Tableau de Bord was submitted to the Committee on a six-monthly basis; it provides a summary of the findings with the greatest impact among those highlighted by the Corporate Control Functions and the Management and Financial Governance unit in their own Tableau de Bord, with details of the progress of their respective mitigation actions. On the basis of the assessments carried out by the Corporate Control Functions in 2023, the annual summary report was drawn up which shows that overall risk management is adequate in terms of completeness, functionality and reliability of the internal control system. This opinion is supported by the Integrated Risk Assessment, the results of which were included in the 2024 RAF.

In addition, with half-yearly frequency, the Integrated Tableau de Bord of the International Subsidiary Banks, which includes a summary of the findings with the greatest impact on the international scope, was also submitted to the Committee.

In the presence of the Chief Audit Officer, the Committee constantly monitored the implementation of the remediation actions planned to resolve the critical issues identified by the Corporate Control Functions.

With regard to Intesa Sanpaolo RBM and Previmedical, the Committee met with the head of the Insurance Division, with the presence of the Chief Compliance Officer and the head of the Legal Affairs Department – Group General Counsel, for updates on new proceedings served by the Autorità Garante della Concorrenza e del Mercato (AGCM) on Intesa Sanpaolo RBM Salute and Previmedical for alleged improper commercial practices. It also received updates on previous proceedings, on the state of implementation of the Compliance Plan formulated in response to the first AGCM Proceedings and on the performance of complaints and other applications from customers.

The Committee also met with the Chief Data, A.I., Innovation and Technology Officer ("CDAITO") for an update on the state of progress of the work in the 2023-2025 IT strategic roadmap for the International Subsidiary Banks, with a focus on the results of the risk assessment conducted on their core banking systems, on the state of progress of initiatives to implement the derisking programme for the International Network Information System and on the enhancement of the structures of the subsidiary International Value Services.

The Committee periodically deepened the risk assessment conducted by the Corporate Control Functions on the progress of the macro-initiatives of the 2022-2025 Business Plan, dwelling on the main focal points – including the Bank's ESG initiatives – and on the actions identified from time to time to mitigate the related potential risks.

The Committee also met with the heads of the Corporate Control Functions and the representatives of the Banca dei Territori Division for information, at its own request, regarding the internal control framework adopted by Isybank.

The Committee was then informed about the state of progress of the proceedings commenced by AGCM and Associazione Movimento Consumatori against Intesa Sanpaolo and the Subsidiary in question, and will constantly monitor the related developments.

Assessment of the Corporate Control Functions

For the purposes of assessing the suitability of the essential elements of the risk management internal control system architecture, the Committee examined the annual disclosure on the changes in staff, costs and 9)

investments directly attributable to the Corporate Control Functions. Further details on the staffing and Target sizing of the structures of the Corporate Control Functions are provided in their respective periodic reports to the Bodies. In light of the results obtained during its activities, the Committee expressed its own positive considerations on the aspects of independence, objectivity and effectiveness of risk management actions for the annual assessment carried out by the Board regarding the adequacy of the Corporate Control Functions.

For the purpose of paying the variable component of remuneration for 2023, the Committee first met, also in the presence of the Chief Operating Officer, with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to receive the results of the activities carried out by the respective areas during 2023. During the Performance Evaluation phase, it then met with the competent structures of the Chief Operating Officer to examine the assessment proposals formulated by the latter and express its opinion to the Remuneration Committee – within the scope of its responsibility – regarding the achievement of the objectives by the Chief Audit Officer, Chief Compliance Officer, head of the Anti-Financial Crime Department, Chief Risk Officer, head of the Internal Validation & Controls Coordination Area and the Manager responsible for preparing the Company's financial reports.

For the purposes of the 2024 incentive system, during the Goal & Target Setting phase, the Committee first met, also in the presence of the Chief Operating Officer, with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to examine the activities plan envisaged by each of their respective functions for 2024, including in order to evaluate the panel of possible Key Performance Indicators with which to monitor the effectiveness of the action by the relative functions and evaluate the managers' performance. The Committee then expressed its opinion – within its own remit – to the Remuneration Committee for the purpose of defining the objectives and individual performance levels to be attributed to the said Chiefs as well as to the heads of the Internal Validation & Controls Coordination Area, Anti-Money Laundering Function and the Manager responsible for preparing the Company's financial reports. The Committee took positive note of the forecast, also for 2024, of a Group transversal KPI pertaining to ESG issues.

8. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE RISK GOVERNANCE AND MANAGEMENT PROCESS

The Committee supervised:

• − the compliance with the provisions relating to the Internal Capital Adequacy Assessment Process and the Internal Liquidity Adequacy Assessment Process (ICAAP/ILAAP), inquiring in particular into scenarios and methodological and process aspects;
• − the completeness, adequacy, functionality and reliability of internal risk measurement systems for determining capital requirements, checking their compliance with regulatory requirements including for the purpose of the annual certification issued by the Board. The Committee examined the specific annual reports of the Internal Audit and Validation functions, as well as the Action Plan of the Risk Management function, in order to mitigate the critical issues identified;
• − the completeness, adequacy, functionality and reliability of the RAF for 2024, examining its methodological aspects, definition process and consistency with the Recovery Plan.

The Committee then examined the following periodic reports:

• − the results of the annual checks by the Asset Monitors on the Covered Bonds programmes;
• − the information flows on ICT risk and IT security for the current period pursuant to the Supervisory Provisions for banks;
• − the results of the checks and controls of the Group's business continuity plan;
• − preparation of the Group's IT security plan for the current year, included the Information Security Principles;
• − report by the Data Protection Officer on the activity carried out as at 30 June and 31 December 2023, together with the activities plan for 2024.

In light of the audits cited above, the Committee also met with the CDAITO to examine the safeguards introduced and remediation measures taken under the ION Remediation Programme to reinforce the Group's Business Resilience in outsourced Critical Services.

The Committee also met with the Chief Lending Officer to examine:

• half-yearly reporting on value adjustments applied in analytical measurement of NPL positions falling within its scope;
• issues deemed of interest, such as: i) the development of projects launched with regard to lending processes and the related regulatory compliance programmes; ii) the process of managing credit data assets within the framework of the Group's Data Governance/Data Quality model and compliance with the main regulatory developments/Supervisory requirements; and iii) the state of progress of the work of the Action Plan formulated to remedy the items of attention highlighted in the OSI "Internal Governance and Risk Management of non-IT outsourcing activities".

9) Opinions

9) Opinions

13) Internal control system

9. SUPERVISORY ACTIVITIES ON COMPLIANCE WITH THE REGULATIONS APPLICABLE TO THE BANK IN ITS CAPACITY AS THE PARENT COMPANY

The Committee – including by making use of the support of the Corporate Control Functions – found that the Bank, within the framework of the management and coordination activity of the Group, exercises control over the development of the different business areas in which the Group operates and the incumbent risks, over the maintenance of conditions of economic, financial and balance sheet equilibrium both of the individual companies and of the Group as a whole, as well as over the assessment of the various risk profiles contributed by individual subsidiaries and the total risk. The rules and procedures in place allow the Parent Company to promptly fulfil its disclosure obligations to the public in accordance with current provisions pursuant to Article 114, paragraph 2, of the Consolidated Law on Finance. The information flows between the Parent Company and its subsidiaries guarantee an effective exchange of information with regard to the management and control systems and the overall performance of the business.

Within the framework of the information flows provided for in Article 151-ter, paragraphs 1 and 4, of the Consolidated Law on Finance, the Committee met with the Board of Statutory Auditors of Intesa Sanpaolo RBM Salute S.p.A. to examine, among other aspects, the items of attention identified by the Corporate Control Functions and discuss the progress of the remediation actions identified.

Moreover, with a view to ensuring consistency at Group level in the manner of transposing and implementing Legislative Decree 231/2001, the Committee analysed the customary half-yearly report on the activities carried out by the Surveillance Bodies pursuant to Legislative Decree 231/2001, of the Italian companies of the Group.

10. CONCLUSIVE ASSESSMENTS OF SUPERVISORY ACTIVITIES CARRIED OUT

As detailed in the Report, the Committee verified the functionality of the internal procedures, which have been found fit also in 2023, to guarantee compliance with the laws, regulations and articles of association. The Committee ascertained that the decision-making process takes into due consideration the riskiness and the effects of management decisions taken and that Corporate Bodies have an adequate information flow system, including with reference to any Directors' interests. The organisational structure, the administrative and accounting system and the statutory audit of accounts process were found adequate and functional for the tasks they are expected to perform.

In particular, the Committee has reason to believe that the Bank's and Group's administrative and accounting system is such as to ensure a fair presentation of the operational events and that there are no significant shortcomings in the internal control system in relation to the financial reporting process. The Committee also found that the administrative and accounting procedures for the preparation of the financial statements and all other communications of a financial nature had been effectively applied.

The non-existence of critical elements such as to affect the governance and risk management process, and structure of the internal control system was also verified. The Committee has in fact assessed compliance with the supervisory provisions with reference to the general principles of the internal control system, the role of the Bodies, as well as the role and requirements of all the departments involved in the control system, checking their substantial adequacy, the correct performance of tasks and the proper coordination thereof. Where deemed appropriate, adoption of functional corrective measures was promoted to address any deficiencies identified.

Taking into account all the foregoing, having considered the content of the opinions issued by the Independent Auditors, and having taken note of the attestations issued jointly by the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports, the Committee has not reported – in as far as it is within their remit – any impediment to the approval of the financial statements of Intesa Sanpaolo S.p.A. as at 31 December 2023 accompanied by the Report on operations and the Notes thereto, as approved by the Board on 27 February 2024.

Finally, the Committee expresses its opinion in favour of the proposal to allocate the net income for the year and the related distribution of dividends formulated by the Board of Directors.

Milan, 21 March 2024 for the Management Control Committee

The Chair – Alberto Maria Pisani

This is an English translation of the original Italian document. In cases of conflict between the English language document and the Italian document, the interpretation of the Italian language document prevails.

15) Subsidiarie s requiremen ts

14) Adequacy of the accounting system

13) Internal control system

18) Conclusive assessmen ts