Intesa Sanpaolo

Governance Information • Mar 25, 2022

Report of the Management Control Committee to the Shareholders' Meeting on the supervisory activities performed in 2021

pursuant to Article 153, paragraph 1, of Legislative Decree 58 of 24 February 1998, and Article 23.1, letter j), of the Articles of Association

Distinguished Shareholders,

It is worth mentioning that the one-tier governance model adopted by Intesa Sanpaolo S.p.A. ("Bank" or "Parent Company") consists of a Board of Directors ("Board") with guidance and strategic supervision duties, management duties as well as control duties performed by the Management Control Committee ("Committee" or "Control Body") appointed by the Shareholders' Meeting as part of the Board itself.

The Committee plays a proactive role, within its own areas of responsibility, towards the Corporate Control Functions ("FAC") and engages in constructive dialogue with the Management of the Bank and the Intesa Sanpaolo Group ("Group"), including on the basis of information received during Board meetings and deemed worthy of further in-depth analysis. The activities carried out also take into account the indications provided by the Chairman of the Committee during the regular meetings held with the dedicated Secretariat, aimed at a mutual exchange of information deemed worthy of attention and the consequent planning of the Committee's work.

The Committee, in the fulfilment of its duties and in the interest of the best performance thereof, exchanges information of reciprocal interest and coordinates the performance of their respective duties with the Risks Committee, established within the Board, and with the Surveillance Body pursuant to Legislative Decree 231/2001. A Committee member usually attends meetings of the Risks Committee, subsequently reporting to the Control Body.

Pursuant to Article 153, paragraph 1, of Legislative Decree 58/1998, ("Consolidated Law on Finance"), the Committee is required to report to the Shareholders' Meeting, called to approve the financial statements for the period, on its supervisory activities and on any omissions or reprehensible facts recorded. This requirement is also stated in Article 23.1, letter j), of the Bank's Articles of Association. The Report was prepared taking into account the Consob recommendations on the matter and, in particular, Communication 1025564 of 6 April 2001 and subsequent updates, expressly referred to in the text.

During 2021, the following meetings were held:

• − 25 meetings of the Board of Directors;
• − 46 meetings of the Management Control Committee.

The Committee was also invited on 13 occasions to attend the meetings of the Risks Committee primarily during meetings - with the Manager responsible for preparing the Company's financial reports and the independent auditors EY ("Independent Auditors" or "EY") in relation to the preparation of the financial statements and the periodic financial reports, as well as the meetings – in the presence of the Chief Financial Officer departments – relating to the preparation of the Consolidated Non-Financial Statement ("CNFS"). In 2021, due to the emergency situation related to COVID-19 and in line with the previous year, the members of the Committee attended the meetings remotly. This has not impacted the activities of the Committee, also thanks to the IT processes and tools prepared by the Group.

1. SUPERVISORY ACTIVITIES ON COMPLIANCE WITH THE LAW AND THE ARTICLES OF ASSOCIATION

Regulatory developments

The Committee examined – within its own remit and also in virtue of the changes in the Supervisory provisions and more generally of the external legislation – the proposals to update the following internal regulatory bodies:

− Compliance Rulebook;

10) Meetings

• − Conflicts of interest Management Group Rules;
• − Rules governing transactions with subjects active in the armaments sector;
• − Rules for the provision of advisory services and of other investment services;
• − Rules for the marketing of OTC financial derivative products on interest rates, exchange rates and commodities referring to the Banca dei Territori Division;
• − Rules for the marketing of OTC financial derivative products on interest rates, exchange rates, commodities, loans and indexes referring to the IMI Corporate & Investment Banking Division;
• − Group Rules on Personal Account Dealing;
• 9) Opinions
• − Group Procedures regulating the conduct of transactions with Related Parties of Intesa Sanpaolo, Associated Entities of the Group and Relevant Persons pursuant to Article 136 of the Consolidated Law on Banking ("RPT Procedures") also for the purposes of issuing the requested opinion;
• − Integrated Internal Control System Regulation, also expressing its opinion where required;
• − Regulation for the Group Controls Coordination, Operational and Reputational Risk Committee;
• − Guidelines on the disclosure of financial information to the market (Financial Statements and Pillar 3);
• − Group Guidelines for the management of complaints, petitions to Supervisory Authorities and appeals to alternative dispute resolution bodies;
• − Rules on the transparency of banking transactions and services fairness of the relations between the Bank and customers;
• − Group Compliance Guidelines;
• − Guidelines for the valuation of Balance Sheet Items;
• − Business Model Rules.

The Committee examined the proposed adoption of the following internal regulatory bodies:

• − Rules regarding disavowals of unauthorized payment transactions;
• − Rules on the distribution of supplementary pension products;
• − Guidelines for the Segment Reporting preparation and Rules on the Allocation of managerial results for the Segment Reporting preparation.

The Committee was also informed of the publication of the Rules relating to derivative instruments and the provision of the clearing service in the EMIR and MIFID II / MiFIR areas, drawn up by the Chief Compliance Officer Governance Area.

The Committee also approved the amendments to its Regulations, after sharing the possible changes to be made with the competent Bank structures and submitting the revised text for examination and opinion by the Board of Directors.

The main changes made concerned (i) the possibility that a member of the Risks Committee or the Committee for Transactions with Related Parties can be appointed as a member of the Management Control Committee, without prejudice to the provision that in this case autonomy and independence of mind are ensured and that the different functions referred to each Committee are taken into account, as well as (ii) the exclusive assignment to the Management Control Committee – from the date of renewal of the Bodies – of the activities to be carried out in the field of financial reporting, hitherto delegated to the Risks Committee, in light of the recent changes made to the supervisory provisions.

Lastly, the Committee examined the Descriptive Document of Intesa Sanpaolo and of the former UBI Banca referring to 2020 – which indicates the safeguards adopted by the Banks regarding the methods of deposit and sub-deposit of financial instruments and cash pertaining to customers, in compliance with the regulatory provisions of the Consolidated Law on Finance – also receiving the final certificates issued by KMPG pursuant to the ISAE 3000 Revised certification standard.

Relations with Supervisory Authorities

The Committee is promptly informed, by a dedicated Secretariat, of the main communications addressed to the Bank by the Italian and European Supervisory Authorities relating to the matters within its remit, with particular regard to the control system.

With regard to relations with the European Central Bank ("ECB"), the Committee received, amongst other things, regular updates on the development of the Supervisory Plans for the On-site Inspections, Thematic Reviews and Deep Dives by the Authority itself, as well as on the preparation and progress of the relative remediation plans. In particular, the Committee received the expected reports and the consequent updates about the inspections on "Internal Governance – Compliance Function" and "ICAAP Management".

The Committee also received a report on the completion of the corrective actions defined in relation to an obligation included in the ECB's authorization provision relating to the request for the adoption of substantial changes in the internal credit risk measurement systems for the Retail SME segment, as well as the results

of the analyses conducted in this regard by the Internal Validation and Controls Head Office Department and the Internal Audit function.

Finally, the Committee examined, at its own request, the action plan prepared following the assessment conducted by the Joint Supervisory Team on the framework prepared by the Bank in application of the IFRS 9 accounting standard.

With reference to relations with the Bank of Italy, the Committee examined, in particular:

• − the response to the letter from the Supervisory Authority regarding the so-called "special-purpose loans", together with the considerations of the Compliance and Internal Audit functions, also in order to express their assessments to be addressed to the Authority;
• − some letters from the Bank of Italy concerning the application of penalties for non-compliance with the rules relating to the use of the assets pledged as collateral for credit transactions with the Eurosystem, receiving reassurances regarding the marginality of the errors detected and the start-up of actions useful for their resolution;
• − the response to the letter drawn up by the Authority following the inspection investigations conducted on Fideuram-Intesa Sanpaolo Private Banking Asset Management SGR and the consequent remediation plan prepared to address the critical issues identified;
• − the response provided to the Bank of Italy's request regarding (i) the progress of the ENIF Programme ("ENabling Integrated Financial crime fight"), ii) the conclusion of the activities carried out as part of the integration with the former UBI Banca, (iii) the strengthening of the intragroup information exchange and the areas for improvement in the field of quality assurance following the inspections conducted in 2020 by the Financial Intelligence Unit ("FIU") and (iv) the strengthening of anti-money laundering measures on the international network;
• − the information on the initiation of an inspection aimed at verifying compliance with the transparency regulations on payment accounts offered to consumers;
• − the response drawn up by the Internal Audit function containing the results of the investigation conducted – with the support of the Anti Financial Crime Department – on the correctness of the due diligence process in the disbursement, to certain corporate customers, of loans attributable to the pandemic emergency;
• − following a Communication from the Supervisory Authority, which took into account the opinion published by the European Banking Authority ("EBA") on the matter, the results of the analyses conducted by the Compliance function on the possible presence of hindrances to the provision of payment services offered by third parties.

The Committee constantly monitored, at its own request, the progress of the proceeding opened by the Italian Antitrust Authority ("AGCM") against Intesa Sanpaolo RBM Salute (formerly RBM Assicurazione Salute) and the supplier Previmedical for alleged unfair business practices in the offer of insurance services as well as the progress of the remediation plan defined also following discussions with IVASS. See the next pages for more details.

As for relations with Consob, the Committee examined the preliminary results of the inspections conducted on Fideuram-Intesa Sanpaolo Private Banking with reference to (i) the state of compliance of MiFID II; (ii) the internal controls carried out on the activities of financial advisors; (iii) the reporting of transactions suspected of constituting market abuse.

The Committee received, at its own request and until their completion, information on the progress of the remedial actions defined in relation to the results of the aforementioned inspections conducted in 2020 by the FIU at Intesa Sanpaolo, Fideuram-Intesa Sanpaolo Private Banking, Intesa Sanpaolo Private Banking and Banca 5, together with an in-depth analysis of the individual positions subject to dispute.

As far as relations with foreign Supervisory Authorities are concerned, the Committee:

• − examined the results of the usual annual inspection conducted by the Federal Reserve ("FED") and the New York State Department of Financial Services ("NYSDFS") with a particular focus on the anti-financial crime controls of the New York branch, on which the Authorities confirmed their level of adequacy and full compliance with the commitments undertaken with the Authorities themselves, as well as the response drawn up by the competent corporate functions. In this context, the Committee was informed of the formal closure by the US Authorities of the Written Agreement signed by the Bank in 2007;
• − examined the results of the inspection conducted by the National Future Association on the Bank as a Swap Dealer registered with that Association, as well as the contents of the response to the Authority's final report;
• − received information on the results of the investigations conducted by the Financial Industry Regulatory Authority against Intesa Sanpaolo IMI SEC (US broker-dealer);

• − examined the results of the inspection conducted by the Federal Banking Agency on the Subsidiary Intesa Sanpaolo Bank d.d. Bosna i Hercegovina, examining the remediation plan identified to deal with the areas for improvement recorded;
• − monitored the progress of the action plan prepared to address the findings raised by the German Supervisory Authority BaFin regarding the anti-financial crime controls of the Frankfurt branch;
• − analysed the final report prepared by the Croatian National Bank following the inspection conducted on the anti-money laundering measures of Privredna Banka Zagreb, also examining the remediation plan presented by the Subsidiary to the Authority.

Self-assessment and verification of requirements

As required by the internal rules, the Committee performed the usual annual self-assessment of its own composition and operation that was separate to the one carried out by the Board. As is common knowledge, this exercise was also aimed at assessing the correct and effective performance of the tasks entrusted to the Committee in its capacity as the Control Body of the Bank according to criteria and methods consistent with its own attributes.

Again in 2021, in line with the previous year and with the activities carried out by the Board, the Committee availed itself of the preliminary analysis performed by an independent external consultant.

The qualitative and quantitative results confirmed the Committee's adequacy and its overall compliance with the provisions of Corporate Governance Code for listed companies ("Corporate Governance Code"), with the guidelines of the EBA, with the provisions of Bank of Italy Circular 285/2013 and with best practices. At the end of the process, on 16 December 2021, the Committee expressed an assessment of adequacy with regard to its own size, composition and operation.

Furthermore, during the Board's meeting, in view of the renewal of the Bodies, within the scope of its responsibility, the Committee approved a document containing the Guidelines that the Board made available to the Shareholders in order to facilitate the process of defining the best proposals for identifying candidates for the office of member of the Board of Directors and member of the Management Control Committee.

The Committee therefore examined the procedure for checking the lists of candidates for the position of Director prepared in view of the Shareholders' Meeting.

Moreover, in accordance with the requirements of the internal rules, which incorporate the guidelines issued by EBA and by the European Securities and Markets Authority ("ESMA") implementing the principles set out in the EU Directive 36/2013 ("CRD IV"), on 10 February 2022, the Committee assessed the continuing existence of the necessary requirements for each of its members, including the absence of significant financial relationships with Group companies, as well as the compliance with the limitation of directorships for the purpose of assessing their independence in line with the provisions of the Regulation adopted on this subject by the Board.

As envisaged by the Corporate Governance Code, the members of the Committee ascertained the correct application of the assessment criteria and procedures adopted by the Board for evaluating the independence of its members.

During 2021, the Committee also verified the continuing compliance with the suitability requirements of its members following their taking up of new positions in other corporate Groups.

Petitions

5) Complaints Following-up on a complaint submitted by a shareholder pursuant to Article 2408 of the Italian Civil Code regarding the aforementioned proceeding opened by AGCM against Intesa Sanpaolo RBM Salute, the checks carried out showed that the processes and controls which, following the acquisition of the Company by Intesa Sanpaolo Vita in May 2020, were implemented or are being progressively implemented – also in order to make them compliant with the Group's quality standards – are such as to guarantee the protection of the policyholders, thus appropriately addressing complaints for improper conduct, with incremental and progressive benefits over time.

For this reason, the Committee decided not to take any action in relation to the facts reported, acknowledging that the Authority's measure has been challenged before the Regional Administrative Court.

6) Protests During 2021, there were 4 protests received, addressed by customers to the Control Body and related to the Bank's business. The Committee asked the competent corporate functions to carry out the appropriate checks on the matter which highlighted a situation of substantial regularity of the procedures carried out, suggesting a number of areas for improvement.

17) Adoption of the Corporate Governanc e Code

5

11) Principles

2. SUPERVISORY ACTIVITIES ON COMPLIANCE WITH THE PRINCIPLES OF CORRECT MANAGEMENT

The Committee has overseen compliance with the principles of correct management, holding regular meetings with the heads of the Corporate Control Functions, the Governance Areas and the Group Divisions as well as with the Manager responsible for preparing the Company's financial reports and the Independent Auditors, including in order to verify that management decisions are based on an adequate system of information flows to the Bodies and that the decision-making processes take into account the riskiness and effects of management decisions.

The Committee verified that the flows between the corporate functions and the Managing Director and CEO, as well as between them and the Board, are continuous. Information exchange between the Committee and the Managing Director and CEO is enhanced by regular meetings, mostly focused on the Bank's and the Group's performance, the functionality and effectiveness of the internal control and risk management system as well as on the recommendations made by the Committee in this regard in its own quarterly reports to the Board.

The Committee supervised the observance of the obligations envisaged for most significant economic, financial and capital transactions carried out by the Bank or the subsidiaries, confirming that they were performed according to law and the Articles of Association, and that they were not manifestly imprudent, hazardous, in conflict of interest, in contrast with resolutions taken by the Shareholders' Meeting, or likely to compromise the integrity of the shareholders' equity. The reports pursuant to Article 150, paragraphs 1 and 2 of the Consolidated Law on Finance are provided both as part of the information on the preparation of the financial statements given by the Manager responsible for preparing the Company's financial reports and at the regular meetings with the Managing Director and CEO.

The Committee received periodic information in accordance with the internal regulations on governance of the Most Significant Transactions, i.e. transactions that involve a potential significant change in the overall risk profile defined in the Risk Appetite Framework ("RAF").

Pursuant to the RPT Procedures, the Committee received the quarterly report on transactions with related parties and associated entities, including an assessment of the relevance of the financial reports for the purposes of the Directors' independence requirement. On such occasions, the Committee received the report on the interests declared by the Directors in performing certain transactions pursuant to Article 2391 of the Italian Civil Code.

Finally, the Committee oversaw the implementation and management of the Group's Code of Ethics, which self-regulates the integration of social and environmental considerations into business processes, practices and decisions.

Given the above, no atypical and/or unusual transactions were carried out – either with third parties, or related parties or intragroup – to be understood as transactions that could give rise to doubts concerning the fairness/completeness of the financial statements, conflicts of interest, the safeguarding of company assets, or the protection of minority shareholders. Likewise, no management irregularities nor performance anomalies emerged.

Significant events and the main transactions with related parties of major significance (including intragroup ones) and the other significant transactions carried out in compliance with the RPT Procedures were adequately reported and illustrated in the reports on operations and the notes to the Intesa Sanpaolo S.p.A. draft financial statements as at 31 December 2021 and the Intesa Sanpaolo Group's consolidated financial statements as at 31 December 2021 (together the "2021 Financial Statements").

3. SUPERVISORY ACTIVITIES ON THE PROCEDURES FOR EFFECTIVE IMPLEMENTATION OF THE CORPORATE GOVERNANCE RULES LAID DOWN IN THE CORPORATE GOVERNANCE CODE

The Committee examined the Report on Corporate Governance and Ownership Structures ("Report on Corporate Governance") for 2021 which was then approved by the Board of Directors on 1 March 2022, with particular reference to the information about the main features of the risk management and internal control systems in relation to the financial reporting process.

In this area, the Committee has favourably acknowledged that the Report has been drawn up taking into account the Recommendations for 2022 addressed by the Chairman of the Italian Corporate Governance Committee to all the Chairmen of the management bodies of Italian listed companies, the results of which indicate a general level of adequacy of the Bank's corporate governance, and the recent changes made to the Corporate Governance Code.

1) Most significant transaction s

of correct manageme nt

2) Atypical and/or unusual transaction

s

The Report on Corporate Governance, which should be consulted for further details, illustrates among other things the management and control model of Intesa Sanpaolo and provides a complete disclosure of how the Bank has adopted and implemented the recommendations of the Corporate Governance Code.

4. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ORGANISATIONAL STRUCTURE

12) Organisatio nal structure

The Committee carried out the usual survey of the organisational structure of the Corporate Control Functions and main Divisions of the Group, focussing on the adequacy of risk monitoring processes and procedures to support the business carried out.

In 2021, the Committee met at its own request, also in the presence of the Chief Audit Officer:

• − the head of the International Subsidiary Banks Division, and the Chief IT, Digital & Innovation Officer, to receive information on the following topics: i) progress of the activities for the establishment of the new IT services company of the International Subsidiary Banks, International Value Services; ii) outsourcing to Mercury Processing Services International – progress of the Remediation Plan; iii) progress of Cybersecurity measures on International Subsidiary Banks; iv) progress of the works of the Horus Project;
• − the head of the Group Supervisory Strategic Steering Head Office Department to receive information on (i) the organisational chart and sizing of the Department, (ii) the evolution of the supervisory activity entrusted to it, (iii) the results of the Supervisory Survey conducted within the Department, as well as (iv) the results of the Audit checks carried out on the operation of the Department, which revealed an "immaterial" residual risk level;
• − the head of the Administration and Tax Department to investigate the organizational and process aspects underlying the guidance and coordination activities exercised by the Management and Financial Governance unit towards subsidiaries, for the purposes of financial reporting.

With regard to the assessments carried out by the Committee on the adequacy of the Corporate Control Functions, see the chapter reported below in this report.

The Committee – at its own request and within the scope of its responsibility – continued to monitor the progress of the activities envisaged by the various initiatives launched as part of the integration process of the former UBI Banca into Intesa Sanpaolo. In particular, the Committee:

• met with the Chief Audit Officer on several occasions, to examine the results of the checks carried out on the overall Integration Programme and, more specifically, on the organizational and IT integration process of the former UBI Banca as well as on the integration process of the subsidiaries of the former UBI Group within the Intesa Sanpaolo Group;
• together with the Chief IT Digital & Innovation Officer, in the presence of the Chief Audit Officer and the competent structures of the Chief Operating Officer, carried out an in-depth analysis of the overall Process of integration and migration on the target system of Intesa Sanpaolo of the IT platforms used by the former UBI Banca Group;
• examined the organizational evolution of the Administration and Tax Head Office Department, also in light of the integration.

In referring you to the Report on Corporate Governance for further details about the Group's organisational and operational structure, the Bank's organisational chart as at today's date is shown below.

5. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ADMINISTRATIVE AND ACCOUNTING SYSTEM

The Committee – including in its capacity as Internal Control and Audit Committee pursuant to Article 19, paragraph 2, letter c) of Legislative Decree 39/2010 – examined the regular report on the activities carried out and the corrective measures prepared by the Manager responsible for preparing the Company's financial reports to support the statutory certifications and analysed the causes and remedies of any shortcomings of the accounting structure.

The Management and Financial Governance unit outlined the half-yearly reports on governance and control activities performed on the internal control system relevant for the financial reporting process, with the relative Tableau de Bord ("TdB") which summarise the main issues requiring attention and the progress of the relative mitigation actions, the report on the activities carried out in 2021 by the Assets and Liabilities Valuation Assessment Unit, as well as the action plan for 2022.

Considering the governance and oversight activities carried out in 2021, as well as the reduced level of residual risk, the Management and Financial Governance unit expressed a positive opinion – despite the presence of some areas for further improvement for which mitigation measures are under way – on the statutory requirements of the financial reporting, allowing the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports to issue the certifications required under Article 154-bis of the Consolidated Law on Finance for the consolidated half-yearly report as at 30 June 2021, the consolidated results as at 31 December 2021 sent for reporting purposes to the competent Authorities as well as the 2021 Financial Statements.

The Committee met, in the presence of the Chief Audit Officer, the Chief Financial Officer and the Chief Cost Management Officer for an overview of the Spending and Internal Pricing Governance Model currently adopted by the Group and of the initiatives being adopted, among which it records the transfer of costs from the Corporate Center to the Business Units.

The Committee – after receiving a biannual update as at 30 June – examined the Report on tax risk oversight activities carried out by the Bank in 2021, as required by the Italian Revenue Agency's cooperative compliance scheme, and the action plan for 2022.

The Committee also issued a favourable opinion on the proposal to confer an audit engagement to EY regarding the self-assessment – requested by the ECB as part of the SREP Letter 2020 – on the adequacy of controls in the process of preparing the separate and consolidated financial statements and the Segment Reporting.

As a result of the assessment, the Committee took note of the summary opinion, which confirms that the Group has an adequate governance and operational model for the processes of preparation of the Financial Statements and management reporting, even with some marginal areas for improvement.

The Committee subsequently received, as per its own request, the first work progress of the remedial actions undertaken to overcome the aforementioned areas for improvement as well as the results of the monitoring

9) Opinions

carried out on these actions by the Internal Audit function, from which it emerges how the activities proceed in line with the planned schedule.

The Committee, together with the Manager responsible for preparing the Company's financial reports, met with the Independent Auditors – even in accordance with Article 150, paragraphs 3 and 5 of the Consolidated Law on Finance – to examine the audit plan and the activities carried out to formulate the opinion on the 2021 Financial Statements. The Committee, at its own request, also met with the Independent Auditors on a second occasion to receive an update on the activities in progress.

In order to contribute to the assessment of the correct use of the accounting policies and the adequacy of the disclosure to the public, the Committee attended the meetings of the Risks Committee with the Manager responsible for preparing the Company's financial reports and the Independent Auditors to examine the instructions for the preparation of the interim consolidated statements as at 31 March 2021 and as at 30 September 2021, the consolidated half-yearly report as at 30 June 2021 as well as the 2021 Financial Statements. In particular the Committee examined the trend of non-performing loans and the results achieved in the application of the criteria and procedures for the classification, valuation and management of non-performing exposures. In addition, the Committee examined the aspects related to the implementation by Intesa Sanpaolo, starting from the 2021 Financial Statements and in accordance with the current regulatory context, of the new electronic communication format (ESEF).

As part of the aforementioned meetings, the process of preparing Pillar 3 and the CNFS of Intesa Sanpaolo was also examined, regarding which the Committee checked its compliance with the provisions of Legislative Decree 254/2016.

These documents were approved by the Board on 15 March 2022.

The Bank's financial statements and the Group's consolidated financial statements, pursuant to Legislative Decree 38/2005, are prepared in compliance with the IAS/IFRS issued by the International Accounting Standards Board and relative interpretations of the International Financial Reporting Interpretations Committee, endorsed by the European Commission, as provided for by EC Regulation 1606/2002. These documents are drawn up on the basis of the instructions issued by the Bank of Italy with Circular 262/2005 as subsequently amended.

The Intesa Sanpaolo draft financial statements as at 31 December 2021 and the Group's consolidated financial statements as at 31 December 2021 were approved by the Board of Directors on 1 March 2022. The disclosure to the public, under the provisions of the prudential supervisory regulations, was provided on the Bank's website within the term laid down for publication of the financial statements.

4) Reports by the Independe nt Auditors

16) Meetings with the Independe nt Auditors

On the 22 March 2022, pursuant to Article 14 of Legislative Decree no. 39/2010 and Article 10 of EU Regulation 537/2014, the Independent Auditors issued the reports on the audit of the Intesa Sanpaolo S.p.A.'s financial statements and on the consolidated financial statements of the Intesa Sanpaolo Group for the year ended 31 December 2021. In particular, the Independent Auditors:

• − issued an opinion in which they affirm that the financial statements provide a true and fair view of the financial position and operating results of Intesa Sanpaolo and the Group, and of the profit and loss and the cash flows for the year ended at that date;
• − presented the key aspects of the audit which, in their own professional opinion, are most significant and are used in forming their overall opinion of the financial statements;
• − attested that the reports on operations and some specific information contained in the Report on Corporate Governance are consistent with the financial statements to which they refer and are prepared in compliance with the law;
• − declared they had nothing to report pursuant to Article 14, paragraph 2, heading e), of Legislative Decree 39/2010, based on the knowledge and understanding of the company and its context acquired during the audit;
• − verified the approval by the Directors of the CNFS pursuant to Article 4 of the Consob Regulation implementing Legislative Decree 254/2016.

16) Meetings with the Independe nt Auditors

Moreover, on 22 March 2022, the Independent Auditors issued to the Committee the additional report envisaged under Article 11 of EU Regulation 537/2014, according to which no significant shortcomings were found in the internal control system as to the financial reporting and/or in the accounting system, which should be brought to the attention of those responsible for governance activities.

The annual confirmation of independence was issued, together with this report, pursuant to Article 6, paragraph 2, letter a) of EU Regulation 537/2014 and paragraph 17 of the International Standard on Auditing (ISA Italia) 260.

14) Adequacy of the accounting system

In light of the above, the Committee has reason to believe that the Bank's and Group's administrative and accounting system is such as to ensure a fair presentation of the operational events and that there are no significant shortcomings in the internal control system in relation to the financial reporting process. The Committee also found that the administrative and accounting procedures are effectively followed for the preparation of the financial statements and all other financial reports.

6. SUPERVISORY ACTIVITIES ON THE STATUTORY AUDIT PROCESS AND THE INDEPENDENCE OF THE INDEPENDENT AUDITORS

Intesa Sanpaolo has adopted specific Group Regulations for the governance of appointments given to independent auditors and their networks. Amongst the rules laid down by said Regulations – which are enforced save any different provisions of law or other mandatory legislation – the following rules should be borne in mind: a Sole Auditor for the Group; consistency of appointments with the Parent Company's indications; alignment of the duration of the statutory auditors' appointment.

The Regulations also include specific prior authorisation, monitoring and regular reporting procedures to the Management Control Committee, which are aimed at overseeing the independence of the independent auditors. For the purpose of this monitoring, the following types of appointment are defined:

• Audit, i.e. statutory audit services pursuant to Article 14 of Legislative Decree 39/2010 and Article 2409 bis of the Italian Civil Code as well as the other voluntary audit services;
• Audit Related, i.e. the tasks assigned by law or on behalf of an Authority as well as the operations which represent an extension of the audit appointment (issuance of certificates, examination of reports, agreed audit procedures). These appointments are usually conferred upon the Auditor as, by nature, they do not cause any detriment to the independence thereof;
• Non Audit, involving services not included in the previous Audit or Audit Related types, including of course those that are specifically prohibited pursuant to Articles 10 and 17, paragraph 3, of Legislative Decree 39/2010. These appointments cannot be given to the Main Auditor.

EY S.p.A. is the independent auditor which was assigned the role of Sole Auditor. Each assignment proposal that concerned subjects belonging to its network has been monitored in advance and – where required – authorised. Based on the results of this control process, we confirm that during the 2021 financial year non audit assignments were not granted to EY and parties connected to them by ongoing relationships.

According to the provisions of the Group Regulations, the full picture of the assignments to the Independent Auditors is described twice a year to the Management Control Committee by the Manager responsible for preparing the Company's financial reports, including for the purposes of the related reporting obligations in the financial statements and to the Shareholders' Meeting. A complete picture of the amounts paid to the Independent Auditors in 2021 is represented in the Annex to the financial statements entitled "Fees for auditing and the services other than auditing pursuant to Article 149-duodecies of Consob Regulation no. 11971", to which reference should be made.

				(millions of euros)
Type of service	Intesa Sanpaolo		Group Companies (*)
	EY	EY Network	EY	EY Network
Release of attestations (**)	2.90	-	3.38	-
Other services:
agreed audit procedures	-	-	0.40	-
non-financial statement	0.13	-	-	-
Total	3.03	-	3.78	-

The details of the fees for the Audit Related responsibilities for 2021 are shown below.

(*) Subsidiary Group companies and other consolidated companies.

(**) Including audit costs, on a voluntary basis, for the "Pillar 3" disclosure.

Amounts net of VAT and reimbursed expenses and Consob contribution.

The fees for Audit Related responsibilities mainly refer to activities attributable to the recurring obligations regarding the deposit and sub-deposit of the assets of the customers of the intermediaries (pursuant to the provisions of the Bank of Italy Regulation of 5 December 2019), checks aimed at issuing comfort letters in implementation of international issue programmes and other contractual activities envisaged by commitments already assumed by the Bank.

During the year, the Committee was asked to approve some integrations to the proposed audit activities envisaged with EY – in line with the conditions set out in them – as a result of circumstances that entail an increase in timescales with respect to prior estimates. These circumstances are connected to the integration of UBI Banca into the Parent Company, to changes in the scope of consolidation and to the consolidated disclosures linked to the recent acquisitions as well as to the integration of the fees envisaged for the Audit Related assignment relating to Pillar 3 of Intesa Sanpaolo, for effect of both the inclusion of UBI Group data in the Group's reporting, and of the regulatory evolution and the increased disclosures envisaged starting from the 2021 reporting. The Committee expressed a favourable opinion on the integration proposals, then approved by the Board.

During the year, the framework of the fees for the comfort letters connected to the bond issuance programmes was also submitted for approval to the Committee – broken down by type of issue and market – to be applied for the duration of the entire nine-year mandate. The fees were defined by applying the hourly rates and a professional mix provided for in the Framework Agreement.

Finally, for the sake of completeness, it should be noted that in March and June 2021 the Committee examined the proposal to grant audit appointments to EY for Audit Related activities in favour of Intesa Sanpaolo and Fideuram Intesa Sanpaolo Private Banking.

7. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE INTERNAL CONTROL SYSTEM

The Committee assessed compliance with the supervisory provisions with reference to the general principles of the internal control system, the role of the company Bodies, as well as the role and requirements of all the corporate functions involved in the control system, checking their substantial adequacy, the correct performance of tasks and the proper coordination thereof. Where considered appropriate, the adoption of functional corrective measures was promoted to address any deficiencies detected.

The Group's Integrated Internal Control System Regulation, implementing the current Supervisory Rules, outlines the duties and responsibilities of all the stakeholders in the internal control system, the procedures for coordination and interaction between control functions, the guidance and coordination procedures of the Group companies and international branches, and the main information flows between the various stakeholders in the system. The internal control system is structured on three levels:

• − Level I: line controls conducted by the operating and business structures including through units dedicated solely to control duties – and as far as possible incorporated in IT procedures, aimed at ensuring the proper execution of transactions;
• − Level II: controls aimed at ensuring the proper implementation of the risk management process, observance of operating limits and compliance of the operations with regulations. The functions assigned to such controls are separate from the ones in charge of production and contribute to the definition of the risk governance policies and the risk management process. These controls are performed:
  • ✓ by the Chief Compliance Officer Governance Area, which has the duties and responsibilities of the Compliance function with regulations and also includes the Anti-Money Laundering function,
  • ✓ by the Chief Risk Officer Governance Area, which has the duties and responsibilities of the Risk Management function and also includes the Validation function;
• − Level III: internal audit controls to identify breaches of procedures and regulations, as well as to assess the completeness, adequacy, functionality and reliability of the internal control system and the Group's information system, in relation to the nature and intensity of the risks. At Intesa Sanpaolo, the Chief Audit Officer reports directly to the Board of Directors and also reports functionally to the Committee, without prejudice to the appropriate sharing of information with the Managing Director and CEO.

The Group's internal control system – described in detail in the Report on Corporate Governance, to which reference should be made for further details – also sees other functions involved with control responsibilities (the Business Continuity function, the Cybersecurity function, the specialist functions) and, among others, also the Manager responsible for the Group Business Continuity Plan, the Manager responsible for preparing the Company's financial reports, the Independent Auditors and the Parent Company's Surveillance Body pursuant to Legislative Decree 231/2001.

With reference to the latter, every six months the Committee examined the report on the activities carried out noting that, according to the disclosure made, there are no facts or circumstances worthy of mention. According to a synergistic approach, the Committee and the Surveillance Body promptly exchanged relevant data and information during the year, by coordinating during joint meetings on matters of mutual responsibility.

Below you will find a summary of the activities conducted by the supervisors responsible for carrying out internal controls.

Chief Compliance Officer

The Chief Compliance Officer delivered the institutional and periodic reports within his remit to the Committee, and in particular the half-yearly report, the annual report and Risk Assessment, with the action plan for 2022, drawn up in accordance with current legislation; the Compliance Tableau de Bord, which provides an overview on the outlook for the most significant areas of attention, is enclosed with these reports which provide a summary report on the progress of complaints, claims and appeals by customers. The endof-year report also includes the details of the activities carried out in 2021 and the activities planned for 2022 with reference to the central depositories and the entities managed according to the guidance, coordination and control model, the report on the Governance of the Group asset management companies, the Product Governance Report, the regulatory areas overseen, and details of the human and financial resources allocated to compliance macro-processes.

9) Opinions

13) Internal control system

Pursuant to the regulations issued by Consob, the Chief Compliance Officer presented to the Committee the annual report on the terms of provision of services and investment activities and ancillary services and of distribution of financial products issued by insurance companies or banks, with the collaboration of the Chief Operating Officer and representatives from the Banca dei Territori Division.

The Chief Compliance Officer submitted the following to the Committee:

• − the Group annual report on the overall situation of claims, disclaimers, complaints to Supervisory Authorities and appeals to alternative dispute resolution entities;
• − the annual report on conflict of interest situations recorded in the area of investment or ancillary services, investment activities and distribution of insurance-based investment products;
• − at the request of the Committee, first an information on the structure, objectives and governance of the Compliance Next Programme, which proposes, over the course of the 2022-2025 Business Plan, to implement digitalisation, efficiency and the internationalization of the Bank's compliance function, as well as, subsequently, an update on the progress of this initiative;
• − the progress of the plan identified for the implementation of the Group's procedures and policies at the subsidiary Reyl & Cie SA;
• − information on the checks carried out on the control measures in the OTC Large Trader Reporting area, resulting from the registration of Intesa Sanpaolo as a swap dealer with the US Commodity Futures Trading Commission (CFTC);
• − information on accidents that occurred to the information systems of Mercury Payments Services (MEPS), which generated critical issues for some prepaid cards of the Banca dei Territori Division managed in outsourcing by the partner.

To enable the Committee to adequately perform its supervisory role on compliance with the rules for combating money laundering, terrorist financing and for embargoes management as well as verifying the completeness, functionality and adequacy of the relative controls system, the head of the Anti-Money Laundering department illustrated the half-yearly report and the annual report for 2021, with their respective Tableau de Bord, the annual Risk Assessment on anti-money laundering, terrorist financing and violation of embargoes, as well as the action plan for 2022. These reports include summary information on the progress of the training plan, on any communications from Control Bodies pursuant to Article 46 of Legislative Decree 231/2007, as well as details of the human and financial resources allocated to compliance macro-processes with respect to anti-money laundering, anti-terrorism, embargoes and anti-corruption legislation.

Also at the Committee's request, the head of the Anti-Money Laundering function also submitted:

• − initiatives aimed at strengthening the anti-financial crime controls of the Egyptian subsidiary Bank of Alexandria;
• − the progress of the activities to further strengthen the anti-money laundering model and the anti-financial crime controls of the Intesa Sanpaolo New York branch, together with the updated version of the BSA/AML/OFAC Sanction Policy and Compliance Program;
• − specific updates on the progress of the ENIF Programme, with a focus on the various areas of intervention identified. In this context, the Committee also received the required in-depth analysis on the activities carried out by the Competence Centers, in charge of the transaction monitoring and customer due diligence (Know Your Customer) processes;
• − an in-depth analysis of the client file review carried out by PWC on the customers of UBI Trustee SA, aimed at verifying their compliance with Intesa Sanpaolo standards, as well as the remediation plan prepared to deal with the critical issues identified;
• − information on the completion of the action plan regarding the anti-money laundering profiles of the subsidiary Morval Bank & Trust Cayman, a company in liquidation, as well as on the termination of relationships with customers as part of the aforementioned liquidation.

Lastly, the Committee received a report on the aspects related to the establishment of the Anti Financial Crime Digital Hub, aimed, also through the use of artificial intelligence, at a more effective fight against criminal phenomena in the financial sector, which appear to be increasingly sophisticated and digital.

Chief Risk Officer

The Chief Risk Officer submitted the following to the Committee: the Tableau de Bord of the critical issues in his own Governance Area on a six monthly basis, the annual report on the activities carried out in 2021, the Risk Assessment and the plan of the activities scheduled for 2022, including those for the Validation function. In accordance with Article 13, paragraph 2, of the Regulations issued by the Bank of Italy and Consob pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance, he also illustrated the Report on risk management activities within the scope of the investment services to customers carried out during 2021.

The Chief Risk Officer also described:

• − the results of the annual assessment on the overall consistency of the ratings of the External Credit Assessment Institutions with the measurements processed independently by the Bank;
• − the first results of the assessment conducted on the spread of the risk culture, as well as its perception within the Group.

Chief Audit Officer

The Committee mainly uses the Internal Audit function to carry out its supervisory duties. The Chief Audit Officer normally participates at meetings and provides ongoing information about the activities carried out – some of which at the Committee's own request – and on the progress of the remediation plans put in place by the competent corporate functions to overcome the critical issues encountered. The high priority issues reported by the Committee are taken into account at the time of defining the annual check plan of Internal Audit.

During the year, the Chief Audit Officer systematically and promptly reported the main findings that emerged whilst performing his own activities, to the Committee, including at the Committee's specific request. In particular, the results of the checks on the following points should be noted:

• implementation status of some corrective measures required by the ECB as part of the authorization concerning the Retail SME Model Change, and in particular of the obligation relating to the IT implementation of certain modules for calculating the rating;
• Leveraged Transactions and the process of identifying these transactions.

Moreover, the Chief Audit Officer presented to the Committee, also at the request of the Committee itself:

• the results of the checks carried out on the Intesa Sanpaolo Casa control system, which showed overall adequacy, even with some areas for improvement;
• an update on the remedial actions taken to solve the critical issues highlighted by the Surveillance Body of Intesa Sanpaolo Assicura, showing how the same have come to completion;
• the results of the checks carried out at the conclusion of the Banca IMI integration process, which showed no particular critical issues;
• the results of the checks carried out on the management of cash in the branches of the Group's International Subsidiary Banks, from which a substantially positive picture emerged;
• an update on the containment actions initiated following the investigations conducted by the Internal Audit function on anti-money laundering measures at international level;
• the results of the investigations conducted on a report received through whistleblowing channels by an employee of an International Subsidiary Bank;
• an in-depth analysis of the main focus points identified on the scope of the Group's international branches;
• a report on the completion of the remedial actions carried out to solve the weaknesses that emerged from the checks conducted on Banca 5 during 2020.

Every three months, using the Summary Audit Tableau de Bord, the Chief Audit Officer reported on the outlook for the most significant weaknesses found during the internal audit activities including in light of the respective remediation plans. Every six months, within the context of a specific report, he submitted his own considerations and assessments on the adequacy of the internal control system for risk management and presented, at the Committee's request, the changes in the least significant weaknesses set out in the Analytical Audit Tableau de Bord. On an annual basis, he prepared and shared, with the Committee, the final report on the activities carried out and the results of the Risk Assessment Audit and the action plan for the following financial year. The final report on the activities carried out in 2021 also fulfils the obligations laid down by the Bank of Italy with regard to disclosures to the Bodies on some specific areas such as liquidity risk management, anti-money laundering, information systems and business continuity, Parent Company governance of the Group's asset management companies, the result of the audits carried out at international branches and the internal systems for reporting violations of the rules governing banking (so-called whistleblowing).

The Chief Audit Officer also presented to the Committee the main elements of the 2022-2025 Strategic Audit Plan currently being drafted and fully defined, called "SAIL" (Strategic Audit Innovation Line Up).

The Chief Audit Officer also conducted the compulsory assurance activities (amongst which those on the remuneration and incentives system, on transactions with related parties and on the MST) and prepared the following regular disclosures pursuant to the current Supervisory Rules:

• − the annual report on the Group outsourcing of essential or important operational functions;
• − the quarterly report on whistleblowing reporting;
• − the annual report on internal audit activities required by Article 14 of the Consob-Bank of Italy Joint Regulation pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance.

During Board meetings, the Committee received reports from the Internal Audit function on the results of

consistency checks on the operating practices followed in the actual delivery of the 2020 incentive system as well as in the quantification and approval of the 2021 incentive system with the policies and the application parameters approved by the various Bodies and with the provisions issued by the Bank of Italy on this subject in transposing the EU Directives. The Chief Audit Officer expressed his opinion of adequacy.

Activity carried out by the Committee in the context of the COVID-19 emergency

The Committee, at its own request, received timely information by the competent corporate functions regarding the measures adopted by the Bank in relation to the evolution of the COVID-19 emergency, also in order to continuously ascertain the effectiveness of the control measures and the functionality of corporate processes, as well as to pay close attention to the critical issues that have been identified.

In particular, the Committee examined with the Chief Financial Officer, the Chief Risk Officer, the Chief Lending Officer, each within its remit, the initiatives adopted in terms of liquidity management, Credit & Market Risk, and support to Businesses and Retail customers.

Integrated Reporting by the Corporate Control Functions

The Integrated Tableau de Bord was submitted to the Committee on a six-monthly basis; it provides a summary of the findings with the greatest impact among those highlighted by the Corporate Control Functions and the Management and Financial Governance unit in their own Tableau de Bord, with details of the progress of their respective mitigation actions. On the basis of the assessments carried out by the Corporate Control Functions in 2021, the annual summary report was drawn up which shows that overall risk management is adequate in terms of completeness, functionality and reliability of the internal control system. This opinion is supported by the Integrated Risk Assessment, the results of which were included in the 2022 RAF.

Moreover, the Integrated Tableau de Bord of the International Subsidiary Banks was also presented to the Committee on a six-monthly basis; it provides a summary of the findings with the greatest impact on the international perimeter.

To analyse the causes and remedies of the critical issues highlighted by the Corporate Control Functions and monitor the actions aimed at improving the efficiency of the internal control system, the Committee – in the presence of the Chief Audit Officer – held the following meetings at its own request:

• − with the Chief Lending Officer, to examine the following issues (i) performance of the Partnership with Intrum; (ii) progress of the remedial actions resulting from the letter from the ECB "Project M - UTP loans securitization & outsourcing"; (iii) New Sector Framework Programme; (iv) relations with second-level controls, with a focus on Single Name controls and on requests for classification as a worsening risk status; (v) methods for managing the appraisals of real estate collaterals and (vi) remedial actions regarding the reports to the Interbank Alarm Center and the notification processes of UTP positions sold;
• − with the head of the Insurance Division and the CEO of Intesa Sanpaolo RBM Salute, in the presence of the Chief Compliance Officer and the head of the Legal Affairs Head Office Department – Group General Counsel, to investigate the aspects connected to the aforementioned proceeding opened by AGCM against Intesa Sanpaolo RBM Salute and the supplier Previmedical for alleged unfair business practices in the offer of insurance services as well as the progress of the remediation plan defined also following discussions with IVASS;
• − with the Chief IT, Digital & Innovation Officer, also in the presence of the Chief Compliance Officer, the Chief Risk Officer and the head of the Banca dei Territori Division, to examine the evolution of the model for managing disclaimers and preventing fraud against customers as well as the plan of interventions to adapt the related IT and organizational procedures;
• − with the head of the International Subsidiary Banks Division and the Chief Compliance Officer, to examine the results of the checks carried out on the transaction monitoring systems used by the International Subsidiary Banks of the International Subsidiary Banks Division, as well as to receive the required update on the progress of the remediation plan prepared to resolve the critical issues identified;
• − with the Chief Compliance Officer to receive the progress of the remedial actions defined to address the compliance gaps that have been identified in the Integration Program of the Banks of the former UBI Group in the Intesa Sanpaolo Group.

Lastly, the Committee examined the results of the Risk Assessment that the Corporate Control Functions conducted on the macro-initiatives of the new 2022-2025 Business Plan, examining the main aspects to be monitored, as well as the preliminary indication of the actions identified to mitigate the related potential risks.

Assessment of the Corporate Control Functions

For the purposes of assessing the suitability of the essential elements of the risk management internal control system architecture, the Committee examined the annual disclosure on the changes in staff, costs and investments directly attributable to the Corporate Control Functions. Further details on the staffing and Target sizing of the structures of the Corporate Control Functions are provided in their respective periodic reports to the Corporate Bodies. In light of the results obtained during its activities, the Committee expressed its own considerations on the aspects of independence, objectivity and effectiveness of risk management actions for the annual assessment carried out by the Board of Directors regarding the adequacy of the Corporate Control Functions.

For the purpose of paying the variable component of remuneration for 2021, the Committee first met with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to receive the results of the activities carried out by the respective areas during 2021. During the Performance Evaluation phase, it met with the competent structures of the Chief Operating Officer to examine the evaluation proposals made by them and express its opinion to the Remuneration Committee – within the scope of its responsibility – on the achievement of the objectives by the Chief Audit Officer, the Chief Compliance Officer, the head of the Anti Financial Crime Department, the Chief Risk Officer, the head of the Internal Validation and Controls Department, the Manager responsible for preparing the Company's financial reports and the head of the Safety and Protection Department in his capacity as Data Protection Officer.

For the purposes of the 2022 incentive system, during the Goal & Target Setting phase, the Committee first met with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to examine the action plan envisaged by each of their respective functions for 2022, including in order to evaluate the panel of possible Key Performance Indicators with which to monitor the effectiveness of the action by the relative functions and evaluate the managers' performance. The Committee then expressed its opinion – within its own remit – to the Remuneration Committee for the purpose of defining the objectives and individual performance levels to be attributed to the said Chiefs as well as to the heads of the Validation and Anti-Money Laundering departments, to the Manager responsible for preparing the Company's financial reports and to the head of the Safety and Protection Department including in his capacity as Data Protection Officer. The Committee also examined, in order to identify the expected KPI to be assigned to the Corporate Control Functions, the main features of the Performance Share Plan intended for Management under the 2022-2025 Long-Term Incentive Plans.

8. SUPERVISORY ACTIVITIES ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE RISK GOVERNANCE AND MANAGEMENT PROCESS

The Committee monitored:

• − compliance with the provisions relating to the Internal Capital Adequacy Assessment Process and the Internal Liquidity Adequacy Assessment Process (ICAAP/ILAAP), analysing in particular the scenarios and methodological and process aspects, as well as the findings from the Validation function on the adequacy of the framework for the quantification of economic capital and for managing liquidity risk and the results of the Internal Audit self-assessment on the quantification and assessment processes adopted;
• − the completeness, adequacy, functionality and reliability of the internal risk measurement systems to determine capital requirements, checking their compliance with regulatory requirements including for the purpose of the annual certification issued by the Board of Directors. The Committee examined the specific annual reports by the Internal Audit and Validation functions as well as the Action Plan of the Risk Management function in order to mitigate the critical points highlighted;
• − the completeness, adequacy, functionality and reliability of the RAF for 2022, examining its methodological aspects, definition process and consistency with the Recovery Plan.

The Committee examined the following periodic reports:

• − the results of the annual checks by the Asset Monitors on the Covered Bonds programmes;
• − the results of the annual assessment of the IT risk exposure on the procedures in operation in the Group;
• − the results of the checks and controls of the Group's business continuity plan;
• − preparation of the Group's IT security plan for the current year;
• − report on the operational and security risks relating to payment services;
• − the report by the Data Protection Officer on the activity carried out in 2021 as well as the action plan for 2022.

The Committee met the Chief IT, Digital & Innovation Officer, including at its own request, to examine:

− the integration process of international branches and legal entities into the Group's IT security model,

9) Opinions

9) Opinions

9) Opinions

9) Opinions

13) Internal control system

which recorded compliance with the set objectives and the regular progress of actions aimed at achieving compliance with local regulatory requirements on cybersecurity;

• − the progress of the Data Transformation Programme;
• − an in-depth study dedicated to the prospects for applying artificial intelligence within the Group;
• − a report about the new management model of the National Cybersecurity Perimeter.

The Committee , within its area of responsibility, examined the aspects connected to the military conflict between Russia and Ukraine, also by meeting with the Group's internal Emergency Management Operations Centre. The Committee will monitor the impacts that may arise for the Group from the decisions that will be taken at EU and international level as well as from the evolution of the geopolitical context.

Finally, the Committee met with the Data Protection Officer to receive information on the completion of the General Data Protection Regulation ("GDPR") compliance programme.

9. SUPERVISORY ACTIVITIES ON COMPLIANCE WITH THE LEGISLATION APPLICABLE TO THE BANK IN ITS CAPACITY AS THE PARENT COMPANY

The Committee – including by making use of the support of the Corporate Control Functions – found that the Bank, within the framework of the management and coordination activity of the Group, exercises control over the development of the different business areas in which the Group operates and the incumbent risks, over the maintenance of conditions of economic, financial and equity equilibrium both of the individual companies and of the Group as a whole, as well as over the assessment of the various risk profiles contributed by individual subsidiaries and the total risk. The rules and procedures in place allow the Parent Company to promptly fulfil its disclosure obligations to the public in accordance with current provisions pursuant to Article 114, paragraph 2, of the Consolidated Law on Finance. The information flows between the Parent Company and its subsidiaries guarantee an effective exchange of information with regard to the corporate governance systems and the overall performance of the business.

The Committee, as foreseen inter alia by Article 151-ter, paragraph 1 and 4, of the Consolidated Law on Finance, exchanged information flows with the Boards of Statutory Auditors of the main Italian subsidiaries of the Group and, in order to examine the critical issues found by the Corporate Control Functions and to monitor the remedial actions aimed at improving the efficiency of the internal control system, met in the presence of the Chief Audit Officer, the Board of Statutory Auditors of Intesa Sanpaolo Vita and the Board of Statutory Auditors of Fideuram – Intesa Sanpaolo Private Banking.

Moreover, with a view to ensuring consistency at Group level in the manner of transposing and implementing Legislative Decree 231/2001, the Committee analysed the usual half-yearly report on the activities carried out by the Surveillance Bodies pursuant to Legislative Decree 231/2001 of the Italian entities of the Group.

10. CONCLUSIVE ASSESSMENTS ON THE SUPERVISORY ACTIVITIES CARRIED OUT

As detailed in the Report, the Committee verified the functionality of the internal procedures, which have been found fit also in 2021, to guarantee compliance with the laws, regulations and articles of association. The Committee ascertained that the decision-making process takes into due consideration the riskiness and the effects of management decisions taken and that Corporate Bodies have an adequate information flow system, including with reference to any Directors' interests. The organisational structure, the administrative and accounting system and the statutory audit of accounts process were found adequate and functional for the tasks they are expected to perform. The non-existence of critical elements such as to affect the structure of the internal control system and the risk governance and management process was also verified.

Taking into account all the foregoing, having considered the content of the opinions issued by the Independent Auditors, and having taken note of the attestations issued jointly by the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports, the Committee has not reported – in as far as it is within its remit – any impediment to the approval of the financial statements of Intesa Sanpaolo S.p.A. as at 31 December 2021 accompanied by the Report on operations and the Notes thereto, as approved by the Board on 1 March 2022.

Lastly, the Committee expresses a favourable opinion on the proposed allocation of the profit for the year and the related distribution of dividends formulated by the Board of Directors.

Milan, 24 March 2022 for the Management Control Committee

The Chairman – Alberto Maria Pisani

15) Subsidiarie s requiremen ts

18) Conclusive assessmen ts

This is an English translation of the original Italian document. In cases of conflict between the English language document and the Italian document, the interpretation of the Italian language document prevails.