Enclosure 5 to Supervisory Board Resolution 334/23 dated 21 September 2023

RULES of the Risk Committee of the Supervisory Board of mBank S.A.

§ 1

Risk Committee tasks

Key tasks of the Risk Committee of the Supervisory Board of mBank S.A. ("Risk Committee", "Committee", "RCSB") arise from § 9cb (3) of the Banking Act. The tasks of the Risk Committee include, among others:

1) providing opinions on the risk appetite of mBank ("the Bank"), i.e. the Bank's overall, current and future readiness to take risk,
2) providing opinions on the risk management strategy for the Bank's activities developed by the Bank's Management Board ("Management Board") and on the information submitted by the Management Board concerning the implementation of this strategy, and presenting these opinions to the Bank's Supervisory Board ("Supervisory Board"),
3) supporting the Supervisory Board in supervising the implementation of the risk management strategy in the Bank's activities by senior management,
4) making recommendations for the Supervisory Board's approval of the strategies and policies developed by the Management Board, in particular regarding the internal capital assessment process
5) the ongoing monitoring of the risk management system, in particular the monitoring of credit risk, market risk (including interest rate risk and foreign exchange risk), liquidity risk and non-financial risks, including operational risk,
6) supervising the activities of the Management Board in managing the risk of negative impact of environmental factors on customers, counterparties or balance sheet items of the Bank,
7) verifying the adequacy of the prices of liabilities and assets offered to clients with the Bank's business model and its risk strategy and, where such prices do not adequately reflect the risks in accordance with that model and strategy, making proposals to the Management Board to ensure that the prices of liabilities and assets are appropriate to those risks,
8) issuing recommendations to the mBank Group Credit Committee (KKG) on exposures bearing the risk of a single client/group of connected clients. The criteria for the selection of exposures requiring the recommendation of the KKG and other rules for the participation of the KKG in the credit process are contained in Appendix 1.

§ 2 Risk Committee composition

1. The Risk Committee consists of at least 4 members, including the Chairman, who coordinates the Committee's activities
1. A member of the Committee who ceases to hold office should immediately hand over to the successor a written record describing any pending matters within the competence of that member so that the change does not adversely affect the Committee's work.

§ 3 Risk Committee meetings

1. The Risk Committee meetings should be convened by the Chairman at least once every calendar quarter.
1. Additional meetings going beyond the periodicity indicated in sec. 1, are convened by the Chairman on his own initiative or at the request of a member of the Committee or another member of the Supervisory Board.
1. Where the Chairperson is unable to attend, an alternate member of the Committee should be appointed as a replacement.
1. All Management Board members should be invited to the Risk Committee meetings. The attendance of the member of the Management Board responsible for the area of risk management (CRO) at Committee meetings is mandatory.
1. Other invitees may participate in the meeting or parts of the meeting.
1. Risk Committee members and members of the Management Board should receive the meeting invitation and a set of materials (including the meeting agenda) well in advance of the meeting.
1. Members of the Committee and other invited persons may participate in the meeting remotely, i.e. by means of direct remote communication, ensuring realtime communication and the identification of all participants, in line with the security rules in force at the Bank.
1. The meeting may be recorded, either as an audio recording or as a sound and video recording. The recording is used only for the preparation of the minutes of the Committee meeting and is permanently deleted after its approval by the members of the Committee.

§ 4 Risk Committee decisions

1. The Risk Committee takes its decisions at meetings or under written (circular) procedure. In either case, a draft decision with the required documentation is made available to all members of the Committee before a decision is taken.
1. Decision at the meeting requires the presence of at least half of the members of the Committee, including the Chairperson (or his/her deputy). The decision is taken by a majority of votes. In the event of an equal number of votes for and against, the Chairperson has the casting vote.

1. Decision under the circular procedure requires the voting of at least half of the members of the Committee within the specified time period, including the Chairperson. The deadline for voting is set by the Chairperson at the voting initiation. The decision is taken by a majority of votes. In the event of an equal number of votes for and against, the principle described in sec. 2 applies.
1. Risk Committee Decisions are signed by the Chairperson.

§ 5 Risk Committee meeting minutes

1. The Risk Committe meetings are minuted. The minutes include (at least):
2. 1) the date and place of the meeting, a list of Committee members present and other participants in the meeting, indicating the form of attendance (remote/on-site), the agenda for the meeting,
3. 2) the description of proceedings, significant findings and agreed actions,
4. 3) information on the conducted votings, their results, the number of votes for/against and the number of abstentions, the decision reference.
1. The draft minutes approved by the Chairperson are subject to approval at the next meeting by the members of the Committee who attended the minuted meeting. Any points of disagreement are resolved by the Chairperson. Disregarded contributions or dissenting opinions by members of the Committee are recorded in the subsequent minutes.
1. The approved minutes, signed by the Chairperson and the minutes taker, are passed on to the Supervisory Board.

§ 6 Risk Committee office

1. The Risk Committee's activities are supported by appointed staff in the risk management area ("RCSB office").
1. The RCSB office is responsible for providing operational support to the members of the Committee in the performance of their tasks, in particular for the preparation of the agenda of meetings, draft decisions, the preparation of meeting minutes and the distribution of materials to the members of the Committee.
1. The Chairperson may delegate selected activities (e.g. sending invitations to Committee meetings, conducting circular voting) to the RCSB office.

§ 7 Closing provisions

1. The Risk Committee submits annual reports on its activities to the Supervisory Board.
1. At least quarterly, the Committee informs the Supervisory Board on the supervisory activities carried out and their results.

The Rules of the Risk Committee are adapted to current needs. Any amendments to the Rules require a resolution of the Supervisory Board.

Appendix 1

to the Rules of the Risk Committee of the Supervisory Board of mBank S.A.

I. Credit exposures subject to the supervision of the Risk Committee

The Risk Committee exercises supervision over credit risk through issuing recommendations on exposures to corporate clients determined by the parameters listed below:

EL-rating	1.0 –1.8	2.0 – 2.8	3.0 – 3.8	4.0 – 4.8	5.0 – 5.8	6.0 – 6.5
mPLN	> 843,75	> 675	> 506,25	> 225	> 225	> 112,5
mEUR	> 187,5	> 150	> 112,5	> 50	> 50	> 25

1. In case of "specialized lending" exposures, values in the above matrix are reduced by 50%.
1. Exposures > 112,5 mPLN for customers with EL rating of 6.0 6.5 to which a RCSB recommendation have been issued already is not applicable for RCSB recommendation again.
1. A fixed PLN/EUR exchange rate of 4,5:1 is applied to the presented exposures denominated in EUR.
1. In all the current reports on credit portfolio, market risk, etc.(including reports to the Risk Committee), mBank S.A. converts exposures denominated in any currency at a current exchange rate (including PLN/EUR exchange rate).
1. A mezzanine finance exposures of nominal value > 5 mEUR (> 22,5 mPLN), regardless of the rating class, are also subject to the Risk Committee recommendation.

II. Procedure for supervision over credit risk exercised by Risk Committee

1. Following the approval from the KKG (initial decision), credit proposals concerning the exposures referred to above are forwarded together with a set of necessary documents to the Risk Committee.
1. Issuance of recommendations by members of RCSB is done by circulation as described in § 4 of RCSB Rules. A template for recommendation is given in Appendix 2. Voting by email notification is also accepted.
1. Upon obtaining the recommendation of the Risk Committee, each issue is reexamined by KKG which makes the final decision, taking into consideration, in particular, the remarks made by the Risk Committee.
1. The general remarks (Remarks or Pre-conditions) will be presented to mBank for information purposes before the release of the RCSB recommendation, in order to clarify any ambiguities and doubts.
1. KKG can declare a dissent to serious reservations of the Risk Committee. The final decision is announced by KKG to the Risk Committee along with suitable explanations of the KKG Chairperson.

1. The presentation period is once a year (if not defined separately). Only if there is an essential impact for the group exposure or a significant change in the risk profile, the Risk Committee will receive an application for recommendation in between the yearly review.
1. The Risk Committee and KKG must make every effort to adhere to a uniform credit culture.
III. Procedure for banks, credit institutions and international financial institutions

Banks, credit institutions and international financial institutions, within the meaning of the internal instruction "Limits of credit exposure at mBank S.A. for banks, credit institutions and international financial institutions" shall be excluded from the powers of the Risk Committee in the scope of recommending credit limits for the above-mentioned entities.

IV. Bagatelle–authority of KKG

The KKG headed by CRO has the right to make add-ons up to 10% of exposure within its own discretion, but notifying the Risk Committee.

Appendix 2

to the Rules of the Risk Committee of the Supervisory Board of mBank S.A.

RECOMMENDATION No. XX / XX of the Risk Committee of mBank Supervisory Board dated XXX taken in circular procedure

re: increase/decrease/ prolongation (tbd) of the general limit for (name of client)

Pursuant to § 1 point 8 of the Rules of the Risk Committee of the Supervisory Board, it is resolved as follows:

§ 1

the general limit for the XYZ in the amount of XXX PLN (in words: …..zlotys) prolonged / set (take accordingly) till – date – , including: