Corporate Governance
Risk Management, Internal Audit, Internal Control and Compliance
Assessments of the Audit Committee Regarding the 2025 Operations of the Internal Systems Units
At Ziraat Bank, internal systems activities are carried out under the coordination of the Internal Systems Group Head Office, with segregated duties and responsibilities, by the Head of the Board of Auditors, the Head of the Internal Control Department, the Head of the Risk Management Department, the Head of the Compliance Department, and the Information Security Management.
The organizational structure, established to cover all units and branches as well as subsidiaries subject to audit, aims to ensure the full and secure conduct of banking activities, the achievement of long-term profit targets, the preparation of reliable financial and administrative reporting, and the minimization of risks that may negatively affect the Bank’s reputation and financial stability.
ALİ ARAS
Head of Internal Systems Group
He was born in 1969 in Beyşehir. He completed his undergraduate studies at the Faculty of Political Sciences, Department of Finance, at Ankara University in 1990, and his master’s degree in Business Administration at Hacı Bayram Veli University in 2024. He began his career at our Bank in 1991 as an Assistant Auditor and served in various positions between 1998 and 2013, including Deputy Manager of Ankara Regional Foreign Transactions Branch, Branch Manager of Çorum Branch, Head of Çorum Region, Head of Konya Region, Head of Administrative and Social Services Department, Head of Procurement and Construction Services Department, and Head of the Board of Auditors. Appointed as Coordinator of Central Anatolia-2 in 2013, Aras served as Ankara Yenimahalle Regional Head between 2014-2018 and Ankara Çankaya Regional Head between 2018-2021. Between 2005-2014, he also served as a Board and Supervisory Board Member at our foreign subsidiaries Azertürk Bank, KZI Bank, and Ziraat Russia. In 2021, after serving briefly as General Manager at our subsidiary Ziraat International A.G. in Germany, he was appointed as Ankara Public Corporate Branch Manager in July 2021. He served again as Ankara Çankaya Regional Head between January 2023-September 2023. Since October 2024, Aras has been serving as Internal Systems Group Head.
Head of the Board of Auditors
In alignment with the Bank’s Sustainability Policy, the principle of banking with respect for people and the environment has also been adopted by the Board of Auditors, and activities are conducted in a manner that reflects environmental sensitivity.
Within the framework of sustainability, one of the primary agendas of both governments and institutions in recent years, the Bank’s activities were evaluated under the Sustainability Banking Process Audit. In this context, the key performance indicators (KPIs) required under sustainability-linked syndicated loans, the Bank’s environmental credit products within the scope of sustainability, the Draft Communiqué on GAR published by the BRSA on 01.10.2023, and the relevant sustainability regulations issued by the Public Oversight Authority for the financial sector were examined to assess the Bank’s overall level of compliance with the strategies and policies of national and international authorities in sustainable banking. Additionally, the Integrated Annual Reports published annually since 2019, which include the Bank’s sustainability policies, as well as the general strategies and policies of national and international authorities in sustainable banking, were reviewed.
Within the audit model implemented by our Board, the preparation of all branch reports through the system has eliminated the need for physical document/report submission.
In addition to branch audits, audit reports for all Head Office units are also prepared and monitored through the system. Furthermore, to support environmental sustainability, office-wide waste management practices have been implemented. In this context, waste separation bins are used in office areas to ensure the source separation of recyclable waste, including paper waste. This practice aims to ensure effective waste management and reduce environmental impacts.
Moreover, with the use of electronic signature and virtual archive applications, all audit and inspection/investigation reports are archived digitally within the core banking system without the need for a physical document archive.
Through the transition of audit and investigation reports to the system and the virtual archive application, savings equivalent to 33,000 A4 sheets of paper have been achieved.
Operation of the Internal Audit System
The Board of Auditors conducts audits of all activities carried out at the Bank’s Head Office units, domestic and international branches, and subsidiaries to determine whether they are performed in accordance with laws and other relevant regulations, as well as the Bank’s internal strategies, policies, principles, and objectives, within a risk-based audit approach.
The Board of Auditors continues its work by informing senior management and contributing to decision-making processes.
Operating in line with international internal auditing standards, the Board of Auditors, in 2025, assessed the Bank’s activities not only in terms of compliance with the processes to which they are subject, but also by evaluating the effectiveness and efficiency of core process steps and supporting processes. In addition, processes specified in the regulations issued by the BRSA regarding information systems and business processes were also audited within the framework of Bank practices.
The activities carried out within the Board of Auditors in 2025 are summarized below:
The Centralized Audit Team, which has a deterrent effect in preventing irregularities through scenario analyses, continued its activities in 2025. The team continuously reviewed and improved the effectiveness of existing scenarios developed against potential fraud and continued system enhancements to minimize manual processes used during audits. Work initiated to integrate artificial intelligence technology into centralized audit processes is ongoing. Through this initiative, transaction types sent to branches will be incorporated into machine learning models, enabling fraud probability calculations and allowing faster and more effective detection of a greater number of potential fraud cases.
The R&D Team, which monitors international standards and practices in auditing, completed its work on updating the audit model with a dynamic approach. In the new audit structure, in addition to on-site branch audits, scenario-based dynamic audits have been initiated to centralize audits and promptly include emerging risks within the audit scope. These efforts aim to identify risks before they escalate and have enabled coverage of a broader range of branches than before. The team closely monitors laws, BRSA decisions, and changes foreseen by senior management and Head Office units, and updates audit points accordingly.
Sampling rules used in branch audits were revised, and new rule sets were developed that incorporate customers’ probability of default (PD) data into the analyses. This enabled more accurate identification of risk-based samples. Additionally, sampling rules were designed dynamically, allowing immediate adjustment in line with economic conditions and the Bank’s risk appetite.
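As an added illustration of what a PD-driven, adjustable sampling rule can look like (example code written for this page, not the Bank’s own rule set, which is not published here): the rule set below always includes the loans with the highest expected loss (PD × exposure), fills the rest of the sample by drawing with probability proportional to expected loss, and exposes a PD floor that can be tightened when risk appetite changes. The loan records, field names and the `SampleRule` parameters are all assumptions constructed for the example.

```python
"""Illustrative risk-based audit sampling driven by probability of default (PD).

Example code added for this page; the loans, branch codes and rule
parameters are constructed and do not represent any bank's data or policy.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Loan:
    loan_id: str
    branch: str
    pd: float        # probability of default in [0, 1] (assumed to come from the rating model)
    exposure: float  # outstanding amount in the reporting currency


@dataclass(frozen=True)
class SampleRule:
    sample_size: int      # total loans to pull into the audit sample
    mandatory_top_n: int  # highest expected-loss loans that are always sampled
    pd_floor: float       # loans below this PD are not considered for the random part


# Constructed sample portfolio (not real customer data).
SAMPLE_LOANS = [
    Loan("L1", "BR01", 0.005, 500_000),   # large but very low PD
    Loan("L2", "BR01", 0.200, 50_000),
    Loan("L3", "BR02", 0.080, 200_000),   # highest expected loss
    Loan("L4", "BR02", 0.020, 30_000),
    Loan("L5", "BR03", 0.350, 20_000),
    Loan("L6", "BR03", 0.001, 900_000),   # largest exposure, negligible PD
    Loan("L7", "BR01", 0.120, 10_000),
]


def expected_loss(loan: Loan) -> float:
    """PD x exposure; used both for ranking and as the sampling weight."""
    return loan.pd * loan.exposure


def risk_based_sample(loans: list[Loan], rule: SampleRule, seed: int = 0) -> list[str]:
    """Return sorted loan IDs selected under `rule`.

    1. The top `mandatory_top_n` loans by expected loss are always included.
    2. The remaining slots are filled from loans with pd >= pd_floor, drawing
       without replacement with probability proportional to expected loss.
    If fewer eligible loans exist than slots, the sample is simply smaller.
    """
    rng = random.Random(seed)  # seeded so the draw is reproducible for review
    ranked = sorted(loans, key=expected_loss, reverse=True)
    mandatory = ranked[: min(rule.mandatory_top_n, rule.sample_size)]
    chosen = {loan.loan_id for loan in mandatory}

    pool = [loan for loan in loans if loan.loan_id not in chosen and loan.pd >= rule.pd_floor]
    remaining = rule.sample_size - len(chosen)
    while remaining > 0 and pool:
        weights = [expected_loss(loan) for loan in pool]
        pick = rng.choices(pool, weights=weights, k=1)[0]
        chosen.add(pick.loan_id)
        pool.remove(pick)
        remaining -= 1
    return sorted(chosen)


if __name__ == "__main__":
    normal = SampleRule(sample_size=4, mandatory_top_n=2, pd_floor=0.01)
    tightened = SampleRule(sample_size=4, mandatory_top_n=2, pd_floor=0.10)
    print("normal appetite :", risk_based_sample(SAMPLE_LOANS, normal, seed=1))
    print("tightened       :", risk_based_sample(SAMPLE_LOANS, tightened, seed=1))
```

Raising `pd_floor` is the "dynamic" knob: with the floor at 0.10 the random part can only draw from L5 and L7, so the sample becomes fully determined by risk rather than by chance, while the mandatory tier still guarantees that the largest expected losses (L3 and L2) are always audited even when their exposure or PD alone would not stand out.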
The Information Systems Team annually evaluates the effectiveness, adequacy, and compliance of controls established over information systems and business processes of the Bank, consolidated domestic and international subsidiaries, foreign branches, and outsourced service providers, taking into account relevant internal and external regulations, international standards, and best practices, using a risk-based approach. Work continued in 2025 within this scope.
The Data Security Team, responsible for protecting customers’ and the Bank’s confidential information, continued its activities in 2025.
In line with the technological transformation brought about by digitalization, the Data Science Team, established to enhance audit efficiency by identifying process deficiencies, measuring widespread risk, filtering risk-related data from the Bank’s data pool, improving processes, and increasing efficiency through scenario development, intensified its work in 2025. Outputs from numerous studies were shared with the relevant Head Office units. The team also aims to build profiles from the findings of previous audits and investigations so that future findings, inefficiencies, and irregularities can be detected faster and more effectively using machine learning. Where historical profiling or prediction is not feasible, similar data elements within the target dataset are clustered or anomaly detection is applied.
Due to the global and local shift in audit approaches from traditional structures to dynamic models, the Board of Auditors updated its audit framework. In addition to branch audits, scenario-based audits have been initiated by the Scenario Audit Team. Within each scenario, a macro-level approach enables engagement with multiple branches, units, and personnel. Through the “Digital Auditors MÜF-IT” project initiated in 2025, real-time, risk-based automated data analysis is planned to enable early risk detection and increase digitalization and efficiency in audit processes. In 2026, further developments are planned, including the integration of new audit areas through machine learning and continuous improvement, thereby enabling the allocation of human resources to more strategic areas.
To ensure more effective and efficient use of analytical tools, members of the Board of Auditors participated in Oracle SQL and Python training programs.
Following the Assistant Auditors Entrance Examination held by the Bank in June 2025, 20 successful candidates commenced employment during the year. Additionally, 18 auditors transitioned to administrative roles in 2025, thereby sustaining the function of providing qualified human resources to the Bank.
In the coming period, the Board of Auditors will continue, with a high sense of responsibility, to execute the internal audit plan prepared on the basis of risk assessments and in line with the objectives and policies determined by senior management, to report the results to the Board of Directors through the Audit Committee, and to monitor the actions taken in response to audit findings.
Operation of the Internal Control System
The Internal Control Department continues its control activities at the Bank’s Head Office units, domestic and international branches, and subsidiaries in order to ensure that activities are conducted regularly, efficiently, and effectively in accordance with the provisions of the Banking Law, the regulations issued by the BRSA regarding banks’ internal systems and information systems, other applicable legislation, and the decisions of the Board of Directors, as well as within the framework of internal rules and regulations.
Activities are carried out in alignment with the Bank’s main objectives and strategies in terms of scope and methodology. Through a proactive structure, the Internal Control function contributes to ensuring that the Bank’s operations are conducted in compliance with both internal and external regulations and competitive conditions, exceeding sector norms where applicable.
Domestic branch controls are conducted on-site and centrally within a dynamic structure for each quarterly activity period, taking into account the last control/audit dates of branches and the audit plan, based on cyclical risk assessments. Control activities are designed around a technology-oriented and centralized approach, aiming to promptly and effectively address widespread deficiencies at the relevant business units.
Real-time controls are performed over operational transactions, accounting records, and credit transactions. Transactions within defined risk scenarios are reviewed during the day, and erroneous transactions are corrected. By ensuring real-time monitoring and increasing effectiveness through preventive actions, the internal control system has become an integral part of the Bank’s daily operations.
For this purpose, anomalies are detected using event and action management tools developed by internal controllers through EVAM scenarios, and criteria within credit appraisal reports prepared for customers are reviewed through the integration of artificial intelligence and machine learning solutions into control processes. This approach aims to prevent errors and deficiencies that may arise in the recording of assets and liabilities and their reflection in financial statements. These control practices also help prevent additional costs and excessive human resource usage, contributing to the sustainability-oriented development of control activities.
As of 2024, the integration of accounting and operational transaction controls performed by branches into robotic processes and the generation of related reports by robots began in pilot branches. In 2025, the robotic control process transitioned from pilot to live implementation, covering designated branches and resulting in significant time and cost savings.
Analytical control activities are conducted by internal controllers to centrally detect widespread errors or systemic deficiencies across the Bank. In the controls and analyses conducted, scenarios are developed using database programs and various analytical tools. Some of the work carried out in this context has also been recognized by global organizations.
Control programs for business units are designed and revised as needed, taking into account each unit’s functions, risk profile, job descriptions, and impact on the Bank’s balance sheet. Based on these programs, an adequate number of internal controllers conduct reviews of the business units.
Internal control activities for foreign branches are carried out and monitored in accordance with annually prepared control plans. Reports prepared for foreign branches are reviewed by the relevant internal controllers and findings are forwarded to the respective Head Office units based on subject matter.
In addition to control activities, internal controllers share process improvement recommendations with business units regarding processes carried out within the Bank, aimed at enhancing these processes and preventing potential risks. This practice aims to identify and prevent risks in advance, improve processes to adapt to the competitive environment and ensure customer satisfaction, and implement cost-reduction measures.
With the implementation and development of projects such as centralized real-time controls for retail and corporate loans, deployment of robotic controls, and expansion of scenario-based analytical control activities initiated in 2024, on-site branch control activities have decreased. Consequently, the need for business travel, including flights, road transportation, and hotel accommodations, has declined.
Another significant project involved integrating physical reports containing findings from internal control activities conducted at the TRNC Country Management into the internal control modules of the core banking system, thereby reducing paper consumption and achieving resource savings. As a result, the reporting and follow-up process of internal controllers has become more efficient, facilitating corrective actions and process improvements at controlled units. Findings and control results are periodically shared with relevant business units and senior management.
Within the scope of Article 18 of the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks, compliance controls are also conducted under the Internal Control function. In this context, all current and planned activities, as well as new products and transactions, are reviewed for compliance with laws, regulations, internal policies, banking practices, and standards. Additionally, regulations issued or revised within the Bank are reviewed under compliance controls, and related opinions are shared with the relevant units.
Within sustainability initiatives, 50 staff members have been certified as Internal Auditors and 2 staff members as Lead Auditors to enable the Internal Control Department to conduct internal audit activities related to the ISO 14001 Environmental Management System certification process. Accordingly, control points have been established for use in annual Head Office unit controls and branch inspections within the Department’s control program.
Information systems internal control activities are conducted at the Bank and external service providers in accordance with annual information systems internal control review plans, based on the Regulation on Banks’ Information Systems and Electronic Banking Services and generally accepted standards. In this scope, data update and service management (SM) call records, application development requests, out-of-hours access by users with remote access authorization, and database queries recorded by branches, Cash Management Centers, and Head Office units are periodically reviewed.
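Two of the review items listed above, out-of-hours access by users holding remote-access authorization and database queries issued from branches, are the kind of periodic check that is usually run as a scripted pass over access and query logs. The block below is an added example written for this page, not the Bank’s own control logic: it parses constructed log lines in an assumed pipe-separated format, flags logins outside an assumed business-hours window (or at the weekend) for an assumed set of remote-authorized users, and flags branch-originated SELECT statements that have no WHERE clause or use an open `LIKE '%'` pattern. All user IDs, branch codes, timestamps and thresholds are constructed assumptions.

```python
"""Illustrative periodic review of out-of-hours remote access and branch database queries.

Example code added for this page. Log format, user IDs, branch codes, business
hours and the query heuristics are assumptions, not the Bank's configuration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log (not real data). Assumed format: timestamp|actor|source|event|detail
SAMPLE_LOG = """\
2025-03-03T09:15:00|u1001|remote-vpn|login|ok
2025-03-03T23:40:00|u1001|remote-vpn|login|ok
2025-03-04T02:05:00|u2002|remote-vpn|login|ok
2025-03-04T10:00:00|u3003|office-lan|login|ok
2025-03-04T11:30:00|BR0451|branch|db_query|SELECT * FROM customers WHERE name LIKE '%'
2025-03-04T11:31:00|BR0451|branch|db_query|SELECT balance FROM accounts WHERE account_no = 'X'
2025-03-04T11:32:00|BR0451|branch|db_query|SELECT * FROM accounts
2025-03-05T21:10:00|u3003|office-lan|login|ok
2025-03-08T10:00:00|u1001|remote-vpn|login|ok
"""

# Assumed: users who hold remote-access authorization (the population the review targets).
REMOTE_AUTHORIZED = {"u1001", "u2002"}
# Assumed business-hours window on weekdays; anything outside it, or on a weekend, is out of hours.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)
BRANCH_SOURCES = {"branch"}

# An open LIKE pattern returns every row, which is what the broad-query rule looks for.
OPEN_LIKE = re.compile(r"LIKE\s+'%'", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    source: str
    event: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the assumed pipe-separated format; the detail field may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, source, event, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), actor, source, event, detail))
    return events


def is_out_of_hours(ts: datetime, start: time = BUSINESS_START, end: time = BUSINESS_END) -> bool:
    """Weekend, or a weekday time outside [start, end)."""
    if ts.weekday() >= 5:
        return True
    return not (start <= ts.time() < end)


def is_broad_query(sql: str) -> bool:
    """Heuristic: a SELECT with no WHERE clause, or with an open LIKE '%' pattern."""
    normalized = " ".join(sql.strip().upper().split())
    if not normalized.startswith("SELECT"):
        return False
    return " WHERE " not in normalized or bool(OPEN_LIKE.search(sql))


def review(events: list[Event], remote_authorized: set[str] = REMOTE_AUTHORIZED) -> list[tuple[str, Event]]:
    """Return (rule_name, event) pairs for everything a reviewer should look at."""
    findings = []
    for e in events:
        if e.event == "login" and e.actor in remote_authorized and is_out_of_hours(e.ts):
            findings.append(("out_of_hours_remote_access", e))
        if e.event == "db_query" and e.source in BRANCH_SOURCES and is_broad_query(e.detail):
            findings.append(("broad_branch_query", e))
    return findings


if __name__ == "__main__":
    for rule, e in review(parse_events(SAMPLE_LOG)):
        print(f"{rule:28s} {e.ts.isoformat()} {e.actor:7s} {e.detail}")
```

Note that the out-of-hours rule is deliberately scoped to the remote-authorized population rather than to the connection source: u3003 logs in at 21:10 from the office LAN but holds no remote authorization, so that event is left to whatever control covers on-site access. The query heuristic is intentionally coarse; in practice it would be tuned to the tables that hold customer data, but the two findings it raises here (an open wildcard and an unfiltered table read) are exactly the records a periodic review wants a person to justify.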
Preliminary review activities are conducted by Internal Controllers in response to complaints, whistleblowing records, potential loss-generating transactions, or matters considered risky or suspicious according to standard practices, whether identified internally or reported through any channel to the Internal Control Department.
Operation of the Compliance System
Activities aimed at preventing money laundering, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction at the Bank are carried out in accordance with national and international regulations.
Pursuant to the amendments made to Law No. 5549 on the Prevention of Laundering Proceeds of Crime and the updated “Regulation on the Compliance Program Regarding the Prevention of Laundering Proceeds of Crime,” the Bank, as the main financial institution within the Ziraat Financial Group, follows the compliance program and the Ziraat Financial Group Compliance Policy on a group basis together with financial institutions operating domestically. In this context, the Bank’s Procedures and Principles for the Prevention of Money Laundering and the Financing of Terrorism/Proliferation of Weapons of Mass Destruction have been fully updated to ensure effective fulfillment of the responsibilities introduced by the relevant laws and regulations. Personnel and resource allocation are carefully managed, taking into account the structural characteristics of the Group.
With the rapid digitalization brought by technological developments in banking processes, criminal organizations have also increased their use of technology to finance illegal activities and have begun to adopt more sophisticated tools. Alongside its investments in financial service innovations and new products, the Bank has developed preventive control mechanisms to ensure that its products and services are not used as instruments for illegal activities. In cases where preventive controls are insufficient, the Bank is structured to ensure timely detection and proactive measures, enabling rapid action in combating proceeds of crime.
Projects aimed at establishing a system that better identifies potential risks in the areas of money laundering, financing of terrorism, and proliferation financing, and effectively manages and controls these risks, are intensifying. In addition to the knowledge and analytical skills of specialized personnel, greater emphasis is placed on digital solutions based on artificial intelligence and machine learning. The Bank will continue investing in technology-based, innovative processes to enhance the effectiveness and speed of anti-money laundering and counter-terrorism financing measures and obligations.
Systemic improvements continue to ensure that the customer onboarding process is adapted to current conditions while minimizing compliance risks.
Within the Ziraat Financial Group, an effective risk-based approach is implemented across all domestic and international financial institutions (IFIs) to combat money laundering, terrorism financing, and proliferation financing. Relevant risks are identified and classified, and effective and proportionate controls are established on the basis of these risks. New typologies developed by criminal and terrorist networks in all countries and areas of operation are closely monitored, trend analyses are conducted, and resources are allocated in line with the risk-based approach model. In this context, in addition to increasing human resources, projects aimed at more efficient use of technological capabilities are being implemented rapidly. Efforts are also underway to enhance effectiveness and speed through machine learning structures.
Written policies and procedures established at the Group level and updated in line with regulatory changes ensure that the Bank’s and the Ziraat Financial Group’s products and services are not used for money laundering, terrorism financing, or proliferation financing purposes. Necessary measures are taken to prevent exposure to operational, reputational, and sanctions risks.
Preventive controls have been developed to avoid entering into business relationships with individuals and entities included in the Bank’s monitored sanctions programs, to prevent the provision of services related to sanctioned activities, and to ensure that no banking services facilitate sanctions violations.
Within the scope of the compliance program regulation, a system developed to enable information sharing within the Ziraat Financial Group, supported by the Bank’s technological infrastructure, continues to ensure secure information exchange within the Group in line with the information sharing policy.
In addition to domestic subsidiaries, regular coordination is maintained with overseas branches and subsidiaries in line with the coordinated compliance strategy within the financial group. Joint efforts are carried out, particularly in the area of AML/CFT, to ensure compliance with national and international regulations and practices. Where necessary, remote or on-site support and training are provided to relevant branches or subsidiaries.
Internal training sessions are organized to develop common standards, processes, and policy objectives regarding the prevention of money laundering and terrorism/proliferation financing, and to facilitate mutual information exchange.
Furthermore, awareness-raising training programs continue to be delivered to all employees to enhance their knowledge and sensitivity regarding the prevention of money laundering and terrorism financing.
Ziraat Bank will continue strengthening its controls, taking applicable laws and regulations into account, to ensure the timely identification, minimization, and prevention of compliance risks at the Group level.
Both the Bank as the main financial institution and the compliance units of financial institutions operating within the Ziraat Financial Group will continue to follow new trends and best practices in the AML/CFT field, leveraging expert personnel, analytical infrastructure, and technological capabilities to maximize efficiency and effectiveness through a risk-based approach.
Operation of the Risk Management System
Ziraat Bank’s risk management activities are conducted with the aim of embedding a risk culture across the Bank and continuously improving systems and human resources, thereby aligning the risk management function with best practices, in accordance with the Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process and other relevant regulations, as well as BRSA Good Practice Guides. Activities carried out within the risk management framework cover the following main areas: credit risk, market risk, operational risk, balance sheet risks (interest rate risk arising from the banking book and liquidity risk), internal rating-based modeling, and validation. In addition, activities are conducted to ensure compliance with local regulations by our overseas branches and subsidiaries and to monitor their risk-related ratios. Particular attention is paid to ensuring coordination among the units involved in each risk type and the related business lines.
Within the scope of credit risk management, studies are conducted to define, measure, monitor, and report credit risk using methods compliant with Basel III. Board-approved credit risk limits are monitored, and scenario analyses and stress tests are performed by applying various shocks to credit risk factors. Counterparty credit risk measurements are also carried out.
Furthermore, models developed under the Internal Ratings-Based (IRB) approach and their validation studies are used in conjunction with model outputs in TFRS 9 calculations, as well as in allocation and pricing processes.
Within the scope of market risk management, activities include risk identification, measurement, analysis, monitoring, and reporting, supported by stress testing. Risk measurements are performed both through regulatory calculations included in capital adequacy ratios and through internally reported Value-at-Risk (VaR) methods. VaR results are monitored through back-testing analyses. Market risk-weighted amounts are periodically monitored via Board-approved limits, and internally tracked limits are shared with Senior Management.
Within the scope of operational risk management, activities include identification, classification, measurement, and analysis of operational risks, and Board-approved operational risk signal and limit values are monitored periodically. The Operational Risk-Weighted Amount is calculated using the Basic Indicator Approach in accordance with the Regulation on Measurement and Assessment of Banks’ Capital Adequacy. The Bank’s operational risk exposure is effectively monitored through an operational risk loss database integrated with the Bank and aligned with the accounting system, structured in accordance with the Basel Committee’s loss event types and business lines, covering data from domestic and international branches and subsidiaries. Additionally, a self-assessment covering the Bank’s organization is conducted; information technology risks and related actions are monitored in coordination with relevant units; and risk assessments are performed for outsourced service providers. Work related to reputational risk within operational risk is also carried out, and analyses are included in reports.
Within the scope of balance sheet risks, activities related to liquidity risk and interest rate risk arising from the banking book include identification, measurement, analysis, monitoring, and reporting, supported by stress tests and scenario analyses. The consolidated and unconsolidated Liquidity Coverage Ratio and Net Stable Funding Ratio, as well as the unconsolidated Interest Rate Risk Ratio arising from the banking book, are reported periodically to BRSA. In addition, Board-approved signal and limit values for liquidity and interest rate risk are monitored regularly.
In addition to periodic internal stress test reports, Stress Test and ICAAP Reports are prepared at year-end and submitted to BRSA, and internal capital and liquidity adequacy levels are analyzed.
The accuracy, integrity, and timeliness of all data used in risk management activities are ensured by the Data and Global Risk unit. Within the framework of data governance, control of data sources and data flows is maintained, and risk management data from subsidiaries within the Ziraat Financial Group and overseas branches are collected to form the Bank’s Risk Database. This enables centralized management of data required for consolidated and unconsolidated regulatory and internal ratios prepared by the Credit Risk Analytics, Market Risk, Balance Sheet Risk, and Operational Risk units.
Furthermore, support is provided to subsidiaries and overseas branches to standardize risk management practices across the Ziraat Financial Group.
To ensure accurate measurement and management of the risks to which the Bank is exposed, the Validation Unit conducts activities to assess the accuracy, consistency, adequacy, stability, and performance of internally used rating models and other measurement methodologies, and regularly reports results to Senior Management. Through validation studies of internal models used in decision-making processes, necessary actions are taken based on identified findings, ensuring full compliance with legal requirements.
The results of the analyses conducted and the risk indicators monitored within the scope of risk management activities are reported to the Audit Committee and the Board of Directors on a semi-annual basis; to the Audit Committee on a monthly basis; and to Senior Management on a monthly, weekly, and daily basis.
In the upcoming operating period, activities covering all risk types will continue to be carried out based on internationally recognized advanced risk management techniques and will remain an integral part of the Bank’s strategic decision-making processes.
Information Security Management Operations
Within Ziraat Financial Group, the Information Security Management System, established in line with national regulations, international standards, and sector best practices, is effectively operated in accordance with information security policies. The defined policies provide a framework aligned with the Bank’s strategic objectives and effectively guide information security processes. Ensuring information security across the Bank is achieved through close coordination with business units. Our information security objectives are implemented in an integrated manner with our business goals. Information Security Management demonstrates a dynamic structure encompassing continuous monitoring, evaluation, and improvement processes, ensuring the uninterrupted continuation of the Bank’s operations.
In line with the implemented information security strategies and policies, an integrated IT Risk Management structure has been established. IT Risk is one of the Bank’s corporate risk components and an integral part of banking operations. A framework aligned with the Bank’s strategies is ensured for IT Risk Management, strategy and planning are defined, and activities carried out are regularly reviewed.
Comprehensive Information Security awareness programs are conducted to minimize risks to our employees. At the same time, necessary procedures for the protection and use of information are prepared, ensuring that all employees act in accordance with these rules.
Information Security Management at the Bank comprises a comprehensive set of policies, processes, and technologies to protect information assets. In line with the Regulation on Banks’ Information Systems and Electronic Banking Services published in 2020, all information assets are classified and an Information Asset Inventory is created; assets are classified based on confidentiality, integrity, and availability criteria, and appropriate protection methods are determined for each asset.
Threats and vulnerabilities related to the Bank’s information assets are analyzed, and control mechanisms are developed to minimize risks as a result of these analyses. Information security requirements are analyzed in critical projects and system changes. In this process, cooperation is carried out with all teams involved in projects to identify and reduce information security risks.
Penetration tests are conducted at regular intervals by independent third-party firms. Based on the findings obtained from these tests, action plans are developed to remediate risks. By reporting these action plans to the BRSA in a timely manner, information security processes are continuously reviewed and improved. Improvement actions are taken to mitigate the impact of identified risks related to information assets, and the effectiveness of these actions is evaluated.
At the end of the improvement process, a reassessment is performed to ensure that risks are reduced to acceptable levels. Comprehensive controls are implemented to limit the impact of threats and vulnerabilities on information assets or to reduce their likelihood of occurrence. These controls reduce risks in line with the principles of confidentiality, integrity, and availability of information assets, while also ensuring that activities are conducted in compliance with regulations and standards.
Necessary measures are taken to minimize the impact of information security incidents, and processes are regularly monitored and improved. Monitoring and reporting information security breaches is among our priorities, and a continuous monitoring mechanism is in place across information systems to prevent potential breaches. In the event of cyberattacks or data breaches, our incident management processes aim to provide rapid response and effective resolution. The Cyber Security Center, operating 24/7 at the Bank, continuously monitors and analyzes our information systems against potential cyber threats, maintaining the Bank’s security at the highest level.
Real-time threat detection and response prevent data breaches and operational disruptions.
Effective authentication and access management policies are implemented in the Bank’s information systems in accordance with segregation of duties and least privilege principles.
Access to critical systems and data is restricted to authorized individuals only, and risks of unauthorized access are reduced through methods such as multi-factor authentication and role-based access management. Access rights are ensured to be aligned solely with employees’ business needs, minimizing unauthorized access risks. Network security control systems are established to protect against threats originating from the Bank’s corporate network or external networks.
External services that may affect the confidentiality, integrity, availability, and service continuity of information systems and banking data are considered within the scope of outsourced services. To reduce supplier risks, information security requirements are included in contracts; suppliers are assessed, confidentiality agreements are signed, and compliance with contractual obligations is monitored periodically.
All necessary measures are taken to protect the integrity of transactions, records, and data in banking services and information systems. Advanced technologies such as firewalls and intrusion detection systems are effectively used against threats from both internal and external networks, data loss is prevented through regular backup processes, and data integrity is ensured. The SIEM system is used to maintain information security at the Bank, collecting detailed log records from all information systems, which are analyzed using advanced techniques. This enables early detection of potential security threats and abnormal activities, while ensuring rapid and effective response to cyber security incidents.