Banca Generali S p A : Report of the Board of Statuatory Auditors to the General Shareholders' Meeting

Report of the Board of Statutory Auditors

pursuant to Article 153 of Legislative Decree No. 58/98.

Shareholders,

The Board of Statutory Auditors (the "Board") is required to report to the General Shareholders' Meeting of Banca Generali S.p.A. (hereinafter also "Banca Generali", the "Bank" or the "Company"), convened, inter alia, to approve the Financial State-ments for the year ended 31 December 2022, on the supervisory activity performed and any omissions and censurable facts identified, pursuant to Article 153 of Legislative Decree No. 58/1998 ("TUF"). This activity was carried out in accordance with the code of conduct recommended by the Roll of Certified Public Accountants and Commercial Experts, while also taking account of the provisions issued by Consob and the Bank of Italy, the instructions set out in the Corporate Governance Code and the provi-sions of Article 19 of Legislative Decree No. 39/10. The following information also takes account of the Consob recommendations contained in Communication No. 1025564/2001.

It bears recalling that on 22 April 2021 the General Shareholders' Meeting of Banca Generali had appointed this Board of Statuto-ry Auditors until the approval of the Financial Statements for the year ending 31 December 2023, in the persons of Natale Freddi (Chairman), Flavia Daunia Minutillo and Mario Francesco Anaclerio (Acting Auditors). The Board of Directors also granted the Board of Statutory Auditors the functions attributed to the Supervisory Board pursuant to Article 6 of Legislative Decree No. 231/2001 on that same date.

During the year, the Board of Statutory Auditors met 20 times. It also took part in 19 meetings of the Board of Directors, 15 meetings of the Internal Audit and Risks Committee, 9 meetings of the Remuneration Committee, 8 meetings of the Nomination, Governance and Sustainability Committee and 9 meetings of the Credit Committee. The Board of Statutory Auditors also took part in the induction programme for members of the Bank's corporate bodies.

1. Supervisory activity concerning compliance with the law and Articles of Association

The Board of Statutory Auditors periodically obtained information from the Directors - including by participating in the meet-ings of the Board of Directors and its Board Committees - regarding the activity carried out and management acts undertaken. On the basis of the information available, it may reasonably confirm that those activities and acts were implemented in compli-ance with the law and the Articles of Association.

The material events during the year that the Board of Statutory Auditors deems appropriate for mention in light of their impor-tance include:

• › the resilience of the 2022-2024 Strategic Plan, which - despite the turbulence and uncertainties of 2022 - remained in line with the targets disclosed to the market on the 2022 Investor Day;

• › the setting up of the organisational structure of the subsidiary BG Suisse SA, incorporated in 2021, with a view to starting operations after obtaining the banking licence from the Swiss supervisory authority, expected in 2023;

• › the completion of the Bank of Italy's assessment, which focused, inter alia, on the efficiency of the governance arrangement of the Bank and the Group, as well as on their risk management and control systems;

• › the settlement of the transfer pricing tax dispute for the 2014-2019 tax periods through the framework agreement signed with the Italian Tax Authority, Regional Direction of Friuli-Venezia Giulia;

It should also be noted that, at 31 December 2022, CET1 ratio was 15.6% and Total Capital Ratio (TCR) was 16.7%, compared to the SREP minimum requirement of 8% and 12.3%, respectively. The main information on capital adequacy, risk exposure and the general characteristics of the systems implemented to identify, measure and manage said risks are illustrated in the Pillar 3 disclosures prepared pursuant to Part VIII of Regulation (EU) No. 575/2013.

With regard to the Russia-Ukraine conflict, it bears noting that Banca Generali is not exposed to the countries involved in the conflict, either with its own securities portfolio, or with the customer loans portfolio. In addition, the exposure of the Bank's cli-ents is also quite limited.

With regard to relations with the supervisory authorities, the Board of Statutory Auditors was updated by the responsible company functions regarding the requests and inquiries made and the responses given. In turn, when requested, it provided responses to the above Authorities on specific topics relating to the reports received and the audits carried out by the Board of Statutory Auditors.

2. Supervisory activity concerning compliance with the principles of sound management

The Board of Statutory Auditors acknowledged and supervised the compliance with the principles of sound management by ob-taining information from the Heads of the competent Control Functions and the Manager in Charge of preparing the Company's financial reports, as well as from meetings with the Independent Auditors as part of the mutual exchange of relevant data and information. It also met on several occasions during the year with the Chief Executive Officer and the Deputy General Manag-ers to obtain information regarding operating performance, the internal control system and main company risks. During such meetings, the Board of Statutory Auditors observed the regular, constant flow of information from the main corporate operating functions and, in the case of the Board of Directors, its constant updating.

The Board of Statutory Auditors may therefore reasonably state that the transactions carried out are inspired by the principlesof sound management, and that management decisions were made on the basis of adequate flows of information and awareness of their risk level.

In particular, as regard the most significant economic, financial and equity transactions implemented by the Bank, subject to supervisory activity, the Board of Statutory Auditors may reasonably confirm that they were implemented in compliance with the law and the Articles of Association and were not manifestly imprudent, risky, in conflict with the resolutions passed by the Shareholders' Meeting or such as to compromise the integrity of the Company's assets. The transactions in which Directors had an interest were approved in accordance with the law, regulations and Articles of Association. As part of the information pro-vided on the preparation of the annual and half-yearly financial statements, the information pursuant to Article 150 of TUF was provided by the Chief Executive Officer and also by the Manager in charge of preparing the Company's financial reports.

In addition, the Board of Statutory Auditors determined that there had been no atypical and/or unusual transactions with com-panies of the Banca Generali Group (the "Group"), third parties or related parties, i.e., transactions that, in view of their char-acteristics, may give rise to doubts as to the correctness/completeness of the information in the financial statements, conflict of interest, integrity of company assets and the protection of minority shareholders.

No critical issues came to light from the meetings held with the Chairman of the Board of Statutory Auditors of Generfid S.p.A. and the control bodies of BG Fund Management Luxembourg S.A. and BG Valuer S.A. or from the examination of the Directors' reports included in the financial statements. Moreover, at such meetings, no issues were reported relating to the activities carried out, where required, in our capacity as Supervisory Body pursuant to Legislative Decree No. 231/2001.

3. Supervisory activity concerning adequacy of the organisational structure

The Board of Statutory Auditors supervised the adequacy of the Bank's organisational structure by holding meetings with the Bank's operating functions, and in particular with the COO & Innovation Area and the Organisation Department, in order to verify the adequacy of the company structure, system of delegated powers, internal control and risk management system and information flows.

The Bank's organisational structure did not change substantially during the year, although the process of rationalising some of its internal structures continued. With regard to the operating structures, worth of mention is the setting up of:

• › the Blockchain Transformation OU within the Innovation Department;

• › the new Digital Platform Department focused on managing the Network and Customer Front End (previously divided among the WM Area and the Products Department);

• › the new Digital Marketing structure, whose mission is to coordinate, in a unified manner, the implementation of all promo-tional and communication activities on digital channels.

With regard to the organisational changes made within the control functions, worth of mention are: › the alignment of the Anti-Financial Crime Function with the new tasks identified by the EBA with respect to the Banking

Group subsidiaries and with the reporting activities required by the Assicurazioni Generali Group Anti-Financial Crime; › the setting up of the new AFC Coordination & Controls OU, whose mission is to coordinate relations with the subsidiaries and

Assicurazioni Generali, in addition to preparing the function's reports.

The Board of Statutory Auditors also supervised the proper performance of the management and coordination activities carried out by the Bank as Parent Company and has no observations to make in this regard.

In fact, the Parent Company performs its steering and governance tasks and provides support to its subsidiaries, in accordance with the Consolidated Law on Banking (TUB), supervisory regulations and Group regulations, adopting risk management proce-dures and internal control mechanisms that ensure coordinated, unified management of the various Group companies in order to:

• › ensure satisfaction of the requirements imposed by supervisory regulations at Group level;

• › safeguard the profitability and value of the equity investments of the Parent Company and all its subsidiaries;

• › avoid any harm to the integrity of the assets of each Group entity by also providing instructions through specific instruments, such as Group regulations and policies on specific subjects.

The Board of Statutory Auditors supervised the adequacy of the instructions provided by the Company to its subsidiaries pursu-ant to Article 114, paragraph 2, of TUF.

In addition, the Bank continued to keep up to date the measures adopted in the previous year to manage the Covid-19 emergency and in this context ensured security safeguards for access to offices and rules of conduct to protect health. As of 1 April 2022, following the end of the health emergency, the Bank gradually implemented plans for returning to the office according to a hybrid mode, so as to better support the new work model.

4. Corporate governance

The Board of Statutory Auditors assessed the methods whereby the Borsa Italiana's Corporate Governance Code adopted by the Bank was implemented, according to the terms illustrated in the "2022 Report on Corporate Governance and Ownership Structures" (the "Corporate Governance Report"). It bears noting that the company bodies also acknowledged the latest rec-ommendations formulated in the letter from the Chairperson of the Corporate Governance Committee of 25 January 2023, as well as of the "Guidelines on the composition and functioning of the Board of Directors in the LSIs" published on 29 November 2022 by the Bank of Italy.

In line with the legislation of reference, Banca Generali's Board of Directors, with support from the external professional Egon Zehnder - appointed as independent expert for the entire three years of the term - launched the Board Review 2022, i.e., the an-nual self-assessment on the functioning of the Board and Board Committees, as well as of their size and composition. The Board Review involved the participation of all Directors in office and the Chairman of the Board of Statutory Auditors (who shared the self-assessment exercise with the two other Acting Auditors). The Board of Statutory Auditors also performed the 2022 annual self-assessment to evaluate its functioning, size and composition. The results of the two assessments are reported in detail in the Corporate Governance Report.

Furthermore, during the year the Board of Statutory Auditors verified that the Statutory Auditors met the relevant require-ments in accordance with the MEF Decree No. 169 of 23 November 2020, as well as, in general, with the applicable legal, regula-tory and self-regulatory provisions in force.

In detail, pursuant to Article 23 of the MEF Decree, the Board of Statutory Auditors conducted new specific assessments of the continuing satisfaction of eligibility requirements and criteria, including that of independence, by its members, where superven-ing events might have affected possession of such requisites. Most recently, on 7 March 2023, pursuant to recommendation 9 of the Corporate Governance Code, the annual verification of the independence requirements and the prohibition of interlocking was carried out. In conclusion, all Statutory Auditors were found to be independent under the provisions of TUF, the MEF Decree and the Corporate Governance Code.

Additionally, during the year the Board of Statutory Auditors verified the proper application of the assessment criteria and pro-cedures adopted by the Board of Directors to assess possession of the fit and proper requirements of its members, pursuant to applicable legislation.

5. Supervisory activity concerning transactions with related and connected parties

The Board of Statutory Auditors supervised the compliance with applicable legislation of the Procedure for Related Party and Connected Party Transactions adopted by the Bank (as most recently updated on 22 June 2021 to reflect the changes in the legis-lative framework of reference) and its proper application, participating in all the meetings of the Internal Audit and Risk Commit-tee - which also functions as the Committee for the preliminary review of transactions with related and connected parties and is tasked with issuing the related opinions required by applicable legislation - set up in accordance with the relevant procedure, periodically receiving and analysing information regarding the transactions performed. The Board of Statutory Auditors has no record of related and connected party transactions undertaken in conflict with the Company's interest.

No "transactions of greater importance" were undertaken with related parties during the year. However, transactions qualifying as "moderately significant transactions" were undertaken with related parties, as illustrated in detail in the Report on Opera-tions, in addition to "ordinary or recurring transactions" effected at arm's length, the effects of which are analysed in the dedi-cated section of Notes and Comments.

The Board of Statutory Auditors verified that in the Report on Operations and the Notes and Comments the Board of Directors provided adequate disclosure of transactions with related and connected parties and intragroup transactions in light of applica-ble legislation.

Following a review of the activity carried out by the various functions involved in related party procedures and discussions with the Internal Audit Function, the Board of Statutory Auditors believes that transactions with related and connected parties are adequately supervised and, to the best of its knowledge, that the procedure has been properly applied.

6. Supervisory activity concerning the internal control and risk management system

The Board of Statutory Auditors supervised the adequacy of the internal control and risk management system through:

• › meetings with the Bank's top managers, the purpose of which included examining the internal control and risk management system;

• › periodic meetings with the Heads of the Internal Audit, Compliance and Anti-Money Laundering, and Risk and Capital Ad-equacy Functions (hereinafter the "Control Functions") in order to assess the methods of planning of the work, based on identifying and assessing the main risks present in processes and organisational units;

• › examination of periodic reports (Tableaux de Bord) of the Control Functions and periodic information on the results of mon-itoring of the implementation of the corrective actions identified;

• › acquisition of information from the Heads of other Company Functions;

• › meetings with the control bodies of the main subsidiaries pursuant to paragraphs 1 and 2 of Article 151 of TUF during which the Board of Statutory Auditors obtained information on the matters deemed material, affecting Group companies and the internal control system;

• › discussion of the results of the Independent Auditors' work;

• › participation in the proceedings of the Internal Audit and Risks Committee, acquiring information on the criticalities consid-ered of particular interest to the Board of Statutory Auditors' activity.

It also acknowledged the assessment of the internal control system by the Board of Directors, which was deemed mostly ade-quate, also in light of the Internal Audit and Risks Committee's opinion.

Banca Generali has long adopted an internal control system policy that identifies the bodies and functions involved in the defi-nition of the internal control system, the methods and tools for identifying and assessing risks, coordination between control functions, the Banking Group's internal control system and reports and flows of information. The system is structured on three levels: the first level performs line controls aimed at ensuring the proper performance of transactions; the second level concerns the monitoring of risks and compliance; and the third is aimed at identifying breaches of procedures and internal regulations.

With reference to the first-tier controls, Banca Generali has operational procedures in place (process flows) that relate to all activities carried out and identify the activities, roles, tools and line controls according to the company process tree.

These procedures are constantly updated by the Organisation Department to bring them into line with changes in regulations, internal rules, the organisational structure and operating methods and to incorporate the suggestions for improvement that emerge from the activities performed by the Control Functions. With regard to the second- and third-tier checks, the Board of Statutory Auditors engaged in constant dialogue with the Control Functions in carrying out its activities. The control system, in addition to the business functions and control functions, involves other company functions, such as the Head of the Security and Business Continuity Plan Service, who acts as the Chief Security Officer (CSO) and whose roles also include that of Chief Infor-mation Security Officer (CISO) of the Bank, and the Supervisory Body of the Parent Company pursuant to Legislative Decree No. 231/2001; the latter's activity is described in a subsequent chapter.

The Control Functions submit periodic reports to the Board of Directors and the Board of Statutory Auditors on the activities performed and their main observations. Each quarter, Tableaux de Bord are presented; these are informational documents that provide an update on the risks and state of progress of the annual plan of each Function. At the end of the year, as required by the law, the Functions submit an annual Report, which in addition to underscoring the work done during the year, conclude with a concise assessment of the adequacy of the internal control system with regard to matters within their purview. The Board of Statutory Auditors acknowledges that the annual reports of the Control Functions conclude with a mostly adequate opinion of the structure of the Company's internal control system.

The final report on the Internal Audit Function's activity during the year indicates that all activities planned had been conclud-ed at the date of this report. No significant critical issues emerged from this activity. However, the control activities performed (including at Group level) identified a need for the competent Company Functions to implement remedial actions to mitigate the risks inherent in some processes and operating practices, typical of all banking business, without jeopardising the reliability of the Internal Control System as a whole, which is thus confirmed to be mostly adequate. However, there are some areas for im-provement with regard to the outsourcing of trading processes, the management of functional relationships of some subsidiaries with the Parent Company and the updating of some regulations regarding the IT Department.

Interaction between the Board of Statutory Auditors and the Internal Audit Function is constant over the year, as the Function takes part in most meetings of the Board of Statutory Auditors. In any case, the Function informs the Board of Statutory Auditors promptly of any issues or areas of concerns emerged from its activities.

Upon the conclusion of the Compliance Function's activities carried out in the year, of both an ex-ante nature (ex-ante risk assess-ment, participation in projects and consulting support) and an ex-post nature (audits of compliance, processes and monitoring of the compliance control measures set out in the annual plan, which were all concluded, and monitoring of the state of progress of the regularisation measures established in the ex-post audits conducted), the Function found an overall medium-low exposure to non-compliance risk with regard to the overall design and effective operational development of company processes, reiterating the need to ensure constant oversight of processes deemed to be at greatest risk of non-compliance, such as investment advisory processes and the management of portfolios and new product development. The Function confirms the need for constantly and thoroughly monitoring the scheduling of remedial actions.

The Compliance Function also supported the Data Protection Officer with the activities set out in the GDPR and the external and internal data protection regulations in effect from time to time.

With regard to control activity relating to the distribution network, there continues to be a need to keep high levels of supervision, in addition to further reinforcing them to pursue constant improvement in the efficient monitoring of various risk elements that may lead to behaviour of Financial Advisors not compliant with the law and result in economic impacts on the company. In this regard, worth of mention is the strengthening of the control measures that the Bank adopted for collecting orders.

With reference to complaints - relating to both investors and consumers - each quarter the Function presents a report stating the number of complaints, those that resulted in litigation and reimbursements paid by the Bank during the period. Overall, in 2022 complaints increased on the previous period due to massive phishing phenomena, the recent complaints received from the former customers of Binck Bank, whose retail banking business unit of the Italian branch was acquired in 2021, and the theft of credentials of debit and credit cards. In light of the limited number of complaints and the absence of concentration regarding specific types, the Function does not detect any new compliance-related criticalities in the processes analysed.

Turning to the AML Function, the self-assessment conducted in accordance with the law confirmed that the risk of money laundering and financing of terrorism is MEDIUM, in line with the previous year. This assessment is attributable to several im-provement actions still underway by the Bank, and in particular with reference to the prompt updating of the KYC questionnaires and the replacement of the GIANOS suite with Netech and the additional related implementations. The strengthening of the second-tier transaction monitoring systems was completed with the introduction of the new system Faraday.

The Board of Statutory Auditors examined the Internal Capital Adequacy Assessment Process (ICAAP) documents, which quan-tify the current and prospective internal capital to be held for the risks to which the Group is exposed, as well as those for liquid-ity (ILAAP), which aim to assess the adequacy of the liquidity held by the Bank, both approved by the Board of Directors on 21 April 2022. The ICAAP and ILAAP confirm the adequacy of the Bank's capital and liquidity. The Board of Statutory Auditors formulated its observations also on the basis of the Report of the Internal Audit Function, which acknowledges compliance with regulations.

The Board of Statutory Auditors examined the new Risk Appetite Framework (RAF), which indicates the Bank's risk appetite, with effect from 2023, taking account of the recommendations of the Supervisory Authorities and regulatory indications. The structure of the RAF indicators was revised to separate strategic and tactical indicators (primary, secondary and relevant) from operating indicators, described in the internal policies/regulations. Primary and secondary indicators were integrated with indi-cators linked to the business model, customers, Financial Advisors and the network, in addition to the updating required by the amendments to the three-year Plan. The RAF governance was integrated by improving the escalation procedures. The remedial actions for operational risks and the implementation timescales were also identified with reference to risk appetite. The RAF confirms the Bank's solidity, with capital and liquidity rations above the minimum regulatory requirements.

Adequacy of Control Functions

In order to assess the internal control system, particular importance is attached to the analysis of the operational procedures and methods that the Control Functions adopt to pursue their objectives, as well as the adequacy of their staff. The Control Functions operate on the basis of procedures that are approved by the Board of Directors and kept up to date, and analyse in detail the activity to be carried out. As far as the resources are concerned, these are evaluated every year in the Annual Plan. The Board of Statutory Auditors monitored the effective implementation of the previous year's recommendations emerged from the analyses conducted by an external consultant, with particular regard to the increase in FTEs to fulfil the tasks.

The Board of Statutory Auditors oversaw the remuneration of the control functions, for purposes of the variable component payment. In concert with the Remuneration Committee, it analysed the assessment records of their qualitative performance in terms of the objectives set for 2022.

Business continuity and cyber risk

The Bank has prepared the Report on the IT risk required by the supervisory provisions in force. Banca Generali analyses and monitors the two cyber and IT risk components through three macro-activities: an operational risk self-assessment, a specific risk assessment on the IT and cyber components and monitoring of the Key Performance Indicators and Key Risk Indicators. The activities performed detected several areas for improvement, still to be defined.

The Bank also performed a cyber security assessment applying the NIST (National Institute of Standards and Technology) methodology, a market best practice, which gave a positive evaluation.

The Bank, in line with the Business Continuity Policy, which is updated every year, carried out the tests that had been planned for 2022. At group level, the tests concerned the unavailability of the IT system, of logistics and of human resources. With regard to disaster recovery, the tests focused on the main critical service providers. The tests confirmed the effectiveness of the business continuity system.

As mentioned above, in 2022, the Bank was subject to a comprehensive ordinary inspection by the Bank of Italy that focused, in-ter alia, on the efficiency of the governance arrangement of the Bank and Group, as well as on their risk management and control systems, with particular reference to operational, reputational and legal risks.

The contents of the Inspection Report was immediately examined and analysed in detail by the Bank's Board of Directors. In its response to the Bank of Italy, the Bank promptly illustrated its considerations on the inspection outcomes, the initiatives already undertaken and those planned with respect to the remarks.

The Board of Statutory Auditors constantly monitors the actual implementation of the measures in the terms and manners indicated in the said remedial plan.

Based on the work carried out, the information acquired, the content of the half-yearly and annual reports of the Control Func-tions, and particularly the overall favourable opinion expressed by the Control Functions regarding the internal control system, the Board of Statutory Auditors considers that there are no significant critical elements such as to affect the structure of the internal control and risk management system.

7. Supervisory activities regarding the administrative accounting system and the financial reporting process

The Board of Statutory Auditors, in its capacity as Internal Audit and Risk Committee pursuant to Article 19, paragraph 2(c), of Legislative Decree No. 39/2010, monitored the process and checked the effectiveness of the internal control and risk management systems with regard to financial reporting, overseeing compliance with the general principles on financial reporting adopted by the Group, based on the provisions of the Group Policy on the subject.

The financial reporting is monitored by the Manager in charge of preparing the Company's financial reports (hereinafter the "Manager in charge"), adopting models that refer to best market practice and that provide reasonable security on the reliability of financial reporting, on the effectiveness and efficiency of operating activities and on compliance with laws and internal regula-tions. The processes and controls are reviewed and updated annually.

The year 2022 saw work continue on keeping the mapping of processes up to date in line with the projects carried out, the new operating methods and organisational changes

Control of the proper functioning of the Bank's model is ensured by a series of checks carried out on a self-assessment basis by the individual process owners, supplemented by checks implemented both by the Internal Audit Function and by Independent Auditors.

The Board of Statutory Auditors met the Manager in Charge at regular intervals to exchange information on the reliability of the administrative-accounting system for purposes of representing operating events correctly and verified the Attestation of the Annual Integrated Report pursuant to Article 154-bis, issued by the Chief Executive Officer and the Manager in Charge, which certifies the adequacy and effective application of the administrative and accounting procedures for preparing the Annual Inte-grated Report during the 2022 financial year.

The Board of Statutory Auditors also examined the statements of the Chief Executive Officer and the Manager in charge in ac-cordance with the provisions contained in Article 154-bis of TUF.

With regard to the preparation of the financial statements and consolidated financial statements, it should be noted that they were prepared, in accordance with Legislative Decree No. 38/2005, according to the international IAS/IFRS standards issued by the IASB (International Accounting Standard Board) that have been endorsed by the European Commission, as established by