Large Bank Examination Workshop February 2026

M ODEL R ISK M ANAGEMENT P OLICY

I.

Purpose:

The purpose of this policy is to set forth the Bank’s guiding principles for the management of risk presented by its use of models.

II.

Scope:

This policy applies to applications used by the Bank that meet the criteria of a model or designated calculation and those with the related roles and responsibilities (see Section II.A. below). An application is software procured from a third party (with or without customization) or developed internally with support of Bank Technology or within a particular business unit, the latter referred to as an end user developed application or EUDA. An application is considered a model if it is used to calculate the value of unknown behavior and the results are used to support decision-making or risk measurement / management, or in statements of financial condition or performance. An application that is not deemed a model may also be subject to aspects of this policy if it performs complex calculations not readily transparent to the user and if the materiality of the calculation is large enough to warrant additional scrutiny (a “designated calculation”) . The determination to subject a designated calculation to this policy is made by the CRO. Model risk management activities address all stages of a model’s lifecycle, including , but not necessarily limited to, establishing a business need, development or acquisition, data assessment, implementation, change management, testing, use, model performance monitoring, validation, documentation and record retention, retirement, and replacement. Refer to Section III.C. and the Model Lifecycle Management Procedures for more information.

A.

Roles and Responsibilities:

Board of Directors •

Provides the tone from the top related to oversight and governance of risk • Sets risk appetite, reporting requirements, and clear delegations of authority

Risk Committee of the Board of Directors • Reviews information and provides direction relating to risk management generally, inclusive of model risk • Periodically reviews the model inventory (although delegates the responsibility for final decision making authority of the inventory to the Model Risk Management Committee), results of model validations, and the status of outstanding model validation recommendations • Resolves model validation recommendation impasses (for models owned by the CRO)

2

Model Risk Management Policy

March 15, 20XX

Classification: Confidential

Page 28 of 39