Annual Report 2024 Turning the Dream of Home into a Goal

Risk Management

In accordance with the Bank’s Risk Management Policy, the Bank’s Board of Directors ensures that a risk management system is in place that is appropriate to the selected business model, scale of operations, types and complexity of operations, and ensures an appropriate process for identifying, measuring and assessing, monitoring, controlling and minimizing significant risks to ensure the Bank’s financial stability and stable functioning.

A key factor of the Bank’s high risk management culture is regular communication of risk-related issues, including risk management policies and procedures, to the Bank’s authorized collegiate bodies, including the Board of Directors of the Bank. The exclusive competence of the Bank’s Board of Directors in terms of risk management includes the powers regulated by the Articles of the Bank, internal documents of the Bank, as well as the Regulations on the Bank’s Board of Directors. The Bank’s Board of Directors monitors and controls risk management, internal audit, compliance with the requirements of the laws of the Republic of Kazakhstan and internal documents of the Bank through interaction with authorized collegiate bodies under the Bank’s Board of Directors, the Bank’s Management Board and the Head of Risk Management in order to effectively perform their duties. The Risk Management Committee of the Bank’s Board of Directors operates within the framework of the Regulations defining its powers, competence and principles of its work. The Risk Management Committee of the Bank’s Board of Directors regularly receives data and reports from risk management and other responsible departments on the Bank’s current risk level, risk appetite levels and risk mitigation mechanisms, as appropriate.

The Bank’s Board of Directors has developed and approved the Bank’s Risk Appetite Strategy, which defines clear limits on the volume of accepted risks inherent in the Bank’s activities within the framework of the implementation of the Bank’s general strategy, and defines the risk profile of the Bank’s activities in order to prevent the realization of risks or minimize their negative impact on the Bank’s financial position.

In accordance with the Risk Appetite Strategy, the Bank’s Board of Directors approves the Bank’s Risk Appetite Statement. As part of the Risk Appetite Statement, a set of quantitative and qualitative indicators of risk appetite levels is approved for each material risk of the Bank, taking into account the Bank’s business model. Compliance with risk appetite levels in accordance with the Bank’s Risk Appetite Statement is monitored on a periodic basis and information on the results is submitted to the Bank’s authorized bodies, including the Bank’s Board of Directors, as part of risk management reporting.

The main financial risks inherent to the Bank’s operations are market risk (currency risk, interest rate risk), liquidity risk and credit risk.

Information on compliance with aggregated risk appetite levels as of 1 January 2025 (in KZT million)

| Risk Name | Risk Appetite Level as of 01.01.25 | Approved Risk Appetite Level for 2024 | Adequacy of Risk Appetite Level |
|---|---|---|---|
| 1 | 2 | 3 | 4 = 3 – 2 |
| Credit risk | 9,099 | 131,370 | 122,271 |
| loan portfolio | 7,379 | 115,938 | 108,559 |
| interbank deposits | 667 | 7,580 | 6,913 |
| non-government securities | 1,053 | 7,852 | 6,798 |
| Market risk | 13,434 | 32,766 | 19,332 |
| Interest rate | 13,280 | 29,733 | 16,453 |
| Currency | 150 | 2,970 | 2,820 |
| Price | 4 | 63 | 59 |
| Liquidity risk | 8,856 | 24,862 | 16,006 |
| Operational risk | 2.4 | 2,385 | 2,382.6 |
| Aggregate risk level | 31,391.4 | 191,383 | 159,991.6 |

The current aggregate level of credit, market and liquidity risk as of 1 January 2025 is KZT 31 billion, or 16 % of the approved risk appetite level for 2024, and is therefore within the approved risk appetite level.

For the purposes of capital adequacy assessment, the Bank has developed and implemented the Regulation on Internal Capital Adequacy Assessment Process (ICAAP) approved by the Board of Directors of the Bank. As part of the ICAAP, the Bank identifies, assesses and controls significant risks inherent in the Bank’s operations and plans capital based on the Bank’s strategy, the results of a comprehensive assessment of significant risks, stress testing of the Bank’s financial stability in relation to internal and external risk factors, and the Bank’s capital adequacy requirements.

Assessment of the Impact of Current Risks* on the Bank’s Capital Adequacy

| Regulatory Requirement | Actual 01.01.25 | Adjusted for Current Risk Level | Deviation from Actual |
|---|---|---|---|
| 1 | 2 | 3 | 4 = 3 – 2 |
| k1 (min. 0.055) | 0.390 | 0.377 | –0.013 |
| k1-2 (min. 0.065) | 0.390 | 0.377 | –0.013 |
| k2 (min. 0.080) | 0.390 | 0.377 | –0.013 |

*credit, market, and liquidity risk

The capital adequacy level, when adjusted for the current total risk exposure, decreases by 0.013 across all ratios. However, it remains above the minimum requirements set by the regulatory authority due to the Bank’s substantial capital base (KZT 702 billion).

Currency risk.

The Bank’s exposure to currency risk is minimal due to the specific nature of its business model. The Bank does not engage in foreign exchange operations, except for administrative and operational activities and conversion of customer funds within the framework of the National Fund for Children Project.

Interest rate risk.

The Bank’s interest rate risk represents the potential for losses due to adverse changes in interest rates.

As part of its interest rate risk management, the Bank analyzes interest-sensitive assets and liabilities whose returns and costs are affected by changes in interest rates. The Bank uses an interest rate gap analysis tool to assess exposure over time intervals and to determine the potential impact of rate changes on net interest income.

Liquidity risk.

To assess liquidity adequacy, the Bank has developed and implemented the Internal Liquidity Adequacy Assessment Process (ILAAP), which was approved by the Board of Directors. Within the ILAAP framework, the Bank carries out effective identification, assessment, monitoring, and control of liquidity risk. This includes forecasting cash flows related to assets, liabilities, and off-balance sheet instruments over various time intervals. The Bank assesses all on-balance and off-balance sheet items impacting liquidity risk, as well as market liquidity to meet potential funding needs in order to manage liquidity risk when necessary.

Given the specifics of the Bank’s business model, its funding base is stable and primarily consists of budgetary funds allocated through government programs aimed at providing affordable housing and housing savings schemes.

As part of the ILAAP, the Bank assesses liquidity risk arising from mismatches between the maturity of assets and liabilities, as well as the adequacy of liquid assets and funding sources, including under stressed market conditions.

The main objective of liquidity risk management is to define assessment methods and procedures that ensure sufficient liquidity levels are maintained. The Bank’s liquidity risk is managed by analyzing the level of liquid assets required to settle liabilities as they fall due, ensuring access to various sources of funding, having contingency plans in place in case of funding problems and monitoring liquidity ratios in accordance with the level of liquidity risk appetite and the regulator’s prudential liquidity requirements.

The main measures to minimize liquidity risk, taking into account the specifics of the Bank’s business model:

  • Monitoring compliance with regulatory and internal liquidity limits;
  • Controlling the Bank’s daily (intra-day) liquidity positions;
  • Conducting a gap analysis of the Bank’s assets and liabilities by maturity, the purpose of which is to determine the time interval over which the Bank is exposed to liquidity risk and to assess the impact of the liquidity imbalance in a certain time interval on the Bank’s ability to meet its obligations;
  • Performing regular liquidity stress tests under various scenarios.

The table below shows the liquidity gap as of 1 January 2025 (in KZT million):

 

| | On Demand | [0-7D] | [1W-1M] | [1M-3M] | [3M-6M] | [6M-12M] | [1Y-2Y] | [2Y-3Y] | [>3Y] | Balance Total |
|---|---|---|---|---|---|---|---|---|---|---|
| Assets | 116,167 | 475,204 | 101,004 | 61,164 | 84,925 | 163,824 | 309,440 | 381,098 | 2,586,788 | 4,279,614 |
| Liabilities | 208,371 | 38,656 | 45,214 | 73,340 | 37,968 | 54,354 | 142,514 | 273,450 | 2,696,181 | 3,570,047 |
| Contingent liabilities | | | 3,829 | 7,658 | 11,487 | 15,315 | | | | 38,288 |
| Gap | –92,204 | 436,549 | 51,961 | –19,833 | 35,470 | 94,155 | 166,926 | 107,649 | –109,393 | 671,279 |
| Cumulative gap | –92,204 | 344,345 | 396,305 | 376,472 | 411,942 | 506,097 | 673,023 | 780,672 | 671,279 | |
| Cumulative gap / Assets | –2.2 % | 8.0 % | 9.3 % | 8.8 % | 9.6 % | 11.8 % | 15.7 % | 18.2 % | 15.7 % | |

 

Assumptions used in liquidity gap analysis:

  • All assets and liabilities are allocated to time buckets based on contractual maturity.
  • Contingent liabilities are distributed based on expected issuance of housing loans per month (excluding previously issued preliminary and interim loans).

The negative gaps observed in net liquidity in the following buckets: on demand (KZT 152 billion), 31-90 days (KZT 72 billion), and over 3 years (KZT 1,858 billion) are primarily due to the accumulation of customer funds, mainly from corporate current accounts and long-term deposits.

Nevertheless, the cumulative liquidity gap across all time intervals is positive, except for the on-demand bucket. The minimum ratio of cumulative liquidity gap to total assets occurs in the 0-7 day interval and stands at 8.0 %. The Bank remains in compliance with its internal limit on cumulative liquidity gap, which is set at no less than –2 % of total assets.

Credit risks

As part of the Decision-Making System, the following initiatives were implemented:

  • The SM9 strategy was developed and integrated as part of the rollout of Evaluation Indicator 5 for the issuance of interim loans;
  • Report PRQ006 was added to monitor certificates issued for passing the Decision-Making System.

As of the end of 2024, provisions created in accordance with IFRS accounted for 0.22 % of the total loan portfolio. The share of the Bank’s 20 largest loans was 0.06 % of the loan portfolio, indicating an absence of credit concentration risk. In the collateral structure, real estate accounted for 87.10 % of the total collateral pool. The overall weighted average loan-to-value (LTV) ratio was 43.24 %, which reflects a conservative collateral policy.

For comparison, as of the end of 2023, provisions created under IFRS amounted to 0.17 % of the loan portfolio. The share of the 20 largest loans remained at 0.06 %, again confirming the absence of credit concentration risk. At that time, real estate comprised 84.00 % of the collateral portfolio. The overall weighted average LTV ratio was 40.18 %, underscoring the Bank’s continued conservative approach to collateral management.

Operational risks

The Operational Risk Management System (ORMS) of the Bank has been developed in accordance with the laws of the Republic of Kazakhstan, the recommendations of the Basel Committee on Banking Supervision, generally accepted principles of risk management in the banking sector, and international best practices.

| Risk Name | Risk Appetite Level as of 01.01.25 | Approved Risk Appetite Level for 2024 | Adequacy of Risk Appetite Level |
|---|---|---|---|
| 1 | 2 | 3 | 4 = 3 – 2 |
| Operational risk | 2.4 | 2,385 | 2,382.6 |

The infrastructure of the Bank’s ORMS includes the following components:

  1. Risk Identification: Identification of operational risks through analysis of both current and newly implemented internal processes, systems, products, and services offered by the Bank.
  2. Risk Assessment: Measurement of operational risk in order to identify trends and changes in risk levels.
  3. Strategic Operational Risk Management: Development of principles for the ongoing management of operational risk within the Bank.
  4. Ongoing Operational Risk Management: All structural units of the Bank are involved in reducing exposure to operational risk and eliminating negative impacts of operational risk events across all departments.
  5. Monitoring and Reporting: The Bank regularly monitors operational risk levels and ensures alignment with the established risk appetite. Regular risk assessments are conducted to address evolving circumstances and determine how risks may affect the achievement of the Bank’s objectives. Recommendations for risk management are developed accordingly. Management reporting is submitted to the Board of Directors/the Management Board on a quarterly/monthly basis.
  6. Prevention and Mitigation (Controls): A set of actions is carried out to prevent or reduce the likelihood of operational risk events and to minimize potential losses.

In 2024, the Bank enhanced its internal operational risk database used for collecting and analyzing operational risk event data.

Information Security and Information Technology Risk Management

To ensure the effective functioning of the information security (IS) and information technology (IT) risk management systems in accordance with the laws of the Republic of Kazakhstan, the following documents have been developed and are maintained in an up-to-date state:

  1. IS and IT Risk Management Policies;
  2. IT Risk Management Rules;
  3. IS Risk Assessment Methodology;
  4. Methodology for Determining Potential Losses from Information Security Risks;
  5. Methodology for Determining Key Risk Appetite Indicators for IS and IT Risks at Otbasy Bank JSC.

In 2024, a working group led by the internal control unit carried out the classification of the Bank’s information assets and approved the list of the Bank’s critical information assets.

During the same year, the Bank’s responsible departments performed an assessment of IS and IT risk levels. The results of these assessments were presented to the Bank’s Management as part of the IS and IT risk report.

The internal control department regularly provides IT and IS risk reports to the Information Security Committee, the Management Board, and the Board of Directors.

Information Security Risk Appetite Statement for 2024

| Key Risks | Parameter | Green Zone | Yellow Zone | Red Zone | Risk Appetite Level |
|---|---|---|---|---|---|
| Information security (IS) risk | Leakage of confidential information | 0 | 1 | 2 | K1 (IS) = 3 |
| | Unauthorized access to the Bank’s IS | 0 | 1 | 2 | K2 (IS) = 4 |
| | Integrity violations and unauthorized data changes | 0 | 1 | 2 | K3 (IS) = 3 |
| | Improper use of computer equipment and the Internet by employees of the organization | 0 | 1 | 2 | K4 (IS) = 3 |

Note: The indicator reflects the number of recorded events/incidents related to confidentiality and integrity violations per threat type per year. UOM: number of incidents. Responsible departments: ISD, ICD

Information Technology Risk Appetite Statement for 2024

| Key Risks | Risk Indicators | Green Zone | Yellow Zone | Red Zone | Risk Appetite Level |
|---|---|---|---|---|---|
| Information technology (IT) risk | Availability ratio of critical IT assets. UOM: % per quarter. | Up to 99.4 % | From 99.4 to 98.8 % | Below 98.8 % | 98.8 % |

Note: Calculation formula:

where:

Ra – system availability ratio, %

Ta – planned uptime, in minutes

Td – downtime, in minutes

Responsible departments: ITD, ICD.

Business Continuity Management

The Bank’s business continuity management aims to ensure organizational resilience during incidents by eliminating or minimizing downtime, enabling rapid recovery of key business processes, and reducing potential losses. To support this, the following documents have been developed, approved, and are regularly updated:

  • the Bank’s Business Continuity Management Policy;
  • the Bank’s Business Continuity Management Rules;
  • the Bank’s Business Continuity Plans by Business Lines.

Each year, the following activities are conducted in this area:

  • Employee training on business continuity procedures;
  • Business impact analysis on critical processes and operations;
  • Testing and analysis of business continuity plans;
  • Risk analysis of unforeseen events, with the development of a response plan to address identified risks.

Compliance risk

In a broad sense, compliance control is a management and oversight system within an organization aimed at mitigating risks associated with non-compliance with legal requirements, regulatory documents, supervisory authority rules and standards, codes of conduct, and other internal regulatory documentation.

Compliance control is an integral part of the internal control function, whose main objective is to protect the interests of investors, the Bank, and its customers by monitoring employee adherence to legislation, regulatory requirements, and the Bank’s internal documents governing the provision of services and operations in financial markets.

Today, compliance is an essential component of the Bank’s operations and organizational structure.

An effective compliance risk management system, supported and maintained in a proper state, enables senior management to identify in a timely manner material risks that may impact the full realization of the Bank’s business objectives.

Responsibility for compliance is built upon the Bank’s compliance culture, which is implemented through a three-line defense model:

  1. The first line of defense manages compliance risk within its competence and in accordance with the Bank’s internal documents on compliance risk management (first level control). The participants are the Bank’s employees and the heads of the Bank’s structural units;
  2. The second line of defense is compliance risk management and compliance control (second level control). The participants are the Chief Compliance Officer and the Compliance Control Unit;
  3. The third line of defense is an independent assessment of the effectiveness of the compliance risk management system (third level control). The participant is the Internal Audit Unit.

All participants of the compliance risk management system, within their competence and responsibility, manage compliance risks in strict and rigorous compliance with the requirements of the laws of the Republic of Kazakhstan, the laws of foreign countries affecting the Bank’s operations and recognized by the Republic of Kazakhstan, the Bank’s internal rules and procedures, as well as generally accepted codes of conduct.

The main objective of compliance risk management is to minimize and/or maintain at an acceptable level compliance risks, such as financial losses incurred by the Bank and application of legal sanctions to the Bank due to non-compliance with the requirements of the laws of the Republic of Kazakhstan, regulations of the competent authority, internal documents and procedures of the Bank, as well as the laws of foreign countries affecting the Bank’s operations and recognized by the Republic of Kazakhstan.

To effectively manage compliance risks, the Compliance Control Unit identifies and assesses their causes:

  • data on compliance risks are collected and analyzed on a regular basis. The results of audits and a unified internal database of operational losses and events are used for this purpose;
  • the Compliance Control Unit is involved in the introduction of new products and services;
  • internal audits of the Bank’s internal documents and processes for compliance with the laws of the Republic of Kazakhstan are conducted on a regular basis;
  • the Know Your Customer principle has been implemented;
  • a compliance risk register is maintained and a compliance risk map is drawn up;
  • training workshops are conducted in the Bank as part of strengthening compliance culture.

To ensure compliance of the Bank’s activities with the laws of the Republic of Kazakhstan, the Compliance Control Unit continuously monitors amendments to the laws of the Republic of Kazakhstan and provides further recommendations on the development of new internal documents and introduction of relevant amendments to the Bank’s internal documents and procedures.

The Bank has a financial monitoring system in place to fulfil the requirements of the laws on anti-money laundering and counter-terrorism financing (hereinafter, the AML/CFT).

The main purpose of the financial monitoring system is to minimize the risks arising from banking transactions subject to financial monitoring and other transactions with money or property related to money laundering, terrorism financing and financing of proliferation of weapons of mass destruction. This is done by ensuring compliance with the requirements of the AML/CFT laws of the Republic of Kazakhstan, preventing the Bank’s involvement in money or property related to money laundering, terrorism financing and financing of proliferation of weapons of mass destruction, and maintaining the effectiveness of the Bank’s internal control system at a level sufficient to manage the risks.

The Bank implements the Know Your Customer principle, conducts due diligence procedures when establishing business relations, and ensures completeness and timeliness of submission of information on transactions subject to financial monitoring to the competent financial monitoring authority.

ESG risks

Along with credit, market, strategic, operational, compliance, liquidity, information security and IT risks, the Bank’s Risk Register includes a separate group of ESG risks. ESG risks are identified taking into account the expectations of investors, staff and other stakeholders of the Bank. To take into account all possible consequences of the Bank’s activities, the following is analyzed on a periodic basis:

  • the needs of stakeholders;
  • potential conflicts that may jeopardize projects or arise at various stages of their implementation;
  • opportunities and relationships that may arise in the course of implementation of the Bank’s projects.

Based on an analysis of external and internal factors, the Bank has compiled a detailed list of ESG risks, which cover the environment, corporate governance, health and safety, and human rights.

ESG risks in the Risk Register are subdivided into:

  1. environmental risks: non-compliance of the Bank, its authorized bodies and employees with the requirements of the environmental laws of the Republic of Kazakhstan;
  2. social and labor risks: violation by the Bank of labor laws in terms of occupational health and safety, resulting in temporary or permanent disability of an employee, non-observance by the Bank of the rights and legitimate interests of employees, violation of working hours and rest periods, lack of staff motivation, lack of indexation of remuneration, low level of employee involvement, lack of professional development programs;
  3. corporate governance risks: reduction of supervision by the Bank’s Board of Directors over the efficiency of the internal control system.

The final rating of this type of risk is assessed as low.

Climate-related risks

In 2024, the Bank integrated a climate agenda into its operations, marking an important step toward enhancing resilience to climate change. Climate-related risks have been incorporated into the Bank’s overall risk management framework. During the reporting period, the Bank, in collaboration with an international consulting firm, conducted an analysis of physical and transition risks, carried out climate stress testing, approved a methodology for assessing climate-related opportunities, and developed a Roadmap for the implementation of climate-related risk assessment. In 2025, the Bank plans to set interim and long-term targets aligned with a science-based approach to reduce its carbon footprint, both from its own operations and from its financed loan portfolio. The achievement of these targets is expected to be driven by a number of developed initiatives.

In 2024, the Bank began assessing its own greenhouse gas emissions under Scope 3, as well as financed emissions across its entire portfolio, with the aim of improving the management of its environmental impact and developing interim targets to achieve its overall carbon neutrality goals by 2060. The methodology for calculating greenhouse gas emissions was developed jointly by the Bank and an external expert organization.