Compliance

Management positions the strengthening of compliance and risk management as a key issue in enabling SMBC Group to fulfill its public mission and social responsibilities as a global financial group. We are therefore working to entrench such practices into our operations as we aim to become a truly outstanding global group.

SMBC Group seeks to maintain a compliance system that provides appropriate instructions, guidance, and monitoring for compliance to ensure sound and proper business operations on a group-wide and global basis. Measures have been put in place to prevent misconduct and quickly detect inappropriate activities that have occurred to implement corrective measures.

SMBC Group has established the Compliance Committee, which is chaired by the Group CCO responsible for overseeing matters related to compliance. This committee comprehensively examines and discusses SMBC Group's various work processes from the perspective of compliance.

In addition, SMBC Group formulated Compliance Program to provide a concrete action plan for practicing compliance from the perspective of groupbased management. The Board of Directors and the Management Committee annually determines the Group Program and, in principle, semiannually (twice a year) receives its progress updates from the Group CCO to which they give instructions to the entire organization when needed. Group companies develop their own compliance programs based on the Group program and take necessary steps to effectively install compliance frameworks.

The Company receives consultations and reports on compliance-related matters from Group companies, providing suggestions and guidance as necessary to ensure compliance throughout the Group.

From the perspective of global-based management, compliance departments for major overseas offices have been recognized within the Compliance Unit, which facilitated to develop an integrated group-based compliance management framework for overseas offices.

In order for companies to coexist with society and develop sustainable growth, it is crucial to take an appropriate amount of risks and to maintain appropriate risk management, including compliance. In particular, financial institutions should emphasize compliance and risk management, considering its public mission and the heaviness of the social responsibility.

Based on this recognition, management positions the strengthening of compliance and risk management as a key issue in enabling SMBC Group to fulfill its public mission and social responsibilities. SMBC Group is therefore devoted to improving its systems in these areas in order to become a truly outstanding global group.

Specifically, SMBC Group has defined the Principles of Action on Compliance and Risk to serve as guidelines for executives and employees in practicing compliance and risk management. Continuous reviews are carried out to improve compliance with these guidelines and to ensure their effectiveness.

SMBC Group recognizes the importance of preventing money laundering and terrorist financing (ML/TF) and adhering to economic sanctions regulations, and therefore, undertakes every effort to prevent ourselves and employees, from engaging in, and/or providing assistance to, the commission of ML/TF, and from violating economic sanctions regulations.

SMBC Group strictly complies with AML/CFT and economic sanctions regulations by establishing a Group Policy and by implementing effective internal control systems in each of the Group companies to ensure that our operations are sound and appropriate.

The Group Policy and systems are implemented in accordance with the requirements of the relevant international organizations (e.g. the United Nations, the Financial Action Task Force Recommendations) and the laws/regulations of relevant countries including Japan in which the SMBC Group has operations (e.g. U.S. "Office of Foreign Assets Control Regulations").

The policies and measures for AML/CFT and economic sanctions regulations implemented across the SMBC Group include, but are not limited to, the following:

SMBC Group has established a basic policy stipulating that all Group companies must unite in establishing and maintaining a system that ensures that the Group does not have any connection with anti-social forces or related individuals.

Specifically, the Group strives to ensure that no business transactions are made with anti-social forces or individuals. Contractual documents or terms and conditions state the exclusion of anti-social forces from any business relationship. In the event that it is discovered subsequent to the commencement of a deal or trading relationship that the opposite party belongs to or is affiliated with an antisocial force, we undertake appropriate remedial action by contacting outside professionals specializing in such matters.

SMBC Group has established Group policies that set forth guidelines for the entire Group regarding proper protection and use of customer information. All Group companies adhere to these policies in developing frameworks for managing customer information.

Privacy Policy of SMFG is mainly intended for personal information of shareholders, and Privacy Policy of SMBC, the core banking subsidiary of SMBC Group, is mainly intended for personal information of customers. SMBC’s Privacy Policy determines the use, collection and processes, etc., of personal information in its "Handling of a Client's Personal Information" in detail.

Other Group companies also establish and disclose privacy policies for their measures regarding the proper protection and use of customer information and customer numbers. Appropriate frameworks are established based on these policies.

Privacy Policies of SMFG and SMBC were established after the resolution of the Management Committee of both entities, and their revision/abolition are subjected to the Management Committee as well. Measures to protect personal information based on the policies are under responsibility of the head (Executive Officer) of Compliance Department. These measures are embedded in the group-wide compliance program, and when issues arise, they will be reported to and be subjected to remedial actions by the Compliance Department. When violation to the policy is discovered, disciplinary actions could be taken under internal policies. In addition, for suppliers and external vendors, how they will use personal information and its risks associated will be confirmed before deals start based on internal policies and procedures, and when deals are determined to have high risks, additional detailed memorandums concerning information management are exchanged. As such, we are strictly addressing the issue of personal information protection in our entire operation including the supply chain. Also, effectiveness of privacy policies are ensured by periodical risk assessments and audit by the Compliance Department.

Moreover, especially in SMBC, all employees are required to take a training course concerning customer information protection at least once a year.

SMBC Group has Internal Reporting Systems and whistle-blowing systems designed to promote self-correction through early detection and rectification of actions that may violate laws and regulations^*. All of our stakeholders within and beyond our company can report issues/concerns through the Internal Reporting Systems 24 hours a day, 365 days a year. These systems are introduced by displaying posters, distributing employee mobile cards, and holding training programs. Our internal stakeholders that can utilize this mechanism are all the Group employees listed below:

Employees can report issues/concerns (also anonymously) to the lawyer, designated as the external channel within our Internal Reporting System. In response to raised issues/concerns, appropriate steps are taken to maintain the confidentiality and privacy of the employees who submitted the report. Any form of retaliation against the employees as a result of a report is strictly prohibited. If any form of retaliation is confirmed, strict measures, including disciplinary action, will be taken. Furthermore, overseas branch offices have their own internal reporting systems, which allow local employees to report issues/concerns in their local languages.

Investigations are conducted mainly by designated departments such as General Affairs Dept. and Human Resources Dept. for all issues/concerns raised through Internal Reporting Systems. If a violation is found as a result of the investigation, corrective measures will be taken in accordance with laws and regulations, including disciplinary action. After some time since the corrective measures were taken, follow-up actions will be taken to assess the effectiveness of the corrective measures and to address any issues from the perspective of whistleblower protections. In addition, the SMBC Group Alarm Line has adopted a management system that gives top priority to protecting whistleblowers and strictly handles information pertaining to the reports. The results of such investigations, progress regarding corrective actions taken in response, as well as regular updates regarding the Internal Reporting Systems, are reported to the Compliance Committee, the Group Management Committee, and the Audit Committee on a regular basis. In FY2023, throughout all our Group companies, we have received 345 reports through the Internal Reporting Systems from internal and external stakeholders.

SMBC Group has developed the Anti-Bribery Compliance and Corruption risk control framework.

• ●Group CEO has presented "Management's Commitment to the Prevention of Bribery and Corruption" and informed Group executives and employees to fully and completely comply with "Policies for Anti-Bribery (the "Policies")", in which the compliance to all applicable laws and regulations, the code of conduct, and the prevention of bribery and corruption are written.
• ●SMBC Group has "Policies" to prohibit bribery and facilitation payments in any form. We also have other related rules and procedures require that the appropriateness of the circumstances, value and purpose shall be carefully considered prior to the provision or receipt of business entertainment or gifts and that the applicable approval procedures are strictly followed. Providing and offering to provide gifts (Anything tangible or intangible of economic value, such as money, goods, service, provision of Business Entertainment, or recruiting employee relatives) on purpose to effect recipient is prohibited by the Policy. Receiving and demanding to provider in convenience on purpose is also prohibited by the Policy. Moreover, Iin the event of a violation, the Policies clearly provide for disciplinary actions including punitive dismissal. The Policies require to document the business entertainment and provision/receipt of anything of value, as well as the implementation of related training, in a prompt and accurate manner. For provision of Business Entertainment Gifts, we comply with all laws, regulations and policies including FCPA and UKBA. Acts only with proper purposes and manners are acceptable. Each company has its own judgment rules and approving procedures on provision of Business Entertainment Gifts. Before the provision, the providing department examines its content and confirmation, and the Compliance Department examines the risks involved.
• ●SMFG Compliance Department conducts annual risk assessments of bribery and corruption toward main group companies, SMBC subsidiaries and branches including overseas offices. It identifies our risk profile related to our business and its business partners, also evaluates the effectiveness of control measures. All results are reported to the management. In detail, questionnaire is sent to group companies, SMBC subsidiaries and branches, then answers will be analyzed and evaluated by perspective point of bribery and corruption risk. The result is reported to the Compliance Committees, and for the group companies, SMBC subsidiaries and branches, those had high risks will have consultation with SMFG Compliance Department to execute appropriate risk mitigating measures as stipulated.
• ●The "Policy", other related rules and procedures stipulates the rules of appropriate due diligence from bribery and corruption risk perspective before, and proper management will be conducted afterwards when considering security investment including M&A.
• ●For bribery and corruption risk of business relationships with third party including intermediary and subcontractor, risk assessment and due diligence are carried out periodically when newly making a contract, or in case that contract is for a long term. In detail, prior check and contract processes when outsourcing business to them are clarified based on the third-party risk management framework.
• ●Monitoring on compliance with the "Polices" and other related rules and procedures is conducted periodically by the Compliance and other relevant departments.
• ● The Compliance and other relevant departments run compliance training including anti-bribery and corruption trainings to penetrate proper understanding of the content, purpose and operation of the "Policies" and related rules, starting with anti-bribery and corruption to all employees. To enable reference at all time, the location of policies uploaded on internal intranet is provided in the training material. The attendance rate of training for all SMBC domestic offices was full for FY2021 again. Overseas subsidiaries and branches also complete them periodically according to the risk level. Moreover, group executive and employee from overseas and domestic shall sign the attestations that they will not engage in any bribery, corruption, or fraud in accordance with the policy.
• ●The Board of Directors is responsible for overseeing the operation of overall compliance framework on a global group basis, including the compliance and the execution of the Policies, other relevant rules and regulations. Group CCO regularly report to the Board about the progress in prevention of bribery and corruption. Under the direction and responsibility of the Group CCO, the SMFG Compliance Department plans the basic policy, and undertakes check and support for business units and other Group companies to secure Compliance.

In FY 2023, there was no material case found to be in violation of the Policies, nor the cost of fine and reconciliation.

SMBC Group has been committed to fulfilling its obligations for filing tax returns, making tax payments and reporting to the tax authority, whilst ensuring compliance with all tax laws, regulations and treaties across each jurisdiction.

In order to strengthen the tax compliance framework, SMBC Group has established the group tax policy.

Under this policy, SMBC Group will continue to fulfill its obligations for filing tax returns, making tax payments and reporting to the tax authority appropriately.

This policy was established based on a resolution of Group Management Committee and a report to Audit Committee and has been implemented under the co-responsibility of Group CFO and Group CCO.