EFTA01356561.pdf

• Koy now / amended controls have boon identified and clearly described (including what the control activity is, why it takes place at the right time, adequate frequency, what its typo is (manual vs automated, detective vs preventive), how it is evidenced). These controls are operational and have an owner identified who is suitable (adequate seniority, skies as well as adequate segregation of duties). Where relevant, cover arrangement is in place to enable sustained operation in the absence of the control owner • These key controls together with additional romodiation activity of legacy conorns whore applicable fully mitigate the finding risk and address as root cause. • Where the finding owner has indicated new contra play a role in Fraud I Misconduct identification / remediation, ther effectiveness in that capacity is justified. • The new process, control or methodology have appropriately been documented to g KOP. desktop procedure or methodology document). including roles and responsibilities • Relevant policies / procedures have been approved, and the approval evidence was provided. It includes details of who (role or forum) approved the documents I new process and this seems appropriate. It has been mentioned in the template if no formal approval is required. • Amended policies / procedures where applicable have been published on the Policy Portal. The latest version has been provided. • Where finding remodation includes a model change, evidence was provided that relevant model change governance has been followed (validation approval as per the Model Risk PolloY). • Reath/ton appears to be sustainable based on the finding owner documentation. For F3- F4 findings and obligations. this is evidenced by submission of the adequate number of sample/evidence of the operation of the control as per appendix 2 for each new/materially amended key control. • Where relevant, the necessary communication / training has been given on any revised processes or controls. • Where there are new / material systems changes, the fiRDs have been signed off by appropriate SMEs, UAT has been signed off and changes are live. For any IT implemegation(s) that yet has to happen (e.g. once regulatory approval has been sought and obtained for a methodology change): budget and timeline have been agreed with IT and evidence is provided of this. For internal use only Pax 10 C" 12 CONFIDENTIAL - PURSUANT TO FED. R. CRIM. P. 6(e) DB-SDNY-0042469 CONFIDENTIAL SDNY_GM_00188653 EFTA01356561