Actions on material impacts on consumers and end-users [S4-4]

We place the customer and service quality at the centre of our attention to make contact with the Bank a positive experience. In line with the objective of our Strategy, we will:

• monitor customer experience systematically, rather than ad hoc;
• develop a service model that reflects changing customer needs;
• simplify communications and increase the intuitiveness of digital solutions so that customers choose remote channels as their first contact option with the Bank.

As a result of these actions, we expect the NPS indicator to increase to the level assumed in the Strategy. Our aspiration is therefore to be among the top three banks in the NPS ranking in mass-market segments.

At present, we focus on supporting business opportunities that foster the creation of positive value for customers. This means that we:

• increase customers’ product uptake,
• tailor the offering to customers’ needs – user-friendly in everyday use, with fewer formalities and faster processes,
• incorporate customer feedback into designed solutions and analyse customer opinions,
• simplify content, avoid unnecessary jargon, and write in plain, understandable language,
• use various customer contact channels,
• build loyalty by recognising long-standing customers,
• manage branch traffic to direct customers to the appropriate service desk,
• optimise solutions to improve the intuitiveness and accessibility of electronic banking,
• improve processes to make loan servicing more convenient and enhance the quality of ongoing loan servicing.

Ensuring accessibility is a priority for us. We want every customer to assess their experience of contact with the Bank positively. We consistently strive to ensure that people with specific needs, including people with disabilities, can use our services freely, regardless of their individual limitations. We have launched a dedicated webpage [Pekao bez barier (Pekao Without Barriers)], which provides detailed information on measures supporting people with specific needs.

Our approach to accessibility is also consistent with the assumptions of the Polish Accessibility Act, which sets the standards to which we adapt our products and services in digital and information/communication terms.

Digital accessibility

We want everyone, regardless of skills or limitations, to be able to use the services and products offered by the Bank fully. We strive to ensure digital accessibility in line with legal requirements and best practice.

At the beginning of 2025, the Bank carried out an accessibility audit of mobile and online banking, assessing compliance with the Act of 26 April 2024 on ensuring compliance with accessibility requirements for certain products and services by economic operators, and thus with the international WCAG 2.1 standard. Based on the audit results, we took actions to adapt electronic channels to WCAG requirements:

• we add descriptions to non-text content and introduce captions for deaf users in audio-video recordings,
• we ensure content is displayed correctly on different devices regardless of type, size and screen format,
• we enable text enlargement without loss of clarity and readability issues,
• we provide sufficient time to complete actions, without unexpected content changes,
• we enable easy keyboard navigation without the need to use a mouse to proceed, across many components of our subpages,
• we provide the ability to adjust the volume level of our informational materials independently of system-wide settings,
• we do not publish content that could increase the risk of epileptic seizures,
• we expanded the branch and ATM finder with additional filters for available accessibility facilities.

With a view to ensuring full accessibility, our website and the PeoPay mobile application have been designed so that every user, regardless of their abilities, can use electronic banking functions comfortably. Thanks to the implemented solutions, customers already have access to most Pekao24 service functions with the support of assistive applications such as screen readers.

To further raise accessibility standards, we have introduced additional solutions facilitating the use of our services by people with diverse needs, such as:

• consistent identification of elements used across electronic channels,
• full screen responsiveness, enabling content to be displayed without the need for two-dimensional scrolling,
• easy navigation – menu elements and other navigation mechanisms are always in the same place and in the same order,
• comfortable use of buttons and other page elements,
• no cognitive function tests during authentication.

However, we recognise that adapting our website and application is a continuous process, and we continue to work on implementing further improvements so that our solutions best meet the needs of all users.

Information and communication accessibility

Clear communication with customers is not only a standard for us, but the foundation of trust-based relationships. That is why we prepare documents relating to retail banking products and services in a transparent and accessible way, using language consistent with the plain banking communication standard.

At the Bank, we focus on simplicity and clarity of messaging. We communicate in a partner-like manner, meaning that our content is phrased so that it can be understood without additional explanation:

• we use friendly language – in documents we use language so that no one has to waste time understanding it,
• we use personal forms of address – we do not create distance; we often address customers directly,
• we write in an accessible format – we format content clearly, so it is easy to read,
• we shorten content – we remove unnecessary words and phrases that only make the text longer,
• we are specific – we provide customers with the most important information.

At the request of customers with specific needs, we make standard bank document templates available in the following formats:

• audio recording,
• video recording in Polish Sign Language,
• Braille printout,
• printout in enlarged font.

To ensure the accessibility of our services for all customers, we introduced into internal regulations special provisions governing the conclusion of loan agreements with persons who do not speak Polish. This ensures that every customer, regardless of their language skills, can fully understand the terms of the products offered.

Information on available services and the rules for their use has been described clearly and transparently in agreements and regulations, so that it constitutes a legible source of knowledge necessary for informed use of the Bank’s offering.

Accessibility also means being able to contact customers at any time, which is why our helpline is available 24 hours a day, 7 days a week at the following phone numbers:

• 519 222 222 for Retail and Premium Customers,
• 22 591 20 10 for Private Banking Customers.

Where necessary, we also provide service in Polish Sign Language in the form of a video call, on business days between 9.00 and 17.00 – [service in Polish Sign Language]. We provide alternative contact methods, such as chat or a contact form, on the Bank’s website – [contact].

Architectural accessibility

We want everyone – regardless of mobility limitations – to be able to use our branches and partner outlets. We have prepared information on the architectural accessibility of outlets, which we publish on our website: [outlets and ATMs].

Our customers can also filter the necessary facilities using the following criteria:

• accessible for wheelchair users without assistance – the immediate surroundings and service area allow a wheelchair user to move independently;
• accessible for wheelchair users with assistance – there are obstacles in the immediate surroundings or service area that mean a wheelchair user requires an assistant or support from our employee;
• parking nearby;
• parking with designated spaces for persons with disabilities.

In addition, guide dogs are allowed to enter all our branches and partner outlets.

To better identify customer expectations and present a tailored offer, we use tablets that support the needs identification process. We enable agreements to be signed via the PeoPay mobile application or by SMS, which increases convenience and service accessibility, especially for those who prefer remote forms of contact.

Our aim is to create a banking environment in which every customer, regardless of their capabilities, can count on professional, empathetic service tailored to individual needs.

ATMs and cash deposit machines

We treat access to self-service devices, such as ATMs and cash deposit machines, as an important element of ensuring full accessibility of our services. We want every customer to be able to use these solutions freely and without obstacles. On our website, we have provided a list of ATMs and cash deposit machines in the [outlets and ATMs] tab, including information on location and available facilities, and the ability to filter using the following criteria:

• accessible for wheelchair users without assistance – the immediate surroundings allow a wheelchair user to move independently;
• accessible for wheelchair users with assistance – there are obstacles in the immediate surroundings that mean a wheelchair user requires an assistant or support from our employee;
• contactless transactions – the function is activated by holding the card or phone close to the reader. The course of a contactless transaction is identical to a traditional transaction.

All our ATMs and cash deposit machines have Braille markings on the function keys, near the reader, the receipt printer and the cash dispensing area, as well as a tactile mark on the keypad on the “5” key.

Complaints about lack of accessibility

Anyone who notices that our products or services are inaccessible for any reason may report this to us in the manner described on the [dedicated webpage].

We delivered mandatory training for all Bank employees on supporting people with different needs in accessing products and services, and we implemented a procedure comprehensively regulating the Bank’s activities regarding the accessibility of the retail banking offering.

One of the key elements of building trust and positive customer experiences is ensuring full, transparent and understandable access to information. We believe that customers should be able to obtain information easily about products, services, terms of cooperation and their rights and obligations. Transparent communication not only supports informed decision-making but also strengthens a sense of security.

We base customer communication on the principles of accessibility, clarity and inclusiveness, so that everyone – regardless of age, experience or other circumstances – can use our services freely. We pay particular attention to seniors, for whom we have prepared a dedicated information space on the [Senior Zone] webpage, where we publish practical tips on getting started with online banking.

With the youngest users in mind, we offer products tailored to their age and needs, including the PeoPay Kids application for teenagers, equipped with a parental control panel. It enables young customers to learn how to manage their finances in a safe environment and build positive habits, such as saving supported by the “money box” function and an educational game available in the PeoPay app.

As part of our educational initiatives, we also developed an in-house report dedicated to financial education for children aged 6 to 13, representing our contribution to building the economic awareness of the youngest generations.

For the youngest customers of our Bank who began their journey into the world of finance, in 2025, on the occasion of the 5th anniversary of the PeoPay KIDS application, we prepared a series of six audiobooks “Bajki Oszczędzajki” (Saving Tales), combining education with engaging entertainment – [Bajki Oszczędzajki – Bank Pekao S.A.].

Together with the Universal Reading Foundation, we also developed a children’s book entitled “Porwanie Pani Złotówki” (Kidnapping of Mrs Zlotówka). It is an engaging adventure that teaches that it is worth being guided by friendship, common sense and honesty, while also explaining what money is and how saving works. The book is available both online and in print form in selected Bank branches – [Czytanie się opłaca (Reading Pays Off – Bank Pekao S.A.]. We also published the report [Finansowy świat dziecka (Financial World of a Child)], which shows how the need for children’s financial education among Poles is increasing.

We deliver services within the Pekao Group based on competence, professionalism and responsibility towards customers. The solutions we propose are designed with their real needs in mind and in compliance with consumer protection requirements. We do not use practices that could infringe the collective interests of consumers. We avoid situations in which a customer does not receive reliable, truthful and complete information, in particular information that is key to making an informed decision, such as product price or functionality. We do not allow prohibited contractual clauses, unfair market practices or actions constituting unfair competition.

We actively counteract misselling, i.e. offering financial services that do not correspond to the customer’s real needs or are presented in a manner that is inadequate to their nature. Our aim is to build relationships based on trust, transparency and responsibility, which translates into high service quality and consumer safety.

Transparent product information is our starting point for understanding the topic of “access to information” – we feel responsible for actively supporting the development of financial knowledge in society, including among our customers. Financial education is an integral part of our activities, implemented through various initiatives aimed at increasing awareness and competence in financial management. We carry out a range of initiatives such as educational programmes, seminars, workshops, information campaigns and thematic guides available on the website, supporting the development of financial competences.

These activities focus on issues related to personal finance management and household budgeting, and cover investing, saving, using banking products and applications (e.g. PeoPay), as well as matters related to financial risk. Our goal is to provide practical knowledge that enables customers to make informed financial decisions and build a stable future.

As part of the double materiality assessment, we considered potential risks that may arise in the area of cooperation with customers and consumers. In the course of this work, we identified a risk which – despite a range of measures taken – may still occur. It relates to the possibility of misleading customers, including in connection with free credit sanctions (hereinafter: FCS) and unauthorised transactions.

Recently, we have observed a gradual increase in the number of lawsuits and complaints in the FCS area, although their scale remains limited relative to the size of the portfolio. Court proceedings cover approximately 0.15% of agreements in the portfolio and, in most cases – around 88% – judgements are favourable to the Bank. Nevertheless, judgements adverse to the Bank (including, potentially, rulings of the CJEU) may increase the scale of impacts and the number of outcomes unfavourable to the Bank.

The Bank takes actions to mitigate this risk, in particular by adapting template agreements and the method of calculating the APRC to the Consumer Credit Act (Article 45 of the Consumer Credit Act – where a lender breaches consumer rights by omitting or including incorrect statutory clauses, the borrower, upon submitting an appropriate request, repays the credit without interest and other credit costs due to the lender).

To further reduce SKD exposure, we also take operational and product measures, including:

• limiting the scale of new sales with potential FCS risk – the new sales volume carrying SKD risk decreased from 73% in January 2024 to 38% in June 2025. The share of agreements with financed commission also fell from 56% to 2% (short-term small loans with a low level of FCS risk). As a result of pricing policy changes from Q3 2024, the sale of commission-free loans has become dominant.
• In addition, from 1 August 2025, we introduced new solutions resulting in discontinuation of the sale of new agreements carrying FCS risk, i.e.:
  • a CPI product with a non-financed monthly premium, which replaced CPI credit insurance withdrawn from sale,
  • a credit account model enabling commission to be charged without charging interest on it.
• refinancing agreements carrying FCS risk from the existing portfolio into new loans (the share of cash loans in the Bank’s portfolio carrying FCS risk fell from 74% in January 2024 to 55% in June 2025). We assume that the pace of the portfolio decline will accelerate in the following quarters due to measures taken to increase the scale of refinancing and the absence of growth in new agreements carrying FCS risk as a result of the discontinuation of sales of new agreements with financed CPI.

On 13 February 2025, the Court of Justice of the European Union (hereinafter: the “CJEU”) delivered a judgement in case C-472/23 concerning aspects of applying the free credit sanction. The ruling highlights the importance of properly informing consumers about the total cost of credit and the annual percentage rate of charge, which may affect the interpretation of provisions applied in domestic proceedings.

The allegations most commonly raised against banks in cases concerning consumer credit include, among others:

• breach of Article 30(1)(7) of the Consumer Credit Act – indicating an incorrect total amount payable by the consumer determined on the date of concluding the consumer credit agreement and an incorrect APRC, resulting from (in consumers’ view) the unauthorised charging by the Bank of interest on the financed commission for granting the credit (financing and charging interest on the credit granting commission), or on other financed costs;
• breach of Article 30(1)(10) of the Consumer Credit Act – failure to show the condition determining a change in credit costs resulting from early repayment of the credit or the application of the free credit sanction.

The CJEU judgement, as well as observed changes in the case law of domestic courts, may affect market practices relating to consumer credit in the future. The Bank continuously monitors the situation and implements measures to align processes, documentation and customer communication with applicable laws and consumer expectations.

Situations that may pose challenges both for customers and for the organisation are inevitable in dynamic financial services environment. Unauthorised transactions are one such threats – payment transactions to which the payer has not given consent in the manner provided for in the agreement between the payer and the payment service provider, e.g. a situation in which a third party (a fraudster) gains access to authentication data and carries out a transaction using it. Although authentication was completed correctly, due to the absence of the customer’s consent to the execution of the transaction, i.e. because third parties (fraud) were involved in carrying out the transaction, such a transaction is considered unauthorised.

To enhance customer security and reduce the number of unauthorised transactions, we continued implementing technological, system and organisational solutions in 2025, in particular:

• we carried out educational campaigns aimed at customers on threats, fraud methods and ways to avoid them;
• we implemented further transaction monitoring functionalities in systems and anti-fraud modules, including new rules identifying suspicious transactions;
• we introduced changes to the mobile app to enhance the security of the app activation process. The new process covers both activation of the app on the first device and on subsequent devices;
• we implemented a solution enabling the rapid blocking of corporate customers’ payment cards via the online banking service – both by the customer and by the system operator on the Bank’s side;
• we implemented a solution to enable strong customer authentication in e-banking for operations involving deactivation of access to internet banking channels;
• we implemented a solution to enable strong customer authentication in e-banking for operations involving deactivation of access to internet banking channels;
• we implemented a solution in e-banking to introduce access restrictions for functionalities related to cross-border transfers that are not used by customers;
• we implemented a mechanism enabling the temporary disabling or limiting of the ability to execute card transactions after “tokenisation”;
• we implemented an industry-wide behavioural biometrics solution, under which a customer using the services of one bank offering this solution can be protected across all other institutions using the same industry solution;
• observing the direction of changes in the banking sector, we made successive amendments to internal regulations to improve the process for handling unauthorised transactions.

As a result of these actions, we increased the level of security for retail and corporate customers and, by implementing more effective detection and prevention mechanisms, we optimised the number of unauthorised transactions. In addition, the initiatives undertaken contributed to improved compliance with sector regulations and recommendations of the Polish Financial Supervision Authority (KNF).

In 2025, we actively promoted insurance products — i.e. CPI PEX, CPI KH, Life Insurance and Property Insurance — which provide protection for customers, including in situations where, as a result of adverse events affecting the customer, further repayment of a loan or credit would be difficult.

We monitor the quality of the insurance products offered with great care, supported by cooperation with reputable insurance companies and regular analysis of customer complaints, refusal rates and claims ratios.

In line with the Good Practices for CPI insurance, we also began a process of periodically informing customers about the policies they hold that were purchased through the Bank. This increases customer awareness of the possibility of using the benefits arising from the insurance contracts concluded. In the past year, we introduced significant changes increasing value for the customer – in August 2025 with respect to CPI PEX Insurance, and in October 2025 with respect to Property Insurance.

In 2025, we carried out an extensive training programme aimed at increasing by approximately 1,000 the number of employees holding regulatory authorisations to offer investment funds. As a result, customers in every retail branch have access to the Pekao TFI offering, which is an important step towards improving the quality of financial advice and increasing the availability of investment services.

As part of implementing Security Strategy 7, we undertake actions to enhance customer security in the personal data protection area. We introduce solutions supporting safe use of banking services, including identity verification mechanisms and safeguards for communication with the customer, e.g. by developing functions in mobile apps that support identification of the employee and the customer, which significantly increases the security of telephone contacts with customers and minimises the risk of customers losing funds as a result of fraud.

To reduce the risk of data leakage, we implement security mechanisms aligned with current technological standards, including solutions supporting the safe use of AI technologies. These actions are tailored to the needs of different customer groups, including less digitally advanced customers, seniors and young people.

We also carry out educational and communication activities in the area of cybersecurity, including information campaigns and training for customers and employees. To increase awareness of cybersecurity, we run the cyberPEKAO educational programme, which includes, inter alia:

• training sessions and webinars for the Bank’s employees and customers, as well as workshops for children, young people and seniors as part of CSR;
• organisation of cybersecurity-related events (Cybersecurity Days in Bank branches, the cyberPEKAO Academy – a conference for customers and employees);
• sponsorship and partnership at events strengthening social resilience to cyber threats – Cyber24 Day, the IN.SE.CON International Cybersecurity Congress, the Confidence conference;
• internal communication (information published on the security portal, news updates, e-mails addressed to employees);
• external communication (e.g. CRM, the Bank’s website, social media, notifications in the mobile app, radio broadcasts);
• cooperation with the CyberDefence24 portal covering cybersecurity topics, which hosts a dedicated Bank zone;
• publication of a cybersecurity comic book for children, issued jointly with the CyberDefence24 editorial team;
• publishing cooperation in the field of society’s digital education in projects such as Scamming Out and Entrepreneur’s Educator;
• a nationwide educational campaign “cyberPEKAO – a sign that protects” (online campaign + social media);
• cooperation with the ISSA Poland Association and support for the “Digital Senior” project, as well as preparation and development of educational materials for seniors.

In 2025, we allocated more than PLN 2,900,000 gross (OPEX) to the cyberPEKAO programme. We monitor the effectiveness of the campaigns carried out, inter alia, by analysing reach and audience engagement.

We provide customers with information on the principles of data processing and the actions taken in a manner tailored to the communication channel. To mitigate the risk of improper management of customer data, we have appropriate procedures for informing Data Subjects – i.e. individuals to whom the data relate – about potential data protection breaches. We also provide customers with information on how to minimise the adverse effects of such incidents and how to avoid them in the future. In correspondence concerning complaints, we inform Data Subjects about the detailed rules for processing their personal data by the Bank or, where applicable, by BIK (Biuro Informacji Kredytowej – Credit Information Bureau). In addition, the Bank’s Information Security Section analyses feedback received from the Personal Data Protection Office in the context of personal data protection breaches or complaints submitted by data subjects.

The primary way we assess the effectiveness of our consumer‑privacy safeguards is by analysing feedback from the Personal Data Protection Office, particularly in relation to the Office’s responses to:

• data protection breaches reported by the Bank and the actions taken to remedy their adverse effects; and
• complaints submitted to the Office by data subjects and the actions taken in response.

We conduct information and awareness‑raising campaigns for customers, for example on online fraud. T The Data Protection Inspector’s Department (DPID) reviews customer communications intended to increase awareness of various forms of fraud, such as phishing.

Implementing these actions across the Pekao Group requires significant resources, including qualified staff time and the maintenance of the necessary infrastructure.