Managing impacts, risks and opportunities [S4-1]

Customers are the foundation of our business. We build all processes, products and our communication around their needs, expectations and experiences. Our objective is to develop lasting, trust-based relationships that translate into customer satisfaction and financial security.

Our day-to-day cooperation with customers is grounded in respect, professionalism and empathy. We ensure that everyone – regardless of age or life circumstances – is treated fairly and with understanding.

We offer products in a responsible and transparent manner. We counteract misselling by tailoring our offering to customers’ genuine needs. We create solutions that support their financial stability and provide a sense of security.

We treat customer security as a paramount value. We continuously develop tools and procedures to protect personal data and financial assets. We adhere to the highest privacy standards, and our communication with consumers is based on honesty, reliability and responsibility. We avoid messages that could mislead, focusing instead on clear and understandable information.

We build customer relationships on the values that underpin our success:

PROSTO (STRAIGHTFORWARDLY), RAZEM (TOGETHER), ODWAŻNIE (BOLDLY), ODPOWIEDZIALNIE (RESPONSIBLY), Z DETERMINACJĄ (WITH DETERMINATION), OTWARCIE (OPENLY) and UCZCIWIE (HONESTLY).

Our relationships with customers are the result of deliberate choices, responsible practices and continuous improvement. To better understand which aspects of our operations shape consumer experience, we took a holistic look at our processes and customer interactions. Our aim was not only to assess benefits, but also to identify potential risks and areas requiring particular attention.

As a result of the double materiality assessment, we identified five areas that are critical to the quality of customer relationships:

  • Non-discrimination – ensuring equal treatment of all customers,
  • Access to products – removing barriers to using our offering,
  • Access to information – transparency and clarity of communication,
  • Consumer privacy and personal data protection – responsible management of information and data,
  • Responsible marketing practices – honesty and transparency in marketing messages.

Understanding the importance of these areas helps us design our activities more effectively, tailor our offering to customers’ real needs and build lasting, trust-based relationships.

The cornerstone of our day-to-day operations and of our values and standards is the Pekao Group Code of Conduct (the Code of Conduct), which ensures process transparency and alignment with best practices. We base all actions – internal and external – on the Code, carrying them out in line with ethical and professional standards.

The Code of Conduct sets out the principles we follow in our daily business activities. It is also our commitment to act in line with the highest standards in relations with colleagues, partners and customers. The provisions of the Code form the basis for other regulations and activities discussed in the following sections of the report. The Code itself is described in more detail in section [G1-1].

The Bank has a structured product lifecycle management process for customer products, covering their launch, modification and withdrawal from the offering. Its purpose is to establish a consistent framework to be met by all new and updated products, including insurance products. This process is governed by the Policy for the Process of Launching New Products at Bank Pekao S.A. (the New Product Launch Process Policy), which sets out the rules of conduct and risk areas related to bringing products to market. By applying a uniform approach, we can ensure high quality standards, compliance with applicable legal and internal regulations, and alignment with the Strategy.

Each new product and each modification require Management Board approval, and multiple organisational units are involved in the process. Under the New Product Launch Process Policy, the unit launching or modifying a product analyses it and ensures that it:

  • is aligned with the Strategy, including the ESG strategy and principles;
  • has a positive impact on customer experience (as determined based on customer experience impact assessment and research conducted on target customer groups);
  • meets internal financial, capital, profitability and accounting criteria;
  • has been assessed in terms of risks, including legal, compliance and reputational risk, operational risk (including complaint handling), credit risk, financial risk, and the risk of breaches of AML/CFT regulations and financial sanctions;
  • is handled in systems that ensure data and information security and have appropriate business continuity mechanisms;
  • is appropriately classified for FATCA and CRS purposes.

In accordance with European Banking Authority (EBA) guidelines, prior to:

  • launching a new product on the market,
  • offering an existing product to a new target market,
  • modifying an existing product,

the implementing unit is required to carry out product testing. We perform such tests under various scenarios, including stress conditions, which allows us to assess product impact on customers and identify potential weaknesses in the offering. Test results are an important source of information for supervisory authorities and support efforts to protect consumers’ interests.

As part of our marketing activities, we systematically measure the quality of customer experience and customer needs, conducting research as early as the product and service design stage. This helps us better understand customer expectations and develop solutions that are attractive and easy to understand.

In designing banking products, we focus on accessibility and transparency. Customer experience in working with the Bank matters to us. That’s why we understand ESG as active customer experience management: we listen, analyse and respond to build relationships based on trust and real needs.

Customer experience management is a strategic approach to building and improving every interaction a customer has with the brand; therefore, in 2024, we implemented the Customer Experience Management Model (the Model). Its objective is to increase customer satisfaction and loyalty by delivering consistent and positive experience. The Model is based on data analysis, journey mapping and continuous process improvement based on customer feedback and needs.

The Model operates through individual modules:

  • Customer experience strategy – sets the direction for our development towards becoming the market leader in customer satisfaction and loyalty in banking. How customers perceive us changes with their experiences arising from their relationship with us, which is why we regularly collect customer feedback to adjust our actions both in the short and long term to their changing expectations.
  • Measuring customer experience – provides employees with information needed to make the right business decisions and identify areas requiring improvement.
  • Improving customer experience – based on a model that defines the roles and responsibilities of individual Bank units in planning, monitoring and optimising processes and solutions. It involves identifying and eliminating so-called “pain points” along customer journeys. This enables better processes, products and services and helps create exceptional experiences. As a result, we increase customer satisfaction and loyalty and support the creation of competitive advantage.
  • Customer-centric culture – is the foundation of the Model and an integral part of our Strategy. It focuses on building an organisational culture in which the customer is at the centre of everything we do. We aim for a lasting shift in mindset and behaviour, so that every decision is made from the perspective of value delivered to the customer.

We aspire to be a modern, dynamic bank focused on meeting customers’ needs at every stage of their lives. It is very important to us that contact with the Bank is a positive experience across all touchpoints. This means professional advice, simple procedures and fast decisions, as well as a complete and flexible range of products for all customer segments. At the same time, we pay particular attention to the quality of communication and the creation of customer-friendly, readable documentation, on the assumption that positive customer experience depends on all of us. It is customer experience that builds and strengthens the Bank’s brand.

To improve the accessibility of our services, in September 2024, we launched the Pekao without Barriers project, which prepares our organisation for the requirements of the Act of 26 April 2024 on ensuring that certain products and services meet accessibility requirements by economic operators, which have applied to us since 28 June 2025.

The project aims to:

  • provide the highest quality customer service, regardless of the point of contact with the Bank – taking specific needs into account;
  • remove barriers to access to banking services;
  • increase the accessibility of services offered;
  • raise awareness and train employees on accessibility solutions tailored to people with specific needs.

The Project covers people with specific needs who, for various reasons, must take additional actions or use special solutions to overcome barriers and participate in different areas of life on an equal basis with others. This includes, among others, persons with disabilities, seniors, pregnant women and people travelling with small children.

When designing a branch, we ensure that it:

  • is equipped with all necessary facilities for persons with disabilities, including a call/assistance system;
  • provides unobstructed access to all rooms – without thresholds, steps or other obstacles;
  • has door and corridor widths compliant with applicable regulations;
  • has entrances that are easily accessible – where access requires climbing stairs, we ensure that a ramp, lift or other mechanism facilitating movement is provided.

The unit coordinating project delivery is the Key Quality Projects Section within the Customer Experience Management Department.

In the area of human rights compliance, we are guided both by applicable laws and by best market practices. In the Pekao Group, all reports, including those concerning human rights violations, are carefully analysed and handled in accordance with applicable procedures. Due to the nature of such incidents, we do not quantify them or estimate their level of materiality. Detailed information is available in section [S1-1].

We believe that every piece of information addressed to customers can shape their decisions. Responsible promotion is therefore an essential part of building trust. Every marketing message, every advertising campaign and every product communication must not only capture attention, but above all provide reliable and honest information, with full respect for the customer’s decisions.

In the Pekao Group, we carry out promotional activities based on transparent knowledge of the products we offer, taking into account potential risks arising from changing macroeconomic conditions or regulatory action. Our communications comply with applicable laws, supervisory authority guidance, the principles of fair dealing in the financial market and good practice – and we respect customers’ preferences regarding the receipt of marketing content.

The framework for these activities is provided by the Marketing Policy of Bank Pekao S.A. (the Marketing Policy), which stems from, and further elaborates on, the Marketing Strategy. The document was introduced to structure all areas of marketing activity in the Bank and to implement organisational solutions that enable marketing processes to be improved and optimised. It covers particularly areas such as brand/image communications, content marketing, digital marketing, media planning and buying, event organisation, marketing research and internal communications.

The standards for marketing communications are set by the Rules for Creating Marketing Communications of Bank Polska Kasa Opieki Spółka Akcyjna (the Rules for Creating Marketing Communications), which define the overarching principles for ensuring that messages are compliant with legal regulations, the Bank’s internal guidelines, recommendations of industry organisations of which the Bank is a member, and the values that define our identity. It should be noted that, for the Pekao Group, a document entitled the Policy for Cooperation in the Area of Communication and Marketing within the Capital Group of Bank Polska Kasa Opieki Spółka Akcyjna. Policy for Managing the Brand Architecture of the Capital Group of Bank Polska Kasa Opieki Spółka Akcyjna has been developed. This document serves an analogous purpose to the document described above; however, its provisions apply across the entire Group, ensuring consistency and a uniform approach throughout the organisational structure.

Marketing communications in the Pekao Group are addressed to all audience groups, regardless of age, gender or origin. Every message is created with full respect for diversity and the dignity of the customer. Discrimination – in any form – is unacceptable and has no place in our activities.

Our Rules for Creating Marketing Communications clearly state that no product or service may be presented as entirely risk-free, nor in a way that would suggest an interest rate lower than the actual one. As an institution whose credibility is built on transparency and honesty, we are committed to providing accurate information on the terms of the services we offer. We precisely define the information that must be included in marketing materials, and the form and content are tailored to the needs and capabilities of the audience.

To ensure compliance with applicable regulations and internal standards, all advertising materials are subject to consultation with the Compliance Department, and the assessment of non-compliance risk is an integral part of the communications development process.

With regard to investment products, in line with the Rules for Creating Marketing Communications, any information provided by the Bank to customers – including information disseminated for advertising or promotional purposes – must be presented in a reliable manner and clearly highlight the risks associated with the investment and the possibility of losing part of the invested funds. Risk information is presented in a font size at least equal to the font size used to communicate any potential benefits of the product; additionally, the layout used ensures that such information is clearly visible. These materials are addressed exclusively to customers who, on the basis of the MiFID questionnaire completed by them, fall within the target market for the relevant investment product, in order to minimise the risk of presenting a product that is not appropriate to the customer’s knowledge and expectations.

We know that customer trust is a value built over many years, and one of its pillars is a responsible approach to personal data protection. In a world where digital interaction with financial institutions is becoming everyday practice, privacy management is no longer merely a regulatory obligation, but a strategic commitment to customers.

At the Bank, we have embedded personal data protection into operational and regulatory structures as a permanent element of organisational culture. Every process and decision – from service design through to day-to-day operation of the Bank – takes into account information security principles and respect for privacy. We have clearly defined accountability for this area: from the Management Board, through unit directors, to every employee who processes data as part of their job responsibilities.

Our comprehensive approach to security management (including cybersecurity) is set out in the ICT Security Strategy for 2025–2027 (the Security Strategy), which focuses on strengthening the organisation’s resilience to digital threats and ensuring the highest level of customer data protection. The Security Strategy assumes the development of competencies relating to modern technologies and the implementation of solutions supporting the secure operation of banking services. The document plans actions in areas such as:

  • Artificial intelligence and machine learning (AI/ML) – implementing security mechanisms and risk assessment principles for new technologies.
  • Cloud services security – developing competencies and implementing technical and organisational solutions in this area.
  • Identity and access management (IAM) – implementing systems supporting the control of permissions and access.
  • Compliance with ISO standards – preparation for certification and ongoing improvement of the information security management system.
  • Education and communication – activities increasing awareness among employees and customers, including ambassador programmes and information campaigns.

On the technology side, we are implementing new mechanisms to support the secure use of digital solutions. We carry out risk analysis and develop risk assessment principles that will be applied in implementation processes. We carry out these activities in a coordinated manner, taking organisational and operational needs into account.

The Security Strategy also covers the development of policies and procedures related to access management and information security, as well as preparations for implementing standards aligned with international norms. We monitor and continuously improve the solutions implemented, and we assess their effectiveness based on periodic reviews and internal reports.

As part of the Security Strategy, we run an educational programme for employees aimed at increasing cybersecurity awareness. In parallel, we carry out informational and educational activities for customers, including media campaigns and initiatives designed to increase knowledge about threats and how to avoid them.

The Security Strategy in force at the Bank is universal in nature and applies to all customers. The document takes into account commitments relating to respect for human rights and compliance with international guidelines on responsible business conduct. The implementation of the Security Strategy is carried out in line with the adopted principles of oversight and accountability.

Implementation of the Security Strategy is monitored on an ongoing basis using a management information system, including periodic reports on the security status of the ICT environment. In addition, reviews of information security documents and compliance audits will be conducted against applicable regulations, including the national cybersecurity system. The results will be reported to the relevant supervisory authorities and committees, enabling progress to be tracked on an ongoing basis and improvement actions to be taken. Further information on the customer data management process is provided in section [S4-2].

Minimum reporting requirements for policies:

| POLICY NAME | LINK TO IRO | APPROVING BODY | SCOPE (BANK/GROUP) |
|---|---|---|---|
| Pekao Group Code of Conduct | Non-discrimination | Management Board of the Bank | Group |
| Policy for the Process of Launching New Products at Bank Pekao S.A. | Access to products; Access to information | Supervisory Board | Bank |
| Bank Pekao Strategy for 2025–2027 | Access to products | Supervisory Board | Group |
| Customer Experience Management Model | Non-discrimination; Access to products; Access to information | Division Director | Bank |
| Rules for Creating Marketing Communications of Bank Polska Kasa Opieki Spółka Akcyjna | Responsible marketing practices; Access to information; Non-discrimination | Management Board of the Bank | Bank |
| Policy for Cooperation in the Area of Communication and Marketing within the Capital Group of Bank Polska Kasa Opieki Spółka Akcyjna. Policy for Managing the Brand Architecture of the Capital Group of Bank Polska Kasa Opieki Spółka Akcyjna | Responsible marketing practices; Access to information; Non-discrimination | Management Board of the Bank | Group |
| Marketing Policy of Bank Pekao S.A. | Responsible marketing practices | Management Board of the Bank | Bank |
| ICT Security Strategy 2025–2027 | Consumer Privacy | Management Board of the Bank | Bank |
