NovaBank SA — Risk Management & Regulatory Compliance

The risk-management framework, SARB Prudential Authority licensing and prudential requirements, AML/KYC, and the regulatory-compliance approach.

NovaBank SA Business PlanSection 8 › Risk Management & Regulatory Compliance

Section 8 · Business Plan

Risk Management & Regulatory Compliance

The risk-management framework, SARB Prudential Authority licensing and prudential requirements, AML/KYC, and the regulatory-compliance approach.

Banking is a fundamentally regulated activity, and rigorous risk
management is the price of admission, not a competitive lever.
NovaBank’s risk and compliance function is being built to meet — and
from Year 3 onwards, to exceed — the SARB Prudential Authority’s
expectations for a Tier-2 bank, with explicit alignment to Basel III,
the Banks Act, COFI, FAIS, FICA, and POPIA.

8.1 Risk Governance Framework

Risk governance follows a Three Lines of Defence model:

  • First Line: Business units own their risks and
    execute control activities daily.
  • Second Line: Independent Risk, Compliance, and
    Information Security functions, reporting to the CRO and CCO.
  • Third Line: Internal Audit, reporting to the
    Board Audit Committee with full unrestricted scope.

8.2 Principal Risk Categories

Risk Category Description Primary Mitigant
Credit Risk Default in unsecured loan book; concentrated in lower-LSM segments Behavioural scorecard; concentration limits; ECL provisioning IFRS 9
Liquidity Risk Funding mismatch; deposit run-off in stress LCR > 110%, NSFR > 105%; diversified funding
Market Risk Interest rate repricing risk; minimal trading exposure Banking book duration limits; ALCO oversight
Operational Risk System outages; fraud; process failures RCSA; KRIs; Basel III ORSA capital allocation
Cyber Risk External attack; data exfiltration; ransomware 24/7 SOC; SARB Joint Standard 2; ISO 27001
Regulatory & Conduct FAIS, COFI, POPIA, NCA breaches Compliance Monitoring Plan; mandatory training
Financial Crime Money laundering, terrorist financing, sanctions Risk-based KYC, transaction monitoring, FIC reporting
Strategic Risk Failure to scale; competitor response Quarterly strategy reviews; scenario planning
Reputational Risk Customer complaints; social media incidents Tone-of-voice playbook; incident response team
ESG & Climate Risk Climate transition risk; loadshedding impact on cust. Climate Risk Framework aligned to TCFD/SARB CD7

Table 8.1 — Principal risk categories, descriptions, and primary
mitigants.

8.3 Regulatory Strategy

NovaBank is engaging with the SARB Prudential Authority on a Section
13 Banking Licence application. The team has held three pre-application
meetings during 2025 and has a detailed gap-and-readiness plan in place.
The licensing critical path is the binding constraint on the overall
implementation timeline.

Regulator / Body Scope NovaBank’s Engagement
SARB Prudential Authority Banking licence; Basel III prudential supervision Section 13 application T+0; target T+8 months
FSCA Conduct supervision; FAIS licensing for advice FSP application Q1 of Year 1
NCR Credit provision; NCA compliance NCR registration prior to credit launch
FIC AML/CFT compliance Risk-rated KYC framework certified
Information Regulator POPIA & PAIA Information Officer registered; PAIA Manual
Payments Association SA (PASA) Membership of payments system Application timeline aligned with launch

8.4 Capital Planning

NovaBank will hold capital substantially in excess of regulatory
minima during the early scaling phase, with capital ratios converging
toward more efficient levels as the business matures. Detailed capital
projections are provided in Section 15.

Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of NovaBank SA (Pty) Ltd.