Our company has established internal controls in accordance with the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries". The system covers all business activities and require joint compliance by the Board of Directors, management, and all employees. The Board of Directors shall be aware of the operational risks faced by the company or business, supervise its operating results and bears the ultimate responsibility for ensuring the establishment and maintenance of appropriate and effective internal control system.

To improve the internal control system and strengthen the Company's controls, we established three lines model in internal controls and clarified the roles and scope of duties of the three lines model to ensure the organization structure meets the principles of the three lines model and their effective operations.

Business units are responsible for identifying, evaluating, controlling, and reducing risks derived from business activities based on their respective functions and scope of businesses. We established internal control procedures and execute risk management procedures to ensure that the execution of business operations meet the business policies and goals. We also organize self-inspection and self-assessments for internal controls and immediately propose improvement plans when processes and control procedures prove to be inadequate. According to the Company's 2023 "Compliance Risk Assessment Report", which was submitted to the Board of Directors for review before being approved in June 2024, the Group reached 100% in terms of the rate of conducting corruption risk evaluation for its domestic and overseas business locations. In particular, AML and employees' related personal activities were evaluated to be medium-to-high risk. The subsidiary bank, securities company, investment trust company and life insurance company have all formulated related internal guidelines for control and management, in order to reduce the risk of corruption.

The second line roles include the Risk Management, Compliance, and other units with related tasks (e.g. financial control, human resources, and legal affairs) which are responsible for formulating overall risk management policies for main risks, supervising overall risk-bearing capacity and current status of risks already incurred, and reporting the risk management status to the Board of Directors or senior management.

FFHC, First Bank, First Securities, First Securities Investment Trust and First Life Insurance have all established dedicated compliance units reporting to the president in accordance of the law. Other subsidiaries also appointed the Chief Compliance Officers at their head offices. The Chief Compliance Officers are responsible for the planning, management and execution of the regulatory compliance system at their respective companies. FFHC is continuing to require all subsidiaries to enforce their compliance systems. Related developments in 2024 are as follow:

In 2024, the Company and its subsidiaries were penalized in four cases by Taiwanese and overseas competent authorities for a total sanction amount of around NT$670,000. There were no major penalty cases＊

FFHC's Board of Directors is the top policy-making unit when it comes to Group risk management. A "Risk Management Committee" has been established under it. The Chairman serves as the committee chairperson, while the President, VPs and the chairmen and presidents of subsidiaries serve as committee members. A meeting would be convened once every two months to supervise and examine the effectiveness and implementation status of the Group's and each subsidiary's risk management, which is reported to the Board of Directors on a regular basis. The Risk Management Department is responsible for carrying out various risk management policies.

The Company has imposed caps on the maximum risk undertaking for the Group's and its subsidiaries' credit extensions and investment operations in order to control the Group's large risk exposures; The subsidiaries have set their respective capital adequacy ratio (CAR) alarm levels for various industries in order to maintain the Group's CAR; The Group regularly reviews its subsidiaries' main risk monitoring indexes, including credit risk, market risk, interest risk, liquidity risk, insurance risk, operational risk and emerging risk, in order to faithfully implement the early-warning and stop loss mechanisms; Effective internal control systems are implemented to reduce possible losses caused by risks.

Each subsidiary company would formulate its own control & management procedures for credit risk, market risk, interest rate risk, liquidity risk, insurance risk, operational risk and emerging risk, based on the characteristics of its business operations, including establishing and implementing the power delegation mechanism, quota management, monitoring indicators and reporting procedures, etc. The functionality of risk management is implemented through monitoring indicators as well as regular self-evaluations. Additionally, audit units would regularly check and verify the implementation status of risk management to ensure that the risk management mechanism is operating effectively.

As the types of global emerging risk items and related incidence gradually rise, the Company has also separately formulated the "Emerging Risk Management Guidelines" so that the Group can enhance corporate governance and administer assessments of emerging risks (such as trade war, global epidemic diseases, climate emergencies, information security risk, etc). By doing so, we have established a Group-level management mechanism for emerging risk items. The Company also adds or amends various risk management regulations and monitoring indicators in accordance with regulatory requirements or changes in the economic environment. In 2024, we additionally formulated the "Directions for First Financial Group's Management of Climate Change Risks", and amended related regulations such as the "Directions for FFHC's filing for Article 46 of the Financial Holding Company Act", "Regulations Governing FFHC's and Subsidiary Companies' Credit Extension to and Transactions with Stakeholders", and "Table of Maximum Risk Undertaking for Subsidiary's Credit Extension to/Investment in Same Individual, Same Related Party, or Corporate Credit Extension to the Same Conglomerate".

After taking business plans and risk profiles into account, we would set our risk appetite in accordance with the amount and level of risks we are willing and able to accept or assume. Aside from referencing reliable risk quantitative data, we would also incorporate past experiences and decision makers' macro vision. The Group's risk appetite is presented in two ways. The first is its CAR target, and the other one is risk limits (including credit risk, market risk and operational risk).

First Financial Holding is subject to a full-scope examination by the Financial Examination Bureau, FSC once every two years, in addition to unscheduled targeted examinations. In particular, as the subsidiary bank has been designated as a domestic systematically important bank (D-SIB), it is required to file its CAR assessment results to the competent authority regularly. The competent authority also has more stringent demands with respect to the Bank's risk management process.

A. System upgrade - In response to the fact that the subsidiary bank has completed revision of its "Default Probabilities of Various Risk Grades in Corporate Finance", we have revised and added "Overdue Grades (W1 and W2), measurement methods and risk characteristics. The "Operation Directions for Credit Rating in Corporate Banking" and "Operation Directions for Grading in Specialty Financing" have also been amended accordingly.

B. Main risks - credit risks, market risks, interest rate risks, liquidity risks, insurance risks, operational risks, and emerging risks.

To enhance and ensure smooth operation of the Group's risk management mechanism and to establish a risk-oriented corporate culture, we would invite and round up various companies within the Group to discuss current financial events and related changes, evaluate and adjust various risk control indexes and frequencies, and host risk management seminars from time to time. In the meantime, we also leverage the complementary online e-Academy to help build a systemic risk awareness. We hope that each and every Group employee understands FFHC's risk culture and core ideas, and we also conduct related educational training in risk management for promoted employees on various levels. In 2024, a total of 1,190 employees completed 32.6 hours of in-person or online educational training in courses or tests relating to risk management. For those who had failed to pass the tests, we also conducted retraining and retesting until the pass rate reached 100%.

Additionally, as the formats of financial products and services have become increasingly diverse and complicated, transaction disputes and financial crimes are more likely to occur as a result. To help our employees fully understand related domestic and international regulations and avoid regulatory gaps, we conducted three hours of training titled "Corporate Governance Forum-Money Laundering Risks Associated with Emerging Technologies" in 2024. A total of 49 Group Directors and Supervisors attended the training.

The identification outcome of the Group's emerging risk includes "misinformation and disinformation created by AI" and "geoeconomic conflicts". The mitigation measures we have adopted to deal with the potential impact from such risks are indicated in the following table:

Digital networks and social media have been inundated with large amounts of misinformation and disinformation over recent years. With the rapid development of generative AI (referred to as GenAI hereafter), financial institutions have also gradually adopted it. Even though GenAI helps improve operational efficiency while providing diverse services, it is likely to entail personal data leaks, information security issues, and related legal risks. In addition, people may have concerns about truthfulness of the generated content, or whether information is made up. Some crime syndicates even use GenAI to impersonate as financial institutions to conduct fraud, undermining society's trust in the financial system while impacting financial institutions' risk management and reputation.

Whether it's Brexit, China's emphasis on self-sufficiency through internal demand and circulation, or Trump's tariff and trade war, they all represent the emergence of global protectionism, isolationism and deglobalization, as nations weaponize economy and limit products, knowledge, services or technology, in order to gain geopolitical advantages and solidify their sphere of influence. Therefore, enterprises and governments need to strengthen supply chain resilience and divert market risks, in an attempt to address uncertainties associated with geoeconomic risks.

The Company and its subsidiary bank, securities company, securities investment trust company and insurance company have all set up internal audit units that report to the Board of Directors. A general audit system has also been established, which audits and assesses the internal control system designed and executed using the first and second models as well as the effectiveness of the risk management system, based on an independent and non-partial spirit. It also offers timely improvement suggestions to reasonably ensure that the internal control system can continue to be effectively enforced. The suggestions also serve as a basis for reviewing and amending the internal control system. Furthermore, the internal audit units would continue to follow up on and re-examine review comments as well as audit faults identified by financial examination agencies and accountants, those submitted by themselves and business units, as well as items marked for further improvement in the internal control system declaration. The status of their follow-up audits and improvement, regularly submitted to the Board of Directors and Audit Committee in writing, serves as an important index for awarding or punishing related departments as well as performance assessments. The goal is to maintain the operation of an effective and appropriate internal control system.

To enhance the functionality of the second and third models such as regulatory compliance and internal audit and control, the Company would ask its various departments and subsidiary companies to be mindful, and review the completeness and effectiveness of related internal control regulations and control measures in its "Review Seminar for Improving Internal Control System Faults & Regulatory Compliance". The meeting focuses on the emphasis of financial examination noted by the Financial Supervisory Commission and the financial holding company's internal audit seminar, the annual examination emphasis announced by the Financial Examination Bureau, main faults identified in examinations of the financial industry, as well as the recent peers' fault patterns in penalty cases. The Company would ask various audit units to incorporate the aforementioned items in their annual audit focus, in order to implement the three models of internal control and facilitate sound management for the Company. To implement performance assessments, we would annually assess the results of related audit operations, including the subsidiaries' internal audit units and systems as well as their verification for internal audit and audit management, in accordance with the Company's assessment regulations governing the evaluation of subsidiary companies' audit operations. The results would be presented to the Board of Directors of each subsidiary as an important basis for the performance assessment of each audit unit.

With regard to the execution of the Company's 2024 internal audit operations and formulation of our 2025 audit plan, we would adopt a risk-weighted management approach, in addition to referencing the latest changes in regulations, the competent authority's updated examination focus, ratings for the internal control execution of various units (including subsidiaries), and the business characteristics of various units (including subsidiaries). In addition, the two models would supervise the examination outcome from the internal control system itself. After being reviewed by the audit units, the outcome, along with internal control faults and the improvement status of anomalies as identified by the audit units, would be used for evaluating the effectiveness of our overall internal control system. By doing so, we hope to consummate self-evaluation in the Group's internal control system. Additionally, subsidiary First Bank has implemented a risk-oriented internal audit system by establishing a series of risk-oriented methods and procedures to evaluate internal audits. This acts as a foundation for compiling audit plans to determine the frequency of internal audits based on the assessed risk level, thereby deploying audit resources with more effectiveness as well as reinforcing audit focus on critical risks.

In order to quickly pass the information on incidents and to grasp the timeliness of processing, the Company and its subsidiaries shall, when incidents occur, divide incidents into major incidents and general incidents according to the "FFHC Incident Reporting Guidelines", and according to the degrees of impact, divide them into three levels: A, B, and C and handle them in accordance with the "Incident Handling Notification Procedures", and follow the principles of notification, handling, follow-up, etc. prudently, so to effectively prevent the expansion of disasters and reduce the impact.

In addition, to promptly and effectively handle the business crisis of the Company and its subsidiaries (including the occurrence of bank run, robbery, theft, major malpractice, financial crisis, major investment failure, information crisis (including: data leakage, system interruption, etc.), fire, explosions, natural disasters, customer collective petitions and other major events or disasters), hoping to quickly pacify the incident or restore operations, and reduce the harm, the Company has formulated the "Crisis Response Principles for the Company and its Subsidiaries". When a crisis occurs, the business responsible unit shall promptly deal with it, and in addition to taking general contingency measures for its related business, it shall also adopt different contingency measures for business crises caused by various reasons. The Company shall set up a crisis management team when necessary, and the risk management department shall be responsible for the establishment of case files, convening meetings, case listing and tracking records, and reporting the case and handling process to the Company's supervisors at all levels at any time, until the incident subsides and the crisis is lifted.

To ensure uninterrupted operation for the financial system, and to provide people with reassuring, convenient and diverse financial services as the basis of innovative FinTech developments, the Company and its subsidiary bank, securities company and life insurance company implement and execute measures for information security and privacy protection. Please refer to the "Information Security and Privacy Protection" chapter for more details on related planning and execution status.