Sustainable Governance

Cathay Financial Holdings ("Cathay FHC," includes Cathay Life, Cathay United Bank "CUB," Cathay Century, Cathay Securities, Cathay Securities Investment Trust “Cathay SITE,” and Cathay Venture) is committed to maximizing value for our shareholders, customers, and employees and upholding our core values of "Integrity, Accountability, and Innovation." We align our business strategy with market conditions, leverage our financial competencies, drive digital transformation, and achieve group synergies in order to provide financial services that are comprehensive, convenient, and personalized. Cathay FHC will continue to focus on our three engines of growth – “Insurance + Banking + Asset Management,” and advance toward our vision of becoming a “leading financial institution in the Asia-Pacific region.”

At Cathay FHC, the board of directors serves as the highest decision-making body, with the chairman acting as its head. The chairman's role is to oversee the company's overall management operation and does not hold any senior leadership management positions. At Cathay FHC, the board of directors has established five functional committees: the audit committee, remuneration committee, corporate governance and nomination committee, risk management committee and corperate sustainability committee. These committees are responsible for reviewing important proposals. To effectively implement independent supervision and checks and balances, all proposals at Cathay FHC are reported and discussed by the board of directors. If there is a conflict of interest with the director or the institution he/she represents, the director shall recuse him/herself from the proposal discussion to maximize the benefit of all stakeholders.

At Cathay, we have established the "Guidelines for Remuneration of Senior Management." The purpose of these guidelines is to create long-term shareholder value, implement a role-based remuneration mechanism, and provide incentives to attract talented individuals. The guidelines set out standards for compensation and bonuses. The fixed compensation for senior managers is determined based on their roles, responsibilities, performance, and expertise. It is benchmarked against market standards. The variable element of senior management compensation is tied to the company's annual performance and the manager's achievement of personal targets. Both the fixed and variable parts of the compensation are established according to the "Guidelines for Remuneration of Senior Management." They are approved by the remuneration committee and the board of directors. To ensure fair and reasonable compensation for senior managers, Cathay conducts an annual remuneration competitiveness analysis and evaluates each senior manager's fixed compensation individually. Additionally, we review the "Guidelines for Remuneration of Senior Management" every three years and submit them to the remuneration committee and board for approval.

Cathay also seeks to bolster the corporate governance structure and ensure effective oversight over Cathay managers. This can further advance the company's operational capacity and serve as factors when determining remuneration, positions, rotations, and bonuses to managers. To such ends, Cathay FHC has developed the Performance Management & Development Guidelines for Cathay Managers to instruct managers to formulate personal performance targets according to annual company/department strategies, focuses, and goals; their positions and responsibilities (incl. internal control and compliance implementation results); and other spotlights for the year (e.g., Corporate Sustainability indicators). Their personal performance targets can ensure that Cathay managers' KPIs are tied to the company and their unit's strategic goals.For more information on remuneration of Cathay FHC’s CEO, please refer to 《2024 Cathay FHC's Report on Remuneration of the President 》

To link the interests of management and stockholders, Cathay FHC has set stock ownership guidelines for Cathay’s executive officers. Please refer to 《Cathay Financial Holdings Stock Ownership Guidelines.》

To ensure adequate bench strength at critical management levels and meet the talent needs for sustainable business operations, Cathay FHC has established a clear senior management succession plan that covers both planned and unplanned departures. It applies to all senior executives—including the President—and has built a comprehensive talent pool across every level. In evaluating potential successors, we consider not only their professional qualifications, experience, and leadership abilities, but also their fit with our corporate culture, familiarity with business operations, and grasp of subsidiary management. Through the Talent Development Committee, we review each level’s management talent in terms of performance, leadership potential, core competencies, and readiness of personal attributes. This enables us to maintain a robust succession pool and provide a full training and development framework for candidates at all levels. Beyond engaging top instructors and the latest learning resources—and designing programs that balance theory with practical application—we also broaden our leadership team’s business perspective and strategic insight through vertical (promotions) and horizontal (rotational) moves of internal talent. This further strengthens our bench for key management positions. These talent development initiatives are reviewed annually by the Board of Directors.

Cathay FHC has adopted “Policy and Code of Operation Integrity” We implement the following management mechanism to review the implementation status of ethical corporate governance:

Responsibilities, accountabilities, and reporting lines

The Company has established business integrity practices and preventions against dishonest conducts based on its “Policy and Code of Operation Integrity.” Preventions of dishonest conduct include operating procedures, behavioral guidelines, and training programs, for which the Company has implemented through a separate policy called “Operational Procedures and Guidelines of Ethical Corporate Management Best Practice.” The Company is bound to comply with The Company Act, Securities and Exchange Act, Business Entity Accounting Act, Political Donations Act, Anti-Corruption Act, Government Procurement Act, Act on Recusal of Public Servants Due to Conflicts of Interest and any laws that pertain to business conduct of TWSE/TPEX listed companies. These regulations shall provide the foundation for the Company's integrity management.

Furthermore, the Company’s directors, managers, employees, and controllers are prohibited from offering, committing, requesting, or accepting any illegitimate benefits, or involving in any conducts that would be construed as dishonest, illegal or in breach of trust, whether directly or indirectly, while carrying out their duties. All reported cases of violation against business integrity shall be thoroughly investigated by the audit unit; any established cases of misconduct will be referred to the Administration Department and disciplined according to the Company’s policies. The Company has created a “Sustainable Governance Panel” under the “Corporate Sustainability Committee,” the latter reports directly to the board of directors. The panel is responsible for corporate governance-related matters within the group, such as business integrity, anti-corruption, anti-bribery, and compliance; it reports progress regularly (at least once a year to) the board of directors. The board of directors of the Company will exercise the duty of care as prudent managers to supervise and prevent dishonest conducts and ensure that the integrity policy is duly enforced. Furthermore, the Audit Division is required to include compliance with the code of conduct as part of its audits, and report regularly back to the board of directors on any defects found and any steps taken to improve.

Dedicated help desks, focal points, ombudsman, hotlines

We have established clear reporting channels following our " Procedure for handling cases of reporting unethical or dishonest conduct" and the group's reporting mechanism. We have also established a response protocol to ensure that all reports are thoroughly investigated, and that the legal rights of whistleblowers and any other relevant personnel are protected throughout the process. We are committed to protecting the identity of whistleblowers and any other individuals involved in the investigation to prevent any potential retaliation or unfair treatment. In 2023, there were no reported cases of insider trading, antitrust, monopoly, and market manipulation violations.

Channels for Reporting Cases

(1) For cases that involve crimes, frauds or violations of laws, our employees may report via the Cathay FHC group-level Whistleblower System in the forms of mail, email or telephone, which is publicly disclosed on our Chinese official website:https://www.cathayholdings.com/holdings/compliance/whistleblowing_system

(2) For incidents that involve sexual harassment or other violations of the principle of gender equality, our employees may report via Cathay FHC’s sexual harassment and gender equality violation complaint channels.

(3) For other issues not mentioned above, our employees can reach out to the human resources department.

Compliance/codes of conduct linked to employee remuneration and performance appraisal systems

The results of internal control implementation and compliance implementation are integrated into the performance evaluation criteria for managers and employees. This approach aims to link employee remuneration and performance assessment with the effectiveness of our risk management system, ensuring its robust operation.

Disciplinary actions in case of breach

Cathay FHC encourages both internal and external personnel to report any dishonest or inappropriate behavior. The relevant reporting channels and handling procedures are managed according to the Company's " Procedure for handling cases of reporting unethical or dishonest conduct." If the reported misconduct is found to be true, it will be used as a reference for adjusting employee salaries, positions, and issuing bonuses according to the relevant regulations.

Furthermore, Cathay FHC “ Declaration of Sustainability Values” clearly states that “The Company strictly prohibits any behavior or events that violate professional ethics. If there is a violation of the laws of a country or of the Company’s Code of Ethics, such breaches will be subject to impartial treatment without tolerance.”

Compliance system audited by third party

Cathay FHC engages third-party auditors to review the company's codes of conduct and compliance systems for enforcing these codes, including tracking and reporting of breaches. Auditors then provide an opinion statement based on their review. Please see" Cathay FHC Systems & Procedures of Codes of Conduct Audit Opinion Report ".

Conduct regular self-evaluations and review for unethical risk behavior

We conduct an annual ethical management risk assessment. Items evaluated include offering or accepting improper benefits (offering/accepting bribes), illegal political contributions, unethical charitable contributions, violation of recusals, violation of stakeholder interests, violation of intellectual property rights and information confidentiality, etc. If the review identifies existing or potential unethical behavior, corrective and remedial action must be taken immediately.

We conducted the unethical conduct risk assessment for 2024 in 2025 and presented the assessment results to the board.

Training

Employee ethics and code of conduct training is a required annual course. The training lasts one hour. The training completion rate for 2024 was 100%.

Cathay FHC has established clear reporting channels following our “Procedure for handling cases of reporting unethical or dishonest conduct” and the group’s reporting mechanism. We have also established a response protocol to ensure that all reports are thoroughly investigated, and that the legal rights of whistleblowers and any other relevant personnel are protected throughout the process. We are committed to protecting the identity of whistleblowers and any other individuals involved in the investigation to prevent any potential retaliation or unfair treatment. In 2023, there were no reported cases of insider trading, antitrust, monopoly and market manipulation violations. Please see Cathay FHC 2024 CS Report Chapter 4.1 Workplace Empowerment for discrimination or harassment and Chapter 6.5 Service Quality & Customer Rights for customer privacy data cases.

Improvement Measures for Breaches

Discrimination or Harassment

Cathay supports a workplace of equality and inclusion. To prevent workplace discrimination and harassment, we instituted the "Regulations for Establishing Measures of Prevention, Correction, Complaint and Punishment of Sexual Harassment at Workplace" and set up a dedicated sexual harassment mailbox and the Sexual Harassment Grievance and Investigation Committee to investigate reported instances of sexual harassment. If the report is found to be true, the accused will be subject to disciplinary action in accordance with company policy, while the victim will receive all necessary support, including psychological counseling. Other colleagues will be asked to increase their education and training on sexual harassment to prevent such incidents in the future. In 2024, there were nine reported cases of sexual harassment or gender equality violation, all of which were appropriately addressed based on the procedures outlined.

Customer Privacy Data

In 2024, a total of 199 customers were affected by the 18 personal data breaches. Upon further investigation, the incident was found to be due to individual negligence during information communication and email delivery by a financial advisor and sales representative. The matter has since been properly handled with the understanding of the parties involved. Cathay Financial Holdings will continue to promote employee training and enhance internal awareness to ensure that all personnel fully recognize the importance of personal data protection. We will also continue to strengthen and monitor the use of customers’ personal data, improve relevant protection measures, and supervise third-party partners to properly manage customer information, in order to reduce the occurrence of data leakage incidents.

Money Laundering or Insider trading

In 2024, there were one reported cases of insider trading. Cathay Financial Holdings requires all employees to comply with the Securities and Exchange Act and relevant regulations. Employees are strictly prohibited from engaging in insider trading by using undisclosed information about the company or its clients, or any other information that may have a material impact on securities trading prices. Additionally, employees must not directly or indirectly disclose such information to others to prevent its misuse for insider trading.

Cathay FHC submits “Notes on Reporting of Insider's Equity Change in the Company” when the insiders such as directors, managers and others take office to comply with it, so as to avoid violations or occurrences of insider transactions. In addition, Cathay FHC also files the "Director's Manual" and the "Compliance Brochure for Directors and Supervisors of TWSE/TPEx-Listed and Emerging Market Companies", "Directions of Securities Market Regulatory for the TWSE/TPEx-Listed company and its directors, supervisors and major shareholders" and "Compliance Brochure for Independent Directors" and other information which are compiled by the Taiwan Stock Exchange Corporation when the Directors take office to assist Directors in understanding the laws and regulations related to securities transactions and listing rules and other relevant reporting matters and legal responsibilities

In addition, in order to standardize the procedures of disclosure and management mechanisms of Cathay FHC and its subsidiaries’ material information, Cathay FHC established “Guidelines/Regulations of Disclosure of Cathay FHC and its subsidiaries’ Material Information ”and “Regulations of Press Conferences Concerning Material Information of Cathay FHC and its subsidiaries” by referring to the“ Taiwan Stock Exchange Corporation Procedures for Verification and Disclosure of Material Information of Companies with Listed Securities”. Through disclosing those rules mentioned above in the rules and regulations zone of Cathay FHC’s internal website, personnel throughout all levels of the Company can enquiry at any time, so as to avoid violating or occurring insider trading.

Cathay FHC also has stipulated “Policy and Code of Operation Integrity”, “Procedures and Guidelines of Integrity Management Operation”, “Code of Ethics” and “Code of Conduct of Employees”, all of which contain the relevant provisions of “Prohibition of Insider Trading”. Cathay FHC holds educational trainings annually for directors, managers, and employees on the "Code of Integrity, Ethics, and Conduct." The 2023 education training was completed in December 2023 with 668 participants for a total of 668 person-hours.

For understanding and complying Cathay FHC’s "Policy and Code of Operation Integrity", " Procedures and Guidelines of Integrity Management Operation" and "Code of Ethics", the Company submits those rules and policies to the Directors, and publishes on the internal educational training platform for employees to check at any time. Besides to the prohibition of insider trading, the educations and trainings include the contents and cases of anti-money laundering, prohibition of getting gifts and hospitality, participation in public affairs, political contributions, etc.Cathay FHC has notified the directors not to trade the company's stocks during the closed period of 30 days before the announcement of the annual financial report and 15 days before the announcement of the quarterly financial report in accordance with " The Policy of Prevention of Insider Trading ". The date when the financial report is scheduled to be submitted to the board of directors and the closed period of the company's stock trading are notified to the directors to follow, so as to prevent the directors from violating The Policy.

Board level responsibility

Effective August 16, 2025, the scope of the Risk Management Committee was expanded to include information security, and it was renamed the “Risk Management and Information Security Committee.” The Committee comprises three independent directors appointed by the Board of Directors.All members have expertise in “risk management” and “corporate governance”, and all members have the professional skills required by the committee, and its responsibilities include:

(1) Review the Company’s risk management and information security policies and guidelines.

(2) Review the Company’s annual risk appetite or limit that needs to be approved by the Board of Directors.

(3) The Risk Management Department reviews the Company’s risk management practices and reports to the Board of Directors on a quarterly basis.

(4) Review the Company’s information security implementation status, which shall be consolidated by the Information Security Division and report to the BOD on an annually basis;

(5) Review of other risk management and information security related proposals to be reported to the Board of Directors.

(6) Carry out other matters as instructed by the Board of Directors to be handled by the Committee.

(For more details, please see:https://www.cathayholdings.com/holdings/eng/governance/committee/risk_management)

Three Lines of Defense Model

To implement robust risk management and internal control, Cathay FHC utilizes the Three Lines of Defense model to manage, monitor, and audit operational risks through structured processes and management frameworks:

(1) First line of defense: Operational and management units ensure that operating risks are effectively controlled and responded to.

(2) Second line of defense: The independent Risk Management Division, Compliance Department, and Information Security Department assist with risk system planning, assessment, management , and monitoring. Supervision and management is provided by senior management, including the Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Chief Information Security Officer (CISO), as well as the Risk Management Executive Committee and Information Security Committee.

Risk Review

The Company's main sources of risk can be categorized as market risk, credit risk, operational risk, liquidity risk, insurance risk, capital adequacy management, emerging risk, ESG and climate risk, and credit risk. Risk identification is carried out through the following methods：

(1) Impact and likelihood：Cathay FHC identifies and evaluates risks based on qualitative and quantitative assessments of their potential impact and likelihood of occurrence. This process prioritizes the material risks and assesses their potential effects on business operations, forming the basis for corresponding mitigation measures.

(2) Stress testing and sensitivity scenario analyses: In the context of market and credit risk, Cathay FHC regular conducts stress testing by performing sensitivity scenario analysis under various scenarios.

(3) Risk appetite：The Risk Management Division defines the company’s overall risk appetite based on its capacity to absorb risk and other relevant risk control factors. The risk appetite is then approved by the Board and serves as the foundation for subsequent risk assessment and response. Additionally, Cathay reviews its risk appetite annually and reports the findings to the Risk Management Committee and the Board of Directors. Based on this risk appetite, Cathay FHC sets limits and thresholds for different risk types and regularly monitors and manages key risk indicators. When these indicators reach or exceed specified risk levels, appropriate risk mitigation measures are developed and implemented.

Risk Exposure

Cathay FHC conducts monthly monitoring of group-wide exposures and risk indicators. On a quarterly basis, the results of risk management activities are reported to the Risk Management Committee and the Board of Directors to ensure effective oversight and management of the group’s overall risk level. For examples of market and credit risk exposure monitoring.

(1) Market Risk: Regularly assesses and monitors value-at-risk (VaR) and conducts sensitivity analyses of positions to strengthen market risk management.

(2) Credit Risk: Periodically reviews group-wide concentration limits—such as by country, industry, or corporate group—to effectively monitor and manage concentration risk.

Risk Management Process Audit

(1) Internal audit：The Company has developed an effective internal control system. Internal audit units are required to perform audits on employees’ compliance with the above system, including general audits at least once a year, and special audits on finance, risk management and compliance for the Company and subsidiaries at least once every six months. Half-yearly special audits can be exempted if the general audit already covers the scope of the special audit and no major defect is found.

(2) External audit：Cathay FHC engages third-party auditors every two years to review the methods, tools, and processes for identifying, assessing, controlling, monitoring, and reporting major risks. Auditors then provide an opinion statement based on their review. Please see "Cathay FHC Risk Management Process Audit Opinion Report."

Regular risk management education for all non-executive directors

To enhance the group’s overall risk awareness and management capabilities, Cathay FHC provides annual risk management training programs for all directors, including executive and non-executive members. The programs are designed to enhance the directors' understanding of current risk developments and strengthen their governance responsibilities. In 2024, Cathay FHC conducted a series of training courses covering the following topics: Cathay FHC’s risk management framework and operations, operational risk incident reporting mechanisms, business continuity management and emergency response to wartime scenarios, climate change risk management, and emerging and evolving risk landscapes.

Additionally, diverse course information from various training institutions is periodically provided to the directors, allowing them to evaluate and arrange corresponding courses based on their professional backgrounds and needs. The courses cover fields such as risk management, corporate governance, and information security, etc. According to “Directors’ and supervisors’ ongoing education in 2024” in Annual Report P.47-52. Non-executive directors of Cathay FHC have all received education and training related to risk management, trainings included “Analysis of geopolitical judgments and Taiwan Strait security situation”, “Internal ratings-based (IRB) for credit risk”, “Promoting corporate sustainability through risk management”, and “AI and the open source era - analysis of corporate legal risks”, etc.

Focused training throughout the organization on risk management principles

The Company mandates annual general education courses on risk management for all employees of Cathay FHC and its subsidiaries. In 2024, the completion rate reached 100%.

Incorporation of risk criteria in the development of products and services

Cathay FHC places significant emphasis on the potential risks during new product development. Relevant management mechanisms are established both before and after the product launch, ensuring compliance with regulatory standards and adherence to the principles of treating customers fairly. This approach aims to mitigate financial, regulatory, and operational risks. For example, in the case of life insurance products developed by Cathay Life:

(1) Financial Risk: Each year, profit standards and sales limits for products are set based on the company’s overall risk appetite. Before product launch, the profitability is assessed to ensure it meets these standards. Afterward, sales volume and claims experience are continuously tracked to ensure that expected profitability is achieved.

(2) Regulatory Risk: In accordance with the "Regulations Governing Pre-sale Procedures for Insurance Products" and the "Guidelines for the Review of Life Insurance Products" issued by regulatory authorities, products are submitted to the Insurance Product Review Committee (convened by senior executives) for review before being submitted for regulatory approval. Qualified product signatories, including actuaries, risk managers, legal advisors, underwriters, claims, policy administration, and investment personnel, review the product for legal compliance.

(3) Operational Risk: Before the sale of any insurance product, senior executives convene the Insurance Product Management Committee meeting to ensure the appropriateness of various aspects such as information disclosure, actuarial data alignment and verification, information system setup and testing, risk control mechanisms, reinsurance arrangements, and sales channel training. Additionally, post-sale, the Insurance Product Management Committee meets every six months to review compliance with relevant regulations, consumer rights protection, asset-liability adequacy, and sales quota tracking, thereby reducing the likelihood of operational risk occurrence.

Financial incentives which incorporate risk management metrics

Cathay FHC regularly identifies and assesses material risks confronting the company's future with the help of reports from authoritative organizations and benchmark companies, and then determine mitigating actions. In 2024, we identified material and emerging risks in the areas of climate transition risk, AI risk, and social isolation and loneliness risk. Cathay FHC evaluates the potential impact the risks may pose on the company's operation and establishes the mitigating actions.

The effectiveness of risk management for issues such as climate transition, AI, and social isolation and loneliness is incorporated into the KPIs of the senior executives of the responsible units and is directly linked to their variable compensation.

Facing the increasingly complex global financial operating environment, as well as the increasing issues such as technological development and population aging with rising probability of occurrence. In response, Cathay FHC regularly identifies and assesses material risks confronting the company's future with the help of reports from authoritative organizations and benchmark companies, and then determine mitigating actions. The risk exposure and risk management system are then presented to the Risk Management Committee and the Board of Directors. Cathay FHC evaluates the potential impact the risks may pose on the company's operation and establishes the mitigating actions.

In compliance with the “Financial Cyber Security Action Plan” promoted by the Financial Supervisory Commission (FSC) of Taiwan, Cathay Financial Holdings Co., Ltd. (Cathay FHC) continues to strengthen its information security and protection capabilities to deliver secure, convenient, and uninterrupted financial services. Cathay FHC and its key subsidiaries have established Chief Information Security Officers or dedicated information security units as required by regulations. These units are responsible for planning, monitoring, and implementing information security management operations, and report on the previous year’s information security performance to the Board of Directors annually.

Active Corporate Governance Measures To enforce human rights protection, Cathay FHC complies with local laws and regulations for human rights protection across all business locations and also formulated the "Cathay FHC Human Rights Policy" in compliance with international frameworks, including the UN's "Universal Declaration of Human Rights," "Guiding Principles on Business and Human rights," "United Nations Global Compact," and the International Labour Organization's regulations.

Cathay employees are also asked to comply with the "Code of Conduct for Employees" and shall not discriminate or infringe on the human rights of others. To ensure all employees understand and comply with the policies above, Cathay conducts training on the "Code of Conduct for Employees" and regulatory compliance each year. In 2022, all employees received and completed training on the "Code of Conduct for Employees." Complaint/Reporting Channels