Group Internal Control Policy
Code of Ethics Employee Code of Conduct Group Financial Consumer Protection Charter Group Internal Control Policy The Fair Advertising Policy The Fair Debt Collection Policy Anti-Corruption and Bribery Policy Reporting System and Policies for the Protection of Whistle blowers AML/CFT Policy

Group Internal Control Policy
Woori Financial Group

Chapter 1 General Provisions

Article 1 (Purpose)

The purpose of this policy, in accordance with Article 24 of the「Act on the Corporate Governance of Financial Companies」, is to set forth the standards and procedures with which executives and employees must comply when performing their duties in order to ensure that the affiliates and subsidiaries of Woori Financial Group Inc. (“the Holding Company”) (,which refers to the definition provided in Article 4(1)2 of the「Financial Holding Companies Act, including subsidiaries, sub-subsidiaries and those controlled by sub-subsidiaries; the Holding Company and all the subsidiaries altogether to be referred to as “the Group” hereinafter; those belonging to the Group to be referred to as “the Group’s affiliates” hereinafter) comply with the laws/regulations, conduct sound management, and protect the shareholders and stakeholders.

Article 2 (Definitions)

The terms used herein shall have the meanings set forth below. The meaning of any terms not defined in this policy shall be subject to the relevant laws, such as the 「Act on the Corporate Governance of Financial Companies」, the 「Financial Holding Companies Act」, etc. 1. “Internal Control Standards” refers to the standards and procedures to be complied with by executives and employees of the Group’s affiliates in order to observe the relevant laws/regulations, conduct sound management, and protect shareholders and stakeholders. 2. “Internal control” refers to having the executives and employees of the Group’s affiliates observe the Internal Control Standards in carrying out their business and to providing them with guidance and supervision so as to ensure their observance. 3. “Internal Control System” refers to a system such as the governance structure, policy, etc. designed to ensure that the executives and employees of the Group’s affiliates observe the Internal Control Standards 4. “Compliance Officer” refers to the officer who is responsible for examining whether the executives and employees of the Group’s affiliates observe the Internal Control Standards, and is also responsible for conducting an investigation and reporting the findings to the Board Audit Committee in the event of a violation. 5. “Internal Control Manager” refers to the officer responsible for assuming the role of the Compliance Officer at the Group’s subsidiaries, which are not required to appoint one under the relevant laws.

Article 3 (Scope of application; entrustment)

① This Policy shall apply to all executives and employees of the Group’s affiliates. With regard to matters related to the Group’s internal control, this policy shall take priority in application unless otherwise stipulated in the relevant laws.② The internal policies (except for the Articles of Incorporation) of the Group’s affiliates shall correspond to this policy. Where their internal policies and this policy conflict with each other, this policy shall prevail.③ Detailed matters required for the execution of this policy shall be set as the Group’s affiliates’ internal policies and business procedures, etc.

Article 4 (Enactment/amendment)

① In cases where this regulation is established or amended, the resolution of the Board of Directors (“BoD”) is required after deliberation by the Board Audit Committee.② Notwithstanding the foregoing ①, where this policy require simple changes of phrases due to an amendment to the relevant laws or internal policies or a change in the organization without changes in the substantial contents, the Holding Company’s Compliance Officer may amend it and then report it to the BoD.

Chapter 2 Internal Control Organization and Its Role

Article 5 (Allocation of business; organizational structure)

① The Group’s allocation of business and its organizational structure shall be designed in a way that clarifies the roles and responsibilities of the executives and employees, ensures business efficiency, and provides mutual checks and balances among jobs.② The Holding Company shall check the adequacy of the subsidiaries’ organizational structure, and where such check determines that their organizational structure does not correspond to the principle stated in the foregoing ①, the Holding Company may request or recommend the subsidiaries to improve their organizational structure.③ The Holding Company shall conduct business concerning subsidiaries’ management and business ancillary to it (“business concerning subsidiaries’ management, etc.”) within the scope permitted by the 「Financial Holding Companies Act」, Article 15 and the Enforcement Ordinance of the said Act, Article 11. The Holding Company shall set the internal standards concerning the execution of business concerning subsidiaries’ management, etc.④ The Holding Company and its subsidiaries shall establish a command and reporting system to ensure efficient execution of business concerning the subsidiaries’ management, etc.⑤ In carrying out business concerning subsidiaries’ management, etc., the Holding Company may give advice, recommend remedial steps, and request the submittal of relevant materials by the subsidiaries, and the latter shall comply with such request in good faith.⑥ In the event that the Holding Company’s executives and employees damage the subsidiaries’ management soundness or cause them to fall foul of the financial laws/regulations in carrying out business concerning subsidiaries’ management, etc., they shall be responsible for the consequences of such damage etc.⑦ When conducting business concerning subsidiaries’ management, etc., the Holding Company shall engage in smooth communication with the Group, listen to the opinions of the relevant subsidiaries concerning matters that require their cooperation, or mediation of interest with them, etc.

Article 6 (Internal control organization)

The Holding Company’s internal control organization shall be composed of the BoD, CEO, Internal Control Council, Compliance Officer, etc.

Article 7 (BoD)

① The Holding Company’s BoD shall set the standards for the establishment and operation of the Internal Control System of the Group, and each subsidiary’s BoD shall set the standards for the establishment and operation of its Internal Control System.② The BoD of each of the Group’s affiliates shall take final responsibility for the respective subsidiary’s internal control, approve the management strategy or policy that has an impact on internal control, and make decisions on major matters related to internal control, such as the Internal Control Standards, Internal Control System, Code of Ethics, etc.

Article 8 (CEO)

① The Group’s affiliate’s CEO shall establish and operate its Internal Control System according to the standards set by its BoD.② The CEO stated in the foregoing ① shall foster the company’s internal control environment, including the establishment of the relevant organizational structure for adequate operation of the company’s Internal Control System, and review the efficacy of the system in consideration of changes in the business environment.③ The CEO stated in the foregoing ① shall actively provide human/material resources to ensure more efficient execution of internal control.④ The CEO stated in the foregoing ① shall check the operational status of the company’s Internal Control System at least once a year either personally or through the Compliance Officer or Internal Control Manager, and report the results to the company’s BoD.

Article 9 (Internal Control Committee)

① Each of the Group’s affiliates [if it falls under the category of a financial business stipulated in Article 19(2), 「Enforcement Decree of the Act on the Corporate Governance of Financial Companies」– The same applies whenever “affiliates” appears in this Article 9] shall operate its own Internal Control Council to discuss matters related to internal control.② The Internal Control Council shall designate the CEO as its Chair. Its members shall include the Compliance Officer, Risk Manager and other executive officers related to internal control designated by the CEO.③ The Internal Control Council shall carry out the following roles.1. Share the results of checks of internal control; review methods of improvement, including having the results reflected in evaluations of executives and employees.2. Check internal control-related vulnerabilities, including vulnerabilities related to financial incidents and devising methods of dealing with them.3. Discuss major matters related to internal control.4. Strive to enhance executives and employees’ sense of ethics and compliance.④ The Internal Control Council shall report the contents discussed at its sessions to the Board Audit Committee through the Compliance Officer.⑤ The Internal Control Council shall hold its session at least once each half year and keep meeting minutes that record the results of each session.⑥ Other details about the composition and operation of the Internal Control Council shall be fixed by the CEO.

Article 10 (Compliance Officer)

① The Compliance Officer of each of the Group’s affiliates’ (including the Internal Control Manager – The same applies whenever the title “Compliance Officer” appears hereunder) shall check the status of the company’s observance of the Internal Control Standards and manage its internal control-related business, including the investigation of violations of the Internal Control Standards.② Where matters requiring improvement are identified as a result of the check stated in the foregoing ①, the Compliance Officer may ask the company to take the appropriate action and report the results of an investigation of a violation of the Internal Control Standards to the CEO and the Board Audit Committee if deemed necessary. ③ The Compliance Officer may set and execute specific guidelines within the scope of the Internal Control Standards. ④ The Holding Company’s Compliance Officer shall have general control of the Group’s Internal Control System. In this regard, the compliance-related command/reporting system shall be established between the Holding Company and its subsidiaries, and shall include an arrangement for the latter’s Compliance Officers to report periodically to the Holding Company’s Compliance Officer.

Article 11 (Executive officers and employees)

① Executive officers (except for the CEO, external directors, non-standing directors, and Compliance Officer) shall be in general control of internal control-related matters concerning the relevant organization/business in their charge, including checks to verify the status of compliance with the Internal Control Standards.② The Group’s executives and employees shall, when performing their duties, fully understand their respective roles and comply with the relevant laws and regulations, internal policies, and Code of Ethics, etc.

Chapter 3 Operation of the Internal Control System

Article 12 (Compliance procedure in carrying out business)

① The executives and employees of the Group’s affiliates shall strive to set good examples for others to follow in the establishment of fair financial order by observing the relevant laws and regulations in carrying out their business. They shall fulfill their roles and responsibilities as members of the Group’s affiliates with a view to attaining the Group’s vision, objectives, and management strategies.② Each of the Group’s affiliates shall set the procedure, method, and standards to be observed, and the matters to be noted, etc. in its internal policies, etc. so that its executives and employees may fulfill their roles and responsibilities as stated in the foregoing ① and ensure that the contents of its internal policies, etc. are conveyed effectively to its executives and employees.③ Each of the Group’s affiliates shall establish education programs designed to ensure that its executives and employees understand the purpose of the laws and policies related to prohibitions and obligations and hold educational sessions as and when required.④ The Holding Company may check whether the Group’s executives and employees fulfill their roles and responsibilities as stated in the foregoing ① in good faith according to its internal policies, etc. and may take any necessary steps depending on the results of the check.

Article 13 (Communication of information and opinions)

① Each of the Group’s affiliates shall establish a system for communicating information and opinions in order to ensure that the Group’s vision, strategies, and core values are shared with other affiliates and their executives and employees.② The system of communication stated in the foregoing ① shall be designed in a way that ensures prompt and accurate delivery of the company’s financial and management information to all its organizations, executives and employees within the scope permitted by the relevant laws and regulations.③ Where the system of communication stated in the foregoing ① is established in the form of an electronic information system, each of the Group’s affiliates shall devise a thorough security system and establish adequate emergency measures.④ The Holding Company may take adequate steps as and when required, including the improvement of any deficiencies, regarding the establishment of the communication system and its invigoration as stated in the foregoing ① and ③.⑤ Communication between the Holding Company and its subsidiaries concerning matters about the subsidiaries’ management, etc. shall be carried out efficiently and responsibly.⑥ The Holding Company’s communication about matters concerning the subsidiaries’ major management-related decisions shall be transmitted in the form of an official document (including an e-Document officially recognized by the Group).⑦ The Holding Company shall come up with specific contents of matters to be delivered in an official document as per the foregoing ⑥.

Article 14 (Ascertainment of compliance with the Internal Control Standards)

The Compliance Officer of each of the Group’s affiliates shall set the scope and cycle for checks of the company’s compliance with the Internal Control Standards in consideration of the importance of the business and risks involved, and shall check the status of compliance with the Internal Control Standards accordingly.② Subsidiaries’ Compliance Officers shall report the results of checks stated in the foregoing ① to the Holding Company’s Compliance Officer.③ The Holding Company’s Compliance Officer may ascertain the contents of the report stated in the foregoing ② by getting in touch with the company him/herself or through the internal audit department if required upon checking the contents.

Article 15 (Violation of the Internal Control Criteria)

① Upon detecting a violation of this policy or a subsidiary’s Internal Control Standards, the Compliance Officer of the subsidiary concerned shall report the facts immediately to the Holding Company’s Compliance Officer, whereupon the latter may ascertain the facts of the matter and report the result to the Board Audit Committee and the CEO.② Upon detecting a violation of the Internal Control Standards by an executive(s) or employee(s) of the Holding Company, the Holding Company’s Compliance Officer may investigate the matter and report the result to the Board Audit Committee and the CEO.③ Where it is judged that the Internal Control System needs to be improved as a result of the Holding Company’s Compliance Officer’s ascertainment or investigation as per the foregoing ① and ②, the Holding Company’s Compliance Officer may request the subsidiary or the relevant departments to improve such deficiencies, and the subsidiary or the relevant departments shall comply with such request.④ In the event of an urgent situation, including the expectation of serious losses due to an executive or employee’s perpetration of an illegal act which constitutes a serious violation, the Compliance Officer of the group affiliate concerned may request a suspension of service of the executive or employee and report the matter to the company’s CEO.⑤ Matters pertaining to executives and employees’ violations of the Internal Control Standards shall follow the company’s internal policies.

Article 16 (Pre-consultation, etc.)

① Where it is necessary to judge whether a case constitutes a violation of the Internal Control Standards while carrying out business, the executives and employees of one of the Group’s affiliates shall consult with the company’s Compliance Officer. In this regard, the details of what is subject to the pre-consultation and other procedures shall follow the company’s internal policies.② Each subsidiary’s Compliance Officer may contact the Holding Company’s Compliance Officer if necessary for pre-consultation concerning what is stated in the foregoing ①.③ Each of the Group’s affiliates shall establish a procedure that allows executives and employees to obtain adequate support and advice concerning questions related to the laws and regulations that arise while conducting company business.

Chapter 4 Internal Control-related Matters to Be Observed

Article 17 (Ethical management)

The Group’s affiliates shall enact their own Code of Ethics and encourage their executives and employees to comply with the Code and deepen their sense of ethics.

Article 18 (Acting in good faith)

The Group’s executives and employees shall fulfill their obligations in good faith concerning protection of the property of customers, shareholders, and their company while conducting company business.

Article 19 (Prohibition of concealing or covering up violations of the laws and regulations)

The Group’s executives and employees shall not attempt to cover up the facts about their or other employees’ violations of the laws and regulations during the execution of company business.

Article 20 (Confidentiality of financial transactions)

① The Group’s executives and employees shall not disclose information or materials about customers’ financial transactions to a third party without obtaining their prior consent, unless otherwise stipulated in the relevant laws and regulations.② The Group’s executives and employees shall manage financial consumers’ credit information so as to ensure that the information is accurate and up-to-date at all times and shall not dishonestly use such information, nor shall they disclose such information to any third party unless otherwise required by the relevant laws and regulations.

Article 21 (Confidentiality obligation, etc.)

① Each of the Group’s affiliates shall protect the secret information of the company or its customers under the relevant laws and regulations, this policy, and the company’s internal policies.② The Group’s executives and employees shall not ask other executives and employees to provide them with or allow them to access secret information as stated in the foregoing ① [regardless of the form of recording (e.g. memo, document, electronic file, etc.)] that is not related to their business.③ The Group’s executives and employees in charge of the management and use of secret information as stated in the foregoing ① shall not accept any request for the provision of, or access to, such information, and shall manage it strictly by distinguishing it from ordinary information.

Article 22 (Prevention of unfair acts)

① The Group’s executives and employees shall not (let others) engage in transactions of a financial investment instrument (stipulated in Article 3 of the 「Financial Investment Services and Capital Markets Act」 – The same applies whenever “financial investment instrument” appears in this document.), using information or materials (including information or materials received from other executives and employees) remaining undisclosed that they come to know while conducting company business.② The procedures and standards for reporting the details of transactions of a financial investment instrument designed to prevent the Group’s executives and employees from perpetrating unfair acts shall be fixed in the internal policies of each company.③ With regard to the foregoing ②, the Holding Company shall set the following.1. Matters pertaining to each subsidiary’s Compliance Officer’s report to the Holding Company’s Compliance Officer.2. Matters pertaining to the right of each affiliate’s Compliance Officer about steps that he/she can take concerning executives and employees’ unfair acts.④ The Group’s executives and employees shall not engage in any act that is feared to disturb the order of financial transactions, including restrictions on customers’ use of funds or deposits, etc. or acts that unjustly infringe customers’ rights and interests, unless otherwise stipulated in the relevant laws and regulations.⑤ The Group’s executives and employees shall not engage in unsound business acts by abusing their superior position or by making exaggerated claims or advertising false facts in a transaction with customers or other interested parties.

Article 23 (Prevention of money laundering)

① The Group’s affiliates shall operate a system for assessing money laundering risks that engages in differentiated level of management based on the level of risks through identification, analysis, and assessment of risks of money laundering and financing of terrorism (“money laundering, etc.”) included in financial transactions as stipulated in Article 2 subparagraph 2 of the 「Act on the Reporting and Using Specified Financial Transaction Information」and the Utilization Thereof, etc.② The Group’s affiliates shall operate an independent audit system, in which a department that is independent of the department carrying out business for the prevention of money laundering, etc. or an external expert reviews and assesses the adequacy and effectiveness of the business execution and attempts to improve any problems identified.③ The Group’s affiliates shall engage in the identification, education/training of executives and employees lest they should be involved in money laundering or be used in such an act.④ Other matters pertaining to the prevention of money laundering shall be fixed by the company’s CEO.

Article 24 (Identification, evaluation and management of conflicts of interest)

① The subsidiaries shall hold educational sessions and/or provide guidelines designed to enable executives and employees who engage in business in which conflict of interests may arise to understand the nature of conflicts of interest between customers and the company or between different customers.② The subsidiaries’ executives and employees shall assess the possibility of conflicts of interest between customers and the company or between customers concerning the business conducted by them. In such a case, the protection of customers shall be given top priority.③ The subsidiaries’ executives and employees shall provide information on the possibility of conflicts of interest and take the necessary measures to reduce the possibility of a conflict of interest as much as possible based on the results of assessment as stated in the foregoing ② before conducting the relevant business. In cases where it is difficult to reduce the possibility of a conflict of interest, they shall inform the customers thereof and stop the business.④ Where the subsidiaries’ executives and employees intend to take steps or provide information as stated in the foregoing ③, they shall consult with the company’s Compliance Officer. Where they are required to take steps promptly as required by the business handling procedure, they may take the necessary steps first and then inform the Compliance Officer thereof.⑤ The subsidiaries shall establish an adequate procedure for the prompt processing of matters such as conflicts of interest with customers, investors’ complaints, or their disputes with employees.

Article 25 (Evaluation/management of executives and employees’ holding of dual office and business entrustment)

① Departments whose executives and employees hold dual office or are entrusted with business of the Group’s affiliates shall assess whether such executives and employees fall under any of the following.1. Potential to hamper management soundness.2. Potential to cause conflicts of interest with customers.3. Potential to hamper the stability of the financial market.4. Potential to disturb the order of financial transactions.② Where the Group’s affiliates allow executives and employees to hold dual office or entrust them with business, they shall establish standards for preventing violations of the relevant laws and regulations.③ The subsidiaries shall report the status of assessment and operation stated in the foregoing ① and ② to the Holding Company’s relevant department, which shall manage it adequately.④ Where it is judged that the assessment, operation or management stated in the foregoing ① through ③ is not performed adequately, the Holding Company’s Compliance Officer may ask the subsidiaries or the relevant department to take remedial steps.

Article 26 (Matters to be observed concerning the joint use of branches, etc.)

① Where the Group’s affiliates jointly use such facilities as office spaces, branch office spaces, or computer systems, they shall establish measures to prevent conflicts of interest between them and to protect the customers.② The subsidiaries shall report the status of operation stated in the foregoing ① to the Holding Company’s relevant department, which shall manage it adequately.③ The Holding Company’s Compliance Officer may check the measures stated in the foregoing ① and the adequacy of the management stated in the foregoing ②. Where it is judged that the measures taken to protect the customers and prevent conflicts of interest between affiliates are insufficient, the Officer may ask the subsidiaries or the relevant department to take remedial steps.

Article 27 (Sharing of customer information)

① The Group’s affiliates shall not provide customer-related information to other affiliates or disclose it to a third party unless otherwise permitted by the relevant laws and regulations, including the provisions on customer-related information under the 「Financial Holding Companies Act」, Article 48-2.② The Group’s affiliates shall set the standards for the processing of relevant business, establish security measures and/or a security system to prevent the disclosure of information shared by them to a third party under the relevant laws and regulations, concerning systematic and stringent management and more efficient use of customer-related information shared among them.③ The subsidiaries shall periodically report the status of the sharing of customer-related information to the Holding Company.④ With regard to the subsidiaries’ sharing of customer-related information among them, the Holding Company shall check whether such information is used for any unauthorized purposes, along with the adequacy of the security measures and system adopted and the process of handing complaints about the sharing of information, and may ask the subsidiaries to take remedial steps if any deficiencies are detected.

Article 28 (Whistleblowing system)

① The Group’s affiliates shall appoint a person to take charge of the whistleblowing system and to operate details of operation of the system so as to ensure effective internal control.② The whistleblowing system shall include measures for maintaining the confidentiality of whistleblowers and protecting them, including the prohibition of placing them at a disadvantage, and punitive measures shall be imposed on persons who fail to report illegal/unjust acts that may have a serious impact on the Group’s affiliates despite their knowledge thereof.

Article 29 (Mandatory leave)

The Group’s affiliates shall establish the measures required to execute the mandatory leave system designed to prevent illegal or unjust acts by executives and employees, including those who are subject to it, its execution cycle, and exceptions to its application.

Article 30 (Standards for separation of jobs with high risks)

As regards single transactions with a high potential for incidents, the Group’s affiliates shall operate standards for the separation of jobs, including an arrangement in which plural executives and employees or departments take part. Where it is difficult to separate jobs due to a lack of human resources or an urgent matter, they may operate a separate supplementary/control system.

Article 31 (Procedure for business such as the development, etc. of new products)

① The subsidiaries shall establish a business procedure that must be observed in order to protect financial consumers and maintain the market order in the process of developing and selling new financial products.② The procedure stated in the foregoing ① shall include the following.1. A system for consumer protection in the process of product planning and development.2. A system for consumer protection in the sale of products.3. A system for consumer protection following the sale of products.

Article 32 (Advertisement)

① As regards the advertisement of products or services dealt with by the Group’s affiliates, they shall clearly mark the name of the Group, the contents of the products/services, and the transaction conditions so as to allow users to make rational decisions as stipulated in the relevant laws and regulations.② With regard to the production of advertisements of products and services and the relevant contents, the Group’s affiliates shall establish detailed standards and procedures to be observed.

Article 33 (Self-inspection of branches, etc.)

Subsidiaries that operate branches shall operate details about the latter’s methods of self-inspection, matters to be ascertained, cycle of execution, etc.

Chapter 5 Holding Company’s Compliance Officer

Article 34 (Appointment/dismissal)

① The Holding Company’s Compliance Officer shall be elected by the BoD from among those candidates recommended by the CEO who have sufficient working knowledge and experience of legal/financial business and who meet the requirements of the relevant laws and regulations. The Compliance Officer may be dismissed with the consent of two-thirds of the total number of directors if any one of the following is the case.1. Where the case falls under the category of dismissal under the internal policies2. Where it is judged that the person concerned is not fit to serve as a compliance officer② The Holding Company’s Compliance Officer shall be relieved of his/her position if he/she fails to meet the requirements stipulated in the Act on the Corporate Governance of Financial Companies, Article 26.③ Where its Compliance Officer has resigned or been dismissed, the Holding Company shall elect the successor at the next BoD session to ensure the continuity of its internal control business, unless there is a special reason not to.④ Upon the election or dismissal of its Compliance Officer, the Holding Company shall report it to the financial supervisory authorities under the relevant laws and regulations.

Article 35 (Appointment; term of office)

The Holding Company’s Compliance Officer shall be elected from among its internal directors or executive officers for a term of office of at least 2 (two) years.

Article 36 (Obligations and rights)

① The Holding Company’s Compliance Officer shall carry out his/her duties in good faith.② Where required to carry out his/her duties as such, the Holding Company’s Compliance Officer may access the records kept by the Group’s affiliates or express his/her opinions at the BoD, the BoD’s committee meetings, and the Management Council, and report to the CEO and the Board Audit Committee unrestrictedly as required.③ Where it is judged to be necessary to carry out his/her duties as such, the Holding Company’s Compliance Officer may request the Group’s affiliates’ executives and employees to submit materials or information and the parties concerned to attend or reply, with which the executives and employees shall comply in good faith.

Article 37 (Independence)

The Holding Company shall ensure the independence of its Compliance Officer so that he/she may carry out the duties fairly and shall not put him/her at a disadvantage in terms of personnel matters for a reason related to his/her performance of the duties.

Article 38 (Supporting organization)

① The Holding Company shall ensure that its supporting organizations are composed of and maintained with an adequate number of human resources equipped with sufficient experience and abilities in order that the internal control business may be carried out efficiently, and shall provide all support required to enable its Compliance Officer to carry out the duties adequately.② The details of the duties of the Holding Company’s Compliance Officer and the supporting organizations shall be fixed by the CEO.

Addendum(2020.07.24)

This policy shall enter into force on July 24, 2020.

Addendum(2023.03.24)

This policy shall enter into force on March 24, 2023.