THE ARCG CHARTER

Issued in March 2008

Audit Review & Compliance Group - ARCG

Index
Part A Internal Audit
Purpose Charter Mission Independence Scope & Responsibilities Authority Accountability Standards

Part B Compliance
Introduction Guiding Principles Function & Task of Compliance Scope of Compliance Organisation of Compliance Function within ARCG Reporting Lines & Communication Lines Independence Authority Standards Accountability

Page 2 of 9

Audit Review & Compliance Group - ARCG

ARCG CHARTER
This document has been divided into two parts; Part A relates to Internal Audit which comprises four Divisions, Risk Review, Retail Audit, Operations & IT Audit and Fraud & Investigation; Part B relates to Compliance.

PART A INTERNAL AUDIT PURPOSE

Internal Audit is an independent appraisal function established within the Bank to examine and evaluate its activities from a controls and risk perspective. The objective of Internal Audit is to assist members of the bank, especially management and the Board of Directors, in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and by promoting effective control at reasonable cost. The information furnished to each may differ in format and detail, depending upon their requirements, requests and the nature of the assignments. Internal Audit examines and evaluates the adequacy and effectiveness of the system of internal control provided by the Bank. The objective is to provide all levels of management with sufficient, relevant and useful information that will help them assure: The reliability and integrity of information. Compliance with policies, plans, procedures, laws and regulations. The safeguarding of assets. The economical and efficient use of resources. The accomplishment of established objectives. Reliability of structure on segregation of roles and responsibilities. In line with Mashreqs commitment and accountability to its Board of Directors, a professional, independent Audit, Review and Compliance Group has been setup (herein mentioned as ARCG) as part of being compliant to banks policies and procedures as well as local and international regulations, statutes and laws as applicable in the banking and financial industry. The purpose of this charter is to define the role and responsibilities of the Internal Auditing function within the organization, authorize their unrestricted access to all the entitys records, information, personnel, and locations needed in the performance of audits, reviews. It also defines the nature, objective and scope of internal auditing activities and to delegate to the Head of ARCG the authority necessary to achieve these objectives. ARCG has independent status in Mashreq and will not be involved in the day to day operations or internal checking systems and will also not be involved or responsible for implementation of internal control systems. ARCG may be consulted when considered necessary, in assessing the adequacy of controls when first implemented and during changes in control specifications.

Page 3 of 9

Audit Review & Compliance Group - ARCG

Internal Control is the responsibility of management. It is a process designed to provide reasonable assurance of: Control over operations; Prevention of frauds Adequate self checking mechanisms and timely detection & resolution of errors Reliable financial data; Compliance with applicable laws and regulations; Top down control culture and banks risk appetite assessed through sound and tested risk evaluation processes. The required reasonable assurance exists when all the components of management control (the control environment; risk assessment processes; control activities; information and communication systems; and monitoring activities) are present and operate effectively. Internal Audit is an independent, objective assurance and consulting activity which is managed within the bank as an integral part of its risk management, control and governance processes. It assists management in accomplishing their objectives by assessing the state of internal control. In that regard, internal audit: Assists management in understanding and assessing risks; Evaluates the adequacy of techniques and controls to manage risk; Provides an assessment of the level of comfort that risk management, control and governance processes are operating effectively and efficiently; Identifies and recommends changes that add value; In a consultative capacity advises on efficiency of controls and effectiveness of structure on new initiatives and during change processes. Through these assurance and consultative activities, Internal Audit assists management in accomplishing its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

CHARTER
The Charter serves as a guide to Internal Audit in the performance of its duties. The Charter does not include, nor is it intended to include, all of their duties or responsibilities, as they may exist from time to time. The Charter is intended to: Provide a written record of formally approved policies of Internal Audit; Provide a basis for the evaluation of the performance of Internal Audit by the management of the Bank; Serve as a basic document in the Bank for administration of Internal Audit. This charter describes the mission, independence and objectivity, scope and responsibilities, authority, accountability and standards of the Internal Audit function.

Page 4 of 9

Audit Review & Compliance Group - ARCG

MISSION
The mission of Internal Audit is to ensure that the Banks businesses are conducted according to the highest professional and ethical standards by providing an independent, objective assurance function and by advising on best practice. Through a systematic and disciplined approach, Internal Audit helps the Bank accomplish its objectives by evaluating and improving the effectiveness of risk management, control and governance processes.

INDEPENDENCE
To ensure independence, Internal Audit is directly responsible to Head ARCG who reports to the CEO. In addition, it reports regularly to both the Audit and Compliance Committee of the Leadership Forum and the Audit Committee of the Board of Directors.

SCOPE AND RESPONSIBILITIES

The scope of internal audit work includes the review of risk management procedures, internal control systems, information systems, and governance processes. This work also involves periodic testing of transactions, best practice reviews, special audits, appraisals of regulatory requirements, investigation and implementing measures to help prevent and detect fraud. To fulfill its responsibilities, Internal Audit shall: Identify and assess potential risks to the Banks business. Review the adequacy of controls established to ensure compliance with policies, plans, procedures, and business objectives. Assess the reliability and security of financial and management information and the systems and operations (in-house or outsourced) that produce this information. Assess the means of safeguarding assets. Review established procedures and systems and propose improvements. Appraise the use of resources with regard to economy, efficiency and effectiveness. Contribute to the development of projects, selected according to the risk involved, by confirming that the Banks project methodology is followed and that, in particular, adequate controls are incorporated. Follow up recommendations to make sure that effective remedial action is taken. Carry out ad hoc appraisals, audits, or reviews requested by the Management/ Audit Committee. Review specific operations at the request of the Audit Committee or management as part of the business. Carry out examination & investigation of reported willful fraudulent acts, or other suggested activities internal or external.

Page 5 of 9

Audit Review & Compliance Group - ARCG

AUTHORITY
Internal Audit aims to promote effective controls at reasonable cost. To achieve this, Internal Audit is authorised in the course of its activities, to: Enter all areas of the Bank and have unrestricted access to any documents and records, personnel, core issue analysis, investigation and determination of facts and statement of recommendations in its reports, considered necessary for the performance of its functions. Require all members of staff and Management to supply such information and explanations as may be needed within a reasonable period of time. Senior Management should inform Internal Audit immediately on any occurrence of any significant incident concerning security and/or compliance with regulations and procedures, without delay.

ACCOUNTABILITY
Internal Audit shall prepare, in liaison with the Head of ARCG, an annual audit plan. The plan is based on a risk model that identifies business risks, and on input from line managers. It provides information about the risk assessment, the current order of priority of audit projects and how they are to be carried out. The plan shall be presented to Head of ARCG and the Audit Committee for approval. In case of need, adjustments may be made to the plan during the year. Any such changes would have to be approved by the Head of ARCG and communicated to the Audit Committee. Internal Audit is responsible for planning, conducting, reporting and following up on audit projects included in the audit plan, and decides on the scope and timing of audits. The details of these processes are defined in the Internal Audit Manual. The above does not restrict Internal Audit in initiating any action and/or recommendation, including an unscheduled audit; where exceptions, risks, process gaps/efficiency, losses, near losses or other matter requiring preventive action, should they deem it necessary. Senior Management may also investigate/ highlight concern which may prompt action by internal audit. Audit fieldwork shall be conducted in a professional and timely manner. Reporting of results will include an open process to agree on the facts and the validity of audit recommendations. A detailed audit report and a letter to Management will summarise the objectives and scope of the audit as well as observations and recommendations. In all cases, follow-up work will be undertaken to ensure adequate response to audit recommendations. Internal Audit shall coordinate with external audit to ensure proper coverage and avoid duplication of effort.

STANDARDS

Internal Audit adheres to the standards of best professional practice, such as those published by the Institute of Internal Auditors and the Information Systems Audit

Page 6 of 9

Audit Review & Compliance Group - ARCG

and Control Association, and the relevant reports and recommendations of the Basel Committee on Banking Supervision.

PART B - COMPLIANCE INTRODUCTION

The Compliance function within the bank is the independent oversight on behalf of senior management of those core processes and related policies and procedures that seek to ensure that the bank is in conformity with industry-specific laws and regulations in letter and spirit, thereby maintaining the banks reputation. The Board of Directors of Mashreq is fully committed to its Corporate Values and to the preservation of the integrity and reputation of the bank by complying with laws and regulations in each of the markets it operates in. Integrity is the corner stone of the compliance function as it is the pivot of the banks Corporate Values. The following describes the role and responsibilities of the compliance function within Mashreq, its position and authority.

GUIDING PRINCIPLES
The starting point for compliance is formulated in six guiding principles: 1. Compliance is the individual and collective responsibility of each staff member in the bank within the given area of his/her responsibilities. All staff should be aware of relevant regulations and policies, be knowledgeable on how to comply and believe in the need to be compliant. 2. Business unit management is responsible for compliance and acts as role models for all staff. 3. The compliance function exercises independent oversight, enables and supports everyone to fulfill their roles, instills compliance discipline and ethical business conduct, prevents and detects violations of compliance policies. 4. The compliance approach is in principle risk-based, except where a rulesbased approach is required on a case to case basis. 5. The compliance function acts in partnership with the business with complete access to business information and strategy. 6. The compliance function encompasses industry-specific laws and regulations as well as related business conduct.

FUNCTION AND TASKS OF COMPLIANCE

The function and tasks of Compliance are the following: Identify risks and regulations relevant to the banks activities Design policies and procedures to minimize regulatory and reputation risk Advise, train and provide reports (to senior management) with regard to regulations and the compliance with these regulations Promote effective compliance and ensure or oversee follow-up in case of non-compliance Manage regulatory inquiries and incidents

Page 7 of 9

Audit Review & Compliance Group - ARCG

Build and manage ongoing relationships with key regulators

SCOPE OF COMPLIANCE
The compliance function within the bank provides independent oversight on behalf of senior management of those core processes and related policies and procedures that seek to ensure the bank is in conformity with industry-specific laws and regulations in letter and spirit, thereby maintaining the banks reputation. This includes sanctions and client acceptance and anti money laundering, the protection of clients against miss selling by the bank (e.g. personal investment policy, conflict of interest, chinese walls) and good citizenship (e.g. HRs code of conduct). The compliance scope does not include regulations and policies covering capital adequacy, accounting standards, credit administration etc. These are primarily covered by other support functions and business units, where applicable in consultation and cooperation with Compliance.

ORGANISATION OF COMPLIANCE FUNCTION WITHIN MASHREQ

Compliance is a support function of Mashreq and is a part of Audit, Review and Compliance Group (hereinafter referred to as ARCG) at the Head office. All compliance officers report, directly or via the management team of embedded compliance managers, hierarchically to the Head of Compliance ARCG, who has a direct reporting line to ARCG head. Compliance activities are predominantly performed in business-aligned groups to reflect the diverse nature of Mashreqs business and the need for a direct interface with business management. Activities that require consistency or highly specialised skills across businesses are conducted in dedicated organisational units in coordination with compliance, ARCG. For cross-cutting activities, compliance, ARCG steps in as a centre of excellence. Formal mechanisms are put in place to ensure one face to the regulator which is the Head of Compliance, ARCG on an overall level and embedded compliance managers for their respective business units.

REPORTING LINES AND COMMUNICATION LINES

The Head of Compliance, ARCG reports directly to the ARCG Head who is the member of the Leadership Forum. Thus compliance representation is at the senior most level in the overall hierarchy. The Heads of the embedded Compliance functions maintain intense and close communication with senior management within their jurisdiction and have overall responsibility for the quality of the professional practices in their department. They have a solid reporting line into the Head of Compliance, ARCG. An activity that requires overall consistency is client acceptance and anti-money laundering. Therefore, this activity is conducted by Compliance with close alignment with the embedded compliance functions within Business Units.

Page 8 of 9

Audit Review & Compliance Group - ARCG

Compliance maintains close relationships with other key divisions within ARCG. These divisions are Risk Review, Operational & IT Audit, Retail Audit and Fraud & Investigations Division.

INDEPENDENCE
Compliance is independent from the business and other line functions. Therefore the Head of Compliance reports directly to the Head of ARCG who is a member of the Leadership Forum (LF) and has representation to the Board of Directors through Chief Executive Officer of the bank and to the Audit & Compliance Committee of the LF.

AUTHORITY
The compliance function has free access to information and personnel and has the right to advise internal audit to conduct investigations of possible breaches of the compliance policy and if required to appoint outside experts to perform this task. Compliance is the principal interface with the regulators on compliance issues. All contacts with the regulators on compliance issues are managed through or in consultation with Compliance.

STANDARDS
The senior management of Mashreq is committed to preserving the integrity and reputation of the bank by complying with applicable laws and regulations in each of the markets in which it operates. Employees must adhere to all laws and regulations applicable to Mashreq and to the ethical standards set by Mashreq and those who do not may face disciplinary action. All employees are expected to observe high standards of conduct and be aware of the laws and regulations of other countries when conducting cross border transactions. In addition, Compliance represents Mashreq in external bodies / forums that focus on compliance issues and best practices (e.g. World Check, Complinet, Gulf Coop. Council, Hawkama Institute of Corporate Governance).

ACCOUNTABILITY
Compliance staff are available to provide guidance and support to the Businesses on issues related to laws and regulations. The overall Annual Compliance Plan is approved by the Head of ARCG. Compliance follows a risk based approach in addressing issues escalated to it or resulting from the monitoring conducted by Audit.

NOTE Any changes to the contents of this document require the approval of the Head of ARCG, who will communicate such changes to the Audit & Compliance Committee for their ratification.

Page 9 of 9