Non-financial risk
Operational risk
Definition
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events, including legal risks, excluding strategic risks. This is the Basel definition of operational risk, which covers a wide range of non-financial risks.
FMO adopted the Operational Risk Data Exchange Association (ORX) risk taxonomy to structure all non-financial risk types, such as people, data, model, technology, third party, information and cyber security, business continuity, statutory reporting, and transaction execution. FMO uses the terms operational risk and non-financial risk interchangeably.
Risk appetite and governance
FMO is generally cautious about non-financial risks and does not seek them as they have no direct material reward in terms of return/income generation, but they are inherent to FMO's business. Safe options are preferred with low inherent risk, even if they limit rewards or lead to higher costs. There is no appetite for high residual risk.
First- and second-line functions work closely together to understand the full and varied spectrum of non-financial risks, and to focus their risk and control efforts on meaningful and material risks. Risk identification and assessment draw on multiple sources of data, such as topic-specific risk assessments, results of half-yearly control monitoring and testing rounds, internal loss data and root cause analysis, audit results, supervisory findings, and key risk indicators. Policies and operating procedures clarify control standards and accountabilities and require training on key risks.
Management of the first line is responsible for understanding risks and implementing and operating internal controls in the day-to-day business processes. Key controls are monitored and tested twice a year. The first line performs these responsibilities in line with the risk management framework, using the methods and tools provided by the second-line Operational Risk function. The Operational Risk function challenges and advises the first line, performs oversight and maintains the Internal Control Framework.
Risk events will occur, despite the implementation of internal controls. Risk events can result in losses, non-compliance, misstatements in the financial reports, and reputational damage. Risk events are centrally registered, reviewed, and classified by the Operational Risk team. Root cause analyses of high-concern risk events require approval by the Non-Financial Risk Committee and follow-up of remediating actions is tracked and reported.
Non-financial risk metrics are reported on a monthly basis. These metrics include the amount of YTD operational loss, highest loss per quarter, timely follow-up of remediating actions by management, control effectiveness testing results, and specific metrics for all non-financial risk sub-types. Based on these metrics, all of the non-financial risk sub-types were reported as within appetite at year-end. All departmental directors evaluate the operational risks in their area of responsibility and sign a departmental 'in control' statement at year-end.
Developments
The scope and quality of the Internal Control Framework have been further improved in 2025 through two half-yearly rounds of control monitoring and testing.
Financial economic crime risk
Definition
Financial economic crime (FEC) risk is the risk that FMO, its subsidiaries, investments, customers and/or employees are involved in or used for any crime that has a financial component, even though such transactions may be hidden or not socially perceived as criminal. This includes (but is not limited to): money laundering, terrorism financing, bribery and corruption, sanction breaches, and any other predicate offences as defined by the Dutch Penal Code or any other applicable rules or regulations.
Risk appetite and governance
FMO acknowledges that as a financial institution it has been entrusted with a gatekeeper role. FMO attaches great value to this role and will always strive for full and timely adherence to FEC regulations. Given FMO's mandate, the operating environment (countries with high(er) financial crime risks) as well as the risk maturity level of its customers, FMO is aware that risks are present and incidents within customer complexes (i.e. the customer and any associated and/or third parties) may occur. FEC risk is considered within risk appetite in 2025.
Financial economic crime framework
FMO’s FEC procedures include measures to ensure compliance with applicable anti-money laundering, counter financing of terrorism and international sanctions laws and regulations and to mitigate risks of FMO being involved in FEC. Due diligence is performed on customers, which includes checks such as verifying the ultimate beneficial owners of the customers financed, identifying politically exposed persons and screening against mandatory international sanction lists. These checks are also performed regularly during the relationship with existing customers.
In FMO's continued efforts to implement learnings, the Compliance department reviews its FEC framework in cooperation with the Know Your Customer (KYC) department on an ongoing basis. The ongoing reviews take into account any monitoring results, risk analysis, incidents and updates in regulations and industry best practices. In addition, continuous risk-based quality monitoring takes place in both the first and second line, including sample-based and thematic monitoring. FMO also conducts ongoing training programs for its employees to raise awareness on topics related to FEC. In addition, FMO continues to remind its customers of the importance of integrity in business operations, including sanctions compliance.
FMO continues to work on strengthening its risk culture and creating awareness of FEC, potential unusual transactions, and anti-bribery and corruption practices. In 2025, all FMO employees were required to complete the Compliance 'Annual Integrity refresher e-learning' covering customer and personal integrity topics, such as bribery and corruption. In 2025, DNB conducted an onsite investigation into FMO's compliance with the Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft), as well as relevant provisions of the Wet op het financieel toezicht (Wft) and Besluit prudentiële regels Wft (Bpr). The investigation concluded that FMO's policies and procedures are generally compliant with the applicable legal requirements.
There is always a risk that a customer is involved or alleged to be involved in illicit acts (e.g., money laundering, fraud, or corruption). When FMO is of the opinion that there is a breach of law that cannot be remedied, that no improvement by the customer will be achieved (e.g., awareness, implementing controls) or that the risk to FMO's reputation is unacceptably high, FMO may exercise certain remedies under the contract. Those remedies may include the right to cancel a loan or suspend upcoming disbursements. FMO will report to the regulatory authorities when necessary. Refer to the sub-chapter 'G1 Business conduct' in the Sustainability Statements Section for recent developments in this area.
FMO has conducted a review of the organization-wide Systematic Integrity Risk Analysis (SIRA). The review confirmed the inherent top integrity risks and assessed the effectiveness of existing mitigation measures. Based on the analysis, current mitigation strategies were found to be adequate, with targeted enhancements identified to address emerging risks.
In August 2023, FMO reported that, as a result of late notification of unusual transactions to the Dutch Financial Intelligence Unit (FIU-NL) in 2021 and 2022, DNB decided on enforcement measures. FMO is appealing these administrative measures.
General Data Protection Regulation
FMO has a strong data privacy framework. Employees increasingly recognize the importance of data privacy and their role in it. Processes have been streamlined, and privacy impact is assessed early on in projects and new applications. The focus is on continuous improvement of FMO's data protection framework taking into account regulatory requirements and internal developments.
Regulatory compliance risk
Definition
Regulatory compliance risk is the risk that FMO does not operate in accordance with applicable rules and regulations, either by not (timely) identifying applicable regulations or not adequately implementing and adhering to applicable regulations and related internal policies and procedures.
Risk appetite and governance
FMO has a minimal appetite for regulatory compliance risk. It closely monitors and assesses future regulations that apply to FMO and strives for full and timely implementation of regulations. Regulatory compliance risk is considered within risk appetite in 2025.
To ensure compliance with the EU Banking Supervisory Regulations as implemented by DNB and the ECB and other laws and regulations applicable to FMO, FMO closely monitors regulatory developments, including the supervisory authority’s guidance. Since March 2025, FMO has implemented the regulatory tool “Corlytics” to support the identification and monitoring of regulatory updates that are (potentially) applicable to FMO.
FMO has a risk committee structure, accompanied by a Regulatory Monitoring Policy that defines the internal requirements, processes, roles, and responsibilities of identifying, assessing and implementing regulatory changes.
Developments
Basel IV implementation in the EU
The new EU legislative package on the Capital Requirements Regulation (CRR3) and Capital Requirements Directive (CRD6) implementing the Basel IV standards within the EU was published on June 19, 2024. CRR3 has been applied to FMO since January 1, 2025, and its implementation follows a phase-in approach. The CRD6 takes effect following its transposition into National Law during 2026. The market risk framework (Fundamental Review of the Trading Book or FRTB) under the new legislative package is expected to come into force on January 1, 2027 or later depending on the progress of the international implementation of this framework. In addition to the implementation of Basel IV standards, the legislative package introduced new rules requiring banks to systematically identify, disclose and manage sustainability risks (ESG risks), and stronger enforcement tools for supervision of the EU banks.
Since 2024, FMO set up a bank-wide project for the timely and compliant implementation of the CRR3/CRD6 amendments, which required changes in FMO’s internal policies, systems and processes. The project is still ongoing and on track, in line with the regulatory timelines, allowing FMO to implement and comply with the required changes in time. Full implementation of the CRD6 will follow the finalization, transposition into National Law, and publication of supporting Regulatory and Implementing Technical Standards (RTS/ITS) and guidelines.
The package contains several items that have been impacting FMO’s capital since January 2025 and were already considered in the 2025 Internal Capital Adequacy Assessment process (ICAAP). Regarding credit risk, the main capital impact is expected to come from the phasing in of the treatment of equity exposures to 250 percent risk weight instead of the current 150 percent. Regarding market risk, FMO will be subject to the new alternative standardized approach for market risk (A-SA), when the new FRTB framework will be applicable. The methodology is significantly more sensitive to movements in currency composition, and its results are therefore expected to be more volatile.
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a European regulation designed to create a standardized and comprehensive framework for digital operational resilience across the EU financial sector. This regulation provides a unified set of rules for the use of ICT systems by financial institutions, emphasizing governance and board responsibilities, ICT risk management, security and business continuity, resilience testing, and third-party risk management. DORA, along with its underlying applicable rules, came into effect on January 17, 2025.
FMO has made substantial progress in implementing DORA. As of July 2025, the DORA project implementation was marked as 'completed', with the remaining action items integrated into 'Business as Usual' (BAU). FMO aims to have the latest items implemented by the end of Q1 2026. FMO Investment Management B.V. has updated its policy framework and organizational handbook. Intra-group arrangements with FMO are expected to be completed in Q1 2026.
ESG-related regulatory requirements
In 2025, significant regulatory developments continued to shape the way financial institutions manage and report ESG risks.
Prudential ESG requirements
The new EU legislative package amending the Capital Requirements Regulation (CRR3) and Capital Requirements Directive (CRD6) strengthens the role of ESG risks by positioning them as key drivers of traditional financial risks. In 2025, the European Banking Authority (EBA) published new Guidelines on ESG risk management and scenario analysis, applicable in 2026 and 2027, respectively. These developments require financial institutions to systematically identify, disclose, and manage ESG risks. For FMO, this introduces an additional perspective that complements its existing focus on preventing adverse environmental, social, and governance impacts in line with its policy commitments. During 2025, FMO continued aligning its internal processes, disclosures, business strategy, and risk management with DNB's expectations and the above-mentioned EBA Guidelines.
Corporate Sustainability Reporting Directive (CSRD)
The European Commission’s 2025 Omnibus simplification package introduces amendments to the CSRD and ESRS, of which the "quick-fix" amendments are applicable as of January 1, 2026. These changes may raise reporting thresholds to companies with at least 1,000 employees and €450 million in turnover, reducing the number of entities in scope. The 2025 Sustainability Statement included in this Annual Report marks FMO’s second CSRD report. FMO also considers the transitional reliefs provided through the ESRS “quick‑fix” amendments, which lighten and delay some disclosure requirements.
EU Taxonomy
The EU Taxonomy is a classification system that defines criteria for environmentally sustainable economic activities and requires banks to report their level of taxonomy alignment with the first two environmental objectives (climate change mitigation and climate change adaptation), and their taxonomy eligibility on all six environmental objectives (the two objectives above, plus sustainable use and protection of water and marine resources; transition to a circular economy; pollution prevention and control; and protection and restoration of biodiversity and ecosystems). While FMO has reported against these rules since 2021, in this Annual Report FMO will opt out of detailed Taxonomy reporting. This omission is allowed under the Delegated Act published in January 2026, which temporarily exempts financial undertakings from detailed Taxonomy reporting for financial years 2025 and 2026.
EU Pay Transparency Directive
The EU Pay Transparency Directive aims to strengthen the principle of equal pay for equal work or work of equal value with a strong focus on avoiding pay discrimination and closing the gender pay gap across the European Union. The expected implementation date of this Directive will be January 1, 2027. FMO has been reporting on the (un-)adjusted gender pay gap for several years and is preparing for implementation to ensure timely compliance with the EU Pay Transparency Directive. The gender pay gap 2025 is disclosed in the S1-16 Section of this Report.
EU AML/CFT Legislative package
In July 2021, the EU published its AML/CFT (Anti-Money Laundering and Countering the Financing of Terrorism) Legislative package, which included four legislative proposals: (i) a regulation establishing the new EU AML Authority, (ii) the revision of the 2015 Regulation on Transfers of Funds, (iii) the 6th Directive on AML/CFT and (iv) a new Regulation on AML/CFT. The Regulation on AML/CFT is relevant for FMO as it contains the majority of legal requirements currently contained in the 5th AML/CFT Directive (e.g. requirements on CDD, FIU reporting, UBO and PEP), as well as certain new legal requirements. The package was adopted in May 2024 and is expected to enter into force in 2027. FMO has started impact analyses to ensure timely compliance.
EBA Guidelines on restrictive measures
On November 14, 2024, the European Banking Authority (EBA) published its final report regarding the Guidelines on ‘internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures’. These Guidelines became applicable on December 30, 2025. The aim of the Guidelines is to ensure the effective management of legal risks relating to the violation of Union restrictive measures. FMO has conducted an impact assessment and implemented the Guidelines where required.
New fiscal qualification policy for legal forms (Wet Fiscale Kwalificatie rechtsvormen)
As of 2025 a change has been introduced in the Dutch corporate income tax regulations (Wet VPB), changing the fiscal qualification of partnership-like vehicles, resulting in a change of fiscal qualification of a large number of FMO’s investments in Private Equity (PE) Funds. The purpose of this legislation is to reduce the number of hybrid mismatches in an international context. The effect of the change is that vehicles become tax transparent, requiring FMO to report its pro rata share of the Funds’ balance sheet assets and income. As a result, a smaller number of PE Fund investments will qualify for the participation exemption. The impact of this change depends on the actual result of the PE funds and can go in either direction. For 2025, this impact is not considered to be material.
EMIR 3.0
EMIR 3.0 came into force on December 24, 2024, requiring FMO to begin preparations for implementation. FMO conducted a detailed impact assessment on its derivatives business, based on the Regulatory Technical Standards (RTS) adopted on October 29, 2025 by the EC. The assessment revealed that FMO is currently below the €3 billion threshold for the relevant interest rate categories, on an ongoing monthly and rolling 12-month basis, making it currently exempt from the Active Account Requirement (AAR). A working group has been set up to address the expected breach of the threshold during 2026. Other action items, such as data quality control and a new reporting system for all trades cleared through non-EEA clearing houses, are on hold pending publication of the relevant (draft) RTS and ITS.
EU Financial Data Access (FIDA) Regulation
The FIDA Regulation, proposed by the European Commission in June 2023, is expected to be adopted in early 2026 with a phased implementation starting in 2027. It aims to expand Open Finance by allowing consumers and businesses to securely share, with explicit consent, a broad range of financial data—such as loans, savings, investments, pensions, insurance, and mortgages—with authorized third-party providers. FIDA builds on PSD2’s open banking framework, promotes innovation and competition, while ensuring robust, consent-based data protection.
Dutch Corporate Governance Code (DCGC): VOR
In March 2025, the Dutch Corporate Governance Code was amended with a statement on Risk Management (‘Verklaring omtrent Risicobeheersing’, or VOR). The VOR requires a broader statement by the Management Board on FMO's operational and compliance risks and on its sustainability reporting. It is applicable for the first time (as part of and implemented in the ‘In control statement’) for the 2025 Annual Report.
Effectiveness assessment internal risk management and control systems
In accordance with the Dutch Corporate Governance Code, the Management Board has assessed the effectiveness of the risk management and control systems that are in place within FMO to substantiate its statement on risk management (VOR).
This assessment involved the creation of an assurance map for eight categories of operational, compliance and reporting risks, covering (combinations of) all sixteen ORX risk types.
The assurance map includes the outcomes of the risk management and control systems and results of first-, second- and third-line evaluations, such as the results of the control monitoring and testing program, results of the compliance monitoring program, results from internal audits, reviews and agreed-upon procedures, assessments and validations conducted by specialized external companies, risk events that have occurred, and yearly control statements of department directors. The assessment includes evaluations based on frameworks such as the COSO 'Internal Control Integrated Framework 2013' and the NOREA 'DORA In Control' framework.
Based on the abovementioned information, a scorecard was created for each of the eight topics, with a choice of four levels of comfort for five categories of first-, second- and third-line evaluations. Evaluations by external auditors and supervisory bodies cannot increase the level of comfort but can reduce the overall score.
The levels of comfort used are a) minimal comfort, b) some level of comfort, c) sufficient comfort, and d) comfort with limitations.
Conclusion of the effectiveness assessment
Based on the scorecards for the eight categories of operational and compliance risks, a single and final level of comfort is concluded as the Managing Board’s statement on the effectiveness of internal risk management and control systems in relation to these risks. The Managing Board’s conclusion on the effectiveness assessment, determined at “some level of comfort”, is incorporated in the In Control Statement: The Management Board is not aware that the aforementioned systems do not provide sufficient comfort that material operational and compliance risks faced by the company are effectively controlled in line with the risk appetite.
The indicated level of comfort is based on FMO's assessment of identified improvement areas in three of the eight operational risk and compliance topics: "sound business operations", "operational resilience" and "model risk". These entail the following in particular:
- FMO established internal projects (e.g., Partnerships Operations Program, Basel IV) aimed at enhancing existing business and operational processes and/or adequately implementing regulatory change. Reference is made to the External Environment section, Expanding regulations that impact FMO, which provides further details on the main regulatory changes for FMO.
- FMO seeks to further develop and enhance the scope, comprehensiveness and quality of its Internal Control Framework, achieving further maturity. This includes further embedding the linkage between key business processes and identified key risks, optimizing key controls and connecting these, where relevant, to financial reporting line items.
- FMO also periodically reviews the internal risk governance set-up and makes adjustments where these are deemed appropriate. In model risk management this applies specifically to ECL models, model (re)development and implementation, and End-User Applications.
The abovementioned improvements contribute to ensuring that FMO continues to perform within the boundaries of its non-financial risk appetite parameters.
This assessment was prepared by the operational risk management team within the Risk department, and the Compliance department, and discussed with the Management Board. The Management Board presented its findings and conclusions to the Audit and Risk Committee of the Supervisory Board.