ENTERPRISE RISK MANAGEMENT AND COMPLIANCE COMMITTEE

MANDATE

Role

The primary purpose of the Enterprise Risk Management and Compliance Committee (the "Committee") is to assist the Board in its oversight role with respect to:

  1. the identification, measurement, monitoring, reporting and mitigation of emerging or key financial and non-financial risks, including operational and reputational risks, affecting MCAN's strategy, capital, liquidity and financial position;
  2. MCAN's risk and compliance culture and the effectiveness of policies, procedures and risk management practices in place throughout the organization;
  3. the review and approval of the Enterprise Risk Management Framework ("ERMF"), Risk Appetite Framework ("RAF") and significant supporting policies;
  4. the management of MCAN's risk profile in alignment with MCAN's Board approved risk appetite and strategic plan, including consideration of the potential risk impacts of any new business initiatives or changes to MCAN's strategy;
  5. the review, approval and ongoing monitoring of the Internal Capital Adequacy Assessment Process ("ICAAP");
  6. the ongoing assessment of MCAN's capacity to withstand potential adverse events;
  7. MCAN's compliance with key regulatory and legislative requirements; and
  8. the mandates, resources, budgets and performance of MCAN's Risk Management and Compliance functions.

Composition and Operations

  1. The Committee shall consist of at least three directors appointed by the Board.
  2. No member of the Committee shall be an officer or employee of MCAN, its subsidiaries or affiliates. A majority of the members of the Committee will be independent in accordance with the requirements of laws governing MCAN, the applicable stock exchange on which MCAN's securities are listed, applicable securities regulatory authorities, and MCAN's Director Independence Policy and will not be affiliated with MCAN as such term is defined in the Trust and Loan Companies Act (Canada).
  3. Each member shall satisfy the applicable experience requirements of the laws governing MCAN, and the applicable stock exchange on which MCAN's securities are listed and applicable securities regulatory authorities.
  4. Each member of the Committee shall have sufficient knowledge in the risk management of regulated financial institutions and have a sound understanding of the types of risks to which MCAN may be exposed and of the techniques and systems used to identify, measure, monitor, report and mitigate those risks.
  5. The Board shall appoint an independent member of the Committee as the Committee Chair.

  1. The Committee shall meet at least quarterly and as many additional times as considered necessary. The Committee shall report to the Board on its activities after each of its meetings.
  2. The Committee strives for consensus, but the affirmative vote of a majority of the members of the Committee participating in any meeting of the Committee is necessary for the adoption of any resolution.

Specific Duties

Oversight of Risk Management

  1. Annually review and recommend Board approval of the ERMF including MCAN's risk management structure, risk management principles, and the processes for identifying, measuring, monitoring, reporting and mitigating MCAN's major financial and non-financial risk types (including emerging risks and systemic risks) that could impact MCAN's strategy, capital, liquidity or financial position.
  2. Promote a strong and effective risk management culture throughout the organization. On an ongoing basis, monitor the quality and soundness of MCAN's risk culture and reputation.
  3. In conjunction with Board approval of the strategic plan, annually review and recommend Board approval of the RAF, articulating the aggregate level and types of risk MCAN is willing to accept or avoid in order to achieve its business objectives. Ensure appropriateness relative to MCAN's overall risk profile, business model, strategic plan, risk capacity and operating environment.
  4. In conjunction with Board approval of the strategic plan, annually review and recommend Board approval of MCAN's ICAAP demonstrating MCAN's overall capital adequacy relative to its risk profile and articulating MCAN's strategy for maintaining capital levels in the event of potentially adverse scenarios.
  5. Review, on a quarterly basis or more frequently, management's assessment of MCAN's capacity to withstand potential adverse events that could negatively impact its capital, liquidity or financial position, including management's evaluation of enterprise wide stress testing results relative to specific risk metrics and the effectiveness of proposed management actions to recover from such events.
  6. Review and advise the Board with respect to management's evaluation of the potential impact on MCAN's risk profile of any proposed changes to strategy, material transactions or new initiatives.
  7. Periodically review and recommend Board approval of the Frameworks and Policies listed in Appendix I, including any Policy Level Limits, Guidance Metrics, exception criteria, and Board reporting requirements included therein. Ensure they are aligned with and guided by MCAN's RAF.

  1. As required, review and recommend Board approval of any amendments proposed by management between scheduled renewal dates to the Frameworks and Policies listed in Appendix I ensuring that management has appropriately documented the supporting rationale and impact of any changes made on MCAN's risk profile and risk appetite.
  2. Review, on a quarterly basis, a summary of any amendments made by management to key definitions, approval authorities, Board reporting requirements or other material requirements within Policies listed in Appendix II for appropriateness and consistency with Board approved risk appetite.
  3. On a quarterly basis, review management reports relating to compliance with risk policies, procedures and guidelines, including performance against stated limits, exception levels (both material and non-material exceptions), and the results of any quality assurance or internal audit testing.
  4. Review, on a quarterly basis or more frequently as required, management status reports on the effectiveness of any risk mitigation plans that have been implemented in response to identified non-compliance issues with prescribed risk policies or risk limits.
  5. Annually assess the effectiveness of MCAN's RAF, ICAAP, and significant supporting policies and plans, particularly those related to the management of capital and liquidity.
  6. Periodically review and approve MCAN's risk rating methodology embedded within credit risk policies. Review and monitor quarterly adherence to these guidelines and the risk profile of the Residential Lending and Construction & Commercial mortgage portfolios relative to MCAN's Board approved strategy and risk appetite.
  7. Review, on a quarterly basis or more frequently as required, the effectiveness of MCAN's practices relating to the management of its third party risk. At least annually review the list of Material Outsourcing Arrangements and the Risk Assessment Scoring for each arrangement noted on that list. Review any additional reports relating to outsourcer performance metrics, when appropriate.
  8. Review materials and representations provided by management in assessing the effectiveness of policies, processes and practices in place to deter and detect incidents of fraud and suspected misrepresentation.
  9. Review at least annually the adequacy of MCAN's insurance program, in particular its employee bonding, errors and omissions and directors and officers coverage.
  10. Periodically review and assess the effectiveness of MCAN's identification, measurement, monitoring, reporting, and mitigation of non-financial risks, such as IT and Cybersecurity, Climate Change Risk, and Operational Resiliency risks.

Oversight of the Risk Management Function

  1. At least quarterly, obtain and review a report from the Chief Risk Officer ("CRO") regarding MCAN's risk profile relative to the Board approved risk appetite (including compliance with RAF and Policy Level Limits); material exceptions to risk policies; key trends and emerging risks; adequacy of any risk mitigation plans or acceptance rationale; and the overall effectiveness of risk management practices and controls.
  2. Together with the Conduct Review, Corporate Governance & Human Resources Committee ("CRCG&HR Committee"), approve decisions regarding the appointment and removal of the CRO.
  3. Together with the CRCG&HR Committee, perform an annual review of the role profile of the CRO, including ensuring that it provides the CRO with unfettered access and a functional reporting line to the Committee.
  4. At least annually review the work plan, budget, structure, resources and independence of the Risk Management Function ensuring that the function has sufficient stature, authority, and resources to carry out its mandate.
  5. Together with the CRCG&HR Committee, ensure an annual performance evaluation of the CRO. On an ongoing basis, assess the effectiveness of the CRO and the Risk Management function.
  6. Review the results of periodic internal audit, regulatory and other independent reviews of the Risk Management function. Assess and monitor the timeliness and appropriateness of management's response and any required remediation activities.
  7. At least quarterly, meet separately with the Chief Risk Officer.

Oversight of the Compliance Function

  1. Review at least quarterly a report from the Chief Compliance Officer ("CCO") including an opinion on MCAN's compliance with key regulatory and legislative requirements, the adequacy of management's plans to remediate any deficiencies identified, and the effectiveness of MCAN's programs relating to Regulatory Compliance Management, Fraud Risk Management, Third Party Risk Management, Records Management and Business Continuity Planning and Operational Compliance.
  2. Review at least quarterly a report from the Chief Anti-Money Laundering Officer ("CAMLO") on the Anti-Money Laundering and Anti-Terrorist Financing ("AML/ATF") Program, including monitoring and reporting activity, and an opinion on the overall effectiveness of the AML/ATF Program and MCAN's compliance with the AML Policy.
  3. Review at least quarterly a report from the Privacy Officer on the results and overall effectiveness of the Privacy Program and MCAN's compliance with Privacy legislation (PIPEDA) and the Privacy Policy.

  1. On a quarterly basis, monitor the effectiveness of policies, processes and practices implemented by management to monitor, manage and report on MCAN's compliance with key regulatory and legislative requirements (including AML/ATF legislation and Privacy legislation), to keep abreast of and appropriately respond to new and changing requirements, and to satisfy itself that the policies and processes are being adhered to.
  2. Together with the CRCG&HR Committee, approve decisions regarding the appointment and removal of the CCO, the CAMLO and the Privacy Officer.
  3. Together with the CRCG&HR Committee, perform an annual review of the role profiles of the CCO, the CAMLO and the Privacy Officer, including ensuring that these officers have unfettered access and a functional reporting line to the Committee.
  4. At least annually, review the work plan, budget, structure, resources and independence of the Compliance function ensuring that the function has sufficient stature, authority and resources to carry out its mandate.
  5. Together with the CRCG&HR Committee, ensure an annual performance evaluation of the CCO, the CAMLO and the Privacy Officer. On an ongoing basis, assess the effectiveness of the CCO, CAMLO, Privacy Officer and the Compliance function (including more specifically the AML/ATF and Privacy Programs).
  6. Review the results of periodic internal audit, regulatory and other independent reviews of the Compliance function. Assess and monitor the timeliness and appropriateness of management's response and any required remediation activities.
  7. At least quarterly, meet separately with the CCO.

Other

  1. Review correspondence, any notices of violation and any minutes of management meetings with regulators and other governmental agencies including, without limitation, OSFI, CDIC, FINTRAC, FCAC, and CMHC.
  2. At the discretion of the Committee, retain, oversee, compensate and terminate independent advisors to assist the Committee in its activities.
  3. Carry out any other appropriate duties and responsibilities assigned by the Board.

Approved: December 2023

Appendix I - Frameworks and Policies Subject to Board Review and Approval

Framework or Policy: Frequency (minimum)

  Enterprise Risk Management Framework: Annual
  Risk Appetite Framework: Annual
  Interest Rate Risk Management Framework: Annual
  Liquidity Risk Management Framework: Annual
  Delegated Authorities Framework: Biennial
  Regulatory Compliance Management Framework: Biennial
  Anti-Money Laundering and Anti-Terrorist Financing Policy: Annual
  Capital Management Policy: Biennial
  Commercial Term Mortgage Underwriting Policy: Biennial
  Construction Loan Underwriting Policy: Biennial
  Residential Mortgage Underwriting Policy: Biennial
  Fraud Risk Management Policy: Biennial
  Investment Policy: Biennial
  Pledging Policy: Biennial
  Privacy Policy: Biennial

Appendix II - Frameworks and Policies Subject to Management Approval, where material amendments require reporting to the Board

Framework or Policy: Frequency (minimum)

  Business Continuity Management Policy: Biennial
  Contingency Funding Plan: Biennial
  Crisis Management Framework: Biennial
  Enterprise-Wide Stress Testing Policy: Biennial
  Model Risk Management Policy: Biennial
  Operational Risk Management Framework: Biennial
  Outsourcing Policy: Biennial
  Recovery Plan: Biennial
  Strategic & Reputational Risk Management Framework: Biennial
  Policy Management Guideline: Triennial

Disclaimer

MCAN Mortgage Corporation published this content on 21 December 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 25 December 2023 09:26:34 UTC.