Record : Pillar 3 disclosures as at 31 March 2021

RECORD PLC

CAPITAL REQUIREMENTS DIRECTIVE

PILLAR 3 DISCLOSURES - JULY 2021

Background

This document sets out the Pillar 3 disclosures on risk management, capital adequacy and remuneration for Record plc and all of its subsidiary companies (together 'Record' or the 'Group') as at 31 March 2021.

The disclosures were prepared in accordance with the Capital Requirements Directive ("CRD III"), the aim of which is to reduce the probability of consumer loss or market disruption as a result of prudential failure. It does this by seeking to ensure that the financial resources held by a firm are commensurate with the risks associated with its business profile and control environment.

The CRD III framework consists of three pillars:

• Pillar 1 sets out the rules-based minimum capital requirements;
• Pillar 2 requires the Group to assess capital adequacy in relation to its actual risk profile in order to determine whether additional capital is required to cover these risks. This assessment is performed through the Group's Internal Capital Adequacy Assessment Process (ICAAP); and
• Pillar 3 requires public disclosure of the Group's risk profile, risk management, capital, and remuneration.

This document describes and discloses information in relation to Record unless such information has been determined as immaterial or of a proprietary or confidential nature, as follows:

1. Risk management;
2. Capital requirements;
3. Remuneration; and
4. Financial resources and capital adequacy.

The disclosures in this document are in accordance with the BIPRU rules and are intended to show the risks that are relevant to Record and the steps Record takes to manage such risks. In particular the document discloses how Record has satisfied itself that it has sufficient capital in respect of those risks. Record plc wholly owns a subsidiary, Record Currency Management Limited, which is authorised to undertake regulated business under the Financial Services and Markets Act 2000 (as amended by the Financial Services Act 2012 and 2016) and is regulated by the FCA. The Group is a UK consolidation group and is subject to consolidated supervision. The risk management and control framework is operated at the Group level. This report is therefore prepared on a consolidated basis for Record plc and all of its subsidiaries.

1

RECORD PLC

Basis and means of disclosure

The method of consolidation used for prudential purposes is the same as that used for the Group's consolidated financial statements. The Pillar 3 disclosures are published on the Group's website at: https://ir.recordcm.com/reports-and-accounts.

Frequency

This report will be made at least on an annual basis. The disclosures will be as at the Accounting Reference Date (ARD) of 31 March, and will be published within four months of the ARD. These disclosures are made for the Group as at 31 March 2021.

Verification

The Pillar 3 disclosures are subject to internal review procedures consistent with those undertaken for unaudited information published in the Annual Report; they have not been audited by Record's external auditors.

The disclosures have been prepared purely for explaining the basis on which Record has assessed certain capital requirements and information about the management of certain risks and for no other purpose. They do not constitute any form of financial statement and must not be relied upon in making any judgement on Record.

1. Risk management

The Board has ultimate responsibility for risk and the oversight of the risk management process within the business. Recognising that risk is inherent in all of the Group's business dealings, and in the markets and instruments in which the Group operates, it places a high priority on ensuring that there is a strong risk management culture embedded throughout the Group, and accountability at all levels within the business.

Risk management framework

Effective risk management and strong internal controls are fundamental to the Group's business model and are reflected in the risk management framework adopted by the Board. The risk management framework defines risk management objectives, responsibilities and the process for identifying, assessing and controlling risks within acceptable limits that impact the Group.

Such limits are defined in the "risk appetite statement" approved by the Board and include full consideration of the following:

• the activities of the business, and the capabilities of the firm in each of these activities;
• the objectives for the business, and the plans in place to meet these objectives;
• the regulatory environment in which the firm operates; and
• external factors that may affect the business.

The Board has delegated certain responsibilities to various Board and executive sub-committees, as follows:

2

RECORD PLC

Audit and Risk	Provides oversight and independent challenge in relation to internal controls,
Committee	risk management systems and procedures, and external financial reporting.
Executive Committee	The decision-making body for the day-to-day operation of the business and
	responsible for the identification of strategic opportunities and business
	threats (i.e. business risks) to the Group.
Investment	Responsible for assessing the risks associated with changes to the Group's
Committee	investment processes or products and for ultimate approval prior to
	implementation.
Risk Management	Continually reviews existing and new operational risks and maintains,
Committee ("RMC")	reviews and updates the Group's comprehensive risk register. The RMC
	also reviews the nature and reasons for any operational incidents with the
	objective of ensuring adequate systems and controls are in place to minimise
	and preferably eliminate such incidents and their impact on clients and the
	Group.

The Group's risk management framework is underpinned by the three lines of defence, as follows:

First Line: Risk Management

The first line of defence rests with Record's senior managers and business operations being responsible and accountable for the identification, assessment, management, monitoring and reporting of the individual risks and associated controls within their areas of responsibility.

Second Line: Risk Oversight

The second line of defence is provided by oversight functions such as Finance, Legal, Compliance and Risk, and Front Office Risk Management monitoring activity against defined policies and procedures.

Third Line: Risk Assurance

The third line of defence is independent assurance on the adequacy and effectiveness of the Group's risk management, control and governance processes, and is provided by Deloitte LLP as the Group's appointed internal auditor.

Additional external independent assurance for shareholders is gained through the annual statutory external audit, currently performed by BDO LLP, and the service auditors report on internal controls provided by RSM Risk Assurance Services LLP.

Risks are also mitigated by the recruitment and retention of highly trained staff, clear reporting lines, appropriate segregation of duties and clearly defined procedures and policies. Ownership of risks is clearly identified and the Board encourages a culture of transparency and openness in all activities. Further information on Record's risk management framework is included in Record's 2021 Annual Report at: https://ir.recordcm.com/reports-and-accounts.

Risk management process

All staff, line managers and senior management have a responsibility for identifying current or emerging risks. Once identified, the risk must be clearly defined and ownership assigned and an assessment of the gross risk is made by considering the likelihood that the risk will materialise, and the impact should the risk materialise.

3

RECORD PLC

Following review by the relevant committee of the controls established to manage the risk, the risk assessment process is repeated incorporating the changes to the control environment to establish the net risk position, which is monitored against the Board's risk appetite.

The Group maintains a Risk Register which records identified risks, risk owners and the gross and net risk positions, which is reviewed regularly by management. Risk owners are also responsible for ensuring the timely escalation to the appropriate forum where the risks are exceeding, or in their opinion are likely to exceed the Board's approved risk appetite.

Senior management receive regular management information on the Group's principal risks via Key Performance Indicators (KPIs), the Management Information Pack (MIP), the Risk Monitoring Matrix, and regular reports and updates from the Compliance and Risk, HR and IT directors.

In the event of an incident arising as a result of a risk materialising, the reasons for the incident will be reviewed in accordance with the Incident Management Policy to identify whether management needs to take any additional mitigating activity to prevent recurrence of any such incident. Furthermore, analysis of trends in risks and incidents is regularly undertaken within the Compliance and Risk department to identify patterns of risk behaviour that may require further investigation.

Risk categories

All identified risks are set out in the risk register, and the exposures to key risks as identified by the Board are analysed in detail in the ICAAP document, which confirms the capital requirements in light of that analysis.

The risks assessed by the business and included within the ICAAP document include: capital adequacy, conduct, reputational, strategic, business, market, credit, operational, investment, interest rate, liquidity, residual, securitisation and pensions obligation risk, where applicable.

In respect of this Pillar 3 disclosure, the Board's assessment of the principal risks to the business are set out in brief on the following page below. Further detail can be found in Record's 2021 Annual Report at: https://ir.recordcm.com/reports-and-accounts.

The Board also considers capital adequacy risk, conduct risk and reputational risk, and further information for each is given below:

Capital adequacy risk

Capital adequacy risk is the risk that the Group is unable to support its strategic business objectives due to its minimum regulatory capital restrictions. The Group has a capital and dividend policy, which seeks to ensure that capital retained is broadly equivalent to one year's worth of estimated future overheads (excluding variable remuneration), in addition to capital assessed as required for regulatory purposes, for working capital purposes and for investing in new opportunities for the business. This policy ensures a significant capital buffer over regulatory requirements, and consequently capital adequacy risk is not considered a significant risk in terms of the principal risks noted above.

The business is also exposed to both conduct risk and reputational risk:

Conduct risk

Conduct risk is defined as the risk of causing detriment to a client or damaging the integrity of the market because of poor systems or processes, or inappropriate judgement by staff in execution of the Group's

4

RECORD PLC

business. The conduct of our staff and the strength of our internal control systems and processes are fundamental to the effective operation of the Group's risk management framework. Conduct risk is therefore evident and managed within each individual category of risk, and when combined equates to the overall conduct risk of the Group. Consequently, conduct risk is not considered as a separate risk category within the principal risks of the Group.

Reputational risk

Reputational risk is the risk of loss or adverse impact arising from an unfavourable perception of the Group on behalf of clients, counterparties, employees, regulators, shareholders or other stakeholders. Reputational risk can manifest as a consequence of an occurrence of any of the Group's principal risks, either in isolation or together with other risks, and is therefore considered to form an integral part of each of the Group's principal risks. For this reason, reputational risk is not considered as a separate risk category within the principal risks of the Group.

Principal risks

Strategic risk	The risk that the Group is unable to meet its strategic objectives due to
	internal or external factors, such as poor business decisions, poor
	implementation, inadequate resourcing or failure to respond to changes in
	the business environment.
Business risk	The risk of failure of the business to generate fee income and control costs
	in line with business plans due to internal and external factors including
	concentration risk, people and employment risk, and the risk posed by
	regulatory change.
Operational risk	Operational risks are inherent in all activities and processes performed
	across the business and include the risk of loss or other impacts arising from
	operational flaws including fraud or error and weaknesses in systems and
	controls.
Investment risk	The risk that long-term investment performance is not delivered compared
	to benchmarks, objectives or competition.

Coronavirus ("covid-19")

Covid-19 has continued to impact economies and businesses throughout the financial year ended 31 March 2021.

Record's business responded well to the changes enforced by the covid-19 pandemic, with continuity in operational and client servicing matters, and maintaining a full team without the need for additional funding or Government assistance. The business has remained fully independent throughout the crisis, with no external debt.

A full review of the impact of covid-19 on our business including our market, clients, people, technology and operations, governance and oversight, and our business model is provided in the 2021 Annual Report on page 44: https://ir.recordcm.com/reports-and-accounts.

5