Bank of N T Butterfield & Son : 31 December 2023.

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

Contents	Page
1. Overview	3

1. Background
2. Basis of disclosures
3. Scope of applications
4. Location and verification

2. Risk Management Objectives and Policies

5

1. Risk governance
2. Risk management

3.	Prudential Metrics	7
4.	Capital Adequacy	9

1. Capital management
2. Regulatory capital framework
3. Capital structure
4. Linkages between financial statements and regulatory exposures
5. Minimum capital requirement: Pillar 1
6. Leverage ratio

5. Credit Risk Measurement, Mitigation and Reporting

15

1. Credit risk overview
2. Credit risk - retail and private banking
3. Credit risk - commercial banking
4. Credit risk - treasury
5. Exposures
6. Impairment provisions
7. Credit risk concentrations
8. Credit risk mitigation
9. Securitization

6. Market and Liquidity Risk

28

1. Market risk overview
2. Interest rate risk
3. Foreign exchange risk
4. Liquidity risk

7.	Operational Risk	33
8.	Other Information	34

1. Abbreviations
2. Cautionary statements regarding forward-looking statements

Page 2

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

1. Overview

1.1 Background

Effective January 1, 2015, the BMA implemented the capital reforms proposed by the BCBS and referred to as the Basel III regulatory framework. Basel III aims to raise the quality, consistency and transparency of the capital base, limit the build-up of excess leverage and increase capital requirements for the banking sector. We are subject to the following requirements:

• CET1 ratio of at least 7.0% of RWA, inclusive of a minimum CET1 ratio of 4.5% and the new capital conservation buffer of 2.5%, but excluding the D-SIB surcharge described below;
• Tier 1 capital of at least 8.5% of RWA, inclusive of a minimum Tier 1 ratio of 6% and the new capital conservation buffer of 2.5% but excluding the D-SIB surcharge described below;
• Total capital of at least 10.5% of RWA, inclusive of a minimum total capital ratio of 8% and the new capital conservation buffer of 2.5% but excluding the D-SIB surcharge described below;
• The Group is considered to be a D-SIB and is subject to a 3% surcharge composed of CET1-eligible capital implemented by the BMA effective September 30, 2015. This is based upon the BMA's assessment of the extent to which the Group (individually and collectively with the other Bermuda banks) poses a degree of material systemic risk to the economy of Bermuda due to its role in deposit taking, lending, payment systems and other core economic functions;
• Counter-cyclicalbuffer of up to 2.5% composed of CET1-eligible capital may be implemented by the BMA when macroeconomic indicators provide an assessment of excessive credit or other pressures building in the banking sector, potentially increasing the CET1, Tier 1 and total capital ratios by up to 2.5%. No Counter-cyclical buffer has been implemented to date;
• Leverage ratio of 5.0% or higher;
• LCR with a minimum requirement of 100%; and
• NSFR with a minimum requirement of 100%.

The minimum capital ratio requirements set forth above do not reflect additional Pillar 2 add-on requirements that the BMA may impose upon the Group as a prudential measure from time to time. As the Group's capital requirements remain under continuous review by the BMA pursuant to its prudential supervision, the Group cannot guarantee that the BMA will not seek higher total capital ratio requirements from time to time.

In December 2017, the BCBS published standards that it described as the finalization of the Basel III post-crisis regulatory reforms (the standards are commonly referred to as "Basel IV"). Among other things, these standards revise the BCBS's standardized approach for credit risk (including recalibrating risk weights and introducing new segmentations for exposures) and provides a new standardized approach for operational risk capital. Under the BCBS framework, these standards were effective on January 1, 20231, with an aggregate output floor phasing in through January 1, 20281. The BMA adopted the BCBS's revised standardized approach for operational and credit risk effective January 1, 2023 and January 1, 2025, respectively.

The requirements of the Basel III regulatory capital framework include the disclosure requirements applicable to banks and deposit-taking companies which are known as Pillar 3. These are designed to promote market discipline by providing market participants with key information on a firm's risk exposure and risk management processes. Pillar 3 also aims to complement the minimum capital requirements described under Pillar 1, as well as the supervisory processes of Pillar 2.

1.2 Basis of Disclosures

This disclosure document has been prepared by the Group on a standardized basis and in accordance with the rules laid out in the BCBS standards issued in January 2015 entitled 'Revised Pillar 3 Disclosure Requirements' and in March 2017 entitled "Pillar 3 disclosure requirements - consolidated and enhanced framework" and as adopted by the BMA. Unless otherwise stated, all figures are as at December 31, 2023 and are expressed in US dollars. Certain tables in this report may not sum due to rounding.

• In March 2020, in response to the pandemic, the BCBS deferred the implementation timeline from January 1, 2022 to January 1, 2023 and the output floor phasing in from January 1, 2027 to January 1, 2028.

Page 3

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

1.3 Scope of Application

The Bank is the parent company of The Bank of N.T. Butterfield & Son Limited group of companies and is regulated by the BMA. The Basel III Framework, therefore, applies to the Bank and its subsidiary undertakings (together referred to as both the "Bank" and the "Group").

There is a requirement to calculate and maintain regulatory capital ratios on both a consolidated and a solo basis in respect of the Group's banking businesses in Bermuda, the Cayman Islands, Guernsey and Jersey. Differences may exist between jurisdictions in the calculation of regulatory capital requirements. However, there are no differences between the basis of consolidation of the Group for accounting and prudential purposes. Full details of the basis of consolidation can be found in Note 2 of the Group's audited consolidated financial statements for the year ended December 31, 2023.

The Group is made up of the following principal operating entities, which are all wholly owned subsidiaries and fully consolidated in the Group's financial statements:

The Bank of N.T. Butterfield & Son Limited, Bermuda

Butterfield Asset Management Limited, Bermuda

Butterfield Securities (Bermuda) Limited

Butterfield Trust (Bermuda) Limited

Bermuda Trust Company Limited

Butterfield Bank (Cayman) Limited

Butterfield Trust (Cayman) Limited

Butterfield Bank (Guernsey) Limited

Butterfield Trust (Guernsey) Limited

Butterfield Bank (Jersey) Limited

Butterfield Mortgages Limited, UK

Butterfield Trust (Bahamas) Limited

Butterfield Holdings (Switzerland) Limited

Butterfield Trust (Switzerland) Limited

Butterfield Trust (Asia) Limited

All the Group's subsidiaries are included in the Pillar 3 disclosures. Each overseas operating company is regulated by its own local regulator and is subject to its own regulatory capital requirements. Further details of the principal subsidiary undertakings can be found in the Group's Annual Report on Form 20-F for the year ended December 31, 2023.

1.4 Location and Verification

Pursuant to BCBS guidance2, these disclosures have been published following Board approval.

The disclosures are not subject to external audit except where they are equivalent to those prepared under the accounting requirements for the inclusion in the Group's Audited Financial Statements.

These disclosures have been published on the Group's corporate website (https://www.butterfieldgroup.com/investor-relations/pillar-3- disclosure).

• https://www.bis.org/basel_framework/chapter/DIS/10.htm?inforce=20230101&published=20211111

Page 4

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

2. Risk Management Objectives and Policies

2.1 Risk Governance

The principal categories of risk inherent in our business are financial, compliance, operational, reputational and strategic risks.

The Board of Directors has overall responsibility for determining the strategy for risk management, setting the Bank's risk appetite and ensuring that risk is monitored and controlled effectively. It accomplishes its mandate through the activities of two dedicated committees:

The Risk Policy and Compliance Committee: This committee of the Board assists the Board in fulfilling its responsibilities by overseeing the Group's risk profile and its performance against approved risk appetites and tolerance thresholds. Specifically, the committee considers the sufficiency of the Group's policies, procedures and limits related to the identification, measurement, monitoring and control of activities that give rise to credit, market, liquidity, interest rate, operational, regulatory, compliance, climate and reputational risks, as well as overseeing its compliance with laws, regulations and codes of conduct.

The Audit Committee: This committee reviews the overall adequacy and effectiveness of the Group's system of internal controls and the control environment, including in respect of the risk management process. It reviews recommendations arising from internal and independent audit review activities and management's response to any findings raised.

Both the RPCC and Audit Committee are supported in the execution of their respective mandates by the dedicated Audit, Compliance and Risk Policy Committees for our UK, Guernsey, Jersey, Cayman Islands and The Bahamas operations, which oversee the sufficiency of local risk management policies and procedures and the effectiveness of the system of internal controls that are in place. These committees are chaired by non-executive directors drawn from the boards of directors for each segment.

The Group executive management team is led by the Chairman & CEO and includes the members of executive management reporting directly to the Chairman & CEO. The executive management team is responsible for setting business strategy and for monitoring, evaluating and managing risks across the Group. It is supported by the following management committees:

The Group Risk and Compliance Committee: This committee comprises executive and senior management team members and is chaired by the Group Chief Risk Officer. It provides a forum for the strategic assessment of risks assumed across the Group as a whole based on an integrated view of risks including credit, market, liquidity, legal, regulatory and financial crime compliance, fiduciary, operational, cybersecurity, climate, insurance, pension, investment, capital and reputational risks, ensuring that these exposures are consistent with the risk appetites and tolerance thresholds promulgated by the Board and oversees the compliance of regulatory obligations arising under applicable laws, rules and regulations. It is responsible (i) for reviewing, evaluating and recommending the Group's Risk Appetite Framework, the results of the Capital Assessment and Risk Profile and recovery and resolution planning processes (including all associated stress testing performed) and the Group's key risk policies to the Board for approval; (ii) for reviewing and evaluating current and proposed business strategies in the context of our risk appetites; and (iii) for identifying, reviewing and advising on current and emerging risk issues and associated mitigation plans; and (iv) for reviewing the Group's compliance with external regulations and internal policies. It is supported in its mandate by the Compliance and Operational Risk Committee ("CORC"), a dedicated sub-committee that is responsible for the evaluation and monitoring of non-financial risks, including compliance, reputational and operational risks, as well as the Group's policies.

The Group Asset and Liability Committee: This committee comprises executive and senior management team members and is chaired by the Group CFO. The committee is responsible for liquidity, interest rate and exchange rate risk management and other balance sheet issues. It also oversees key policies and the execution of the Group's investment and capital management strategies and monitors the associated risks assumed. It is supported in the execution of its mandate by the work undertaken by the dedicated Asset & Liability Committees in each of the Bank's segments.

The Group Credit Committee: This committee comprises executive and senior management and is chaired by the Group Chief Risk Officer. The committee is responsible for a broad range of activities relating to the monitoring, evaluation and management of credit risks assumed across the Group at both transaction and portfolio levels. It is supported in the execution of its mandate by the FIC, a dedicated sub-committee that is responsible for the evaluation and approval of recommended inter-bank and counterparty exposures assumed in the Group's treasury and investment portfolios, and by the activities of the jurisdictional Credit Committees, which review and approve transactions within delegated authorities and recommends specific transactions outside of these limits to the GCC for approval.

The Provisions and Impairments Committee: This committee comprises executive and senior management team members and is chaired by the Group Chief Risk Officer. The committee is responsible for approving significant provisions and other impairment charges. It also oversees the overall credit risk profile of the Group with a particular focus on non-accrual loans and assets. It is supported in the execution of its mandate by jurisdictional credit committees and the GCC, which make recommendations to this committee.

Page 5

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

2.2 Risk Management

We manage our exposure to risk through a three "lines of defense" model.

The first "line of defense" is provided by our jurisdictional business units, which retain ultimate responsibility for the risks they assume and for bearing the cost of risks associated with these exposures.

The second "line of defense" is provided by our Risk Management and Compliance groups, which work in collaboration with our business units to identify, assess, mitigate and monitor the risks associated with our business activities and strategies. They do this by:

• Making recommendations to the GRCC regarding the constitution of the Risk Appetite Framework;
• Setting risk strategies that are designed to manage risk exposures assumed in the course of pursuing our business strategies and aligning them with agreed appetites;
• Establishing and communicating policies, procedures and limits to control risks in alignment with these risk strategies;
• Measuring, monitoring and reporting on risk levels;
• Opining on specific transactions that fall outside delegated risk limits; and
• Identifying and assessing emerging risks

The functions within the Risk Management and Compliance groups that support our risk management activities are outlined below.

Group Market Risk - This unit provides independent oversight of the measurement, monitoring and control of liquidity and funding risks, interest rate and foreign exchange risks as well as the market risks associated with our investment portfolios. It also monitors compliance with both regulatory requirements and our internal policies and procedures relating to the management of these risks.

Group Credit Risk Management - This unit is responsible for the adjudication and oversight of credit risks associated with our retail and commercial lending activities and the management of risks associated with our investment portfolios and counterparty exposures. It also establishes the parameters and delegated limits within which credit risks may be assumed and promulgates guidelines on how exposures should be managed and monitored.

Group Operational Risk - This unit assesses the effectiveness of our procedures and internal controls in managing our exposure to various forms of operational risk, including those associated with new business activities and processes and the deployment of new technologies. It is also responsible for our incident management processes and reviews the effectiveness of our loss data collection activities.

Group Compliance - This unit provides independent analysis and assurance of our compliance with applicable laws, regulations, codes of conduct and recommended best practices, including those associated with the prevention of financial crime, including money laundering and terrorist financing. It is also responsible for assessing our potential exposure to upstream risks and for providing guidance on the preparations that should be made in advance of these changes coming into effect.

The third "line of defense" is provided by our Group Internal Audit function, by providing independent and objective assurance over the design and effectiveness of controls in place to manage the key risks impacting the Group. To enhance the independence of the function, the Group Head of Internal Audit has a functional reporting line to the Chair of the Audit Committee and administratively reports to the Chairman & CEO.

Further details on the risk management framework can be found in the Group's Annual Report on Form 20-F for the year ended December 31, 2023 under Item 5.A: Risk Management.

Page 6

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

3. Prudential Metrics

The table below provides an overview of the Group's prudential regulatory metrics for the last 5 quarters.

Table 1: Key Metrics (KM1)

		a	b	c	d	e
	(in millions of $)	Dec 31, 2023	Sep 30, 2023	Jun 30, 2023	Mar 31, 2023	Dec 31, 2022
	Available capital (amounts)
1	CET1	1,042.5	1,059.3	1,052.2	1,023.7	983.3
1a	CET1 capital as if CECL transitional arrangements had not been applied	1,040.9	1,057.7	1,050.6	1,022.1	980.2
2	Tier 1	1,042.5	1,059.3	1,052.2	1,023.7	983.3
2a	Tier 1 capital as if CECL transitional arrangements had not been applied	1,040.9	1,057.7	1,050.6	1,022.1	980.2
3	Total capital	1,151.9	1,168.6	1,161.3	1,207.6	1,167.0
3a	Total capital as if CECL transitional arrangements had not been applied	1,150.4	1,167.0	1,159.8	1,206.0	1,163.8
	Risk-weighted assets (amounts)
4	Total RWA	4,540.7	4,521.7	4,627.6	4,604.1	4,843.4
	Risk-based capital ratios as a percentage of RWA
5	CET1 ratio (%)	23.0%	23.4%	22.7%	22.2%	20.3%
5a	CET1 as if CECL transitional arrangements had not been applied	22.9%	23.4%	22.7%	22.2%	20.2%
6	Tier 1 ratio (%)	23.0%	23.4%	22.7%	22.2%	20.3%
6a	Tier 1 as if CECL transitional arrangements had not been applied	22.9%	23.4%	22.7%	22.2%	20.2%
7	Total capital ratio (%)	25.4%	25.8%	25.1%	26.2%	24.1%
7a	Total capital as if CECL transitional arrangements had not been applied	25.3%	25.8%	25.1%	26.2%	24.0%
	Additional CET1 buffer requirements as a percentage of RWA
8	Capital conservation buffer requirement (2.5% from 2019) (%)	2.5%	2.5%	2.5%	2.5%	2.5%
9	Countercyclical buffer requirement (%)	-%	-%	-%	-%	-%
10	Bank D-SIB additional requirements (%)	3.0%	3.0%	3.0%	3.0%	3.0%
11	Total of bank CET1 specific buffer requirements (%) (row 8 + row 9+ row 10)	5.5%	5.5%	5.5%	5.5%	5.5%
12	CET1 available after meeting the bank's minimum capital requirements (%)	13.0%	13.4%	12.7%	12.2%	10.3%
	Basel III Leverage Ratio
13	Total Basel III leverage ratio measure	13,777.8	13,540.3	13,899.2	14,125.7	14,774.3
14	Basel III leverage ratio (%) (row 2/row 13)	7.6%	7.8%	7.6%	7.2%	6.7%
14a	Leverage ratio as if CECL transitional arrangements had not been applied (%) (row	7.6%	7.8%	7.6%	7.2%	6.7%
2a/row 13)
	Liquidity Coverage Ratio
15	Total HQLA	5,759.5	4,723.3	4,898.9	5,482.8	5,998.7
16	Total net cash outflow	4,045.9	3,808.5	3,920.8	3,996.2	4,327.1
17	LCR ratio (%)*	142%	124%	125%	137%	139%
	Net Stable Funding Ratio
18	Total available stable funding	5,866.8	5,747.6	5,813.4	6,076.9	6,010.8
19	Total required stable funding	4,514.6	4,482.8	4,682.5	4,703.3	4,791.4
20	NSFR ratio (%)*	130%	128%	124%	129%	125%

• The LCR and NSFR ratios are shown as the actuals at the end of the relevant quarter. LCR and NSFR ratios shown in tables LIQ1 and LIQ2 under section 6 are shown as the simple averages of the 6 monthly and 2 quarterly observations respectively.

In accordance with regulatory capital guidance, the Group has elected to make use of transitional arrangements which allow the deferral of the January 1, 2020 CECL adoption impact of $7.8 million on its regulatory capital over a period of 5 years.

Page 7

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

Capital levels remained stable over the period with earnings accretion mostly offset by dividend payments and share repurchases. In addition, we recognized a new customer relationship intangible asset associated with the acquisition of trust client assets from Credit Suisse which is a deduction from capital. RWAs declined in 2H2023 due to a reduction in deposit funding levels driven by client activation of funds for investment purposes.

The leverage ratio remained flat in 2H2023.

The LCR increased in 2H2023 driven by an increase in HQLA Level 1 assets driven by both an improvement in unrealized losses on the investment portfolio and a movement of funds from the interbank market, thereby increasing the contribution of HQLA 2A assets.

The NSFR increased in 2H2023 driven by the above mentioned improvement in unrealized losses on the investment portfolio.

Page 8

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

4. Capital Adequacy

4.1 Capital Management

One of management's primary objectives is to maintain the confidence of our clients, bank regulators and shareholders. A strong capital position helps the Group to take advantage of profitable investment opportunities and withstand unforeseen adverse developments.

The Group manages its capital both on a total Group basis and, where appropriate, on a legal entity basis, through its CARP process. The Group Finance division has the responsibility for measuring, monitoring and reporting capital levels within guidelines and risk appetite limits. The management of capital will also involve jurisdictional management to ensure compliance with local regulation. In establishing the guidelines and limits for capital, a variety of factors are taken into consideration, including the overall risk of the business in stressed scenarios, regulatory requirements, capital levels relative to our peers, and the impact on our credit ratings.

4.2 Regulatory Capital Framework

The current regulatory capital framework is based on three pillars:

• Pillar 1: Sets the minimum capital requirements for credit, market and operational risk. Information is presented in Table 4-6 below.
• Pillar 2: Under the Basel framework as implemented by the BMA, the Group undertakes a CARP process, which is an internal assessment of all material risks to determine the Group's capital adequacy. This internal assessment takes account of the minimum capital requirement and other risks not covered by the minimum capital requirement (Pillar 2). Where capital is deemed as not being able to mitigate a particular risk, alternative management actions are identified and described within the CARP. The CARP is presented to the RPCC before being presented to the Board for challenge and approval and then submission to the BMA. The CARP process is performed annually or more frequently should the need arise.
  A SREP is then undertaken biennially by the BMA, which is designed to assess the Group's risk profile as documented in the CARP. This assessment is used to determine and set the Individual Capital Guidance which is the minimum level of capital the Group will be required to hold until the next SREP review is conducted.
• Pillar 3: Aims to promote market discipline through regulatory disclosure requirements.

4.3 Capital Structure

CET1 capital is comprised of common share capital, the share premium account, retained earnings and other reserves. It may also include interim retained profits that have been reviewed by external auditors, but losses must be taken into account, whether audited or not. Regulatory adjustments to CET1 capital include: unrealized gains and losses on AFS investments3, goodwill and intangible assets, the Group's defined benefit pension obligations and deferred tax. For accounting purposes, acquired customer relationships are capitalized as intangible assets where they meet certain criteria and amortized over a period not exceeding 15 years.

Tier 1 capital is comprised entirely of CET1 capital. Tier 2 capital is comprised of subordinated notes and qualifying allowances for expected credit losses4.

• One time, irrevocable election allowed by the BMA.

• Expected credit losses on fully performing loans are considered as qualifying for inclusion. See also discussion under Section 3 on adoption of CECL.

Page 9

Capital and Risk Management Pillar 3 Disclosures for the six-month period ended December 31, 2023

The tables below show the composition of capital as well as the reconciliation between accounting capital and regulatory capital:

Table 2: Composition of regulatory capital (CC1)

			Source based on
			reference numbers/
			letters of the balance
			sheet under the
	(in millions of $)	Amounts	regulatory scope of
	consolidation
Common Equity Tier 1 capital: instruments and reserves
1	Directly issued qualifying common share capital plus related stock surplus	971.3	(c)*
2	Retained earnings**	344.1	(d)*
3	Accumulated other comprehensive income (and other reserves)	(310.2)	(e)*
6	Common Equity Tier 1 capital before regulatory deductions	1,005.2
Common Equity Tier 1 capital regulatory adjustments
8	Goodwill (net of related tax liability)	(24.1)	(a)*
9	Other intangibles other than mortgage servicing rights (net of related tax liability)	(74.8)	(b)*
15	Defined benefit pension fund net assets	(26.7)
26	National specific regulatory adjustments	162.9	(e)*
28	Total regulatory adjustments to Common Equity Tier 1	37.3
29	Common Equity Tier 1 capital (CET1)	1,042.5
44	Additional Tier 1 capital (AT1)	-
45	Tier 1 capital (T1= CET1 + AT1)	1,042.5
Tier 2 capital: instruments and provisions
46	Directly issued qualifying Tier 2 instruments plus related stock surplus	100.0
50	Provisions	9.4
58	Tier 2 capital (T2)	109.4
59	Total regulatory capital (TC = T1 + T2)	1,151.9
60	Total risk-weighted assets	4,540.7
Capital ratios and buffers
61	Common Equity Tier 1 (as a percentage of risk-weighted assets)	23.0%
62	Tier 1 (as a percentage of risk-weighted assets)	23.0%
63	Total capital (as a percentage of risk-weighted assets)	25.4%
	Institution specific buffer requirement (capital conservation buffer plus countercyclical buffer
64	requirements plus higher loss absorbency requirement, expressed as a percentage of risk-weighted	5.5%
assets)
65	Of which: capital conservation buffer requirement	2.5%
66	Of which: bank-specific countercyclical buffer requirement	-%
67	Of which: higher loss absorbency requirement	3.0%
68	Common Equity Tier 1 (as a percentage of risk-weighted assets) available after meeting the bank's	588.4
minimum capital requirement.
Applicable caps on the inclusion of provisions in Tier 2
76	Provisions eligible for inclusion in Tier 2 in respect of exposures subject to standardised approach (prior to	9.4
application of cap)
77	Cap on inclusion of provisions in Tier 2 under standardised approach	56.8

* The references (a) - (e) above refer to the balance sheet components in Table 3 utilized in the calculation of regulatory capital.

** Includes the impact of the CECL transitional arrangement which allows the deferral of the January 1, 2020 CECL adoption impact of $7.8 million on its regulatory capital over a period of 5 years.

Capital levels remained stable over the period with earnings accretion mostly offset by dividend payments and share repurchases. In addition, we recognized a new customer relationship intangible asset associated with the acquisition of trust client assets from Credit Suisse which is a deduction from capital. RWAs declined in 2H2023 due to a reduction in deposit funding levels driven by client activation of funds for investment purposes.

Page 10