Annual Report of the Audit and Corporate Practices Committee

Mexico City, March 21, 2019

To the Board of Directors of Grupo Financiero Banorte, S.A.B. de C.V.

In accordance with the provisions of Articles 58 of the Law to Regulate Financial Groups, 43 of the Securities Market Law, and 34 of the Unified External Auditors’ Bulletin, the following is the annual report by the Audit and Corporate Practices Committee (the Committee) for fiscal year 2018.

The contents of this report shall refer to Grupo Financiero Banorte (GFNorte) and the following relevant entities: Banco Mercantil del Norte, S.A., Casa de Bolsa Banorte, S.A. de C.V., Arrendadora y Factor Banorte, S.A. de C.V., SOFOM ER, Sólida Administradora de Portafolios, S.A. de C.V. SOFOM ER, Sólida Administradora de Portafolios, S.A. de C.V., SOFO M ER, Seguros Banorte, S.A. de C.V., Pensiones Banorte, S.A. de C.V. and Banorte Ahorro y Previsión, S.A. de C.V.

I. As regards our audit:

• Regarding the status of the Internal Control System (ICS) and Internal Audit of GFNorte and its relevant entities, and any deficiencies and deviations detected therein, we took into account the following elements:
  1. The annual reports on Internal Control activities by the relevant entities, prepared by their Managing Directors.
  2. The reports of the Internal Comptrollers of the relevant entities of GFNorte in Mexico, along with their opinion on the operation of the ICS.
  3. The opinion of Internal Auditor regarding the condition of the ICS at the relevant entities.
  4. The reports on relevant deficiencies and observations regarding GFNorte and its Subsidiaries presented by Internal Audit, and follow-up in the form of corrective measures.
  5. Auditor’s opinion on the financial statements of GFNorte and its subsidiaries.
  6. The reports of the inspection visits by the competent authorities.
  7. The opinions of the Statutory Auditors of the relevant entities of GFNorte.
  8. The reports of other Audit Committees on any relevant events and the minutes of their meetings.
  9. Internal Audit management reports and report on compliance with the work program.
  On the basis of these elements, we report that the ICS of GFNorte and its relevant entities functions appropriately, and that any deficiencies or deviations that were found have been remedied or are in process of being remedied.
  With respect to the operation of the Internal Audit, the area has remained independent, and performed its work program reasonably according to best practices, and efficiently oversaw the implementation of actions to correct observations and areas of opportunity.
• No significant breaches of operating or accounting criteria or policies by GFNorte and its relevant entities were observed. The parties responsible were informed of the areas of opportunity identified, and measures were taken to address them, using the corresponding monitoring system to ensure their proper implementation.
• Concerning our assessment of the independence required of the legal entity that provides external audit services, we report that the external auditor meets the necessary requirement of independence to undertake these duties.
  Additionally, the contents of its opinions, communications, and reports were found to be of good quality and useful in supporting the Committee, with special mention of the fact that these results and opinions do not reflect any differences with those of Management. During the audit exercise the independent auditor did not issue any relevant observations that required further action.
  Concerning the evaluation of the performance of the external auditor, we report that in the development of its activities and in its relationship with Management and this Committee, the firm Galaz, Yamazaki, Ruiz Uriquiza, S.C. (a member of Deloitte Touche Tohmatsu) has proven its quality.
• With regard to the description and assessment of any additional or supplementary services provided by the external auditor, during fiscal year 2018 the services of the firm were engaged for the purpose of reviewing the sustainability report and some local taxes, as well as transfer prices in intercompany transactions.
  It was also engaged to carry out work relating to diagnosis and consulting on implementation of new accounting regulations contained in the Financial Reporting Standards and drafts of the new CNBV Accounting Criteria.
  In tax matters, the firm was hired to identify the tax effects that legislation in the United States (US) would have on the eventual spinoff of Banorte USA .
  In the area of technology, the same firm was engaged to contribute best practices in initiatives relating to establishment of the TRIAGE Protocol and Information Services Assessment Process, and participate as a possible supplier for conducting intrusion testing in those systems. Finally, its engagement was authorized for the purpose of analyzing and providing an opinion on the proposed payments by M&G Polímeros through administered credit in Recovery Banking.
  With respect to the assessment of these additional services, this committee is of the opinion that they were supplied in accordance with the requested objectives and scope, the resources applied to carrying them out were sufficient, the participating teams possessed the professional skill and experience needed to execute them, that they were provided within the required time period, and that those responsible for carrying out these activities maintained effective communication.
• We reviewed the financial statements of GFNorte and Subsidiaries as of December 31, 2018, and accompanying External Auditor’s opinion and confirmed that these were prepared, in all material aspects, in accordance with the applicable accounting criteria, and their approval was recommended to the Board of Directors. The Committee also reviewed on a quarterly basis the interim financial statements for the fiscal year.
• With respect to the main modifications to accounting policies and criteria applied during the fiscal year, these were made in keeping with changes in the applicable provisions described in Note 4 to the financial statements, “Main Accounting Policies,” which includes a detailed explanation of these modifications and their effects.
  During the fiscal year, the Board of Directors approved changes to the methodology for valuation of investment projects and obtained an official document from the CNBV authorizing it to apply a special book entry to recognize the result from mark-to-market valuation of housing development companies.
• No relevant observations were received during the fiscal year from shareholders, directors, senior officers, employees or any third party, with respect to accounting, internal controls or internal and external audit, or reports of any irregular event. Pursuant to best practices, there is an anonymous reporting system in the place, and the Committee monitors appropriate follow-up on all matters reported through that system.
• With respect to follow-up on of the resolutions of the Shareholders’ Meeting and of the Board of Directors, these bodies did not request that the Committee monitor any resolution in particular.
• During the fiscal year, oversight visits were made by CNBV, CNSF, COND USEF, IPAB, Banco de México and the Mexican Stock Exchange (the latter to the Brokerage Firm); it should be noted that that the CNBV requested that the Board of Directors be informed of some aspects detected in its review.
  In the months of December and January, the Authorities were presented with written responses on their observations, in some cases contributing additional information in order to address the issue, and in others indicating the corrective plan already being applied, and still other informing them that the corresponding analysis will be carried out to begin correction programs. The main findings were reported to the Board of Directors in its January 24, 2019 meeting.
• Other relevant activities conducted within the responsibilities of the Committee included following up on the progress of the merger with Grupo Financiero Interacciones and approval of modifications to the Internal Audit Work Program for the second half of 2018, which entailed new processes and companies that resulted from the merger.
  The Committee approved the materiality criteria that the internal Auditor must use in reporting on the findings of its review of the financial statements of GFNorte and its subsidiaries, and the proposed policies and limits on the engagement of additional services by the External Auditor.
  With regard to the Unified Bulletin on External Auditors, which took effect in August 2018, the Committee meet in extraordinary session with the External Auditor, Internal Comptroller, Internal Audit department and management in order to identify the responsibilities of each and identify the deliverables to be received and issued in order to comply with this Bulletin.
  Regarding the Trust area, the Committee followed up on the results of the audit in fiscal year 2017, phase II, corresponding to the work plan for the SIFE Trust System, progress toward obtaining a legal opinion on the files, and finally, a review of progress in addressing the observations identified by the Internal Audit department.
  In matters of Technology (IT), the Committee followed up on the incident involving a breach of the Interbank Electronic Payment System (SPEI) that occurred in April 2018, evaluating the corresponding remediation plan; reviewed the report on Data Security, which included an evaluation of GFNorte’s level of maturity with respect to its competitors, and details of the Quantum 2020 program, whose purpose is to maximize the scope of GFNorte’s data asset protection.
  In the Credit area, the Committee verified the results of the fiscal year 2018 Loan Review applicable to Banco Mercantil del Norte and Arrendadora y Factor Banorte, as well as the internal credit models.
  Additionally, the Committee reviewed actions to strength the segregation of application functions, and followed up on the results and corrective measures of the forensic analysis of the fraud that occurred at Casa de Bolsa Banorte in May 2017.
  Before concluding this we report, we would like to recognize the past contributions of Manuel Aznar Nicolín and Robert Chandler Edwards , former members of this Committee and Board Members of GFNorte, who played an active role in making this strengthening our institution.

II. Concerning Corporate Practices:

• In relation to observations on the performance of relevant senior executives, the Secretary of the Human Resources Committee informed that no cases were registered of senior officers acting in breach of the established policies during the fiscal year.
• Transactions with related parties approved by the Board of Directors as of December 31, 2018, the credits extended by Banco Mercantil del Norte to related parties in the same fiscal year, totaled Ps. 17.13 billion, which is below the limit established by the corresponding regulations. Intercompany transactions were carried out at market prices; these were verified by the External Auditor, who reported no findings.
  During 2018, the Committee monitored the implementation of GFNorte’s Conflict of Interest Prevention System, relying upon the Internal Audit and Controllership management reports.
• Regarding the benefit packages of the CEO and relevant senior officers, there is a Compensation System approved by the Board of Directors, which divides their compensation into ordinary and extraordinary, and rules on deferral the latter, depending on established risk indicators and compliance with policies; this system was consistently applied during the fiscal year, taking into consideration the result of the review carried out by Internal Audit area and the reports of the Human Resources Committee and Risk Policy Committee to the Board of Directors.
• During the fiscal year, the Board of Directors did not grant any dispensation to any directors or relevant senior officers to take advantage of any business opportunities.

Sincerely,,

Héctor Reyes Retana y Dahl
Chairman of the Audit and Corporate Practices Committee Of Grupo Financiero Banorte, S.A.B. de C.V.