[GRI 102-11] In accordance with its risk management strategy, the bank oversees the risk management systems for the other entities of the group. It also supports their development and takes into account the operational risk profiles of the individual entities in order to monitor and report risk at the group level. The bank's Management Board is responsible for ensuring that the risk management system functions effectively. It regularly monitors whether the system adequately reflects the size and the risk profile of the group and its external environment. An assessment of risk materiality is conducted at least once a year. The following risks are considered material at the bank: credit risk, risk of the household mortgage loans in foreign currencies, forex risk, interest rate risk, liquidity risk, operational risk, business risk, modelling risk and risk of macroeconomic changes.
Due to the cross-cutting dimension of socio-environmental risks, which are not separate risks but which form part of the classic risk categories, the Bank’s Group did not set them apart as a separate category.
In 2021, the Bank analysed the ESG risk management process and developed an operational plan for integrating ESG risks with the Bank’s risk management system. Firstly, the key elements related to ESG risk were taken into account in the Risk Management Strategy, including the impact of ESG risk in credit risk appetite.
The ESG risk is understood as the risk of negative financial implications which are the result of the impact of ESG factors on Customers and counterparties or balance sheet items. The purpose of ESG risk management is to support sustainable development and building the long-term value of the Bank through integrated management of the impact of ESG factors. The ESG risk management takes into account the perspective of double materiality: the impact of ESG factors on the activities, financial result and development of the Bank as well as the impact of the Bank’s activities on society and the environment. The Bank manages the ESG risk as part of managing other types of risk. The ESG risk is not a separate type of risk but a cross-cutting one which affects the individual risk types. The ESG risk management is supported by all committees functioning at the Bank within the scope of their activities and competences related to the ESG risk.
[GRI 102-12] For many years, the bank has been initiating and implementing social projects that combine business objectives with initiatives addressed to all stakeholder groups. In accordance with its Mission, the bank conducts activities aimed at having a positive impact on Poland, its people, companies, culture and the environment. The bank builds its capital on national values and traditions. It conducts and supports activities aimed at commemorating important historical events, promoting pro-social attitudes and popularizing Polish tradition and culture. It is actively involved in educational and sports projects. Its experience and leading position in the financial market also oblige it to promote entrepreneurship and support the Polish economy. The bank participates actively in organizing economic congresses and industry conferences that enable the exchange of experience and the building of Polish and international business relations. The bank carries out projects at both national and local levels, supporting initiatives that are important to local communities. Such activities facilitate the integration of communities, the development of entrepreneurship among a region's inhabitants and the region's promotion.
Indicators reported for the year (values not preserved in this extract): new sponsorship requests; projects that received financial support; social projects supported by donations; volunteers.
The PKO Bank Polski Group influences its social environment and the latter's development: it offers customers financing for housing needs, supports local government units by financing public investments, supports the development of small enterprises and of education, counteracts financial exclusion and provides access to services for customers with disabilities.
According to data provided by the Ministry of Finance, the Tax Group of the Bank was the second largest CIT payer among the tax groups in Poland in 2020.
Every employee of the Bank’s Group is important, regardless of their gender, age, health condition, sexual orientation, religion, marital status or country of origin. The bank and the entities of the Bank’s Group use their best efforts to ensure diversity among the employees at every level in accordance with the applicable internal policies.
[GRI 405-2] The global ratio of women’s salaries to men’s salaries calculated as the total weighted average salary of women to that of men was 95% at the bank and 92% in the Bank’s Group.
The gender pay gap calculated on the basis of the weighted average salary was 5% at the bank and 8% in the Bank’s Group. The gender pay gap at the bank based on the median was 3.9%. The level of the gender pay gap does not indicate any unfounded inequalities in the amounts of women’s and men’s salaries; the small deviations by gender result from the nature of the organization, in which female employees are more numerous. The bank’s remuneration policy does not discriminate against employees on the basis of gender. The process of determining salaries at the bank is based on the valuation of positions. The salary is related to the complexity of the tasks within a given organizational structure, the level of responsibility associated with a given position and the necessary skills. The bank performs regular salary reviews for different positions, which also analyse the relationship between the salaries of women and men.
[GRI 401-2] All non-salary benefits are available to the employees irrespective of their type of contract or working time. Additional medical care: varied packages of benefits assigned to specific groups of positions. Employee Pension Programme - in the form of an agreement under which the bank makes a basic contribution (3.5% of an employee’s salary) and an additional employee contribution to the investment funds managed by PKO TFI S.A. Other major companies in the Bank’s Group also have EPPs in place. Additional benefits from the company social benefits fund: MyBenefit cafeteria system.
[GRI 102-41] A Collective Bargaining Agreement concluded with the company trade union organizations is in force at the bank. It governs, among other things, salary-related issues.
Employment at the bank: 74% women. Women in key managerial positions: value not preserved in this extract.
The obligation of equal treatment in employment is a fundamental principle at the level of policies, regulations and processes developed and carried out at the bank. Therefore, the bank’s internal acts adopted at Management Board level include crucial commitments pertaining to:
- counteracting discrimination in employment and non-discrimination of employees, in particular due to gender, age, disability, race, religion, nationality, political views, trade union membership, ethnic origin, denomination or sexual orientation or due to employment for a limited or unlimited period or on a full-time or part-time basis,
- application of objective criteria and transparent rules at the bank in the processes of recruitment, remuneration, employee development, access to training and access to employee benefits,
- guaranteeing equal treatment of employees performing the same type of work or work of equal value,
- applying objective and fair criteria for performance appraisal.
Policy on bullying and discrimination
The bank strongly opposes any forms of discrimination that contradict the organization’s values and promotes attitudes based on mutual respect among employees. Any conduct that can suggest the presence of bullying is unacceptable.
The bank has internal regulations in place for counteracting bullying and discrimination and for handling complaints concerning violations of employee rights. These principles provide for counteracting undesirable phenomena in employee relations and specify how to react to interpersonal conflicts. Based on these principles, an employee of the Bank may report a complaint about any breach of the employee rights defined in legal acts or internal regulations without fear of the consequences. Moreover, the employee is entitled to additional support while the complaint is investigated.
Training in the subject of diversity
Appropriate diversity management increases team work efficiency, improves the atmosphere at work, helps retain valuable and experienced employees, enhances innovation and creativity. For these reasons, such training is organized at the bank during which managers acquire knowledge and skills in the management of diverse teams, which makes it possible to eliminate undesirable behaviour and situations and support the valuable and positive ones. In 2021, webinars were mostly dedicated to the organization of remote work, team communication, and emotions and stress management.
Cooperation with external entities
Collaboration with external entities that supports diversity in the workforce includes: internship and training programmes that offer development opportunities to students and graduates of secondary schools and universities with various profiles; professional development programmes for people with disabilities, including the provision of workstations adapted to their needs; and cooperation with universities and secondary schools.
All subsidiaries of the bank perform OHS tasks in accordance with the applicable laws. These laws are precise enough that, in practice, the same OHS rules apply across the entire Bank’s Group. Entities located outside Poland operate under the rules of the country in which they are registered. The basic occupational health and safety management system arising from the generally applicable laws covers 100% of the employees.
[GRI 403-5] All employees participate in the system of OHS training. Such activities are organized in compliance with the law and, depending on the number of employees in a given company, they are carried out by the internal OHS service or a properly qualified external provider.
[GRI 403-9] In 2021, 69 accidents were reported (66 in 2020). As a result of the proceedings conducted, 3 of them were not classified as accidents at work, and 12 are still pending. [GRI 403-10] 5 instances of suspected work-related ill health in the bank’s employees were reported in 2021, 4 of which concerned former employees (3 in 2020). In 2021, the ruling authority issued 8 decisions concerning cases reported in prior years, including 6 decisions in which it was concluded that there were no grounds for classifying the illness as a case of work-related ill health, and 2 decisions in which the ruling authority identified the presence of an occupational disease. The other proceedings are still pending.
The nature of the business activities means that the direct impact of the Bank and the Bank’s Group on the natural environment is limited. Direct impact on the environment depends on the manner of consumption of limited natural resources. The group monitors the consumption of such resources and engages in activities aimed at reducing their consumption. In previous years, a number of entities of the Bank’s Group performed energy efficiency audits. On the basis of the results of such audits, the group entities identified the areas with the highest energy saving potential and drew up action plans which are currently being successively implemented.
The group entities have procedures and structures in place for monitoring the legal changes regarding the environment, which are significant for their operations. In 2021, none of the group entities conducted any projects that could significantly affect the environment. [GRI 307-1] No administrative proceedings relating to a breach of the environmental regulations were conducted with respect to the group that resulted in any financial penalties (in one subsidiary, waste collection fees were increased due to failure to meet the obligation of selective collection of municipal waste).
The bank's involvement in "green" industries (share of total assets): 2021 value not preserved in this extract (2020: 0.80%)
High carbon emission energy sectors (share of total assets): 2021 value not preserved in this extract (2020: 0.51%)
Indirect environmental impact
One of the tools for managing credit risk for selected industries/sectors is lending policies. The Bank has the following policies: Renewable Energy Sources, Carbon Intensive Energy Sector, Real Estate, Trade, Construction and building materials, Chemistry-Oil-Gas, Car Dealers and CFM companies, Public Healthcare.
Since 30 June 2021, the bank has assessed the impact of environmental, social and governance-related factors (the so-called ESG factors) on a customer’s creditworthiness each time in the lending process for customers in the corporate segment and for customers in the companies and enterprises segment evaluated using rating methods. The bank also examines the impact of lending transactions on ESG issues and classifies them into four categories, ranging from transactions with a positive effect on ESG issues to those with a significantly negative impact. In assessing the ESG factors, the Bank takes into account, among others, the risk of climate change and its impact on a Customer’s activities, the Customer’s possible effect on climate change, factors related to human capital or to health and safety, as well as factors related to governance (including the organization’s culture and internal supervision).
In 2021, the bank introduced changes consisting of the obligation to mark each credit exposure to a corporate customer with an ESG colour, including recording this colour in the bank’s central systems. In the process of assigning an ESG colour, factors relating to the environment, society and corporate governance are taken into consideration. In the case of SME customers, the ESG colour of the lending transactions takes on the ESG colour assigned to the customer’s core Polish NACE codes.
By using appropriate tools, the Bank estimates ESG risks, assesses and controls them. The identification of ESG risks allows the identification of projects which do not meet the increasingly high environmental and social requirements. By identifying these risks the bank may support the financing of environmentally sustainable and socially responsible projects, as well as eliminate the financing of activities/projects with a negative impact on the environment.
Together with other entities of the group, the bank supports the development of the economy by financing investments in new technologies, energy-saving projects and modernization of technological lines. We influence customer attitudes by demonstrating our participation in financing pro-ecological projects such as the construction of waste incineration plants, sewage treatment plants and power generation systems using modern, pro-ecological technologies. The group continues to expand its product offer to support the environmental protection.
In the process of developing regulations, procedures and policies relating to human rights, the entities of the Bank’s Group draw on the achievements of international organizations and respect the fundamental principles set out in the International Bill of Human Rights, which comprises the Universal Declaration of Human Rights and the UN Covenants: the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights.
Depending on the size and specificity of a given entity of the Bank’s Group, observance of human rights is manifested in its internal provisions, in the initiatives it undertakes and in everyday practice. This concerns, in particular, the rights to recognition of every employee’s identity, to express one’s views and opinions, to freedom of thought, conscience and religion, to protection of personal rights, to equal treatment, to access to information, to access to healthcare and to respect for privacy.
Some of the entities of the group have included provisions relating to respect for human rights and the prohibition of discrimination in such documents as their working regulations or the code of ethics. The bank’s policy concerning respect for human rights is contained in its policies and principles.
No cases of employment of minors or forced labour were identified in the group entities operating in various countries. The issues of observance of human rights are reflected in the procedures and agreements signed with entities.
The bank takes action to prevent violations of human rights, including employee rights, but it is not able to eliminate all conflicts. In 2021, 21 cases concerning employment relationships ended in the final termination of proceedings (15 cases were won, 6 cases were lost).
The bank wants to achieve its business objectives while keeping both the impact of its operating and product activities on climate change and the impact of climate change on its business activities at the lowest possible level. It carefully monitors the information published on anthropogenic climate change and is aware of its corporate responsibility for complying with the obligations recorded in the Paris Agreement.
As the biggest bank in Poland, one that sets trends for innovative banking products, we recognize the impact of our business activities on local communities and the environment. We are aware of our corporate responsibility for complying with the obligations that result from the Paris Agreement. We signed the Ecological Responsibility Charter of Polish Entrepreneurs and Employers, in which we committed to working towards the principles of climate neutrality and the circular economy.
In 2021, the bank adopted ambitious short-term objectives for reducing its (Scope 1 and 2) GHG emissions, aligned with the objectives of the Paris Agreement. The bank is focused on improving the measurement of the GHG emissions it generates in all scopes. The bank has also made commitments regarding the composition of its product portfolio (the ratio of “green” financing to carbon-intensive financing, increasing the volume of green financing by 5% a year, and eliminating exposure to the coal-mining sector by 2030).
Key non-financial performance indicators in the area of the environment:
- Reduction in the Bank’s greenhouse gas emissions (Scopes 1 and 2) by 60% by 2025 (base year 2019)
- Elimination of exposure to the coal mining sector by 2030; indicator: the share of financing for the coal and lignite mining sectors in total assets
- Increase in the Bank’s green financing of 5% y/y
- Value of exposure to green financing at least 3 times higher than the value of exposure to high-emission financing for the Bank’s Group (the data relates to the Bank only)
We are aware of the impact of our product portfolio on the climate and of the impact of climate-change risk on that portfolio. The bank has adopted lending policies for the carbon-intensive sector, RES and the chemical, oil and gas industries.
In 2021, the bank conducted a comprehensive gap analysis in relation to selected regulations and guidelines in the area of ESG risk management. The results of the analysis were used to prepare an operational plan for integrating ESG risk with the Bank’s risk management system. The plan is divided into tasks that will be implemented successively and reflected in disclosures under the TCFD (Task Force on Climate-related Financial Disclosures) recommendations. In 2021, we incorporated the management of ESG risks into the risk management strategy of the bank and the Bank’s Group. The bank made a disclosure to CDP Disclosure Insight Action for the second time, using the TCFD recommendations, and, as one of five Polish banks, received a grade for its disclosures in the climate change area.
PKO Bank Polski does not tolerate corruption and counteracts all corrupt practices. Such phenomena as nepotism and accepting or offering any physical goods in order to influence decisions or measures taken are in contradiction with the bank’s values of credibility and trust.
[GRI 205-1] Within the Bank’s Group, including the bank, the risks related to corruption are identified in particular in the individual and business customer service areas, in the supply of goods and services to the entities of the group (including the bank) by external entities, in connection with donations and sponsorship agreements, and in the relations of the group entities’ employees with state administration authorities. These areas receive particular attention, the processes are regulated in detail, and decisions with significant financial consequences are, as a rule, approved through dual acceptance (two-person approval).
[GRI 205-3] In 2021, no cases of corruption were confirmed, as in 2020.
[GRI 102-16] As one of the largest employers in Poland, the bank undertakes to conduct and promote ethical business, build an ethical organizational culture and follow the principles of social responsibility.
The bank adopted the code of ethics in 2022. The code is a set of values, principles, standards of conduct and ethical attitudes; it defines the mutual relations between persons working for the bank and between the bank’s employees and persons performing actions for the bank. The code is directly related to the bank’s organizational culture, supplements that culture and is a tool supporting the popularization and implementation of ethical values at the bank. Under the bank’s working regulations, every employee of the bank is obliged to observe the code of ethics. Initiatives are organized to promote the code of ethics and the bank’s values. In addition, training in ethics and the bank’s values was prepared for all employees.
In accordance with the regulations adopted by the bank concerning the assessment of the suitability of candidates for management board members, the supervisory board takes into account the criteria of reputation, integrity and ethical conduct of candidates for membership of the bank’s management board. If a candidate for a management board member is found not to provide this guarantee, the candidate may not be appointed to the body, or measures may be taken to dismiss a sitting member of the body from his or her position. Similar principles apply in the policy on the assessment of the suitability of members of the bank’s supervisory board.
Prevention of money laundering
In 2018 the bank’s management board adopted a policy for preventing money laundering and financing of terrorism, which applies to all entities of the group. The purpose of this policy is to prevent the use of the group’s products in the activities related to money laundering or financing of terrorism. The policy defines the standards that should be observed by the bank, its subsidiaries and all persons working for them, including permanent and temporary associates, consultants, contractors, external agents and their employees.
The group identifies and verifies customers and beneficial owners, determines the risk of money laundering and financing of terrorism, monitors customers’ transactions and, in the event of identifying circumstances which may indicate money laundering or financing of terrorism or a well-founded suspicion of money laundering, it takes appropriate measures, including putting transactions on hold, blocking the account or freezing the funds.
The bank conducts its banking activities with the support of external entities. It is therefore exposed to operational risk arising from outsourcing of services to other entities. Such risk applies to all stages of outsourcing – from planning through selection of an entity to perform the activities for the bank, conclusion of the outsourcing contract, monitoring the cooperation and ending the cooperation. As part of the operational risk management related to outsourcing, the bank:
- evaluates the contractor at the stage of selecting an external entity, in particular its credibility and financial situation and its ability to ensure continuity of the outsourced activities,
- maintains and regularly updates the records of agreements concluded in the past, including the information about external entities entrusted with a particular task for the bank,
- ensures that the interests of the bank and its customers are appropriately secured in agreements with contractors (incl. data security due to the bank secrecy),
- has contingency plans to ensure continuity of operations that are covered by the outsourcing contract and keeps them up to date,
- evaluates the risk of outsourcing of activities at their planning stage, at the time of every material contractual change and during an annual assessment of operational risk to assess the performance of the outsourcing contract,
- supervises the performance of contracts, reports any irregularities in their execution, and calculates and monitors the key risk indicators (KRIs) that reveal the scale of breaches in cooperation with the external entities,
- performs an annual assessment of cooperation with the outsourcing entities and reports on the results to relevant bodies.
The operational risk management related to outsourcing of activities also takes place at PKO Bank Hipoteczny that – as the bank's wholly-owned subsidiary – applies its best practices for management of such risk. The procedures implemented at PKO Bank Hipoteczny correspond to standards applied at the bank.
Cooperation with suppliers of goods and services
PKO Bank Polski is convinced that responsible management of the supply chain may increase the commitment of suppliers to the concept of sustainable development and corporate social responsibility. This is why the bank requires suppliers to provide declarations about their key activities related to social responsibility, at the time of sending inquiries to potential suppliers of products or services.
PKO Bank Polski adopted a set of ESG metrics and integrated them with the non-financial objectives of the Bank's Capital Group for the following years. The fulfilment of the objectives will be verified using reliable and fully measurable data. The bank updated its Procurement Policy to take ESG principles into account, conducted ESG surveys among all its key suppliers, and in 2022 prepared and implemented the Supplier Code of Ethics, which obliges suppliers and bidders cooperating with the bank to apply the code in procurement procedures.
Suppliers interested in cooperating with the bank may register on a dedicated procurement platform (the so-called PKO Zakupy). The task of the bank's Procurement Department is to supervise the supply of the necessary materials and services of the required quality. In addition to protecting the bank's broader interests, the department oversees compliance of the procurement processes with ethical principles, including the principle of equal treatment of all participating parties. When selecting a supplier, the bank also takes into account non-price criteria such as the supplier's compliance with business ethics, with the aim of building transparent relationships with suppliers. [GRI 414-2] No negative social impact was identified in the supply chain in 2021.
All new suppliers were verified in
Share of overdue invoices in the total value of invoices in 2021: value not preserved in this extract (2020: 0.017%)
The bank builds its supplier relationships on the basis of honesty, transparency of action, mutual respect and professionalism by: honouring the accepted arrangements and obligations, settling payments and other liabilities on time and in accordance with the agreed contractual terms (the standard payment term is 30 days), resolving difficult and conflict situations through dialogue, verifying suppliers on substantive and business grounds, and informing them about standards of conduct. The value of overdue invoices in 2021 constituted a marginal percentage of all invoices paid.
In 2021, the bank renewed the Corporate Certification issued by the Chartered Institute of Procurement and Supply (CIPS), which confirms that the certified organization has implemented the highest procurement standards. It also certifies the bank's compliance with the principles of ethics and global trends in Corporate Social Responsibility (CSR). The certificate is a proof that PKO Bank Polski is a reliable and solid business partner for its customers and suppliers, and that it strives to continuously improve its operating processes. PKO Bank Polski is the only financial institution in Poland and the entire CEE to hold this prestigious certificate.
We make every effort to ensure that the products we offer comply with the applicable provisions of law and market standards. Our efforts focus on ensuring that products are adequate to customer needs, while the form of a purchase offer is adequate to the product's nature. Before concluding an agreement, we provide reliable, transparent and comprehensive information to our customers about the product, in particular regarding the risks and benefits resulting from the purchase and all costs related to the conclusion, performance and possible early termination of the agreement.
The bank manages the risk of product mis-selling at the stage of each product's creation and introduction and then at the stage of offering the product to customers. Every product is subject to a pre-implementation analysis of the risks it generates and to identification of its target customer groups. The bank also identifies the groups of customers to whom a given product should not be offered because it is inadequate to their needs or for other reasons (the so-called anti-groups). Where anti-groups have been identified, control mechanisms are implemented to mitigate the risk of mis-selling. Such risk is also mitigated by an additional assessment of product adequacy carried out directly before offering the product to the customer. This approach enables us to eliminate cases such as selling unemployment insurance to pensioners or long-term investment products to elderly customers. Additionally, the Bank always provides reliable and exhaustive information to Customers about the products offered so that they can make an informed choice.
Procedures for processing complaints
Any irregularities reported by the bank's customers, in particular in the form of complaints, are considered within the timeframes specified by the applicable provisions of law. Depending on the findings, the bank takes steps to eliminate the irregularities, prevent their recurrence and improve the quality of its services. Similar solutions for managing the risk of product mis-selling (while respecting the principle of proportionality) are also in place at other entities of the group that are involved in the creation or sale of financial products.
Complaints received by entities of the group handled within 14 days: 2021 value not preserved in this extract (2020: 80%). Complaints fully or partly settled in the customer's favour: 2021 value not preserved in this extract (2020: 58%).
Complaints are handled on two lines: (1) on the first line, the responsible bank units review, in accordance with their tasks, customers' first-time complaints and reports concerning personal data violations received from the President of the Personal Data Protection Office; (2) the second line is the Customer Ombudsman and the associated Office of the Ombudsman, which consider customer appeals against the bank's first-line decisions, as well as reports filed by the PFSA or by external institutions vested with the protection of customer rights. The solution proposed by the Ombudsman is the bank's final position in a given matter.
In our dialogue with customers regarding the offered products, customer satisfaction surveys are conducted in the bank for two main segments: retail and corporate. All complaints or appeals are dealt with promptly and thoroughly, with due care and diligence. While considering complaints, the bank applies its Code of Ethics, the Code of Banking Ethics (Principles of good banking practice) by the Association of Polish Banks and the highest standards for customer service. The processing of complaints or appeals involves analysing and assessing their validity, taking appropriate steps to eliminate any irregularities and providing a comprehensive response to customer.
In 2021, internal relational surveys of Personal Banking Customers and SME Customers were carried out for the first time.
The most important threat to the security of the group's customers, as identified by the bank and by PKO Towarzystwo Funduszy Inwestycyjnych, is the potential criminal activity of third parties targeting customers who access banking and investment services through electronic channels. For this reason, we deploy the latest ICT security solutions, which guarantee secure access to the funds held by our customers. The bank constantly improves the security of its IT systems, in particular the security of applications used by customers. We actively combat phishing websites that impersonate the bank's websites, track the development of malware attacking customer devices, develop mechanisms for detecting infected devices, improve the existing rules and extend the scope of monitoring of electronic transactions.
The initiatives aimed at ensuring a stable and secure infrastructure made it possible to achieve very high reliability indicators for the operation of the IT infrastructure.
The bank attaches great importance to providing security information to customers and raising their awareness of the safe use of electronic banking services and payment cards, given that security in this respect depends to a large extent on the user's own actions. These activities include mass educational campaigns, ongoing responses and explanations to customer enquiries, publication of the bank's positions regarding fraudulent e-mails, and distribution of information about secure logging in and the principles of safe use of electronic banking.
This concerns, among other things, actively combating phishing websites impersonating the Bank's websites; identifying criminals' intentions and capabilities, taking into account their tactics, techniques and procedures (standardization and structuring of threat information within a single data model); tracking the development of malware attacking the Bank's Customers; developing mechanisms for detecting infected Customers' computers; and improving the rules and extending the scope of monitoring of electronic transactions.
CERT of PKO Bank Polski
The high level of organizational maturity in handling cybersecurity incidents is particularly important in the light of the PFSA's 2018 decision to recognize PKO Bank Polski as an operator of key services as defined in the Act on the National Cybersecurity System. The specialist CERT unit operating within the bank's structures executes the IT security strategy for the services the bank provides. The CERT of PKO Bank Polski is a member of the global Forum of Incident Response and Security Teams (FIRST). It also belongs to the task force of European incident response teams (TERENA TF-CSIRT) and the associated Trusted Introducer organization. Membership in these international organizations enables the bank's CERT team to respond faster and more effectively to cybersecurity threats, thanks to operational collaboration between the organizations and the exchange of experience and knowledge with similar entities throughout the world. Our membership also confirms the high quality of the services rendered and recognizes the professionalism and skills involved in ensuring IT security at the bank. In addition, the bank's representatives participate in the work of the domestic Banking Cybersecurity Centre (BCC) operating within the Association of Polish Banks.
In 2021, the Bank completed the CyberSecurity Operations Center project, as part of which the processes of the Cybersecurity Department were streamlined and a strategy was drawn up for providing services to the Group companies. Moreover, as part of the project a SOAR class system was implemented, which allows security incident handling to be automated.
Unauthorized access to customer information
The risk of unauthorized access to customer information is managed according to the Security Policy of PKO Bank Polski. The principles for ensuring the security of protected information regulate issues such as the confidentiality of information and the maintenance of banking secrecy, as well as personal data security, including the liability of the bank's employees for personal data protection. In accordance with these principles, access to protected information at the bank is given to employees only within the scope of their corporate tasks and duties. Each employee undergoes training on the security of protected information before starting to process such information. A non-disclosure agreement is signed between the parties whenever materials containing protected information are provided to external entities. In compliance with the General Data Protection Regulation (GDPR), personal data breaches that pose a risk to the rights and freedoms of individuals are reported to the President of the Personal Data Protection Office (UODO).
Each of the other entities in the group that processes personal data and is required to adopt appropriate regulations has such regulations in place and applies them in practice. For the purpose of managing security at the group level, a number of strategic companies have been identified. They have been required to sign agreements introducing security standards that address the following issues: personal data protection, business continuity management, ICT security, counteracting money laundering, security incident management, principles of outsourcing and security reporting. The group also has a dedicated policy in place for counteracting money laundering.
There are also policies in place that require notifying customers of any violations of the security of their data, which is collected in accordance with the applicable legal requirements (including the principle of data minimization). Customers receive unambiguous and clear information about their rights to access, change, withdraw, supplement and update their data. Steps for ensuring data security are taken with the participation of the bank's Management Board and implemented in line with the best policies and system security solutions. Such solutions are subject to constant evaluation, auditing and improvement in accordance with best market practices.
[GRI 417-1] The PKO Bank Polski Group fulfils the requirements for the correct labelling of deposit, investment, loan and insurance products by providing customers with all the necessary information about those products, in particular at the pre-contract phase. The scope of the information provided is defined by the applicable provisions of law and the PFSA's recommendations. The highest level of protection is granted to retail customers, while the scope of information passed on to financial institutions and other professional recipients of financial products and services is correspondingly narrower.
PKO Bank Polski operates in accordance with internal regulations on the principles for conducting marketing activities, which define the features of an appropriate advertising message and list undesirable marketing actions. The bank implements mechanisms that prevent the creation of unethical or unreliable messages in its marketing activities. The correctness of communications is consulted each time with the units responsible for verifying the compliance of messages with generally applicable laws. The ethical principles in marketing and the adopted mechanisms for preventing the risk of unethical communications also apply to promotional materials prepared by external entities (advertising agencies, event agencies) at the bank's request. [GRI 417-3] No incidents of non-compliance concerning marketing communications were identified in 2021.
In addition to the internal regulations for its marketing communications, the bank follows the Code of Banking Ethics (Principles of good banking practice) by the Association of Polish Banks, the Good Practices in consumer credit advertising standards developed in cooperation between the Association of Polish Banks, the Conference of Financial Enterprises and the Association of Lending Companies, the PFSA's Principles of advertising banking services and the Canon of good financial market practices prepared by entities in the financial and insurance sectors.
According to Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector (Sustainable Finance Disclosure Regulation), in 2021 PKO TFI S.A. and the Bank’s Brokerage Office published their strategies for integrating sustainability risks and considering adverse impacts in their investment decision-making processes.
According to article 8 of Regulation (EU) 2020/852 of the European Parliament and of the Council and Commission Delegated Regulation (EU) 2021/2178 (Article 10), the Bank’s Group is obliged to disclose its indicators for 2021 as regards two objectives of the taxonomy for sustainable activities: climate change adaptation and climate change mitigation.
Since the taxonomy for sustainable activities is still being developed (some of the delegated acts have not yet been adopted) and the disclosures of non-financial enterprises on the compliance of their activities with the taxonomy are very limited, the Bank's Group has only just begun working on incorporating the criteria of compliance with the taxonomy into its business strategies, the setting of objectives, product development processes and the principles of cooperation with its customers and counterparties.