[GRI 102-11] In accordance with its risk management strategy, the bank oversees the risk management systems of the other entities of the group. It also supports their development and takes into account the operational risk profiles of the individual entities in order to monitor and report risk at the group level. The bank's Management Board is responsible for ensuring that the risk management system functions effectively. It regularly monitors whether the system adequately reflects the size and the risk profile of the group and its external environment. An assessment of risk materiality is conducted at least once a year. The following risks are considered material at the bank: credit risk, the risk of foreign-currency household mortgage loans, forex risk, interest rate risk, liquidity risk, operational risk, business risk, model risk and the risk of macroeconomic changes. We also review the social and environmental risks identified in the group.
We make every effort to ensure that the products we offer comply with the applicable provisions of law and market standards. Our efforts focus on ensuring that products are adequate to customer needs, while the form of a purchase offer is adequate to the product's nature. Before concluding an agreement, we provide reliable, transparent and comprehensive information to our customers about the product, in particular regarding the risks and benefits resulting from the purchase and all costs related to the conclusion, performance and possible early termination of the agreement.
The bank manages the risk of product misselling at the stage of each product's creation and introduction and then at the stage of offering the product to customers. Every product is subject to a pre-implementation analysis of the risks it generates and to identification of its target customer groups. The bank also identifies the groups of customers that should not be offered a given product because it is inadequate to their needs or for other reasons (the so-called anti-groups). Where anti-groups have been identified, control mechanisms are implemented to mitigate the risk of product misselling. Such risk is also mitigated by an additional assessment of product adequacy directly before the product is offered to a customer. This approach enables us to eliminate cases such as selling unemployment insurance to pensioners or long-term investment products to elderly customers.
[GRI 417-2] In 2020, the bank was a party to three administrative proceedings conducted by the Office of Competition and Consumer Protection (UOKiK) in previous years, which are discussed in Note 48: Legal claims, in the Consolidated Financial Statements for 2020. The bank is a party to the proceedings initiated by the UOKiK's President regarding anti-competitive practices on the market of card payments in Poland and a party to court proceedings concerning mortgage loans in convertible currencies and reimbursement of commission in the event of an early loan repayment. None of the other entities of the group had pending administrative proceedings in the course of 2020 but two entities participated in explanatory proceedings and exchanged correspondence concerning the action taken by the UOKiK's President.
Procedures for processing complaints
Any irregularities reported by the bank's customers, in particular in the form of complaints, are considered within timeframes specified by the existing provisions of law. Depending on the results of the findings, the bank takes steps to eliminate irregularities, prevent their future occurrence and improve the quality of its services. Similar solutions to manage the risk of product misselling (while respecting the principle of proportionality) are also in place at other entities of the group that are involved in financial product creation or sales.
[Infographic: share of complaints received by entities of the group handled within 14 days (2019: 86%); share of complaints fully or partly settled in the customer's favour; share of customers rating the bank's performance during COVID-19 as good or very good. The 2020 values are not present in the extracted text.]
The handling of complaints is conducted on two lines: (1) on the first line, the responsible bank units review first-time customer complaints in accordance with their tasks, as well as reports of personal data violations received from the President of the Personal Data Protection Office; (2) on the second line, the Customer Ombudsman and the associated Office of the Ombudsman consider customers' appeals against the bank's first-line decisions, as well as reports filed by the PFSA or other external institutions vested with the protection of customer rights. The solution proposed by the Ombudsman is the bank's final position in a given matter.
In our dialogue with customers regarding the offered products, the bank conducts customer satisfaction surveys for two main segments: retail and corporate. All complaints and appeals are dealt with promptly and thoroughly, with due care and diligence. While considering complaints, the bank applies its Code of Ethics, the Code of Banking Ethics (Principles of good banking practice) of the Association of Polish Banks and the highest standards of customer service. The processing of complaints and appeals involves analysing and assessing their validity, taking appropriate steps to eliminate any irregularities and providing a comprehensive response to the customer.
[GRI 417-1] The PKO Bank Polski Group fulfils the requirements for correct labelling of the deposit, investment, loan and insurance products by providing customers with all necessary information about those products, in particular at the pre-contract phase. The scope of the provided information is covered under the applicable provisions of law and PFSA's recommendations. The highest level of protection is granted to the retail customers, while the scope of information passed onto the financial institutions and other professional recipients of financial products and services is respectively narrower.
PKO Bank Polski operates in accordance with internal regulations on the principles for conducting marketing activities, which define the features of an appropriate advertising message and list undesirable marketing actions. The bank implements mechanisms that prevent the creation of unethical or unreliable messages in its marketing activities. The correctness of communication is consulted each time with the units responsible for verifying the compliance of messages with generally applicable law. The ethical principles in marketing and the adopted mechanisms for preventing the risk of unethical communication also apply to promotional materials prepared by external entities (advertising agencies, event agencies) at the bank's request. [GRI 417-3] No incidents of non-compliance concerning marketing communications were identified in 2020.
In addition to the internal regulations for its marketing communications, the bank follows the Code of Banking Ethics (Principles of good banking practice) by the Association of Polish Banks, the Good Practices in consumer credit advertising standards developed in cooperation between the Association of Polish Banks, the Conference of Financial Enterprises and the Association of Lending Companies, the PFSA's Principles of advertising banking services and the Canon of good financial market practices prepared by entities in the financial and insurance sectors.
The most important threat to the security of the group's customers, as identified by the bank and by PKO Towarzystwo Funduszy Inwestycyjnych, is the potential criminal activity of third parties targeting customers who access banking and investment services through electronic channels. For this reason, we deploy current ICT security solutions to protect access to the funds held by our customers. The bank constantly improves the security of its IT systems, in particular the security of the applications used by customers. We actively combat phishing websites that impersonate the bank's websites, track the development of malware attacking customer devices, develop mechanisms for detecting infected devices, improve the existing rules and extend the scope of monitoring of electronic transactions.
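The paragraph above mentions combating phishing websites that impersonate the bank's websites. The following is an added example of how such lookalike domains are typically triaged; it is not the bank's code and does not describe the bank's actual tooling. It assumes a hypothetical protected brand domain (examplebank.pl) and a constructed feed of candidate hostnames standing in for what a team would pull from newly registered domain lists or Certificate Transparency logs. Each label is reduced to a "skeleton" (IDN decoded, diacritics stripped, common Latin/Cyrillic/Greek confusables and digit-for-letter swaps folded), then compared with the brand label by exact match, containment and Damerau-Levenshtein distance.

```python
"""Lookalike-domain triage for a bank brand (added example, not the bank's code).

Assumptions (not from the report): the protected brand is examplebank.pl and the
candidate feed below is constructed by hand for illustration.
"""
import unicodedata
from typing import Dict, List, Optional

BRAND_DOMAIN = "examplebank.pl"            # hypothetical protected domain
BRAND_LABEL = BRAND_DOMAIN.split(".")[0]

# Minimal confusable map: Cyrillic and Greek homoglyphs plus digit/symbol swaps.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
})

def skeleton(label: str) -> str:
    """Canonical form of a DNS label so that homoglyph variants collide."""
    decoded = label
    if label.startswith("xn--"):                 # IDN label in punycode form
        try:
            decoded = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    nfkd = unicodedata.normalize("NFKD", decoded.lower())
    stripped = "".join(c for c in nfkd if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES).replace("-", "")

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance (insert, delete, substitute, adjacent swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(hostname: str, brand_domain: str = BRAND_DOMAIN) -> Optional[str]:
    """Return a reason if hostname looks like an impersonation of the brand, else None."""
    host = hostname.lower().rstrip(".")
    if host == brand_domain or host.endswith("." + brand_domain):
        return None                              # the brand's own domain or a subdomain
    brand_label = brand_domain.split(".")[0]
    brand_skel = skeleton(brand_label)
    for label in host.split(".")[:-1]:           # skip the public suffix label
        if label == brand_label:
            return "exact brand label outside the brand domain"
        skel = skeleton(label)
        if skel == brand_skel:
            return "homoglyph/confusable of brand label"
        if brand_skel in skel:
            return "brand label embedded in label"     # e.g. examplebank-login
        dist = damerau_levenshtein(skel, brand_skel)
        if 0 < dist <= 2 and len(skel) >= 5:
            return f"typosquat (edit distance {dist})"
    return None

def triage(feed: List[str]) -> Dict[str, str]:
    """Map each suspicious hostname in the feed to the reason it was flagged."""
    hits = {}
    for host in feed:
        reason = classify(host)
        if reason:
            hits[host] = reason
    return hits

# Constructed sample feed (not real observations); one entry is the punycode form
# of the brand label with a Cyrillic "a" (U+0430) in place of the Latin one.
PUNYCODE_SAMPLE = "ex\u0430mplebank".encode("idna").decode("ascii") + ".pl"
SAMPLE_FEED = [
    "examplebank.pl", "login.examplebank.pl", "othershop.pl",
    "examp1ebank.pl", "ex\u0430mplebank.pl", PUNYCODE_SAMPLE,
    "examplebank-login.com", "exampelbank.pl", "examplebank.com",
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_FEED).items():
        print(f"{host:40s} {reason}")
```

In practice the flagged hostnames feed a takedown or blocklist workflow; the skeleton step is what catches IDN homographs that a plain string comparison misses, and the length floor on the typosquat rule keeps short unrelated labels from being flagged on distance alone.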
The bank attaches great importance to providing security information to customers and raising their awareness of the safe use of electronic banking services and payment cards, given that security in this respect depends to a large extent on the user's own actions. These activities include mass educational campaigns, ongoing responses and explanations to customer enquiries, publication of the bank's positions regarding fraudulent e-mails, and distribution of information about secure logging in and best practices for using electronic banking.
CERT of PKO Bank Polski
A high level of organizational maturity in handling cybersecurity incidents is particularly important in the light of the PFSA's decision in 2018 to designate PKO Bank Polski as an operator of essential services (operator usługi kluczowej) as defined in the Act on the National Cybersecurity System. The specialist CERT unit operating within the bank's structures executes the IT security strategy for the services that the bank provides. The CERT of PKO Bank Polski is a member of the global Forum of Incident Response and Security Teams (FIRST). It also belongs to TF-CSIRT, the European task force of computer security incident response teams (established under TERENA, now part of GÉANT), and to the associated Trusted Introducer service. Membership in these international organizations enables the bank's CERT team to respond faster and more effectively to cybersecurity threats through operational collaboration and the exchange of experience and knowledge with similar teams throughout the world. Our membership also confirms the quality of the services rendered and recognizes the professionalism and skills involved in ensuring IT security at the bank. In addition, the bank's representatives engage in the work of the domestic Banking Cybersecurity Centre (BCC) operating within the Association of Polish Banks.
As part of the cooperation for the exchange of information related to threats, in 2020 the bank used information on malware, incidents and phishing attacks, in particular data on new threats from the Computer Incident Response Center Luxembourg (CIRCL) and the NATO Industry Cyber Partnership (NICP), of which PKO Bank Polski is the only member bank from Poland.
The risk of unauthorized access to customer information is managed according to the Security Policy of PKO Bank Polski. The principles for ensuring the security of protected information regulate matters such as the confidentiality of information and maintenance of banking secrecy, and personal data security, including the liability of the bank's employees for personal data protection. In accordance with these principles, access to protected information at the bank is granted to employees only within the scope of their corporate tasks and duties. Each employee undergoes training on the security of protected information before starting to process such information. A non-disclosure agreement is signed with any external entity to which materials containing protected information are provided. In compliance with the General Data Protection Regulation (GDPR), personal data breaches that are likely to result in a risk to the rights and freedoms of natural persons are reported to the President of the Personal Data Protection Office (UODO); under Article 33 of the GDPR such notification is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Each of the other entities in the group that processes personal data and is required to adopt appropriate regulations, has such regulations in place and applies them in practice. In managing security at the group level, a number of strategic companies have been identified. They have been required to sign agreements introducing the security standards that address the following issues: personal data protection, business continuity management, ICT security, counteracting money laundering, security incident management, principles of outsourcing and security reporting. The group also has a policy in place specifically for counteracting money laundering.
There are also policies in place that require notifying customers about any violation of the security of their data, which is collected in accordance with the applicable legal requirements (including the principle of data minimization). Customers receive clear and unambiguous information about their rights to access, change, withdraw, supplement and update their data. Steps to ensure data security are taken with the participation of the bank's Management Board and implemented in line with best-practice policies and system security solutions. Such solutions are subject to constant evaluation, auditing and improvement in accordance with best market practice.
The bank conducts its banking activities with the support of external entities. It is therefore exposed to operational risk arising from outsourcing of services to other entities. Such risk applies to all stages of outsourcing – from planning through selection of an entity to perform the activities for the bank, conclusion of the outsourcing contract, monitoring the cooperation and ending the cooperation. As part of the operational risk management related to outsourcing, the bank:
- evaluates the contractor at the stage of selecting an external entity, in particular its credibility and financial situation and its ability to ensure continuity of the outsourced services,
- maintains and regularly updates the records of agreements concluded in the past, including the information about external entities entrusted with a particular task for the bank,
- ensures that the interests of the bank and its customers are appropriately secured in agreements with contractors (incl. data security due to the bank secrecy),
- has contingency plans to ensure continuity of operations that are covered by the outsourcing contract and keeps them up to date,
- evaluates the risk of outsourcing of activities at their planning stage, at the time of every material contractual change and during an annual assessment of operational risk to assess the performance of the outsourcing contract,
- supervises the performance of contracts, reports any irregularities in their execution, and calculates and monitors the key risk indicators (KRIs) that reveal the scale of breaches in cooperation with the external entities,
- performs an annual assessment of cooperation with the outsourcing entities and reports on the results to relevant bodies.
The operational risk management related to outsourcing of activities also takes place at PKO Bank Hipoteczny that – as the bank's wholly-owned subsidiary – applies its best practices for management of such risk. The procedures implemented at PKO Bank Hipoteczny correspond to standards applied at the bank.
Cooperation with suppliers of goods and services
PKO Bank Polski is convinced that responsible management of the supply chain may increase the commitment of suppliers to the concept of sustainable development and corporate social responsibility. This is why the bank requires suppliers to provide declarations about their key activities related to social responsibility, at the time of sending inquiries to potential suppliers of products or services.
Suppliers interested in cooperating with the bank may register on a dedicated procurement platform (the so-called PKO Zakupy). The task of the bank's Procurement Department is to supervise the supply of necessary materials and services of the required quality. In addition to protecting the bank's broader interests, the department oversees compliance of the procurement processes with ethical principles, including the principle of equal treatment of all participating parties. When selecting a supplier, the bank also takes into account non-price criteria such as the supplier's compliance with business ethics, with the aim of building transparent relationships with suppliers. [GRI 414-2] No negative social impact was identified in the supply chain in 2020.
[Infographic: "All new suppliers were verified in" (sentence cut off in the extracted text); share of overdue invoices in total invoice value. The 2020 values are not present in the extracted text.]
The bank builds its supplier relationships on the basis of honesty, transparency of action, mutual respect and professionalism by: honouring the accepted arrangements and obligations, settling payments and other liabilities on time and in accordance with the agreed contractual terms (the standard payment term is 30 days), resolving difficult and conflict situations through dialogue, verifying suppliers on substantive and business grounds, and informing them about standards of conduct. The value of overdue invoices in 2020 constituted a marginal percentage of all invoices paid and declined significantly at the group level.
In February 2021, the bank renewed the Corporate Certification issued by the Chartered Institute of Procurement and Supply (CIPS), which confirms that the certified organization has implemented the highest procurement standards. It also certifies the bank's compliance with the principles of ethics and global trends in Corporate Social Responsibility (CSR). The certificate is a proof that PKO Bank Polski is a reliable and solid business partner for its customers and suppliers, and that it strives to continuously improve its operating processes. PKO Bank Polski is the only financial institution in Poland and the entire CEE to hold this prestigious certificate.
Certain types of business activity create a significant negative socio-environmental impact through the effect they exert on the natural environment or on society at large (employees, customers or local residents). Examples of industries characterized by such negative impact include the tobacco, alcohol, gambling, fuel, mining and arms industries. Financing the operations of entities in those sectors requires identifying the various types of environmental and social risk and managing them from the initial stage of project preparation and financing.
In its credit assessment process, the bank takes into account the impact of the particular business activities on the environment, in compliance with the formal regulations on environmental permits and geo-environmental conditions. In the process of assessing the business model of borrowers and identifying specific risks, we take into account the principles of sustainable business development and the benefits of a given project for the local community and natural environment. The group's extended environmental policy is included in the policy for financing activities of the business and public entities.
Based on the assessment of the sectoral economic outlook, the bank creates a list of industries subject to sectoral limits and sets their nominal limits in the overall loan portfolio structure by industry. The bank does not have any capital exposure (shares) to entities operating in the carbon-intensive energy sector. When granting or reviewing its financing, the bank analyses the impact of climate change risk, as well as the related legal and regulatory changes on each entity’s ability to service debt. A synthetic measure of creditworthiness is a customer's internal rating, which reflects (among others) the exposure to climate change risk. The bank performs stress tests for deterioration of the risk profile of the entire loan portfolio subject to various types of risks.
As the biggest bank in Poland and one that sets trends for innovative banking products, we recognize the impact of our business activities on local communities and the environment. We are aware of our corporate responsibility for complying with the obligations that result from the Paris Agreement. This is why in 2019 we signed the Ecological Responsibility Charter of Polish Entrepreneurs and Employers, in which we committed ourselves to working towards the principles of climate neutrality and the circular economy.
We want to achieve our business objectives while keeping the impact of the bank's operating and product activities on climate change at the lowest possible level. In 2020, we conducted the first attempt to identify the main risk factors for the bank associated with climate change. We identified the transmission channels of climate risks into traditional risks, which are already managed by the bank. We also made an assessment of the different sectors of the economy that are most exposed to climate risks. The results of those analyses will be used to develop a comprehensive climate risk management system at the bank.
We also disclosed information as part of the global initiative CDP Disclosure Insight Action for the first time in 2020 and presented a preliminary assessment of risks and opportunities resulting from climate change, in line with the classification by TCFD (Task Force on Climate-related Financial Disclosures). The opportunities identified by the bank include the new possibilities for financing low emission products and services, and the financing of energy transition. In terms of risks, we distinguished:
- regulatory risk associated with the prices of emission rights and extension of the ETS system to other sectors,
- regulatory risk associated with the extension of the scope of reported emissions and making the reporting of greenhouse gas emissions obligatory rather than voluntary across the supply and value chain,
- risk associated with the financing of investment projects that use new eco-friendly technologies that may not succeed on the market,
- risk of an increase in the frequency and severity of unusual weather conditions.