Compliance risk is defined as the risk of legal sanctions, incurring financial losses or losing reputation or reliability due to failure of the Group, its employees or entities acting on its behalf to comply with the provisions of the law, internal regulations, standards adopted by the Group, including ethical standards.
The objective of compliance risk management is to ensure the Group’s compliance with law and adopted standards and the Bank’s acting as a entity that is reliable, fair and honest, through mitigating compliance risk, reputation risk or risk of the Group’s credibility and mitigating the risk of occurring financial losses or legal sanction risk resulting from breach of regulations and ethical standards.
Appropriate organisational units or designated employees are responsible for finding systemic solutions in the area of ensuring the Group’s entities comply with the binding regulations and operating standards. Compliance Department is responsible for finding such solutions, development of the method for evaluation, monitoring and reporting compliance risk. The Compliance Department is a unit which was granted independence and which reports directly to the President of the Bank’s Management Board.
The rules concerning the process of compliance risk management adopted by all Group entities are inherent within the PKO Bank Polski SA Group.
Compliance risk management involves in particular:
- preventing involvement of the Group in illegal activities,
- ensuring data protection,
- development of ethical standards and monitoring of their application,
- conflict of interest management,
- preventing situations where the Group’s employees could be perceived as pursuing their own interest in the professional context,
- professional, fair and transparent formulation of product offers, advertising and marketing messages,
- prompt, fair and professional consideration of complaints, requests and quality claims of clients.
In order to identify and assess compliance risk, information on cases of non-compliance and their origins is being used, including information based on internal audits results, functional control and external controls.
Identification and assessment of compliance risk is mainly based on:
- estimating the most probable number of typical cases of non-compliance arising during the year,
- estimating the severity of the potential cases of non-compliance,
- assessing the existence of any additional factors of compliance risk.
While performing an assessment a character and potential losses are defined together with methods of reducing or eliminating compliance risk. Assessment is held through workshops.
Monitoring of compliance risk is conducted with the use of information submitted by the Companies and consists of:
- the analysis of non-compliance events in the Group and in banking sector, the reasons for their occurrence and their effects,
- the assessment of amendments in key legal regulations which have an impact on the Bank’s and the Group’s activity,
- the assessment of actions taken by the Group in respect of managing compliance risk.
Reporting of information concerning compliance risk includes both the Bank, and Group’s entities. Reports prepared quarterly contain information, including cases of non-compliance, passed by the Group’s entities. Reports are addressed to the Bank’s Management Board, the Bank’s Supervisory Board, and the Supervisory Board’s Audit Committee. Reports contain among others:
- the results of identifying and assessing compliance risk,
- the non-compliance events,
- the key amendments in regulatory environment.
The Group has adopted a zero tolerance policy against compliance risk, which means that the Group focuses its actions towards eliminating this risk.