65. Compliance risk management

Compliance risk is defined as the risk of legal sanctions, incurring financial losses or losing reputation or reliability due to failure of the Group, its employees or entities acting on its behalf to comply with the provisions of the law, internal regulations, standards adopted by the Group, including market standards.

The objective of the compliance risk management is ensuring the Group proper application the provisions of the law, adopted market standards and functioning the Bank as a reliable, fair and honest institution through elimination compliance risk, preventing the possibility of losing reputation or reliability of the Group and preventing the risk of occurring financial losses or legal sanction risk, which may result from breach of regulations and standards of conduct.

Appropriate organisational units or designated employees are responsible for finding systemic solutions in the area of ensuring the Group entities compliance with the binding regulations and market standards. Compliance Department is responsible for finding such solutions and development of the methods for evaluation, monitoring and reporting the Bank’s compliance risk. The Compliance Department is a unit which was granted independence and which, in the area of compliance risk management, reports directly to the President of the Bank’s Management Board.

In all entities in the PKO Bank Polski SA Group consistent principles of compliance risk management exist.

Compliance risk management involves in particular the following:

  • preventing involvement of the Group in illegal activities,
  • ensuring data protection,
  • development of ethical standards and monitoring of their application,
  • conflict of interest management,
  • preventing situations where the Group’s employees could be perceived as pursuing their own interest in the professional context,
  • professional, fair and transparent formulation of product offers, advertising and marketing messages,
  • prompt, fair and professional consideration of complaints, requests and quality claims of clients.

To identify the compliance risks, information on cases of non-compliance and the reasons for their occurrence, including information as a result of an internal audit, a functional internal control and external controls is used.

Identification and assessment of compliance risk is based mainly on:

  • estimation of the severity of possible cases of non-compliance,
  • assessment of the presence of additional factors of risk of compliance with the law.

Making the assessment, a character and potential losses scale are determined, and the way in which the compliance risk can be reduced or eliminated is indicated. Assessment is carried out in the form of workshops.

65.1 Monitoring of compliance risk

Monitoring of compliance risk is carried out with the use of the information provided by the Companies and consists of:

  • analysis of cases of non-compliance in the Group and banking sector, their origins and effects caused,
  • the assessment of the changes in the key provisions of the law affecting the Bank's and the Group’s operations,
  • the assessment of the activities taken by the Group in its compliance risk management.

The Group prepares reports concerning compliance risk of both the Bank and the Group entities on a quarterly basis. The reports include information provided by the Group entities, including these concerning the cases of non-compliance. The reports are addressed to the Management Board, the Supervisory Board and the Risk Committee of the Supervisory Board. The reports include information i.a. on:

  • the results of identification and assessment of compliance risk,
  • the observed cases of non-compliance ,
  • the most significant changes in the regulatory environment of the Bank,
  • the most significant activities undertaken as regards to system-based compliance risk management.

The Group has adopted a zero tolerance policy against compliance risk, which means that the Group focuses its actions on eliminating this risk.