Corporate Risk Management and Internal Controls Policy


Review History

Version 01 (04/20/2017): Preparation of the document. This policy replaces the former PLT_007 Corporate Risk Management.

Version 02 (02/20/2018): Title changed from “Integrated Management of Corporate Risks, Internal Controls and Compliance” to “Corporate Risk Management and Internal Controls”; updating of the entire policy in line with Cielo’s current practices.

Version 03 (02/19/2020): Inclusion of Servinet Serviços Ltda, Aliança Pagamentos e Participações Ltda and Stelo S.A. in the scope of this Policy. Inclusion of guidelines 1.4 of internal controls, 3.5 and 3.6 of operational risk, 5.1 and 5.2 of strategic risk, 6.1 and 6.2 of reputational risk. Inclusion of item 8 on the risk of money laundering and terrorism financing and item 9 on compliance risk. Textual revision of guidelines 1.1, 1.3, 1.5, 2.1, 2.3, 2.4, 2.5, 3.1, 3.5, 3.6, 4.1, 4.2, 5.6 and 6.4. Review of the responsibilities item.

Version 04 (02/25/2021): Adjustments to the wording of the following items: Purpose (I), Scope (II), Guidelines (III), Responsibilities (V), Supplementary Documentation (VI) and Concepts and Acronyms (VII). Relevant adjustments to the following items: Guidelines (III): inclusion of guideline 1 on risk appetite management; addition of non-financial risks to guideline 4; addition of the guidelines and responsibilities present in the Credit, Liquidity and Market Risk Management Policy. Responsibilities (V): inclusion of new responsibilities for the Risk, Compliance, Prevention and Security Board. Supplementary Documentation (VI): inclusion of the Anti-Corruption Policy and removal of the Credit, Liquidity and Market Risk Management Policy. Concepts and Acronyms (VII): inclusion of the definitions: risk committee; non-financial risks; default; liquidity contingency plan; financial reserve; emerging risks and opportunities; credit risk; liquidity risk; market risk; controls system; affiliated companies; subsidiaries; sub-accreditor; and deferred sales.

Version 05 (04/08/2022): Update of items: I. Purpose, II. Scope, III. Guidelines sub-items 1, 1.2, 1.3, 2, 2.1, 2.2, 3, 3.1, 3.2, 3.3, 4, 4.1, 5.6, 6.5, 6.6, 6.7, 6.8, 6.9, 7.4, 8.8, 10.1, 11.1, 12.1, 13, 13.1, 14, 14.1, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation, VIII. Concepts and Acronyms and IX. General Provisions.

Version 06 (03/29/2023): Update of items: I. Purpose, II. Scope, III. Guidelines sub-items 1.1, 1.3, 1.4, 2.1, 2.2, 3.1, 3.2, 3.3, 3.4, 4.1, 5.1, 5.2, 5.3, 5.6, 6.1, 6.5, 6.6, 6.8, 7.1, 7.4, 8.1, 8.4, 8.5, 8.8, 9.1, 13, 13.1, 14, 14.1, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation, VIII. Concepts and Acronyms.

Version 07 (03/27/2024): Reordering of topics in item III. Guidelines and update of items: II. Scope, III. Guidelines sub-items 1.1, 1.3, 1.5, 2, 2.1, 3.2, 3.5, 4.2, 4.3, 5.6, 7.3, 7.4, 9.1.1, 16, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation and VIII. Concepts and Acronyms.

I. Purpose

Establish the main guidelines related to corporate risk management and internal controls, in compliance with applicable regulations and good market practices, in order to protect and perpetuate business and preserve the value and liquidity of the electronic currencies issued.

II. Scope

All members of the Board of Directors, Advisory Committees and Executive Board (“Officers”); members of the Fiscal Council; employees, including contractors, interns and young apprentices (“employees”) of the companies Cielo S.A. – Instituição de Pagamento (“Cielo”), Servinet Serviços Ltda. and Stelo S.A., hereinafter jointly referred to as “Company”.

All the Company’s Subsidiaries must define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

With respect to the Affiliates, the Company’s representatives who act in managing its Affiliates must make every effort to define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

III. Guidelines

1. Regarding corporate risk management, the Company:

1.1. Conducts an annual review of its risk appetite statement, with the flexibility to do so extraordinarily when necessary. This review encompasses an evaluation of the metrics utilized to define the established limits, alongside the meticulous monitoring and reporting of risk appetite and tolerance indicators to the Risk Management Governance bodies.

1.2. Conducts an annual review of its corporate risk inventory, with the flexibility to do so extraordinarily when necessary. This review takes into account internal and external factors that could impede the achievement of strategic objectives.

1.3. Conducts an annual assessment of corporate risks, with the flexibility to do so extraordinarily when necessary, and, at a minimum every six months, an assessment focused on the risks deemed most pertinent to the Company in terms of probability and potential impact. This approach keeps the risk inventory up to date, including the identification of previously unaddressed risks that may have emerged.

1.4. Seeks the continuous improvement of its practices and respective actions related to the identification, measurement and evaluation, monitoring, mitigation and reporting of corporate risks.

1.5. Promotes risk management awareness.

2. Regarding items 3, 4, 5, 7, and market risk management, the Company:

2.1. Employs an internal methodology rooted in models and reputable market practices (“methodology”), which serves as a framework for (a) identifying, (b) evaluating and measuring, (c) mitigating, (d) monitoring, and (e) reporting on the risks and opportunities encountered by the Company. Such reporting may be for informative or deliberative purposes, depending on the context.

2.2. Maintains documentation of its risk management policies and strategies, ensuring accessibility to regulatory bodies as required.

3. Regarding the management of Internal Controls, the Company:

3.1. Structures its internal controls system in a way that is compatible with the nature of its operations and with the complexity of its products, services and business, ensuring the segregation of duties and the controls needed to mitigate possible conflicts in the execution of its strategy.

3.2. Identifies and evaluates controls and risks inherent in its processes utilizing both qualitative and quantitative criteria. These criteria encompass considerations such as reputation, regulatory compliance, financial implications, operational efficiency, customer satisfaction, and impacts on other stakeholders.

3.3. Continuously assesses the risks in the control environment for potential impact aspects and, based on the vulnerability assessment of the control environment (which comprises the risk probability analysis), defines the residual risk.

3.4. Defines and follows up on mitigating action plans to reduce the risks identified in its processes.

3.5. Monitors and reports the outcomes derived from the assessment of its internal control environment to the Risk Management Governance bodies. This reporting serves either informational or deliberative purposes, depending on the context and the nature of the results obtained. The outcomes are formalized into reports, which are maintained and made available to regulatory bodies as required.

4. Regarding credit risk management, the Company:

4.1. Identifies and assesses the credit risk of card issuers, sub-accreditors, and any other participants or merchants under the terms of the brands’ rules, defining the volumes of guarantees that must be presented.

4.2. Identifies and evaluates the credit risk associated with customers, whether or not they have deferred sales. This evaluation includes defining advance payment limits and determining eligibility for contracting the Acquisition of Sales Receivables (“ARV”) product and the Receba Rápido (Quick Receipt) service.

4.3. Undertakes the necessary actions to recover credits in accordance with the following rules:

  • Executes the guarantees in case of default of the card issuer, and acts with the intervenor of card issuers under intervention, in order to recover any defaulted values.
  • Executes the guarantees of sub-accreditors, as well as of other participants or merchants, in situations of lack of liquidity.
  • Recovers values from the financial investment portfolio by engaging the Credit Guarantee Fund, the intervenor and/or the liquidator of the issuer in default, as the case may be.
  • Performs the other applicable procedures for credit recovery from defaulting clients.

5. Regarding liquidity risk management, the Company:

5.1. Performs the cash flow assessment against the main metrics defined in the Liquidity Contingency Plan.

5.2. Respects the indebtedness limits established by the Board of Directors.

5.3. Respects the liquidity targets for financial investments in accordance with the Financial Investment Policy.

5.4. Ensures an adequate level of liquidity to meet the Company’s obligations and to continue the operations of the ARV product and the Receba Rápido service at the levels offered to clients, including the prior contracting of immediate access credit lines.

5.5. Ensures grid settlement by brand, domicile, issuer and the appropriate currencies for liquidity risk management, and captures possible contingent and unexpected exposures in its measurement.

5.6. Maintains an up-to-date Liquidity Contingency Plan, which is approved by the Risk Management Governance bodies. This plan is engaged in accordance with the rules established in the Liquidity Risk Management Standard.

5.7. Monitors and preserves the value and liquidity of e-currencies issued.

6. Regarding the management of the minimum reference equity requirements, the Company:

6.1. Monitors the level of sufficiency of its reference equity according to current regulations.

7. Regarding non-financial risk management, the Company:

7.1. Manages operational risk by monitoring the established limits and the evolution of operational losses, in order to define action plans that adjust the control environment and reduce exposure to this risk.

7.2. Assesses, manages and monitors the risk arising from outsourced data processing and storage and from cloud computing services relevant to its regular operation, in accordance with the specific regulations on the subject.

7.3. Manages social, environmental and climate risks and opportunities. These risks and opportunities are linked to Environmental, Social and Governance (ESG) factors, including those related to climate change and human rights.

7.4. Employs a non-financial risk management methodology to assess the social, environmental and climate aspects and impacts of its processes, operations, products and services. These impacts extend to the various stakeholders in its value ecosystem, in accordance with the identification and prioritization set out in the Stakeholder Relations Policy. The Company strives to achieve the objectives and principles set out in its Sustainability Policy, Diversity and Inclusion Policy and Code of Ethics.

7.5. Approves and contracts suppliers, assesses their performance (Vendor Performance Program) and assesses supplier risk in accordance with the rules established in the Vendor Risk Program, which analyzes information security and data protection, business continuity, financial, labor, social-environmental and reputational aspects that may represent potential risks for Cielo and its clients. The outcomes of these evaluations are monitored and reported to the Executive Board.

7.6. Conducts annual strategic planning review cycles to identify the key risks and strategic opportunities for the Company.

7.7. Identifies, monitors and reports emerging long-term risks and opportunities that may affect the achievement of its strategy and business objectives.

7.8. Continuously monitors its image and reputation risk by means of an internally developed methodology that captures exposures related to the topic in social media and press outlets, establishing a communication plan and/or brand positioning according to the criticality of any negative exposure of the brand.

8. Regarding Cybersecurity, the Company:

8.1. Keeps the Information Security and Cybersecurity Policy, which establishes the guidelines, roles and responsibilities for managing this risk, revised and updated.

8.2. Maintains a corporate governance structure to provide guidance to the Executive Board (“Information Security and Fraud Prevention Management Forum” and “Privacy and Data Protection Forum“).

9. Regarding the disclosure of relevant information to investors and stakeholders, the Company:

9.1. Keeps the guidelines, roles and responsibilities in the following policies reviewed and updated.

9.1.1. Stakeholder Relations Policy (Stakeholders);

9.1.2. Policy for Disclosure of Material Acts or Facts and Securities Trading;

9.1.3. Communication Policy;

9.1.4. Policy on Transactions with Related Parties and Other Situations Involving Conflicts of Interest.

10. Regarding the management of the risk of money laundering and terrorism financing (MLTF), the Company:

10.1. Maintains a revised and updated Policy for the Prevention of Money Laundering and Terrorism Financing that establishes the guidelines, roles, and responsibilities for managing these risks.

11. Regarding compliance risk management, the Company:

11.1. Keeps the Compliance Policy that establishes the guidelines, roles, and responsibilities for managing this risk revised and updated.

12. Regarding corruption risk management, the Company:

12.1. Keeps the Anticorruption Policy that establishes the guidelines, roles, and responsibilities for managing this risk revised and updated.

13. Regarding risk management in products and services, the Company:

13.1. Has a process to identify and assess risks in products and services (new or under maintenance), as well as the need to implement minimum controls for their proper functioning.

13.2. Maintains a corporate governance structure to advise the Executive Board (“Products and Services Forum”).

14. Regarding the management of business continuity, the Company:

14.1. Maintains a revised and updated Corporate Business Continuity Management Policy, which establishes the guidelines, roles and responsibilities for this risk management and business continuity management process.

15. Regarding Crisis Management, the Company:

15.1. Keeps the Crisis Management Standard revised and updated, an internal document that establishes rules for the identification, assessment, monitoring and management of crises, and defines communication procedures to ensure that the Company is able to act promptly, in an organized and effective manner, in any event that could harm its business or impact its reputation among stakeholders.

16. Regarding the risk management process, the Company:

16.1. Maintains approval level rules for the extension of the term for mitigation and definitive assumption of the identified risks, observing the level of risk incurred, and assures the submission of the referred risks to the competent governance bodies for deliberation.

16.2. Assesses the application of penalties in case of failure to comply with the agreed upon deadlines and reports to risk management governance instances.

16.3. Has a methodology for reporting aspects related to the evolution of the mitigation of high-level risks to the Executive Board and, through the Risk Committee, to the Board of Directors, for informative or deliberative purposes, as the case may be.

IV. Consequence Management

Employees, vendors or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel through the channels below, with the option of anonymity:

Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures to the agents that fail to comply with it, according to the respective severity of the non-compliance and as per internal regulations, and is applicable to all persons described in the item “Scope” of this Policy, including the leadership and members of the Executive Board.

V. Responsibilities

The Company adopts the concept of 3 (three) lines of responsibility to operationalize its Corporate Risk Management and Internal Controls structure, in order to ensure compliance with the defined guidelines.

    • 1st line of responsibility: Represented by all managers of the business and support areas, who must ensure effective risk management within the scope of their direct organizational responsibilities, including improving or implementing new controls to mitigate identified risks and timely communication to the appropriate governance of: (i) problems in the operation, (ii) situations of non-compliance with defined standards of conduct, and (iii) violations of the institution’s policies or legal and regulatory provisions.
    • 2nd line of responsibility: Represented by the Vice Presidency of Risks, Compliance, Prevention and Security, which acts in an advisory and independent manner along with the business and support areas, with the direct report to the CEO. The assessment of the risk management, compliance, business continuity management, crisis management, information security, prevention of money laundering, fraud and terrorism financing, as well as the quality of the control environment, are reported to the CEO and the Risk Committee, who in turn report to the Board of Directors. The performance of the 2nd line of responsibility is segregated and independent from the activities and management of the business and support areas and Internal Audit.
    • 3rd line of responsibility: Represented by Internal Audit and its purpose is to provide independent opinions to the Board of Directors, through the Audit Committee, about the risk management process, the effectiveness of internal controls, and corporate governance.
    • Board of Directors:
      – Ensure the segregation and definition of functions, attribution of responsibilities, and delegation of authorities that support the effective administration of the risks;
      – Approve risk management guidelines, strategies and policies;
      – Approve the risk limits and levels established in the Risk Appetite Statement;
      – Authorize, when necessary, exceptions to the strategies, guidelines, policies, and risk levels set forth in the Risk Appetite Statement;
      – Deliberate on high impact risks in the situations defined in the risk resolution governance;
      – Ensure that the compensation structure adopted by the Company neither interferes with the independence of the areas nor encourages behavior not aligned with the risk appetite levels considered acceptable by the Company;
      – Ensure that the internal control systems are implemented and maintained and monitored in accordance with BCB Resolution 260/2022; and
      – Promote the dissemination of the risk management culture and the commitment to ethics and integrity at the Company.
    •  Executive Board:
      – Ensure the Company’s adherence to risk management strategies, guidelines and policies, as well as to the risk limits and levels established in the Risk Appetite Statement, approved by the Board of Directors;
      – Deliberate on medium and high impact risks in the situations defined in the risk resolution governance;
      – Ensure appropriate and sufficient resources for risk management activities;
      – Implement the guidelines related to the internal controls system and monitor the adequacy and effectiveness of the Company’s controls; and
      – Disseminate and endorse the risk management culture at the Company.
    • Vice President of Risks, Compliance, Prevention and Security (exclusively):
      – Oversee the development, implementation, and performance of the risk management framework, including its constant improvement;
      – Oversee and propose adjustments to policies, processes, reports, systems and models used at the Company, pursuant to the Risk Appetite Statement and strategic objectives;
      – Oversee the appropriate training of the employees of its Vice Presidency on the policies, processes, reports, systems and models of the risk management framework, even when developed by third parties;
      – Support and participate in the strategic decision making process related to risk management.
    • Executive Vice Presidency of Risks, Compliance, Prevention and Security:
      – Monitor and supervise compliance with the guidelines established herein, review them annually, keep them updated to ensure that their content reflects any changes in the Company’s direction or risk appetite, and resolve any doubts regarding their content and application;
      – Monitor the compliance, development and implementation of the risk appetite, review it annually, keep it updated to reflect any changes in the Company’s direction, resolve any doubts related to its content and application, and report the appetite and tolerance indicators to the risk management governance bodies;
      – Propose methodologies for risk management, and participate in the strategic decision making process related to risk management;
      – Identify, measure and assess, monitor, mitigate and report in an integrated and periodic manner the corporate risks, ensuring the governance of the topics of the 2nd line of responsibility and subsidizing the strategic decision making process;
      – Evaluate and certify the sufficiency and effectiveness of internal controls, considering the strategic objectives and internal and regulatory standards, as well as keeping the risk and control matrix updated;
      – Keep the list of the main corporate risks up to date, as well as evaluate and monitor the impacts and probability to support their prioritization and treatment;
      – Execute the guarantees, together with the Executive Vice Presidency of Legal and Government Relations, in case of default of the Card Issuers, and act with the intervenor of the Card Issuers, in order to recover the defaulted amounts;
      – Execute the guarantees, together with the Executive Vice Presidency of Legal and Government Relations, of sub accreditors in situations of lack of liquidity;
      – Prepare, review and request the activation of the Liquidity Contingency Plan;
      – Develop and report annually on corporate risk management;
      – Develop and report annually on Internal Controls;
      – Identify and assess risks in the Company’s products and services (new or changing), systems and processes;
      – Carry out the contagion risk assessment process by subsidiaries and affiliates;
      – Disseminate the culture of Risk Management, Internal Controls, Compliance, Prevention, Information Security and Business Continuity at the Company, by maintaining an employee training program.
    • Executive Treasury Superintendency:
      – Carry out and control the Company’s financial investments in accordance with the Financial Investment Policy;
      – Control and monitor the Company’s liquidity levels, observing the limits defined in the Company’s Risk Appetite Statement, ensuring the existence of sufficient funds and immediate credit lines to cover its financial obligations and mitigating exposure to liquidity risk at different time horizons;
      – Monitor indexes linked to the financial instruments held by the Company for risk management purposes;
      – Engage the Liquidity Contingency Plan.
    • Collections and Projects Management:
      – Perform collection and credit recovery procedures for clients who have outstanding debts with the Company (defaulters).
    • Executive Management of Sustainability, Diversity and Impact:
      – Subsidize analyses and participate in the process of identifying the social, environmental and climate risks incurred by the Company, considering the guidelines established in the Sustainability Policy and the Diversity and Inclusion Policy;
      – Support and participate in the strategic decision making process related to the management of social, environmental and climate risks; and
      – Ensure the governance of the management of social, environmental and climate aspects through periodic reporting to the competent bodies, as established by the Sustainability Policy and the Diversity and Inclusion Policy.
    • Strategic Planning Department:
      – Support and participate in the strategic decision making process related to strategy management; and
      – Ensure the governance of the strategy follow-up through periodic reporting to the competent bodies.
    • Executive Marketing Superintendency:
      – Monitor social media and identify potential detractors of the image of the Company and its monitored subsidiaries;
      – Monitor publications in the press and mediate contact with journalists, influencers or other media opinion makers in crisis management situations, in addition to supporting the construction of positioning and monitoring the full repercussion of the topic in real time to contain damage to the image;
      – Support and participate in the strategic decision making process related to image and reputation management; and
      – Ensure the governance of image management through periodic reporting to the competent bodies.
    • Executive Vice Presidency of Legal and Government Relations:
      – Report to the BCB, together with the Vice Presidency of Risks, Compliance, Prevention and Security, the cases involving default by card issuers or other participants and merchants that represent credit and liquidity risks;
      – Execute extrajudicial and/or judicial guarantees of card issuers in case of non-compliance with their obligations, after being engaged by the Vice Presidency of Risks, Compliance, Prevention and Security;
      – Work, in conjunction with the Vice Presidency of Risks, Compliance, Prevention and Security, together with the intervenor, the Credit Guarantee Fund and/or the liquidator of card issuers under intervention, in order to recover the defaulted amounts;
      – Execute extrajudicial and/or judicial guarantees of sub-accreditors and any other participants or merchants in case of default, after being engaged by the Vice Presidency of Risks, Compliance, Prevention and Security, in situations of lack of liquidity.

VI. Supplementary Documentation

VII. Concepts and Acronyms

  • Controls environment: Consists of a set of representative controls for a given risk.
  • Central Bank of Brazil (BCB): Body responsible for governing the constitution, operation and supervision of payment institutions, as well as the discontinuity in the provision of their services.
  • Audit Committee: A statutory body with operational autonomy, directly linked to and advising the Company’s Board of Directors, operates independently of the Statutory Executive Board. Its mission is to advise the Board of Directors, with a focus on enhancing the quality and efficiency of the Company’s activities related to accounting policies, issuance of financial reports, internal controls, and risk management. This advisory body, which complements the functions of the Risk Committee, oversees the work conducted by Internal Audit and Independent Audit. It may also provide recommendations to the Board of Directors to promote accountability within the Executive Board, ensuring that activities are conducted to safeguard and enhance the Company’s value, while upholding its social objectives and values in alignment with key corporate governance principles such as transparency, fairness, accountability, and corporate responsibility.
  • Corporate Governance Committee: Body directly linked to and providing guidance to the Company’s Board of Directors. Its mission is to advise the Board of Directors by advocating for the adoption of optimal corporate governance practices, taking into consideration the unique characteristics of the Company. Its overarching goal is to ensure that the Company’s activities are conducted in a manner that safeguards and enhances the Company’s value, while also upholding its social objectives and values. These efforts are guided by fundamental principles of corporate governance, including transparency, fairness, accountability, and corporate responsibility.
  • Risk Committee: Body directly linked to and providing guidance to the Board of Directors, its mission is to advise the Board, with a primary focus on enhancing the quality and efficiency of risk management practices and ensuring compliance with minimum equity requirements applicable to the Company. Its overarching aim is to align the Company’s social objectives and values with fundamental principles of corporate governance, including transparency, fairness, accountability, and corporate responsibility.
  • Sustainability Committee: Body directly linked to and providing guidance to the Company’s Board of Directors. Its primary mission is to advise the Board of Directors in fulfilling its responsibilities pertaining to sustainability. This includes establishing corporate guidelines and initiatives aimed at reconciling economic development objectives with those of social responsibility. The overarching goal is to ensure the long-term success of the business while fostering a healthy environment, promoting social equity, and contributing to the economic and social development of Brazil.
  • Board of Directors: Collegiate decision-making body that aims to fulfill the duties of guiding and supervising the management of the Executive Board and deciding on major business issues, including strategic, investment and financing decisions, among other matters provided for in article 142 of the Brazilian Corporation Law and/or the Company’s Bylaws.
  • Counterparty: In the context of this document, they are the card issuers, merchants, Sub-accreditors and Financial Institutions, and the like.
  • Internal controls: Policies, standards, procedures, methods and mechanisms created for the purpose of providing a reasonable degree of confidence in the effectiveness and efficiency of operations, in the financial reports and in the compliance with regulatory requirements, in addition to the achievement of business objectives, preventing or detecting and correcting undesirable events.
  • Default: A situation where the counterparty fails to fulfill its obligations; includes total or partial default.
  • Risk Appetite Statement (RAS): Document that contemplates the formalization of the risk levels that the Company supports to achieve its strategic and business objectives.
  • Risk Management Governance: The term “governance bodies” in this policy refers to the following: (i) the Executive Board; (ii) the Risk Committee; (iii) the Board of Directors. Additionally, it includes other Company bodies that may be engaged for informational and deliberative purposes concerning risk management, such as the Audit Committee, the Corporate Governance Committee and the Sustainability Committee.
  • Significant Influence: the power to participate in the financial and operational decisions of an entity, but that does not necessarily characterize control over these policies. Significant Influence can be obtained through ownership interest, statutory provisions, or a shareholders’ agreement. When an investor directly or indirectly holds twenty percent or more of the voting power of an investee, it is presumed to have significant influence, unless it can be clearly demonstrated otherwise. The existence of significant influence by an investor is usually evidenced in one or more of the following ways: (a) representation on the board of directors or executive board of the investee; (b) participation in policy-making processes, including in decisions about dividends and other distributions; (c) material transactions between the investor and the investee; (d) exchange of directors or managers; (e) provision of essential technical information.
  • Limit for anticipation: Amount in value or in percentage, calculated according to specific methodology and registered in the ARV system, for the purpose of preventing the ARV from being contracted beyond the pre-established value, as a form of protection against eventual chargebacks/sales cancellations that may occur on the operations carried out.
  • Occurrence of Risks: Incident or event related to failures in processes, systems or people that occurred at the Company, with negative impacts (direct or indirect) on the operation such as financial, strategic, reputational, regulatory, security, environmental, labor and continuity.
  • Liquidity Contingency Plan: a document jointly prepared by the Treasury Superintendency and the Executive Vice Presidency of Risks, Compliance, Prevention and Security, approved by the Board of Directors, which presents a set of procedures with the following main objectives: i) ensure the non-interruption of the Company’s cash flow and mitigate losses arising from liquidity risk; ii) define Liquidity Contingency procedures, prioritizing sources and uses of funds that value financial efficiency; iii) restore the level of liquidity desired by the Company; iv) establish a clear division of roles and responsibilities for the objectives described in the document; and v) define the financial composition of the Liquidity Reserve.
  • Vendor Performance Program: Periodic evaluation of vendors’ performance, carried out by management and the Efficiency and Purchasing Superintendency, used as a tool for continuous improvement of services rendered.
  • Vendor Risk Program: Supplier Relationship Program comprising a comprehensive framework that evaluates and measures various dimensions of interaction. These dimensions include financial aspects, labor practices, performance metrics, information and cybersecurity protocols, business continuity measures, reputational considerations, and social-environmental factors, under the governance of the Efficiency and Purchasing Superintendency.
  • Risk: Possibility that events may occur and impair the achievement of the Company’s strategy and objectives.
  • Inherent risks: risk the Company is susceptible to, regardless of its internal control environment.
  • Non-financial risks: non-financial risks, in the context of this Policy, are composed of (i) operational risk; (ii) social, environmental and climate risk; (iii) strategic risk; (iv) emerging risk; and (v) reputation risk.
  • Operational risk: Possible negative outcomes from the following events: (a) failure in protecting and safeguarding sensitive data, including end-user credentials and other information exchanged for payment transactions; (b) failure in identifying and authenticating end-users; (c) failure in authorizing payment transactions; (d) internal fraud; (e) external fraud; (f) labor claims and workplace security; (g) improper practices regarding end-users, payment products, and services; (h) damage to physical assets owned or in use by the institution; (i) occurrences that result in the interruption of the payment institution’s activities or the discontinuation of the payment services provided; (j) failure in information technology systems, processes or infrastructure; (k) failure in the execution, compliance with deadlines and management of the activities involved in payment arrangements; and (l) failure in the initiation of payment transactions. Operational risk includes legal risk associated with inadequacy or deficiency in contracts signed by the payment institution, sanctions due to non-compliance with legal provisions and compensation for damages to third parties arising from activities involved in payment arrangements.
  • Social risks: possible losses arising from events associated with human rights violations, as outlined in the Code of Ethics: (a) acts of harassment, discrimination, or prejudice based on ethnicity, race, color, nationality, age, sexual orientation, gender identity, religion, belief, or disability; (b) practices related to working conditions akin to slavery (forced or compulsory labor); (c) Irregular, illegal, or criminal exploitation of child labor; (d) sexual exploitation of children and adolescents; (e) non-compliance with social security or labor legislation; (f) irregular, illegal, or criminal acts negatively impacting traditional peoples or communities. Social risk also includes the occurrence of events that may violate the legislation in force with regard to accessibility, as well as the commitments established in the Company’s Diversity and Inclusion Policy, and that characterize harmful acts or exclusion of under-represented social groups.
  • Environmental risks: possible losses arising from events linked to environmental degradation caused by the company’s activities, including: (a) excessive use of natural resources; (b) deforestation; (c) ignition of forest or woodland fires; (d) degradation of biomes or biodiversity; (e) sudden or gradual pollution of air, water, or soil; (f) non-compliance with legal requirements and inadequate waste management practices; (g) environmental disasters resulting from human intervention.
  • Climate risk: defined under two aspects: a) transition climate risk, which is the possibility of losses caused by events associated with the transition of the regulatory and technological environment to one driving the low-carbon economy, related to regulation on carbon emissions, operational restrictions and requirements, and pressures for accelerated technological changes; and b) physical climate risk, which is the possibility of losses for the institution directly or indirectly caused by events associated with frequent and severe weather or long-term environmental changes, which can be related to changes in weather patterns.
  • Social, environmental and climate risks and opportunities: those associated with Environmental, Social and Governance (ESG) factors, in addition to factors associated with climate change.
  • Opportunity: favorable situation for the realization of something that may be associated with the internal or external environment in which the company operates, or has the possibility of operating, and may be of an economic, technological, operational, regulatory, social, environmental, or climatic nature, among other aspects that can generate or protect value for the business, and in a shared manner, for the other stakeholders.
  • Strategic risk: Risk arising from adverse changes in the business environment or the use of inadequate assumptions in decision making.
  • Emerging risks and opportunities: These risks stem from uncertain and unforeseen phenomena that could subject the organization to an entirely novel set of circumstances. Insufficient information is available to adequately assess and measure their impact on the future of the business.
  • Reputational risk: Risk arising from the long-term negative perception of the Company’s image by clients, partners, vendors, shareholders, subsidiaries, media, social influencers, investors, regulators, etc.
  • Credit risk: Refers to the possibility of losses associated with the failure by the counterparty to comply with its respective financial obligations under the terms agreed upon, the reduction of gains or compensation, the advantages granted in the negotiation and the recovery costs, including:
    - Default of the bearer before the issuer of a postpaid payment instrument;
    - Default of the issuer before the accreditor; and
    - Default of the payment institution debtor to another payment institution as a result of an interoperability agreement between different arrangements.
  • Liquidity risk: Refers to the possibility that the Company may not be able to efficiently honor its expected and unexpected, current and future obligations without affecting its daily operations and without incurring significant losses, as well as not being able to convert e-currency into physical or scriptural currency at the time of the user’s request.
  • Market risk: Refers to the possibility of losses resulting from fluctuations in the market values of instruments held by the Company, as well as revenue and expenses that may be impacted by variations in interest rates, share prices and exchange rate variations.
  • System controls: Consists of a set of representative controls for a given risk.
  • Affiliates: These are companies over which the Company exercises significant influence, as defined by current legislation.
  • Subsidiaries: Companies in which the Company, directly or indirectly, holds partner or shareholder rights that assure it, on a permanent basis, preponderance in corporate deliberations and the power to elect the majority of the officers, under the terms of current legislation.
  • Stakeholders: Stakeholders are all relevant audiences, whether internal or external, consisting of people, groups, organizations, associations and other actors who influence or are influenced by the company’s activities, products and services, and who may be impacted by its decisions, actions and performance. Examples of Stakeholders include, but are not limited to: suppliers, investors, Employees, local communities, the press and civil society organizations.
  • Sub-accreditor: Participants in payment arrangements that enable merchants not directly affiliated to the Company to accept a payment instrument, being responsible for the settlement of payment transactions to such merchants by transferring the financial resources received by the Company.
  • Deferred sales: Credit card sales made by clients with delivery of the goods/services at a future date.

VIII. General Provisions

The Company’s Board of Directors is responsible for altering this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any documents to the contrary.