Compliance Policy

Review History

Version: Date of Review: History: 
1 04/19/2018 Preparation of the Document.
2 04/25/2019 Update of items I. Purpose, II. Scope, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation, VIII. Concepts and Acronyms; Update of sub-items 1.2, 1.3, 1.7, 1.8 and 1.9; Inclusion of item IV. Exceptions and sub-items 1.4, 1.6 and 1.10 in item III. Guidelines.
3 04/23/2020 Update of items I. Purpose, II. Scope, III. Guidelines sub-items 1, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation, VIII. Concepts and Acronyms. Inclusion of sub-items 2, 2.1, 2.2, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5 and 2.3.6.
4 05/27/2021 Inclusion of item 1 Severability and changes in items 2 Purpose and scope of the compliance function and 3 Cielo Compliance Program (“Program”) in item III Guidelines; Update to items II Scope, VI Responsibilities, VII Supplementary Documentation, and VIII Concepts and Acronyms.
5 03/29/2023 General document update.

 

I. Purpose

Establish the main guidelines and responsibilities related to the Compliance function, aiming to disseminate the practice at all levels of Cielo S.A. – Instituição de Pagamento (“Cielo”), demonstrating the importance of complying with regulatory standards, internal standards and the Code of Ethics, for purposes of Compliance risk management, in addition to presenting the structure of the Cielo Compliance Program.

II. Scope

All members of the Board of Directors, Advisory Committees and Executive Board (“Officers”), members of the Fiscal Council; employees, including contractors, interns and young apprentices (“Employees”) of the companies Cielo, Servinet Serviços Ltda. and Stelo S.A., hereinafter jointly referred to as “Company”.

All the Company’s Subsidiaries must define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

With respect to the Affiliates, the Company’s representatives who act in managing its Affiliates must make every effort to define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

III. Guidelines

1.  Severability:

1.1. The Vice Presidency of Risks, Compliance, Prevention and Security is responsible for the Compliance function at the Company and reports directly to the CEO, who ensures its severability in relation to the business and support areas, as well as periodically communicates the matters related to Risk Management, Compliance, Prevention and Security to the Risks Committee, an advisory body to the Board of Directors.

1.2. The Vice Presidency of Risks, Compliance, Prevention and Security has teams dedicated to the Compliance function, including the Compliance and Money Laundering Prevention Department which, together with the other teams of the Vice Presidency, has its own resources and employees duly trained and with the necessary experience to carry out the activities related to the Compliance function.

1.3. The employees of the Vice Presidency of Risks, Compliance, Prevention and Security act in a segregated and independent manner from the activities and management of the business and support areas and of Internal Audit, so as not to generate conflicts of interest, with free access to the information necessary for the exercise of their duties related to the Compliance function.

1.4. The Compliance and Money Laundering Prevention Department reports directly to the Vice President of Risks, Compliance, Prevention and Security, who, in turn, reports directly to the Company’s Chief Executive Officer, which ensures the independence of the Department from the business areas and the appropriate authority of those responsible for the activities related to the Compliance function.

1.5. The compensation of the employees of the Vice Presidency of Risks, Compliance, Prevention and Security is determined independently of the performance of the business areas, so as not to generate a conflict of interest.

1.6. The Vice Presidency of Risks, Compliance, Prevention and Security has communication channels with the competent governance bodies for the timely reporting of the results of the activities related to the Compliance function, and of possible irregularities or failures identified.

1.7. The annual planning of the activities of the Vice Presidency of Risk, Compliance, Prevention and Security is monitored by the Risk Committee, including activities related to the Compliance function and risk management, while the Audit Committee monitors the activities of Internal Audit.

2. Purpose and Scope of the Compliance Function:

2.1. To have a Compliance Program, which aims at the Company’s responsible and citizen-like performance, in addition to meeting the requirements of regulatory and inspection agencies, external self-regulatory agents, as well as considering the suggestions of its administrators.

2.2. Ensure the annual preparation of the Compliance Report, containing a summary of the results of the activities related to the compliance function, its main conclusions, recommendations and measures taken by Cielo’s management, in accordance with the regulations in force of the Central Bank of Brazil on the subject.

2.3. Disseminate the culture of Compliance at Cielo, through communications and training in matters related to Compliance.

2.4. Conduct its operations and make business decisions in compliance with the legislation in force, regulations, and provisions sanctioned by regulatory and inspection agencies and external self-regulatory agents.

2.5. Test, assess and monitor the Company’s adherence to the legal framework, infralegal regulations, the recommendations of the supervisory bodies, the Code of Ethics, the normative instruments and other regulations that the Company is obliged to observe, as established in the annual planning.

2.6. Provide support to the Board of Directors and the Executive Board regarding compliance with and the correct application of the matters in item 2.5, including keeping them informed of relevant updates regarding these items.

2.7. Support the investigation of reports received through the Ethics Channel, when applicable.

2.8. Identify, assess, report and keep updated the list of compliance risks to which the Company is exposed.

2.9. Ensure the necessary resources for timely identification, assessment, measurement, response and reporting of Compliance risk-related issues.

2.10. Review and monitor the resolution of the points raised in the report of non-compliance with legal and regulatory provisions prepared by the independent auditor, according to specific regulations.

2.11. Report, in a systematic and timely manner, the results of Compliance function-related activities to the Board of Directors.

2.12. Assist the Board of Directors in informing and training all Employees on compliance issues.

3. Cielo’s Compliance Program (“Program”):

3.1. The Vice Presidency of Risks, Compliance, Prevention and Security is responsible for the Cielo Compliance Program, supported by other areas that have attributions in the operation of the Program.

3.2. The purpose of the Program is to expand the operations beyond the specific scope of Compliance, creating a synergy to enable a culture of ethics, integrity, risk management, and compliance as a whole.

3.3. Considered a system, the Program directs efforts and enables communication between the Company and its different stakeholders, allowing the maintenance of a robust compliance environment in the Company.

3.4. The Program is a set of internal processes, controls and procedures related to integrity and compliance, which ensure that the Company: (i) maintains ethical and transparent conduct in all relations with its stakeholders, for the purpose of preventing, detecting, mitigating and reporting/denouncing deviations, fraud, irregularities and illicit acts, including acts of corruption and bribery against the private sector and against the Public Administration, domestic or foreign; (ii) is in compliance with the regulatory framework, the infralegal regulations, the recommendations of regulatory bodies, the operational regulations established by the Payment Arrangement Institutions (“Brands”), the Code of Ethics and the Company’s normative instruments.

3.5. The Program is based on 6 (six) elements, which permeate the processes conducted mainly by the 2nd (second) and 3rd (third) lines of responsibility, encompassing activities from different areas of the Company, as follows: (i) Senior Management Support; (ii) Risk Management; (iii) Normative Instruments; (iv) Awareness and Acculturation; (v) Monitoring and Prevention, and (vi) Remediation and Reporting.

3.6. The elements are permeated by the conceptual and normative framework that supports all the processes, materialized in the form of the Company’s Purpose, Vision and Cultural Attributes, the regulatory requirements, and the Brand rules.

Figure: Graphical representation of the Cielo Compliance Program.

3.7. The Company conducts its activities related to compliance and integrity through these six elements:

3.7.1. Support from Senior Management: Top Management influences and inspires the conduct of Employees and other stakeholders, and their example is fundamental as a model to be followed by the Company in conducting its activities. Senior Management, composed of members of the Board of Directors, Advisory Committees and the Executive Board, is aware that its support is indispensable for the implementation of a robust Compliance Program, thus, it is at the forefront of the actions and decisions of the Program, as well as responsible for enabling the independent performance of activities such as compliance, risk management, internal audit and corporate governance. The Board of Directors is responsible for approving the Cielo Compliance Program and the policies, which formalize the Company’s performance guidelines.

3.7.2. Risk Management: The Company relies on a Corporate Risk Management and Internal Controls Policy, which establishes the main guidelines related to corporate risk management and internal controls, in compliance with the applicable regulations and good market practices, with a view to protecting and perpetuating the business and preserving the value and liquidity of the electronic currencies issued. In line with the Policy, the Company has a methodology and processes to identify, assess, measure, monitor, mitigate and report the risks to which the Company is exposed. The response to the identified risks is addressed by registering the events in the corporate risk management tool as risk occurrences and the respective action plans, with deadlines, impact, and those responsible for implementation, which aim to ensure the maintenance of these risks at levels acceptable to the Company.

3.7.3. Normative Instruments: Aware of its risks, the Company focuses its efforts on the evolution of its processes. To this end, it promotes the standardization, organization, preparation and updating of normative instruments to ensure the establishment and retention of the Company’s knowledge, as well as compliance with internal and legal requirements. There are 3 (three) types of normative instruments in the Company: Policies, Standards and Procedures.

3.7.4. Awareness and Acculturation: The success of a Compliance Program depends on the dissemination and promotion of the Company’s rules and expectations of conduct to its target audiences. One cannot expect a certain behavior or action in a process or in the Company’s relationships if the parameters to be followed are not known. Aware of this, the Company conducts communication and training actions to make its target audiences aware of their prerogatives and responsibilities. All the Regulatory Training Track training sessions are part of the Cielo Compliance Program.

3.7.5. Monitoring and Prevention: Continuous movement by which the Company assesses its activities in line with the applicable internal and external rules. This element has the objective of verifying the need for evolution/improvement of the established processes to prevent occurrences and verify deviations. Due diligence procedures such as Know Your Customer, Know Your Supplier, Know Your Partner and Know Your Employee, regulatory adherence assessment, Brand rules monitoring, sub-accreditor assessment, periodic testing and audits are examples of actions that make up this element.

3.7.6. Remediation and Reporting: Some situations generate the need to establish action plans for remediation and/or accountability for deviations that occurred. Such plans are monitored and reported, allowing the exposed weaknesses to be worked on, promoting the continuous improvement of the processes. The Company is committed to transparency in its reports to internal management instances and external bodies, such as regulators, self-regulators, and Brands, evidencing the occurrences, findings, action plans, implementations, and improvements generated.

3.8. The Ethics Channel is the channel provided by the Company to its Employees, vendors, service providers, partners or other stakeholders to provide, anonymously or in an identified manner, reports or information on any deviations practiced by Employees, Officers and other stakeholders, from the guidelines of the Code of Ethics, the Company’s normative instruments, current legislation, including the Anti-Corruption Law, as well as acts of private corruption.

3.9. The complaint must be made, preferably, through the Ethics Channel, without excluding any means or channel available to the complainant in the event of an impossibility of accessing said channel.

IV. Exceptions

Exceptions in the handling of situations not foreseen in this Policy, when applicable, will be evaluated according to applicable approval levels.

V. Consequence Management

Employees, vendors or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel through the channels below, with the option of anonymity:

  • www.canaldeetica.com.br/cielo
  • Toll free: 0800 775 0808

Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures to the agents that fail to comply with it, according to the respective severity of the non-compliance and as per internal regulations, and is applicable to all persons described in the item “Scope” of this Policy, including the leadership and members of the Executive Board.

VI. Responsibilities

  • Officers and Employees:
    – Observe and ensure compliance with this Policy as well as the provisions of the Code of Ethics and, when necessary, call the Vice Presidency of Risks, Compliance, Prevention and Security regarding situations that conflict with the guidelines described herein.
    – Report to the Ethics Channel any deviations from the guidelines of the Code of Ethics, the Company’s normative instruments, current legislation, including the Anti-Corruption Law, as well as acts of private corruption involving the Company’s Employees or Officers, if they become aware of them.
  • Third Parties, Vendors, Service Providers and Partners:
    – Observe and ensure compliance with this Policy as well as the provisions of the applicable Code of Ethics and, when necessary, use the available channels at the Company for consultation on situations involving conflict with this Policy, or upon the occurrence of situations described herein.
    – Report to the Ethics Channel any deviations from the guidelines of the Code of Ethics, the Company’s normative instruments, current legislation, including the Anti-Corruption Law, as well as acts of private corruption involving the Company’s employees or Officers, if they become aware of them.
  • Business Area Managers:
    – Disseminate published laws and regulations, define action plans and deadlines for adherence, and inform the Vice Presidency of Risks, Compliance, Prevention and Security.
    – Report to the Vice Presidency of Risks, Compliance, Prevention and Security events that may bring compliance risks to the Company, as well as establish procedures and internal controls to mitigate such risks.
    – Apply the guidelines of the Cielo Compliance Program, in order to prevent, detect, interrupt and remedy the occurrence of irregularities, fraud, corruption and other deviations.
  • Superintendency of Efficiency and Purchasing:
    – Keep the registration updated, approve the vendors, as established in the internal processes, and request formal acceptance acknowledgement from all relevant vendors for the guidelines established in the Code of Ethics, Anti-Corruption Policy and other applicable Normative Instruments.
    – Perform the Know Your Supplier process at the time of prospecting, selection, hiring and monitoring with quality and suitability criteria, according to internal standards and procedures.
    – Notify the Vice-Presidency of Risks, Compliance, Prevention and Security of any evidence of corruption by vendors and service providers, when identified.
  • Vice-Presidency of Legal and Government Relations:
    – Monitor and interpret the applicability of legislation and standards issued by regulatory agencies BACEN, CVM and CMN to Cielo, as well as prepare information bulletins and forward them to the areas of interest.
    – Maintain the relationship with regulatory and governmental bodies and class associations (ABECS, AFRAC and AMCHAM), acting as Cielo’s representative before the demands established by such bodies.
    – Support the Vice Presidency of Risks, Compliance, Prevention and Security to keep the regulations matrix updated for the purpose of evaluating and monitoring the Company’s adherence to the legal framework, based on the regulations established by federal, state and municipal legislation, as well as by the regulatory bodies BACEN, CVM and CMN applicable to Cielo.
  • Vice Presidency of Risks, Compliance, Prevention and Security (Compliance and Money Laundering Prevention Department):
    – Define and evaluate, independently from the Company’s business and support areas, compliance with the guidelines established in this Policy, keep it updated, and clarify doubts concerning its content and application, in compliance with the regulations of the Central Bank of Brazil in effect on the matter.
    – Keep the Cielo Compliance Program updated and monitor it, with support from the other areas that have duties in the operation of the Program.
    – Coordinate Compliance activities with the business and support areas, acting independently from these areas in the performance of their functions.
    – Register the publication of a new applicable regulation in the Normative Inventory, while the involved areas will verify whether there is a need to adapt the processes, products, or services, according to the guidelines of the internal Regulatory Governance Standard.
    – Identify the compliance risks in the course of its activities of monitoring the Company’s adherence to internal normative instruments, changes in the external regulatory environment and the rules established by the Brands, enabling compliance of products and processes to the internal and external standards in force.
    – Record the risk occurrence of regulatory demands and the respective action plans in the corporate risk occurrence management system.
    – Assess whether the action plans sent by the responsible area mitigate the risks and if they are adequate, according to the guidelines of the internal Occurrence Management Standard.
    – Monitor the solution of the points presented in the report of non-compliance with legal and regulatory provisions prepared by an independent auditor.
    – Support the investigation of reports received on the Ethics Channel, when applicable.
    – Prepare an annual report on the Cielo Compliance Program, containing the results of the compliance activities, in accordance with the regulations of the Central Bank of Brazil in effect on the matter. This report is archived for a minimum period of 5 (five) years and covers the main conclusions, recommendations and actions taken by the Compliance structure in the reference year.
    – Support the preparation of the evaluation report on the Internal Controls System in compliance with BCB Resolution 260/2022.
    – Report to the Board of Directors and the Executive Board on the levels of adherence to the regulations in force and on the results of the risk assessment work and compliance activities.
    – Assess and issue an opinion about the risks arising from the launching of new products and services, in relation to Compliance, Anticorruption and Money Laundering Prevention issues, considering the regulations issued by regulatory agencies, BACEN, CMN, CVM and the rules established by the Brands.
    – Prepare the training content on the Code of Ethics, anti-corruption and money laundering prevention, update it annually, and request an annual publicity campaign from the Marketing area.
    – Monitor the completion of the Regulatory Training Track and prepare reports for the Executive Board on the training completion rate.
    – Act proactively in the dissemination of the culture of ethics, Compliance, integrity and anti-corruption.
    – Prepare content and approve communications relating to the Cielo Compliance Program, including topics on ethical culture and anti-corruption.
  • Vice Presidency of Risks, Compliance, Prevention and Security (Risk and Internal Controls Superintendency):
    – Coordinate Risk Management and Internal Controls activities with the business and support areas, acting independently from these areas in the performance of their functions.
    – Manage Compliance Risk, aiming at its identification, assessment and measurement, response and timely reporting, considering the guidelines of the Corporate Risk Management and Internal Controls Policy.
    – Identify compliance risks during the evaluation of the control environment, which has its process formalized in the internal standard on Internal Controls.
    – Identify compliance risks in the monitoring of operating losses when identifying fines for non-compliance with regulations from Brands or regulatory agencies.
    – Prepare the evaluation report on the Internal Controls System in compliance with BCB Resolution no. 260/2022.
    – Evaluate and issue an opinion on the risks arising from the launching of new products and services, in relation to issues pertaining to Risk Management and Internal Controls, considering the regulations issued by regulatory agencies (BACEN, CMN, CVM) and the rules established by the Brands.
    – Develop the content of the Risk Management training and update it annually.
  • Audit Superintendence:
    – Identify compliance risks during the independent evaluation of the control environment, which has its process formalized in the internal standard on Internal Audit.
    – Manage the cases received in the Ethics Channel and ensure that the reports are investigated in a timely, independent, impartial and confidential manner and, if applicable, ensure the appropriate disciplinary measures are applied.
    – Report to the Ethics Forum, the Audit Committee and the Board of Directors the volume of cases registered in the Ethics Channel, their nature, and the verified cases where disciplinary measures needed to be applied.
  • Ethics Forum:
    – Ensure that the precepts of the Code of Ethics and the normative instruments are observed by the Company and that there is dissemination and training of the employees on their contents, and guarantee the application of the Consequences Standard.
    – Analyze and deliberate, as the final instance body, on situations that are identified as deviations from the precepts contained in the Code of Ethics and in the Company’s normative instruments and, if applicable, the respective disciplinary sanctions to be applied to the cases analyzed.
    – Analyze and issue a recommendation to the Board of Directors when deviations involving Company employees directly subordinate to the Board of Directors or, at the Forum’s discretion, people considered key or strategic, are identified, for deliberation on the disciplinary sanctions to be applied to the case.
    – Track, on a quarterly basis, the volume, reports received, and the progress of the Ethics Channel investigations.
  • Audit Committee:
    – Monitor compliance with the Code of Ethics, the volume of reports received through the Ethics Channel, the outcome of investigations, and the management of the consequences applied to founded complaints.
  • Risk Committee:
    – Supervise the Cielo Compliance Program through the receipt and assessment of periodic activity monitoring reports.
    – Position and periodically report to the Board of Directors the assessment of the results related to the risk management process, business continuity, internal controls, Compliance and minimum asset requirements, as well as the degree of adherence of the risk management structure to the Company’s current Normative Instruments, providing a comprehensive and integrated perspective on the risks and their impacts.
  • Board of Directors:
    – Analyze, alter and approve this Policy in accordance with the periodicity provided for in the Company’s internal rules, and whenever it deems necessary.
    – Ensure that the Executive Board disseminates the standards of integrity, ethical conduct and compliance culture as part of the Company’s culture, as directed by the Board of Directors.
    – Ensure that the Compliance Policy and the Cielo Compliance Program are compatible with the Company’s nature, size, complexity, structure, risk profile and business model, so as to ensure effective compliance risk management.
    – Promote the necessary means so that the activities related to the Compliance function are adequately performed, under the terms of the regulations of the Central Bank of Brazil on the matter, with the allocation of resources and personnel in sufficient quantity, adequately trained and with the necessary experience for the performance of the activities related to the function, mainly in the Compliance and Money Laundering Prevention Department.
    – Ensure that corrective measures are taken when compliance failures are identified.
    – Ensure that the Executive Board carries out the management, effectiveness and continuity of the application of this Policy, as well as its communication to all relevant employees, vendors and service providers.
    – Analyze and deliberate, as the final instance body, on situations that are identified as deviations from the precepts contained in the Code of Ethics and in the Company’s normative instruments, involving Employees directly subordinate to the Board of Administration or people considered key or strategic and, if applicable, the respective disciplinary sanctions to be applied to the cases analyzed.
    – Supervise the Cielo Compliance Program through the receipt and assessment of periodic activity monitoring reports.
  • Risks Committee:
    – Analyze the Annual Compliance Report, prepared pursuant to the regulations of the Central Bank of Brazil on the matter.
    – Update and report to the Board of Directors, on a quarterly basis, the evaluation of results regarding management of risks, business continuity, internal controls, compliance and minimum equity requirements, as well as the level of adhesion of the risk management structure to the Company’s applicable Normative Instruments in force, providing a broad and integrated view of the risks and their impacts.

VII.  Additional Documentation

VIII. Concepts and Acronyms

  • Public administration: the set of agencies, services, and entities of the direct and indirect public administration (foundations, autarchies, public companies, and mixed-economy companies), and their respective officials. This concept, for the purposes of this Policy, encompasses the entire State structure, at all its levels (Federal, State and Municipal) and powers (Executive, Legislative and Judiciary) to provide public services, manage public assets and community interests, as well as their respective representatives.
  • Public Official: Every individual who represents the public power, being a public employee or not, paid or unpaid, exercising temporary or permanent It includes everyone who exercises, even if temporarily or without remuneration, by election, nomination, designation, contracting or any other form of investiture or relationship, a mandate, position, job, or public function. Those who work for a private company hired or contracted for the execution of activities that are typical of the Public Administration are considered Public Officials.
  • Senior Management: Composed of the members of the Board of Directors, the Advisory Committees, and the Executive Board.
  • Code of Ethics: Document that establishes the principles that should guide the relationships and activities related to the different stakeholders involved in the Company’s business, addressing the principles of integrity, transparency, compliance with the desired legislation and conduct. It also establishes the relationship with stakeholders, including public authorities, and provides for disciplinary sanctions in situations of violation of conduct.
  • Advisory Committees: Advisory bodies to the Board of Directors, of a technical nature, which are instruments of support and which increase the quality and efficiency of the performance of the Company’s Board of Directors. The Advisory Committees have no deliberative power and their recommendations are not binding on the Board of
  • Compliance: It derives from the verb “to comply”, which means the duty to fulfill, that is, to conform and enforce laws, decrees, standards, regulations and instructions applicable to the Company’s activities, which, in the event of non-compliance, may generate sanctions, financial loss and damage to reputation/image.
  • Board of Directors: Collegiate decision-making body that aims to satisfy the duties of guiding and supervising the management of the Executive Board and deciding on major business issues, including making strategic, investment, and financing decisions, among other matters provided for in article 142 of the Brazilian Corporation Law and/or the Company’s Bylaws.
  • Corruption: The act or effect of corrupting oneself, offering something to a Public or Private Official for the purpose of obtaining an undue advantage for oneself or for The action of corrupting can also be understood as the result of bribing, giving money or undue advantages to someone in exchange for special self-interest benefits. Corruption is an illegal means of achieving something.
  • Executive Board: the body responsible for managing the company’s business, executing the strategy and general guidelines approved by the Board of Directors. Through formalized processes and policies, the Executive Board enables and disseminates the organization’s purposes, principles, and values.
  • Regulatory Agencies: These are the bodies responsible for regulating, controlling and supervising the activities of certain economic sectors. Cielo, as a Payment Institution authorized to operate by the Central Bank of Brazil (BACEN), is subordinate to the provisions issued by this body and by the National Monetary Council (CMN) inherent to its activities, and must also follow the legislation and competition guidelines issued by the Administrative Council for Economic Defense (CADE). Additionally, as a publicly traded company, Cielo must comply with the regulations issued by the Brazilian Securities and Exchange Commission (CVM) and, within the scope of self-regulation, the regulations of the B3 – Bolsa, Balcão, Brasil S/A.
  • Stakeholders: All relevant target audiences with interests pertinent to the Company, as well as individuals or entities that assume some type of risk, direct or indirect, with respect to the company. Among others, the following are highlighted: shareholders, investors, employees, society, clients, vendors, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic means of payment, and non-governmental organizations.
  • Compliance Risk: Represents the possibility of the Company suffering legal or administrative sanctions, financial losses, reputational damage and other damages arising from non-compliance with, or failures in observing, the legal framework, the infralegal regulations, the recommendations of the regulatory bodies, the applicable self-regulation codes, the internal regulations, the Code of Ethical Conduct and other guidelines established for the organization’s business and activities.
  • Affiliates: companies in which the Company has significant influence, whereby, pursuant to article 243, paragraph 4 and paragraph 5 of the Corporation Law, (i) there is significant influence when the Company holds or exercises the power to participate in the financial or operating policy decisions of a company, without, however, controlling it; and (ii) significant influence will be presumed when the Company holds 20% (twenty percent) or more of the voting capital of the corresponding company, without, however, controlling it.
  • Subsidiaries: companies in which the Company directly or indirectly holds partner or shareholder rights that assure it, on a permanent basis, preponderance in the corporate deliberations and the power to elect the majority of the officers, under the terms of article 243, paragraph 2 of Law 6.404/16 (Brazilian Corporation Law).
  • 1st line of responsibility: represented by all business and support area managers, who must ensure effective risk management within the scope of their direct organizational responsibilities.
  • 2nd line of responsibility: represented by the Vice Presidency of Risks, Compliance, Prevention and Security, which acts in an advisory and independent manner with the business and support areas, with assessment and reporting on risk management, Compliance, business continuity management, crisis management, money laundering prevention, fraud prevention, information security and control environment to the Presidency and the Risk Committee, which in turn reports to the Board of Directors. The performance of the 2nd line of responsibility is segregated and independent from the activities and management of the business and support areas, as well as Internal Audit.
  • 3rd line of responsibility: represented by Internal Audit, the purpose of which is to provide independent opinions to the Board of Directors, through the Audit Committee, about the risk management process, the effectiveness of internal controls, and corporate governance.

IX. General Provisions

Cielo’s Board of Directors is responsible for altering this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any documents to the contrary.