| Version: | Date of Review: | History: |
|---|---|---|
| 2 | 04/25/2019 | Update of items I. Purpose, II. Scope, V. Outcome Management, VI. Responsibilities, VII. Additional Documentation and VIII. Concepts and Acronyms; Update of sub-items 1.2, 1.3, 1.7, 1.8 and 1.9; Inclusion of item IV. Exceptions and sub-items 1.4, 1.6 and 1.10 in item III. Guidelines. |
I. Purpose
Set forth the main guidelines and responsibilities related to compliance, aiming at disseminating its practice at all levels of Cielo S.A. (“Cielo” or “Company”), evidencing the importance of complying with regulatory rules, internal rules and the Code of Ethical Conduct, for the purposes of compliance risk management, as well as presenting the Compliance Program structure.
II. Scope
All Management (Statutory Officers, members of the Board of Directors, Fiscal Council, Advisory Committees of the Board of Directors) and employees of Cielo S.A., Servinet Serviços Ltda. and Aliança Pagamentos e Participações Ltda., as well as all of their respective managers, employees and related representatives.
In addition, the Company expects subsidiaries, associated companies and investees to define their guidelines based on this Policy, considering their specific needs and the legal and regulatory aspects to which they are subject.
III. Guidelines
1. Regarding Compliance, Cielo:
1.1. Maintains an Integrity Program aimed at the responsible and civic-minded performance of the Company, in addition to complying with the requirements of regulatory and inspection authorities and external self-regulatory agents.
1.2. Maintains communication channels with Management, the Board of Directors, the Audit Committee and the Risks Committee to report the results of compliance-related activities and any irregularities or failures identified.
1.3. Disseminates a culture of Compliance at Cielo, through the training of employees and relevant outsourced workers in compliance-related issues.
1.4. Conducts its operations and makes business decisions observing the current laws, regulations and provisions sanctioned by the regulatory and inspection authorities and external self-regulatory agents.
1.5. Assesses and monitors the Company’s adherence to the legal framework, the non-statutory rules, the advice issued by the oversight bodies, the Code of Ethical Conduct, internal rules and other regulations to which the Company is bound.
1.6. Supports the assessment of reports received through the Ethics Channel.
1.7. Identifies, assesses, reports, and keeps updated a list of compliance risks to which the Company is exposed.
1.8. Has a qualified organizational unit, separate from the business areas and audit, to ensure the performance of its activities at the Company without generating conflicts of interest.
1.9. Ensures the resources necessary to identify, assess, measure, respond to and report in a timely manner on compliance risk-related issues.
1.10. Ensures the preparation of the Compliance Report, at least once a year, with the Integrity Program attached to it.
IV. Exceptions
Exceptions not foreseen in this Policy, when applicable, will be evaluated according to the Company’s Corporate Governance model.
V. Outcome Management
Employees, suppliers or other stakeholders who notice any deviations from this Policy’s guidelines may report the fact to the Ethics Channel (www.canalconfidencial.com.br/cielo or 0800 775 0808), anonymously or not.
Internally, non-compliance with this Policy’s guidelines entails the application of accountability measures to the agents who fail to comply therewith, according to the seriousness of such non-compliance and pursuant to internal rules.
VI. Responsibilities
- Management and Employees:
– Comply with and ensure compliance with this Policy and, when necessary, consult the Risk Management and Compliance Executive Board on situations conflicting with the guidelines described therein.
- Managers of the Business Areas:
– Disseminate published legislation, define action plans and deadlines for adherence, and report to the Compliance Management.
– Report to the Compliance Management events that may lead to compliance risks to the Company, as well as establish procedures and internal controls to mitigate them.
– Apply the Integrity Program guidelines in order to avoid, identify and stop irregularities, fraud and corruption.
- Compliance Agents:
– Identify and compile the inherent risks in the activities of their respective areas.
– Evaluate and discuss with the Compliance Management preventive actions to minimize risks and implement actions.
– Report to the Compliance Management events that may bring risks to the Company.
– Support the Risk Management and Compliance Executive Board in disseminating a culture of Risk Management, Internal Control and Compliance.
- Legal Executive Board:
– Monitor and interpret the applicability of laws and rules enacted by regulators such as BACEN (Brazilian Central Bank), CVM (Brazilian Securities and Exchange Commission) and CMN (Brazilian National Monetary Council) to Cielo, and prepare an information bulletin to be submitted to the areas of interest.
– Maintain a relationship with regulators, government agencies, and trade associations – ABECS, AFRAC, AMCHAM – acting as Cielo’s representative in demands established by such regulators.
– Support the Risk Management and Compliance Executive Board to keep the matrix of regulations updated, based on the rules set forth by BACEN, CVM and CMN applicable to Cielo.
- Risk Management and Compliance Executive Board:
– Independently define and assess compliance with the guidelines set forth in this Policy, keep it updated and clarify doubts relating to its content and application, in accordance with BACEN Circular No. 3,865/2017.
– Implement and keep updated the Integrity Program, as well as annually issue a report on adherence to the current regulatory requirements that govern the subject, in accordance with Law No. 12,846/2013 and Decree No. 8,420/2015.
– Coordinate the Compliance, Risk Management, and Internal Control activities together with business and support areas, acting independently in the performance of its duties.
– Prepare and keep updated, supported by the Legal Executive Board, the matrix of regulations and compliance risks, based on the rules set forth by BACEN, CVM, and CMN applicable to Cielo.
– Assess Cielo’s adherence to the regulatory framework, non-statutory rules, the regulators’ recommendations, operational regulations established by Brands, the Code of Ethical Conduct and normative instruments.
– Monitor the solution of issues presented in the report of non-compliance with legal and regulatory provisions prepared by an independent auditor.
– Support the assessment of the reports received in the Ethics Channel, when applicable.
– Prepare an annual report on the Compliance Program, containing the results of compliance activities, according to BACEN Circular No. 3,865/2017. This report is filed for a minimum period of five years, encompassing the main conclusions, recommendations and measures taken by the Compliance structure in the reference year, as well as a diagnosis of the Integrity Program.
– Support the preparation of an assessment report of the Internal Controls System in compliance with CMN Resolution No. 2,554/98.
– Conduct compliance risk management, aiming at the identification, assessment, measurement, response and timely reporting of such risk, based on the guidelines of the Corporate Risk Management and Internal Controls Policy and adherence to the requirements of BACEN Circular No. 3,681/2013.
– Report to the Board of Directors and to the Board of Executive Officers the levels of adherence to current legislation and the results of compliance and risk assessment activities.
– Assess and issue opinions on the risks deriving from the launch of new products and services, in relation to Compliance, Anticorruption, Risk Management and Internal Controls, considering the rules issued by BACEN, CMN, CVM and the rules established by the Brands.
– Prepare training materials and normative instruments referring to the following issues: Compliance, Anticorruption and Code of Ethical Conduct, as well as proactively disseminate a culture of compliance.
- Procurement Executive Board:
– Keep the registration and ratification of suppliers updated and request, at a minimum, formal acceptance by all relevant suppliers of the guidelines set forth in the Suppliers’ Code of Ethical Conduct and in PLT 001 Anticorruption.
- Board of Directors:
– Approve and review the Compliance Policy whenever necessary.
– Ensure adequate dissemination of standards of integrity and ethical conduct as part of the Company’s culture.
– Ensure that the compliance structure and policy are compatible with the nature, size, complexity, risk profile and business model of the Company, with the allocation of personnel in sufficient number, properly trained and with the experience necessary to perform the activities related to their role.
– Ensure that corrective measures are taken when compliance failures are identified.
– Ensure proper management and dissemination of the Compliance Policy to all employees and relevant third-party service providers.
VII. Additional Documentation
- CMN Resolution No. 2,554/1998.
- BACEN Circular No. 3,681/2013.
- BACEN Circular No. 3,865/2017.
- Law No. 12,846/2013.
- Decree No. 8,420/2015.
- Code of Ethical Conduct
- Suppliers’ Code of Ethical Conduct
- PLT 001 Anticorruption
- PLT 019 Corporate Risk Management and Internal Control
- PLT_024 Risk Management Governance
- Internal rules, which are constantly improved, approved by competent bodies and available to all employees.
VIII. Concepts and Acronyms
- Compliance: Derives from the verb “to comply”, which means to act in accordance with and abide by the laws, decrees, rules, regulations, and instructions applicable to Cielo’s activities, which, in the event of non-compliance, may result in sanctions, financial losses, and damages to reputation/image.
- Regulators: Agencies in charge of regulating, controlling and inspecting the activities of certain economic sectors. Cielo, as a Payment Institution authorized to operate by the Central Bank of Brazil – BACEN, shall comply with the provisions issued by BACEN and the Brazilian National Monetary Council – CMN inherent to its activities, and shall also comply with laws and antitrust guidance issued by the Brazilian Administrative Council for Economic Defense – CADE. In addition, as Cielo is a publicly-held company, with its shares traded on the stock exchange, it shall observe the rules issued by the Brazilian Securities and Exchange Commission – CVM and the regulations of B3 – Bolsa, Balcão, Brasil S/A.
- Compliance Program: Set of internal processes, controls and procedures that ensure the Company’s adherence to the regulatory framework, non-statutory rules, the regulators’ recommendations, operational regulations established by Brands, the Code of Ethical Conduct and normative instruments.
- Integrity Program: Set of internal processes, controls and procedures of compliance, integrity and audit, promoting the reporting of irregularities and the application of the Code of Ethical Conduct, corporate governance guidelines, policies and standards, aimed at the prevention, detection and mitigation of deviations, frauds, irregularities and illegal acts practiced against the public administration, domestic or foreign.
- Compliance Risk: Represents the possibility of the Company suffering legal or administrative sanctions, financial losses, reputational damage and others due to the failure to comply with the legal framework, non-statutory regulations, recommendations of the regulators and applicable self-regulation codes, internal rules, the Code of Ethical Conduct and other guidelines laid down for the organization’s business and activities.
- Stakeholders: The Company’s interested parties, or also, individuals or entities assuming any type of direct or indirect risk towards the Company. Among others, we highlight: shareholders, investors, employees, society, customers, suppliers, creditors, government bodies, regulators, competitors, press, union associations and entities, users of electronic means of payment, and non-governmental organizations.
- Compliance Agents: Employees designated as focal points of the business areas for aspects related to compliance.
It shall be incumbent upon the Company’s Board of Directors to amend this Policy whenever necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any contrary rules and procedures.