|Version|Date of Review|History|
|---|---|---|
|2|04/25/2019|Update of items I. Purpose, II. Scope, V. Outcome Management, VI. Responsibilities, VII. Additional Documentation and VIII. Concepts and Acronyms; Update of sub-items 1.2, 1.3, 1.7, 1.8 and 1.9; Inclusion of item IV. Exceptions and sub-items 1.4, 1.6 and 1.10 in item III. Guidelines.|
|3|04/23/2020|Updating Items I. Purpose, II. Scope, III. Guidelines Subitems 1, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, V. Management of Consequences, VI. Responsibilities, VII. Additional Documents and VII. Concepts and Acronyms. Including Subitems 2, 2.1, 2.2, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5 and 2.3.6.|
I. Purpose
Set forth the main guidelines and responsibilities related to Compliance, aiming at disseminating its practice at all levels of the Company, evidencing the importance of complying with regulatory rules, internal rules and the Code of Ethical Conduct, for the purposes of Compliance risk management, as well as presenting Cielo’s Compliance Program structure.
II. Scope
All members of the Management (officers, members of the Board of Directors and members of the Advisory Committees), members of the Fiscal Council and employees of the companies Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter “Cielo” or the “Company”.
All the Company’s Subsidiaries must establish their directives based on the guidance provided in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding the Affiliated Companies, the Company’s representatives working in the Management of Affiliated Companies should make efforts to set their directives based on the guidance provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
III. Guidelines
1. About the purpose and scope of the compliance:
1.1. Has a Compliance Program, which brings together the Company’s Compliance and Integrity programs, aimed at the Company’s responsible and civic-minded performance, in addition to complying with the requirements of regulatory and inspection authorities and external self-regulatory agents, and taking the management’s suggestions into account.
1.2. Ensures the annual preparation of the Compliance Report.
1.3. Disseminates the culture of Compliance at Cielo, through communications and training in matters related to Compliance.
1.4. Maintains communication channels with Management, Board of Directors, Audit Committee, and Risks Committee to report the results of Compliance-related activities, and any irregularities or failures identified.
1.5. Conducts its operations and makes business decisions observing the current laws, regulations, and provisions sanctioned by the regulatory and inspection authorities and external self-regulatory agents.
1.6. Assesses and monitors the Company’s adherence to the legal framework, the non-statutory rules, the advice issued by the oversight bodies, the Code of Ethical Conduct, internal rules, and other regulations to which the Company is bound.
1.7. Supports the assessment of reports received through the Ethics Channel.
1.8. Identifies, assesses, reports, and keeps updated a list of compliance risks to which the Company is exposed.
1.9. Has a qualified organizational unit, separate from the business areas and audit, to ensure that its activities are performed at the Company without generating a conflict of interests.
1.10. Ensures the resources necessary to identify, assess, measure, respond to, and report in a timely manner on Compliance risk-related issues.
2. Cielo’s Compliance Program (“Program”)
2.1 Cielo’s Compliance Program concatenates the efforts made within the scope of the Company’s Compliance Program and Integrity Program. The purpose is to expand operations beyond the specific scope of Compliance, creating a synergy that enables the ethical, risk, and compliance culture as a whole.
Directing efforts, enabling the communication between the Company and its different audiences, is what allows the development of a robust compliance environment at Cielo.
2.2 The Program is based on six elements, going through processes carried out mainly by the 2nd and 3rd lines of defense, encompassing activities from different areas of the Company. Through these six elements, Cielo carries out its activities related to compliance and integrity.
2.3 The elements are permeated by the conceptual and regulatory framework that supports all processes, materialized in the Company’s Purpose, Vision and Cultural Attributes, regulatory requirements, and rules from payment arrangement institutes (card brands), with:
Graphical representation of Cielo’s Compliance Program
2.3.1. Support from the senior management: Influences and inspires the conduct of employees and stakeholders, with a key role as an example to be followed by Cielo in its activities. The Company’s senior management is at the forefront of the actions and decisions of Cielo’s Compliance Program.
2.3.2. Risk Management: Cielo continuously identifies, maps, and acts to mitigate the risks to which the Company is exposed. With a dedicated team and structured risk management program, it is possible to report results, allowing the Company to prioritize activities, optimizing the use of available resources.
2.3.3. Regulatory Instruments: Cielo formalizes the commitments and guidelines of its business practices, which guide ethical and technical conduct in the Company’s activities. Its policies, rules, and procedures guide all employees regarding the necessary actions, decisions, and reports.
2.3.4. Awareness and Acculturation: The promotion of the Company’s rules and expectations regarding the conduct is carried out through communication and training on its prerogatives and responsibilities. This work is continuous, and the use of different tools is key for the success and promotion of an ethical culture and integrity in the Company.
2.3.5. Monitoring and Prevention: Continuous movement through which the Company evaluates its activities in line with the applicable internal and external rules. This element has the purpose of verifying the need to evolve/improve the established processes to prevent occurrences and assess deviations. Activities such as “Know your Client”, monitoring reports from the ethics channel, business continuity management, evaluation of subsidiaries and affiliates, periodic tests and audits are examples of actions that make up this element.
2.3.6. Remediation and Reporting: Some situations generate the need to establish action plans for remediation and/or accountability regarding deviations occurred. Such plans are monitored and reported, allowing exposed weaknesses to be addressed, promoting the continuous improvement of processes. The Company is committed to transparency in reports to internal management bodies and external bodies, such as regulators, self-regulators, and card brands, showing the events, assessments, action plans, implementations and improvements generated.
IV. Exceptions
Exceptions not foreseen in this Policy, when applicable, will be evaluated according to the Company’s Corporate Governance model.
V. Outcome Management
Employees, suppliers, or other stakeholders who notice any deviations from this Policy’s guidelines may report the fact to the Ethics Channel, through the channels below, anonymously or not.
- Telephone, toll-free: 0800 775 0808
Internally, non-compliance with this Policy’s guidelines entails the application of liability measures to the agents who fail to comply therewith, according to the seriousness of such non-compliance, and pursuant to internal rules.
VI. Responsibilities
- Management and Employees:
  - Comply and ensure compliance with this Policy and, when necessary, consult the Risk, Compliance and Prevention Board on situations conflicting with the guidelines described therein.
- Managers of the Business Areas:
  - Disseminate published legislation, as well as define action plans and deadlines for adherence and report to the Compliance Management.
  - Report to the Compliance Management events that may lead to compliance risks to the Company, as well as establish procedures and internal controls to mitigate them.
  - Apply Cielo’s Compliance Program guidelines to avoid, identify, and stop irregularities, fraud, corruption, and other deviations.
- Budget, Performance and Procurement Board:
  - Keep updated the registration and ratification of suppliers and request, at least, the formal acceptance by all relevant suppliers of the guidelines outlined in the Suppliers’ Code of Ethical Conduct and Anticorruption Policy.
- Legal Board:
  - Monitor and interpret the applicability of laws and rules enacted by regulators such as BACEN (Brazilian Central Bank), CVM (Brazilian Securities and Exchange Commission), and CMN (Brazilian National Monetary Council) to Cielo, and prepare an information bulletin to be submitted to the areas of interest.
  - Maintain a relationship with regulators, government agencies, and trade associations (ABECS, AFRAC, AMCHAM) acting as Cielo’s representative in demands established by such regulators.
  - Support the Risk, Compliance, and Prevention Board to keep the matrix of regulations updated, based on the rules set forth by BACEN, CVM, and CMN applicable to Cielo, to assess and monitor the Company’s compliance with the legal framework.
- Risk, Compliance and Prevention Board:
  - Independently define and assess compliance with the guidelines outlined in this Policy, keep it updated and clarify doubts relating to its content and application under BACEN Circular 3865/2017.
  - Implement and keep updated Cielo’s Compliance Program, as well as annually issue a report on the adherence to the current regulatory requirements that govern the subject, under Law 12846/2013 and Decree 8420/2015.
  - Coordinate the Compliance, Risk Management, and Internal Control activities together with business and support areas, acting independently in the performance of its duties.
  - Prepare and keep updated, supported by the Legal Executive Board, the matrix of regulations and compliance risks, based on the rules set forth by BACEN, CVM, and CMN applicable to Cielo.
  - Monitor the solution of issues presented in the report of non-compliance with legal and regulatory provisions prepared by an independent auditor.
  - Support the assessment of the reports received in the Ethics Channel, when applicable.
  - Prepare an annual report on Cielo’s Compliance Program, with the results of activities, according to BACEN Circular 3865/2017. This report is filed for a minimum period of five years, encompassing main conclusions, recommendations, and measures taken by the Compliance structure in the reference year.
  - Support the preparation of an assessment report of the Internal Controls System in compliance with CMN Resolution 2554/98.
  - Conduct the compliance risk management, aiming at its identification, assessment, measurement, response, and timely reporting, based on the guidelines of the Corporate Risk Management and Internal Controls Policy and adherence to the requirements of BACEN Circular 3681/2013.
  - Report to the Board of Directors and the Board of Executive Officers the levels of adherence to current legislation and the results of compliance and risk assessment activities.
  - Assess and issue opinions on the risks deriving from the launch of new products and services, concerning Compliance, Anticorruption, Risk Management, and Internal Controls, considering the rules issued by BACEN, CMN, CVM and the rules established by the Brands.
  - Prepare training materials and normative instruments referring to the following issues: Compliance, Anticorruption, and Code of Ethical Conduct, as well as proactively disseminate a culture of compliance.
- Board of Directors:
  - Approve and review the Compliance Policy whenever necessary.
  - Ensure adequate dissemination of standards of integrity and ethical conduct as part of the Company’s culture.
  - Ensure that the compliance structure and policy are compatible with the nature, size, complexity, risk profile, and business model of the Company, with the allocation of personnel in sufficient number, properly trained, and with the experience necessary to perform the activities related to their role.
  - Ensure that corrective measures are taken when compliance failures are identified.
  - Ensure proper management and dissemination of the Compliance Policy to all employees and relevant third-party service providers.
VII. Additional Documentation
- BACEN Circular 3681/2013;
- BACEN Circular 3865/2017;
- Code of Conduct/Ethics;
- Code of Ethics and Conduct of Suppliers;
- Decree 8420/2015;
- Law 12846/2013;
- Law 6404/1976;
- Internal standards constantly improved, approved by the competent authorities, and made available to all employees.
- Anti-Corruption Policy;
- Policy on Corporate Risk Management and Internal Controls;
- Corporate Governance Policy;
- CMN Resolution No. 2,554/1998.
VIII. Concepts and Acronyms
- Compliance: Derives from the verb “to comply”, which means to act in accordance with and abide by the laws, decrees, rules, regulations, and instructions applicable to Cielo’s activities; non-compliance with them may result in sanctions, financial losses, and damage to reputation/image.
- Regulators: Agencies in charge of regulating, controlling, and inspecting the activities of certain economic sectors. Cielo, as a Payment Institution authorized to operate by the Central Bank of Brazil (BACEN), shall comply with the provisions issued by BACEN and the Brazilian National Monetary Council (CMN) inherent to its activities, and shall also comply with laws and antitrust guidance issued by the Brazilian Administrative Council for Economic Defense (CADE). Also, as Cielo is a publicly-held company, with its shares traded on the stock exchange, it shall observe the rules issued by the Brazilian Securities and Exchange Commission (CVM) and the regulations of B3 – Bolsa, Balcão, Brasil S/A.
- Compliance Program: Set of internal processes, controls, and procedures that ensure the Company’s adherence to the regulatory framework, non-statutory rules, the regulators’ recommendations, operational regulations established by Brands, the Code of Ethical Conduct and normative instruments.
- Integrity Program: Included in the set of activities making up the Compliance Program, represented by processes, controls, and procedures that have the purpose of encouraging the report of irregularities and application of the Code of Ethical Conduct, corporate governance guidelines, policies and standards aimed at the prevention, detection, and mitigation of deviations, frauds, irregularities and illegal acts practiced against the public administration, domestic or foreign.
- Stakeholders: Represents all relevant stakeholders of the Company, as well as individuals or entities undertaking any type of direct or indirect risk with the Company. Amongst others, we point out: shareholders, investors, employees, society, customers, suppliers, creditors, governments and regulatory agencies, competitors, press, professional associations and entities, users of electronic means of payment, and non-governmental organizations.
- Compliance Risk: Represents the possibility of the Company suffering legal or administrative sanctions, financial losses, damage to reputation and others due to the failure to comply with the legal framework, non-statutory regulations, recommendations of the regulators and applicable self-regulation codes, internal rules, the Code of Ethical Conduct and other guidelines laid down for the organization’s business and activities.
- Affiliated Companies: Companies in which the Company has significant influence. Under Article 243, Paragraphs 4 and 5 of the Brazilian Corporation Law, (i) there is a significant influence when the Company holds or exercises power to participate in the decisions of a company’s financial or operating policies, without, however, controlling it; and (ii) the significant influence will be assumed when the Company owns twenty percent (20%) or more of the voting capital of the said company, without controlling it.
- Controlled Companies: Companies in which the Company, directly or indirectly, holds the rights of a partner or shareholder that permanently assure it preponderance in corporate resolutions and the power to elect the majority of managers, under Article 243, Paragraph 2 of the Brazilian Corporation Law.
- 1st Line of Defense: Represented by all business areas and support managers, who must ensure effective risk management within the scope of their direct organizational responsibilities.
- 2nd Line of Defense: Represented by the Risk, Compliance and Prevention Board, which works on a consulting and independent basis with business and support areas, assessing and reporting the management of risks, compliance, management of business continuity, crises management and control environment to Cielo’s Executive Board and Board of Directors, through the Risk Committee. The activities under the 2nd line of defense are separate and independent from the activities and management of the business and support areas and Internal Audit.
- 3rd Line of Defense: Represented by the Internal Audit and has the purpose of providing independent opinions to the Board of Directors, through the Audit Committee, on the risk management process, the effectiveness of internal controls, and corporate governance.
IX. General Provisions
Cielo’s Board of Directors is responsible for changing this Policy whenever necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any rules and procedures to the contrary.