|Version:||Date of Review:||History:|
Set forth the main guidelines and responsibilities related to compliance, in order to disseminate its practice at all levels of Cielo and to evidence the relevance of complying with regulatory rules, internal rules and the Code of Ethical Conduct, for the purposes of compliance risk management.
All Management (Statutory Officers, members of the Board of Directors, Fiscal Council, advisory committees of the Board of Directors) and employees of Cielo S.A.
1. Referring to Compliance, Cielo:
1.1. has an Integrity Program aimed at the responsible and civic-minded performance of the Company, in addition to complying with the requirements of regulatory and inspection authorities and external self-regulatory agents.
1.2. has communication channels with Management, the Board of Directors and the Audit Committee to report the results of compliance-related activities and any irregularities or failures identified.
1.3. disseminates a culture of Risk Management, Internal Controls, and Compliance at Cielo by maintaining training for employees and relevant outsourced workers on compliance-related issues.
1.4. assesses and monitors the Company’s adherence to the legal framework, the non-statutory rules, the advice issued by the oversight bodies, the Code of Ethical Conduct, internal rules and other regulations to which the Company is bound.
1.5. identifies, assesses, reports, and keeps updated a list of compliance risks to which the Company is exposed.
1.6. has a qualified and independent organizational unit, separate from business areas and audit, aiming at ensuring the performance of its activities at the Company.
1.7. ensures the resources necessary to identify, assess, measure and respond to compliance risks, and to report appropriately on compliance risk-related issues.
IV. Outcome Management
Employees, suppliers or other stakeholders who notice any deviation from this Policy’s guidelines may report the fact to the Ethics Channel (www.canalconfidencial.com.br/cielo or 0800 775 0808), anonymously or not.
Internally, failure to comply with this Policy’s guidelines results in the application of liability measures to the agents who fail to comply, according to the seriousness of the non-compliance.
- Management and Employees:
Observe and ensure compliance with this Policy and, when necessary, consult the Risk Management and Compliance Executive Board on situations conflicting with the guidelines described herein.
- Legal Executive Board:
Monitor and interpret the applicability of laws and rules enacted by regulators, BACEN (Brazilian Central Bank), CVM (Brazilian Securities and Exchange Commission) and CMN (Brazilian National Monetary Council) to Cielo, and prepare an information bulletin and forward it to the areas of interest.
Maintain a relationship with regulators, government agencies, and professional associations – ABECS (Brazilian Association of Credit Card and Services Companies), acting as Cielo’s representative in demands established by those regulators.
- Risk Management and Compliance Executive Board:
Independently define and assess compliance with the guidelines set forth herein, keep them updated and clarify doubts relating to their content and application.
Implement and keep updated the Integrity Program.
Coordinate the Compliance, Risk Management, and Internal Control activities together with business and support areas, acting independently in the performance of its duties.
Prepare and keep updated, with the support of the Legal Executive Board, the matrix of regulations and compliance risks, based on the rules set forth by regulators BACEN, CVM, and CMN applicable to Cielo.
Assess Cielo’s adherence to the regulatory framework, the non-statutory rules, the regulators’ recommendations, operational regulations established by Brands, the Code of Ethical Conduct and normative instruments.
Monitor the solution of issues presented in the report of non-compliance with legal and regulatory provisions prepared by an independent auditor.
Prepare an annual report containing the results of compliance activities, encompassing main conclusions, recommendations and measures taken, and keep these reports on file for at least five years.
Support the drawing up of an assessment report of the Internal Controls System in compliance with CMN Resolution No. 2.554/98.
Conduct compliance risk management, covering the identification, assessment, measurement, response to and appropriate reporting of such risk.
Provide support and report, at least yearly, to the Board of Directors and the Board of Executive Officers on the levels of adherence to prevailing rules and on the results of compliance activities and risk assessment.
Assess and issue opinions on the risks deriving from the launch of new products and services, considering the rules issued by regulators, BACEN, CMN, CVM and the rules established by the Brands.
Prepare training materials and normative instruments referring to the following issues: Compliance, Anticorruption and Code of Ethical Conduct, and act proactively to disseminate a culture of compliance.
- Procurement Executive Board:
Keep updated the registration and ratification of suppliers and request, at least, the formal acceptance by all relevant suppliers of the guidelines set forth in the Suppliers Code of Ethical Conduct and in PLT_001 Anticorruption.
- Board of Directors:
Approve and review the compliance policy whenever necessary.
Disseminate honesty and ethical conduct standards as part of the institution’s culture.
Ensure that the compliance structure and policy are compatible with the nature, size, complexity, risk profile and business model of the institution, with the allocation of personnel in sufficient number, properly trained and with the experience necessary to perform the activities related to their role.
Ensure that corrective measures are taken when compliance failures are identified.
Ensure proper management and communication of the compliance policy to all employees and relevant outsourced workers.
VI. Additional Documentation
- CMN Resolution No. 2.554/1998.
- BACEN Circular No. 3.681/2013.
- BACEN Circular No. 3.865/2017.
- Law No. 11.795/2008, Articles 6 and 7, item III.
- Law No. 12.865/2013, Paragraph 9, items II and IX, and 15.
- Code of Ethical Conduct.
- Suppliers Code of Conduct.
- PLT_019 Corporate Risk, Internal Controls, and Compliance Integrated Management.
- Internal rules continuously improved, approved by the appropriate authorities and made available to all employees.
VII. Concepts and Acronyms
- Compliance: it derives from the verb “to comply”, which means to act in accordance with and abide by the laws, decrees, rules, regulations, and instructions applicable to Cielo’s activities, which, in the event of non-compliance, may result in sanctions, financial losses, and damages to reputation/image.
- Regulators: These are agencies in charge of regulating, controlling and inspecting the activities of certain economic sectors. Cielo, as a Payment Institution authorized to operate by the Brazilian Central Bank – BACEN, shall comply with the provisions issued by the Brazilian Central Bank – BACEN and the Brazilian National Monetary Council – CMN inherent to its activities, and shall also comply with laws and antitrust guidance issued by the Brazilian Administrative Council for Economic Defense – CADE. In addition, as Cielo is a publicly-held company, with its shares traded on the stock exchange, it shall observe the rules issued by the Brazilian Securities and Exchange Commission – CVM.
- Integrity Program: Set of internal processes, controls and procedures for compliance, integrity and audit, for encouraging the reporting of irregularities, and for applying the Code of Ethical Conduct, corporate governance guidelines, policies and standards, aimed at the prevention, detection and mitigation of deviations, frauds, irregularities and illegal acts practiced against domestic or foreign public administration.
- Compliance Risk: it represents the possibility of the company suffering legal or administrative sanctions, financial losses, reputational damage and other harm due to failure to comply with the legal framework, non-statutory regulations, recommendations of the regulators and applicable self-regulation codes, internal rules, the Code of Ethical Conduct and other guidelines laid down for the organization’s business and activities.
It shall be incumbent upon the Company’s Board of Directors to amend this Policy whenever necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any contrary rules and procedures.