| Version: | Date of Review: | History: |
|---|---|---|
| 2 | 04/25/2019 | Update of items I. Purpose, II. Scope, V. Outcome Management, VI. Responsibilities, VII. Additional Documentation and VIII. Concepts and Acronyms; Update of sub-items 1.2, 1.3, 1.7, 1.8 and 1.9; Inclusion of item IV. Exceptions and sub-items 1.4, 1.6 and 1.10 in item III. Guidelines. |
| 3 | 04/23/2020 | Updating Items I. Purpose, II. Scope, III. Guidelines Subitems 1, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, V. Management of Consequences, VI. Responsibilities, VII. Additional Documents and VII. Concepts and Acronyms. Including Subitems 2, 2.1, 2.2, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5 and 2.3.6. |
| 4 | 05/27/2021 | Inclusion of item 1. Independence, and changes to item 2. About the Purpose and Scope of the Compliance Role, and item 3. Cielo Compliance Program (“Program”) in item III. Guidelines; Update of items II. Scope, VI. Responsibilities, VII. Additional Documentation, and VIII. Concepts and Acronyms. |
I. Purpose
Establish the main guidelines and responsibilities related to the Compliance role, aiming at disseminating its practice at all levels of the Company, evidencing the importance of complying with regulations, internal rules and the Code of Ethical Conduct, for the purposes of Compliance risk management, as well as presenting Cielo’s Compliance Program structure.
II. Scope
All members of the Board of Directors, Advisory Committees and Executive Board (“Management”), members of the Fiscal Council and employees, regardless of position or function held, of Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter referred to as “Cielo” or the “Company”.
All Company Subsidiaries must define their guidelines based on the guidelines provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding its Affiliates, the Company’s representatives acting as management members of the Affiliates must spare no effort for said companies to define their guidance based on the guidelines provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
III. Guidelines
1. Independence:
1.1. The Risk, Compliance and Prevention Board is responsible for the Company’s Compliance function and reports directly to the Chief Executive Officer, in addition to periodically reporting on issues regarding Risk Management, Compliance and Prevention to the Company’s Risks Committee, an advisory committee to the Board of Directors, ensuring its independence.
1.2. The members of the Risk, Compliance and Prevention Board act separately and independently from their activities and the management of their business divisions and supporting areas, as well as from the Internal Audit, so as to not generate conflicts of interest, with free access to the documentation necessary for the exercise of their duties related to the Compliance function.
1.3. The Risk, Compliance and Prevention Board has resources and adequately trained members with the necessary experience to carry out activities related to the Compliance function.
1.4. The compensation for the members of the Risk, Compliance and Prevention Board is determined independently from their activities in their business areas, so as to not generate conflicts of interest.
1.5. The Risk, Compliance and Prevention Board has communication channels with the Executive Board, the Audit Committee, and the Board of Directors, through the Risk Committee, to report timely results arising from activities related to the Compliance function, possible irregularities or identified failures.
1.6. The annual planning of the activities to be carried out by the Risk, Compliance and Prevention Board must be approved and monitored by the Risk Committee, evidencing the coordination of activities related to the Compliance function with risk management functions, as well as by the Internal Audit.
2. About the purpose and scope of the compliance role:
2.1. Has a Compliance Program, which brings together the Company’s Compliance and Integrity programs, aimed at the responsible and citizenship performance of the Company, besides complying with the requirements of regulatory and inspection authorities and self-regulator external agents, as well as considering the management’s suggestions.
2.2. Ensures the annual preparation of the Compliance Report, containing a summary of the results achieved by activities related to the compliance function, as well as the key conclusions, recommendations and measures taken by Cielo’s management, in accordance with current regulations issued by the Central Bank of Brazil on the matter.
2.3. Disseminates the culture of Compliance at Cielo, through communications and training in matters related to Compliance.
2.4. Conducts its operations and makes business decisions observing the current laws, regulations, and provisions sanctioned by the regulatory and inspection authorities and self-regulator external agents.
2.5. Tests, assesses and monitors the Company’s adhesion to the legal framework, non-statutory rules, recommendations issued by supervisory bodies, the Code of Ethical Conduct, normative instruments and other regulations to which the Company is bound, as established in the annual planning.
2.6. Provides support to the Board of Directors and Executive Board regarding compliance and the correct application of aforementioned item 2.5, including keeping these management bodies informed on relevant updates related to said matters.
2.7. Supports the assessment of reports received through the Ethics Channel, as applicable.
2.8. Identifies, assesses, reports and keeps an updated list of compliance risks to which the Company is exposed.
2.9. Ensures the resources necessary to identify, assess, measure, respond, and timely report on Compliance risk-related issues.
2.10. Reviews and monitors solutions on the matters raised in the non-compliance report for legal and regulatory provisions prepared by the independent auditor, in accordance with specific regulations.
2.11. Systematically and timely reports the results from activities related to the Compliance function to the Board of Directors.
3. Cielo’s Compliance Program (“Program”):
3.1. Cielo’s Compliance Program seeks to concatenate the efforts made within the scope of the Company’s Compliance Program and Integrity Program. The purpose is to expand operations beyond the specific scope of Compliance, creating a synergy that enables the ethical, risk, and compliance culture as a whole.
3.2. It is established to operate as a system, directing efforts, enabling communication between the Company and its different audiences and allowing the development of a robust compliance environment at Cielo.
3.3. The Program is based on six (6) elements, going through processes carried out mainly by the second (2nd) and third (3rd) lines of defense, encompassing activities from different areas of the Company, namely: (i) Support from Senior Management; (ii) Risk Management; (iii) Normative Instruments; (iv) Awareness and Acculturation; (v) Monitoring and Prevention, and (vi) Remediation and Reporting.
3.4. The elements are permeated by the conceptual and regulatory framework that supports all processes, materialized in the Company’s Purpose, Vision and Cultural Attributes, regulatory requirements, and rules from payment arrangement institutes (“card brands”).
Figure: Graphical representation of the Cielo Compliance Program.
3.5. Through these six elements, Cielo carries out its activities related to compliance and integrity:
3.5.1. Support from Senior Management: Through its example, Senior Management influences and inspires the conduct of employees and stakeholders, with a key role as an example to be followed by Cielo in its activities. The Company’s Senior Management understands that its support is essential for a robust Compliance Program to be implemented and, therefore, is ahead of the actions and decisions of Cielo’s Compliance Program, as well as responsible for enabling the independent performance of activities such as compliance, risk management, internal audit and corporate governance. Without this support, the performance of these areas becomes ineffective for the Company and for the sustainability of the business.
3.5.2. Risk Management: Cielo continuously identifies, maps, and acts to mitigate the risks to which the Company is exposed. With a dedicated team and structured risk management program, it is possible to report results, allowing the Company to prioritize activities and optimize the use of available resources.
3.5.3. Normative Instruments: Cielo is aware of its risks and thus focuses its efforts on the evolution of its processes. To achieve this, the Company formalizes the commitments and guidelines of its business practices, which guide the ethical and technical conducts of its activities. Through its Policies, Rules, and Procedures, the Company guides all employees regarding the necessary actions, decisions, and reports.
3.5.4. Awareness and Acculturation: The success of the Compliance Program relies on the dissemination and promotion of the rules and expectations regarding the Company’s conduct with its audiences. It is not possible to expect certain behavior, or action, in front of a process without knowing which parameters are to be followed. Communication and training are the most effective and efficient tools for the Company to make its audiences aware of their prerogatives and responsibilities. All training sessions carried out through the Regulatory Training Trail are part of the Cielo Compliance Program.
3.5.5. Monitoring and Prevention: A continuous movement through which the Company evaluates its activities in line with the applicable internal and external rules. This element has the purpose of verifying the need to evolve/improve the established processes to prevent occurrences and assess deviations. The Know Your Customer, Know Your Supplier, Know Your Partner and Know Your Employee due diligence procedures, in addition to the assessment of regulatory compliance, monitoring of brand rules, assessment of sub-accreditors, and periodic tests and audits are examples of actions that make up this element.
3.5.6. Remediation and Reporting: Some situations generate the need to establish action plans for remediation and/or accountability regarding deviations occurred. Such plans are monitored and reported, allowing exposed weaknesses to be addressed, promoting the continuous improvement of processes. The Company is committed to transparency in reports to internal management bodies and external bodies, such as regulators, self-regulators, and card brands, evidencing the events, assessments, action plans, implementations and improvements generated.
IV. Exceptions
Exceptions for treatment of situations not foreseen in this Policy, when applicable, shall be evaluated according to the Company’s Corporate Governance model.
V. Outcome Management
Employees, suppliers or other stakeholders who become aware of any non-compliance with the guidelines of this Policy may report it to the Ethics Channel, either anonymously or not, at:
- Toll free: 0800 775 0808
Internally, those who do not comply with the guidelines of this Policy shall be subject to accountability measures based on the seriousness of such non-compliance and in accordance with internal rules.
VI. Responsibilities
- Management and Employees:
  - Comply and ensure compliance with this Policy and, when necessary, consult the Risk, Compliance and Prevention Board on situations conflicting with the guidelines described therein.
- Managers of the Business Areas:
  - Disseminate published legislation and regulations, as well as define action plans and deadlines for adhesion and report to the Risk, Compliance and Prevention Board.
  - Report to the Risk, Compliance and Prevention Board events that may lead to compliance risks to the Company, as well as establish procedures and internal controls to mitigate them.
  - Apply Cielo’s Compliance Program guidelines to avoid, identify, and stop irregularities, fraud, corruption, and other deviations.
- Efficiency and Procurement Board:
  - Maintain an updated registration and ratification of suppliers and request, at least, the formal acceptance of all relevant suppliers to the guidelines outlined in the Suppliers’ Code of Ethical Conduct, the Anticorruption Policy and Other Applicable Normative Instruments.
  - Carry out and monitor with quality and suitability criteria the Know Your Supplier assessment, according to internal rules and procedures. Additionally, communicate to the Risk, Compliance and Prevention Board evidences of corruption by suppliers, when identified.
- Legal and Governmental Relations Board:
  - Monitor and interpret the applicability of laws and norms enacted by regulators such as the Brazilian Central Bank (“BACEN”), the Brazilian Securities and Exchange Commission (“CVM”), and the Brazilian National Monetary Council (“CMN”) to Cielo, and prepare an information bulletin to be submitted to the areas of interest.
  - Maintain a relationship with regulators, government agencies, and trade associations (ABECS, AFRAC, AMCHAM) acting as Cielo’s representative in demands established by such regulators.
  - Support the Risk, Compliance, and Prevention Board to keep the matrix of regulations updated, based on the rules set forth by BACEN, CVM, and CMN applicable to Cielo, to assess and monitor the Company’s compliance to the legal framework.
- Risk, Compliance and Prevention Board:
  - Independently define and assess compliance with the guidelines outlined in this Policy, maintain it updated and clarify questions relating to its content and application, pursuant to regulations in force issued by the Central Bank of Brazil on the matter.
  - Implement and maintain Cielo’s Compliance Program updated, with the support of other areas that have attributions in the Program’s operations.
  - Coordinate the Compliance, Risk Management, and Internal Control activities together with business and support areas, acting independently in the performance of its duties.
  - Prepare and maintain updated, supported by the Legal and Governmental Relations Board, the matrix of regulations and compliance risks, based on the rules established by BACEN, CVM, and CMN applicable to Cielo.
  - Monitor the solution of issues presented in the report of non-compliance with legal and regulatory provisions prepared by an independent auditor.
  - Support the assessment of the reports received in the Ethics Channel, as applicable.
  - Prepare an annual report on Cielo’s Compliance Program, with the results of activities, pursuant to regulations in force issued by the Central Bank of Brazil on the matter. This report is filed for a minimum period of five (5) years, encompassing main conclusions, recommendations, and measures taken by the Compliance structure in the reference year.
  - Support the preparation of an assessment report of the Internal Controls System in compliance with CMN Resolution 2.554/98.
  - Conduct the compliance risk management, aiming at its identification, assessment, and measurement, response, and timely reporting, based on the guidelines of the Corporate Risk Management and Internal Controls Policy and adhesion to the requirements of Circular BACEN 3,681/2013.
  - Report to the Board of Directors and the Board of Executive Officers the levels of adhesion to current legislation and the results of compliance and risk assessment activities.
  - Assess and issue opinions on the risks deriving from the launch of new products and services, concerning Compliance, Anticorruption, Risk Management, and Internal Controls, considering the rules issued by BACEN, CMN, CVM and the rules established by the Brands.
  - Monitor the completion of the Regulatory Training Trail and indicate the need to prepare and/or review training according to new regulations.
  - Revise and update annually, as necessary, training materials for the Regulatory Training Trail: Anticorruption, Money Laundering Prevention, Code of Ethical Conduct, Information Security and the General Law for the Protection of Personal Data (“LGPD”).
  - Pro-actively disseminate an ethical, Compliance, integrity and anti-corruption culture.
- Board of Directors:
  - Approve and review the Compliance Policy, as necessary.
  - Ensure adequate dissemination of standards of integrity, ethical conduct and compliance as part of the Company’s culture.
  - Ensure that the Compliance Policy and the Cielo Compliance Program are compatible with the nature, size, complexity, risk profile, and business model of the Company for an effective management of compliance risk.
  - Promote the necessary means so that the activities related to the Compliance role are properly carried out, in accordance with the regulations of the Central Bank of Brazil on the matter, with the allocation of personnel in sufficient number, properly trained, and with the experience necessary to perform the activities related to their role.
  - Ensure that corrective measures are taken when compliance failures are identified.
  - Ensure proper management and the recurring application of the Compliance Policy, as well as its dissemination to all employees and relevant third-party service providers.
- Risks Committee:
  - Analyze the Annual Compliance Report, prepared pursuant to the regulations of the Central Bank of Brazil on the matter.
  - Update and report to the Board of Directors, on a quarterly basis, the evaluation of results regarding management of risks, business continuity, internal controls, compliance and minimum equity requirements, as well as the level of adhesion of the risk management structure to the Company’s applicable Normative Instruments in force, providing a broad and integrated view of the risks and their impacts.
VII. Additional Documentation
- BCB Resolution 65/2021;
- BACEN Circular Letter 3,681/2013;
- Code of Ethical Conduct;
- Supplier’s Code of Ethical Conduct;
- Decree 8,420/2015; https://www.cielo.com.br/fornecedores/
- Internal regulations constantly improved, approved by the competent levels and made available to all employees;
- Anticorruption Policy;
- Policy on Corporate Risk Management and Internal Controls;
- Corporate Governance Policy;
- CMN Resolution 2,554/1998.
VIII. Concepts and Acronyms
- Compliance: Derives from the verb “to comply”, which means to act under and abide by the laws, decrees, rules, regulations, and instructions applicable to Cielo’s activities, which, in the assumption of non-compliance, may result in sanctions, financial losses, and damages to reputation/image.
- Regulators: Agencies in charge of regulating, controlling, and inspecting the activities of certain economic sectors. Cielo, as a Payment Institution authorized to operate by the Central Bank of Brazil (“BACEN”), shall comply with the provisions issued by BACEN and the Brazilian National Monetary Council (“CMN”) inherent to its activities, and shall also comply with laws and antitrust guidance issued by the Brazilian Administrative Council for Economic Defense (“CADE”). Also, as Cielo is a publicly-held company, with its shares traded on the stock exchange, it shall observe the regulations issued by the Brazilian Securities and Exchange Commission (“CVM”) and the regulations of B3 – Bolsa, Balcão, Brasil S/A.
- Compliance Program: Set of internal processes, controls, and procedures that ensure the Company’s adhesion to the regulatory framework, non-statutory rules, the regulators’ recommendations, operational regulations established by Brands, the Code of Ethical Conduct and normative instruments.
- Integrity Program: Included in the set of activities making up the Compliance Program, represented by processes, controls, and procedures that have the purpose of encouraging the report of irregularities and application of the Code of Ethical Conduct, corporate governance guidelines, policies and standards aiming at the prevention, detection, and mitigation of deviations, frauds, irregularities and illegal acts practiced against the public, domestic or foreign administration.
- Stakeholders: All relevant public with interests relevant to the Company or individuals or entities that take some type of risk, direct or indirect, before society. These include, among others: shareholders, investors, employees, society, customers, suppliers, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic payment methods and non-profit organizations.
- Compliance Risk: Represents the possibility of the Company suffering legal or administrative sanctions, financial losses, damages to reputation and other damages arising from the failure to comply with legal framework, non-statutory regulations, recommendations of the regulatory bodies and applicable self-regulation codes, internal rules, the Code of Ethical Conduct and other guidelines established for the Company’s business and activities covered by the Compliance Policy.
- Affiliated Companies: companies in which the Company has significant influence, whereby, pursuant to Article 243, Paragraphs 4 and 5 of the Brazilian Corporation Law, (i) there is a significant influence when the Company holds or exercises power to participate in the decisions of a company’s financial or operating policies, without, however, controlling it; and (ii) the significant influence shall be assumed when the Company owns twenty percent (20%) or more of the voting capital of the said company, without controlling it.
- Subsidiaries: companies in which the Company, directly or indirectly, holds rights as a partner or shareholder that permanently ensure it preponderance in social resolutions and the power to elect the majority of managers, pursuant to Article 243, Paragraph 2, of Brazilian Corporation Law.
- 1st Line of Defense: Represented by all business areas and support managers, who must ensure the effective risk management within the scope of their direct organizational responsibilities.
- 2nd Line of Defense: Represented by the Risk, Compliance and Prevention Board, which works on a consulting and independent basis with business and support areas, assessing and reporting the management of risks, compliance, management of business continuity, crises management, money laundering prevention, fraud prevention, information security, and control environment to Cielo’s Executive Board and Board of Directors, through the Risk Committee. The activities under the 2nd line of defense are separate and independent from the activities and management of the business and support areas, as well as the Internal Audit.
- 3rd Line of Defense: Represented by the Internal Audit, which is responsible for providing independent opinions to the Board of Directors, through the Audit Committee, on the risk management process, the effectiveness of internal controls, and corporate governance.
IX. General Provisions
Cielo’s Board of Directors is responsible for amending this Policy, as necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any contrary documents.