Corporate Risk Management and Internal Controls Policy
|Version:||Date of Review:||History:|
This policy replaces the former policy PLT_007 Management of Corporate Risks.
|2||02/20/2019||Title changed from “Integrated Management of Corporate Risks, Internal Controls and Compliance” to “Management of Corporate Risks and Internal Controls”;
Updating the entire content of the policy in compliance with the Cielo’s current practices.
|3||01/23/2020||Including Servinet Serviços Ltda, Aliança Pagamentos e Participações Ltda, and Stelo S.A within the scope of this Policy. Including Guidelines 1.4 for Internal Controls, 3.5 and 3.6 for Operational Risk, 5.1 and 5.2 for Strategic Risk, 6.1 and 6.2 for Reputation Risk. Including Item 8 on money laundering risk and financing of terrorism and Item 9 on compliance risk. Proofreading Guidelines 1.1, 1.3, 1.5, 2.1, 2.3, 2.4, 2.5, 3.1, 3.5, 3.6, 4.1, 4.2, 5.6 and 6.4. Proofreading the Item Responsibilities.|
|4||02/25/2021||Wording adjustments in the items: I. Purpose, II. Scope, III. Guidelines, V. Responsibilities, VI. Additional Documentation, VII. Concepts and Acronyms. Relevant updates in the items: III. Guidelines: Inclusion of guideline 1 about risk appetite management; joining non-financial risks in guideline 4; joining of the guidelines and responsibilities present in the
Credit, Liquidity and Market Risk Management Policy. V. Responsibilities: Inclusion of new responsibilities for the Risk, Compliance and Prevention Board. VI. Additional Documentation:
Inclusion of the Anti-Corruption Policy and removal of the Credit, Liquidity and Market Risk Management Policy. VII. Concepts and Acronyms: Inclusion of definitions: risk committee; non-financial risks; default; liquidity contingency plan; financial reserve; emerging risks and
opportunities; credit risk, liquidity risk; market risk; control system; Affiliated Companies; Subsidiaries; sub-accreditor; and deferred sales.
Establishing the main guidelines regarding the management of corporate risks and internal controls, in compliance with the applicable regulations and good market practices, with a view to protecting Cielo’s business and financial situation.
All members of the Management (officers, members of the Board of Directors and members of the Advisory Committees), members of the Fiscal Council and employees of the companies Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter (“Cielo” or “Company”).
All of the Company’s Subsidiaries must establish their directives based on the guidance provided in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding the Affiliated Companies, the Company’s representatives working in the Management of Affiliated Companies should make efforts to set their directives based on the guidance provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
1. Regarding the management of appetite and risk tolerance, Cielo:
1.1. Annually reviews its risk appetite statement, including the metrics used for the established limits, as well as monitors and reports the risk appetite and tolerance indicators to the Executive Board and the Board of Directors, through the Risk Committee.
2. Regarding the management of internal controls, Cielo:
2.1. Has an internal method based on models and guides to good market practices (“method”) that provides information to identify, evaluate, answer, monitor and report to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as appropriate, the state of its control environment.
2.2. Aligns the structure of internal controls to its purposes, internal regulations, business strategies, complexity and risks of the operations carried out.
2.3. Prioritizes the identification, assessment and mitigation of operational risk in processes based on qualitative and/or quantitative criteria, which consider aspects related to image, regulatory requirements, financial impact, impact on clients and operational impacts.
2.4. Focuses on organizing its structure in a manner compatible with its activities, ensuring the necessary segregations to mitigate any conflicts in the conduct of business.
2.5. Continuously assesses the risks in the control environment regarding aspects of impact and vulnerability of the controls environment, to allow its prioritization for treatment purposes, promoting an effective internal controls system.
2.6. Manages the occurrences of risk and addresses mitigating and/or corrective action plans for the risks identified.
3. Regarding the business continuity and crisis management, Cielo:
3.1. Has a method that provides information to identify, assess, answer, monitor and report events of business discontinuity and crises to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as the case may be.
3.2. Identifies internal and external threats that may compromise the continuity of the Company’s operations, as well as potential impacts on the operation deriving from the materialization of these threats.
3.3. Has contingency plans and mechanisms to ensure the continuity of payment services provided.
3.4. Has a crisis management and response structure, supported by adequate levels of authority and competence, which ensure effective and timely communication to stakeholders, including the Central Bank of Brazil (BACEN), when there is an indication of relevance for such, in compliance with the current regulations and with the internal rules (NRM_105 Crisis Management).
3.5. Implements and keeps an evolutionary process of Business Continuity Management, focused on ensuring the maintenance of its critical activities in an acceptable service level, during the recovery after unavailability, monitoring and protecting its image and the consequent reputational risk, according to the internal rule (NRM_034 Management of the Business Continuity).
3.6. Holds training sessions, tests, and analyses that ensure the maintenance and good operation of the business continuity plans.
4. Regarding the management of non-financial risks, Cielo:
4.1. Has a method that provides information to identify, assess, answer, monitor and report events of operational risk to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as the case may be.
4.2. Identifies and assesses the operational risks in products, services, systems, and processes, and keeps an updated list of main operational risks to which the Company is exposed.
4.3. Has a database of operational losses incorporating the main attributes of the loss events, according to objective and transparent criteria.
4.4. Manages the operational risk by monitoring the limits established and the evolution of operational losses focused on addressing action plans to adjust the control environment and reduce the company’s exposure to such risk.
4.5. Monitors risks related to Information Technology and, among others, applies assessment questionnaires, which are based on decision criteria regarding the outsourced data processing and storage and cloud computing services, to select its suppliers, in compliance with the guidelines established in the Procurement Policy and in line with the regulations in force.
4.6. Evaluates, manages and monitors the operational risk arising from outsourced data processing and storage and relevant cloud computing services, for its regular operation.
4.7. Regarding social, environmental and climatic risk, it manages the social, environmental and climatic aspects and impacts of its processes, operations, products and services, including employees, customers, suppliers and partners, seeking to achieve the objectives described in the sustainability policy, Code of Ethical Conduct and Suppliers Code of Ethical Conduct.
4.8. Approves, contracts and evaluates critical suppliers, considering social, environmental and climatic aspects that may represent potential risks for Cielo and its customers.
4.9. Carries out cycles of strategic planning every 3 (three) years and annually reviews the previously planned cycle in order to monitor and reduce strategic risk.
4.10. Identifies and monitors the long-term emerging risks and opportunities that may affect the fulfillment of your strategy and business objectives.
4.11. Continuously monitors your image and your reputation risk through a tracking survey of your brand and through mentions and publications on social networks, in the press and on specialized websites.
5. Regarding the management of credit risks, Cielo:
5.1. Has a methodology that provides subsidies to (a) identify, (b) assess, (c) mitigate, (d) monitor and (e) report aspects related to credit risk to the Executive Board and the Board of Directors, through the Risk Committee, for informational or deliberative purposes, as the case may be.
5.2. Identifies and assesses the credit risk of card issuers, sub-accreditors and any other participants or commercial establishments under the terms of the credit brand rules, defining the volumes of guarantees that must be presented.
5.3. Identifies and assesses the credit risk of customers with or without deferred sales, defining the financial reserve and eligibility for contracting the “Aquisição de Recebíveis de Venda” (“ARV”) product and the “Receba Rápido” service.
5.4. Assesses the exposure to credit risk in new or changing products and services.
5.5. Practices the acts that are necessary in order to perform the recovery of credits, according to the rules below:
5.5.1. Executes the guarantees in case of default of a card issuer, as well as acts with the intervener of card issuers under intervention, in order to recover any defaults.
5.5.2. Executes the guarantees of sub-accreditors, as well as other participants or commercial establishments in situations of lack of liquidity.
5.5.3. Performs the recovery of values of the financial investments portfolio, triggering the Credit Guarantee Fund, the intervener and / or the issuer liquidator in default, as the case may be.
5.5.4. Performs other applicable procedures for recovering credits from defaulting customers.
6. Regarding the management of liquidity risk, Cielo:
6.1. Has a methodology that provides subsidies to (a) identify, (b) assess, (c) mitigate, (d) monitor and (e) report aspects related to liquidity risk to the Executive Board and the Board of Directors, through the Risk Committee, for informational or deliberative purposes, as the case may be.
6.2. Performs the cash flow assessment in relation to the main metrics defined in the Liquidity Contingency Plan.
6.3. Respects the indebtedness limits established by the Board of Directors.
6.4. Respects the liquidity targets for financial investments included in the internal standard for Financial Investments.
6.5. Guarantees an adequate level of liquidity for the fulfillment of the Company’s obligations and for the continuity of operations of the ARV product and the Receba Rápido service at the levels offered to customers, including with the prior contracting of immediate access credit lines.
6.6. Ensures the settlement of the grid by brand, domicile, issuers and the appropriate currencies for the management of liquidity risk, as well as capturing possible contingent and unexpected exposures in its measurement.
6.7. Assesses exposure to liquidity risk in new or changing products and services.
6.8. Keeps the Liquidity Contingency Plan updated and approved by the competent corporate governance bodies and activates it in accordance with the rules previously established in the internal Liquidity Risk Management standard.
7. Regarding management of market risks, Cielo:
7.1. Has a methodology that provides subsidies to (a) identify, (b) assess, (c) mitigate, (d) monitor and (e) report aspects related to market risk to the Executive Board and the Board of Directors, through the Risk Committee, for informational or deliberative purposes, as the case may be.
7.2. Assesses exposure to market risk in new or changing products and services.
8. Regarding the management of the risk of Money Laundering and Financing to Terrorism (LD/FT), Cielo:
8.1. Has a revised and updated Policy to Prevent Money Laundering and Financing to Terrorism, which establishes the guidelines, roles, and responsibilities to manage these risks.
9. Concerning the management of Compliance risks, Cielo:
9.1. Has a revised and updated Compliance Policy, which establishes the guidelines, roles, and responsibilities to manage these risks.
10. Regarding the management of corruption risks, Cielo:
10.1. Keeps the anti-corruption policy that establishes the guidelines, roles and responsibilities for the management of this risk reviewed and updated.
IV. Management of Consequences
- Employees, suppliers and other stakeholders that see any deviations from the guidelines of this Policy may report this deviation through the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), anonymously, if they so wish. Internally, the non-compliance with this Policy will lead to actions under the management of consequences, which may vary from a guidance on how to proceed to cancel or at least minimize any issues created, to the dismissal for just cause of those responsible.
Cielo adopts the concept of three (3) lines of defense to operationalize the management structure of its Corporate Risk and Internal Controls, to ensure the compliance with the guidelines defined.
1st Line of Defense: Represented by all business areas and support managers, who must ensure an effective risk management within the scope of its direct organizational responsibilities.
2nd Line of Defense: Represented by the Risk, Compliance and Prevention Board, which works on a consulting and independent basis with business and support areas, assessing and reporting the management of risks, compliance, management of business continuity, crises management and control environment to Cielo’s Executive Board and Board of Directors, through the Risk Committee. The activities under the 2nd line of defense are separate and independent from the activities and management of the business and support areas and Internal Audit.
3rd Line of Defense: Represented by the Internal Audit and has the purpose to provide independent opinions to the Board of Directors, through the Audit Committee, on the risk management process, the effectiveness of internal controls and corporate governance.
- Board of Directors:
- Approves the guidelines, strategies and risk management policies.
- Approves the limits and risk levels established in the Risk Appetite Statement.
- Authorizes, when necessary, exceptions to strategies, guidelines, policies and risk levels defined in the Risk Appetite Statement.
- Resolves on undertaking risks with high or very high impact;
- Ensures that the compensation structure adopted by Cielo does not interfere with the independence of areas’ work and foments behaviors compatible with the risk appetite levels considered acceptable by Cielo;
- Ensures proper and sufficient funds to carry out the risk management activities;
- Promoting the dissemination of the risk management culture at Cielo.
- Executive Board:
- Ensures that Cielo’s compliance with strategies, guidelines and risk management policies, as well as the limits and risk levels set forth in the Risk Appetite Statement;
- Resolves on undertaking risks with high or very high impact;
- Ensures proper and sufficient funds to carry out the risk management activities;
- Promoting the dissemination of the risk management culture at Cielo.
- Risk, Compliance and Prevention Board
- Monitors the compliance with the guidelines set forth herein, reviews and updates the policy to reflect any changes in Cielo’s guidance and to support any doubts regarding the content and its application;
- Identifies, assesses, monitors, mitigates and reports corporate risks in an integrated and periodic manner, ensuring the governance of the 2nd line of defense issues and subsidizing the strategic decision-making process;
- Promotes the development, implementation, and performance of the risk management structure, including its improvement;
- Identifies and assesses risks in Cielo’s products, services, systems, and processes.
- Has an updated list of the main risks to which Cielo is exposed, as well as continuously evaluates and monitors these risks in terms of impact and probability, to allow their prioritization when addressing such risks;
- Monitors the operational losses incurred, as well as certifies the sufficiency and effectiveness of the internal controls, considering the internal regulatory and strategic purposes;
- Supports the Business and Support Areas to develop compensatory and/or final action plans to answer to the identified risks, as well as monitors these plans, including those originated by the Audit and Regulators;
- Manages Business Continuity and Crisis;
- Ensures the governance of Risk Management, Internal Controls, and Business Continuity Management, periodically reporting to the competent bodies;
- Executes the guarantees, together with the Legal Superintendence, in case of default of Card Issuers, as well as act with the Card Issuer intervener, in order to recover the defaulted amounts;
- Executes the guarantees, together with the Legal Superintendence, of the sub-accreditors in situations of lack of liquidity.
- Prepares, reviews and requests the activation of the liquidity contingency plan;
- Develops and reports an annual report about corporate risk management;
- Subsidized the strategic decision-making process with information on risks, the environment of internal controls and business continuity;
- Carries out the risk assessment process in controlled companies;
- Articulates and translates the Risk Appetite, making it relevant, for the business and support areas through tolerance limits and indicators;
- Monitors the compliance with the Risk Appetite and reports to the Executive Board and the Board of Directors, through the Risk Committee;
- Disseminates the culture of Risk Management, Internal Controls and Compliance and Business Continuity at Cielo, through a training program for employees.
- Sustainability Management
- Identifies social and environmental risks incurred by Cielo, considering the goals adopted in the corporate sustainability program;
- Subsidizes and participates in the strategic decision-making process regarding the management of social and environmental risks;
- Ensures the governance of social and environmental management by periodically reporting to the competent bodies;
- Strategic Planning Board:
- Subsidizes and participates in the strategic decision-making process related to strategy management;
- Ensures the governance of strategy monitoring by periodically reporting to the competent bodies;
- Marketing Board
- Monitors the social media and identifies potential detractors to the image of Cielo and its monitored subsidiaries;
- Subsidizes and participates in the strategic decision-making process related to image management;
- Ensures the governance of image management by periodically reporting to the competent bodies;
VI. Additional Documents
- BACEN Official Letter 3681/13.
- BACEN Official Letter 3909/18.
- CMN Resolution 2554/98.
- Corporate Governance Policy.
- Sustainability Policy.
- Policy to Prevent Money Laundering and Financing to Terrorism.
- Compliance Policy.
- Procurement Policy.
- Anticorruption Policy
- Internal rules continuously improved, approved by the appropriate levels of authority and made available to all employees.
VII. Concepts and Acronyms
- Control Environment: Set of controls representing a given risk.
- Central Bank of Brazil (BACEN): Body responsible for disciplining the incorporation, operation, and inspection of payment institutions, as well as the discontinuity of their services.
- Risk Committee: Advisory body of the Board of Directors whose objective is to monitor the quality and efficiency of risk management and the minimum equity requirements applicable to the Company, ensuring its social objectives and values in line with the basic principles of corporate governance.
- Internal Controls: Policies, rules, procedures, methods and mechanisms created with the goal to provide a reasonable degree of confidence in the effectiveness and efficiency of operations, financial reporting, and compliance with regulatory requirements, as well as achieving the business purposes, preventing or detecting and correcting undesirable events.
- Default: Total or partial defaulting situation of the counterparty.
- Business Continuity: Activity integrated to risk management, which uses the business impact analysis tool (BIA) as a guide to mitigate discontinuity risks. Provides a framework to develop organizational resilience, making it possible to identify in advance and answer to impacts caused by the interruption of Cielo’s main processes.
- Risk Appetite Statement (RAS): Document that formalizes the levels of risk that Cielo supports to achieve its strategic and business purposes.
- Risk Occurrence: Incident or event related to failures in processes, systems or people that occurred at Cielo, with negative impacts (direct or indirect) for the operation such as financial, reputational, regulatory, safety, environmental, labor and continuity.
- Risk: Possibility of events that happen and hinder the fulfillment of Cielo’s strategy and purposes.
- Liquidity Contingency Plan: it is a document prepared jointly between the Treasury Superintendence and the Risk, Compliance and Prevention Board, approved by the Board of Directors, which presents a set of procedures whose main objectives are: i) Ensure the non-interruption of Cielo’s cash flow and mitigate losses arising from liquidity risk; ii) Define Liquidity Contingency procedures, prioritizing sources and uses of resources that value financial efficiency; iii) Restore the level of liquidity desired by Cielo; iv) Establish a clear division of roles and responsibilities for the objectives described in the document; v) Define the financial composition of the Liquidity Reserve.
- Financial reserve: Amount in value or in percentage, calculated according to specific methodology and registered in the ARV system, in order to prevent the contracting of ARV beyond the pre-fixed amount, as a way of protecting against any chargebacks / sales cancellations that may occur on the operations carried out.
- Non-financial risks: non-financial risks, in the context of this policy, are composed of (i) operational risk; (ii) social, environmental and climatic risks; (iii) strategic risk; (iv) emerging risk; and (v) reputation risk.
- Operational Risk: Possibility of losses resulting from the following events: a) failure to protect and secure sensitive data related to both the credentials of end-users and other information exchanged for the purpose of making payment transactions; b) failure to identify and authenticate the end-user; c) failure to authorize payment transactions; d) internal fraud; e) external fraud; f) labor demands and poor safety in the workplace; g) inadequate practices regarding end-users, payment products, and services; h) damage to physical assets owned or used by the institution; i) occurrences that lead to the interruption of the payment institution’s activities or the discontinuity of the payment services; j) failures in information technology systems, processes or infrastructure; and k) failures to execute, comply with deadlines and manage the activities involved in payment transactions. Operational risk includes the legal risk related to the inadequacy or deficiency in agreements signed by the payment institution, sanctions due to a non-compliance with legal provisions and compensation for damages to third parties resulting from activities involved in payment transactions.
- Social and Environmental Risk: Possibility of financial, operational and image losses resulting from social and environmental damage, such as pollution, damage to human health, security, transparency, impacts on communities, threats to biodiversity, among others.
- Strategic Risk: Risk arising from adverse changes in the business environment or the use of inadequate assumptions in the decision-making process.
- Emerging risks and opportunities: Emerging risks and opportunities are related to changes in social or public perceptions or to new scientific knowledge that can become a risk or an opportunity that impact the strategy and the future of the business.
- Reputation Risk: Risk arising from the negative perception of Cielo by customers, counterparties, shareholders, investors or regulators.
- Credit risk: Refers to the possibility of losses associated with the non-compliance by the counterparty of its respective financial obligations under the agreed terms, the reduction of gains or remuneration, the advantages granted in trading and the recovery costs, including:
– Default by the bearer before the issuer of a post-paid payment instrument;
– Default by the issuer before the creditor; and,
– Default by a payment institution that owes another payment institution due to an interoperability agreement between different arrangements.
- Liquidity risk: Refers to the possibility that the Company will not be able to efficiently honor its expected and unexpected, current and future obligations without affecting its daily operations and without incurring significant losses.
- Market risk: Refers to the possibility of losses resulting from the fluctuation in the market values of instruments held by the Company, as well as revenues and expenses that may be impacted due to changes in interest rates, share prices and exchange variation.
- Controls system: Consists of a set of controls representative for a given risk.
- Stakeholders: Represent Cielo’s stakeholders, namely: employees, the Executive Board, investors, members of the Board of Directors, customers, regulators, suppliers, and society. The stakeholders involved may vary depending on the level of confidentiality of the information shared.
- Affiliated Companies: companies in which the Company has significant influences, pursuant to Article 243, Paragraph 4 and 5 of the Brazilian Corporation Law, (i) there is a significant influence when the Company holds or exercises the power to participate in the decisions of a company’s financial or operating policies, without, however, controlling it; and (ii) the significant influence will be assumed when the Company owns twenty percent (20%) or more of the voting capital of the said company, without controlling it.
- Subsidiaries: Companies in which the Company, directly or indirectly, holds rights as partner or shareholder, which permanently guarantee to the Company the preponderance in business resolutions and the power to elect the majority of the members of the Management, pursuant to Article 243, Paragraph 2 of the Brazilian Corporation Law.
- Risk Occurrence: Incident or event related to failures in processes, systems or people that occurred at Cielo, with negative impacts (direct or indirect) for the operation such as financial, reputation, regulatory, safety, environmental, labor and continuity.
- Sub-accreditor: Participants in payment arrangements that enable establishments not affiliated directly with Cielo to accept payment instruments, being responsible for the settlement of payment transactions to such establishments, by transferring the financial resources received by Cielo.
- Deferred sales: Credit card sales made by customers with delivery of goods / services at a future date.
VII. General Provisions
Cielo’s Board of Directors is responsible for changing this Policy whenever necessary.
This Policy shall take effect on the date of its approval by the Board of Directors and revokes any rules and procedures contrary thereto.
Barueri, February 19, 2020.