GROUP COMPLIANCE POLICY
Purpose
This Group Compliance Policy (the Compliance Policy) lays out the principles and standards for compliance and for the management of compliance risks in Payjeezy (the Group).
The objective of this Compliance Policy is to guarantee that compliance risks are well identified and adequately mitigated. The Group aims to reduce compliance risks with regard to the nature, scale and complexity of the business. This is aligned with the strategy of the Group, which sets the vision of the Group to be recognized as the most trusted financial partner, and is deeply linked to fair treatment of customers and conducting business with high integrity.
This Compliance Policy is designed to meet the requirements of the US Bank Secrecy Act and additional applicable legislation. It is also applied in accordance with all Financial Crimes Enforcement Network (FinCEN) requirements regarding the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) and Know Your Customer (KYC) laws.
Scope and application
This Compliance Policy applies to all staff, all roles, all divisions within the Company, and all controlled legal entities once adopted by Senior Management.
If the Compliance Policy conflicts with local requirements, the subsidiary's senior management may approve deviations from the Compliance Policy. Any material deviations from the Compliance Policy must be reported to the Board of Directors of National Bookkeeping & Management Systems, Inc., as well as to the administrator of the Information Management Policy, and communicated to Group Compliance.
Definitions
Compliance is defined as compliance with laws, including the spirit of law, regulations, generally accepted practices, standards, and codes of conduct of the financial industry.
Compliance risk is defined in this Compliance Policy as the risk of legal or regulatory sanctions, material financial loss or loss of reputation that may result from the Group's failure to comply with laws, including the spirit of law, regulations, generally accepted practices, standards, and codes of conduct applicable to Group activities.
Governance
The Board of Directors is responsible for the Group's overall governance and regulatory risk management. The Board of Directors and the Executive Board must ensure that sufficient internal policies and structures are in place to provide effective and efficient support. Identifying compliance risks, assessing them and managing them appropriately are elements to be considered in any process; they form the basis for a risk-based approach under which appropriate and applicable countermeasures are established to mitigate the risk.
The Group has established a three-lines-of-defense control and governance model to ensure appropriate risk management:
Business units and group functions represent the first line of defense and are primarily responsible for identifying, managing and mitigating the Group's compliance risks through adequate controls.
Group Compliance is an independent risk control function led by the Head of Group Compliance and constitutes the second line of defense for compliance risk. Group Compliance is responsible for independent monitoring of the compliance risks of the Company through risk assessment, tracking, consulting work and reporting to senior management. Moreover, Group Compliance functions as the Group Data Protection Officer (DPO) and the Designated Group Conflicts Officer (DGCO).
The Internal Audit Group is the third line of defense and is responsible for auditing the first and second lines of defense: validating that a robust framework is in place and adequately implemented, and evaluating the effectiveness of internal controls.
Compliance risk and risk tolerance
Compliance risk exists as an inherent part of doing business. Accordingly, compliance risk management in the Group is considered to be of key importance. Identifying compliance risks, evaluating them and managing them effectively are elements that must be considered in any system; they form the basis for a risk-based approach when determining necessary and relevant countermeasures to mitigate the risk, including the escalation of problem cases according to the Escalation Policy of the Group. Monitoring complaints handling processes in the Group, and using complaints as a relevant source of information for compliance reporting, is one of the elements forming the basis of the risk-based approach.
Group Compliance must oversee the development and periodic review of the product governance arrangements. In this regard, information about products that are manufactured and distributed by the Group, including their distribution strategies, shall be systematically included in the compliance reports to the management body and made available to National Competent Authorities on request. The relevant Product Committee must assist Group Compliance by providing information about all products when they are developed or reviewed. To the extent required by applicable legislation, subsidiaries must allocate necessary resources to monitor relevant product governance arrangements.
This Compliance Policy enables and implements compliance with the laws on data protection. Group Compliance, in its capacity as DPO, will supervise compliance with the General Data Protection Regulation (GDPR) and relevant national data protection laws.
The Group does not tolerate infringements of applicable laws (including the spirit of the law), regulations, generally accepted practices and standards, or codes of conduct applicable to the activities of the Group, nor substantial fines or other significant enforcement actions.
Compliance Framework
The Group’s compliance framework and strategy are distributed across three security sides. The Compliance Policy outlines the criteria for compliance risk mitigation to provide a comprehensive overview of the compliance framework of the Company. Other governing documents covering, but not limited to, financial crime, conflicts of interest, market abuse, data protection, whistleblowing and the code of conduct should also be considered.
As the control function, Group Compliance is responsible for designing, implementing and maintaining a group-wide framework for compliance risk identification, assessment, monitoring and reporting. Group Compliance follows a risk-based approach to identify and prioritize its monitoring activities.
In addition, Group Compliance is responsible for providing advice to business units and group functions related to compliance risk management and mitigation.
Reporting
Group Compliance must provide to the Executive Board, to the Audit Committee and to the Board of Directors a semi-annual compliance report. As a minimum, the compliance report must include findings of non-compliance.
The Head of Group Compliance has a day-to-day reporting line to the Chief Financial Officer, and escalation lines to the Executive Board and the CEO of the Executive Board. If escalation is needed outside the Group Compliance reporting period, the Head of Group Compliance will escalate through the appropriate channels. The Head of Group Compliance has both a right and an obligation to escalate any material or systemic breaches to the Audit Committee.
Review
Group Compliance manages and updates the policy, and the Board of Directors approves it. The policy must be reviewed and updated at least annually. Any policy changes must be endorsed by the Audit Committee and approved by the Board of Directors.
INFORMATION SECURITY POLICY
Purpose
The purpose of this Policy is to safeguard, within a secure environment, information belonging to National Bookkeeping & Management Systems, Inc. (the Group) and its stakeholders (third parties, customers and the general public).
This policy informs the Group's staff, all roles, all divisions within the Company, and all controlled legal entities entitled to use Group facilities, of the principles governing information holding, use and disposal.
It is the goal of the Group that:
• Information will be protected against unauthorized access or misuse.
• Confidentiality of information will be secured.
• Integrity of information will be maintained.
• Availability of information / information systems is maintained for service delivery.
• Business continuity planning processes will be maintained.
• Regulatory, contractual and legal requirements will be complied with.
• Physical, logical, environmental and communications security will be maintained.
• Infringement of this Policy may result in regulatory sanctions or criminal prosecution.
• When information is no longer of use, it is disposed of in a suitable manner.
• All information security incidents will be reported to the Director of Information and Communication Technology (ICT) Systems, and investigated through the appropriate management channel.
Information relates to:
• Electronic information systems (software, computers, and peripherals) owned by the Group whether deployed or accessed on or off site.
• The Group’s computer network used either directly or indirectly.
• Hardware, software and data owned by the Group.
The Policy
The Group requires all users to exercise a duty of care in relation to the operation and use of its information systems.
a. Authorized users of information systems
All users of Group information systems must be formally authorized by appointment as a staff member, with the exception of information published for public consumption. Each authorized user will have a unique user identity. It is not appropriate to reveal any password associated with a user identity to any other person.
Authorized users will pay due care and attention to protect Group information in their personal possession. Confidential, personal or private information must not be copied or transported without consideration of:
• Permission of the information owner
• The risks associated with loss or falling into the wrong hands
• How the information will be secured during transport and at its destination.
b. Information System Owners
Heads/Directors who are responsible for information systems are required to ensure that:
1. Systems are adequately protected from unauthorized access.
2. Systems are secured against theft and damage to a level that is cost-effective.
3. Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).
4. Electronic data can be recovered in the event of loss of the primary source, i.e. failure or loss of a computer system. It is incumbent on all system owners to back up data and to be able to restore it to a level commensurate with its importance (Disaster Recovery).
5. Data is maintained with a high degree of accuracy.
6. Systems are used for their intended purpose and that procedures are in place to rectify discovered or notified misuse.
7. Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and freedom of information acts.
8. Any third parties entrusted with Group data understand their responsibilities with respect to maintaining its security.
c. Personal Information
No privacy rights are granted to authorized users of information systems in relation to their use of Group information systems. Group officers who are properly licensed can access or track personal data contained in any group information system (mailboxes, web access logs, file stores, etc.).
d. Individuals (staff) in breach of this policy are subject to regulatory actions at the instigation of the Director responsible for the relevant information system, including referral to the Police where appropriate.
The Group will take legal action to ensure that its information systems are not used by unauthorized persons.
Ownership
a. The Director of ICT Systems has direct responsibility for maintaining this policy and providing guidance and advice on its implementation.
Information system owners are responsible for implementing this Policy within their area and for ensuring adherence to it.