ING Group Compliance Risk Management Charter and Framework


ING Group Compliance Risk Management Charter and Framework
Corporate Compliance Risk Management

ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER AND FRAMEWORK

Information sheet

Target audience: All employees and Management of all ING businesses
Approved and Issued by: ING Groep, N.V. Executive Board 26 August 2008
For further information: ING Corporate Compliance Risk Management, Policy & Advice team Tel
Version: 2.0
Replaces: ING Group Compliance Policy, dated 1 July 2005
Valid from: 29 August 2008
Date of update: 3 December 2009

In the event of any discrepancies between the English version of this document and a translated version, the English document is binding.

ING Group Compliance Risk Management
ING Compliance Risk Management Charter and Framework

IN THIS DOCUMENT

PART 1. ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER
1.0 ING'S COMPLIANCE RISK MANAGEMENT STRATEGY
1.1 MISSION OF THE COMPLIANCE RISK MANAGEMENT FUNCTION
1.2 PURPOSE OF THE COMPLIANCE RISK MANAGEMENT FUNCTION
2.0 DEFINITION AND SCOPE OF COMPLIANCE RISK
2.1 COMPLIANCE RISK
2.2 INTEGRITY AND REPUTATION RISK
2.3 COMPLIANCE RISK: FOUR CONDUCT-RELATED INTEGRITY RISK AREAS
2.4 OUTSIDE THE SCOPE OF COMPLIANCE RISK
3.0 COMPLIANCE RISK MANAGEMENT RESPONSIBILITIES
3.1 RESPONSIBILITIES OF MANAGEMENT
3.2 RESPONSIBILITIES OF EVERY EMPLOYEE
3.3 RESPONSIBILITIES OF LOCAL COMPLIANCE OFFICERS
3.4 RESPONSIBILITIES OF BUSINESS LINE COMPLIANCE OFFICERS
3.5 RESPONSIBILITIES OF THE HEAD OF CORPORATE COMPLIANCE RISK MANAGEMENT
3.6 RESPONSIBILITIES OF THE CHIEF COMPLIANCE OFFICER
4.0 AUTHORITY AND CAPABILITIES OF COMPLIANCE RISK MANAGEMENT FUNCTION
4.1 INDEPENDENCE
4.2 INVESTIGATE AND CHALLENGE
4.3 ESCALATION
4.4 ACCESS
4.5 LIAISON AND PARTNERING
4.6 CAPABILITIES, EVALUATION AND REMUNERATION
4.7 APPOINTMENTS AND TERMINATIONS
5.0 REPORTING
5.1 REPORTING LOCALLY
5.2 REPORTING REGIONALLY AND BY BUSINESS LINE
5.3 REPORTING AT GROUP LEVEL

PART 2. ING GROUP COMPLIANCE RISK MANAGEMENT FRAMEWORK
1.0 ING BUSINESS PRINCIPLES: THE FOUNDATION FOR ING'S FRAMEWORK
2.0 THE THREE LINES OF DEFENCE TO MANAGE COMPLIANCE RISK
3.0 THE FRAMEWORK IN OUR BUSINESS
4.0 THE KEY COMPONENTS OF FRAMEWORK AND THE KEY ACTIVITIES OF THE CHART
4.1 THE CHART AND THE FIVE KEY ACTIVITIES
    IDENTIFICATION OF COMPLIANCE OBLIGATIONS
    RISK ASSESSMENT
    COMPLIANCE RISK MITIGATION
    COMPLIANCE RISK MONITORING
    COMPLIANCE RISK MANAGEMENT REPORTING
4.2 COMPLIANCE RISK MANAGEMENT ADVISORY SERVICES
4.3 SCORECARD

PART 3. ADMINISTRATIVE MATTERS

PART 4. RELATED DOCUMENTS

ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER AND FRAMEWORK

A key component of ING's vision is to be a company that stakeholders and the communities we operate in can trust. Good compliance risk management is our licence to operate. It builds trust and protects our brand. Effective compliance risk management means meeting our compliance obligations and protecting ING from loss or damage. It improves the way we do business for our stakeholders. It is vital for sustainable business.

ING has adopted the ING Group Compliance Risk Management Charter and Framework ("Charter and Framework") to help businesses effectively manage their Compliance Risks. The Charter states the roles and responsibilities for compliance risk management. The Framework outlines the tools that ING employees, Management and Compliance Officers use to manage Compliance Risk.

PART 1 ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER

The Executive Board of ING Group¹ approved the Charter on 26 August 2008. It replaces the previous Charter that was part of the ING Group Compliance Policy dated 1 July 2005. The Charter must be reviewed and approved at least every two years by and may be amended at any time with the approval of the Executive Board. The Charter must be available to all ING employees.

The purpose of the Charter is to state the organisation, operation and governance of compliance risk management for ING Group. The Charter applies to all employees and Management of ING Group. With the Charter the Executive Board emphasises the importance of having a clear mandate to manage Compliance Risk. The Charter requires the establishment and maintenance of a compliance risk management framework and Compliance Risk Management Function (Compliance Officers and those fulfilling compliance responsibilities) and describes the roles and responsibilities for compliance risk management in all ING businesses.

¹ ING Groep N.V.

1.0 ING'S COMPLIANCE RISK MANAGEMENT STRATEGY

Effectively managing Compliance Risk maximises ING's opportunities in the market and enhances our competitive position by building trust. Integrating a strong compliance risk management programme into the daily management of business and strategic planning gives us a strategic competitive advantage. It helps us to protect our reputation, lower the cost of capital, reduce costs and helps us to minimise the risk of investigation, prosecution and penalties because we do the right things the right way.

1.1 MISSION OF THE COMPLIANCE RISK MANAGEMENT FUNCTION

Together with the business build sustainable competitive advantage by fully integrating compliance risk management in daily business activities and strategic planning.

1.2 PURPOSE OF THE COMPLIANCE RISK MANAGEMENT FUNCTION

The Compliance Risk Management Function operates within the context of ING Group's Risk Management strategic framework. Within the strategic framework, the purpose of the Compliance Risk Management Function is to:

[Figure: Risk Management Strategy, with the elements Risk Underwriting, Risk Reporting/Controlling, Risk Strategy and Risk Disclosure]

COMPLIANCE RISK MANAGEMENT PURPOSE

- Understand and advocate the rules, regulations and laws and the effective management of Compliance Risk and proactively work with and advise the business to manage Compliance Risk throughout our products' life cycle to meet stakeholder expectations
- Develop and Enhance Tools to strengthen the three lines of defence to detect, communicate, report and manage Compliance Risks in order to limit surprises
- Support Group Strategy by establishing clear roles and responsibilities to help embed good compliance risk management practice throughout the business by using a risk based approach to align business outcomes with ING's risk appetite
- Deepen the Culture of Compliance by partnering with the business to increase the culture of trust, accountability, transparency and integrity in evaluating and managing Compliance Risk

2.0 DEFINITION AND SCOPE OF COMPLIANCE RISK

2.1 COMPLIANCE RISK

Compliance Risk is the risk of impairment of ING's integrity. It is a failure (or perceived failure) to comply with our Business Principles and the Compliance Risk-related laws, regulations and standards that are relevant to the specific financial services offered by a business or its ensuing activities, which could damage ING's reputation, lead to legal or regulatory sanctions and/or financial loss.

2.2 INTEGRITY AND REPUTATION RISK

Compliance Risk is also referred to as integrity risk because integrity is the focus in managing Compliance Risk. Compliance Risk may sometimes be referred to as reputation risk; however, reputation risk is only one possible second order effect of Compliance Risk, in addition to (direct) financial loss, as it includes loss of new or future business, existing clients and/or trust in ING's integrity.

2.3 COMPLIANCE RISK: FOUR CONDUCT-RELATED INTEGRITY RISK AREAS

ING categorises Compliance Risk into four conduct related integrity risk areas.

- CLIENT CONDUCT RELATED INTEGRITY RISK
- PERSONAL CONDUCT RELATED INTEGRITY RISK
- FINANCIAL SERVICES CONDUCT RELATED INTEGRITY RISK
- ORGANISATIONAL CONDUCT RELATED INTEGRITY RISK

EXAMPLES OF COMPLIANCE/INTEGRITY RISK

- Money laundering
- Terrorist financing
- Political or reputational exposed person
- Client engagements or transactions with sanctioned countries
- Market abuse and personal trading
- Breaches of the ING business principles or local code of conduct
- Outside positions held by ING officers
- Gifts or entertainment given or received; bribery
- External incident reporting³
- Marketing, sales and trading conduct
- Organisational conflicts of interest, market abuse and insider trading
- Conduct of advisory business
- Anti-trust/Competition Law²
- Transparency of product offerings (e.g. costs, disclosures)
- Complaint handling
- New or modified products and services (e.g. customer base, design) and governance changes
- Agreed sector/industry standards
- Regulatory registration and reporting requirements
- Third party intermediaries as representatives of ING

² Shared responsibility with Legal.
³ Risk that staff will report internal violations externally instead of through the internal Whistleblower procedure.

2.4 OUTSIDE THE SCOPE OF COMPLIANCE RISK

Outside the scope of Compliance Risk is compliance with laws, regulations and standards that relate to the following ING support functions:

RISK TYPE | SUPPORT FUNCTION
Credit | Credit Risk Management
Market | Market Risk Management
Insurance | Insurance Risk Management
Employment | Human Resources
Accounting | Finance and Control
Tax | Tax
Operational (including Fraud, Information Technology, Security) | Operational Risk Management
Legal | Legal

3.0 COMPLIANCE RISK MANAGEMENT RESPONSIBILITIES

3.1 RESPONSIBILITIES OF MANAGEMENT

Management is the owner of compliance risk management and must set a good example by considering stakeholders' expectations, knowing and applying the rules, encouraging a culture where people are trusted and accountable and effectively managing Compliance Risk.

The Executive Board Charter states, "The Executive Board is responsible for compliance by ING with all relevant laws and regulations, for managing the risks associated with the business activities of ING and for financing ING. The Executive Board must report on these issues and must discuss the internal risk-management and control systems with the Supervisory Board and the Audit Committee."⁴

To meet this obligation the Executive Board appoints one of its members as Chief Risk Officer ("CRO").⁵ The CRO maintains a Compliance Risk Management Function at the ING Group level led by the Chief Compliance Officer ("CCO"). The CCO reports to the CRO. The CCO may appoint a Head of Corporate Compliance Risk Management to manage the Corporate Compliance Risk Management department.

Each ING Group Executive Board member must establish and maintain a Compliance Risk Management Function. For each business line, a Business Line Compliance Officer ("BLCO") must be appointed and must hierarchically report to the Executive Board member or a member of the Executive Board team. The CCO is the functional head for all BLCOs. The BLCO and regional or business line Management may together appoint a Regional Compliance Officer ("RCO") for a specific region.

At the Local level, Management must establish and maintain a Compliance Risk Management Function and, together with the BLCO (or RCO), appoint a Local Compliance Officer ("LCO") to fulfil compliance risk management to support the business. If Local level Management anticipates fulfilling this duty without a dedicated full-time or onsite LCO, Management must first obtain the BLCO's permission. The BLCO or RCO is the functional head for all LCOs.

⁴ Section 2.2 ING Groep NV Executive Board Charter 6 November
⁵ Section 16.1 ING Groep NV Executive Board Charter 6 November

[Figure: organisation chart showing hierarchical reporting and functional reporting lines between the Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Member of the Executive Board (EB)/Team, ING Business, Head of Corporate Compliance Risk Management, Business Line Compliance Officer (BLCO) and Local Compliance Officer (LCO)]

At all levels Management must create an environment of individual and collective accountability in which the importance of meeting compliance obligations, including ING Business Principles, is well understood. Management achieves this in part by providing sufficient resources (training, budget, staffing, etc.) to its Compliance Risk Management Function to ensure effective compliance risk management in the business.

The specific responsibilities of Management are outlined in the Framework Part II of this document.

3.2 RESPONSIBILITIES OF EVERY EMPLOYEE

Managing Compliance Risk and complying with applicable laws, regulations and standards in both personal and business conduct is the responsibility of every employee. Management is responsible for identifying and communicating minimum compliance requirements that each employee must fulfil in day-to-day business activities (established at the departmental or organisational level) and for rewarding or sanctioning employees' performance against the requirements. Employees must find out what compliance obligations impact their day-to-day business activities and must make sure they understand and meet them.

3.3 RESPONSIBILITIES OF LOCAL COMPLIANCE OFFICERS

To effectively support the business, LCOs must develop a clear understanding of the Local level business practices and strategy. LCOs must act within the scope of the Framework and must review and continually improve the effectiveness of the Local level compliance risk management framework. Further details of LCO responsibilities are outlined in the Framework Part II of this document.

3.4 RESPONSIBILITIES OF BUSINESS LINE COMPLIANCE OFFICERS

BLCOs (or RCOs, if delegated) must:

- In conjunction with Management, ensure that Local and regional levels are staffed with LCOs or compliance risk management representatives who have sufficient knowledge and experience;
- Manage and coach LCOs (and RCOs), on assessment and remediation of and reporting on Compliance Risks and Local level frameworks and support with compliance risk management advice;
- Draft regional and/or business line policies or procedures, when appropriate;
- Create and execute a visit plan for Local levels to monitor that Local level frameworks (refer to Part 2) and Group policies are implemented, maintained, effective and consistent and that compliance controls, including monitoring, relate to the risks identified by the business;
- Monitor that Local levels have incorporated in Compliance Charts, as appropriate, compliance obligations identified by policies issued by ING Group;
- Provide compliance risk management reporting at regional, business line, Group, Board and Committee levels;
- Advise and support regional or business line product, service and change projects including (new) product review processes and merger and acquisition activities;
- Represent the regional and/or business line for ING Corporate Compliance Risk Management projects, participate in the development of policies issued by ING Group and support business impact assessments;
- Liaise with and advise regional and business line Management;
- Communicate, at least quarterly, with LCOs and RCOs to ensure issues, best practices and lessons learned are being tracked and exchanged in the regional and business lines;
- Facilitate, at least quarterly, communications between solo Compliance Officers to ensure issues, best practices and lessons learned at the Local level can be discussed with other compliance experts;
- Participate in exchange of issues, best practices and lessons learned across regional/business lines and other risk management functions.

3.5 RESPONSIBILITIES OF THE HEAD OF CORPORATE COMPLIANCE RISK MANAGEMENT

The Head of Corporate Compliance Risk Management must:

- Manage the day-to-day operations of the ING Corporate Compliance Risk Management department;
- Oversee ING Netherlands Board compliance risk management activities in accordance with its governance manual;
- Develop, maintain and advise on ING Group policies and minimum global standards;
- Advise and support Group level product, service and change projects including (new) product review process and merger and acquisition activities;
- Liaise with other Risk Management functions as well as CAS and Legal to ensure an integrated approach to risk management;
- Ensure compliance risk management communications and training support to the business lines as required;
- Manage consolidated internal and external reporting on the status of Compliance Risks and compliance risk management frameworks across ING Group;
- Act as Deputy for the Chief Compliance Officer.

3.6 RESPONSIBILITIES OF THE CHIEF COMPLIANCE OFFICER

The Chief Compliance Officer must:

- Drive the ongoing evolution of the Framework to ensure relevance and strategic competitive advantage;
- Keep abreast of regulatory and industry trends to manage Compliance Risk and advise relevant stakeholders and the Compliance Risk Management Function;
- Maintain an ongoing relationship with regulators relevant to ING;
- Advise and support Group level product, service and change projects including (new) product review processes and merger and acquisition activities;
- Liaise with other Risk Management functions as well as CAS and Legal to ensure an integrated approach to risk management;
- Represent the Corporate Compliance Risk Management department for ING Group projects;
- Endorse and communicate new policies and guidance documents issued by ING Corporate Compliance Risk Management to the Executive Board;
- Oversee the development, and monitor implementation, of ING Group Compliance Risk Management policies throughout ING;
- Monitor compliance with and sign off of Executive Board members' compliance with ING Group Corporate Compliance Risk Management policies;
- Ensure accurate and timely reporting to the CRO, Executive Board and Supervisory Board Audit Committee;
- Provide hierarchical management to the Head of Corporate Compliance Risk Management and functional management to the BLCOs.

4.0 AUTHORITY AND CAPABILITIES OF COMPLIANCE RISK MANAGEMENT FUNCTION

4.1 INDEPENDENCE

To avoid potential conflicts of interests Compliance Officers must be independent of the business activities of their business (unit), region or business line and report directly to General Management of their business and functionally to the next higher level Compliance Officer. A direct reporting line to General Management must be a direct reporting line to the CEO, CRO or at least a General Manager at first echelon of the business provided that any conflicts of interest are mitigated. Following notification to Management, Compliance Officers have the authority to request ING Corporate Audit Services to perform a specific audit.

4.2 INVESTIGATE AND CHALLENGE

When Compliance Officers perceive a Compliance Risk or when a Management decision may give or has given rise to a significant financial or reputational risk for the business or ING they must investigate and challenge any actions or concerns without influence from the business. If the matter is not promptly resolved, the Compliance Officer and Management must follow the escalation process.

4.3 ESCALATION

Where a matter is escalated the Compliance Officer and next higher level Compliance Officer must jointly decide whether to advise Management that the course of action would result in an unacceptable Compliance Risk and Management cannot proceed. Management must postpone execution of the initial decision until the issue has been resolved. The next higher level Compliance Officer has the right of immediate veto of the proposed action while a dispute is resolved at the next higher level.

4.4 ACCESS

Compliance Officers must, at all times, have unfettered and direct access (in accordance with local laws and regulations) to all activities in their area of responsibility. This includes all documentation, systems (e.g. complaints register, whistleblower reports and files), employees, the CEO, Management, executive and non-executive board members that Compliance Officers reasonably believe are necessary to execute their responsibilities effectively. Compliance Officers must have the opportunity to attend relevant Board and Committee meetings (e.g. Operational Risk Committee, Management Team meetings) to raise any matters (either orally or in writing) that are reasonable and necessary.

4.5 LIAISON AND PARTNERING

Compliance Officers must liaise with regulators and industry bodies and must participate, where possible, in industry meetings to ensure knowledge exchange about regulations and to improve compliance risk management knowledge. Compliance Officers must partner with Legal, other Risk Management functions, employees, Management, relevant boards and committees to ensure integrated risk management efforts without duplication. In addition, Compliance Officers shall participate in exchange of issues, best practices and lessons learned with the next higher level Compliance Officer, across regional/business lines and other Risk Management functions as well as participate in the development of policies issued by ING Group and business impact assessments.

4.6 CAPABILITIES, EVALUATION AND REMUNERATION

Individuals who execute Compliance Risk Management Function responsibilities must have the necessary qualifications, experience and professional and personal skills to enable them to carry out their responsibilities effectively. They must have an overall understanding of ING Group and the commercial operation of their business. They must understand the obligations, legislation and standards that impact their business. Compliance Officers must coach and train new Compliance Risk Management Function representatives. Compliance Officers must have the opportunity to develop their skills.

Together, the next higher level Compliance Officer and Management set performance and development objectives, including training and education targets, and evaluate the Compliance Officer on these. Management takes the lead for these tasks. The next higher level Compliance Officer has the right to access documentation and other information relating to the Compliance Officer's performance and development objectives and has the right to challenge Management to obtain the information required to obtain a fair outcome.

The next higher level Compliance Officer and Management, together, decide on the Compliance Officer's starting pay, appraisals and, if appropriate, bonus. Management takes the lead; however, the next higher Compliance Officer has the right to challenge remuneration, appraisals and, if appropriate, a bonus.

4.7 APPOINTMENTS AND TERMINATIONS

Together, the next higher level Compliance Officer and Management decide whether to appoint or terminate a Compliance Officer, as the Compliance Officer's role is two-way, both to the business and to the Chief Compliance Officer of ING Group. Management takes the lead for appointments and must seek advice from the next higher level Compliance Officer to ensure that the candidate meets the education, skill and experience requirements set out in the job description. Management also takes the lead for terminations. However, the next higher level Compliance Officer has the right to propose and veto candidates for appointment and has the right to terminate or veto a proposed termination of a Compliance Officer.

5.0 REPORTING

5.1 REPORTING LOCALLY

LCOs must report at least quarterly to Management, relevant boards and committees on the effectiveness of implementation and embedding of the Charter and Framework and policies against ING's guidelines in addition to other relevant compliance risk management topics that may be required by ING. Each LCO must ensure reports are accurate, current, and on-time. Reports must also be sent to the RCO or BLCO. In addition, the LCO must also report incidents and issues to regulators, Local level Management and the next higher level Compliance Officer, as necessary or required. The LCO is the Reporting Officer for the Whistleblower procedure, unless another Officer has been appointed to perform this duty.

5.2 REPORTING REGIONALLY AND BY BUSINESS LINE

RCOs and BLCOs must report at least quarterly to the next higher level Compliance Officer on the effectiveness of implementation and embedding of the Charter and Framework and policies for the Local levels (within the region and business line) against ING guidelines in addition to other relevant compliance risk management topics that may be required by ING. Each RCO and BLCO must, as part of assurance activities, inquire as to the accuracy and currency of the Local level reports and must retain supporting evidence of the inquiry and response. RCOs and BLCOs are responsible for consolidating the reporting and presenting to the next higher level Compliance Officer and the relevant board or regional/business line committee.

5.3 REPORTING AT GROUP LEVEL

Compliance Risk Management in conjunction with other risk functions must report at least semi-annually to the Executive Board and Risk Committee on the effectiveness of implementation and embedding of the Charter and Framework and policies across ING as well as other relevant compliance risk management topics required by ING. Quarterly, Compliance Risk Management is responsible for consolidating the reporting by business line and for analysing and clarifying the content. It is responsible, as far as practical, for ensuring that each BLCO has the opportunity to review the report prior to it being presented to the Executive Board and/or Supervisory Board Risk Committee. Compliance Risk Management, as part of its assurance activities, reviews the BLCOs' supporting evidence and inquires into the accuracy and currency of the reporting provided.

PART 2 ING GROUP COMPLIANCE RISK MANAGEMENT FRAMEWORK

The ING Group Compliance Risk Management Framework ("Framework") comprises the principles, processes and tools that ING Management and Compliance Officers use to manage Compliance Risk; it is essentially a risk management programme. The Framework is the key tool for senior Management, business managers and ING employees to understand and apply our approach to managing Compliance Risk. It also creates transparency for our external stakeholders.

The important topics in managing Compliance Risk are:

1. ING Business Principles: the Foundation for ING's Framework (section 2)
2. The Three Lines of Defence to Manage Compliance Risk (section 3)
3. The Framework in Our Business (section 4)
4. The Key Components of the Framework and the Key Activities of the Chart (section 5)

The Framework complements, and should be read with, the Charter. Modifications to the Framework must be aligned with the scope of the Charter.

1.0 ING BUSINESS PRINCIPLES: THE FOUNDATION FOR ING'S FRAMEWORK

ING BUSINESS PRINCIPLES

The ING Business Principles express what ING holds dear, what ING believes in and what ING aims for. Individually, each principle is equally important, and taken as a whole, they form ING's collective conscience. As such, they are the foundation of ING's strategy, culture, day-to-day work and of this Framework.

The ING Business Principles:

[1] We act with integrity: showing fair, honest and lawful behaviour so we continue to earn our stakeholders' trust;
[2] We are open and clear: saying what we mean, meaning what we say and listening carefully;
[3] We respect each other: we value diverse thinking and respect human rights;
[4] We are socially and environmentally responsible: we will do no harm and seek positive change through our products, people and activities.

2.0 THE THREE LINES OF DEFENCE TO MANAGE COMPLIANCE RISK

Both internal and external regulation shape the risk environment in which ING operates. Our three lines of defence risk management model helps us mitigate these risks; it applies to all businesses across ING. This model is essential for the effective operation of the Framework.

ING manages its Compliance Risks using three lines of defence: Business Management, the Compliance Risk Management Function and Corporate Audit Services. The three lines of defence model distinguishes among functions that own and manage risks, functions that oversee risks and functions that provide independent assurance.

1. Business Management, the first line of defence, develops and implements mitigation activities, including monitoring and reporting, for managing Compliance Risks in business activities. Local level managers manage risk day-to-day; they bear the consequences of losses.

2. The Compliance Risk Management Function, the second line of defence, partners with Legal to identify relevant Compliance Risk-related laws, regulations and standards. It translates the laws into compliance obligations and assists Management to identify its Compliance Risks. It helps Management to identify activities to mitigate the risk based on the Executive Board's risk appetite, monitors Local level Management's control of Compliance Risks and advises Management on compliance risk management matters. It works with other second line of defence functions to provide objective challenge and support, escalating matters when necessary to help optimise the trade-off between risk and reward. The second line of defence serves in an advisory role as the business designs, implements and embeds business procedures, tracks internal mitigation activities, plans and executes training and executes other Framework activities.

3. ING's Corporate Audit Services, the third line of defence, provides Management with independent, objective assurance on the overall effectiveness of the design and operation of internal controls (mitigation activities and tracking and monitoring activities performed by the first and second lines of defence).

3.0 THE FRAMEWORK IN OUR BUSINESS

ING Group operates in a complex, international regulatory environment with local and international compliance obligations. ING aims to comply with the letter and spirit of our obligations, in our employees' conduct and in our systems and processes. To achieve this ING utilises a framework to manage Compliance Risk.

COMPLIANCE RISK MANAGEMENT FRAMEWORK

The Framework consists of three key components: the Compliance Chart, Advisory Services and Scorecard. The Compliance Chart reflects the key activities performed by a business unit to understand and manage its Compliance Risks. Advisory Services, which impacts all components and activities of the Framework, is the mechanism that ensures that the business receives specialised support and advice to help manage its Compliance Risks more effectively. The Scorecard is a tool that allows a business to measure its progress towards effective compliance risk management. The Framework documents must be translated from the local language into English (if applicable).

[Figure: The Chart, a cycle of five activities (A Identification of Compliance Risk Obligations, B Risk Assessment, C Compliance Risk Mitigation, D Compliance Risk Monitoring, E Compliance Risk Reporting), together with Advisory & Scorecard]

4.0 THE KEY COMPONENTS OF FRAMEWORK AND THE KEY ACTIVITIES OF THE CHART

4.1 THE CHART AND THE FIVE KEY ACTIVITIES

For Local levels, the Compliance Chart ("Chart") is a vital part of the Framework as it is a snapshot of the compliance obligations and risks arising from local and international laws and ING Group requirements that apply to its business. It also outlines how the business manages those obligations and risks. The Chart is an output from five key activities carried out in accordance with the requirements of the Framework.

The Chart provides an overview of the relevant local and international laws, regulations and standards as they relate to a business's operations. It also outlines, in terms of Compliance Risk, how compliance risk mitigation activities are embedded in business processes. In other words, how compliance with the laws, regulations and standards is embedded and ensured. It helps a business meet its compliance obligations to customers, regulators, shareholders and employees because it centralises important information.

ACTIVITIES

[A] Identification of Compliance Obligations
[B] Risk Assessment
[C] Compliance Risk Mitigation (includes Training and Education)
[D] Compliance Risk Monitoring (includes Action Tracking)
[E] Compliance Risk Reporting (includes Incident Management)

The Chart must contain the following:

1. Reference to the key compliance-related laws, regulations, industry standards and ING policies and standards;
2. Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
3. Inherent and managed risk assessment (critical, high, medium, low) of the identified obligations;
4. The business processes to which the compliance obligations are linked or on which they have an impact;
5. Specific compliance risk mitigation activities and compliance risk monitoring for managing the compliance obligations;
6. To whom and how frequently compliance-related results and findings are reported;
7. Clear ownership of the processes, activities and obligations outlined in the Chart.

The Chart must be as practical, brief and concise as possible, and it must link specifically to existing and newly identified business activities.

MANAGEMENT MUST

1. Help the Compliance Officer develop and update the Chart by clearly identifying the principal business activities and relevant processes affected by the obligation(s);
2. Identify the individuals having managerial accountability for, and accountability for executing, the activities outlined in the Chart;
3. Formally approve the Chart;
4. Notify the Compliance Officer of any changes to products, activities or governance structures.

COMPLIANCE OFFICERS MUST

1. Develop and maintain a Chart for the business with assistance from Local level Management;
2. Demonstrate that all components of the Chart have been discussed with and formally approved by the business;
3. Report material changes to Local level Management and to the next higher level Compliance Officer and regulators where required.

4.1.1 IDENTIFICATION OF COMPLIANCE OBLIGATIONS

The Chart must be kept up to date. The Chart must reflect the compliance obligations and associated risks that arise based on policies issued by ING Group, international and local laws, regulations and standards that apply to a business's activities. Obligations communicate to the business what it should or should not do. Inclusion of obligations should be risk-based.

Where there is a policy issued by ING Group, research must be conducted to identify whether additional or different local or international obligations exist. If a conflict between policies issued by ING Group, local law and/or international law arises, the appropriate obligation must be identified and the conflict must be resolved. Where the obligations of local laws or regulations impose greater or more stringent requirements than those included in a policy issued by ING (or if the opposite situation exists), the more stringent obligations must prevail.

LEGAL FUNCTION MUST

1. Proactively identify new and changed relevant local laws, regulations and standards in addition to those laws, regulations and standards identified by ING's Legal functional line, and advise the Compliance Officer of these in writing;
2. Review compliance-related policies issued by ING Group and determine whether additional or different obligations, local or international regulations or standards apply and communicate any additional requirements to the Compliance Officer in writing;
3. Work together when there is a conflict between policies issued by ING Group, local law and/or international law to identify the relevant obligations; approve, in writing, the agreed upon resolution and identified compliance obligation(s);
4. Confirm by signature, at least annually, that the relevant laws and regulations are accurately reflected in the Chart;
5. Review the validity of the compliance obligations in the Chart and sign off at least annually and more frequently, if required.

MANAGEMENT MUST

1. Identify, with the Compliance Officer, Compliance Risks that arise from the compliance obligations.

COMPLIANCE OFFICERS MUST

1. Translate compliance-related rules, laws and regulations into compliance obligations;
2. Enter compliance obligations in the Chart;
3. Identify, with Management, the Compliance Risks that arise from the compliance obligations;
4. Work with Legal when there is a conflict between policies issued by ING Group, local law and/or international law to identify the correct Compliance obligation(s);
5. Ensure agreed upon Compliance obligation(s) and resolution(s) appear in the Chart.

INTEGRATED RISK ASSESSMENT

Integrated Risk Assessment Process (IRAP), an ongoing process, follows identification of compliance obligations. The first step includes risk ranking the obligations identified for inclusion in the Chart to determine if there are current or anticipated critical, high, medium or low Compliance Risks for the business. This includes an analysis of both the inherent and residual Compliance Risks of the identified compliance obligations.

There are two types of risk assessments that can be performed. The outcomes of the risk ranking determine the type of risk mitigation, first line tracking and second line monitoring to effectively manage the Compliance Risk.

DETAILED RISK ASSESSMENT / HIGH LEVEL RISK ASSESSMENT

The risk ranking and the detailed risk assessment results are required inputs for the annual integrated high level risk assessment conducted by Operational Risk Management ("ORM"). To ensure that the business operates effectively and efficiently, current and anticipated critical and high Compliance Risks must be included in the high level risk assessment process. The outcome of the risk assessment is the high level risk assessment report.

Reports from the detailed and high level risk assessments must include key Compliance Risks, with existing or approved risk mitigation activities. Reports must be discussed and signed off in accordance with the ORM procedure [6]. Risk assessment techniques can be a combination of desk assessments, interviews and/or workshops; however they should be aligned with the ORM procedure.

To ensure that risk is properly rated and mitigated, a detailed risk assessment may be appropriate, particularly when further input is needed from either support functions and/or to manage certain current and anticipated critical and high risk areas. To avoid duplication, this process should be aligned with assessments initiated by other Risk Management functions.

[6] Risk Assessment requirements and procedure are only available internally.

MANAGEMENT MUST

1. Participate in all high level risk assessments and, on request, detailed risk assessments;
2. Work with the Compliance Officer and the Legal function to rate the current and anticipated critical and high Compliance Risks and mitigation activities for inclusion in the assessments;
3. Work with the Compliance Officer to prioritise the current and anticipated Compliance Risks for discussion in the high level risk assessment;
4. Approve the proposed risk assessment technique(s) to be used;
5. Approve the outcome of risk assessments;
6. Inform the Compliance Officer of any changes that may impact Compliance Risks in the business.

COMPLIANCE OFFICERS MUST

1. Ensure, on behalf of Management, Compliance Risks are included in the risk assessment process;
2. Participate in all high level risk assessments and, when appropriate, detailed risk assessments;
3. Rate and rank, in cooperation with the Legal function and Management, the current and anticipated critical and high Compliance Risks and mitigation activities for inclusion in the assessments;
4. Approve the proposed risk assessment technique(s) to be used;
5. Participate in or conduct detailed risk assessments when further input is required or when needed;
6. Ensure reports from risk assessments include required compliance-related information;
7. At least annually, review, update or confirm the Compliance Risks accepted in previously executed high level risk assessments and determine if further detailed risk assessments should be undertaken.

COMPLIANCE RISK MITIGATION

Compliance risk mitigation is the process of developing and implementing controls such as standards, policies, procedures and guidelines to prevent or minimise Compliance Risks.

From time to time, ING Group, or a business line or region, may issue a policy that must be implemented at the Local level. If an ING Group, business line or regional policy does not encompass local obligations, a local policy to facilitate the effective management of the identified Compliance Risk must be developed.

Framework components, policies and procedures must be developed and communicated so employees understand their obligations (e.g. Whistleblower, complaints handling, gifts, entertainment and anti-bribery procedures, etc.). All documentation must be easily accessible to employees. Maintenance of the material can be in the form of a manual, handbook or other physical or electronic means.

MANAGEMENT MUST

1. Within the time agreed with the Compliance Officer, establish and implement specific, appropriate activities to mitigate Compliance Risk in business processes;
2. Ensure that procedures and processes are drafted and distributed;
3. Ensure that the business meets its obligations and embeds activities to mitigate risk in business activities;
4. Work with the Compliance Officer to ensure that Framework components, policies and procedures are presented in a way that employees at all levels can access and understand;
5. Take the measures necessary to ensure that employee behaviour conforms to the Framework (compliance related policies and procedures, including the ING Business Principles);
6. Include in all job descriptions and conditions of employment that the employee is responsible and will be held accountable for meeting their compliance obligations.

COMPLIANCE OFFICERS MUST

1. Advise Local level Management about compliance obligations;
2. Assist Management to identify risk mitigation activities;
3. Assess any Group, business line or regional Compliance Policy, particularly its appropriateness, to determine whether the policy encompasses local obligations;
4. Develop a local policy when a Group, business line or regional Compliance Policy does not include local obligations;
5. Raise issues to Management that may have an impact on the suitability of existing mitigation activities;
6. Monitor that Framework components, policies and procedures are developed and communicated so employees understand their obligations;
7. Establish and maintain compliance department information and procedures that the Compliance Officer uses, such as a department organisation chart and Compliance Officer responsibilities; such information may be integrated into the Chart, incorporated in the form of a manual or maintained in other physical or electronic means.

TRAINING AND EDUCATION

A strong compliance risk management training and education programme reinforces ING's compliance culture. It builds awareness and understanding of compliance risk management standards, procedures, guidelines and issues. Specifically, it should build awareness and understanding of:

- ING's Framework, including the four conduct-related integrity risk areas;
- Roles and responsibilities outlined in the Charter and Framework;
- Critical and high compliance obligations identified in the Chart;
- The process for addressing compliance issues and reporting concerns;
- Consequences of failing to meet compliance obligations.

An annual plan for compliance-related training and education must be developed and updated, as necessary. Compliance risk management training programmes should, to the extent possible, be integrated into existing training programmes and plans.

Plans for compliance training and education programmes include:

1. Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
2. The business processes to which the compliance obligations are linked or on which they have an impact;
3. Brief description of the training or education activity;
4. Target audience (refresher for existing employees, induction for new employees, or ad-hoc when required);
5. Frequency of training or education activity;
6. Whether an assessment is required; and
7. Person to Act (PTA).

Updates to the training programme or materials must include Lessons Learned.

MANAGEMENT MUST

1. Develop training programmes and an annual plan for compliance-related training and education;
2. Ensure delivery of compliance-related training at entry, and regularly refresh knowledge, including new subjects, so all employees receive the training and education they need to fulfil their roles;
3. Ensure the execution of compliance-related training and education, and maintain attendance and assessment records.

COMPLIANCE OFFICERS MUST

1. Assist the Training department and/or other department identified by Management in developing, maintaining and executing an annual plan for compliance risk management training and education;
2. Serve as a content expert for compliance-related training material;
3. Monitor the quality and frequency of the training.

COMPLIANCE RISK MONITORING

Compliance risk monitoring makes it possible for the business to test if its risk mitigation activities are working properly and to identify new or changed risks.

The plan for monitoring must be documented and updated annually and more frequently based on other Framework activities and monitoring results. The plan must address:

- Critical and high Compliance Risks, focusing on inherent and managed risk levels;
- Key compliance risk mitigation activities;
- Routine business transactions to which compliance obligations or risks are associated;
- The implementation/embedding of the Framework and all policies issued by the ING Corporate Compliance Risk Management department;
- Compliance with the laws, regulations and standards included in the Chart, including the ING Business Principles;
- Monitoring obligations that have been delegated to the Compliance Risk Management Function (e.g. Outsourcing-related obligations). [7]

The plan for monitoring must include:

1. Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
2. The business processes to which the compliance obligations are linked or on which they have an impact;
3. Specific compliance risk mitigation activities for managing the compliance obligations;
4. The first line tracking (ongoing tracking as part of the normal course of business activities), second line monitoring (health check performed by Compliance Officers) and third line assurance (independent review performed by CAS) for efficiency and/or effectiveness of first and second line activities;
5. Brief description of tracking and monitoring activities;
6. Frequency of tracking and monitoring activities;
7. Recipient(s) of the tracking and monitoring reports; and
8. Persons to Act (PTA).

[7] A list of the delegated obligations can be found in the ING Group Compliance Risk Management Delegated Responsibilities Register, which is only available internally.

The plan may be integrated into the Chart or may be a stand-alone document.

MANAGEMENT MUST

1. Establish and execute first line of defence (business) tracking and report deficiencies to the Compliance Officer;
2. Provide to the Compliance Officer a document that outlines the first line tracking activities and the persons accountable for executing the tracking activities for inclusion in the monitoring plan;
3. Work with the Compliance Officer to ensure appropriate evaluation of the first line tracking activities;
4. Within the time agreed with the Compliance Officer, address issues that arise out of first line of defence (business) tracking and second line of defence (compliance) monitoring;

COMPLIANCE OFFICERS MUST

1. Work with the business to document an annual plan for monitoring (updated as required and based on other Framework activities and monitoring results);
2. Establish second line of defence monitoring activities;
3. Submit the plan for monitoring to Management and the next higher level Compliance Officer for approval;
4. Execute second line of defence monitoring and report deficiencies to Management and the next higher level Compliance Officer.
5. For all lines of defence, ensure adequate resources for executing an appropriate plan.

ACTION TRACKING

Action tracking is a process used to ensure the visibility and resolution of compliance incidents and other compliance-related findings and issues. Compliance-related findings and issues include:

- Actions identified by Management in its day-to-day operations and from first line of defence (business) tracking;
- Actions coming from second line of defence monitoring and other Framework activities;
- Internal/external audit or regulatory findings and related actions.

In accordance with the Operational Risk Management procedure [8], internal/external compliance-related audit or regulatory findings and related actions must be recorded in AO Scan. Action tracking in AO Scan may be delegated to Operational Risk Management. All other findings and issues can also be recorded in AO Scan. However, if AO Scan is not used for other findings and issues, a process must be created for managing the additional findings and issues. The process must include:

1. Recording the finding or issue;
2. The mitigation activity (or activities) to be corrected or implemented;
3. The person to act (PTA); and
4. Due Date.

MANAGEMENT MUST

1. Ensure compliance-related items are recorded in AO Scan or by means of other tracking process;
2. Resolve identified issues in a sustainable manner within agreed deadlines;
3. Provide the Compliance Officer with status updates on open compliance-related items until the issues are resolved;
4. Incorporate, with the Compliance Officer, lessons learned into the components and activities of the Framework (e.g. risk mitigation, Chart, etc.).

COMPLIANCE OFFICERS MUST

1. Monitor all compliance-related findings and issues until they are resolved;
2. Verify that items and issues delegated to ORM for tracking in AO Scan have been appropriately resolved;
3. Create a process for tracking and managing other types of issues and findings when AO Scan is not used;
4. Incorporate, with Management, lessons learned into the components and activities, as appropriate, of the Framework (e.g. risk mitigation, Compliance Chart, etc.);
5. Ensure resolution of, or escalate to Management and the next higher level Compliance Officer, unaddressed or overdue items.

[8] Only available internally.


Sub-section Content. 1 Formalities - Post title: Risk Consultant - Reports to: Head of Group Risk - Division: xxx - Location: xxx

Sub-section Content. 1 Formalities - Post title: Risk Consultant - Reports to: Head of Group Risk - Division: xxx - Location: xxx Sub-section Content 1 Formalities - Post title: Risk Consultant - Reports to: Head of Group Risk - Division: xxx - Location: xxx 2 Job Purpose - To support the implementation of an Enterprise Risk Management

More information

Revised May 2007. Corporate Governance Guideline

Revised May 2007. Corporate Governance Guideline Revised May 2007 Corporate Governance Guideline Table of Contents 1. INTRODUCTION 1 2. PURPOSES OF GUIDELINE 1 3. APPLICATION AND SCOPE 2 4. DEFINITIONS OF KEY TERMS 2 5. FRAMEWORK USED BY CENTRAL BANK

More information

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE STAATSKOERANT, 19 DESEMBER 2014 No. 38357 3 BOARD NOTICE NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE LONG-TERM INSURANCE ACT, 1998 (ACT NO. 52

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

Operational Risk Management Program Version 1.0 October 2013

Operational Risk Management Program Version 1.0 October 2013 Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Council Meeting Agenda 27/07/15

Council Meeting Agenda 27/07/15 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

La Trobe University is committed to maintaining a comprehensive and effective Compliance Framework.

La Trobe University is committed to maintaining a comprehensive and effective Compliance Framework. La Trobe University Compliance Framework Introduction The Compliance Framework documents the system and Compliance Process through which La Trobe University can monitor, review and comply with its legislative

More information

The NHS Foundation Trust Code of Governance

The NHS Foundation Trust Code of Governance The NHS Foundation Trust Code of Governance www.monitor-nhsft.gov.uk The NHS Foundation Trust Code of Governance 1 Contents 1 Introduction 4 1.1 Why is there a code of governance for NHS foundation trusts?

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

Audit and risk assurance committee handbook

Audit and risk assurance committee handbook Audit and risk assurance committee handbook March 2016 Audit and risk assurance committee handbook March 2016 Crown copyright 2016 This publication is licensed under the terms of the Open Government Licence

More information

1.2 The conduct of the Board is also governed by the Company's Constitution (Constitution).

1.2 The conduct of the Board is also governed by the Company's Constitution (Constitution). 1. Purpose of the Charter 1.1 This Board Charter (Charter) sets out the role, composition and responsibilities of the Board of Directors of Atlantic Ltd (Atlantic or Company) within the governance structure

More information

Principles for An. Effective Risk Appetite Framework

Principles for An. Effective Risk Appetite Framework Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective

More information

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES First Edition July 2005 Hong Kong Contents Glossary...2 Introduction to Standards...4 Interpretation Section...6

More information

Risk Management. Group Standard

Risk Management. Group Standard Group Standard Risk Management Effective risk management allows Serco to improve customer service, maximize opportunities and reduce business loss from overruns and cost from risks that materialise SMS

More information

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS 2 PROPOSAL 1.1 It is now widely recognised that one of the causes of the international financial

More information

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES Issued: 15 March 2005 Revised: 25 April 2014 1 P a g e List of Revision Revision Effective Date 1 st Revision 23 May 2011 2 nd Revision 16

More information

(Effective as of December 15, 2009) CONTENTS

(Effective as of December 15, 2009) CONTENTS INTERNATIONAL STANDARD ON QUALITY CONTROL 1 QUALITY CONTROL FOR FIRMS THAT PERFORM AUDITS AND REVIEWS OF FINANCIAL STATEMENTS, AND OTHER ASSURANCE AND RELATED SERVICES ENGAGEMENTS (Effective as of December

More information

Audit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee

Audit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee Audit Committee Dear Shareholder, We are satisfied that the business has maintained robust risk management and internal controls, supported by strong overall governance processes, and that management have

More information

CORPORATE GOVERNANCE - BOARD CHARTER PART A DEFINING GOVERNANCE ROLES

CORPORATE GOVERNANCE - BOARD CHARTER PART A DEFINING GOVERNANCE ROLES CORPORATE GOVERNANCE - BOARD CHARTER PART A DEFINING GOVERNANCE ROLES 1. ROLE OF THE BOARD 1.1 Function The Board of Directors of Exalt Resources Limited have approved the following charter formalising

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

Health and Safety Management Standards

Health and Safety Management Standards Health and Safety Management Standards Health and Safety Curtin University APR 2012 PAGE LEFT INTENTIONALLY BLANK Page 2 of 15 CONTENTS 1. Introduction... 4 1.1 Hierarchy of Health and Safety Documents...

More information

INTERNAL AUDIT FRAMEWORK

INTERNAL AUDIT FRAMEWORK INTERNAL AUDIT FRAMEWORK April 2007 Contents 1. Introduction... 3 2. Internal Audit Definition... 4 3. Structure... 5 3.1. Roles, Responsibilities and Accountabilities... 5 3.2. Authority... 11 3.3. Composition...

More information

A Best Practice Guide

A Best Practice Guide A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals

More information

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter Board of Directors Meeting 12/04/2010 Document approved Operational Risk Management Charter Table of contents A. INTRODUCTION...3 I. Background...3 II. Purpose and Scope...3 III. Definitions...3 B. GOVERNANCE...4

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Revised: October 2012 i Table of contents Attribute Standards... 3 1000 Purpose, Authority, and Responsibility...

More information

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - . Board Charter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1. Interpretation 1.1 In this Charter: Act means the Companies

More information

Introduction from Chairman... 3. Chairman Role Profile... 4. Charter of Expectations... 6. Deputy Chairman Role Profile... 7

Introduction from Chairman... 3. Chairman Role Profile... 4. Charter of Expectations... 6. Deputy Chairman Role Profile... 7 Charter of Expectations and Role Profiles Barclays Corporate Secretariat Approved by the Board on 14 November 2013 Table of Contents Page Introduction from Chairman... 3 Chairman Role Profile... 4 Charter

More information

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER KING III CORPORATE GOVERNANCE REGISTER CHAPTER 1: ETHICAL LEADERSHIP AND CORPORATE CITIZENSHIP NON 1.1. The board should provide effective leadership based on an ethical foundation 1.2. The board should

More information

How To Ensure That A Quality Control System Is Working Properly

How To Ensure That A Quality Control System Is Working Properly HKSQC 1 Issued June 2009; revised July 2010, May 2013, February 2015 Effective as of 15 December 2009 Hong Kong Standard on Quality Control 1 Quality Control for Firms that Perform Audits and Reviews of

More information

Risk Management. Policy

Risk Management. Policy Policy Risk Management Endorsed: 26 February 2014 Brief description The GPC Risk Management Policy and its supporting standards and procedures provide a framework to ensure that risks arising from our

More information

RMBC s Governance Framework for Significant Partnerships

RMBC s Governance Framework for Significant Partnerships RMBC s Governance Framework for Significant Partnerships 1.0 Introduction 1.1 Corporate governance describes how organisations direct and control what they do. For a council, this includes how it relates

More information

Job Description Payments Service Centre Specialist Band 7

Job Description Payments Service Centre Specialist Band 7 Job Description Payments Service Centre Specialist Band 7 Post: Payments Service Centre Specialist Band: 7 Location: Braid Valley Hospital Site, Ballymena (although this may initially be based in Belfast)

More information

The Compliance Universe

The Compliance Universe The Compliance Universe Principle 6.1 The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards This practice note is intended

More information

Fraud Risk Management Procedures

Fraud Risk Management Procedures Fraud Risk Management Procedures 1. Introduction KCE Electronics Public Company Limited ( KCE or the Company ) is committed to achieving the highest levels of business integrity, morals and transparency

More information

Lexcel England and Wales v6 Guidance notes for legal practices Excellence in practice management and client care. 2015 The Law Society.

Lexcel England and Wales v6 Guidance notes for legal practices Excellence in practice management and client care. 2015 The Law Society. Excellence in practice management and client care 2015 The Law Society. Contents Introduction...3 PART ONE - GUIDANCE AGAINST LEXCEL STANDARD REQUIREMENTS... 4 1 - Structure and strategy... 4 2 - Financial

More information

Preparation of a Rail Safety Management System Guideline

Preparation of a Rail Safety Management System Guideline Preparation of a Rail Safety Management System Guideline Page 1 of 99 Version History Version No. Approved by Date approved Review date 1 By 20 January 2014 Guideline for Preparation of a Safety Management

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

APPENDIX 50. Enterprise risk management - Risk management overview

APPENDIX 50. Enterprise risk management - Risk management overview APPENDIX 50 Enterprise risk management - Risk management overview Energex regulatory proposal October 2014 ENTERPRISE RISK MANAGEMENT Risk Management Overview (RMO) 06 11 2013 Table of Contents 1. INTRODUCTION...

More information

Canada Media Fund/Fonds des médias du Canada

Canada Media Fund/Fonds des médias du Canada Canada Media Fund/Fonds des médias du Canada Statement of Corporate Governance Principles I. Introduction The Corporation s mandate is to champion the creation of successful, innovative Canadian content

More information

RISK MANAGEMENT STRATEGY 2014-17

RISK MANAGEMENT STRATEGY 2014-17 RISK MANAGEMENT STRATEGY 2014-17 DOCUMENT NO: Lead author/initiator(s): Contact email address: Developed by: Approved by: DN128 Head of Quality Performance Julia.sirett@ccs.nhs.uk Quality Performance Team

More information

The Role of Compliance and Supervision. Rules Notice Guidance Note Dealer Member Rules. Introduction

The Role of Compliance and Supervision. Rules Notice Guidance Note Dealer Member Rules. Introduction Rules Notice Guidance Note Dealer Member Rules Please distribute internally to: Corporate Finance Credit Institutional Internal Audit Legal and Compliance Operations Registration Regulatory Accounting

More information

PM Governance. Executive Team ADCA ADCA

PM Governance. Executive Team ADCA ADCA Item 6.5a Action Plan against the Recommendations Made in the Review of Risk Management Arrangements by PM Governance, November 2014 Key: PM Governance Paul Moore, Risk Consultant ADCA Associate Director

More information

How To Be Accountable To The Health Department

How To Be Accountable To The Health Department CQC Corporate Governance Framework Introduction This document describes the components of CQC s Corporate Governance Framework: what it is intended to achieve, what the components of the Framework are

More information

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS KINGDOM OF SAUDI ARABIA Capital Market Authority CREDIT RATING AGENCIES REGULATIONS English Translation of the Official Arabic Text Issued by the Board of the Capital Market Authority Pursuant to its Resolution

More information

CORPORATE GOVERNANCE STATEMENT

CORPORATE GOVERNANCE STATEMENT CORPORATE GOVERNANCE STATEMENT EMECO HOLDINGS LIMITED (ACN 112 188 815) For the year ended 30 June 2015 Emeco Holdings Limited (Company or Emeco) has followed each of the principles and recommendations

More information

Reputation, Brand & Communications

Reputation, Brand & Communications Group Standard Reputation, Brand & Communications Serco is committed to building a positive reputation with its stakeholders, wherever we operate SMS-GS-BC4 Reputation, Brand and Communication December

More information

POSITION DESCRIPTION. Role Purpose. Key Challenges. Key Result Areas

POSITION DESCRIPTION. Role Purpose. Key Challenges. Key Result Areas POSITION DESCRIPTION Position Title Manager, Technical Services Support Position Number Reports to Manager Technology Services Functional Auth HRM Auth Region IT Services Centre Head Office Date Feb 2011

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;

More information

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES 20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal

More information

INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3

INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3 June 2007 Table of Contents INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3 3 Standard 1: Statement of purpose 3 Standard 2: Written guide to the adoption service for

More information

MFDA STAFF NOTICE THE ROLE OF COMPLIANCE AND SUPERVISION

MFDA STAFF NOTICE THE ROLE OF COMPLIANCE AND SUPERVISION Contact: Paige Ward General Counsel and Vice-President, Policy Phone: (416) 943-5838 Email: pward@mfda.ca MSN-0057 December 5, 2006 (Revised February 6, 2013) MFDA STAFF NOTICE THE ROLE OF COMPLIANCE AND

More information

THE BOARD SUBSCRIBES TO ETHICAL LEADERSHIP, BUSINESS SUSTAINABILITY, STAKEHOLDER INCLUSIVITY AND SOUND VALUES OF GOOD CORPORATE GOVERNANCE.

THE BOARD SUBSCRIBES TO ETHICAL LEADERSHIP, BUSINESS SUSTAINABILITY, STAKEHOLDER INCLUSIVITY AND SOUND VALUES OF GOOD CORPORATE GOVERNANCE. C O R P O R A T E G O V E R N A N C E R E P O R T THE BOARD SUBSCRIBES TO ETHICAL LEADERSHIP, BUSINESS SUSTAINABILITY, STAKEHOLDER INCLUSIVITY AND SOUND VALUES OF GOOD CORPORATE GOVERNANCE. It recognises

More information