Corporate governance

PKO Bank Polski strives for continuous improvement of corporate governance and ensures transparency in the management of the company. The management structure of the bank and its subsidiaries is based on standard, market-based management principles that reflect the areas of the bank's activities.
PKO Annual Report Online 2020

Statement of compliance with corporate governance

The bank has adopted for application the principles and recommendations contained in the set of Best Practice for WSE Listed Companies 2016, with the reservation that recommendation IV.R.2, which concerns enabling shareholders to participate in the General Shareholders’ Meeting by means of electronic communication, will not be applied in full. The bank applies recommendation IV.R.2 only in the part concerning the real-time broadcast of General Shareholders’ Meetings.

The bank publishes information on the application of recommendations and principles included in the Best Practices. Such information is prepared on the form provided by the Warsaw Stock Exchange and shows the detailed status of compliance or non-compliance with each of the recommendations and principles of the Best Practices. The bank also discloses reports related to possible and incidental non-application of any of the rules contained therein.

In 2020, the bank incidentally violated rule II.Z.11 of the Best Practices, which indicates that the Supervisory Board must consider and give its opinion on matters to be the subject of resolutions of the General Shareholders’ Meeting.

In connection with this fact, pursuant to § 29 section 3 of the WSE Rules, the bank published a report regarding an incidental breach of the above-mentioned rule. The bank indicated that the breach consisted in the bank Supervisory Board’s failure to express an opinion on the draft resolutions of the bank’s General Shareholders’ Meeting in connection with the drafts sent by the bank’s shareholder two days before the meeting. It became impossible to express an opinion on the drafts sent, due to the very short time for the Supervisory Board to make a formal decision.


Compliance with the recommendations contained in the Best Practices

The bank’s overriding aim regarding information activities is to guarantee high standards of communication with the participants of the capital market, which are a sign of respect for the principles of universal and equal access to information. To achieve this aim, the bank pursues its information policy in a manner that ensures proper, reliable and complete access to information about the bank for all investors, with no preferences as regards any of them. The bank has formally adopted these rules in the “Principles of the information policy of PKO Bank Polski regarding contacts with investors and customers”.

While implementing this policy, the bank takes special care to enable investors and analysts to ask questions and obtain explanations on issues of interest to them. To this end, cyclical individual meetings of investors with bank representatives are organized, as well as conferences connected with the presentation of the bank (among investors and capital market analysts) and conferences and teleconferences every time immediately after the publication of interim reports of PKO Bank Polski (in 2020 due to the pandemic mainly in electronic form using available applications). Answers to investors' questions are provided on an ongoing basis in writing, by e-mail or by telephone.

In order to inform the market about the situation of PKO Bank Polski as soon as possible, the financial results are promptly published after the end of the reporting period. The successive shortening of publication deadlines in this respect was disrupted in 2020 by the need to determine the impact of the pandemic on the results of the bank and the group. The bank also has recommended internal regulations with regard to providing explanations and rectifications relating to untrue, imprecise or harmful information in the media. Within the framework of its widely understood information policy, the bank describes the major policies in respect of its sponsorship and charitable activities in the annual Directors’ Report.

As a confirmation of the quality of the bank’s information activities, the bank was ranked third by institutional investors and analysts in the largest survey in Poland of WIG30 companies whose investor relations communicate best with the market, prepared by Parkiet magazine and the Chamber of Brokerage Houses.

Members of the bank’s Management Board and Supervisory Board are appointed in a manner allowing for the selection of persons having high qualifications and experience. This is reflected in the suitability assessment policies for members of both these authorities adopted by the bank in 2020. These policies are implemented at the bank taking into account the principle of diversity of members of both the Management Board and the Supervisory Board. The diversity principle is designed to ensure that members of the Management Board or the Supervisory Board are appropriately selected to obtain a broad range of competences, knowledge and skills that are adequate for the position and guarantee that the members of the Management Board or the Supervisory Board, individually and as a body, issue independent opinions and decisions on the whole range of the bank’s activities. The principle of diversity of selection is based on objective substantive criteria in terms of education and professional experience. Should the need arise, the bank provides the Supervisory Board with professional, independent advisory services.

Both members of the Management Board and Supervisory Board devote the necessary amount of time to perform their duties. Attendance at meetings of the Supervisory Board is high, and absences are justified in resolutions of the Supervisory Board. Serving on the bank’s Management Board is the main area of activity for the members of this body, while membership on the bodies of other entities mainly involves supervisory functions in the companies of the group.

The bank’s Supervisory Board, as part of succession management, makes decisions regarding the selection of new members of the bank’s Management Board keeping in mind the objective to ensure continuity in decision making with regard to the area of the bank’s operations supervised by a given member of the bank’s Management Board and the entire Management Board of the bank. Following this principle, since the term of office of the Board of Executives expired in mid-2020, the Supervisory Board selected the members of this body well in advance.

Under the bank’s Articles of Association, if the number of members of the Supervisory Board falls below 5, the bank is obliged to convene the General Shareholders’ Meeting in order to supplement the composition of the Supervisory Board.

The bank has separated, within its organizational structure, units responsible for the performance of tasks in particular systems and functions, especially units dealing with internal control, risk management and compliance. The main assumptions of the internal control system and risk management rules at the bank are available on the Investor Relations website under Auditor and internal control.

The bank aims to hold annual general meetings as soon as possible after the publication of the annual report. Over the past five years, this period has shortened by approximately one month. The exception is the date of the 2020 Annual General Meeting of the bank, which due to the pandemic fell at the end of August 2020. Each General Meeting is broadcast in real time.

The internal regulations of PKO Bank Polski guarantee compliance with the recommendations and principles included in the Best Practices. The bank has internal regulations regarding the management of conflicts of interest. According to those regulations, both a member of the Supervisory Board and a member of the Management Board should refrain from any professional or non-professional activity that could lead to a conflict of interests or otherwise have an adverse effect on their reputation as a member of the supervisory or management body. There are also rules regarding the obligation to disclose conflicts, abstaining from making decisions and excluding members of these bodies from participating in the consideration of issues with which a conflict of interest is connected.

The bank has a remuneration policy for members of the Supervisory Board and the Management Board currently adopted by the General Shareholders’ Meeting in 2020. According to the policy, the total remuneration of a member of the bank’s Management Board consists of a fixed part and a variable part. The variable remuneration depends on the level of achievement of management objectives such as: achieving the net financial result of the bank and the group, achieving the indicated economic and financial indicators, implementing the strategy of the bank and the group and maintaining the market position of the bank.

PKO Bank Polski also adopts rules on the remuneration of employees whose activities have a significant impact on the bank’s risk profile. The remuneration of key managers is directly linked to the bank’s financial situation and the growth of its value. The level of remuneration of members of the bank’s authorities and key managers is adequate to the scope of tasks entrusted to particular persons. The work in committees of the bank’s Supervisory Board is taken into account in the remuneration of the members of these committees.

The Nomination and Remuneration Committee, established within the bank’s Supervisory Board, operates in line with the conditions described in Annex I to the European Commission Recommendation 2005/162/EC on the role of non-executive or supervisory directors of listed companies and on the committees of the (supervisory) board.

PFSA's corporate governance principles for supervised institutions

The bank accepted for use the Principles of Corporate Governance for Supervised Institutions (adopted by the PFSA on 22 July 2014) with respect to the competences and obligations of the Management Board – managing the bank’s affairs and its representation, in compliance with the provisions of the law and the bank’s Articles of Association. Nevertheless, the bank assumed that paragraph 8, clause 4 of the Principles, insofar as it relates to allowing shareholders the possibility of participating electronically in the meetings of the decision-making authority, and Chapter 9 of the Principles, concerning the managing of assets at the customer’s risk, will not be applied; Chapter 9 is not applied because the bank does not conduct such activities.

The bank’s Supervisory Board adopted for use the Principles concerning the responsibilities and obligations of the Supervisory Board – supervising the conduct of the bank’s affairs in compliance with the generally binding laws and the bank’s Articles of Association.

In its resolution of 2015, the General Shareholders’ Meeting of the bank declared that, acting in line with its competences, it will follow the Principles, although it ruled out the application of the principles set out in:

  • § 8 clause 4 of the Principles on ensuring the possibility of the electronic participation of shareholders in meetings of a decision-making body,
  • § 10 clause 2 of the Principles on the introduction of personal rights or other special rights for shareholders,
  • § 12 clause 1 of the Principles on the responsibility of shareholders for immediate recapitalization of the supervised institution,
  • § 28 clause 4 of the Principles on assessing by a decision-making body whether the determined remuneration policy promotes the development and security of the supervised institution.

Waiving the application of the principle set out in § 8 clause 4 was in line with the prior decision of the General Shareholders’ Meeting of PKO Bank Polski of 30 June 2011. The decision was reflected in not adopting the resolution on amendments to the Articles of Association of the bank, the aim of which was to enable participation in the General Shareholders’ Meeting through electronic means of communication. The decision not to apply this principle was taken because of the legal and organizational-technical risks, which could jeopardize the proper conduct of the General Shareholders’ Meeting. The application of other Principles specified in the resolution of the General Shareholders’ Meeting was waived based on these proposals by an eligible shareholder of the bank – the State Treasury.

In accordance with the justification presented by the State Treasury together with the proposed draft resolution of the General Shareholders’ Meeting, waiving the application of the principle specified in §10 clause 2 and §12 clause 1 of the Principles was justified by the incomplete process of the bank’s privatization by the State Treasury.

Waiving the application of the principle set out in § 28 clause 4 was justified, in accordance with the motion of the State Treasury, by the excessive scope of the remuneration policy in question that would be subject to the assessment of the decision-making authority. In the opinion of the above-mentioned shareholder, the policy for remunerating employees who perform key functions but who are not members of the supervisory and management authorities should be assessed by the employer or the principal (the bank, represented by the Management Board, which is supervised by the Supervisory Board).

In 2021, an Evaluation of the Remuneration Policy’s Functioning in PKO Bank Polski in 2020 will be submitted to the General Meeting.

Management structure

The management structure of PKO Bank Polski and its subsidiaries is based on standard, market principles of management. The bank’s organizational structure is divided into 9 areas, which reflect the bank’s areas of operations:
  • 102-18
[Figure: diagram of the bank’s organizational structure]

A new organizational unit was set up in the Finance and Accounting Area in 2019 – the Group’s Integrated Reporting Office, whose tasks include collecting, analysing and disclosing information on social and environmental topics. This means that the environmental and social issues gained recognition in the management structure of the bank. At the beginning of 2020, the bank launched the ESG project. Its aim is to improve the quality of non-financial reporting and the bank’s reputation as an institution whose objectives are not limited to financial matters but also address the social, environmental and corporate governance areas. The project work is coordinated by the steering committee consisting of three Management Board members.

Principles for remunerating Management Board members

The system for remunerating members of the bank’s Management Board is regulated by:

  • Remuneration Policy for members of the Supervisory Board and the Management Board of the bank, approved by the resolution No. 35/2020 of the General Shareholders’ Meeting of the bank on 26 August 2020,
  • Remuneration Policy for employees of the bank and the PKO Bank Polski Group, approved by resolution No. 41/2020 of the bank’s Supervisory Board on 21 May 2020,
  • Principles of employment and remuneration of Members of the bank’s Management Board, adopted by the bank’s Supervisory Board in 2017 and amended by the resolutions of the bank’s Supervisory Board dated 12 August 2019 (No. 71/2019) and 25 June 2020 (No. 65/2020); the principles implement the provisions of the Act of 9 June 2016 on the terms of setting the remuneration of managers of certain companies (Journal of Laws of 2016, item 1202, as amended).

In accordance with these principles, members of the Management Board are entitled to:

  • fixed remuneration in the amount specified in the resolution of the Supervisory Board, separately for the President of the Management Board, member of the Management Board in charge of the risk management area who substitutes the President of the Management Board and the remaining Management Board members,
  • variable remuneration – additional remuneration awarded and paid after the performance appraisal period, in particular: bonuses, awards for special professional achievements, severance pay (excluding fixed remuneration and benefits awarded based on the applicable legal regulations).

Remuneration of Management Board members

Remuneration of members of the Management Board paid by PKO Bank Polski (in PLN thousand)

| Member | Fixed remuneration paid in 2020 | Variable remuneration for 2015-2019 paid in 2020: benefits paid in cash | Variable remuneration for 2015-2019 paid in 2020: share-based payments settled in cash | Other benefits 1) | Total remuneration paid and benefits provided in 2020 |
|---|---|---|---|---|---|
| Zbigniew Jagiełło | 793 | 388 | 632 | 63 | 1,876 |
| Rafał Antczak | 740 | 172 | 187 | 39 | 1,138 |
| Rafał Kozłowski | 740 | 159 | 204 | 39 | 1,142 |
| Maks Kraczkowski | 740 | 263 | 317 | 46 | 1,366 |
| Mieczysław Król | 740 | 266 | 329 | 47 | 1,382 |
| Adam Marciniak | 740 | 171 | 216 | 39 | 1,166 |
| Piotr Mazur | 766 | 316 | 496 | 55 | 1,633 |
| Jakub Papierski | 740 | 303 | 477 | 53 | 1,573 |
| Jan Emeryk Rościszewski | 740 | 255 | 313 | 46 | 1,354 |
| Management Board of the bank | 6,739 | 2,293 | 3,171 | 427 | 12,630 |
| Members of the Management Board who ceased to perform their functions in previous years | – | 281 | 729 | 28 | 1,038 |
| Total | 6,739 | 2,574 | 3,900 | 455 | 13,668 |
1) Payments to the Employee Pension Programme (PPE).
Values shown do not include refunds of overpaid Social Security contributions, which were disclosed under “Other received in 2019” in the report for 2019 as part of cash benefits.

Remuneration of the members of the bank’s Management Board from related entities (in PLN thousand)

| Member | 2020 | 2019 |
|---|---|---|
| Rafał Kozłowski 1) | 188 | 453 |
| Jan Emeryk Rościszewski | 29 | 85 |
| Total | 217 | 538 |
1) Presented values include the variable remuneration for 2016-2017 and 2015-2017 respectively for performing the function of the President of the Management Board of PKO Bank Hipoteczny.

The bank updates the rules for determining the variable components of remuneration on an ongoing basis. This is performed in accordance with the requirements of CRD IV and the Commission Delegated Regulation (EU) No 604/2014 of 4 March 2014 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards with respect to qualitative and appropriate quantitative criteria to identify categories of staff whose professional activities have a material impact on an institution’s risk profile. Variable remuneration components are awarded primarily based on bonus targets set within the framework of the Management by Objectives (MbO) programme.

Forms of variable remuneration:

| Amount of variable remuneration (gross) | Non-deferred variable remuneration (50% cash / 50% phantom shares) | Deferred variable remuneration (50% cash / 50% phantom shares) |
|---|---|---|
| Up to PLN 700 000 (inclusive) | 60% of the basic variable remuneration – in the first year following the assessment period | 40% of the basic variable remuneration – in equal instalments over the next years after the first year following the assessment period |
| Over PLN 700 000 | PLN 420 000 plus 40% of the amount exceeding PLN 700 000 | PLN 280 000 plus 60% of the amount exceeding PLN 700 000 |

The purpose of the targets set is to guarantee that the risk related to the activities of the bank is taken into account. Risk is reflected both by determining the appropriate risk-sensitive criteria for assessing the effectiveness of work, and reducing or withdrawing the variable remuneration component in the case of deteriorated financial results, loss or deterioration in other ratios. Variable remuneration components for a particular assessment period (calendar year) are awarded after settling the bonus targets. The deferral period for which the phantom shares are awarded equals 5 calendar years. Each of the components of accrued variable remuneration may be reduced as a result of:

  • breach of the obligations arising from the contract,
  • lack of compliance with the legal regulations or customer service standards,
  • improper performance of professional duties,
  • attitude towards other employees breaching social coexistence rules.

The bonus amount for a member of the Management Board (MBM) can be adjusted positively or negatively by a certain ratio, depending on the results achieved by the bank, as specified in the bank’s Annual Note (a set of key management indicators specified for a given calendar year). For an MRT (Material Risk Taker), who is not a member of the Management Board, it can be adjusted only positively by a certain ratio, depending on the results achieved by the bank, as specified in the bank’s Annual Note. The bank’s Supervisory Board or the Management Board respectively may apply a malus solution reducing the amount of the variable remuneration component due, deferred in subsequent settlement periods. This is possible due to:

  • a significant deterioration in the bank’s results,
  • a significant adverse change in equity,
  • MRT breaching the law or making serious errors,
  • adjustment of the achievement and degree of achievement of the results or targets of MRT,
  • deterioration in the performance of the areas supervised or managed by the aforementioned persons,
  • granting the variable remuneration component based on incorrect or misleading information or MRT fraud.

The remuneration policy for members of the bank’s Supervisory Board and Management Board does not provide for an obligation to pay back awarded and already paid out variable remuneration. The policy empowers the Supervisory Board to adopt additional provisions, inter alia, regarding the bank demanding the return of the variable remuneration (clawback). In the years 2019-2020, no such demand occurred.

In the case of severance pay related to dismissal (other than resulting from generally applicable laws), the amount reflects the performance assessment for the last three years of employment. The bank’s internal regulations stipulate the maximum amount of severance pay. A member of the Management Board shall be entitled to severance pay subject to fulfilling the function of member of the bank’s Management Board for at least twelve months before termination of the aforementioned contract. An MRT can receive the severance pay subject to being employed as an MRT for at least twelve months before termination of the employment contract.

Members of the Management Board and certain MRTs are additionally subject to non-competition agreements. These agreements provide for payment of compensation equivalent of up to 100% of the basic salary arising from the contract for refraining from employment in a competitive firm after termination of employment with the bank, for no more than six months.

In the first half of 2020, the bank amended the Rules for employment and remuneration of members of the bank’s Management Board, the Remuneration Policy for employees of the bank and the PKO Bank Polski Group, and the Rules for remunerating the bank’s employees whose activities have a material impact on the bank’s risk profile – Material Risk Takers in the bank. The bank did so in connection with the announcements of the European Banking Authority (EBA) of 31 March 2020 and the Polish Financial Supervision Authority (PFSA) of 17 April 2020 regarding the expected actions of banks and insurance companies in response to a pandemic outbreak, including those relating to the payment of variable remuneration components.

Changes in the proportion and dates of payment of variable remuneration

| Description | Amount arising from internal regulations | Amount arising from extraordinary resolutions adopted in 2020 |
|---|---|---|
| Proportion between non-deferred and deferred variable remuneration for 2019 | Non-deferred 60% 1), Deferred 40% | Non-deferred 40%, Deferred 60% |
| Proportion between variable remuneration for 2019 in cash / in the form of financial instruments | Cash 50%, Financial instrument 50% | Cash 40%, Financial instrument 60% |
| Date of payment of the amount arising from converting the phantom shares to a cash amount for non-deferred remuneration for 2019 in the form of a financial instrument | MBM: 2 January 2021; MRT: 15 November 2020 | MBM: 1 July 2021; MRT: 31 May 2021 |
| Date of payment of deferred variable remuneration with reference to outstanding instalments for the years 2016-2019 | MBM: cash 1 July, financial instrument 2 January; MRT: cash 30 April, financial instrument 15 November | MBM: cash 1 July (unchanged), financial instrument 1 July; MRT: cash 31 May, financial instrument 31 May of the next year |
1) In accordance with internal regulations, up to the amount of PLN 700 000 the proportion is 60% to 40%, and above this amount 40% to 60%.

 

In particular, the Remuneration Policy for employees of the bank and the PKO Bank Polski Group was amended. In the event of extraordinary and unforeseen circumstances requiring a conservative approach to variable remuneration, the bank may temporarily:

  • change the proportion of deferred and non-deferred variable remuneration in favour of increasing the deferred variable remuneration,
  • extend the deferral periods for payment of variable remuneration and extend the dates from which the base value of the variable remuneration is converted into the value of financial instruments, while the value of financial instruments will be the basis for the conversion of a financial instrument into cash to be paid,
  • change the proportion between variable remuneration in the form of cash and in the form of a financial instrument to increase the portion of variable remuneration in the form of a financial instrument.

In May 2020, the bank’s Management Board adopted a resolution regarding the payment in 2020 of variable remuneration components awarded to Material Risk Takers in the bank. In June 2020, the bank’s Supervisory Board adopted a resolution on approval of the amount of variable remuneration components to be paid to the Members of the bank’s Management Board in 2020. The resolutions of the Management Board and the Supervisory Board (in connection with the announcement of the COVID-19 epidemic in the country and the above-mentioned EBA and PFSA announcements) decided to change the proportion and payment dates of variable remuneration.

Since 1 July 2017, the principles for employment and remuneration of members of the bank’s Management Board have been adapted to the provisions of the Act of 9 June 2016 on the terms of setting the remuneration of managers of certain companies (Journal of Laws of 2016, item 1202, as amended). Following the change, members of the Management Board are not entitled to non-financial remuneration components.

Remuneration of Supervisory Board members

Monthly remuneration for the members of the bank’s Supervisory Board is determined by the Remuneration Policy for Members of the bank’s Supervisory Board and Management Board. Monthly remuneration of members of the Supervisory Board is determined as a product of the base salary referred to in Art. 1 (3) (11) of the Act of 9 June 2016 on the terms of setting the remuneration of managers of certain companies and the following multiplier: for the Chairman of the Supervisory Board – 2.75, for the Deputy Chairman of the Supervisory Board – 2.5, for the Secretary of the Supervisory Board – 2.25, for the remaining members of the Supervisory Board – 2.

The remuneration shall be increased by 10% if a member of the Supervisory Board sits on at least one standing committee of the Supervisory Board. In addition to their remuneration, members of the Supervisory Board shall be entitled to reimbursement for the costs incurred in connection with their function. This comprises in particular travel costs from the place of residence to the location of the Supervisory Board’s meeting and back, costs of accommodation and food.

Remuneration of members of the Supervisory Board (in PLN thousand)

| Member | Fixed remuneration paid in 2020 | Fixed remuneration paid in 2019 1) |
|---|---|---|
| Mariusz Andrzejewski | 115 | 116 |
| Mirosław Barszcz | 86 | 116 |
| Adam Budnikowski | 86 | 116 |
| Grzegorz Chłopek | 30 | – |
| Grażyna Ciurzyńska 2) | 139 | 145 |
| Dariusz Górski | 19 | 65 |
| Zbigniew Hajłasz | 137 | 131 |
| Marcin Izdebski | 38 | – |
| Wojciech Jasiński | 115 | 116 |
| Andrzej Kisielewicz | 115 | 116 |
| Rafał Kos | 30 | – |
| Elżbieta Mączyńska-Ziemacka | 86 | 116 |
| Krzysztof Michalski | 115 | 23 |
| Janusz Ostaszewski | – | 50 |
| Piotr Sadownik | 147 | 160 |
| Total | 1,258 | 1,270 |
1) In relation to the data published in the Directors’ Report of the PKO Bank Polski Group for 2019, the presentation of the Supervisory Board’s remuneration has changed. The report for 2019 presented remuneration received for the reporting year, while the current report presents remuneration received in the reporting year.
2) Other benefits not included in fixed remuneration: use of a company car for private purposes, incl. PLN 17 thousand in 2020 and PLN 19 thousand in 2019.

Risk management

  • 102-11

The risk management system is adapted to the nature, scale and complexity of the group’s operations, as well as the regulatory, social and natural environment. The bank’s Management Board is responsible for the functioning of an effective risk management system. The Management Board regularly monitors whether the methods of identifying, measuring or estimating risk, controlling, monitoring and reporting risk are adjusted to the size and risk profile. The Management Board guarantees the functioning of the risk management system, monitors and evaluates its functioning and informs the Supervisory Board thereof.

[102-11] In accordance with the risk management strategy, the bank oversees the risk management systems at the other entities of the group and supports development of these systems, as well as takes into account the risk profile of the operations of the individual entities in the monitoring and reporting of risk at the group level. The principles and method of assessment of the individual types of risk in other entities of the group are specified in the internal regulations developed taking into account the opinions and recommendations formulated by the bank, as well as the provisions of the risk management strategy.

The group identified risks which are to be managed, and considered some of these risks to be material: credit risk, risk of mortgage loans in foreign currencies for households, forex risk, interest rate risk, liquidity risk (including financing risk), operational risk, business (strategic) risk, risk of macroeconomic changes and model risk (the group of material risks does not include any social or environmental risks). The group manages these risks while taking into account the social aspects. Other entities in the group may consider other types of risk to be material.

The bank monitors the process of introducing new ESG risk regulations and takes actions to comply with the European Banking Authority’s (EBA) requirements, in particular with respect to taking climate factors into account in the processes of managing different risks. [102-11] As the first step in preparing the non-financial statement, the bank reviewed the social and environmental risks in the group, which were identified in 2019. The list of key risks remains unchanged and comprises:

  • risk of non-compliance of products with the applicable norms, including the risk of misselling,
  • risk of the incorrect marking of products,
  • risk of unauthorized access to customer funds through electronic banking,
  • risk of unauthorized access to customer information,
  • risk related to outsourcing services,
  • risk of financing operations of entities whose products or services present a threat to the natural environment or to the society.
[Figure: diagram of the group’s key social and environmental risks]

Risk management is one of key internal processes, both in PKO Bank Polski and in other entities of the group. Risk management is aimed at ensuring the profitability of business activities while ensuring control over the risk level and maintaining it within the system of limits and risk tolerance limits adopted by the bank and the group in the changing macroeconomic and legal environment.

The primary objective is to ensure adequate management of all types of risk related to the group’s business. As part of the risk management system, the group identifies, measures and assesses, controls, forecasts, monitors and reports risk, and performs management actions. The risk management system covers: the organizational structure, allocation of duties and responsibilities, the internal regulation system, and the tools, including information databases. Regularly, at least annually, the bank assesses the materiality of the identified risks. Some of them have a material impact on the profitability and on the capital necessary to cover such exposures. Internal capital is assessed for risks that are regarded as material. All risks classified as material for the bank are also material for the wider group. In 2020, the catalogue of risk types regarded as material was not extended.

  • Credit risk – the risk of incurring losses due to the customer’s default in payments to the group, or of a decrease in the economic value of amounts due to the group when the customer’s ability to repay amounts due to the bank deteriorates.
  • Currency risk – the risk of incurring losses in connection with exchange rate fluctuations. The risk is generated by maintaining open positions in various foreign currencies.
  • Interest rate risk – the risk of incurring losses on the group’s statement of financial position and off-balance sheet items sensitive to interest rate changes, in connection with changes in interest rates on the market.
  • Liquidity risk – the risk of the inability to regularly settle liabilities due to a lack of liquid assets; liquidity risk comprises financing risk.
  • Operational risk – the risk of losses being incurred due to the failure or unreliability of the internal processes, people and systems or due to external events. This risk includes legal risk, i.e. the risk of losses being incurred due to a lack of knowledge and understanding, failure to comply with legal norms and accounting standards, inability to enforce contractual provisions, unfavourable interpretations or rulings issued by courts or public administration bodies. Operational risk excludes reputation risk and business risk.
  • Risk of foreign currency mortgage loans for households – the risk of incurring losses due to the customer’s default in payments to the bank related to a foreign currency mortgage loan.
  • Business (strategic) risk – the risk of failing to achieve the assumed financial targets, including incurring losses, which results from adverse changes in the business environment, making bad decisions, incorrectly implementing the decisions made, or not taking appropriate actions in response to changes in the business environment.
  • Macroeconomic risk – the risk of deterioration in the group’s financial situation as a result of an adverse change in macroeconomic conditions.
  • Model risk – the risk of incurring losses resulting from incorrect business decisions made based on the models in place.

A detailed description of the principles of managing material risks, including risk mitigation techniques, hedges used and the hedging accounting policy is provided in the financial statements of the group for the year 2020 (in the section on the risk management principles and objectives, and in Note 29 on hedge accounting) and in the Capital adequacy and other information subject to disclosure of the PKO Bank Polski Group as of 31 December 2020.

The risk management process in the bank and the group is based on the following principles:

  • the group manages all identified types of risk,
  • the risk management process is appropriate from the perspective of the scale of operations and materiality, scale and complexity of a given risk, and adjusted on an on-going basis to take account of the new risks and their sources,
  • risk management methods (especially models and their assumptions) and risk management measurement or assessment systems are tailored to the scale and complexity of individual risks, the current and planned operations of the group and its operating environment, and are periodically verified and validated,
  • the area of risk management remains organizationally independent from business activities,
  • risk management is integrated into the planning and controlling systems,
  • the level of risk is monitored and controlled on an on-going basis,
  • the risk management process supports the implementation of the bank’s strategy in compliance with the risk management strategy, in particular with respect to the level of risk tolerance.

PKO Bank Polski monitors the situation of its customers on an ongoing basis and adjusts its credit policy to mitigate the effects of COVID-19 for the customers and to secure good quality of the bank’s loan portfolio. In 2020, the bank:

  • developed the tools and techniques for credit risk management:
    • implemented a new tool for assessing the quality of the branches’ work, based on the loan portfolio quality, audit results and verification of the quality of processes,
    • implemented a Stability Rating, which evaluates the individual customers on the basis of daily behavioural data,
    • digitalized lending processes,
    • calibrated the credit risk models, also in connection with COVID-19 pandemic,
    • in connection with a new credit risk factor (COVID-19), increased the frequency of monitoring and adjusted the lending policy on an ongoing basis,
  • introduced special solutions in credit processes in connection with COVID-19, in particular concerning simplifications in risk assessment processes (automatic or semi-automatic extensions or suspensions of loan repayments); in the third quarter of 2020, these solutions were gradually phased out,
  • maintained a safe level of liquidity, allowing for a quick and effective response to potential threats,
  • with respect to interest rate risk, the bank entered into IRS hedging transactions and shaped the structure of assets and liabilities accordingly,
  • in the area of operational risk management, it put emphasis on counteracting risks resulting from the pandemic:
    • appointed a Crisis Management Board, which coordinated all activities of the group on an ongoing basis during the COVID-19 pandemic to ensure the safety of customers and employees and the continuity of business processes,
    • identified risks related to COVID-19 on an ongoing basis, and these risks were periodically monitored and reported to the Operational Risk Committee,
    • took actions to mitigate the identified risks, in particular with regard to the mode and conditions of work and to ensuring adequate resilience and security of the IT infrastructure; it implemented new methods of monitoring cybersecurity directed at threats arising from remote work, reviewed the existing safeguards in order to adapt them to the new working conditions, conducted penetration tests related to remote work, periodically scanned workstations connected via VPN for vulnerabilities and analysed the effect of those vulnerabilities on maintaining an acceptable level of security,
  • periodically conducted educational campaigns for customers and employees in the area of cybersecurity, which is particularly important in connection with the growing use of remote channels in customer service processes.

The credit policy of the bank and the group consists of a set of principles and guidelines contained in credit regulations and procedures, which together form the credit risk management process. The bank’s credit risk management takes into account external factors, including compliance with external regulations and recommendations of the supervision and inspection authority, as well as internal factors, including in particular the level of strategic limits and credit risk parameters.

The priority of the risk management activities is the balanced relation of risk and the assumed profitability level, within the specified risk appetite limits. Comprehensive risk measurement is ensured by using a wide range of qualitative and quantitative methods, which are supported by appropriate IT systems and analytical tools. The credit risk management model is adjusted to the current business activity and market conditions in the individual customer segments. Credit risk assessment of exposures is separated from the sales function thanks to an appropriate organizational structure, independence in developing and validating tools supporting an assessment of credit risk and independence of decisions approving departures from the recommendations of these tools.

The financing terms offered to the customer depend on the assessment of credit risk level of the customer. As part of the credit risk assessment of corporate customers, ESG risks are assessed to identify projects that do not meet the growing environmental, social and corporate governance requirements. The bank’s subsidiaries with a material level of credit risk manage credit risk individually. Their credit risk assessment and measurement methods are adapted to those applied at PKO Bank Polski. They take into account the specific nature of the entity’s activities.

In 2020, the bank continued its credit policy attempting to mitigate the negative effects of adverse market and economic conditions. The objective was to maintain the expected level of profitability and value of the loan portfolio. At the same time, the bank has implemented ESG risk assessment into its corporate lending process to support the financing of environmentally sustainable and socially responsible projects.

[102-11] Comprehensive stress tests (CST) are used to determine the sensitivity of the bank’s capital adequacy measures and the group’s results to a negative scenario of changes in the environment and functioning of the group. They are conducted jointly for credit risk and concentration risk, market risk, liquidity risk, operational risk, business risk, excessive leverage risk and capital inadequacy risk. Calculations are made using the bank’s internal models, and taking into account the macroeconomic assumptions.

Comprehensive stress tests include periodic tests and supervisory tests. Periodic tests are carried out once a year and are used to evaluate the risk of macroeconomic changes, and for the purposes of preparing recovery plans. Supervisory tests are carried out at the request of external supervision authorities, in accordance with their assumptions.

Reverse stress tests (RST) complement the results of the comprehensive stress tests and are aimed at assessing the bank’s resilience to macroeconomic changes. Reverse stress tests have the form of sensitivity analyses and consist in defining potential adverse scenarios, and then identifying events which contribute to their materialization.

In 2020, the bank carried out periodical tests, supervisory tests and reverse stress tests. As part of the periodical tests, the bank analysed:

  • a baseline scenario resulting from the bank’s forecasts, financial plans and Strategy,
  • a stress scenario constructed on the basis of guidelines from the PFSA.

As part of the supervisory tests performed, the bank analysed two scenarios:

  • a reference scenario, which was based on the central macroeconomic projection path developed by the central bank (NBP),
  • a shock scenario assuming a significant deterioration in the economic outlook in Poland and globally as a result of a strong increase in COVID-19 infections.

Both types of stress tests conducted in 2020 demonstrated the strong capital resilience of PKO Bank Polski and the group to potential adverse changes in the macroeconomic environment.

Cybersecurity

The bank has a security policy, which also includes the principles of cybersecurity. The policy was approved by the Management Board in 2015. The bank has a Cybersecurity Department, which performs tasks associated with:

  • ensuring security of the bank’s IT system,
  • development of systems and monitoring of cybersecurity parameters and critical services,
  • handling cybersecurity events and incidents, including events and incidents in the area of electronic banking.

The function of controlling the current level of infrastructure security is performed by the Department director, who also supervises the Security Operations Centre (SOC). The Cybersecurity Department director is responsible for implementing the policy and controlling cybersecurity. The vice-president of the Management Board responsible for IT supervises the performance of these functions. The President of the Management Board supervises the implementation of the policy. In order to improve the methods of counteracting fraud at the bank, the Cybersecurity Department prepares analyses and presents their results to the Management Board and the Supervisory Board of the bank, along with recommendations for the implementation or modification of specific solutions.

Monitoring of and response to incidents are performed by a specialist CERT unit of the bank. In order to ensure the IT security of the services provided, incident response operates 24/7/365. The CERT of PKO Bank Polski is a member of an international forum of responders, FIRST, and belongs to the task force of European response teams, TERENA TF-CSIRT, and the related Trusted Introducer organization.

As part of the exchange of information on threats, in 2020 the bank used information on malware, incidents or phishing attacks, including in particular data on trends and new threats, from CIRCL (the Computer Incident Response Center Luxembourg) and NICP (the institutions participating in the NATO Industry Cyber Partnership), of which PKO Bank Polski is the only bank from Poland to be a member.

The bank regularly educates its employees in ICT environment security and security of information processed in this environment. The bank’s employees are offered training in the threats associated with:

  • using mobile devices,
  • using personal computer hardware for professional purposes and using equipment provided by the bank for private purposes,
  • publication of information concerning the bank by employees on the Internet (in particular on social media),
  • social engineering attacks.

Such a training package is obligatory for every newly hired employee. The bank carries out the training in accordance with an agreed schedule and all employees must participate. Participation in the training is monitored by the bank on an ongoing and periodic basis as part of independent monitoring of controls.

In accordance with the bank’s policy, the cybersecurity principles must be complied with not only by employees, but also by third parties (contractors). The security requirements for providers of IT services, understood as the bank’s standard requirements with respect to the protection of the bank’s information, access to the bank’s buildings and facilities, and SIB safety, constitute an integral part of the contract and of the terms and conditions of its execution.

The bank identifies threats to cybersecurity on an ongoing basis, monitors the sources of information, implements protection against potential threats and develops incident response plans. The bank has a formalized process in place for verifying the security and sensitivity of new or modified systems and applications before their production launch. This process is performed in two dimensions: in connection with the process of software implementation and modification at the bank, and in connection with the project process. Every new project which changes a system that is key from the perspective of business processes is subject to an IT security audit.

An internal audit of the IT processes is performed at least once every 3 years. The selection of IT processes to be audited in a given year depends, among other things, on the following factors: the results of the internal audits performed, changes in the ICT environment, risks associated with identified internal and external fraud, and changes in internal and external regulations affecting the bank’s functioning and operating activities. Internal audits of IT processes are performed by the Audit IT and Security Team of the bank in accordance with a predefined schedule. External cybersecurity audits are outsourced to audit firms with which the bank has signed framework agreements.

The most important threat to the security of customers identified by the bank and PKO TFI is associated with potential criminal activities of third parties targeted at customers using electronic channels of access to banking and investment services.

First, the bank uses the latest ICT security solutions guaranteeing secure access to funds held by customers. The bank is constantly improving the quality of IT systems security, in particular regarding the applications used by the bank’s customers. This applies, among others, to actively combating phishing websites pretending to be the bank’s websites, tracking the development of malware attacking the bank’s customers, developing mechanisms for detecting infected customer computers, and improving the rules and extending the scope of monitoring of electronic transactions.

Second, the bank attaches a great deal of importance to informing and raising customer awareness of the safe use of electronic banking services, as well as payment cards, as security in this respect depends to a large extent on the user’s actions. These activities include in particular:

  • mass educational campaigns, e.g. initiating texts on the safe use of electronic banking (the educational portal Bankomania),
  • ongoing provision of responses to customer enquiries (e-mail, social media),
  • ongoing communication of the bank’s views on various issues and provision of educational materials on cyber crime and the principles of security to the media,
  • ongoing response to other signals regarding threats,
  • communication of information on cybersecurity to the customers through the bank’s websites, the transactional service and e-mail.

In 2020, the bank improved its systems for incident, anomaly and advanced malware detection, and a large number of actions relating to incident handling were automated. The technology stack of solutions used for computer forensics purposes was replaced.

Representatives of the bank also engage in the work of the Banking Cybersecurity Centre (BCC) operating within the Polish Bank Association. The purpose of the BCC is to take comprehensive and long-term actions aimed at improving the safety of mobile and electronic banking and at preparing crisis management tools (structures, procedures, information exchange mechanisms) in case of, for example, a massive attack.

The bank does not have an ISO 27001 certificate. However, its cybersecurity processes and regulations are based on this standard. The high organizational maturity in the area of handling cybersecurity incidents is particularly important in the light of the PFSA decision issued in 2018 on recognizing PKO Bank Polski as a key service operator as defined in the Act on the national cybersecurity system.

Preventing corruption and money laundering

  • 205-1
  • 205-3

PKO Bank Polski does not tolerate corruption and counteracts all corrupt practices. Such phenomena as nepotism and accepting or offering any physical goods in order to influence decisions or actions taken are in conflict with the bank’s values of credibility and trust. The bank has a number of regulations regarding the prevention of corruption, including accepting benefits, presents or gifts:

  • the Code of Ethics of PKO Bank Polski,
  • the Code of Banking Ethics (Principles of Good Banking Practice) by the Polish Bank Association,
  • the Principles of compliance risk management and procedural risk management at the bank.

[205-1] Within the group, including in the bank, the risks related to corruption are identified in particular: in the customer service areas (individual and business), in the area of the supply of goods and services to the group entities, including the bank, by external entities, in connection with donations and sponsorship agreements and in the area of relations of the group’s employees with state administration authorities.

These areas are subject to particular attention, the processes are regulated in detail, and decisions which have significant financial consequences are, as a rule, accepted through the so-called “second hand” (they require dual acceptance). The bank’s internal regulations on the prevention of corruption, which apply to the bank’s employees and to persons acting on behalf of the bank, include:

  • prohibition to accept benefits, presents or gifts intended for personal use from customers and potential customers, as well as representatives of entities cooperating with the bank or seeking to start cooperation with the bank, which could: result in an informal obligation to a given customer or person cooperating with the bank, cause a conflict of interest, otherwise negatively affect the manner in which the bank’s employee performs their corporate duties,
  • this prohibition applies, in particular, to cash or cash equivalents, physical donations (presents and gifts) and other material benefits (in particular financing of travel, leisure or training expenses, participation in an event, or lending an asset for use), as well as the acceptance by any person involved in the procurement proceedings organized by the bank of any gifts and benefits from entities which are bidders or potential bidders in these proceedings,
  • exclusion of the possibility of circumventing the above prohibition, in particular by persuading other people to accept the gift on their behalf,
  • under exceptional circumstances, it is acceptable to accept a benefit or gift in business relations, on the terms and conditions set out in the bank’s internal regulations,
  • prohibition to offer on behalf of the bank to Customers, trading partners, representatives of public administration authorities and other entities any benefits, presents, gifts or incentives which are not a part of the bank’s offer of products and services in order to persuade those persons to behave in a particular way, especially to take steps which are inconsistent with the provisions of the law or good practices.

If the bank’s employees have doubts as to whether the acceptance of a benefit, present or gift is admissible in a given situation, they are required to consult their supervisor or the organizational unit at the bank, which manages compliance risk. Every new employee of the bank receives information on the principles regarding this matter. Corrupt behaviour is treated as non-compliance and reported to the bank’s Management Board and Supervisory Board. The risk of corruption is an element of the compliance risk assessment process.

In the remaining entities of the group, each of the subsidiaries whose business is associated with the risk of corruption has appropriate regulations in place to prevent corrupt practices. Every employee is required to read and apply these regulations. Each entity formulates appropriate regulations taking into account the nature of its activities and its own assessment of the areas of risk of corruption and bribery, and therefore the group does not have a common policy in this respect.

No critical events in this area were identified in 2020 and no corruption activities were identified in the group entities, which would result in disrupting the operations of the bank or of the other entities belonging to the group. The bank and the other group entities also apply their anti-corruption activities to their potential trading partners as part of the procurement procedure.

The bank has an anonymous system for reporting breaches introduced by resolution of the Management Board and Supervisory Board (the institution of whistle-blower is applicable to all unethical or illegal acts). Additionally, under the internal regulations, every employee of the bank is obliged to report every suspected crime committed in connection with the bank’s activities. A report regarding a member of the Management Board is addressed to the Supervisory Board and all other reports are addressed to the President of the bank’s Management Board. The bank has internal regulations, which define the procedures performed in such cases. There is a requirement at the bank to report all identified cases of fraud to the Management Board on a regular basis, including those involving corrupt activities.

In the case of a breach by an employee of the bank of the generally applicable provisions of the law or the bank’s internal regulations (including those regarding corruption), the bank applies the solutions specified in the provisions of the labour law. If a particular case is qualified as grounds for instituting disciplinary proceedings, the bank conducts such proceedings and – depending on their outcome – applies the list of consequences provided for in the above regulations, including the right to terminate the employee’s employment contract.

Reporting persons are protected. Nobody can be fired or punished otherwise for reporting a breach. Anonymous reports are verified by a limited number of persons appointed by the President of the bank’s Management Board.

The bank conducts introductory and regular training sessions for its employees on reporting breaches and cases of non-compliance (including those showing signs of corruption) and gives them access to the necessary information and internal regulations in this area (also in electronic form on the intranet). Every employee of the bank is required to undergo training in the principles for counteracting corrupt practices. Information on the reported breaches and the results of their verification is reported to the Management Board and Supervisory Board of the bank. Similar solutions are applied at selected companies of the group, adequately to the scale and scope of their activities.

[205-3] No cases of corruption were confirmed in 2020 and 2019.

On 1 October 2018, the bank’s Management Board adopted a policy for preventing money laundering and financing of terrorism, which applies to all entities of the group. The purpose of this policy is to prevent the use of the group’s products in activities relating to money laundering or financing of terrorism. The policy defines the standards that should be observed by the bank, its subsidiaries and all persons working for them, including permanent and temporary associates, consultants, contractors, external agents and their employees.

Access questionnaire: Wolfsberg Group Correspondent Banking Due Diligence Questionnaire 2020

The policy constitutes one of the internal procedures defining the scope of transfer of data, regulations, obligations, standards and measures applied to prevent money laundering and financing of terrorism. The bank and the group companies develop, implement and execute internal AML provisions, which comprise in particular:

  • customer identification and verification,
  • monitoring of transactions in order to verify whether customers’ transactions are consistent with the known customer profile and the intended nature of business relationship,
  • monitoring of sanctions to prevent prohibited contacts by checking whether the customer features on a sanctions list,
  • the method of exchange and protection of information,
  • archiving,
  • conducting training.

The group applies financial security measures before the commencement of a business relationship with a customer and during the relationship at appropriate intervals adequate to the risk of a specific customer. The bank applies special mitigating measures in the form of freezing funds and not providing assets to persons or entities entered in the following lists:

  • the lists published by the General Inspector based on the resolution of the United Nations Security Council passed under Chapter VII of the United Nations Charter, concerning threats to international peace and security caused by terrorist attacks, in particular the lists referred to in section 3 of resolution 2253 (2015) of the United Nations Security Council or section 1 of resolution 1988 (2011) of the United Nations Security Council,
  • the list of persons and entities subject to special mitigating measures, published by the General Inspector of Financial Information,
  • the lists published on the basis of the regulations of the Council of the European Union,
  • the lists published by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).

The persons performing AML duties participate in training programmes concerning the execution of such duties. Within their respective organizational structures, the bank and its subsidiaries appoint AML officers responsible for the exchange of information among the group entities. The bank performs periodic reviews of the group policy at least annually. It also prepares quarterly information on counteracting money laundering and the financing of terrorism, which is presented by the Security Department Director to the President of the Management Board of the bank.

Product safety and customer security

  • 417-1
  • 417-2

In terms of the products offered, the group pursues a policy which has the objective of ensuring: compliance of the products with the applicable regulations, their correct labelling, and customer security while using the products. The scope of this policy at the bank and in the group encompasses the stage of formulating the product offer, its presentation to the customer, the purchase (signing the contract) and the stage of using the product by the customer. The principles and mechanisms of pursuing the compliance policy and appropriate labelling of products apply to the bank and the whole group.

The group makes every effort to ensure that the products offered meet the requirements set out in the provisions of the law and the accepted market standards. These efforts focus on ensuring that: (i) the products offered are adequate to the needs of the customers to whom they are addressed, (ii) the manner and proposed form of the purchase of products is adequate to their nature, (iii) before concluding the agreement, customers are provided with reliable, transparent and comprehensive information about the product, in particular its nature, design, conditions, benefits and risks, as well as fees, commissions and other costs related to the conclusion, performance and potential early termination of the agreement (in a form understandable to an average person). These rules apply to all entities from the group, and also to companies to which the bank has entrusted the performance of specific operations related to product sales or handling.

Compliance of products with applicable standards

As part of ensuring compliance of the products with the regulations, the bank manages the misselling risk at the stage of product development and launch, and then at the stage of offering the product to customers. Each product undergoes a pre-implementation analysis with regard to the risks it generates and the identification of target customer groups. The bank also identifies the groups of customers to which the bank should not propose the purchase of a given product because of its inadequacy to the customer’s needs or for other reasons (the so-called anti-groups). If there are any anti-groups, control mechanisms are implemented to mitigate the risk of misselling. The risk of misselling is also mitigated at the stage of commencing the sales activity – before proposing the purchase of a product to a customer it is assessed whether a given product is adequate to the needs of this type of customer (in order to eliminate cases such as selling unemployment insurance to pensioners or long-term investment products to elderly persons). Additionally, the bank always provides reliable and exhaustive information to customers about the products offered so that they can make an informed choice. The bank informs customers about both the benefits and the risks arising from the purchase of the individual products.

The bank considers any irregularities reported by the bank’s customers (including in particular complaints) within the deadlines arising from the provisions of the law. Depending on the findings, the bank takes steps to eliminate such irregularities, prevent their future occurrence and improve the quality of service. Similar solutions concerning the misselling risk management, while keeping with the principle of proportionality, are also in place in the remaining entities of the group that develop or sell financial products.

[417-2] In 2020, the bank was a party to three administrative proceedings conducted before the Office of Competition and Consumer Protection (UOKiK) in previous years. One of them resulted in a fine being imposed on the bank and the creation of a provision. The proceedings are discussed in Note 48 (Disputes: proceedings conducted before the UOKiK President, in the Consolidated Financial Statements for 2020).

The bank is a party to the proceedings initiated by the UOKiK President regarding anti-competitive practices on the market of card payments in Poland and a party to court proceedings concerning mortgage loans in convertible currencies and reimbursement of commission in the event of early loan repayment. No administrative proceedings were pending in the other entities of the group. Two entities participated in explanatory proceedings and exchanged correspondence concerning the action taken by the UOKiK President.

[417-1] The capital group, including the bank, fulfils the requirements concerning correct labelling of banking and investment products by providing the customers with all the necessary information about them, especially at the pre-contract stage. The scope of information provided about the products is specified in the applicable provisions of the law and the recommendations of the PFSA. The general rule is that the highest level of protection is available to retail customers – consumers. This information is formulated in such a way that it is understandable to the so-called “average consumer” within the meaning of the Act on counteracting unfair market practices – a consumer who is sufficiently well-informed, attentive and cautious. The scope of information provided to financial institutions and other professional recipients of financial products and services is, however, narrower.

The proper product labelling also applies to the bank’s advertising messages, which support its sales activities and shape its brand image. All marketing materials published by the bank take into account the specific obligations arising from the provisions of the law (e.g. the Consumer Credit Act – within the scope of advertising this type of loans) as well as market standards and the PFSA’s guidance formulated in the “Rules of advertising banking services”.

One of the bank’s priorities is to set the highest security standards. Customer security in the process of using the bank’s and the group’s products primarily includes security of the customers’ funds and physical security of customers in the bank’s facilities. The matter of security is regulated by the internal regulations of the bank, including the Security Policy at PKO Bank Polski and – in detail – the provisions regarding specific areas of security: (i) protection of people and property, (ii) IT System security, (iii) managing security incidents.

Security of customer funds

The activities of the bank and other entities of the group related to ensuring the security of customer funds apply to the assurance of security of both the funds entrusted and the funds invested with the use of the products offered. The initiatives implemented regarding the assurance of a stable and secure infrastructure made it possible to achieve very high reliability indicators for the operation of the IT infrastructure.

Security of invested funds: The bank makes every effort to ensure that its products do not generate the risk of a loss of funds by the customers. This is particularly important in case of investment products. Therefore, within the framework of the obligations imposed by the MiFID, the bank informs customers before conducting a transaction on whether the given product is suitable for them.

Security of entrusted deposits: The main mechanism guaranteeing security of funds entrusted by customers is the stability of the bank’s financial result and the results of the other entities belonging to the group. An additional mechanism is the bank’s involvement in the obligatory deposit guarantee system, operating under the Act on the Bank Guarantee Fund, the deposit guarantees system and special resolution.

Physical safety of customers

The bank and the other entities of the group ensure the highest quality of direct customer service in their locations, among other things, by ensuring proper standards of comfort and safety. They use state-of-the-art technical solutions in the area of physical security of customers, employees, funds and protected information, including bank secret and personal data. Security is provided in the form of:

  • physical protection (construction, mechanical and electronic, including burglary and attack signalling systems, surveillance TV and access control),
  • continuous direct physical protection of selected sites of the bank,
  • monitoring of alarm signals by certified security firms and arrival of intervention groups after receiving alarm signals.

Moreover, in the interest of customers’ and employees’ security, the bank provides training courses, including on “Counteracting robberies and dealing with security threats”. All employees of branches and agencies participate in such courses.

Privacy protection

PKO Bank Polski follows the generally applicable regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR),
  • the Personal Data Protection Act of 10 May 2018,

and its own internal personal data protection regulations.

These regulations apply to the principles of personal data processing at the bank, in particular the method of processing and the technical and organizational measures ensuring security of the process.

In addition, the bank applies internal regulations regarding in particular:

  • security of protected information,
  • IT system security,
  • protection of people and property,
  • management of security incidents where the method of management of personal data protection violations has been defined,
  • conducting explanatory proceedings,
  • preparation and implementation of security mechanisms.

The group’s Security Standards address the following issues: personal data protection, business continuity management, ICT security, counteracting money laundering, security incident management, outsourcing principles and security reporting principles. Furthermore, the group has a policy in place for counteracting money laundering and financing of terrorism.

The bank processes personal data in compliance with the generally applicable laws and data transparency requirements, the principle of purpose limitation, the principle of data minimisation, and the principle of maintaining the accuracy and integrity of data. In order to achieve these objectives, the bank applies mechanisms comprising both procedural regulations and technological solutions, which are designed to observe the personal data processing principles defined in General Data Protection Regulation (GDPR). The bank has appointed a Data Protection Officer (DPO) whose tasks comprise supervision over the correctness of personal data processing.

As required by the GDPR, the bank has prepared and provides the Information on personal data processing to customers. They are informed about the principles of personal data processing, the purpose of its processing and their rights, including the right to access, rectify and delete data. If data is processed on the basis of the consent of the data subject, the data subject is informed about the right to withdraw consent. The bank has also defined the principles for informing customers about a breach of their data security based on generally applicable laws. The bank’s customers also have specific complaint paths at their disposal for expressing doubts concerning data security.

Ongoing exchange of information and improvement of security on the basis of the best practices are permanent features of cooperation and agreements within the group. Any irregularities are addressed in compliance with the law, which includes informing the competent authorities, as required by the internal regulations and the generally applicable laws.

The risk of unauthorized access to customer information is managed in accordance with the “Security Policy of PKO Bank Polski”. At the same time, the “Principles of protected information security at PKO Bank Polski” regulate the issues of confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including the liability of the bank’s employees regarding personal data protection. Every employee is obliged to complete appropriate training in personal data protection in accordance with formal procedures. Such training is also organized in cycles. Actions aimed at ensuring data security are taken with the participation of the Management Board. For this purpose, the best policies and system security solutions are implemented. Such solutions (in terms of both systems and policies) are constantly evaluated, audited and improved in accordance with the best market practices. The Security Department supervises the performance of duties associated with the protection of information at the bank and prepares information on the state of security for the bank’s Management Board and Supervisory Board in the form of semi-annual reports. The activities of the Security Department also include carrying out internal security inspections in the bank’s organizational units, which also cover information security, and giving opinions on new solutions and projects implemented at the bank in the area of the protection of information.

In accordance with these principles:

  • access to protected information at the bank is only given to employees within the scope of their corporate tasks and duties,
  • the employees undergo training on security of protected information before starting to process protected information;
  • if materials containing protected information are provided to external entities, a non-disclosure agreement is concluded between the parties, whereas, in the case of entrusting the processing of personal data, an agreement is concluded on entrusting the processing of personal data, including among other things the obligations of the entities cooperating with the bank to protect the entrusted data, use it exclusively for the purposes of performing the agreement and inform about any security breaches. The bank defines the requirements concerning the security of the processed data in accordance with the generally applicable laws. The bank may also control the security of the processed data at the cooperating entities.

The bank is obliged to maintain banking secrecy as defined by the Banking Law. Any information containing bank secret, including the personal data of the bank’s customers, may only be made available in compliance with the generally applicable laws. Enquiries from entities authorized to demand access to the information constituting bank secret (e.g. government institutions) are considered by the bank in accordance with the law. The information constituting bank secret is provided only in the situations specified in the above-mentioned act, after the conditions giving the bank the right to make such information available have been satisfied.

Each of the other group entities processing personal data has such regulations in place and applies them in practice. The companies have signed and implemented the Security Standards, including the standards relating to personal data protection, forming a part of the “Security Standard Guidelines for the PKO Bank Polski Group”. They are in line with the generally applicable regulations and standards applied at the bank and, to the extent necessary, contain specific regulations, which are adequate to the specific nature of the particular entity’s business.

In the event of a violation of personal data protection, the bank takes actions in accordance with the Principles for security incident management at PKO Bank Polski and GDPR. In the event of identifying a violation, immediate action is taken to analyse it and mitigate its adverse effect, if any. Any violations of personal data protection resulting in a risk to the personal rights and freedoms are reported to the President of the Personal Data Protection Office. Moreover, if a violation of personal data protection could result in a high level of risk to the personal rights or freedoms, the data subject is immediately notified about the violation.

Relations with customers

  • 102-43
  • 417-3

Complaints process at the bank

The complaints process is an important part of building the positive experience of customers and their satisfaction from cooperation with the group entities. Every complaint brought by a customer is considered individually, and every problem reported is carefully analysed and explained. The submission of complaints or appeals by customers may take various forms, depending on the customer’s decision: written, oral or electronic. The complaint handling process is conducted along two lines:

  • the first line consists of organizational units dealing with the first complaints of customers (in accordance with organizational tasks they perform), and reports concerning personal data protection addressed to the President of the Personal Data Protection Office,
  • the second line is the Customer’s Ombudsman and the Office of the Customer’s Ombudsman, which consider the appeals of customers against the decision of the bank’s first line in the complaints process, and the reports concerning the customers filed by the PFSA, external institutions dealing with the protection of customer rights, or individual cases.

Complaints or appeals are handled with due care and diligence, fairly, thoroughly and within the shortest time possible. The bank’s Code of Ethics, the Code of Good Banking Practice and the standards of customer service quality are applied when considering complaints. Consideration of a complaint or appeal involves in particular: analysing and assessing its validity, taking appropriate steps to eliminate the irregularities identified, and providing a clear and comprehensive response that should contain:

  • a factual and legal justification, unless the complaint is resolved in line with the customer’s wishes,
  • information about the position of the bank with regard to the customer’s objections, including an indication of the respective parts of the agreement or the product regulations,
  • specification of the date on which the customer’s claim, which has been accepted by the bank, will be fulfilled.

The solution proposed by the Customer’s Ombudsman constitutes the final position of the bank in a given matter. The response deadlines are in line with the provisions of the law, in particular with the above-mentioned Act and the agreements concluded with the customers.

The complaints process is regularly monitored and reported about to the Operational Risk Committee and the bank’s Management Board and Supervisory Board. The process of handling customer complaints is supplemented by an initiation of positive changes at the bank.

Every unit at the bank that considers complaints and appeals of the customers analyses the reports received to identify possible irregularities, causes and places of their occurrence and to identify possible changes to products, services or processes whose implementation would contribute to an improvement in the quality of the services provided by the bank, and takes remedial or improvement actions. It also provides information on the undertaken actions and the date and method of its implementation to the Office of the Customer’s Ombudsman and to the organizational unit handling the complaint. This approach to the complaint process means that individual reports lead to the implementation of solutions that are beneficial not only for the person filing the report, but also for other customers. The implementation of remedial action is monitored by the Office of the Customer’s Ombudsman.

Complaints process at the group entities

The bank’s subsidiaries manage complaints on their own and implement and follow their own procedures for receiving and considering customer complaints. These procedures have been adopted in the form of the entities’ internal procedures or regulations, are included in the product regulations and the agreements with customers, or arise from the provisions of the generally applicable law. Complaints are handled reliably and objectively, taking into account all the information and documents related to the problem reported by the customer and in accordance with the provisions of the law and the concluded agreements. Most subsidiaries of the bank are subject to the Act on handling complaints by financial market entities and on the Financial Ombudsman, which regulates this process in detail.

In 2020, the group entities received nearly 320.5 thousand complaints (2019: 271 thousand), of which approx. 80% were handled within 14 days (2019: 86%). Around 58% of all cases were fully or partly settled in the customer’s favour (2019: 61%).

The bank’s policy is regulated by the “Principles for conducting marketing and public relations (PR) activities by PKO Bank Polski”, which were adopted by resolution of the Management Board in December 2019. The principles comprise the “General requirements for creating advertising messages regarding trading in financial instruments” (appendix no. 3 to the Principles). The bank’s internal regulations concerning the principles for conducting marketing activity define the features of the appropriate advertising message, as well as the list of undesirable actions. According to these principles, an advertising message in particular:

  • should be designed in a reliable manner, not be misleading, and should feature respect for the generally applicable laws, principles of fair trading and good practices,
  • must not present benefits in such a way that would diminish the significance of costs and risks associated with the purchase of a product or service.

In addition to the bank’s internal regulations, in its marketing communication the bank follows:

  • “The Code of Banking Ethics” prepared by the Polish Bank Association as part of the Principles of Good Banking Practice,
  • “Good Practices in consumer credit advertising standards” developed jointly by the Polish Bank Association, the Conference of Financial Enterprises and the Association of Lending Companies,
  • “The principles for advertising banking services” by the Polish Financial Supervision Authority,
  • “The canon of good financial market practices” prepared by entities from the financial and insurance sector.

In its marketing activities, the bank has mechanisms that prevent the creation of unethical and unreliable messages. Each time, the correctness of the communication is consulted with the units whose tasks include verifying the compliance of messages with the generally applicable laws. The principles of ethics in marketing communication and the mechanisms for preventing the risk of unethical communications also apply to materials prepared at the request of the bank by external entities (advertising agencies, event agencies). The same standards apply to all customer groups. Each message should be formulated in a comprehensible, reliable, credible way, regardless of the customer to whom it is addressed.

The bank’s subsidiaries also have internal regulations, which oblige them to design messages in compliance with ethical standards (this does not apply to entities that do not actively conduct marketing operations). These standards coincide with those adopted by the bank. In addition, the bank’s subsidiaries which have signed agency agreements with the bank for the provision of marketing services for the group are required to apply the internal regulations on marketing communications in force at the bank. With regard to their marketing activities, all subsidiaries of the bank have control mechanisms to prevent the risk of irresponsible or unethical communication from the company. The marketing communication is appropriately approved by the company’s supervisory units respectively, or additionally – in the case of companies that have agreements with the bank concerning commissioning of marketing services for the group – by the bank’s relevant departments.

[417-3] In 2020, as part of the marketing activities conducted by the group and the bank, no administrative proceedings concerning violation of the ethics regulations in marketing communication were pending and no inconsistencies were noted in marketing communication.

[102-43] The bank evaluates the stakeholders’ commitment based on regular customer satisfaction surveys.

Retail customer satisfaction surveys

In 2020, the Customer Satisfaction Index (CSI) and the NPS (Net Promoter Score) indices were for the first time taken into account in the objectives of most organizational units of the bank, including the Management Board. In this way, the principle that customer satisfaction is a key component of the bank’s actions, particularly in the area of product and solution design and implementation and ongoing customer service, was established. With regard to retail customers, the bank continued to conduct two types of satisfaction surveys:

  • relational research – conducted in all customer segments, including firms and enterprises, measuring the strength of the relationship with the bank and satisfaction with the cooperation, encompassing the whole of the customer’s experience;
  • transactional research – performed at the key points of contact between the customer and the bank, immediately after the event, measuring satisfaction with a given interaction, which is defined in space and time, also including surveys for the needs of process design and implementation.

At the same time, given the changing circumstances of the bank’s operations, the bank adjusted the methods of obtaining the customers’ opinions to the new and even more digital reality. As a result, remote surveys (questionnaires in iPKO) were launched for the first time, the works on the launch of IKO surveys are advanced and the customer satisfaction measurement with the use of a voicebot was implemented for testing. The surveys conducted by e-mail and text messages, which were first implemented in 2019, were also continued in 2020.

Overall, in 2020, the bank held more than 230 thousand interviews with retail customers using various methods (more than 220,000 interviews in 2019). The plans include a further increase in the number of processes (products and sales channels) monitored for customer satisfaction, as well as a development of techniques for obtaining information. Customer satisfaction measurement was continued in 2020 in the other entities of the group as well.

Corporate customer satisfaction surveys

The number of “contact points” (interactions with customers) where customers were asked for their opinions about the bank tripled in 2020. Such surveys covered both the digitization of the existing processes (e.g. adding new electronic banking users) and new solutions which had to be implemented under the present circumstances (e.g. filing applications for Polish Development Fund’s subsidies). Fast communication of the collected information to product owners and taking it into account in the subsequent activities were of key importance.

The bank constantly monitors the response rate (in 2020 it was 65%). In 2020, the group implemented 13 new initiatives addressing the problems and needs reported by the customers. Among these initiatives, the following had the biggest effect on customer satisfaction: digitization of the processes which were previously executed by the advisors on paper, and changes in the customer service system at PKO Faktoring. In total, 112 initiatives have been implemented as part of the programme since 2016.