Corporate Governance
From the perspective of their impact on social, employee, environmental, human rights and anti-corruption matters, compliance risk and operational risk are of special importance. Accordingly, the PZU Group has implemented an operational risk management system under which it prevents operational risk incidents and reduces operational losses. The operational risk management principles and structure in PZU are based on the adopted operational risk management policy. Operational risk is controlled on multiple levels in the organization. Supervision over the operational risk management system is exercised by an independent, dedicated unit within the Risk Department structure.
The key tool used to monitor operational risk is the key risk indicator system, covering areas with special exposure to operational risk. The indicators are subject to regular reviews: at least once a year.
Within compliance risk and operational risk, issues relating to employees, the environment, society and ethics (including interactions with clients) and the prevention of corruption have been identified. Detailed references to these risks and the methods of mitigating them are described in the following sections of this report:
Corporate governance

| Risk | Detailed information |
|---|---|
| Corruption risk | Key non-financial risks/Counteracting corruption |
| The risk associated with insurance crime and frauds | Key non-financial risks/Fraud prevention and counteracting of money laundering and terrorism financing |

Environment

| Risk | Detailed information |
|---|---|
| Climate risks associated with transformation of the insurance portfolio | The product offer as a response to climate challenges |
| The physical risk of pollution of the natural environment and natural disasters resulting from climate change | The product offer as a response to climate challenges/The PZU Group's efforts to adapt to climate change and prevent environmental risks: gaining a better grasp of risk factors |
| The reputation risk and the compliance risk in connection with the direct environmental impact | Direct environmental impact |

Social responsibility

| Risk | Detailed information |
|---|---|
| The risk associated with the difficulty of hiring qualified staff | Employer of first choice |
| The risk of overrunning the personnel budget | Employer of first choice/Working conditions and employee compensation |
| The risk of failure to respect employee rights through unequal treatment of employees, discrimination and cases of mobbing | Employer of first choice/Inclusive organizational culture |
| Risk of failure to ensure a safe and healthy work environment | Employer of first choice/Occupational safety and health during the COVID-19 pandemic |
| Risk related to the lack of effective dialog with the trade unions (collective dispute) | Employer of first choice/Dialogue with trade unions |
| The risk associated with quickly changing regulations and the necessity to update knowledge about prevailing regulations, obligatory operating methods and the rules of work organization | Employee training and development |
| The risk pertaining to disclosure of personal data and data subject to insurance secrecy to unauthorized persons | Key non-financial risks/Information security |
| The risk of dishonest communication with clients regarding the PZU Group's offers, i.e. selling products that do not meet their needs or in a manner not suited to their nature | Responsible sales/Straight-forward products |
| Compliance risk concerning generally prevailing laws and guidelines of state authorities, and reputational risk | PZU Group's social commitment/COVID-19 |
“One of the priorities that we have adopted in the PZU Group is to ensure security of information, in particular confidentiality of personal data that we process. In order to meet this challenge, we make sure to follow the highest security standards of IT systems. We believe that protecting the information entrusted to us is our obligation to customers, who show their trust in us on a daily basis by choosing the PZU Group as their service provider.”
Area-specific risk: the risk pertaining to disclosure of personal data and data subject to insurance secrecy to unauthorized persons.
Approach to management: PZU and PZU Życie have implemented principles for client identification and provision of information depending on the client’s requests. In addition, access to personal data and data subject to insurance secrecy is granted only to authorized persons using the Central Information Security Management System (CSZBI). Additionally, PZU has implemented a DLP class monitoring system, which comprises appropriate rules minimizing the risk of disclosure of information, including personal data, to unauthorized persons. The companies regularly implement procedures and safeguards in electronic channels of communication with clients, thereby minimizing the risk of unauthorized disclosure of legally protected information.
Key regulations: Security Policy
Active existence within any global network is associated with a number of threats; therefore, in order to successfully face the constantly changing challenges, the fundamental units responsible for ensuring the Group’s IT security keep getting reinforced. For 2022, production deployment and expansion of solutions addressing the need for defense against new threats, incident analysis and identity management are scheduled. Among the key elements of the strategy adopted with a view to solidifying PZU’s IT security is the introduction and improvement in 2022 of the process of proactive search for potential threats and threat mitigation modeling. In 2022, educational activities for PZU employees and agents will also be continued, including exercises in identifying phishing attempts.
“Security Policy in PZU SA and PZU Życie SA”
The main document that governs the security of information protected in PZU and PZU Życie, including personal data, physical security, security of IT systems and business continuity, is the Security Policy. It also pertains to the area of counteracting insurance crime, money laundering and the financing of terrorism as well as occupational safety and health.
“Information Security Procedure of PZU SA and PZU Życie SA”
Activities following from the Procedure in the area of information security include ensuring the protection of all information in conformity with the relevant security level, ensuring information access control and the integrity and availability of information, and preventing theft and unauthorized outflows of information. The document defines the rules for protecting and sharing information protected by law and for managing security risks.
Cybersecurity management system
IT security is considered one of the most significant challenges faced in the domain of modern technologies. Efforts focused on prioritizing the strategic objectives in this area within the PZU Group are aimed at responding to new threats, in terms of both organization and technology. Appropriate policies, procedures and detailed requirements are in place in all Group companies in order to ensure an adequate level of protection for clients' information and data. A comprehensive multiple-layer system to protect against cybersecurity threats functions in PZU and PZU Życie and is being constantly developed: new tools and competences are acquired on an ongoing basis.
Security tests
Rolling out and selling products and customizing the offer to evolving client needs is an enormous challenge for the Group's information systems. For these changes to proceed smoothly and not to disrupt client service, the organization has crafted a recurring information security procedure embracing a broad set of tests and verification methods. This procedure ensures early detection of threats and possible problems and supports their appropriate management.
Vulnerability assessment tests are conducted by the Group on the company's systems. Infrastructure vulnerability detection is an ongoing and automated process in which dedicated Vulnerability Assessment solutions are used. Security tests form part of the change, release and project management processes.
Security training
Information security and cybersecurity are not just efficient systems and adequate procedures. Threat awareness and the knowledge of rules among employees and associates are of no less importance. For this reason, newly employed persons participate in onboarding training during which they are acquainted with security principles and then undergo obligatory e-learning training. Refresher training courses are also conducted on an ongoing basis, along with internal information campaigns on information security, personal data protection and cybersecurity. These issues are most frequently raised jointly, as they complement one another. In 2021, dedicated refresher training courses on these issues were conducted for employees and agents of particular units, mainly in the form of webinars. Their participants were, among others, employees of branches, exclusive agents, and operation centers and centers for handling claims and benefits (in particular, individuals involved in data processing operations). In June 2021, an internal information campaign was held, entitled “Cyberthreats come in different colors”. Cybersecurity was also among the topics of the fall campaign “We care for super security”. As part of the campaign, in addition to the publication of useful articles and pieces of advice, on-line meetings with external cybersecurity experts were held, devoted in particular to some of the most common threats and attacks currently experienced.
In 2021, employee training programs continued on GoPhish platform launched in 2018. Such actions are taken to improve the awareness among employees of the threats following from suspicious messages, including those containing malicious elements and prompting people to open suspicious pages or attachments.
In 2021, one GoPhish training campaign was conducted, in which employees who accidentally clicked the link in a specially prepared e-mail were shown a training video produced by the Security Department presenting information on how to avoid such threats in the future. Compared to the previous year, the number of reckless clicks on suspicious links decreased by roughly a half. At the same time, many more people react properly: as many as 23% of recipients reported their receipt of a suspicious message (compared to 0.2% in 2018, when we launched these activities). Despite the observed significant increase in awareness, it is still necessary to keep the anti-phishing efforts up and running. Also, since 2020, special e-learning training has been provided under the name Phishing quiz, showing how to distinguish between safe and unsafe messages. The training is mandatory for all staff who have clicked on the links in fake e-mails.
Procedures to manage the security of information processes were implemented in PZU and Pekao Group companies as well as in all foreign companies.
A package of regulations pertaining to personal data processing, including security policies containing requirements pertaining to IT processes, was implemented in the PZU Zdrowie Group. In turn, PTE PZU introduced the guidelines issued by the KNF (Polish Financial Supervision Authority) concerning the management of areas involving information technology and ICT environment security in universal pension fund management companies.
In Bank Pekao, in order to ensure that comprehensive actions are taken in the area of personal data protection, a number of internal regulations have been implemented related to the various areas of the bank’s business. They include, among others, the “Information Security Policy along with Information Security Policy Documents”, the “Security policy for applications in Bank Polska Kasa Opieki Spółka Akcyjna”, the “Procedure to be followed by Bank Polska Kasa Opieki Spółka Akcyjna when examining requests from data subjects under the GDPR”, the “Procedure for managing personal data protection breaches in Bank Pekao S.A.” and the “Protection of electronic information in Bank Polska Kasa Opieki S.A.”.
Stringent security procedures ensuring the confidentiality, integrity and availability of processed information are also in place throughout the Alior Bank Group. The security policy in place and all procedures in this area are updated on an ongoing basis in response to the changing market circumstances in the cybersecurity area as well as new requirements and guidelines issued by the regulatory authorities. Alior Bank, as an operator of essential services pursuant to the Act on the National Cybersecurity System (implementing the requirements of the European NIS Directive), meets the high cybersecurity requirements following from the provisions of law and the recommendations of KNF. In 2021, all of Alior Bank's key IT systems involved in the processing of client data and participating in the processing of financial transactions were subjected to in-depth security tests. Additionally, the systems monitoring and protecting clients' financial assets in mobile banking (e.g. the FDS and Malware Shield, a proprietary solution developed by the bank's cybersecurity experts) were expanded in 2021.
GDPR
The PZU Group ensures the security of the processed information and the protection of the personal data of its clients. It understands the complexity of the obligations following from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and makes sure all of its processes are compliant with the Regulation and local personal data protection regulations. The PZU Group expects an equally mature approach from its business partners.
The responsibility for the area of security in PZU and PZU Życie rests on the Director of the Security Department who answers directly to a Management Board member. Moreover, the Data Protection Officer (DPO) was appointed in PZU and PZU Życie. Security structures for the processing of information, including personal data, have been established within the Security Department, which support the performance of the tasks of the Data Protection Officer (DPO).
Internal regulations are in place in PZU and PZU Życie which support the effective management of information security and of personal data protection. Their purpose is to minimize the risk of security incidents and reduce their effects. The addressees of these regulations are the employees, Management Board members and associates of PZU and PZU Życie.
The fundamental document governing the issues of personal data protection in PZU SA and PZU Życie is the “Personal Data Protection Procedure”. The document defines, in particular, the rules for handling requests from data subjects, responding to security incidents, assessing and reporting breaches and selecting and auditing processors, as well as the role and tasks of the Data Protection Officer.
Additionally, in PZU and PZU Życie, this area is governed by a number of procedures and rules, in particular:
PZU and PZU Życie act with all diligence in taking care of information security and data protection in compliance with the GDPR. Client personal data is collected, processed and transmitted in PZU and PZU Życie in compliance with law. Data which is subject to insurance secrecy is made available on the basis of Article 35 of the Insurance and Reinsurance Activity Act which provides the list of the entities and institutions to which data may be made available. External entities are entrusted with personal data processing on the basis of an agreement for entrusting the processing of personal data. Where third party entities are provided with protected information, it is a standard practice to enter into a confidentiality agreement. The content of such an agreement includes, among other things, an undertaking to implement at least the same measures to ensure the protection of information, as well as a provision guaranteeing a possibility of conducting an audit.
GDPR – access to data
In order to maintain the highest privacy of clients, each person whose data is processed is entitled to access data and to erase, rectify, complete or modify his or her personal data, as well as has a possibility to ask questions concerning privacy. Appropriate processes have been put in place for this purpose, which ensure the exercise of the rights of data subjects, as defined in Articles 12 to 22 of the GDPR.
GDPR – management information
The management information concerning the security of the processed data in terms of the identified risks and vulnerabilities is reported to the Management Board of PZU and PZU Życie on a periodic basis and includes information on the carrying out of the obligations set forth in Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR. The companies monitor the data processing operations and the applied technical and organizational measures on an ongoing basis to identify possibilities for improving the level of security of the processed data.
GDPR - audits
Audits of entities that have been entrusted with personal data processing are conducted by PZU and PZU Życie on a regular basis. During an audit it is verified whether the processing of the entrusted personal data by the processor complies with the GDPR and the agreement for entrusting personal data processing. PZU and PZU Życie also conduct audits of the processors in the case of which security incidents have occurred. Recommendations for changing processes or systems for particular business owners are issued on the basis of audits.
Personal data protection officers
Duties in this area include: fulfilment of the statutory duties of a personal data controller (PDC) and a data protection officer (DPO), monitoring of information security incidents, in particular those relating to personal data and breaches reported to the President of the Personal Data Protection Office (PUODO), and periodic data reporting to the Management Boards of PZU and PZU Życie.
Having regard to the security of processed personal data and in order to guarantee the compliance with the GDPR, a practice of periodic data reporting to the Management Boards of PZU and PZU Życie has been established, encompassing data concerning information security incidents, in particular relating to personal data and breaches reported to PUODO. The ongoing data monitoring, analysis and reporting guarantee the transparency and accountability of the process. With the use of the established mechanisms, the areas requiring the implementation of changes are identified and recommendations concerning the improvement of personal data processing security in these areas are issued.
The obligations imposed on the personal data controller and the data protection officer are complied with in the daily activity, which ensures compliance of the personal data processing with the laws.
The PZU Group works continuously to strengthen the functioning data protection system. Accordingly, steps will be taken in the future to maintain the quality of the processes carried out.
Data protection impact assessment (DPIA)
Following the obligations set forth expressly in the GDPR, processes have been implemented in PZU and PZU Życie which guarantee a documented process relating to the carrying out of the provisions of Article 35 (Data protection impact assessment) of the GDPR, requiring companies to assess the data protection impact in order to estimate, in particular, the source, nature, specifics and seriousness of the risk.
With a view to complying with the GDPR, the following procedures have been introduced: Rules for personal data processing risk management in PZU and PZU Życie and the Instruction (methodology) for identifying and assessing personal data processing risks in PZU and PZU Życie. Moreover, periodic reporting to the Management Boards of PZU and PZU Życie has been introduced, encompassing data concerning the conducted DPIA analyses. Processes are monitored on an ongoing basis and the fulfilment of the issued recommendations is checked. With the use of established mechanisms, the areas requiring the implementation of privacy by design and privacy by default are identified and recommendations concerning the improvement of personal data processing security in these areas are issued. DPIA analyses are conducted also for the existing processes and the changes made and their impact on the personal data processing are checked on a periodic basis.
The undertaken measures have made it possible to establish, with the use of the Jira system, a regulated and tightened DPIA analysis process imposed on the controller under Article 35 (Data protection impact assessment) of the GDPR. Project product assessments in terms of the impact on data protection have been introduced for the Jira system. Having regard to data security, the implementation of topics which have not been assessed for compliance with the GDPR is blocked. A multi-track assessment of the impact of processing on data protection ensures the compliance of personal data processing with laws. 2,081 elements of distinct processes were assessed in 2021, including the assessment of 823 initiatives/topics, 1,235 sub-topics, 8 proof-of-concept operations and 42 full DPIA tests, including 10 DPIA analyses of ongoing processes.
Opinion issuing process
Internal documents, contracts and processes are reviewed in terms of compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices.
The implementation of the opinion issuing process by PZU and PZU Życie has contributed to ensuring compliance of the Group's data processing operations with the applicable laws, accountability and the implementation of the privacy by design principle. It makes it possible to identify irregularities at an early stage and to adapt actions to the standards in force.
The implemented opinion issuing process encompasses the rollout of new functionalities or changes in the existing functionalities of IT systems, internal documents, processes and contracts in which a personal data related element is or may be present. For this process to be carried out in the best possible way, a dedicated e-mail box has been set up to which queries from business units are sent. Matters are assigned to employees specializing in various data protection areas. The opinion issuing process ends with the issuing of a recommendation in compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices. All matters on which opinions are issued are entered in a register in order to ensure accountability.
In 2021, opinions were issued in PZU and PZU Życie on a total of more than 1,768 matters. The process of issuing opinions enables the identification and correction of irregularities, if any, and contributes to raising awareness of personal data protection and personal data processing security among employees.
Breaches and complaints
In 2021, 816 personal data protection breaches in the PZU Group were reported to the President of the Personal Data Protection Office (PUODO), of which 404 breaches were recorded in PZU, 186 in PZU Życie, 23 in the Alior Group, 27 in Bank Pekao, 138 in LINK4 and 38 in PZU Zdrowie.
Counteracting corruption
Area-specific risk: the risk of corruption associated with inappropriate implementation in the Group’s structure of anti-corruption procedures, including the lack of protection for whistleblowers.
Approach to management: there is zero tolerance for any form of corruption in the PZU Group. Therefore, the Group companies have in place corruption prevention policies and rules for acceptance and giving of gifts. Additionally, PZU and PZU Życie have implemented a Whistleblowing Procedure and an Anti-Corruption Program which serves as the basis for establishing and supporting preventive and educational solutions in the field of counteracting corruption and defines a breakdown of responsibilities to control the risk of corruption.
Key regulations: Anti-Corruption Program; Whistleblowing Procedure
There is zero tolerance for corruption in the PZU Group. The organization’s implemented solutions define the method of corruption risk management, including identification, mitigation and monitoring.
The Group’s companies have in place internal regulations to prevent corruption, including, inter alia, rules for accepting and giving gifts, conflict of interest management, and ethical principles to be followed by members of the company’s statutory bodies. Relative to the entity in question, these rules have been covered by a range of implemented documents, regarding, inter alia, prevention of corruption, whistleblowing, conflict of interest management, and procurement. Those issues are also discussed during internal employee training.
The rules for Group employees to accept and give presents and the rules for registering them have been strictly defined. Gifts and entertainment, exclusively of low value, may be offered or received in the course of typical business practices. Under no circumstances can money or its equivalent be offered or received. Giving and receiving gifts cannot be so frequent, excessive or generous as to represent an actual or perceived risk of corruption, or breach local statutory or executive regulations.
The “Best Practices of the PZU Group” constitute the model for the standards, values and principles for all Group employees and they outright forbid corruption in companies. They obligate employees to act in compliance with the law and defined ethical standards: “We do not tolerate corruption. We act ethically and in accordance with the law when performing our business tasks and cooperating with our business partners”. All of the PZU Group companies implemented the “Best Practices”, except for the Alior Bank Group, which has in place the “Code of Conduct in Alior Bank” and except for the Pekao Group, which has in place its own “Code of Conduct in the Pekao Group”. In turn, LINK4 has in place its “Corruption Prevention Compliance Policy”.
Corruption risk is part of the ongoing management of compliance risk in various areas of activity. PZU has therefore implemented solutions imposing an obligation to identify and assess corruption risk. The 2021 corruption risk assessment confirms that the system solutions work correctly in PZU and that actions aimed at managing this risk were taken with due diligence.
Corruption
It is a direct or indirect demand, acceptance, provision or promise to provide a material benefit or a personal favor in exchange for taking or not taking an action in connection with a function in PZU.
Gratification is a form of corruption. It involves making small and unofficial payments or some other types of benefits to procure the accelerated execution of a routine activity, which the party delivering the gratification has the right to receive.
In turn, a bribe, which is also a form of corruption, involves giving or receiving a present, loan, fee, award or some other material or personal benefit to or from another person as an incentive for a dishonest or illegal action or breach of trust in the course of the company's business activity.
Material benefit
This is a material benefit given or received by an employee in connection with his or her position or function in the company net of his or her salary and other benefits due in connection with acting in this function and souvenirs given customarily whose unit value is not subject to personal income tax.
Personal benefit
This is an immaterial benefit augmenting the standing of an employee, his or her loved ones or persons or organizations with whom or with which he or she closely cooperates or cooperated on a professional, business or personal footing.
Anti-Corruption Program
PZU and PZU Życie have in place the “Anti-Corruption Program in PZU SA and PZU Życie” which lays down the standards of conduct to reduce corruption risk. The master rules described therein for managing corruption risk form the basis for introducing detailed internal regulations in the various areas of the company’s business. This “Program” aims to uphold the company’s reputation as an honest company in terms of its managerial practices and business activities. The Management Boards of PZU and PZU Życie oversee the execution of this Program. Non-compliance with the provisions of the Program constitutes a breach of employee duties and is subject to the sanctions provided for in the provisions of labor law.
According to the rules prescribed by this Program, companies conduct business in accordance with the law in an honest manner and counteract any and all forms of corruption, which may be linked to their business. In turn, their employees are obligated to act ethically and in compliance with the law in favor and on behalf of PZU and to avoid factors increasing corruption risk. Employees are prohibited from proposing, promising, giving or demanding any material or personal benefits in order to manipulate a pending decision, including the usage of gratification. The “Anti-Corruption Program in PZU and PZU Życie” defines the business areas in which corruption risk is potentially the greatest and specifies symptoms of unethical employee conduct. Mechanisms to identify and monitor corruption risk function in those areas of business that are particularly susceptible to corruption risk.
Regular risk assessments
The “Anti-Corruption Program in PZU and PZU Życie” introduces mandatory, regular and periodic corruption risk assessments. These draw on, among other things, corruption risk self-assessment questionnaires conducted among employees, registered notifications of irregularities in specific areas, results of internal inspections and reports of non-governmental organizations dealing with corruption. Intensified educational activities for employees (training sessions, publications and consultations) are performed for the purpose of effectively controlling corruption risk. All PZU and PZU Życie employees have been obligated to familiarize themselves with the Anti-Corruption Program, comply with its provisions and submit the pertinent representations in this respect.
In the other PZU Group entities, the potential corruption risk analysis or assessment is carried out as part of the analysis of the notifications or inquiries related to a conflict of interest or accepting or giving gifts.
The “Anti-Corruption Program” lays down the standards of conduct to mitigate corruption risk. The rules for managing conflicts of interest and the principles for accepting and giving gifts are in line with the Program.
Communication and training
These actions are supplemented by anti-corruption training and campaigns executed in the corporate communication channels, attracting the employees’ attention to the corruption risk.
The training course pertaining to the “Anti-Corruption Program in PZU and PZU Życie” is one of the mandatory training courses for all of the employees in these companies. PZU and PZU Życie employees submit declarations in the HR system that they have familiarized themselves with the “Program” and undertake to adhere to it and also that they are aware of the criminal liability for corruption. Every amendment to the “Program” will necessitate the submission of an updated declaration. 530 employees completed this training course in 2021.
Tower Inwestycje has adopted the “Anti-Corruption Program in Tower Inwestycje sp. z o.o.”. PZU CO has adopted the “Anti-Corruption Policy”. PZU Zdrowie has in place its own “Anti-Corruption Program”.
In Bank Pekao, in compliance with the guidelines of the “Corruption Prevention Policy in the Bank Pekao S.A. Group”, the “Corruption Prevention Program” has been adopted and includes rules and procedures regarding cooperation with intermediaries, the provision of gifts and entertainment activities, the recruitment process, cooperation with contractors, donations and sponsorship (including donations to political parties), mergers and acquisitions, significant investments and the bank’s participation in public procurement procedures. The program also includes training and information courses for employees devoted to counteracting corruption and ensuring safe and easily accessible communication channels through which bank employees or other persons may confidentially report corruption attempts or activities bearing the characteristics of corrupt practices.
In the area of counteracting corruption, Pekao Group companies follow the Code of Conduct and the same principles as those adhered to by Bank Pekao. The vast majority of companies have appropriate anti-corruption regulations in place, in line with the size and specific nature of their business. Some companies have established specialized coordinating positions or teams in charge of anti-corruption duties.
In turn, Alior Bank, with a view to counteracting corruption, has implemented control mechanisms to identify the areas most exposed to risk. Strictly regulated rules and conditions have been adopted for the ethical giving and acceptance of gifts or benefits, which are laid down in the bank’s internal regulations. The bank’s gift policy permits accepting and giving gifts solely for purposes of building good business relations or as a token of courtesy in relations with counterparties. Employees may only accept gifts that are permitted, in compliance with the guidelines described in the bank’s Manual on Managing Conflicts of Interest. Any breach of the rules in this area constitutes grounds for the enforcement of formal consequences and, in special cases, for notifying pertinent law enforcement authorities.
Corruption Prevention Officer
To elevate the rank of this area in the Compliance Department in Bank Pekao, a Corruption Prevention Officer has been appointed. Information regarding attempts involving corruption and actions bearing the marks of corruption should be reported to this person.
The “Corruption Prevention Policy” defines the specific tasks of the Corruption Prevention Officer, including the drafting, implementing and supervising of an effective Corruption Prevention Program and conducting the legislative process on the Bank’s internal regulations on preventing corruption.
The Corruption Prevention Officer is authorized to investigate suspected or actual acts bearing the marks of corruption, including the power to demand that a person suspected of engaging in corrupt actions produce documents, to review those documents and to report such cases in accordance with the contemplated procedure.
Confirmed incidents
In 2021, 734 cases of corruption and fraud were identified in the entire PZU Group. Four situations that may have involved corruption were reported in PZU and PZU Życie. Following an investigation, in three cases no irregularities were found that would suggest corrupt conduct. In one case, however, it was confirmed that the counterparty offered a bribe to the client. In these circumstances, the client submitted an oral notification of a crime having been committed, and the Companies discontinued all cooperation with this counterparty.
Management of a conflict of interest
A conflict of interest arises, for example, when an employee:
The “Rules for managing conflicts of interest” are in force in PZU and PZU Życie. This regulation aims to ensure professional, reliable and fair treatment of all clients and persons related to the company in a conflict of interest situation. According to this regulation an employee should report a potential conflict of interest to his or her boss and the compliance unit in a given company for that unit to be able to analyze that situation thoroughly from the standpoint of risk.
A conflict of interest may assume various forms. These are usually situations in which there is or may be a discrepancy between:
Rules for managing conflicts of interest are in force in all of the PZU Group companies.
Rules for acceptance and giving of gifts
The rules in PZU and PZU Życie regulate in transparent and very detailed terms the categories and types of gifts, including permissible and impermissible gifts, and they prescribe the procedure for accepting or offering gifts and the rules for registering gifts. These rules apply regardless of the position held or function discharged in the company. Rules for the acceptance and giving of gifts are in force in all the PZU Group companies.
Topics concerning conflicts of interest, potentially risky situations and the rules of conduct if they are detected, are part of the e-learning training course on compliance. A newly developed e-learning course was introduced in 2020. In 2021, the training was addressed to newly-hired employees. At the same time, the training is available for employees of PZU and PZU Życie. These topics are also discussed during on-boarding training courses for newly-hired employees. Furthermore, employees submit declarations on adhering to the “Rules for Managing Conflicts of Interest”.
Compliance-related issues are regularly described in the Compliance Bulletin. Employees receive it quarterly by e-mail or in printed form. The Compliance Bulletin plays an educational role - it enriches the knowledge gained during training sessions thanks to the readily understandable manner of presenting information (in the form of tables and figures).
An important information tool is Compliance Alerts, i.e. e-mail messages describing planned changes to the law, new guidelines, communications and decisions made by regulatory authorities, as well as court decisions of significance from the viewpoint of the business conducted by PZU and PZU Życie. Compliance Alerts are sent to employees in selected areas and to several hundred more people who have registered their interest in receiving this type of information. These alerts are critical to ensuring the company’s compliance with legal regulations: they allow recipients to learn quickly about projected changes to the law and the regulator’s expectations and to adapt to them on a timely basis.
We do not accept gifts from clients, business partners or associates if those gifts could:
For the purposes of conflict of interest management, the Alior Bank Group has adopted the “Instructions for managing conflicts of interest”. In this document employees will find responses to questions on how a conflict of interest is defined and how its potential and actual outcome are determined and how they should conduct themselves to avoid a conflict of interest. These instructions govern material elements such as the rules for employees to deal with relatives, accept gifts and invitations and conduct gainful activity outside the Group. This document also clearly specifies the rules pertaining to the official ties between relatives while emphasizing the elimination of the risk of nepotism.
The Pekao Group applies the Conflict of Interest Management Policy in the Pekao Group, which specifies the rules for managing conflicts of interest and defines the circumstances that trigger or may trigger a conflict of interest in the Bank’s operations.
Fraud prevention and counteracting of money laundering and terrorism financing
Area-specific risk: the risk of improper design and implementation of solutions in the area of fraud prevention and counteracting of money laundering and terrorism financing in the organization and a failure to execute these solutions correctly.
Approach to management: the PZU Group has in place special security procedures in the fraud prevention area, which includes counteracting of money laundering and terrorism financing. The PZU Group designates a single owner of the insurance fraud prevention and counteracting money laundering and terrorism financing area, who is responsible for the entire process, monitoring its quality and effectiveness, as well as for adhering to the prevailing procedures. This area contains the Team for Insurance Fraud Prevention (ZPPU) and the Team for Security Incident Management (ZZIB). The Team for Insurance Fraud Prevention fulfills tasks in the area of analyses of fraud prevention and operational activities undertaken to investigate the actual course of a given fraud event. The Team for Security Incident Management fulfills tasks in the area of counteracting in-house crime. In discharging these tasks both Teams are supported by the Fraud Management System - the most advanced system on the Polish market that profiles internal and external fraud, supports their analysis and provides for smooth and effective case workflow.
The processes for counteracting money laundering and terrorism financing are executed in the Security Threat Analysis Team (ZAZB), while the standards of activities and the target process, including implementation of the IT system, are created within the AML Project. The Compliance Area is responsible for the observance of international sanctions.
Key regulations: the Security Procedure for the fraud prevention area, the Security Procedure for counteracting money laundering and terrorism financing, and the Sanction Policy.
Financial crime, money laundering and financing of terrorism are challenges that evince serious consequences for the financial markets across the globe. For many years the PZU Group has been taking legally required actions to prevent situations in which its transactions are used for unlawful purposes.
Security Procedure
The PZU Group has special security procedures in the fraud prevention area. PZU SA and PZU Życie SA have in place the Fraud prevention Security Procedure. The procedure includes:
PZU Życie has implemented the “Security procedure for counteracting money laundering and terrorism financing”. The regulation applies to Management Board Members, company employees and sellers as well as external entities that collaborate with the companies on the basis of concluded agreements. According to this document, the security standards in the area of counteracting money laundering and terrorism financing in PZU Życie are as follows:
PZU and PZU Życie SA operate a “Joint Sanctions Policy”, which defines management standards for sanction risk, in order to adhere to the relevant requirements under international sanctions in the business operations conducted by PZU and PZU Życie SA.
Counteracting money laundering and terrorism financing in PZU Życie
The “Security procedure for counteracting money laundering and terrorism financing in PZU Życie SA” contains guidelines concerning actions to be taken in the case of suspicious transactions and if a client is listed on sanction lists.
Actions performed as part of the “Procedure” and the AML act:
The “Security procedure for counteracting money laundering and terrorism financing in PZU Życie SA” describes not just the roles and tasks of persons involved in the AML process but also their responsibility. The Management Board Member overseeing the Security Department is responsible for implementing the obligations for counteracting money laundering and terrorism financing prescribed by the AML Act. In accordance with the “Security Policy” of 2015 the PZU Management Board designated the Management Board Member overseeing the security area in PZU Życie to exercise this oversight. Employees and associates, including PZU Życie agents undergo regular training on preventing money laundering and financing terrorism.
PZU Życie analyzes the insurance contracts it concludes and the transactions it executes in order to assess the risk of money laundering and financing of terrorism. The company applies financial security measures to its clients. It conducts a risk assessment of money laundering and financing of terrorism related to the establishment of business relations or a transaction related to an insurance agreement.
The Act of 1 March 2018 on Combating Money Laundering and Financing of Terrorism (Journal of Laws of 2018, item 723) referred to as the AML (Anti-Money Laundering) Act imposed new duties on PZU. One of the basic obligations following from the new Act is the multi-dimensional assessment of the money laundering and financing of terrorism risk in PZU Życie, taking into account internal and external factors, including clients, countries or geographical areas, products, services, transactions, supply channels. Legally required internal procedures were implemented, including a group procedure addressed to all obligated institutions in the PZU Group (institutions belonging to the Group and subject to the AML Act) and the relevant internal procedures were updated. PZU is not subject to the regulations of the AML Act, but as the parent company in the PZU Group, it adopts a group procedure for the Group entities which are obligated institutions. The group procedure defines the standards prevailing in the PZU Group and the rules for exchange and protection of information for the needs of performance of AML activities.
To ensure compliance with these regulations, PZU launched the AML project. Its purpose is to devise solutions to facilitate the implementation of the Act in business and operational processes while taking into account the requirements ensuing from the bill to amend the act on counteracting money laundering and terrorism financing.
PZU Życie's declaration:
Prevention activities and training
Risk awareness is a crucial part of the company's security system functioning correctly; that is why all employees and intermediaries should be trained and have up-to-date knowledge of the applicable internal regulations and other necessary internal rules on fraud prevention, counteracting money laundering and terrorism financing. The head of the organizational cell or unit in which the employee is employed is responsible for overseeing training. The head of the organizational cell or unit of the Head Office supervising a given structure is responsible for supervising the employees of local structures of divisions and tied intermediaries.
Detailed information on prevention and prophylactic security measures is set forth in the “Instructions regarding prevention and prophylactic security measures in PZU and PZU Życie”. It spans actions to raise the awareness of security risks in the following areas:
In TUW PZUW, the “Procedure for fighting crime in TUW Polski Zakład Ubezpieczeń Wzajemnych” formalizes the process of identification, management and protection of the company against crime, in particular insurance crime and fraud.
As an obliged entity under the AML Act, PZU Finanse operates the “Procedure of counteracting money laundering and terrorism financing in PZU Finanse Sp. z o.o.” and the “Procedure of anonymous reporting breaches of the regulations in respect of counteracting money laundering and terrorism financing committed by employees or other individuals in PZU Finanse Sp. z o.o.”.
In 2021, there were 250 incidents in the PZU Group related to insurance fraud (184 in PZU, 20 in PZU Życie, 26 in LINK4, 5 in TUW PZUW and 15 in its international companies). These cases were handed over to the law enforcement authorities.
In 2021, there were 794 pending fraud cases in the Alior Bank Group. Irregularities involving internal fraud were identified in 481 instances. The level of losses was PLN 113 thousand, of which PLN 50.1 thousand was recovered.
Alior Bank operates the “Program of counteracting money laundering and of terrorism financing in Alior Bank S.A.”.
Bank Pekao has in place a Fraud Management Process regulation which introduces the Official Instructions entitled Fraud Management Process in Bank Polska Kasa Opieki. The Official Instructions define the following:
In addition, the obligations and powers of the Financial Security Office in Bank Pekao’s Security Department are defined; this office performs the tasks associated with central coordination of financial crime prevention in the bank.
The Fraud Management Process and the Official Instructions impose on each bank employee the obligations and powers associated with prevention of financial crime threatening the organization and the bank’s clients.
In 2021, the amount of fraud operations in Bank Pekao was PLN 63.7 million (4,699 fraud operations).
Whistleblowing system
In all Group companies, Polish and foreign alike, separate whistleblowing procedures are in place. Employees are advised of the prevailing standards of conduct, inter alia at onboarding training for new hires, during e-learning and during on-site and online training courses.
The Whistleblowing System functions in PZU and PZU Życie. It allows employees and entities cooperating with PZU to report irregularities of an ethical nature. Information may be transmitted in name or anonymously. In every instance confidentiality, discretion and protection of personal data are guaranteed. An employee who reports a potential irregularity in good faith is not at risk of any sanctions; nor does he or she incur any consequences pertaining to his or her employment relationship due to that report. The Whistleblowing System supports the application of PZU’s ethical standards as cited above and the management of the accompanying risks.
Reports transmitted by clients are subject to examination in accordance with separate internal regulations defining the organization of the complaints handling process.
In 2021, roughly 140 suspected irregularities were reported in PZU and PZU Życie, which confirms that the Whistleblowing System actually functions. All reported cases were examined in accordance with the applicable regulations, including the “Whistleblowing Procedure in PZU and PZU Życie”.
Whistleblowing Procedure
Employees learn about the “Whistleblowing Procedure in PZU SA and PZU Życie” at mandatory training sessions on compliance, available, inter alia, on the in-house educational platform. It is also discussed at training sessions for newly hired employees. Information concerning the standards of dignity, including precisely how to report irregularities, is also regularly disclosed to external entities cooperating with PZU, among others to agents and business partners.
Pursuant to the “Whistleblowing Procedure in PZU SA and PZU ŻYCIE SA”, all the aforementioned information on irregularities may be reported via the following communication channels operated by the Compliance Department:
Thanks to the various forms of contact with the compliance unit an employee may file a report in the most convenient form and time 24 hours a day, 7 days a week.
In accordance with the “Procedure” in force, Compliance Department employees run the proceedings on reported irregularities in PZU and PZU Życie. The person conducting a given case coordinates the actions taken during the explanatory proceedings; he or she also analyzes the factual circumstances and the legal status specified in the notification.
The person overseeing the Compliance Department is notified in every instance of the outcome of the proceeding concerning cases of significant importance to the company’s interests, while if the notification pertains to that person – then the President of the Management Board of the company is notified. The execution of the recommendations given after completing proceedings is subject to monitoring by the Compliance Department and is reported to the company’s Management Board and Supervisory Board as part of regular reporting on compliance risk.
Following amendment of the Act of 1 March 2018 on Combating Money Laundering and Financing of Terrorism, the scope of the “Whistleblowing Procedure in PZU SA and PZU ŻYCIE SA” has been extended to incorporate the requirements of the act as regards new categories of persons under protection, and the extent of this protection. Furthermore, in view of the on-going legislative process designed to implement Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, the “Procedure” will be adapted to the requirements of the domestic act, by the date set out therein.
The companies belonging to the Group have independent mechanisms for reporting information concerning the suspicion, possibility or occurrence of irregularities or abuse. However, the basis for their creation was linked to the rules in force in PZU and PZU Życie. Therefore, similarly, the employees of these entities learn about the whistleblowing procedure during training courses, while cases are examined by the compliance unit.
PZU LAB, PZU Pomoc TFI PZU and PZU Finanse operate the “Rules for Classifying, Documenting and Reporting Irregularities Detected by the Internal Control System”. This regulation is supposed to provide for homogenous standards of conduct if irregularities are identified that affect the achievement of targets. Furthermore, the companies: LINK4, PZU CO, PZU Finanse, TFI PZU, Tower Inwestycje and TUW PZUW operate their respective whistleblowing procedures.
An expression of Bank Pekao’s engagement in promoting corporate culture that supports ethical behavior, in keeping with the law and the Bank’s ethical standards and procedures, is the “Whistleblowing Policy in Bank Pekao S.A.”.
The purpose of the “Whistleblowing Policy in Bank Pekao S.A.” is to create safe channels for communicating practices observed in the bank that are inconsistent with the prevailing law or internal regulations, or that are unfair or unethical, as well as justified suspicions of their occurrence, and to ensure that the reported problems are accepted, analyzed and duly managed, while a person reporting them in good faith is protected against retaliation. In 2021, 8 breach reports were filed in Bank Pekao via the whistleblowing mechanism. No such reports were filed in the Pekao Group.
Alior Bank attaches great importance to properly organizing the whistleblowing system so that employees may easily and without any concerns transmit information or share their doubts. To this end, the Bank has introduced a Policy of irregularity reporting and whistleblower protection. The Policy defines the procedures for reporting and examining irregularities in the workplace and the rules for protecting whistleblowers against retaliation. The Policy of irregularity reporting and whistleblower protection is supplemented by the Policy of a workplace environment free from undesirable conduct, a Procedure defining the steps to be taken to report undesirable conduct in Alior Bank S.A. and providing detailed rules for the actions to be taken by the employer once an irregularity in the workplace has been reported. Alior Bank provides its employees with many communication channels for this purpose. A report can be made orally, in writing or by e-mail to dedicated e-mail addresses, or directly to Members of the Management Board or of the Supervisory Board. The adopted whistleblowing system facilitates the maintenance of anonymity. The bank absolutely rules out the application of any repressive or discriminatory means or any other unfair treatment against an employee who has submitted a whistleblowing report, and it also ensures confidentiality if the whistleblower reveals his or her identity or if it is possible to ascertain his or her identity.
In all of the PZU companies in the health segment a compliance regulation package has been implemented, comprising, among others, a whistleblowing procedure.
PZU’s foreign insurance companies also have whistleblowing systems in place. Breaches can be reported by e-mail, in writing or in person to a compliance unit employee.
Employees of PZU Ukraine and PZU Ukraine Life learn about the “Whistleblowing Procedure” at an e-learning course entitled “Learn about Compliance”. Importantly, this document has been drafted in two languages: Ukrainian and Polish. In turn, Lietuvos Draudimas operating in Lithuania has a 24/7 hotline to report irregularities.