Non-financial risk management

The Group, including the Bank, manages these risks, including social aspects (with regard to customers and the products offered to them and the employees) and environmental aspects (with regard to property management activities). The methods of managing types of risks related to social and environmental aspects have been discussed later in the Report. The key risks related to social and environmental aspects arising from the Group’s activities include:

Managing the risk of non-compliance of products with the applicable norms (including misselling) 

An example of the concern for ensuring compliance of the products with the applicable regulations is the elimination of the risk of misselling, performed at the stage of creating and introducing the product, and then at the stage of offering the product to customers. In accordance with the principles applied at the Bank of creating and introducing products into the Bank’s product range, each product introduced to the range is analysed for the risks it generates and the identification of target customer groups for the given product. PKO Bank Polski SA also identifies the group
of customers to which the Bank should not propose the purchase of a given product because of the risk of misselling, the lack of adaptation of the product to the customer’s needs or for other reasons (the so-called anti-group). In such a case, the Bank implements actions, including systemic solutions reducing the risk of misselling. The next stage of eliminating the risk of misselling is during direct customer contact. Before presenting the product offering to a given customer, the Bank assesses the customer’s needs with regard to a given product, so that there is no risk of misselling (e.g., the sale of unemployment insurance in connection with a cash loan to pensioner). Additionally, the Bank always provides reliable and comprehensive information to customers so that they can make an informed choice of a specific product. The bank acquaints customers with the benefits as well as the risk arising from the purchase of individual products.

The Bank considers any irregularities reported by its customers, in particular in the form of a complaint, forthwith and, depending on the findings, takes steps to fix them, prevent them from taking place in the future and improving the quality of service (more in subchapter 3.3).

The risk of misselling products to customers is also managed by the Group’s entities: PKO Życie Towarzystwo Ubezpieczeń SA, PKO Bank Hipoteczny SA and the PKO BP Finat sp. z o.o. group.

Managing the risk of the incorrect labelling of products

The labelling of banking and investment products boils down to providing information to the customer about them.
In the process of managing the risk of improper product labelling, the PKO Bank Polski SA Group, including PKO Bank Polski SA provides customers with access to all important information about the products offered, especially
at the pre-contractual stage.

Managing the risk of unauthorized access to customer funds through electronic banking 

The most important threat identified by PKO Bank Polski SA and PKO TFI SA to the security of customers benefiting from the Group’s products are potential criminal activities of third parties targeted at customers using electronic channels of access to banking and investment services.

First, the Bank uses the latest ICT security solutions guaranteeing secure access to funds held by customers, while the Bank is constantly improving the quality of IT systems security, in particular, regarding the applications used by the Bank’s customers. This applies, among others to actively combating phishing websites pretending to be the Bank’s websites, tracking the development of malware attacking the Bank’s customers, developing mechanisms of detecting infected customer computers, improving the rules and extending the scope of monitoring of electronic transactions.

Second, the Bank attaches a great deal of importance to informing and raising customer awareness of the safe use of electronic banking services, as well as payment cards, as security in this respect depends to a large extent on the user’s actions. These activities include, in particular:

  • mass educational campaigns, e.g. by initiating texts on the safe use of electronic banking (Bankomania magazine distributed in a paper version in over 1200 branches (i.e. in almost 2/3) and the educational portal;
  • ongoing provision of responses and explanations to customer enquiries (e-mail, social media);
  • ongoing provision by the mass media of the Bank’s position regarding false e-mails containing educational elements;  
  • ongoing response to other signals regarding threats;
  • publication of information on the Bank’s website, in the transaction website and distributed to customers by e-mail on securely logging in and the principles of using electronic banking.

Since 2016, the Bank has been implementing its proprietary program Cyberstrażnik [Cyberguard], through which it monitors the internet for content disclosing personal data and warns internet users on making it public on the web. The Cyberstrażnik message reached approximately 4 million internet users by the end of 2017.

The Bank was the first in Europe to start working with Microsoft, the objective of which is to raise the level of security by exchanging information on potential threats. The agreement facilitates a faster and more effective response to dangerous events appearing in the network. The cooperation was continued in 2017.

In addition, the Bank’s representatives are involved in work conducted as part of the Banking Cybersecurity Centre (BCC) operating within the framework of the Polish Bank Association. BCC’s objective is to implement comprehensive and long-term activities at several levels: intrasectoral, intersectoral (including cooperation with institutions from the telecommunications sector), national (cooperation with state administration and law enforcement agencies) and international, with the aim of increasing the level of mobile and electronic banking security and preparing tools (structures, procedures, information exchange mechanisms) enabling the management of crisis situations (e.g. in the event of a massive cybercriminal attack on the banking sector).

Managing the risk of unauthorized access to customer information

The risk of unauthorized access to customer information is managed in accordance with the Bank’s security policy. This policy regulates the principles of confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including, in detail, the liability of the Bank’s employees regarding personal data protection. In accordance with these principles:

  • Access to protected information at the Bank is only given to employees within the scope of their corporate tasks and duties.
  • The employees undergo training on security of protected information before starting to process protected information.
  • If materials containing protected information are provided to external entities, a non-disclosure agreement is concluded between the parties, whereas, in the case of entrusting the processing of personal data, an agreement is concluded on entrusting the processing of personal data.

Each of the Group’s entities processing personal data, which is required to have appropriate regulations on this, has such regulations and applies them in practice. They are in line with the generally applicable regulations and standards applied at the Bank and, to the extent necessary, contain specific regulations which are adequate to the specific nature of the particular entity’s business.

None of the Group’s entities, including the Bank, recorded a case of a “leak” or unauthorized use of personal data processed in these organizations in 2017 and no administrative procedures were conducted in this area (e.g. by the Inspector General for Personal Data Processing), which could result in the imposition of a fine. 

Operational risk related to outsourcing banking activities to external entities

The Bank conducts banking activities with the support of external entities as a result of which it is exposed to operational risk arising from outsourcing services to other entities.

In accordance with the Bank’s internal regulations regarding:

  • operational risk management;
  • contracting for the performance of activities for the Bank to external entities other than agents and intermediaries (outsourcing);
  • cooperation with agents, brokers and online brokers,

the risk management related to outsourcing activities to external entities at the Bank applies to all stages of outsourcing, starting from planning the outsourcing of activities, through the selection of the entity that will perform the activities, the conclusion of the outsourcing contract, monitoring cooperation and ending the cooperation.

Within the framework of the operational risk management related to outsourcing services to external entities, the Bank, in particular:

  • evaluates the contractor at the stage of selection of the external entity;
  • ensures that the interests of the Bank and its customers are appropriately secured in contracts with contractors (including securing data which is subject to bank secrecy);
  • ensures that the Bank and the contractor have contingency plans in place to ensure the continuous and uninterrupted operation of the activities encompassed by the outsourcing contract;
  • supervises the performance of contracts, reports irregularities, calculates and monitors the KRI (Key Risk Indicator) index providing information about the scale of breaches of outsourcing contracts;
  • evaluates the risk related to entrusting activities at the stage of planning the outsourcing of activities in the case of every material change in the contract and during the annual assessment of operational risk related to the performance of the outsourcing contract.

Operational risk management related to outsourcing services to external entities also takes place at other entities of the Group.