Internal control, external audit and compliance policy
Internal control system
The Bank has an internal control system adjusted to the organisational structure, whose scope covers the organisational units of the Bank’s head office, outlets and subsidiaries. This system comprises internal control procedures defined in the form of internal control bylaws for particular units of the Bank, and internal control mechanisms which cover, among others, control principles, limits and procedures, and any other types of operations whose purpose is to control the quality and correctness of the tasks implemented at the Bank.
The internal control system functioning in the Bank takes into account the regulatory requirements arising from the Banking Law as amended in 2015, which extended the objectives of the internal control system whose implementation banks have to ensure. These objectives include: the effectiveness and efficiency of the Bank’s operations, reliability of financial reporting, observance of the principles of risk management in the Bank, compliance of the Bank’s operations with the law, internal regulations and market standards.
The Internal Audit Department is a specialized unit of institutional control whose purpose is an independent and objective assessment of adequacy, correctness and effectiveness of the internal control and management systems, including risk management. In particular, this is connected with the assessment of quality, correctness and security of running banking operations. In implementing its mission Internal Audit takes into account strategic objectives and tasks of the organisation specified by the Management Board and Supervisory Board of the Bank. The audit process is implemented according to the Internal Audit Methodology fostering international standards of internal audit and good banking practices.
The activity of Internal Audit is planned and based on an annual audit plan. The basis of the planning process is the assessment of risk of particular areas and processes at the Bank in order to identify increased risk and support the specification of priorities and resources for the implementation of tasks. The planning process takes into account consultations with higher level management and owners of key processes. The annual audit plan is approved by the Bank’s Supervisory Board and implemented on a quarterly basis by experienced and highly qualified professionals.
Internal audit provides opinions on regulations being implemented and updated at the Bank, independently and objectively assesses and advises particular units with respect to the audited area and builds positive relations with audited units in order to work out common added value to streamline the Bank’s operations. Advisory activities can be provided, if they do not undermine the objectiveness and independence of the internal auditor.
In 2016, the Internal Audit Department implemented audit tasks at the Bank, the Bank’s subsidiaries, external entities to which the Bank, to the extent permissible by regulations, outsourced banking and bank-related operations, as well as within the BCP Group. The planned activity of the Department covered among others audits of key business and support processes, as well as financial audits, outlet audits and those of compliance with external regulatory environment. The tasks performed by the Internal Audit Department also include investigations and spot checking (prevention). The Internal Audit Department is an independent unit reporting to the Chairman of the Management Board of the Bank and the results of its activities are reported to the Audit Committee of the Supervisory Board and the Supervisory Board of the Bank. The results of a review of the entire internal control system, as well as its selected elements, are also periodically presented and subject to evaluation by the Audit Committee of the Supervisory Board of the Bank.
Internal Control System with respect to the Process of Preparing Financial Reports
The solutions described above regarding the internal control system protect the Bank to a significant extent against financial reporting errors and provide the Bank’s Management with information facilitating evaluation of the preparation of financial reports or its correctness, efficiency and security, in order to ensure the highest possible effectiveness in managing the identified types of risk accompanying the process.
The internal control system, introduced by the Management Board of the Bank and incorporating the financial report preparation process, has been designed to facilitate the controlling of process risk while maintaining appropriate supervision of correctness of the gathering, processing and presentation of data necessary for preparation of financial reports in keeping with effective laws.
According to effective laws, the Bank’s reports (non-consolidated) and those of the Bank Capital Group (consolidated) are subject to, respectively: review (semi-annual statements) or audit (annual statements), performed by an independent entity authorised to audit financial statements – i.e. the External Auditor. The External Auditor is selected by the Supervisory Board on the basis of a recommendation issued by the Audit Committee of the Supervisory Board. In addition, considering the quality of financial data presented in remaining published quarterly reports, the Bank, jointly with the External Auditor, implemented cooperation procedures ensuring the consultation of important issues connected with recognition of economic events in the Bank accounts and financial reports, on a current basis. At the meetings of the Audit Committee of the Supervisory Board the External Auditor presents key findings relative to financial reporting. Furthermore, the external auditing firm also performed, in 2016, a review of the adequacy and effectiveness of a part of the Bank’s internal control system supporting the financial information preparation and publication process (financial reporting) and issued relevant opinions. In 2016 the Bank’s External Auditor was PricewaterhouseCoopers Sp. z o.o. In December 2016, the Bank Supervisory Board decided to select PricewaterhouseCoopers Sp. z o.o. to be the Bank’s External Auditor in 2017. The Bank is covered by the consolidated financial statement of the BCP Group. Therefore, the annual review of the Bank’s system of internal control in support of the process of preparing and publishing financial information is also subject to the terms and requirements of consolidated supervision, which is performed by the Bank of Portugal and the European Central Bank.
Information on the agreements with the entity authorised to audit financial reports
In 2016 the audit of the Bank’s financial statements was performed by PricewaterhouseCoopers sp. z o.o. On 22 October 2015 the Supervisory Board of the Bank adopted a resolution on selection of PricewaterhouseCoopers sp. z o.o. to perform audits of annual financial statements of Bank Millennium and Bank Millennium Group for 2016. The audit agreement was concluded on 8 April 2016.
Remuneration received by auditor on account of services provided to the Capital Group of Bank Millennium S.A under concluded agreements:
Certification services, including review of financial statement
Tax advisory services
Lack of legal compliance of internal regulations and the ensuing risk of legal or regulatory sanctions, material losses or reputation risk is one of the areas threatening the activity of every bank. Therefore Bank Millennium has the Compliance Department, the task of which is to ensure compliance with Acts of Law, secondary legislation, rules, related self-regulatory organisation standards as well as codes of conduct, relating to banking activity. Monitoring compliance with both internal as well as external regulations, Bank Millennium Group considers the following to be particularly important:
Preventing money laundering and financing of terrorism,
Ensuring consistency of Bank Millennium’s internal normative acts with generally binding laws as well as recommendations issued by supervisory authorities,
Managing conflicts of interest,
Observance of ethical principles,
Restricting personal transactions and protecting confidential information related to Bank Millennium, financial instruments issued by the Bank as well as information connected with purchase/sale of such instruments,
Monitoring and ensuring compliance of the investment products covered by MiFID.
Companies from Bank Millennium Group undertake appropriate actions for the purpose of ongoing and continuous tracking of changes occurring in generally binding legal regulations as well as recommendations and guidance given by supervisory authorities, both national as well as of the European Union.
For the purpose of ensuring compliance of internal normative acts with generally binding legal regulations the solutions adopted by Bank Millennium Group reflect the need for periodic reviews of all internal normative acts, binding in the Group.
The scope of actions undertaken by the Group may generate a conflict of interest between these actions and the interests of Customers. The Group’s main principle is to take all reasonable steps to identify a conflict of interest between the Group and its Customers, as well as between individual Customers, and also to establish rules ensuring that such conflicts have no adverse impact on Customers’ interests.
Companies from Bank Millennium Group also undertake appropriate actions to ensure that conduct concerning personal transactions is compliant with standards and laws. These actions and measures are meant, according to the circumstances, to restrict or prevent performance of personal transactions by Relevant Persons in situations which may cause a conflict of interest or involve access to confidential information or to data about Customers’ transactions. Shares of Bank Millennium are admitted to public trading on the Warsaw Stock Exchange. Such status requires special attention and observance of the obligation to maintain the highest standards for transparency of financial markets. It is the policy of Bank Millennium Group to maintain strict control as regards protection of the flow of Confidential Information. The Bank forbids use and disclosure of Confidential Information in whatever form. Purchasing and selling the Bank’s shares, derivative rights concerning the Bank’s shares or any other financial instruments thereto related is forbidden during closed periods.
The Anti-Money Laundering and Counter Terrorism Financing Programme (AML/CTF), applied by Bank Millennium, is a comprehensive system of identification of threats related to money laundering crimes.
Actions launched under this programme include in particular:
application of financial security measures to Customers, depending on the degree of risk and based on the “Know your Client” or KYC principle – the key concept of the programme,
transaction registration and reporting,
identification of suspected transactions,
cooperation with the General Inspector of Financial Information.
Bank Millennium adjusts its reports to the analysis of suspected transactions on an ongoing basis, taking into account up-to-date patterns (sectors, cash-flow routes, Customer behaviour) for effective identification and reporting of transactions suspected of money laundering.
Our internal procedures, organisational solutions and employee training programmes ensure efficient operation of the Programme.
With a view to protecting Clients who invest their funds in investment products with varied degrees of risk, Bank Millennium strictly monitors compliance of these products, and of their offering and handling process, with relevant internal regulations, laws and external guidelines – on the domestic and European Union level (MiFID).
Consumer loans and insurance products directed to consumers are also subject to the special programme of compliance monitoring.
In 2016 the Bank implemented the requirements of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (Market Abuse Regulation – MAR), which entered into force in Poland on 3rd of July 2016. The implementation consisted, among others, in introducing changes in the principles of reporting confidential information by the Bank as an issuer and reporting on insider transactions. In particular, individual standards of reporting by the Bank as an issuer and criteria of qualifying events as reportable were adopted, and the principle was established of maintaining the list of insiders and of notification by them of transactions on forms following the model adopted by the European Commission pursuant to MAR.
An internal regulation was introduced specifying the principles and guidelines pertaining to managing information subject to current reporting, including confidential information, covering issues regarding the management of confidential information, criteria of identifying information and principles of notification by persons discharging managerial responsibilities and persons closely associated with them with respect to transactions in shares and other financial instruments of the Bank. In particular, the principle of keeping, in electronic form, the list of confidential information and of persons who have access to it was also implemented.