Fraud prevention

The Fraud Risk Management Program has been created to effectively fight and prevent abuses and is the basis for the currently existing and continuously updated fraud prevention system.

The system enables coordination of actions taken by the Bank’s units involved in fraud prevention in the area of fraud detection, analysis and prevention, while providing professional tools to ensure effective protection of the Bank.

One of the elements of the program is Branch employee training, since branch employees have ongoing contact with clients and have the opportunity to identify suspicious behavior. In addition to training for new branch employees (459 people trained in 2016), a site is available on the Bank’s Intranet containing all the necessary information and materials; new information is also sent out to employees about new procedures and methods used by criminals.

Another element of the program is an e-mail account created especially for this purpose and an alert hotline operating 24/7/365 to ensure that any Bank employee could immediately clear up any doubt related to a suspicion of abuse. This solution has proven effective in particular when an employee identifies a “grandson fraud” since it has allowed the Bank to react quickly in such cases.

459 people trained in 2016

Anti-Money Laundering and Combating Terrorism Financing +

The Bank’s Anti-Money Laundering and Combating Terrorism Financing (AML/CTF) Program is a comprehensive system to identify risk areas related to the money laundering crime.

The activities taken in the program involve, among others the use of financial security measures depending on the evaluation of money laundering risk, registration and reporting of transactions, selection of suspicious transactions, cooperation with the Inspectorate General of Financial Information (GIIF).

Bank Millennium has adjusted its reports on an ongoing basis to the results of analysis of suspicious transactions, by adding the schemes operating in the given period (sectors, money flow directions, client behavior) in order to effectively identify and report transactions that may be related money laundering operations.

Efficient operation of the Program is ensured through internal procedures, organizational solutions in place and the employee training programs.

20%   employees trained on the AML/CTF program


Anti-Money Laundering Program
 Anti-Money Laundering Program 2016 2015 2014 2013 2012
Number and % of employees trained 1093 (20%) 1259 (22%) 1256 (22%) 1539 (28%) 1346 (22%)
Number of Suspicious Activity Reports (SARs) sent to GIIF* 148 152 134 155 187
Number of clients reported in SARs 450 472 502 640 844

Anti-corruption regulations +

The anti-corruption regulations described in the internal compliance policies and the Code of Ethics of the Bank Millennium Group pertain to the acceptance and offering of benefits by Bank employees, rules for contacting people discharging public functions, public institutions and political parties. These regulations also apply to the Bank’s suppliers and business partners. Every supplier taking part in a tender procedure must undertake to observe the rules included in the Bank’s Code of Ethics, by signing a representation to that effect.

Employees may voice questions and observed irregularities concerning the breach of law, regulations and ethical norms via a dedicated telephone line or e-mail inbox or they may contact their immediate supervisor or the person running the Compliance Department.

However, during the internal audits, the vulnerability of bank processes to various types of threats and possible abuse, including corruption, is examined.

[GRI 103-2] [GRI 103-3]

Risk of corruption
Risk of corruption 2016 2015 2014 2013 2012
Number and % of organizational units analyzed for corruption risk It is difficult to specify the number of audited units, since audits concern processes and several organizational units may be involved in each process.
Actions taken after corruption cases are found No corruption
cases found
1 No corruption
cases found

[GRI 205-1] [GRI 205-3]

Information security +

The information security system in place in the Bank is modeled after the international ISO/IEC 27001 standard,

which defines the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management in the organization.

The accepted information security management model determines the comprehensive system for protecting all information processed in the Bank, including information on clients, employees and transactions. In order to achieve this goal, the Bank uses a broad range of organizational, IT, telecommunication measures and in particular device protection mechanisms, systems, applications, databases and communication channels.

The data and resources of Bank Millennium clients are under constant oversight of a dedicated specialist team ensuring security of all the channels used to access the Bank’s services and products. We attach particular importance to the security of our customers using electronic channels to access banking products and services and we continue to improve technical and operational security measures. We have been using tested and safe methods to confirm identity of IT system users and we continue to develop them to ensure safe and convenient access to the Bank’s systems. We allow our clients to use innovative identification methods such as biometric fingerprint data.

We have been continuously analyzing new threats and methods employed by criminals, to be able to prevent them effectively. We have also been actively collaborating with other financial sector entities in Poland and internationally, sharing its knowledge about contemporary threats, trends and the evolving methods of abuse.

Special care is exercised to ensure continuity of the services provided by the Bank. By establishing the Business Continuity Management System, we make sure that the key processes and IT systems are available regardless of any chance events. The dispersed architecture of our information technology environment increases its resistance to threats and reduces the risk of unavailability of services.
The Bank’s initiatives in the area of security are recognized by independent experts.

The Bank received a distinction for Best practices in security of IT systems in the 2016 Golden Banker contest.

In 2016, the Bank also topped the independent security ranking of largest Polish banks prepared by BitSight.

Internal audit +

Internal audit opines any regulations introduced or amended in the Bank and conducts an independent and objective assessment and provides advice to the units regarding the audited domain. Advisory activity may be performed if its character does not compromise the principle of the internal auditor’s objectivity and independence.

The Internal Audit Department is an independent unit reporting to the Chairman of the Bank’s Management Board, which delivers results of its activities to the Audit Committee of the Bank’s Supervisory Board and to the Supervisory Board itself.

Results of the operating review of the entire internal control system and of its selected elements are presented regularly and evaluated by the Audit Committee of the Bank’s Supervisory Board. [GRI FS9] [GRI G4 DMA]

Internal Audit – activities in 2016
Process audits 59
Financial audits 4
Audit of outlets 160
Compliance audits: IRF / MiFID 9
Additional unscheduled audits 11
ICP review, inspections from KNF, BION 6
Total 249
Preventive inspections 58
Explanatory proceedings 198

External audit +

In 2016, PwC was the Bank’s External Auditor.In addition to the cooperation in performing the basic tasks of the External Auditor, such as review and audit of semi-annual and annual financial statements, respectively, the Bank cooperates with PwC in implementing the program of ongoing monitoring and consulting economic events in the context of their correct presentation in other financial statements. As a result of this approach, information in interim statements is presented in the same manner as in the annual statements.
[GRI 102-17]

Previous page Compliance policy
Next page Risk management