Non-finacial risks

We understand operational risk as the risk of a loss caused by incompatible or defective internal processes, people and systems or the external occurrences, including legal risk. Operational risk includes the subcategories defined below. It does not cover reputational risk, which is a separate risk category, or strategic risk, which is part of business risk.

According to mBank Group’s Risk Catalogue, operational risk includes the following permanently significant and significant subcategories:

• legal risk
• IT risk
• cyber risk
• conduct risk
• performance, delivery and process management error risk
• external fraud risk
• outsourcing risk
• HR and organisational risk
• physical security risk.

The rules for mBank’s operational risk management are defined in the mBank Group Operational Risk Management Strategy. The Strategy is updated on an annual basis and approved by the bank’s management board.

The operational risk management system is based on the following:

• identification and assessment of operational risk,
• monitoring of losses,
• mitigation of factors causing operational events,
• reduction of the probability of future loss,
• mitigation of the impact of materialised losses.

Details concerning operational risk management tools, measures, and strategies are described in chapter Operational risk.

Legal risk is understood as the risk of loss caused by:

• legal defects in internal regulations,
• contracts with clients and third parties,
• declarations of the bank,
• changes in case law,
• unfavorable court decisions,
• changes in legal regulations.

Details concerning proceedings pending before courts, arbitration bodies, and public administration bodies are presented in note 32 to the mBank S.A. Group IFRS Consolidated Financial Statements 2020.

IT risk is understood as risk arising from inadequate application of information technology and from the unavailability or insufficient quality of services based on information technology and any errors in ICT environments caused by internal factors and external events. IT risk is linked with the development, use and selection of IT solutions which support the execution of the bank’s business processes.

Technological progress is a factor that increasingly determines the way customers communicate with financial institutions. Digital banking services are among the fastest growing. They are characterized by innovation, creativity and openness to new technologies. The main challenge with such a rapid development of services, constant regulatory changes and unpredictable environment is to ensure the highest quality and availability of services.

In the past years, we have taken a number of initiatives which significantly mitigate the risk that our IT services could be unavailable:

• we have invested in Evidence Base Management and advanced monitoring,
• we have implemented and end-to-end failure management process including continuous review and elimination of root causes,
• we have migrated the IT infrastructure to two state-of-the-art data centers
• we have implemented Active/Active architecture for critical IT systems.

Such initiatives have largely mitigated the risk that our IT services could be unavailable. We pursue advanced efforts to improve the quality of software and the stability of our systems. We continue to upgrade the bank’s main transactional and accounting systems with a view to future use of cloud solutions.

The outbreak of COVID-19 in early 2020 forced us to revise some of the plans for that part of the year. Our top priority was to manage the crisis caused by COVID-19. We managed the risk of mass infections and unavailability of employees by switching most of the bank to remote work (home office). The key challenges included:

• to ensure high capacity of the bank’s connectivity;
• to protect the performance of VPN and remote communication tools;
• to provide secure remote system access for the bank’s employees.

We activated a Crisis Management structure due to the pandemic. It operates uninterruptedly since March 2020. We reorganised our crisis regulatory framework. We are also updating the bank’s Business Continuity Management System (BCMS). In particular we have integrated remote work into the Business Continuity Plans. The bank follows the mBank S.A. IT Policy to ensure superior performance of our IT area. The IT Policy and the related standards have been approved by the IT Architecture Committee chaired by
the Vice-president of the Management Board: Head of Operations and Information Technology. In accordance with the IT Policy, we strive to ensure a consistent and transparent management model of IT services, ICT environment components and related activities.

Cyber risk is understood as the risk of digital fraud targeting the bank and its clients, their IT systems and data processed in the systems, in particular compromising the security of client information or their assets.

To protect client data, cyber risk management is increasingly important to banking and financial institutions. IT incidents may generate huge losses and expose banks to reputational risk. Cyber risks may cause a contagion effect, hurting many financial service providers at the same time. This is why mBank places a very strong emphasis on security of IT systems and data based on adequate organisational and technical solutions. We promote cybersecurity among our employees. E-learning and in-class training raises employees’ awareness and knowledge of cybersecurity. For several years we have been running educational campaigns for clients “Bądź bezpieczny w sieci” – “be safe online”: https://www.mbank.pl/uwazniwsieci/strona-glowna. The theme of our social campaign run in 2020, for the second year in a row, was “Ludzie są niesamowici” (“People are amazing”). We offer emergency support services to our clients, provided by our company Cyber Rescue. We also offered a number of information campaigns addressing new threats targeting electronic banking clients.

We work to mitigate cyber risks. As a leader of digital banking solutions, we use adequate, state-of-the-art security monitoring systems from renowned vendors. We counteract new types of cyberattacks based on specialised systems and the knowledge and experience of the Security Operations Center team. Our SOC operates 24/7, all year around. Employees and clients may report all cybersecurity matters to the SOC, including identified incidents, attempted attacks, infections, and suspicious transactions. As a result, we are able to quickly and efficiently take measures adequate to emerging new threats., We have also set up a dedicated team mBank CERT, co-operating with other teams of this type all over the world as a member of an organisation Trusted Introducer. mBank CERT holds the Accredited status.

Measures mitigating cyber risks rely mainly on the mBank Cybersecurity Policy which is a part of the mBank S.A. Information Security Policy. The bank has appointed a Security Committee as a platform for the exchange of ideas concerning all aspects of the bank’s security. The Committee issues decisions, opinions and recommendations which concern among others:

• physical and technical security,
• bank crime,
• protection of information including protection in IT systems,
• the bank’s business continuity.

The Cybersecurity Policy defines a vision of security, continuity and stability of our activities, and ways of mitigating risks arising from currently identified threats. According to the Policy, a secure information exchange system should ensure protection of company secret, bank secret, the achievement of business goals, protection of reputation, and other fundamental values. According to the Policy:

• We align the required cybersecurity levels with our innovative business;
• We secure resources necessary for security processes and implement new cybersecurity measures;
• We identify legal requirements concerning security;
• We raise the cybersecurity awareness of employees and clients;
• We manage events through early detection, reaction, lessons learned, and risk assessment;
• We manage suppliers and work with business partners;
• We regularly develop and improve our expertise.

All employees of mBank work towards those objectives.

It is our priority to protect the security of information. The relevant framework is laid down in mBank’s Information Security Policy, which defines the objectives and measures necessary to protect confidentiality, integrity, accessibility, and authenticity of processed information and to ensure business continuity of services provided to clients. All employees of mBank work to implement the Policy by ensuring accessibility of services while protecting interests of mBank and its clients.

In the era of countless hacker attacks and corporate network security breaches, it is increasingly important to mitigate risks of IT system vulnerability. The bank’s IT Infrastructure Security Vulnerability Monitoring Policy defines the measures necessary to identify security vulnerabilities of IT environment components, ensures their elimination with required security fixes, and sets out the monitoring and reporting procedures.

In 2020, we continued to focus on cyber security of our clients and their services as well as employees and internal systems they use. With the outbreak of the COVID-19 pandemic, many institutions have been forced to switch from traditional office work to remote work. mBank promptly enabled a “home office” working system of nearly all employees while protecting the necessary security of implemented solutions. The new work format and the resulting restructuring of the architecture of IT solutions necessitated far-reaching measures in many areas including formal risk rating, appropriate mitigating mechanisms and their review in practical security tests. With active participation of our cybersecurity team, we soon added new services offered to online banking clients. Introduction of new services for clients in remote mode required additional security audits and tests.

Established several years ago, the bank’s Security Operations Center and mBank CERT remain the key operational link of the Information Security Management System. It ensures active security monitoring and efficient resolution of occurring security incidents. As a Key Service Operator within the meaning of the National Cybersecurity System Act of 5 July 2018, the bank complied with the requirements of the Act and worked closely with the competent authorities. We continued to develop our security monitoring systems and ensure adequate response to new threats and vectors of attacks. We work to mitigate risks by improving our capacity of quick and effective elimination of system vulnerabilities with necessary security fixes.

We focus on the security of services and systems which rely on computing cloud solutions. We have established a security framework defined in Security Standards and recommendations for cloud solutions. We improve our security competences which cover cloud solutions. We implement technologies to ensure security of such services and monitor any security breaches.

Conduct risk is understood as the risk generated by malpractice in the distribution of banking products or provision of financial services. In particular, conduct risk includes:

• the risk of misselling of banking products/transactions, i.e., misleading and careless selling of products and services or distortion of characteristics of products and services, resulting in selling of products or services which do not match the client’s needs;
• the risk of manipulation of reference interest rates, exchange rates or other financial instruments or benchmarks.

mBank Group follows a policy of zero tolerance for misselling of transactions/products as well as products which do not comply with applicable laws or are designed to evade taxation.

The bank has established the mBank Code of Conduct, a set of guidelines all employees are required to follow. The Code of Conduct defines the course of action regarding lawful and unlawful business practice, financing of clients, as well as rules applicable at the place of work. Employees are expected to follow the Code of Conduct in the office and in relations with clients, suppliers and partners. We strive to avoid any situations where employees would be in breach of the internal code of best practice. Conduct risk is managed according to an operational model of three lines of defence.

We mitigate conduct risk with:

• controls and their independent monitoring by competent units in processes as a part of a continuous control function;
• identification of non-compliances, monitoring of the implementation of corrective action plans defined for identified non-compliances, including in-depth analysis of non-compliances, defining improvements and designing appropriate controls;
• the process of implementation/modification of products and services, the important component of which is gathering opinions;
• on-going recording of operational events and losses, risk analysis based on the operational loss register, and loss reporting processes;
• on-going monitoring of the key risk indicators KRIs (in particular, complaints-related KRIs); whenever a warning or alarm threshold is reached, corrective actions are taken as defined for each risk, typically including an analysis of the root cause and reporting the clarifications and recommended corrective actions to the head of the responsible unit;
• in-depth review of external complaints and improvement of processes;
• review of any disputes;
• issuing opinions on motions tabled to the Risk and Business Forum including products, regulations, and limits;
• implementation of specific compliance policies and procedures including AML, fraud, and sanctions,
• employee training.

In 2020, we embedded the process of product and service implementation and modification in a standardised IT tool which will facilitate the process from design to roll-out. The process involves sales, support, risk, and compliance units. The tool supports:

• identification of risks which may materialise in connection with product implementations and modifications;
• each step of the process (including gathering opinions, review of terms before live roll-out);
• product portfolio management based on efficient records of product information and key characteristics (including key product risks).

Moreover, in 2020 we improved the control function process, raising employee awareness and ensuring informed identification of non-compliances and effective corrective measures.

Risk of errors in performance, delivery and process management is understood as the risk of:

• failed transaction service,
• data entry errors,
• delayed performance,
• process management issues,
• issues affecting business partner relations.

Risk of errors in performance, delivery and process management is managed according to an operational model of three lines of defence. The bank has established a Data Quality & IT System Development Committee/ Its mission is to create conditions necessary to establish, maintain and develop and effective system supporting data quality management across the organisation and IT system development according to procedures and internal regulations.

We mitigate the risk of errors in performance, delivery and process management by:

• implementing the Information Management & Data Governance Programme Strategy;
• pursuing the Data Management Policy and Standards;
• on-going monitoring and regular reporting of data quality;
• handling quality incidents in a four-level network of data stewards (including approximately 90 data stewards allocated to thematic areas) including automated or manual reports processed in a dedicated application;
• in-depth analysis of internal and external complaints and process improvement;
• controls and their independent monitoring as a part of a continuous control function;
• identification of non-compliances, monitoring of the implementation of corrective action plans defined for identified non-compliances, including in-depth analysis of non-compliances, defining improvements and designing appropriate controls;
• on-going recording of operational events and losses, risk analysis based on the operational loss register, and loss reporting processes;
• on-going monitoring of the key risk indicators KRIs (in particular, KRIs related to timely performance and availability of services); whenever a warning or alarm threshold is reached, corrective actions are taken as defined for each risk, typically including an analysis of the root cause and reporting the clarifications and recommended corrective actions to the head of unit.

In 2020, we worked to improve the quality of client data and develop a system for automated measurement of data quality.

The risk of external fraud is understood as the risk of crime committed by a third party. The key categories of external fraud include: credit fraud, payment or payment card fraud, online banking fraud, data theft.

The risk of fraud materialises whenever specific criteria defined in internal regulations are met. The key mitigating measure is prevention. Fraud prevention is managed comprehensively, from effective identification of fraud to mitigating its impact. As a key element of mBank’s fraud risk management system, we have defined and we are implementing a programme raising the fraud awareness of the bank’s employees combined with advanced fraud risk controls across the selling channels.

Payment security is our priority. To prevent fraud, we use advanced systemic solutions which aim at monitoring of suspected payments. mBank’s Online Payment Security Policy ensures the necessary security of online transactions and protects the bank’s processes. It provides a framework necessary to secure online payments. The integral supplement for the Policy is the mBank Payment Security Standard, which defines online payment security rules and requirements for designing and upgrading IT products supporting payment services. The Policy defines among others the procedures of risk assessment and prevention, as well as incident monitoring and reporting. The Policy sets requirements regarding strong client authentication, monitoring of transactions, protection of sensitive payment data, as well as education of the clients and communication with them. The bank continuously alerts clients to new threats, in particular affecting online banking, as well as new methods of internet fraud.

In 2020, our priority in external fraud prevention was to prevent fraud in the context of COVID-19. We identified new fraud methods and mitigated them to a large extent based on the effective approach described above.

We implemented new fraud prevention tools by integrating the retail loan application system with the BIK (Biuro Informacji Kredytowej – Credit Information Bureau) Antifraud Platform. It improved the level of protection of the bank and its clients against fraud thanks to additional fraud verification based on data collected by other participants of the national fraud prevention system.

Outsourcing risk is understood as the risk of adverse influence of a third party which operates under an agreement and performs:

• banking activities
• factual activities related to banking activity,
• executes processes, provides services or functions to the bank and its clients,

which would otherwise be performed, executed or provided by the bank. Outsourcing risk may affect the continuity, integrity or quality of the mBank Group’s operations, assets, employees and clients.

The Management Board of the bank is responsible for regulatory compliance of outsourcing agreements and oversees their implementation. In particular, the Management Board is responsible for any decisions to outsource critical functions.

The Management Board has made the Compliance Department responsible for the management and co-ordination of outsourcing across the bank, including the foreign branches.

We manage outsourcing risk based on a model of three lines of defence:

1. the first line of defence includes organisational units which are owners or administrators of outsourcing agreements, outsource functions, and remain responsible for operational relations with third parties;
2. the second line of defence includes:
   1. the Outsourcing Co-ordinator who oversees the outsourcing process and reports to the bank’s authorities,
   2. other units of the second line (risk, security) which participate in the conclusion and implementation of outsourcing agreements;
3. the third line of defence is the Internal Audit Department which provides the independent internal audit function.

Organisational units of the bank which are owners or administrators of outsourcing agreements remain responsible for the management of risks of such agreements including among others:

• analysis of the purpose and effectiveness of agreements;
• analysis of function risk including assessment of function criticality;
• analysis of counterparty risk (due diligence);
• monitoring and controlling the quality of functions provided under agreements;
• regular (at least once per year) monitoring of the effectiveness of active agreements.

We follow the principle of maximum mitigation of outsourcing risk, which is why we regularly evaluate the standing of contractors and monitor the implementation of outsourcing agreements.

In 2020, we implemented the EBA outsourcing guidelines. We appointed a project team for that purpose. Key deliverables are as follows:

• we aligned our internal regulations with the EBA guidelines;
• we developed an IT tool to support the management of outsourcing agreements.

HR and organisational risk is understood as the risk that the organisation would be unable to operate efficiently due to unavailability or a shortage of employees with the necessary professional profile, or due to instability, changes or deficiencies in the organisation’s structure and way it is established. The risk includes:

• disruption of relations between employees or between employees and the employer,
• discrimination at work,
• safety at work.

The bank follows a Corporate Governance Policy, which defines common standards for the development, documentation and maintenance of an integrated organisational structure. The policy was defined on the basis of the bank’s general principles and the mBank S.A. By-laws which lay the foundation of governance in the bank and its units.

The organisational structure of the bank is a responsibility of the management board. It ensures that the organisational structure is aligned with the bank’s strategy, business model, risk level and profile, and financial plans. The organisational structure of the bank is based on the principle of clear allocation of responsibilities. Any change of the organisational structure of the bank is analysed and reviewed by competent units. On that basis, the management board of the bank issues relevant decisions depending on the merits of such change.

The management board defines the organisational structure of the bank taking into account:

• the bank’s areas which generate significant risks to its activity and estimations of probable losses resulting from the potential materialisation of such risks;
• the bank’s business continuity plans;
• effective implementation of functions by ensuring adequate numbers of employees with the requisite competences and expertise;
• ensuring that the bank’s business targets are achieved;
• effectively and promptly addressing changing external conditions and sudden or unexpected events.

We mitigate the HR risk of unavailability or shortage of employees with the necessary professional profile by applying a range of preventive measures. In particular, we strive to keep employee rotation low by creating an engaging work environment and fostering a strong organisational culture. We regularly survey employee engagement in anonymous Pulse Checks and on that basis address any potentially demotivating factors. In 2020, we carried out special Pulse Checks of employees relating to:

• the announcement of Commerzbank of the intention to sell its stake in mBank in September 2019 (afterwards withdrawn in 2020),
• the needs of employees working remotely or in the hybrid mode after the pandemic,
• the reorganisation of positions following the liquidation of the financial markets area.

We have established a succession plan for selected positions, in particular key management positions. We focus on the development of employees’ competences, including both current positions and potential internal transfers. Whenever a vacancy needs to be filled, we always look for internal candidates first. If we cannot identify an employee who could fill a vacancy, we seek candidates on the job market.

The bank is very strict about discrimination and mobbing at work. We do not tolerate any behaviour which could violate human rights and employee rights. We have established a system of addressing negative employee behaviour and implemented the mBank Policy against mobbing, discrimination and other unacceptable behaviour. We have carried out an information campaign addressed to employees in order to promote the principles laid down in the Policy.

The bank has established an Employee Remuneration Policy which defines the principles for the bank employees’ remuneration. The first pillar of the Policy is an approach to remuneration based on the concept of total pay (including both fixed and variable remuneration). The second pillar, which plays a key role in the remuneration process, is a dialogue between managers and employees aiming to provide comprehensive feedback and grounds for remuneration decisions.

The bank’s remuneration management system is designed to:

• protect the rights and interests of the bank’s clients and prevent conflicts of interest – we remunerate employees and appraise their performance to ensure that monetary and non-monetary rewards do not encourage them to favour own interest or the bank’s interest to the detriment of the bank’s clients;
• support appropriate and effective risk management in the mBank Group without encouraging excessive risk taking beyond the risk appetite approved by the supervisory board;
• build strong employee engagement by providing a market-based remuneration package adequate to the workload (with a focus on the future and competition, where remuneration is based on the concept of total pay)
• retain best performers (by creating optimum work conditions) and attract new talent (intern and trainee programmes);
• ensure that the remuneration budget is cost efficient (by enabling flexible management of remuneration in order to optimise the use of the available budget).

As an important part of the bank’s remuneration management system, we have established a dedicated Risk Taker Remuneration Policy (risk takers are managers who have significant influence on the bank’s risk profile). The Policy supports the mBank Group management system and encourages risk takers to protect the Group’s long-term interest and to avoid excessive risk exposure.

In connection with the COVID-19 pandemic, we have taken a number of measures to enable effective work of employees and give them support in those trying times. Those initiatives are described in details in chapter Support for the employees.

Physical security risk is understood as the risk of potential breaches of physical security, security of assets of the bank/subsidiary or persons entering the premises of the bank/subsidiary, integrity, confidentiality or availability of information processed by the bank/subsidiary. The risk also includes the inability to ensure the continuity of services for clients and other interested parties. Physical security risk may materialise due to:

• actions taken by persons inside the bank/subsidiary,
• actions taken by persons outside the bank/company,
• acts of nature, as well as disasters (including natural and man-made disasters).

The risk also includes the risk of damage, unavailability or destruction of elements of the bank’s physical infrastructure due to direct attacks targeting the bank’s facilities or acts of terror, threats to the life and health of employees.

Our physical and technical security policy defines the organisational framework of security in the bank’s head office, branches of the sales network, as well as other infrastructure elements (buildings) of the bank, including data centers. Dedicated teams skilled in physical security management are responsible for:

• risk analyses of the bank’s projects and issuance of recommendations for the bank’s projects;
• defining the physical security architecture across the organisation;
• monitoring legal amendments concerning physical/technical security requirements and implementation of necessary modifications;
• development of the technical security concept of new facilities under construction;
• regular maintenance of electronic security systems;
• physical/technical security audits of facilities;
• issuing security opinions for the bank’s infrastructure projects;
• handing physical security incidents.

In 2020, we carried out a project which migrated the bank’s head office to the bank’s new headquarters, the mBank Tower. The project required a risk analysis of the new head office building (including RIA, terrorist threat analysis, BCP analysis). We developed a number of security requirements during the project. We implemented many innovative solutions in electronic security systems across the facility based on state-of-the-art technology.

During the project we have:

• defined the requisite security level of the innovative building;
• developed and implemented an electronic security system across the building;
• secured the necessary resources and technology for the building’s security process;
• developed employee training in the building’s security standards;
• upgraded our unique access control system based on mobile applications supporting traffic across the facility;
• implemented an innovative system integrating electronic security and a guest hosting system using mobile technology.

As an institution of public trust, mBank must protect its image and reputation. We define reputational risk as the risk of negative perception of mBank or its subsidiaries by stakeholders. Reputational risk management identifies, assesses, and mitigates reputational risk in special processes in order to protect and strengthen the reputation of mBank and mBank Group.

mBank has in place an mBank Group Reputational Risk Management Strategy approved by the management board and the supervisory board, which defines the reputational risk management framework. The Strategy covers those areas of mBank’s activity which are sensitive to ESG factors.

We use three lines of defence. The first line of defence includes all units of the bank, its foreign branches and subsidiaries, which are directly responsible for reputational risk in their operations. The second line of defence includes specialised units: Compliance, Communications and Marketing Strategy, and Risk. The third line of defence is the Internal Audit Department.

We protect mBank’s reputation according to:

• mBank Group Code of Conduct,
• compliance policies and
• other policies (e.g. Policy of servicing sectors sensitive to mBank’s reputation risk, Credit policy regarding industries relevant to the EU climate policy).

We monitor press reports, online comments, and social media posts, and react whenever they pose a risk to mBank’s reputation. We monitor the image of mBank in an annual employee engagement survey. We focus on long-term customer relationships, speak and write to customers in a friendly and understandable language, and offer products matching their needs and abilities. We analyse satisfaction survey results and clients’ complaints. We consider reputational risk in product development. A dedicated team monitors threats to reputation. In the event of a crisis, the team mitigates or eliminates its adverse impact on the reputation of mBank.

In 2018, mBank appointed an Ethics Officer responsible for drafting guidelines, issuing opinions, and supporting employees in the event of ethical dilemmas. We raise employees’ awareness of reputational risk by communicating internally any lessons learned and by providing annual e-learning on anti-bribery and corruption, fraud prevention, anti-money laundering, and other compliance training. We educate the general public. We have for years run a social campaign focusing on cybersecurity, which highlights cyber risks and explains how to handle them. A special section of our website is dedicated to security matters. We act responsibly in all relations with clients, employees, the environment, and local communities. The area is governed by the corporate responsibility and sustainable development strategy, the sponsorship policy, and the Statute of the mBank Foundation.

Compliance risk is understood as the risk of non-compliance with laws, internal regulations and market standards in processes executed by the bank.

The objective of compliance risk management is to mitigate the risk of non-compliance of the Bank’s internal regulations with laws, internal regulations, and market standards accepted by mBank. The compliance function is an element of an effective internal control system.

Compliance risk is managed in a model of three lines of defence:

1. the first line of defence is risk management and the control function in operations;
2. the second line of defence includes as a minimum:
   1. compliance risk management and the control function performed by the Compliance Department;
   2. risk management by employees in dedicated positions and in organisational units where certain compliance risk identification and assessment functions are delegated to other units in the first or second line of defence;
3. the third line of defence is provided by the Internal Audit Department.

In all three lines of defence, employees of the bank execute controls and/or independently monitor such controls to ensure compliance of the bank with laws, internal regulations and market standards.

mBank’s management board is responsible for effective management of compliance risk. The supervisory board oversees compliance risk management.

The Compliance Department is responsible for co-ordinating, controlling and overseeing all functions necessary to ensure the bank’s compliance with laws, internal regulations and market standards.

We mitigate compliance risk with:

• implemented and updated policies;
• mandatory employee training;
• monitoring legal amendments;
• regular assessment of compliance risk;
• the control function;
• the advisory function – we issue opinions on products and operating process regulations in the dedicated application Axiom.

All employees of the bank are responsible for the implementation of the compliance policy according to their responsibilities and powers.

The bank has dedicated units (Compliance Control Units) which are advisory centres supporting compliance processes in the first line of defence. They are responsible among others for raising awareness and building knowledge of compliance in business units and for supporting the execution of processes in full compliance with regulatory requirements.

All cases of non-compliance and fraud can be anonymously reported in the electronic whistleblowing system which is accessible on all internet-enabled devices.

In 2020, we improved the compliance process to bring it closer to the bank’s current business profile in line with the regulatory requirements, which ensured more effective management of the bank’s compliance risk. As a result, we implemented an extended approach to:

• compliance risk management assessment;
• the control function.

We updated the Compliance Policy and other internal regulations accordingly.

We implemented a tool designed to provides comprehensive support to organisational units in the monitoring of laws and their implementation in internal regulations. The tool will support the Compliance Department in co-ordinating and overseeing the bank’s compliance with applicable laws, internal regulations and accepted market standards.

In 2020, we established a dedicated unit responsible for prevention of financial crime including:

1/ anti-money laundering and combatting the financing of terrorism;

2/ compliance with sanctions and embargoes;

3/ compliance with the Foreign Account Tax Compliance Act (FATCA), CRS (Common Reporting Standard) for automated international tax information exchange, and the Anti-Tax Evasion Facilitation (ATEF) guidelines on prevention of tax evasion by employees, external personnel and business partners.

FX loan portfolio risk is understood as an actual or potential risk to the bank’s profits and equity related to foreign currency mortgage loans granted to unsecured borrowers up to 2012 (unsecured borrowers are retail borrowers in the household segment who are exposed to an FX gap between the currency of the exposure and the currency of the borrowers’ assets which secure the loan or the currency of the majority of the borrowers’ income). Such risk may arise in particular from the materialisation of credit risk, operational (legal) risk and reputational risk relating to such borrowers.

Details concerning proceedings pending before courts, arbitration bodies, and public administration bodies are presented in note 32 to the mBank S.A. Group IFRS Consolidated Financial Statements 2020.

Threats arising from adverse environmental change (mainly climate change) and their long-term impact are analysed at mBank Group horizontally. It implies that we review their impact on the bank’s operations across the broadest possible spectrum. In particular we refer it to the other risks categories, including reputational risk and credit risk.

Environmental change, fast technological development, and resulting legal changes increasingly impact more and more business sectors. As a result, many clients have to redirect or align the profile of their activity. Reorganisation or alignment of clients’ businesses affects their relationship with the Group, which is exposed to client transition risk. We regularly monitor regulatory changes which address climate change and we assess their potential impact on the Group.

We have analysed the risk of mBank’s adverse impact on the climate and the risk of adverse impact of the climate on the bank. Our analysis was prepared on the best effort basis and with the use of currently available interpretation of the new regulation. We have prepared these disclosures with use of the non-binding EU Guidelines on non-financial reporting: Supplement on reporting climate-related information (2019/C 209/01),

The functioning of the bank has no material direct impact on the climate. The bank’s industry does not generate significant greenhouse gas emissions. In the opinion of the bank, its impact is mainly indirect through financing provided to clients. The bank’s impact on the climate derives from decisions to grant financing to clients in different industries. We can reduce the impact mainly by reducing financing for clients in industries relevant to the EU climate policy.

According to the Supplement on reporting climate-related information, the risk of adverse impact of the climate on a company is either physical risk or transition risk.

Physical risks are risks to the company that arise from the physical effects of climate change, e.g., weather-related events or longer-term changes in the climate, such as rising sea levels. Thanks to mBank’s business model, where the key customer service channels are remote channels, i.e., online and mobile banking, mBank is exposed only to the minor extent to direct impact of physical risks, which are typical rather for the manufacturing companies. Energy blackouts constitute potential physical risk identified. At mBank we manage this risk with use of adequate technical solutions, meaning redundancy of power supply and generators. For data center objects, mBank applies requirements of at least TIER III level, ensuring constant energy delivery from two independent sources, also linked to the generator. We manage this risk at mBank according to the Business Continuity Management System.

The geographic location of our offices and branches in Poland, the Czech Republic and Slovakia, in a moderate climate, limits the physical risk to a service provider’s operations. This implies an insignificant risk to the functioning of the bank’s branches and head offices. However, physical risks may have an indirect impact on the bank by affecting our clients. In particular:

• flood, fires, and rising sea levels may hurt the real estate industry (retail and commercial mortgage loans),
• floods and heatwaves may hurt agriculture,
• low water levels in rivers may hurt the chemical industry.

Climate change results in extreme weather events, including increasingly frequent strong storms and intensive rainfalls. In 2020, we reviewed the potential impact of flood on mBank Group clients from the perspective of our portfolio structure. We analysed the impact on our profits and equity under a broad macroeconomic scenario including a sharp long-term economic recession caused by COVID-19 combined with additional events such as flooding. We tested the impact of flooding of the place of business of our major corporate clients as well two residential areas financed by the mBank Group, whose location may potentially be at risk. The flooding of the place of business combined with the potential difficulties of insurance claims and falling real estate prices would affect the repayment pattern of loans. That, in turn, would require additional loan provisions and higher capital requirements.

According to our analysis, the bank is mainly exposed to transition risks. Our analysis uses the definition of transition risk provided in the Supplement on reporting climate-related information. According to the Supplement, transition risks are risks to the company that arise from the transition to a low-carbon and climate-resilient economy. mBank’s transition risks mainly include climate risks related to our clients, particularly the corporate segment that we finance mainly with loans, leasing, and debt origination and investment. Companies in industries with a significant impact on the climate may carry higher credit risk, i.e.:

• the risk of loss caused by counterparty default and
• the risk of impairment of credit exposures due to the counterparty’s deteriorating financial position, for instance, driven by rising costs of mandatory environmental investments.

Risks related to financing of companies in industries relevant to the EU climate policy may involve mainly higher impairment on loans and advances at amortised cost and negative value change of loans and advances measured at fair value through profit or loss, as well as attrition of some income.

The table below presents transition risks identified at mBank.

The first step towards limiting the bank’s exposure to high-carbon industries was the decision of the Corporate and Investment Banking Risk Committee of April 2019. It excluded, among others the possibility of financing the construction of a coal mine and limited the possibilities of financing coal energy. An extension of this decision was the introduction, from November 1, 2019, of the „Credit policy for industries relevant to the EU climate policy”. This policy further limited the possibility of financing high-emission projects and indicated areas preferred for financing at the bank. These include renewable energy installations and electric vehicle charging stations. This policy describes the principles that we apply at mBank to identify and assess climate-related risk. It is part of the credit process. It defines the principles of financing projects from industries with a particularly significant impact on the climate, such as:

• energy and heat;
• chemicals;
• cement and lime;
• ceramics and glass;
• pulp, paper and cardboard;
• coke manufacturing and processing;
• oil refineries;
• coal mining;

The policy prohibits financing of construction of hard coal and lignite mines and expansion of the production capacity of existing mines. In the energy and heat industry, we are not allowed to finance:

• construction of new coal fired energy units or boilers;
• investments in construction and development of nuclear power plants;
• shale gas exploration and production;
• new clients whose share of electricity from hard coal or lignite (measured by production capacity) is more than 50%.

We give preference to projects which significantly reduce greenhouse gas emissions, where we recommend preferential pricing.

Climate change provides not only risks but also opportunities for mBank. The key opportunity related to climate protection is the opportunity to expand the bank’s offer to address changing needs of clients. For example, we finance projects involving renewable energy sources. mBank’s credit policy of financing of renewable energy sources (RES), introduced in 2018, provides PLN 4 billion for wind farms and photovoltaics (the initial target was PLN 0.5 billion, raised to PLN 4 billion in 2020). We were one of the first banks to credit wind energy. We are currently seeing a growing role of photovoltaics in the energy mix, which can be followed by offshore wind energy. The decision to increase the financing limit for renewable energy projects results, inter alia, from high interest in financing and good loan repayments, as well as promising prospects for the industry. We work, among others, on projects based on PPA (Power Purchase Agreement) contracts. In this model, an investor planning to build a green source, most often wind, first signs a ten-year contract for the sale of energy, e.g. with a production company.

To align its product range with changing needs of clients, mLeasing launched financing of photovoltaic panels in 2019. mBank’s leasing subsidiary finances companies’ photovoltaic systems worth up to PLN 250 thousand with a capacity up to 50kW. The leasing period is up to 6 years and the client’s required contribution is at least 10% of the value of the project. In 2020, mLeasing completed 198 transactions with a total volume of PLN 20 million. Clients whose photovoltaic systems are financed by mLeasing have access to preferential financing conditions under the EBI Climate Action programme.

Since 2019, mBank private banking clients are the first in Poland to invest responsibly in line with the ESG standards. With mBank’s ESG Balanced Strategies, private banking clients can invest in portfolios of equity and debt from issuers with a positive ESG track record. ESG strategy assets accounted for 45% of assets in investment strategies with a comparable investment risk level as at December 31, 2020.

The bank may also gain access to new forms of funding, including green bonds and other ESG-related debt.