Operational Risk Management Training PDF

Summary

This presentation outlines operational risk management for Africa's Global Bank. It covers incident reporting, policies, and the three lines of defense model. The training aims to improve risk controls and mitigate risks in day-to-day operations.

Full Transcript

Operational Risk Management
Africa’s Global Bank

Outline
01 OPERATIONAL RISK & OPERATIONAL RISK MANAGEMENT
02 INCIDENT REPORTING AND CONSEQUENT MANAGEMENT
03 POLICY & POLICY GOVERNANCE DOCUMENTS

Operational Risk Management Training

Preamble

Whether crossing the road, carrying out house chores, investing in financial products, choosing your lunch or even choosing a life partner, life is full of risk. You can't remove it, but you can contain or mitigate it. Skills shortages caused by a failure to fill vacancies, a drop in currency value caused by market uncertainties, and fines and financial risk caused by a failure to comply with regulations are a few examples. Risk is inherent in everything we do. After all, whole industries such as ours are founded on risk management. Because of its evolutionary nature, levels of risk can change, as can our perceptions of it.

Risk Governance in UBA

Risk Governance in UBA is operated along the Three Lines of Defense model.

1st line – Establishment of management controls by Process Owners. The business units and support functions are the first line of defence in our operational risk management process. They own, manage and are accountable for the operational risks and controls in their respective areas.
2nd line – Oversight functions by Market Risk, Operational Risk Mgt., Group Compliance, Credit Risk Mgt. and Internal Control.
3rd line – Independent assurance role that Process Owners comply with policy requirements.

First Line of Defense (Process Owners)
❑ Business Offices
❑ Front-line staff
❑ Customer Facing functions

Second Line of Defense (Risk Management)
❑ Operational Risk Mgt.
❑ Compliance
❑ Market Risk
❑ Internal Control
❑ Credit Risk Mgt.

Third Line of Defense (Assurance Role)
❑ Internal Audit
❑ CFC

Operational Risk & Operational Risk Management

The Bank defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This definition includes legal risk, but excludes strategic and reputational risk. Simply put, these are risks that can arise from the day-to-day operations of the Bank. Operational risk is inevitable in any business.

Although the Basel II definition excludes reputational risk from the Operational Risk Management concept, UBA Group shall identify, assess, control, monitor and report on all risks which may result in unavailability of service, information deficiencies, financial loss, increased costs, loss of professional reputation, poor customer service delivery rating and failure to keep or increase market share, as components of reputational risk exposures.

Operational risk management (ORM), however, is an ongoing and recurring process involving risk assessment, decision-making, and implementation of risk controls enabling risk mitigation. Simply put, it is the process put in place primarily to manage the risks in our everyday operations.

While operational risks can pose significant challenges to a company’s assets and reputation, an effective risk management capability can help mitigate these risks. This involves a robust understanding of the different types of risks, diligent monitoring, and compliance with regulatory requirements. By doing so, companies can ensure the smooth functioning of their operations and contribute to their long-term success.

While other risk disciplines, including ERM, emphasize optimizing risk appetite for balanced risk-taking and potential rewards, the ORM processes largely focus on controlling and eliminating risk.
As operational risks are ubiquitous, the aim of Operational Risk Management is to limit and manage all risks reasonably. Operational Risk Management seeks to reduce risks by identifying and measuring risk assessments, reducing them, and monitoring the operating risk management system.

What is Operational Risk

“The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This definition includes legal risk but excludes strategic and reputational risk.

People: Employee mistakes, Leadership gaps, Unethical Work Culture/practices, cash and cheque suppression, cash theft etc.
Process: Data capturing error, missed deadline, wrong accounting entry, delivery failure, collateral management failure, inaccurate returns rendition resulting to a loss etc.
System: Systems down time, security, Hardware and software failure etc.
External Events: Environmental Risk – Pandemic, Card pin compromise and theft, Card skimming, forged/cloned cheques, armed robbery. Disasters, Civil unrest etc.

The effective management of operational risk is therefore an important component of reputational risk management. It is the responsibility of all stakeholders to ensure that the Bank’s reputation is protected from adverse consequences of control failures.

Risk Champions and their importance to risk culture

Who is an Operational Risk Champion?

In order to implement an effective ERM structure in the Bank, the process, tools and procedures, along with risk knowledge, decisions and behaviours all need to be communicated and integrated at every level. A Risk Champion is a great option for achieving this goal. They are employees in the Bank who do not have Operational risk management as a primary role, but rather, have the responsibility of supporting their own department or divisions with identifying, developing and reporting risks.
They provide feedback on an employee's view of the operational risk management process. They essentially communicate risk information and influence risk culture and behaviours in their jurisdictions. In addition, they can report back to the Operational risk management team on areas for improvement, such as what frustrates staff in relation to the operational risk management approach, and help overcome some of the challenges faced.

Risk Champions and their importance to risk culture (contd.)

One risk champion will hardly be enough in a Bank looking to identify risk across all its departments, and so a risk champion network allows a better spread across the Bank. It allows departments to take ownership of risk, something which is otherwise difficult because people just look at the operational risk management unit and assume the responsibility for it sits with the operational risk management function, bringing a sense of risk “ownership” to the front line. The risk champion framework puts the responsibility for assessment and mitigation back on departments and risk owners, and having a risk champion within each department or area enhances and strengthens ownership of the risk process.

Roles of Operational Risk Champions include:
1. Providing feedback on an employee’s view of the operational risk management process.
2. Supporting identification and reporting of risk.
3. Communicating the operational risk management vision to staff.
4. Acting as intermediary between the operational risk management team and their units/departments.
5. Supporting the building of a risk-aware culture within their unit/department, including appropriate education.
6. Coordinating and ensuring all operational risk management processes in their units/departments are implemented.
7. Ensuring periodic update/review of all procedural guidelines/desk manuals/process guides/product papers in use by the unit/department at all times.
8. Ensuring that all changes in process(es), product(s) and system(s) are reported to the Operational Risk Management Team for appropriate review.

UBA Principal Controls

Reconciliations; Processing control; Proofs and control folders; Established turn around time; Segregation of duties; Prepayment verifications; Transaction confirmations; Maker checker; Independent position re-valuations; Documented and tested procedures; Third party confirmations; Established policies; Physical Access Controls; Documented SLAs with counterparties; Logical Access Control; Contingency plans; Systems Access Right; External mitigations, e.g. insurance; Dual controls; Security sweep; Independent call over; Integrity Test; Approval limits; Authorization limits.

Addressing Risks

The traditional view of risk is that companies should work to avoid it. In today's corporate world, risks are prevalent, complex and deeply interconnected. In particular, cyber risk poses a huge threat to companies today, and there are a host of other risks to consider as well. However, the principles below should be kept in mind:
1. Accept risk when benefits outweigh the cost.
2. Accept no unnecessary risk.
3. Anticipate and manage risk by planning.
4. Make risk decisions at the right level.

Transfer: Transferring shifts the risk to another organization. The two most common means for transferring are outsourcing & insuring. When outsourcing, management cannot completely transfer the responsibility for controlling risk. Insuring against the risk ultimately transfers some of the financial impacts of the risk to the insurance company.

Avoid: Avoidance prevents the Bank from entering into a risk-rich situation or environment.
For example, when choosing a vendor for a service, the organization could choose to accept a vendor with a higher-priced bid if the lower-cost vendor does not have adequate references.

Risk Accept: Based on the comparison of the risk to the cost of control, management could accept the risk & move forward with the risky choice. As an example, there is the risk an employee will burn themselves if the company installs new coffee makers in the break room. The benefit of employee satisfaction from new coffee makers outweighs the risk of an employee accidentally burning themselves on a hot cup of coffee, so management accepts the risk and installs the new appliance.

Mitigate: Mitigating risks involves implementing action plans and controls that reduce the likelihood of the risk and/or the impact it would have if the risk were realized.

02 INCIDENT REPORTING & CONSEQUENT MANAGEMENT

Incident Reporting & Management

Incident reporting includes but is not limited to documenting workplace disruption(s) or situation(s) that may have or could have negatively impacted the Bank’s business or process. An incident report includes investigative information and event analysis to help determine how it happened and what the Bank can do to prevent a similar event in the future.

The objective is ensuring full disclosure of all incidences as well as critical analysis of all such incidences with focus on minimizing operational disruptions/risks/losses as well as creating process improvement across the UBA Group.

Incidence reporting will be the responsibility of all staff irrespective of function or nomenclature and non-reporting will be viewed as a clear case of service failure.
Reporting will be done through an automated process – Incidence Reporting and Management Portal.

Incident management reporting is crucial to running operations as intended and underpins the continuous improvement of control systems, preventing disruption to business operations and harm to the bank’s human capital and customers. It also enables controls to be dynamic in adapting to the prevailing circumstances in the business environment.

Incident Reporting

The purpose of an incident report is to state the cause of the problem along with corrective actions that can be taken to minimise the risk of a future occurrence. All incidents logged must adequately answer What, When, Where, Who, How and Why questions.

Being aware of what risks are in place and the strategies for overcoming them assists senior management to better manage operational risk.

An operational risk incident is defined as an event which has had or could have had (“near miss”), a negative financial, business or reputational impact on the Bank.

What constitutes a disruptive incident?

∙ Huge financial loss due to fraud or other incidents, which impact is above the bank’s risk appetite.
∙ An incident that can result in negative reputational risk that may impact the going concern of the Bank.
∙ Crisis event or disaster that may negatively impact the operations of the Bank.
∙ Prolonged downtime of the Bank’s core banking application or other critical IT infrastructure.
∙ Processing error(s) that may erode customers’ confidence, create loss to the Bank as well as reputational damage.
∙ Failure that may result in regulatory risk.
∙ Major litigation against the Bank.
∙ Prolonged service failure.

Benefits of incident management reporting

∙ Minimize disruption and/or adverse impact on business operations as well as prevention of future incidents.
∙ Increased efficiency and team productivity.
∙ Reduction in downtime with quick return to normal service in events of any downtime.
∙ Visibility and transparency in the Group.
∙ Smooth business operations.

Every reported incident has the opportunity to provide insights into potential future events. Therefore, the bank aims to encourage reporting of all incidents including near misses. With detailed incident reports, the bank can identify patterns and trends that may be causing incidents. This can thus be used to develop more effective solutions and prevent similar incidents from occurring in the future, minimize loss to the Bank, minimize or prevent misconduct or abuse, minimize avoidable impact on people and environment.

When should I report an incident?

Questions to ask yourself:
∙ Did/could the incident have a negative financial, business or reputational impact on the Bank?
∙ Did/could the incident affect your Units’ deliverables (e.g. delay, outage, reduced quality)?
∙ Did/could the incident gain visibility externally in terms of media coverage?
∙ Did/could the incident create customer dissatisfaction or service issue?
∙ Did/could an incident occur because of the failure of a control measure?
∙ Did/could the incident create business disruption?
∙ Were any controls in place to prevent the incident from happening?
∙ If the incident happened again under different circumstances could the impact be greater?

When should I report an incident?

If you have answered YES to any of the questions in the previous slide, enter the details of the incident into the Incident Reporting Portal - https://incidentportal.ubagroup.com/ OR liaise with your risk coordinator or Group Operational Risk Management Team ([email protected]) regarding how to proceed.

Incidents should be reported in a timely manner and should be viewed as a learning opportunity. All staff members are actively encouraged to report them.

Directorates/Divisions/Departments/Units/Business Offices should report incidents in terms of the (potential) impact on their deliverable(s) to be assessed according to the ORM Impact Grading Scales.

Real-life incidents that should have been reported on the portal

Incident 1: Erroneous Posting
A processor erroneously posted a transaction meant for a debit to a customer, "Company A" to "Company B." The error/wrong posting has implications of creating customer dissatisfaction.

Incident 2: Electrical Failure
On a Friday evening, a business office's staff left their wall sockets on, and extension boxes plugged for the entire weekend. This negligence resulted in an electrical incident that damaged a network device, causing network failure.

Incident 3: Customer Robbery
A customer visiting our business office was followed by thieves who targeted him for robbery. They effortlessly stole cash from his car parked within our premises.

Incident 4: ATM Scam
At one of our business offices, a man attempted to scam an elderly customer at the ATM gallery. Thankfully, our Security and Safety Officer (SSO) intervened in time and prevented the scam.

Incident 5: Elevator Malfunction
In another case, employees faced issues with a malfunctioning elevator. The elevator skipped floors and posed safety risks. Our maintenance team managed the situation.

Incident 6: Network Failure Downtime
Operations staff at the BO were unable to access Finacle and other applications due to network downtime. Customers' transactions could not be processed. Network Support Team intervened and resolved the issue.

How incidents are categorized

CONSEQUENT MANAGEMENT FRAMEWORK

To promote full disclosure of incidents, Executive Management has approved a framework with sanctions for staff who fail to report incidents.

UBA Group Policy & Policy Governance Documents

Strictly Private & Confidential

UBA Group Policy and Governance

Definition
A policy can be defined as a set of principles, guidelines and standards designed to align various actions and behaviors, processes, systems and activities towards achieving specific goals and objectives in an effective and efficient manner in order to manage risk exposures.

Objective of Policy Governance
▪ Policies and frameworks outline an organization's management strategy and objectives; articulating roles, responsibilities, accountabilities and authorities that support the approach and processes adopted to achieve those objectives
▪ Shows Management’s commitment, direction, guidance in developing controls
▪ Provides standard for compliance
▪ Spells out consequences for non-compliance

Group Governance Documents

UBA Group utilizes three (3) general governance document categories as follows:

Policy is a written statement, which defines the Bank’s position or strategy in regard to the matter(s) the policy addresses. A Policy answers the question “what are we going to do about X” and defines the parameters for decision-making and clarifies compliance issues for staff.
It is a planned line of conduct in the light of which individual decisions are made and coordination achieved.

Framework is a structure that outlines the way a policy will be implemented within the Bank, making explicit the systematic interrelationships between different issues that the policy addresses.

Procedures/Guidelines describe the steps to be performed to obtain a specified outcome or output, setting boundaries that establish the purpose of the activity and who is responsible for what action.

Governing Laws

The Governance Documents must comply with the applicable statute and regulation in operating jurisdictions of UBA Group.

Statutes are laws passed by a legislative body or any other law-making body that declares, proscribes, or commands something.

Regulations are the set of rules designed to control or govern conduct and are usually industry-driven.

All governance documents must be approved by the Board of UBA Plc and its sub-committees and where applicable, ratified by the relevant Subsidiary Boards.

Governance

Corporate Governance is the system and processes by which power is managed in UBA Group and the means by which UBA Plc and its subsidiaries are directed and controlled.

Operating Governance in contrast, refers to the way managers within the business make decisions and the ways they delegate decision-making vertically into the organization (driven by structure, policy and process). Additionally, operating governance reflects the way that decision rights are allocated horizontally across functions and business units.

Thus all governance documents must be recommended by Executive Management Committee to the Board of UBA through relevant committees of the Board for approval. The respective Board Committees may also initiate governance documents for approval or ratification by the Board.
UBA Group Policy and Governance - Governance Model

This model provides a basis for policy development, ownership, implementation and monitoring in the UBA Group.

[Governance model diagram. Labels: Policy Owners, Policy Oversight, Assurance, Committee, Board Audit Committee, Risk Committee, Chief Risk Officer, Internal Audit, Risk Management Function, Business Units, External Audit]

UBA Group Policy Governance Family

Risk Management, IT, Operations & Compliance: Policies, frameworks, guidelines, and procedures pertaining to Operational Risk Management, Market Risk Management IT Risk Management, IT Governance, Operations and Compliance.

Expense Governance Policies: Policies, frameworks, guidelines, and procedures pertaining to expense and procurement process management.

Accounting, Finance & Business Policies: Policies, frameworks, guidelines, and procedures relating to accounts, finance, treasury, investments, taxes, expansion strategy, benefits and business related imperatives.

Third Party Related Policies: Policies, frameworks, guidelines, and procedures pertaining to the Bank’s relationships with third parties related imperatives.

HR Governance Policies: Policies, frameworks, guidelines, and procedures pertaining to Human Resources management.

Credit Risk Management Governance Policies: Policies, frameworks, guidelines, and procedures pertaining to credit risk management.

Board and Executive Governance Policies: Policies, Frameworks, guidelines and procedures pertaining to Board and Executive Governance within the Group.

Below are policies every Staff in the Bank should be familiar with: the provisions, roles, responsibilities, applicability and empowerment.
UBA Group Brand Policy
Policy Code - RCG:021

UBA Group Brand Policy - Introduction

The framework describes the brand promise, brand architecture, pay-off line, brand tone and personality, advertising style and Corporate Identity standards and it is applicable to all brand-related conception and execution across geographies, products and channels.

Objectives
i. To protect the integrity of the brand and ensure consistency in the manifestation of the brand.
ii. To set corporate identity standards that govern the way in which UBA Group presents itself in all forms of marketing and communication materials and ensure that in an acquisition or merger arrangement, the cost implication of branding and re-branding are well dimensioned and factored into the cost of the acquisition and merger.

UBA Group Brand Policy – Key Provisions
i. Provide clear and unequivocal guidelines on the roles and responsibilities of all stakeholders in projecting and protecting the UBA Group brand.
ii. All employees are brand ambassadors and should live the brand at all times and ensure that all business units, subsidiaries, regions and countries must conduct business, marketing and communications in accordance with the Group’s branding and brand manifestation.

Group Staff Handbook
Policy Code - HRG:001

Group Staff Handbook - Introduction

The HR Policy is designed to ensure that all Line Heads and Line EDs play a key role in the recruitment, redeployment, promotion and disengagement process in order to promote staff happiness and motivate them to be at their productive best. The Group Staff Handbook is applicable to all employees of UBA Plc and its subsidiaries.
The Employee Handbook is an internal confidential document, intended to promote a common understanding of UBA’s key human capital policies and the terms and conditions of employment.

Objective
The Group Staff Handbook is a policy document which sets out the terms and conditions of employment and guides the conduct of employees in the Group.

Group Staff Handbook - Key Provisions

Minimum Educational Requirement: The minimum entry requirement shall be a second class (Lower Division) University Degree for Pre-Leadership 2 or Ordinary National Diploma for Pre-Leadership 1 or its equivalent in other countries.

Recruitments: Recruitments across UBA Group shall be in line with the organizational structures as approved by the Board of Directors and manning levels for the various entities as approved by EMC. Group HR shall, during the Budget planning cycle, collate and present to EMC for approval the manpower plan for the Group. The manpower plan shall at the minimum contain vacancies, maximum levels, cost implication, etc. This will be approved finally by BAGC along with the annual budget.

Redeployment: Redeployments across UBA Group shall be in line with the approved organizational structures and manning levels for the various entities. An employee may only be redeployed a maximum of 2 times in one Financial Year. However, for business exigencies, the Line Head/ED/DMD and the GH HR may jointly approve an additional redeployment for staff in the same Financial Year. All redeployments shall be effective the first day of the new month. All redeployment letters across UBA Group shall be centrally produced electronically by the Group Human Resources. All redeployments shall be approved in line with the authority limits as defined in the HR Empowerment Framework.
Group Staff Handbook - Key Provisions (Promotion)

Promotion: UBA shall establish and maintain a structured and objective approach to promotion and upward movement. Promotion shall be regarded as the vertical progression from one job grade/level into higher job grade/level of higher authority and responsibility.

Promotion Committee (PC) shall be established to make promotion recommendations for UBA Nigeria, UBA Africa + ROW and UBA Non-Bank Subsidiaries in line with agreed parameters.

The GH-HR shall, based on agreed promotion eligibility criteria, during the budget planning session, present to EMC, an estimated number of promotes for the FY and attendant cost implication. This shall be approved by the BAGC along with the Budget.

Promotion eligibility criteria shall be as advised annually by the EMC and BAGC. This shall include parameters such as performance rating, tenure on grade, exceptional achievements, etc.

Promotion Committee shall at the end of the cumulative year end appraisal, based on the defined eligibility criteria and the promotion budget approved by the Board at the Budget Planning phase, identify those to be considered for promotion.

Resumption/Assumption of Duty: The 1st & 15th of every month shall be resumption dates in UBA Group. Where this falls on a weekend or holiday, the next working day shall be taken as resumption date.

Vacancies: Annual vacancies in the Group shall be approved along with the budget annually by the Board.

Appointment of Management Staff/Tenure: Appointment of Executive Directors/DMDs for all entities including the GMD/CEO and MDs for all entities shall be approved by the Board of UBA Group and Central Bank of Nigeria/other Regulators or the equivalent in other countries as provided by regulations.
Recruitment of Related Parties: UBA’s recruitment policy shall permit the employment of more than one member of a family (including parents, siblings, spouses and children).

Annual Vacation: Leave shall be approved by first line supervisor in line with the approved leave plan. However, HR must notify the second level supervisor before formally advising the staff to proceed on leave. When a public holiday is declared whilst an employee has commenced leave, he shall be required to resume work on his approved resumption date. The public holiday shall be recognized in the Leave accounting.

Leave Recall: The recall of any staff must be approved by GH-HR. 50% of leave allowance shall be paid as inconvenience allowance. No allowance shall be paid for improper handover or unfinished assignments. The round trip transport cost shall be reimbursed for staff recall approved by GH-HR/Country Head, HR and respective SSG/SBG Head. The employee shall be entitled to the outstanding leave period.

Sick Leave: A sick employee may stay away for 24 hours but must notify his/her supervisor. After 24 hours, an employee is required to submit a certificate of illness from a registered medical practitioner.

Casual Leave: Where an employee is not eligible for annual leave (due to qualifying criteria stated above), he may on application and recommendation by his line supervisor, be exceptionally granted casual leave by Group Head HR (not exceeding 10 working days, which cannot be taken at once). These days shall be deducted from the employee’s annual leave entitlement.

Maternity Leave: A confirmed female employee, who has put in twelve (12) months of service, shall be entitled to maternity leave for a maximum period of twelve weeks of which six weeks may be taken before and six weeks after confinement.
An employee shall not be entitled to both maternity and annual leave in the same calendar year.

Group Human Resources Disciplinary Process and Sanction Grid Policy
Policy Code - HRG:002

HR Disciplinary Process & Sanction Policy - Introduction

The HR Disciplinary Process & Sanction Policy is applicable to all employees of UBA Plc and its subsidiaries. All existing policies on disciplinary procedures shall conform to the policy framework except where such is mandated by a legislative or regulatory provision in a local law or regulation of any relevant country or jurisdiction. This policy is also to help clarify an employee’s rights as well as give guidance and support where it may be needed.

Objective
The Group HR Disciplinary Process & Sanction Policy is aimed at building a disciplinary process that conforms with the basic tenets of justice, fairness and equity; protects employees against abuses or victimization; enables the institution to maintain discipline and orderliness in its operations; ensures prompt dispensation of disciplinary issues; and strengthens our internal control and core values.

HR Disciplinary Process & Sanction Policy - Key Provisions

Section 3: Promptness/Timeliness
Investigation of disciplinary cases shall be concluded within one (1) week since justice delayed is justice denied. Extension of the investigation period can be granted by the Head, Fraud Prevention & Investigation on sufficient justification, which shall not exceed One (1) working day. The concurrence of Group Head Human Resources shall be obtained by Investigation Team and this shall be promptly communicated to Head, Industrial Relations & Work Ethics. Any further extension of time shall be approved by line GH HR, which shall not exceed one week. All Disciplinary Committee meetings shall be convened regularly.
The Disciplinary Appeal Process

All manner of appeals shall end at BAGC – Board Governance Committee.

Suspension Administration

There are 3 types of suspension, namely:
– Credit Suspension
– Fraud-Related Suspension
– Suspension as Sanction for Misconduct

HR Disciplinary Process & Sanction Policy - Key Provisions

Fraud-Related Suspension

Staff shall be placed on suspension in cases of suspected misapplication, misappropriation, conversion, insubordination, severe negligence and integrity issues, or where the suspension is necessary to allow for unimpeded investigation of an allegation.

A thorough investigation by the Investigation Team shall be carried out and the report submitted to HR within 1 week. Where investigation cannot be concluded within 1 week due to the involvement of external parties in the investigation process, the concurrence of GH, HR shall be obtained by Investigation Team through the Head, Industrial Relations & Work Ethics.

In all cases of fraud-related suspensions, staff shall not be expected to report for duty, but shall report weekly to Investigation Unit to sign an attendance register, for effective monitoring. Where a staff fails to report after two weeks, such staff shall be deemed to have abandoned duties and shall be summarily dismissed in line with policy.

During the period of suspension, except where the staff has confessed to the fraud (which shall be zero pay), staff shall be entitled to 50% remuneration for the first three months. In the event that the suspension exceeds three months, staff shall be placed on zero pay.

Where a staff is completely exonerated either at the instance of Investigations or DC decision, the suspension shall be withdrawn and such staff shall be reimbursed with his/her withheld salaries for the period on suspension.
Where a staff has spent more than three months on suspension and the case cannot be decisively concluded, EMC shall review such case and take appropriate decision.

HR Disciplinary Process & Sanction Policy - Key Provisions

Suspension as a sanction for misconduct

A staff may be placed on suspension for misconduct based on the decision of a duly constituted DC or based on the recommendation of a supervisor. In addition, the Group’s disciplinary policy empowers the following category of officers to suspend staff as sanction for misconduct:
– GMD
– DMDs/EDs/SBG/SSG Heads
– RCEOs/Country CEOs
– RBH/COOs/DHs

The suspension of a staff by a supervisor without a DC shall however be limited to a period of one month.

Upon resumption from the suspension, staff shall be counselled as follows:
– ET – Mgr - HRBP
– SM – GM - GH, HR
– GM – ED - DMD/GMD

In all cases the advice placing staff on suspension shall be issued by HR.

Impact of Sanctions on Staff Performance Appraisal

Sanctions shall have the following negative appraisal scoring (i.e. deduction from the staff’s gross appraisal score) within the appraisal cycle:

Type of Sanction        Appraisal Deduction
Caution Letter          2 marks each
First Warning Letter    3 marks each
Final warning           4 marks each
Suspension              5 marks each

Offence Category: Dismissal, Summary Dismissal, Termination, Advice to Resign

Code of Professional Conduct and Ethics
Policy Code - HRG:005

Code of Professional Conduct & Ethics - Introduction

This Code of Professional Conduct & Ethics is applicable to all employees of UBA Plc and its subsidiaries. This Code of Professional Conduct and Ethics serves as a guideline to the standards that should govern all employee dealings with customers, suppliers, colleagues and the general public.
The Code does not cover every possible subject or potential situation but formulates the broad policies and principles that should guide employees in their daily activities. The Code applies to the Directors and employees of the Group, its subsidiaries and affiliates. All employees and Directors are expected to adhere to the standards of conduct and ethics outlined in the Code at a level well above the minimum standards required by law. Copies of the Code shall be circulated to all employees and Directors and to new staff when they join the service of the Group. All employees and Directors shall be required, annually, to certify that they have read and understood the Code of Professional Conduct and Ethics and shall report any concerns appropriately.

Code of Professional Conduct & Ethics – Key Provisions

Compliance with the Code: All employees and Directors must comply with the Code of Professional Conduct and Ethics and all other corporate policies, as well as with all relevant laws and regulations. Where there are questions about the meaning or interpretation of any of the items in the Code or about their application to specific situations that may arise, the advice of Legal Services Division, Compliance Division or Human Resources should be sought.

e-mail: The internet and e-mail facilities provided by the Group are for business use only. Messages composed, sent or received on the Internet and Group’s electronic mail system shall remain the property of the Group and may at any time be subject to review by the system administrators or the Management of the Group.

Receiving Gratification, Commissions or Bribes: The Group strictly prohibits the acceptance of any form of gratification, commission or bribe by any employee or Director, for the performance of official duties.

Accepting Gifts and other inducements: Specifically, employees or Directors of the Group shall not solicit for private purposes any gift in connection with their official function and duties.

Staff Accounts: Employees are encouraged to maintain their accounts with the Group, unless otherwise approved by the Human Resources. These accounts extend to those accounts staff may hold in a fiduciary capacity such as under a trust or as a nominee.

Political Activities (Employees): Employees and Executive Directors shall not accept any appointment, nomination or election into any office in any organisation that cannot be categorised as civic, cultural, religious or charitable without the express permission of the Group.

Powers of the Board of Directors: The framework provides powers for the Board of Directors to approve Political Appointments through the Board Audit & Governance Committee.

Continuity of Business Policy and Policy Standards
Policy Code - RCG:011

CONTINUITY OF BUSINESS

What is Continuity of Business (CoB)

This is a proactive planning process to effectively continue business processes after a crisis event. It is the ability of an organization to ensure continuity of service and support for its customers and to maintain its viability before, during and after disaster.

CoB components

This is made up of the following:
1. Development of Business Impact Analysis
2. Crisis Management Plan
3. Business Recovery Plan
4. Testing
5. Maintenance
6. Monitoring & Reporting
7. Training & Awareness

Continuity of Business Policy and Policy Standards - Introduction

The Continuity of Business (CoB) Policy and Policy Standards in the UBA Group provides a governance framework for crisis management and orderly restoration of business activities upon the occurrence of an adverse event (e.g.
a natural disaster or man-made disaster or technological failures). It also describes the methodologies to be used by the Business for risk assessment, risk analysis, risk mitigation, monitoring and reporting while providing for consistent program administration.

Objectives

i. Providing safety standards for staff by partnering with UBA Properties and UBA Corporate Services
ii. Ensuring business continuity in a cost effective manner
iii. Providing methodology for analyzing business impacts of adverse events
iv. Providing framework for UBA Continuity of Business Program
v. Comply with statutory and regulatory provisions

Continuity of Business Policy and Policy Standards – Key Provisions

i. Development of Business Impact Analysis - Risk assessment for each business function is developed to identify the criticality of the business function. Each business is rated and categorized on premise of recovery in the event of disruption.

ii. Crisis Management Team - Crisis Management for impact levels defined is based on the severity of a Crisis Event and the appropriate Crisis Management Team or teams to support mitigation. This includes crisis notification, damage assessment, crisis event documentation, crisis management plan and crisis correction plan.

iii. Business Recovery Plan - All Continuity of Business Entities shall create a Business Recovery Plan for all recoverable sub-processes and reference all other non-recoverable sub-processes identified in their Business Impact Analysis. The assigned Business Unit Head shall approve Business Recovery Plans annually. Business Recovery Plans (BRPs) are prioritized based on their Criticality Ratings.

v. Test of Plan: All Continuity of Business Entities shall test their Business Recovery Plans and Crisis Management Plans annually on a date to be determined by Regional/Subsidiary/Country Crisis Management Team.
This is to ensure that:
– the plans are functional, fully documented and current
– staff, equipment and system are in place
– the test can be successfully audited

Continuity of Business Policy and Policy Standards – Key Provisions

vi. Monitoring and Reporting: Accurate measurement and reporting of key Continuity of Business Metrics aligns the Business Continuity Planning Program with UBA Operational Risk initiatives and facilitates adherence to regulatory requirements including CBN, Basel II as well as reporting appropriate outcome of operational risks to GRC, EMC and the Board of Directors.

vii. Training: All Continuity of Business Entities in the Continuity of Business Tracking database shall complete a minimum of one training activity per year. It is recommended that all other personnel with Continuity of Business related responsibilities complete a minimum of one training activity per year.

viii. Awareness: As part of the Corporate Awareness Program, the Business Continuity Management shall provide enterprise-wide awareness information on a regular basis. Business may develop their own Awareness Programs using content that is consistent with the Corporate Awareness Program to deliver Business Level Awareness Programs.

Crisis Management

What is Crisis

This is a sudden and unexpected event that threatens or disrupts the Bank’s operations and poses financial, non-financial and reputational threats that would require rapid & high-level decision making.

Crisis Management

Crisis management is a series of processes to identify and set specific ways that would enable the Bank to prevent or cope with crisis.
The total crisis management effort focuses not only on what to do in the heat of crisis, but also on what can be done to prevent crises and to effectively manage those that do occur.

Incident Warning

In some instances, incident warning precedes crisis, in which case warning about impending crisis is available in the local news or social media. Credible information of potential crisis can be as a result of the threats below:
(i) Civil unrest due to elections, fuel scarcity etc.
(ii) Potential pandemic situation
(iii) Environmental risks such as flood, sandstorm etc.

Response to Crisis

In responding to crisis, the Bank shall adhere to six key principles of effective crisis communication to stakeholders in line with crisis & emergency risk communication protocol, which include:

❑ Be First - Crises are time sensitive. Timely communication to stakeholders is almost always important; a word out to the stakeholders within the 1st one hour of crisis is important. Hence, timely escalation by staff to Executive Management is equally as important (refer to Incident Escalation Framework for details on incident escalation).
❑ Be Right - Make available to stakeholders the information known regarding the crisis, the information not known, and what the Bank is doing to address the issues.
❑ Be Credible - Honesty and truthful communication should not be compromised when disseminating information during crisis.
❑ Express Empathy - Crises create customer frustration and suffering; thus, this should be acknowledged in our address to affected customers, people or stakeholders. Addressing what people are feeling, and the challenges they face, builds trust and rapport.
❑ Promote Action - Providing information on what the Bank is doing. This would calm anxiety, help restore confidence, and promote a sense of control.
❑ Show Respect - Respectful communication is particularly important when people feel vulnerable.
Respectful communication promotes cooperation and rapport.

Incident Management Reporting

Incident reporting is documenting workplace disruption(s) or situation(s) that may have or could have negatively impacted the Bank’s business or process. An incident report includes investigative information and event analysis to help determine how it happened and what the Bank can do to prevent a similar event in the future.

Have you ever experienced an interruption while working on a project and run into disorganization as a result? Most of us have been there, unfortunately. But thankfully, there’s a way to resolve these issues in real time without sacrificing team productivity.

Incident reporting is the responsibility of all staff irrespective of function or nomenclature, and non-reporting will be viewed as a clear case of service failure.

What is an Incident report?

An incident report is the formal documentation of specific details that describe the events of a workplace incident which are outside normal work norms. Its purpose is to discover the causes and events occurring in a disruptive incident with the goal of preventing such in the future. The information in the reports might be used in order to plan strategies and discuss risk mitigation efforts with relevant stakeholders and staff members. The information can also be used to develop further controls as well as training programs for employees.

What constitutes a disruptive incident?

An event is considered disruptive to the operations of the Bank if it constitutes one or a combination of, but not limited to, the following:
✔ An incident that can result in negative reputational risk that may impact the going concern of the Bank.
✔ Failure that may result in regulatory risk
✔ Major litigation against the Bank
✔ Prolonged downtime of the Bank’s core banking application or other critical IT infrastructure
✔ Prolonged service failure
✔ Major negative impact on staff
✔ Huge financial loss due to fraud or other incidents, which impact is above the bank’s risk appetite
✔ Crisis event or disaster that may negatively impact the operations of the Bank
✔ Processing error(s) that may erode customers’ confidence.

Benefits of incident management reporting

✔ Increased efficiency and team productivity
✔ Prevention of future incidents
✔ Reduction in downtime
✔ Improved customer experience
✔ Visibility and transparency in the Group
✔ Smooth business operations
✔ Quick return to normal service

With a good plan to tackle and eliminate current and future incidents, the Group will be much stronger and more responsive.

Introducing the New Incident Management and Reporting Portal

A new Incident Management and Reporting Platform is currently being developed by the Bank. This platform would warehouse all incidents in the Group reported by staff, irrespective of their functions or locations. This will encompass all operational, business, and governance issues and mitigants put in place to address the incidents.

Incident reporting is an important practice that promotes efficiency in the workplace, identifies areas of improvement and prevents reoccurrence of disruptive incidents. Employees are required to promptly report all incidents regardless of the severity or outcome. Failure to log any incident is tantamount to service failure.

Communication in Crisis

Procedures include pre-established line numbers for communication during a Crisis Event. These are emergency contact numbers that staff and personnel of UBA can call in the event of crisis.
This number will be managed by Customer Fulfilment Centre (CFC) which runs 24 hours service.

S/N   EMERGENCY CONTACT NUMBERS
1     +234 (0) 1 2808 UBA or +234 (0) 1 2808 822
2     +234 (0) 700CALLUBA or +234 (0) 700 2255 822
3     +234 (0) 1 6281 UBA or +234 (0) 1 6281 822
5     +234 (0) 800 000 0919

In addition, the Bank’s emergency numbers are printed on our identity card.

Crisis or Disaster information received can also be communicated to Corporate Communications or Business Continuity Management (Operational Risk Mgt). See details below:

S/N   Details                     Contact No.
1     Business Continuity Mgt.    +234 (0) 1 – 280 8418; +234 (0) 703 412 5824
2     Corporate Communications    +234 (0) 803 535 4570; +234 (0) 1 2807 095

Group Gift Policy
Policy Code - HRG:005

Group Gift Policy - Introduction

Definition

A Gift represents any tangible or intangible item given or received by an employee, contractor or consultant, in the course of the person’s official duties over and above the person’s normal salary and entitlements.

UBA Group shall continue to maintain its core value of integrity and avoid any potential conflict of interest that may arise in the conduct of its business. It is in this context that the bank has instituted this policy to provide a framework for the acceptance and reporting of gift items.

Objective

– To lay down an explicit framework for the offer and acceptance of gifts
– To develop procedures that ensure that reportable gifts are properly managed and disclosed.
Group Gift Policy – Key Provisions

Non-Acceptance of Gifts: Employees and Directors shall not:
– Solicit for private purposes any gift in connection with their official function and duties;
– Solicit any gift in return for doing for any business, service or confidential information of the bank
– Accept any gift for any official function or duties, performed or not performed, which could create a conflict of interest or be seen to create such conflict;
– Accept any gift where the monetary value is in excess of N10,000 [Ten thousand naira] or its foreign currency equivalent
– Accept any form of cash payment or equivalent

Note: Where there is any doubt as to the value of the gift, the Corporate Services department should be contacted to estimate the value of the gifts. However, where the employee in receipt of the gift is from the Corporate Services Division, the audit department would be contacted to estimate the value of the gifts.

Accepting Gifts: Employees and directors may accept gifts or benefits where:
– They are gifts of a promotional nature e.g. paper weights, diaries, calendars
– The monetary value is less than N10,000 [Ten thousand naira] or its foreign equivalent
– The gift is made during festive period e.g. Christmas, Ramadan, Easter, etc.
– Refusal of the gift is impractical. In this instance, the employee/director should accept the gift and lodge with the Human Resources who would donate all such gifts to selected charities through UBA Foundation.

Offering of gifts:
– Employees and directors shall not offer gifts to government officials, customers, suppliers or any other party for the purpose of securing business.
– Gifts can however be offered where: they are gifts of a promotional nature e.g. paper weights, diaries, calendars; the gift is made during festive period e.g. Christmas, Ramadan, Easter, etc.
Group Gift Policy – Key Provisions

Enforcement

Upon receipt of a gift and in instances where a gift cannot be declined, an Employee or director is required to fill out a gift disclosure form which is hosted on the intranet and forward to [email protected]. Honorariums received from public or private speaking shall be accepted but entered in the gift register. Where there is an uncertainty as to whether a gift should be accepted or declined, such query should be forwarded to [email protected].

Sanctions

Any Employee in breach of this policy shall be issued with letters of displeasure in the first instance. For subsequent breaches, caution and warning letters shall be issued respectively; and in the final instance erring staff shall proceed on a two week working suspension. Where a director is in breach of this policy, the Board of Directors shall prescribe an appropriate sanction.

Group E-mail Policy
Policy Code – ITP:001

Group E-mail Policy – Introduction

E-mail policy provides the framework for the management of channel for dissemination of information among UBA Staff.

Objectives

The objectives of the e-mail policy include providing clear provisions to address the following:
i. E-mail authenticity and integrity
ii. Confidentiality of e-mail messages
iii. Non repudiation of e-mail messages
iv. Group network is not compromised through the E-mail infrastructure
v. E-mail services do not propagate virus in the Group’s network and systems
vi.
Compliance with regulatory provisions – copyright laws, defamation, the creation of contractual obligations, and criminal laws

Group E-mail Policy – Key Provisions

i. UBA e-mail facilities shall not be used for purposes such as sending and receiving unsolicited mails including distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
ii. Clear roles and responsibilities of stakeholders
iii. E-mail policy administration
iv. Offences and sanctions over breach of the provisions of the Group E-mail Policy

UBA Group Customer Complaint Management Policy
Policy Code – OGP:004

UBA Group Customer Complaint Management Policy - Definition

UBA Group defines customer complaint as any oral or written statement of grievance, a cause of distress or dissatisfaction or protest over products and services offered and rendered by UBA Group in its diverse markets, whether justified or not, from, or on behalf of, a client about the provision of or failure to provide a banking service. An increase in customer complaints is indicative of the quality of products and services delivery at various delivery points.

UBA Group Customer Complaint Management Policy - Objectives

i. Establish and institutionalize best practice customer complaints management systems and processes in UBA Group
ii. Ensure speedy resolution of customer complaints through efficient tracking, reporting and management of customer complaints thus improving customer satisfaction
iii. Reduce customer complaints to the barest minimum through detailed root cause analysis/after-action-review (AAR) and implementation of required solutions to prevent re-occurrence
iv.
Maintain adequate records of customer complaints for future reference (Group Response Portal)
v. Creation of awareness among staff on the proper handling of customer complaints (address upfront legal & branding issues if any)
vi. Transformation of complaints into positive customer experience (moments of truth) for enhanced customer satisfaction and brand protection

UBA Group Customer Complaint Management Policy – Process

i. Log under right category on Group Response Portal (for assignment & escalation)
ii. Respond within 24 hours max. using standard response
iii. Give TAT for reverting to Customer per SLA in line with regulatory requirements
iv. Give Customer periodic updates
v. Escalate properly
vi. AAR/root cause analysis mandatory and proper closure comment on GRP
vii. Refunds of any category shall be processed in line with the provisions of the UBA Group Policy requirements.

UBA Group Customer Complaint Management Policy – Rewards & Sanctions

REWARDS: Commendation Letter/CS Quality Award/Cash:
i. Speedy & consistent exceptional service
ii. Retention of lost Customer
iii. Customer Commendation

SANCTIONS: Caution Letter/Monetary Fine/Suspension or Dismissal
i. Not logging, or responding to a Complaint within 24 hours max.
ii. Concealing a Complaint
iii. Solicitation (bribe) before rendering services

Internal Communication Policy
Policy Code - RES:003

Internal Communication Policy - Introduction

This document seeks to deliver a new strategy for Internal Communications in UBA Group. It is therefore a blueprint that spells out the steps for transforming Internal Communications in the Group. The new strategy underscores communication as a vital step in our cultural transformation. UBA Group recognizes that effective communication is key to the success of the Group.
Objectives

i. To ensure that employees are well informed, and understand the issues and the planned strategic direction of UBA Group;
ii. To ensure overall integration and belongingness across the Group and ensure that views and concerns of employees are encouraged, listened to and understood by Management;
iii. To encourage an environment of openness, honesty, consistency and clarity of communication, where official messages are trusted, and to reduce reliance on rumours.

Internal Communication Channels

– Team Meetings / Briefings
– Group Weekly Newsletters
– Quarterly Lion King Magazine
– Email
– Mobile Phone
– Intranet etc.

Internal Communication Policy - Key Provisions

i. English is the official language for all Group communication. However, for very strategic and direction-setting Group communication, a simultaneous communication will be made in French/Portuguese language or any other language where UBA Group is in operation.
ii. The Corporate E-mail system is meant for only official mails
iii. UBA websites (group, subsidiary and geographies) are compliant with the standard frameworks/format defined by the Group web team and satisfy all mandatory quality assurance and risk assessment tests before going live in line with global best practice.

External Communication Policy
Policy Code - RCG:023

External Communication Policy - Introduction

As a listed company, UBA is subject to certain obligations imposed by regulations regarding the disclosure of information to the public. Unauthorized disclosure of information, particularly material non-public information, relating to UBA Group could adversely affect UBA’s image and in some cases result in liability for the Group.

Objectives

i. To ensure employees are well informed, and understand the issues and the planned strategic direction of UBA Group;
ii.
To ensure overall integration and belongingness across the Group.
iii. To encourage an environment of openness, honesty, consistency and clarity of communication, where official messages are trusted, and to reduce reliance on rumours.

Rules for Media Engagement

▪ All Media contacts should be managed through Corporate Communications.
▪ All Media queries must be referred immediately without comment to Corporate Communications.
▪ All approved media spokespersons must undergo media and communications training including EMC members.
▪ All approved media spokespersons must confine their comments to their agreed area of expertise.
▪ Only a limited number of individuals (i.e. EMC members only) are authorised to comment on behalf of the Group or Group Subject matter experts on their areas of expertise only.
▪ Only Country EXCO members are authorized to comment as it concerns their local operations or local function experts as it affects their functions.
▪ Unauthorized comments should be avoided at all times.
▪ If you are an approved media spokesperson, prepare the message thoroughly. Consider the likely reaction of delivering the message directly to any/all of the Group's key audiences.
▪ Consult Corporate Communications to agree on all messages before talking to the Media;
▪ Never give any information to the Media unless:
  ✔ you are authorized to do so; and
  ✔ you are absolutely sure the information you are relaying is accurate AND is authorized for release.
▪ Restrict yourself only to the matter at hand to which you are authorized to speak on.

External Communication Policy – Key Provisions

i. The official spokespersons for UBA Group are the Chairman, GMD/CEO, and the Group Head, Corporate Communications.
ii. This policy applies to all Directors of UBA Group, all employees, consultants, vendor staff, contractors of UBA Group

Anti-Money Laundering [AML] Policy
Policy Code - RCG:002

Anti-Money Laundering [AML] Policy Introduction

UBA Group shall maintain the highest standards of integrity to be one of the most competent and profitable financial services providers in its league. To achieve this integrity, it is imperative that as best as possible we know the true identity of our customers including their sources of funds.

Objective of AML Policy

The primary objective of this policy is to protect the brand and reputation of UBA Group and to secure its premises and systems, and guard against misuse as a vehicle for money laundering, terrorist financing and other illegal activities.

Anti-Money Laundering [AML] Policy – Key Provision

i. To comply with applicable money laundering laws, e.g. Money Laundering (Prohibition) Act 2019 in Nigeria.
ii. To comply with the Countries Central Bank KYC Manual, e.g. Central Bank of Nigeria (CBN) KYC Manual and the Advance Fee Fraud and other Fraud related Offences Act 2006, as well as the recommendations of the Financial Action Task Force (FATF).
iii. To define minimum standards for information required at account opening to be collected and maintained in respect of the customers.
iv. To define persons with whom UBA Group is prohibited from doing business with e.g. sanctioned persons and entities as defined by Office of Foreign Asset Control “OFAC” as well as UBA Group’s own internal list of known fraudsters.
v. To ensure a structure is in place for identifying and reporting unusual, suspicious or criminal activities to the AML Unit.
vi. To ensure UBA Group as a whole reflects best industry practices taking the practical, competitive realities of the financial industry into consideration.
vii.
To ensure adequate record retention procedures are in place, in line with the Group Document Management policy.

Anti-Money Laundering [AML] Policy – Key Provision

Role of UBA Employees, UBA Group and the Business Units

Employees should remember that money laundering laws apply not just to the criminals who try to launder their ill-gotten gains, but also to financial institutions and their employees who participate in those transactions if the employee knows that the property is “criminally” derived. “Knowledge” includes “willful blindness”.

Under no circumstances should a UBA employee knowingly or otherwise participate or assist another in the laundering of funds or the funding of terrorist financing. Where a staff member is aware of such activities or of any violation of this Policy, it should be referred to group Compliance.

Anti-Money Laundering [AML] Policy – What is Money Laundering

Money laundering is the criminal act of filtering ill-gotten funds through financial institutions to conceal its source/origin. A way of making “dirty” money “clean”.

Terrorism may be financed with legal funds; however, the methods of effectively Combating the Financing of Terrorism (CFT) are largely identical with those applied to Anti Money Laundering (AML).

Money laundering involves three independent stages, namely Placement, Layering and Integration.

i. Placement - The idea being to move the money from the cash economy into the non-cash economy. This is the physical insertion of cash into the financial system. The launderer may combine legitimate funds with criminal proceeds and subsequently purchase monetary instruments.
ii. Layering - The idea being to use different types of complex transactions (e.g. wire transfers, letter of credit, money orders, real estate, stock) to make the money impossible to trace to its source.
iii. Integration - The idea being to place the proceeds back into the economy to create the perception of legitimacy.
At this stage, it is extremely difficult to distinguish legal and illegal wealth.

Anti-Money Laundering [AML] Policy – Terrorist Financing
Terrorism can be defined as the use of violence for the achievement of political ends. It is common to state and non-state groups. Terrorist financing can be described as the funding, sources and infrastructure used by terrorist groups.
Terrorist financing extends to any person who willfully provides or collects funds by any means, directly or indirectly, with the unlawful intention that they should be used in full or in part to carry out a terrorist act. The funds used for terrorist financing could be from a legitimate or illegitimate source. An attempt to finance terrorism is an offence in itself.
There are two fundamental differences between money laundering and terrorist financing:
i. With regard to terrorist financing, the transactions tend to be in small amounts, whilst with money laundering the money launderer is interested in laundering huge amounts.
ii. With regard to terrorist financing, the funding can come from either illegal or legal activities, whereas with money laundering the origin of the funds is always from criminal activities.

Anti-Money Laundering [AML] Policy – Summary of Nigeria Legislation
EFCC Establishment Act 2004
This Act establishes the Economic and Financial Crimes Commission (EFCC) and the Nigerian Financial Intelligence Unit (NFIU). These bodies are charged with the responsibility of investigating financial crimes and coordinating the related laws on money laundering activities.
Money Laundering Prohibition Act MLPA 2016
This Act creates and prohibits the offence of money laundering. It also provides adequate penalties for its violation.
Advance Fee Fraud Act and Other Related Offences Act 2006
This Act prohibits fraud and provides penalties for its violation.
The Act places the responsibility of proper due diligence on the bank and its employees.
CBN AML/CFT Regulation 2019
In addition to the above there is the CBN AML/CFT Regulation 2009, which financial institutions use as a guide to best practice. Countries should obtain the relevant Acts in their countries and comply.

Anti-Money Laundering [AML] Policy – Obligations, Offenses & Penalties
UBA as an institution has created the policy, conducted training programs and made the policies available to all staff through the Intranet, therefore satisfying the regulatory obligations.
Employees' Obligations: Comply with this Policy and all applicable AML/CFT laws, rules and regulations & report any suspicious customers/transactions to Compliance.
Offenses: assistance, tipping off, and failure to report.
Penalties: imprisonment term; individual financial penalty & financial institution financial penalty; indefinite ban.

Know Your Customer [KYC] Policy
Policy Code - RCG:003

Know Your Customer [KYC] Policy – Introduction
UBA Group shall comply with existing banking legislation, regulations and guidelines in countries where we operate with regard to ‘knowing your customer’. As Africa’s Global Bank, we recognize the importance of prescribing minimum guidelines to be followed before establishing a relationship with a customer. To this end, we are fully committed to combating Money Laundering, Terrorist Financing and other financial crimes.

Objective of KYC Policy
The objective of this policy is to protect the brand and reputation of UBA Group and to secure its premises and systems against misuse as a vehicle for money laundering, terrorist financing and other financial crimes.

Know Your Customer [KYC] Policy – Key Provisions
i. Explicit criteria for the acceptance of customers.
ii. Guidance on account opening requirements by customer facing staff to enable them to discharge their regulatory responsibilities.
iii. Procedures for identifying customers.
iv. Measures for conducting due diligence in respect of customers.
v. Procedures for recognizing and reporting suspicious transactions.
vi. Practical solutions for the challenges faced in our environment in respect of address and identity verification documentation within the spirit and letter of the law, especially to avoid financial exclusion for the socially and financially disadvantaged individuals.

Other Key Provisions
Religious organizations are expected to be registered.
Charities/NGOs and Religious organizations’ accounts are required to have a minimum of two signatories.
For school accounts, the requisite approval from the relevant educational authority and certificate of registration (where applicable) shall be required.
Accounts should not be opened for Charities, Religious Organizations, NGOs, Bureau de Change/Money Service Bureaus and FI (MFBs) until compliance approval is sought and obtained.
Accounts should not be opened for a Political Party until approval is sought and obtained from the respective SBG Head and advice is obtained from the Compliance Head.
DMD’s approval - PEP accounts
Minimum of two signatories - Religious organizations & NGO accounts

Whistle Blowing Policy
Policy Code - RCG:005

Whistle Blowing Policy - Introduction
The Whistle Blowing Policy is a rule/guiding principle that establishes a channel for every employee/stakeholder to freely comment constructively on issues concerning UBA Group or report any act that has or will have negative consequences to the organization without fear of disclosure of his or her identity.
To foster a healthy Corporate Governance environment within any institution, it is important that there are robust policies around Ethics, Professional Conduct and Corporate Governance which are well documented and communicated.
Whistle Blowing Policy - Introduction
Objective of Whistle Blowing Policy
The objective of this policy is to provide a framework for every employee/stakeholder to freely comment constructively on issues concerning UBA Group or report any act that has or will have negative consequences on the organization without fear of disclosure of his or her identity across the Group.
i. To encourage well-meaning employees and stakeholders of UBA Group to feel confident in raising serious concerns in the workplace, particularly with respect to issues bordering on corporate governance, professional conduct and ethics.
ii. To provide avenues by which these concerns could be raised without fear of reprisals.
iii. To provide adequate processes and procedures which would be followed to investigate and dispose of the concerns raised.
iv. To provide feedback on actions taken by Management.
Human Resources:
To set aside the sum of N5m on a monthly basis to reward staff members who blow the whistle.
To lay down the qualification criteria and guidelines for the determination of the reward payable to whistle blowers on a monthly basis.
To establish the payment procedure for the reward scheme.

Whistle Blowing Policy - Key Provisions
Key provisions in the Whistle Blowing policy include the following:
Call to a hotline as posted on our website, www.ubagroup.com. This can also be done via SMS and WhatsApp.
By clicking on the “blow a whistle” link hosted on the bank’s website or sent directly to [email protected]; or by sending an email to CBN via: [email protected].
– Encourage well-meaning employees and stakeholders of UBA Group to feel confident in raising serious concerns in the workplace, particularly with respect to issues bordering on corporate governance, code of professional conduct and ethics.
– Avenues by which these concerns could be raised without fear of reprisals.
– Processes and procedures which would be followed to investigate and dispose of the concerns raised.
– Feedback on actions taken by Management.

Whistle Blowing Policy - Key Provisions
Reward Criteria
i. Only substantiated acts which are reported using any of the whistle blowing channels shall be rewarded.
ii. A whistleblower who upon investigation is found to be a perpetrator or one of the perpetrators of the whistle blowing act shall not be rewarded.
iii. A whistleblower shall be rewarded where the disclosure is substantiated and leads to the protection of the bank’s asset.
iv. A committee shall be constituted to review all whistle blowing cases received during the month and make appropriate recommendations to the GMD/CEO.

Whistle Blowing Policy - Key Provisions
Reward Recommendation
In arriving at the recommendation, the following shall be considered:
a) Accuracy and the quality of information provided to aid prompt investigation of the case
b) Timeliness of the whistle blowing report (gap between the date of occurrence of the incident and when it was escalated)
c) Amount of Potential or Actual loss involved
d) Weight of the Potential or Actual loss involved.
The reward should be weighed against the actual savings made, either financial or otherwise.

Anti-Bribery & Corruption Policy
Policy Code - RCG:009

Anti-Bribery & Corruption Policy - Introduction
The Anti-Bribery & Corruption policy provides minimum guidance regarding UBA Group’s corporate conduct which ensures that all employees act professionally, fairly and with integrity.

Objective of Anti-Bribery & Corruption Policy
The objective of this policy is to set out the responsibility of all employees in observing and upholding UBA Group’s position on bribery and corruption.
Definition
If an individual corruptly requests, offers, accepts or attempts to request, offer or accept for himself or for any other person, any gift/consideration as an inducement for doing any act in relation to the Bank's affairs, he shall be guilty of the offence of official corruption.

What is prohibited
Any offer, promise or authorization to pay money or anything of value to another knowing that all or a proportion of the same will be used for the purpose of influencing the other to act in violation of their duties or to reward a person for the improper performance of their duties, that is to say that the:
i. Payment must be corrupt, i.e. made with the intent to influence an act or a decision of a public person in his/her official capacity or to secure an improper advantage for UBA Group; and
ii. Must assist in obtaining or retaining business for UBA Group.

Anti-Bribery & Corruption Policy – Key Provisions
The key decisions being empowered in the Anti-Bribery & Corruption policy include the following, among others:
i. Explicit framework for the Anti-Bribery & Corruption policy.
ii. Procedures to prevent an employee from bribing another with the intention of obtaining or retaining business for the Group or advantage in the conduct of business for another.
iii. Functions or activities that relate to bribery.
iv. Definition of what constitutes a felony or misdemeanor, which is an offence under the laws in force, and the applicable punishment for an offender, e.g. the offender shall be liable to imprisonment for 3 years.
v. Procedures to prevent an employee from being involved in bribery and corruption.
vi. Comprehensive and fully implemented compliance program that meets legal and regulatory requirements.
UBA Group Document Management Policy
Policy Code - RCG:012

UBA Group Document Management Policy - Introduction
This document outlines the policy for the management of records to enable UBA Group to create and retain only those records that are required for the conduct of its business and to ensure that they are managed at least cost commensurate with legal and statutory requirements, operational effectiveness and information needs.

Objectives
Document management defined: Record management is the application of controls to the creation, maintenance, use and disposal of all formats of records, elements of which include correspondence and forms, records classification, files, identification of the staff member responsible for the records, retention schedule, disaster planning, vital records protection, the administration of inactive records storage, record conversion program, archival preservation activities and destruction of records.

UBA Group Document Management Policy - Purpose
Section 2: Purpose
To provide a statement of intent declaring records management standards for the management of UBA Group records.
To implement records management procedure; and to create retention and disposal schedules for UBA Group’s records.
To propose the development of guidelines to accompany this policy, including retention and disposal schedules for general records common to all departments and business offices in UBA Group.
To develop policies and guidelines for the use of electronic media in the
