Whistleblowing procedure and Compliance Policy

On December 26, 2023 the Whistleblowing Procedure at Bank Pekao S.A. (hereinafter: “Whistleblowing Procedure”) came into force, which replaced the existing Whistleblowing Policy of Bank Pekao S.A. The Whistleblowing Procedure is an expression of the Bank’s commitment to promoting a corporate culture that supports ethical behavior. Its purpose is to create secure channels for signaling any unlawful acts or omissions or those intended to circumvent the law, violating the Bank’s internal regulations or ethical standards, covering both existing and potential violations that have occurred or are likely to occur at the Bank, including attempts to conceal such violations.

Any early discovery of a violation and remedial actions taken in consequence of that violation contribute to the reduction or elimination of the Bank’s reputation risk. The culture of openness and honesty, contrary to the “culture of silence”, contributes to the growth of trust in the Bank’s transparent operation and constitutes a clear message that the Bank does not tolerate any illegal or unethical conduct.

According to the Whistleblowing Procedure, a whistleblower can be an individual who, in a work-related context, has obtained knowledge of a violation.

The work-related context is construed to mean: past, present, or future work-related actions arising out of an employment or other legal relationship underpinning the rendering of work or services, or the performance of functions in or for the Bank, in the course of which information about the violation has been obtained, and thereby there is a chance of suffering retaliation.

The whistleblowing process implemented at the Bank allows reports to be made through special and independent communication channels. In case of reasonable suspicion that a violation has occurred, the designated member of the Management Board should be contacted, and in special cases (when the report concerns a member of the Management Board) the Supervisory Board. Submissions can be made verbally, electronically or in writing through special communication channels, such as an anonymous telephone hotline, a special email box, a meeting with a Compliance Department employee or traditional correspondence. All submissions are treated with the utmost care by the Bank and are reviewed in accordance with the Whistleblowing Procedure. The notice of violation can be submitted anonymously or not.

If the applicant reveals his identity, the data are protected. The information concerning the filed report of a violation is classified as “Confidential” and stored with the use of appropriate security measures in accordance with applicable laws and the Bank’s information classification and management principles. The verification officer, while informing the person to whom the report pertains – in accordance with the Whistleblowing procedure – about the report, at the same time reminds the person of the Bank’s rules on not tolerating retaliation and the obligation to apply them.

As a result of the verification of notifications, repair and disciplinary measures are taken. Reports of violations are a source of important information on how to improve or seal the various processes implemented at the Bank.

As required by law, which is reflected in the Whistleblowing Procedure at Bank Pekao S.A., the Management Board of the Bank is responsible for the adequacy and effectiveness of the procedures for anonymous reporting of violations by employees, and the Supervisory Board evaluates their adequacy and effectiveness, as required, at least once a year. The member of the Management Board to whom, in accordance with the established internal division of powers, violations are reported, who is responsible for the day-to-day operation of the procedures for anonymous reporting of violations, provides, at least once every six months, the Supervisory Board with information on significant reports of violations received.

With regard to negative impacts and the occurrence of compliance risks, the Bank has and applies Bank Pekao S.A.’s Compliance Policy (hereinafter: “Compliance Policy”). Responsibility for ensuring compliance is borne by the Bank’s statutory bodies, all organizational units of the Bank, as well as all Bank employees, in their areas of operation. The Management Board actively promotes a culture (hereafter referred to as compliance culture) in which every employee of the Bank will feel responsible for the compliance of their actions with laws, internal regulations and market standards. The Management Board makes the Bank’s business units aware of the importance of this issue and supports the activities of the Compliance Department. If irregularities are found in the application of the Policy, the Management Board takes corrective or disciplinary measures.

In any case concerning the possible application of disciplinary measures referred to in separate internal regulations, the Human Resources Division is the organizational unit competent to apply such measures.

The Compliance Coordinator reports on a quarterly basis on the quality of the compliance risk management processes (self-assessment), applicable internal regulations, and actions taken to cover compliance risks in the Bank’s unit or organizational unit. Reports are sent to the Compliance Department by the tenth day of the first month of the quarter following the quarter covered by the reporting period, regardless of whether compliance risk events occurred in the quarter.

Pursuant to the Compliance Policy, any employee of the Bank who has come into possession of information about the possibility of a material compliance risk is obliged to promptly communicate such information to the Compliance Department. A Bank employee who has become suspicious of the possibility of a compliance risk in the intended conduct or event should consult the Compliance Department.