Criminal Compliance Corporate Policy

1. Introduction

Banco BPI S.A. (hereinafter "Banco BPI", the "Entity", "Institution" or "Bank") is a credit institution of CaixaBank Group that develops banking business activities, including any ancillary, related or similar transactions compatible with said business and to the extent permitted by law, and adopts CaixaBank's corporate policies, with the due adaptations.

CaixaBank has a Criminal Compliance Corporate Policy which, with the due adaptations, applies to all the Group entities, including its subsidiaries, and where the key action principles on Corporate Criminal Management are defined.

Notwithstanding the above, Banco BPI's determination to raise its standards of rigour and transparency, coupled with the need to strengthen its Policies and procedures and harmonise them with those of the other CaixaBank Group's entities, has led to the drafting of this Policy.

This Policy aims to create and implement a prevention programme that reduces the risk of crimes being committed, through the implementation of a Bank-wide Policy that intensifies the surveillance and control duties referred to in Article 11 of the Portuguese Penal Code, thus outlining clear compliance procedures, with appropriate control mechanisms, that prevent the misconduct of one or more Employees and/or Directors from involving the bank in criminal liability.

Law No. 59/2007 of 4 September introduced changes to the Portuguese Penal Code regarding the criminal liability of legal and equivalent persons, expressly enshrining the criminal liability of legal persons in respect of certain crimes, when committed by persons who hold leading positions therein or who act under their authority, due to the breaching of their surveillance or control duties, in the name and in the interest of the legal person or equivalent entity (Article 11 (1) and (2)).

In addition to the Criminal Code, other legislation bearing on criminal and administrative offences also enshrine the liability of legal persons for the practice of unlawful acts, notably the Securities Code (Article 401), the General Law on Credit Institutions and Financial Companies (Article 203), the General Regime of Tax Infractions (Article 7), Law No. 52/2003 of 22 August on Combating Terrorism (Article 6), Law no. 20/2008 of 21 April on criminal liability for corruption crimes in international trade and in the private sector (article 4) and Law no. 83/2008 of 18 August, establishing measures to combat money laundering and the financing of terrorism (Article 162).

In this context, this Policy aims to set up adequate systems to prevent and monitor compliance with the various applicable rules in criminal matters, in order to prevent the Bank from incurring in such contingencies.


2. Scope of application

This Criminal Compliance Corporate Policy (hereinafter, "the Policy") applies to all the Employees and members of the Corporate Bodies of Banco BPI.

It also applies to all the Associated Persons, as per the definition given in an Appendix hereto, including, in particular, intermediaries and agents acting in the name or on behalf of the Bank.


3. Objectives

This Policy has the following objectives:

  • Convey to all Employees and Members of the Corporate Bodies of Banco BPI, as well as to the Associated Persons to whom this Policy applies, the message that the institution seeks to ensure that its activity is based on respect for the law and regulations in force at any given time, by promoting and upholding its corporate values and principles of action, provided for in its Code of Business Conduct and Ethics. Therefore, underlined by its ethical values, Banco BPI reaffirms its firm commitment to act in strict compliance with and respect for the law, namely with regard to criminal matters.
  • Establish a general framework for the Bank's Crime Prevention Model, based on the legal provisions in force and on best practices. The Model comprises the set of measures aimed at preventing, detecting and responding to any criminal behaviours, and identifies the associated risks and controls.
  • To provide assurance to investors, customers, suppliers, judicial bodies/entities and society in general, that Banco BPI fulfils its duties of supervision and control of its activity by establishing appropriate measures to prevent or reduce the risk of crimes being committed, and ensuring that this Policy is complied with by the Members of its Corporate Bodies, its Employees, and all other Associated Persons.

This Policy also describes the different types of criminal offences which, in accordance with the provisions of the Penal Code and other legislation on the matter, may be imputable to legal persons in Portugal, distinguishing between, on the one hand, crimes whose practice, given the Bank's corporate object and regular activity, risk having a serious impact on the reputation and activity of Banco BPI, and on the other, all others whose criminal relevance is more general in nature.


4. General Principles

The principles that govern this Policy and, consequently, the Crime Prevention Model, are as follows:

i. To act in accordance with current legislation, the Code of Business Conduct and Ethics, and other internal standards and policies.

ii. To promote a corporate culture of prevention and zero tolerance for the practice of unlawful or fraudulent acts, in addition to the application of principles of ethics and responsible behaviour.

iii. To ensure that efficient, permanent and updated control systems are in place at all times.

iv. To implement internal action and decision-making standards and procedures aimed at preventing Affected Persons from taking decisions that are not subject to control.

v. To make sure that the adequate resources and means are in place to apply this Policy and hence prevent or detect the practice of any crimes.

vi. To conduct training activities that are adequate, and provided when necessary, and often enough to ensure the updating of knowledge in this area and the development of a culture of business ethics and compliance with the Law.

vii. To instil in all natural and legal persons subject to the scope of application of this Policy their responsibility for watching out for any potentially unlawful behaviours from a criminal perspective. This shall apply in particular to persons with employees or work teams under their responsibility, who shall ensure the prevention of unlawful conduct and make sure that any such behaviours are promptly and diligently reported to the relevant bodies, and act in accordance with the established procedures as soon as they detect any behaviour defined as criminally reprehensible.

viii. To inform all those under the scope of this Policy about their obligation to report any event that potentially constitutes a crime, fraud or irregularity that has come to their knowledge, in particular when there are signs or suspicions that such event is related to money laundering or the financing of unlawful activities.

ix. To transmit and maintain a culture of compliance that, with the appropriate guarantees of confidentiality and protection of the whistle-blower, promotes the reporting of potential risks and instances of non-compliance with criminal implications through the internal channels set up for this purpose to the body responsible for applying and overseeing the operation of the prevention model.

x. To investigate as soon as possible the events detected that are presumed to be criminal, guaranteeing in all cases the rights of the persons investigated, as well as those of the whistle-blower, if one exists.

xi. To apply the disciplinary procedures provided for in the internal policy and applicable legal regulations in case of non-compliance with this policy and the regulations that make up the prevention model.


5. Crime prevention model

In this context, it is therefore essential to ensure that there is an organisational and management model in place for the prevention of crime, using adequate control systems, so as to forestall and prevent any acts being committed that may entail criminal liability for Banco BPI.

The following are the main elements of this Model:

i. BPI has a Delegate officer in the Corporate Criminal Management Committee, responsible for, in liaison with this Committee, ensure control and oversight of the operation of and compliance with the Prevention Model implemented;

ii. Identification of Banco BPI's activities where the crimes that should be prevented may be committed;

iii. Implementation of the organisational measures and procedures enabling the process of formation of corporate intent and decision-making by Banco BPI. Said measures and procedures are set out in the Crime Prevention and Response Standard, which is the text that develops them so as to make this Policy effective;

iv. Definition of the procedures to follow in case of a conflict of interest;

v. Appropriate resources to stop crimes that should be prevented from being committed;

vi. The obligation to report any possible risks and instances of non-compliance detected to the body responsible for overseeing the operation and compliance with the prevention model;

vii. Whistle-blowing channels and/or other means to detect and report possible criminal infractions;

viii. Application of a disciplinary sanctioning regime for internal infractions of a criminal nature, in accordance with the internal Policy and the local legislation in force;

ix. Regular verification of the model and introduction of amendments thereto whenever there are changes in the legislation, organisation, or the business or when otherwise justified.

This Model comprises five (5) different phases that are developed in more detail in the Bank's internal standards:

  1. Prevention phase: identification of behaviours that may imply criminal risk for Banco BPI's activity, and ascertaining whether there are applicable controls to deal with such behaviours.
  2. Detection phase: detection of potentially criminal acts through the various channels and methods in place.
  3. Response phase: Intervention of BPI's Delegate officer in the Corporate Criminal Management Committee, in coordination with the Committee, when faced with indications or suspicions that a crime has been committed in Banco BPI, immediately developing strategies to mitigate as far as possible any damages of losses that may result therefrom..
  4. Reporting phase: BPI's Delegate in the Corporate Criminal Management Committee shall regularly report and provide information to the Corporate Criminal Management Committee. This Delegate shall also report to Banco BPI' management and supervisory bodies.
  5. Monitoring phase: Regular monitoring of the Model and of its adjustment to both the evolution of Banco BPI's circumstances, and to legislative evolutions and jurisprudential and doctrinal understandings related to crime prevention at and criminal liability of legal persons.


6. Governance Framework

The Crime Prevention Model is framed by the control policy implemented, which is based on three Defence Lines:

  • First line: responsible for knowing and enforcing the obligations under this Policy.
  • Second line: responsible for advising, reviewing and controlling the first line to ensure that this Policy is correctly adopted within the organisation.
  • Third line: responsible for establishing, implementing, maintaining and reporting an audit plan that assesses the level of implementation and the effectiveness of the requirements set out in the Policy.

The governance structure, functions and responsibilities of the various stakeholders involved in this Policy are as follows:

Board of Directors of Banco BPI: as the ultimate body responsible for defining Banco BPI's overall strategies and policies, it is responsible for approving this Policy, the purpose of which is to ensure that the Bank develops its activity in strict compliance with the law and the principles set out in its Code of Business Conduct and Ethics, thus drawing on its ethical concerns and reaffirming the Bank's resolve to ensure that its activity is conduct in strict compliance with all laws on criminal matters. The Board of Directors of Banco guarantees that all its Directors have the necessary skills, knowledge and experience to carry out their duties, as well as the adequacy requirements at any time prescribed in internal and external regulations.

Risk Committee: Advisory and support committee to Banco BPI's Board of Directors, which, among others, has the following responsibilities:

  • Advises the Board of Directors on the Bank's current and future overall risk propensity, and on its strategy in this area, reporting on the risk appetite framework, monitoring the application of this strategy to ensure that the Bank's actions are consistent with the level of risk tolerance previously decided, and monitoring whether the risks assumed are consistent with the established risk profile.
  • Examines the Bank's information and risk control processes, as well as its information systems and indicators.
  • Assesses the risk of regulatory compliance within its scope of action and decision, understood as the management of the risk of criminal or administrative sanctions, or financial, material or reputational losses in which the Bank may incur as a result of non-compliance with laws, regulations, regulatory standards and codes of conduct, detecting and following up on any risk of non-compliance and analysing any possible misalignments with the principles of conduct.

Global Risk Committee: responsible for the overall management, control and monitoring of credit, market, operational, concentration, and reputational risks and any other risk affecting Banco BPI, as well as their implications on solvency and capital consumption management. To do so, it analyses the Bank's global risk positioning and establishes policies for optimising the management of risks in line with its strategic objectives.

Corporate Criminal Management Committee:The Corporate Criminal Management Committee is a high-level committee of CaixaBank with autonomous powers, responsible for corporate supervision over the operation of and compliance with the Crime Prevention Model, which, on behalf of Banco BPI's Delegate to the Committee, may for the purpose raise questions, request information, propose measures, initiate investigation proceedings or request any procedures to be carried out, as it deems necessary for the prevention of infractions and the management of the Crime Prevention Model. This Committee has a multidisciplinary nature and depends hierarchically on CaixaBank's Global Risk Committee, to which it reports, although the areas comprised in this Body may report directly to the governing and management bodies, in accordance with the functions entrusted to each of them.

Where appropriate, the Corporate Criminal Management Committee shall report to CaixaBank's Risk Committee.

This Committee is the body with ultimate responsibility for the implementation of the Criminal Prevention Policies. Its overall functions may be summarised as follows:

  • Adopt and execute the organisation and management model for crime prevention;
  • Promote the dissemination of the model;
  • Supervise the effectiveness of the legal entity's internal controls;
  • Coordinate the periodic assessment of the model and any changes thereto when its maintenance so requires or when there are changes in the organisation, the control structure or the activity carried out;
  • Implement the periodic fine-tuning and monitoring plans drawn up as a result of the assessment of the Model's design and effectiveness;
  • Document and report the results and recommendations for improvement.

Its specific functions, as well as aspects related to its operational management, are set out in the Rules of Procedure of the Corporate Criminal Management Committee.

BPI's Delegate to the Corporate Criminal Management Committee: BPI’s Delegate to the Corporate Criminal Management Committee shall be appointed by the Executive Committee of the Board of Directors (ECBD), and this appointment shall be communicated to the Corporate Criminal Management Committee.

The Delegate will assume this role as the ultimate responsible for monitoring and managing the Bank's crime prevention model. His duties include: (i) reporting on any possibly unlawful activities that come to his knowledge, both internally, in accordance with the internal regulations, and in any case to the ECBD, and to the Corporate Criminal Management Committee, when such activities are liable of affecting CaixaBank or the CaixaBank Group; and (ii) advising the Corporate Criminal Management Committee, when requested to do so.

The Corporate Criminal Management Committee has the obligation to provide assistance to BPI’s Delegate to the Corporate Criminal Management Committee, clarifying and assisting him with any questions or concerns regarding the performance of his duties.


7. Criminal risks inherent to BPI's activity

From the list of crimes the practice of which is circumscribed by the Penal Code and other relevant legislation to possible criminal and administrative offences by a legal person, Appendix I lists those that were selected based on the likelihood of their occurrence in Banco BPI and CaixaBank Group and their impact on their activity.

As a result of the above-mentioned assessment, the final matrix of risks and controls includes the types of crimes that are liable to occur, based on rational criteria, as they are related, even if in different degrees, to the activity developed.

Following the same reasoning, APPENDIX II to this Policy summarily presents the list of unlawful activities unrelated to the regular activity of Banco BPI, and the practice of which is difficult to imagine in normal operating conditions. However, it is worth noting that there are high-level controls and specific recommendations for all unlawful activities, including the latter.

The description of behaviours concerning the various crimes is neither a detailed nor closed listing, and there may be other ways of carrying out the types of crimes referred to in this Policy.

Notwithstanding the above, in case of doubt as to the content of this Policy, the Employees and remaining Affected Persons of Banco BPI should request clarification from BPI's Delegate to the Corporate Criminal Management Committee.


Appendix I


CaixaBank Group: Refers to CAIXABANK, S.A., as well as to all CaixaBank investee companies. Banco BPI is an integral part of CaixaBank Group.

Banco BPI: A company incorporated under Portuguese law, whose corporate purpose is the exercise of banking and other related activities permitted by law, together with other companies directly or indirectly controlled by it.

Associated Persons: Natural or legal persons that maintain a business/trading relationship of whatever nature with Banco BPI. Among others, intermediaries, agents, brokers, external consultants or other natural or legal persons contracted to supply goods or provide services. These Persons must comply with the General Principles set out in paragraph 5 of this Policy, although their literalness does not apply to them.

Affected Persons: All the Employees of Banco BPI, including temporary workers and members of the Corporate Bodies.

Criminal Compliance Corporate Policy: Set of provisions contained in this text, hereinafter simply referred to as "the Policy".

Crime Prevention and Response Standard: The text that develops the organisational measures and procedures aimed at giving effect to the Criminal Compliance Corporate Policy.

Crime Prevention Model: Organisation and management model for crime prevention, which includes the Bank's existing set of procedures, measures and controls. Its main purpose is to structure a system of prevention and response to possible criminal behaviour applicable to legal persons in Portugal, through actions and controls aimed at reducing the risk of their being practised.

Corporate Criminal Management Committee: High-level committee of CaixaBank with autonomous powers of initiative and control, and the capacity to investigate, make consultations, request information, propose measures, request additional measures, initiate investigation procedures or carry out any other necessary procedures related to the prevention of unlawful acts and the management of the Crime Prevention Model.

BPI's Delegate to the Corporate Criminal Management Committee: Officer in charge of the Crime Prevention Model at Banco BPI. The duties of this Delegate are to report to the Corporate Criminal Management Committee any well-founded suspicions or the actual occurrence of potentially unlawful activities taking place at Banco BPI and to take the crime prevention steps defined by this Committee.