Standard Bank Group has a robust and stringent conflicts of interest control framework in place to ensure that conflict of interest risk is adequately managed.
The framework provides for processes, procedures and mechanisms to identify, prevent and manage conflicts of interest to:
The group has implemented a number of policies and procedures under the framework, including the group’s conflicts of interest policy which aims to ensure that the group and all our employees comply with the applicable statutory and regulatory obligations by ensuring that all reasonable steps have been taken to prevent or fairly manage potential conflicts of interest, and thereby mitigate the effect that such conflicts could have on our clients and the group. The policy reflects the minimum requirements that need to be adhered to, to ensure that all reasonable steps are taken to prevent conflicts of interest from constituting or giving rise to a material risk of damage to the interests of our clients. Employees are furthermore required to adhere to the group’s gifts and entertainment policy; outside business interests policy; and personal account trading policy.
Conduct risk is the risk of failure to act in accordance with clients’ best interests, fair market practice and codes of conduct.
It extends to all conduct and behaviour in our daily business activities with all our stakeholders, internally and externally. Standard Bank places our clients at the centre of our business. We provide products and services based on our clients’ needs. We do not promote products or services to meet sales or incentive targets. We have zero risk appetite for unfair customer outcomes arising from inappropriate judgement and conduct in the execution of our business activities, or wilful breaches of regulatory requirements.
Executive and senior management are responsible for championing a culture that delivers fair client outcomes and embedding conduct standards. We monitor conduct through business conduct committees, the group executive committee, social and ethics management committee and social and ethics board committee. The group board and social and ethics committee are ultimately responsible for ensuring that conduct risks are adequately identified, measured, managed and monitored and that governance arrangements are upheld.
We identify and manage conduct risk proactively using a combination of leading and lagging indicators. Each area in the group is required to complete a monthly conduct dashboard. Conduct dashboards monitor a range of indicators through eight conduct pillars, and provide a universal set of metrics across key conduct risk areas, which include, among others, conduct, culture and governance. They are an important mechanism to assess non-financial risk and identify appropriate responses. Metrics include operational, technology, compliance, regulatory and human capital risks. The dashboards are submitted to the group executive committee on a quarterly basis, and subsequently to the social and ethics management committee and social and ethics board committee. We’ve introduced a number of automated solutions across our countries of operation to improve efficiency in money laundering control and the declaration of outside business interests.
All business units and corporate functions reported operating within acceptable tolerance levels for conduct risk throughout 2019. Tolerance is assessed by the various lines of business through key conduct risk indicators which are aggregated and provide an overall conduct culture rating (positive, negative or neutral). No material product or service-related issues materialised during 2019.
Looking ahead, we will continue to strengthen our control environment and approach to conduct risk by driving good business practices and reinforcing appropriate behaviours that are aligned to the values of the group. We will also continue to identify areas for enhancement through periodic diagnostics and ongoing metrics monitoring. We’re increasing first-line accountability through communication campaigns and conduct training awareness. We’re strengthening the second line of defence by developing tools and methodologies to help improve oversight and monitoring of conduct risks.
We track fines and penalties issued against the group to help us identify problem areas that need attention and to implement appropriate remedial action.
The group seeks to maintain the highest standards of professional conduct when undertaking financial market transactions, communicating with market participants and when handling confidential information. Our market abuse control framework aims to ensure that the group and its employees support the orderly, fair and transparent functioning of the financial markets, encourage its integrity and contribute to the enhancement of financial stability in the markets within which the group operates. The framework specifically seeks to ensure that there are adequate and effective controls in place to prevent, manage and/or mitigate market abuse risk.
Group policies and frameworks to combat financial crime include:
Our AML/CFT structures and framework are informed by Financial Action Task Force recommendations and designed to comply with statutory and regulatory obligations in all our countries of operation. They ensure that:
AML/CFT legislation in the countries in which we operate is continuously evolving. Our operations align their AML/CFT risk management and compliance programmes to these changes as they occur.
In South Africa, the Financial Intelligence Centre Act has been amended to incorporate a risk-based approach to compliance in respect of the AML/CFT regulatory framework. These amendments include the requirement to develop, document, maintain and implement a risk management and compliance programme that must demonstrate the group’s ability to effectively identify and mitigate money laundering and terrorist financing risk.
Group Financial Crime Compliance participates in a forum comprising multiple regulators and other industry stakeholders, which is designing strategies to enhance the fight against the illicit flow of funds. Work is also being conducted to enhance control measures for facilitation of cross-border transactions between related parties, to guard against potential efforts to evade tax.
During 2019, Standard Bank Group was issued with administrative sanctions relating to AML/CFT deficiencies identified in some of our countries of operation. The group is in the process of enhancing the enablement of our AML/CFT frameworks in these jurisdictions, with programmes of work overseen by senior executives.
In South Africa, the South African Reserve Bank Prudential Authority imposed an administrative sanction of R30 million on Standard Bank South Africa (SBSA) in December 2019, for failure to comply with prescribed suspicious and unusual transaction reporting timelines, as contained in the Money Laundering and Terrorist Financing Control Regulations. R7.5 million of the administrative sanction was suspended for a period of three years, conditional upon SBSA not being found guilty of a similar offence during that time period. Standard Bank was also directed to take remedial action to address and enhance processes for reporting suspicious and unusual transactions timeously. SARB acknowledged in its press release that the administrative sanction is not an indication that SBSA has in any way facilitated transactions involving money laundering or the financing of terrorism. Standard Bank took immediate action to address the issues identified by the SARB and progress is being tracked and reported to the SARB on a regular basis.
We manage our anti-bribery and corruption risk in accordance with the Organisation for Economic Co-operation and Development’s Guidance for Multinational Enterprises and other applicable statutory and regulatory obligations. The group’s ABC policy commits us to:
All employees receive ABC general awareness training. Areas of the group that are perceived as being more susceptible to the risk of bribery and corruption receive specialised training.
The group prevention of the facilitation of tax evasion policy is designed to regulate the development, implementation and integration of procedures to prevent the facilitation of tax evasion by associated persons of the group.
The policy aims to protect the group and its employees from legal, regulatory and reputational risks and penalties that may result from the failure to implement reasonable procedures to prevent the facilitation of tax evasion. All employees receive prevention of the facilitation of tax evasion training.
We have measures in place to mitigate fraud risk and are committed to continuous improvement of these.
We define fraud as the unlawful and intentional misrepresentation committed to secure an unfair or unlawful gain. Fraud includes, but is not limited to, application fraud, card fraud, procurement fraud, employee fraud, digital fraud, insurance fraud and transaction fraud.
Group investigations and fraud risk provides fraud risk advisory services to the group, oversees fraud risk activities, escalates material fraud incidents and investigations in line with risk appetite, provides recommendations on fraud controls to be considered by the first line of defence and conducts internal and external investigations. All employees, associated persons and third parties must raise concerns and report all attempted, suspected, and actual fraud via reporting channels defined in the policy directly to a line manager, to group investigations and fraud risk, or via the anonymous whistleblowing line or the FraudStop process. We allow for anonymous reporting. We prohibit victimisation and protect anyone who reports fraud from suffering prejudice.
We are committed to protecting the personal information of clients, third parties and employees, and adhere to the relevant codes and regulations, including South Africa’s Code of Banking Practice.
We dedicate extensive focus to management of cyber risk. We continue to invest in enhancing cyber resilience across the group, including investing in improved capabilities to predict, prevent, detect and respond to cyber incidents.
These measures, together with other relevant policies, inform the security safeguards necessary to protect personal information from unlawful and unauthorised access, use, destruction or loss. These measures cover all processing activities within the group.
The data privacy consent and notification framework enables the free flow of information within the group. This allows each group entity to align itself with one consistent commitment to the customer in terms of protecting their information. Where we become aware of privacy incidents, we investigate the incidents, and immediately take steps to mitigate any risks to clients. Our privacy statement can be found here. Standard Bank South Africa’s privacy statement is published here.
Cyber incidents are a major threat to companies globally, and to financial services companies in particular, which are commonly targeted.
Standard Bank is committed to safeguarding clients’ data, money and time from cyber threats. Cyber risk receives extensive focus at various governance and management committees across every level of the organisation.
The Standard Bank Group board has delegated the management of cyber risk to the group chief information security officer (CISO), who is responsible for creating and executing the cybersecurity strategy and programme. The strategy and programme are aligned to security frameworks such as ISO27001, the US National Institute of Standards and Technology, and Information Security Forum’s Standard of Good Practice for Information Security, and have been ratified by the group board. In 2019, the group certified the Africa shared core banking platform against ISO27001. The CISO provides regular updates to the board on the group’s cyber risk posture. The board also gets assurance through an annual independent assessment of the strategy by a cybersecurity expert.
As part of the cybersecurity programme, the group employs a continuous testing, continuous monitoring strategy. Testing includes technology testing (vulnerability scanning, penetration testing), people testing (training and awareness) and response testing (cyber incident simulations, disaster recovery testing) to stress test security capabilities. Monitoring includes using machine learning, big data and robotics to detect suspicious behaviour, as well as continuously measuring the effectiveness of security controls.
The group maintains dedicated cyber insurance cover for additional protection against common cyber threats. During 2019 the group detected and successfully mitigated several attempted cyber threats, leading to zero material or client impacting incidents for the year.
Cybersecurity skills shortages are a growing risk to cybersecurity strategies across the globe, with almost two million security vacancies worldwide. In response, the group has created a Cybersecurity Academy to develop cybersecurity skills. In 2019, the academy trained 75 group technology employees on various aspects of cybersecurity.
Work to improve the availability and reliability of our transaction channels is ongoing.
In 2019, we experienced five priority one incidents in South Africa and 14 such incidents in Africa Regions. A priority one incident is an incident with extensive impact and critical urgency.
Standard Bank endeavours to respond timeously to all customer complaints.
In South Africa, the Ombudsman for Banking Services named Standard Bank overall winner for ‘large’ banks in terms of quality of the written response of the bank to the office in response to a specific complainant, response time, and overall fairness of the response. We also received an award for innovation in dispute resolution resulting in a noticeable decrease in consumer disputes, and an engagement award for our dealings with the Ombudsman.