The Company is a regulated entity under supervision from the Danish FSA and compliance with regulatory requirements and internal rules is an essential prerequisite for the company's operations and its license to operate.
The purpose of this privacy policy is to establish the overall framework for internal controls and compliance in the company. The purpose is to create a solid foundation for the company's governance structure to create efficient processes that help detect non-compliance with regulatory requirements and at the same time can help create transparency and knowledge of internal processes for all employees.
Compliance risk: Compliance risk is a part of the operational risk in the company. Compliance risk is the risk of the company's non-compliance with regulatory rules, standards or internal regulations that apply to the company.
Compliance Risk Catalogue: The risk catalogue is based on the company's business model. The risk catalogue is a comprehensive catalogue of the specific risks that may affect the company's operations with an indication of the consequences and likelihood that the risk may occur. The risk catalogue includes the strategic risks, financial risks incl. credit risks as well as the operational risks incl. compliance risks and IT risks.
The compliance risk can be identified as the risk of failure to comply with relevant regulation. Failure to comply with financial regulation or other regulation to which the company is subject may result in risk of supervisory reactions and penalties in the form of fines or restrictions on the ability to do business. Supervisory reactions or failure to meet requirements that may affect customers can also result in poor reputation and inability to attract or retain customers and employees.
The regulatory landscape is changing continuously and at high speed. The company has no risk appetite for compliance risk that can result in supervisory reactions from the Danish FSA or other supervisory reactions that can impair the ability to continue operations or result in fines or significant customer churn or inability to attract or retain customers or employees.
To minimize the compliance risk and to avoid exceeding the company's risk appetite on compliance risk the company must implement the following measures:
The company shall have a compliance officer, who has sufficient knowledge of the legal requirements which the company is subject to. The compliance officer shall oversee regulatory requirements, risk factors and compliance with the regulation based on this policy with the purpose of creating transparency on compliance risks and giving advice to management prior to management decisions. The compliance officer shall be independent of the operations covered by compliance controls. If the compliance officer has been directly involved in the operational activities within an area of scope of control, the control shall be performed by another person appointed by the management to avoid the conflict of interest.
Establishment of a legal inventory specifying the regulatory requirements that the company is subject to, including financial legislation, legislation on Anti-Money Laundering and Counter-Terror Financing as well as regulation on information security, data privacy laws, marketing and good practice, and accounting rules.
Establish an ongoing monitoring and identification of changes to the legal inventory which can be used to update the legal inventory on an on-going basis and foresee the operational consequences of such change.
Establishment of a procedure for the on-going monitoring and minimum annual update of policies and procedures to secure implementation of new or changed regulatory requirements.
Minimum once a year the company shall identify and assess the compliance risk. The identification and assessment shall be based on the business model, the legal inventory, and the actual activities in the company. The assessment of the compliance risk shall be based on the likelihood and consequence of non-compliance with regulation based on the model in appendix 1.
Establishment of a compliance program based on the risk assessment covering a list of controls to be performed including follow up on internal controls, update of policies and procedures, implementation of new or changed regulatory requirements and follow up on observed incidents, need for training and regulatory advice.
Establishment of a register for compliance incidents with documentation for handling and follow-up incl. compliance risks and IT risks.
Establishment of a program for all new employees with training concerning general governance and internal controls, including information about needed actions in case of observance of non-compliance, as well as information about new regulatory requirements that affect the operations and training in new procedures resulting from new activities or changed procedures, and follow-up for all employees planned from a risk-based point of view covering the compliance risk for each specific group of employees minimum every second year.
Roles and responsibilities shall be clearly defined for all main activities and an organizational chart shall be established, maintained and accessible for all employees.
The compliance officer can also be appointed as MLRO but shall be independent from other business activities and shall secure that any possible conflicts of interest related to compliance controls of AML and TCF will be mitigated.
The result of the compliance monitoring program shall be reported on an on-going basis and minimum once a year to the Board of Directors. Any observed non-compliance in the risk scale of red (appendix 1) shall be escalated to the managing director without undue delay and the Board of Directors shall be informed of any risk in the red scale (appendix 1) without undue delay.
The Executive Management shall ensure that the Company, in accordance with this Policy, will establish internal controls and compliance procedures and specifically:
The Executive Management shall ensure ongoing and minimum annual reporting to the Executive Board of Directors on compliance with this policy. The reporting responsibility may be delegated to the key person appointed as compliance officer.
This policy and management instruction shall be reviewed when deemed relevant and at least once a year at the time specified in the annual plan.