Compliance, Enterprise Risk Management and Internal Control

This ensures that, across the entire spectrum of our areas of activity, the Bank and its stakeholders are protected as comprehensively as possible from business risks. We value most our reputation and the fact that we are trusted by our shareholders, our clients, our employees, our business partners, and members of the communities we serve.

Business or compliance risk, which can be defined as the risk of regulatory or legal sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities, is addressed and managed within the Bank through its compliance function and its component system and program.

Under Monetary Board Resolution No.116 dated January 20, 2011, BSP Circular 747 Series of 2012 on the Revised Compliance Framework for Banks, effective implementation of the compliance function requires establishment of a robust, dynamically-responsive, distinctly-appropriate compliance system, and a formal, defined compliance program.

The compliance system is critically important to identify, evaluate, and address regulatory and reputational risk. The enterprise-wide compliance program helps the Bank to look at and across business lines as a whole, and to consider how activities in one area of the Bank may affect the business or compliance risks of other business lines and the entire group/enterprise.

The compliance program also helps management to understand where in the organization such risks are concentrated, to provide comparisons of the level and changing nature of risks, and identify control processes that need most enhancement.

The Board of Directors, through the Audit Committee, provides oversight of the management of the Bank's business risk and the implementation of its compliance function. At management level, the compliance function is carried out by the Compliance Office, led by our Chief Compliance Officer.

Read the full biography of the Chief Compliance Officer.

The Compliance Office oversees the implementation of the Bank's enterprise-wide compliance programs. These programs take into account the size and complexity of the Bank, the relevant rules and regulations that affect its operations, and the business risks that may arise due to non-compliance. By using regulatory and self-assessment compliance matrices, measures are formulated to mitigate identified risks and tested to ensure effectiveness.

The Compliance Office is currently organized to cover Regulatory Compliance, Corporate Governance, Anti-Money Laundering Compliance, FATCA Compliance, and the Data Privacy Office. Considering rapid regulatory developments and the growing complexity of bank products, services, and transactions, the Compliance Office evolves in its coverage of compliance practice areas to anticipate and meet forward challenges. Enhancement of our compliance function’s scope and domain is redefined for new and emerging sources of compliance risk.

The Compliance Office applies a three-layered compliance testing and monitoring process, which includes unit self-assessment testing; independent random testing, performed by the compliance office; and independent periodic review by the Bank’s Internal Audit unit.

The Compliance Office promotes adherence through a compliance database accessible to all employees, and ensures the prompt dissemination of new regulations and other developments through continued dialogue with regulators.

Corporate Governance oversees the compliance aspect of the Bank’s corporate governance framework and requirements externally and internally, with respect to the laws, regulations, policies relevant and applicable to BPI and group entities, as well as manages regulatory compliance risk of BPI subsidiaries/affiliates by monitoring compliance exposures, tracking updates on actions taken on BSP directives and ensuring alignment with the Bank's compliance program.

Subsidiaries regulatory Oversight is primarily responsible for overseeing group-wide regulatory compliance risk management within the BPI Group of Companies by:

• monitoring the compliance exposures of BPI subsidiaries/affiliates
• tracking updates on actions taken on BSP directives
• alignment of the subsidiaries/affiliates’ compliance program/policy with BPI

BPI's commitment

As a financial institution that caters to millions of customers in the Philippines and abroad for various banking and investment needs, BPI is well-prepared and committed to support the fight against money laundering and terrorist financing. It acknowledges its obligations to unite with the government and with organizations of financial institutions, local and foreign, to close the channels that are being used by money launderers and terrorist organizations for their unlawful objectives. To achieve this commitment, the bank adopted a comprehensive and risk-based Money Laundering/Terrorism and Proliferation Financing Prevention Program (MTPP) geared towards the promotion of high ethical and professional standards and the prevention of BPI being used for money laundering and terrorist financing/Proliferation Financing (ML/TF/PF).

Objectives

This MTPP shall ensure consistent and effective compliance with the Philippine’s Anti-Money Laundering Act (AMLA), as amended, the Terrorism Financing Prevention and Suppression Act (TFPSA), their respective Implementing Rules and Regulations (IRR), and Part 9 of the Manual of Regulations for Banks (MORB) and its amendments as issued by the Bangko Sentral ng Pilipinas or BSP (Central Bank of the Philippines). It also aims to protect the Bank and its employees from being used for the ML/TF/PF activities of criminals.

Policies

To achieve these objectives, BPI adopted a comprehensive and risk-based MTPP which includes policies, controls and procedures to enable the Bank to manage and mitigate the risks that have been identified in the risk assessment, including taking enhanced measures for those classified as high risks. The MTPP is consistent with the AMLA, as amended, the TFPSA, their respective IRR and the provisions set out in Part 9 of BSP’s MORB. 

The MTPP is in writing, approved by the Board of Directors, through its Executive Committee and Audit Committee, and well disseminated to all officers and staff to implement the same.   For its subsidiaries and offices located outside the Philippines, there is a consolidated ML/TF risk management system to ensure the coordination and implementation of policies and procedures on a group-wide basis, taking into account local business considerations and the requirements of the host jurisdiction.

The MTPP is anchored on the following four (4) pillars:

1. Risk Management System 

A sound anti-money laundering and counter-terrorism/proliferation financing (AML/CTPF) risk management system that identifies, assesses, monitors and controls risk associated with ML/TF was adopted and implemented. This aims to avoid being used as channel of these criminal activities through adequate and active Board and Senior Management oversight, appropriate policies and procedures embodied in the MTPP, appropriate monitoring, reporting and comprehensive internal controls and audit.

2. Customer identification Process

The true identity of all customers including their beneficial owners, if applicable, seeking to avail of BPI’s products and services are determined and verified. Customers are risk profiled, which will dictate the level of customer due diligence to be applied during onboarding and periodic revalidation/refresh.  Customer profiled as high risk are subjected to enhanced due diligence and senior management approval.  All customers are screened against sanctions lists, watchlists and lists of high risk jurisdictions to identify those who should be rejected and those who should be subjected to deeper scrutiny prior to onboarding and during the existence of the business relationship with the bank.

3. Reporting of Covered and Suspicious Transactions

Appropriate measures required by law are taken if there are reasonable grounds for suspecting ML/TF, including investigation and reporting and suspicious transactions, and cooperating with investigations or complying with requirements of authorized body.   In addition, all single transactions amounting to more than P500,000 or its equivalent are reported to the AMLC through covered transaction reports.

4. Training 

A comprehensive training program was designed to cover all parts of the MTPP to ensure that all employees are well informed and trained to adequately comply with the policies which included customer due diligence, risk profiling, sanctions screening, and ongoing monitoring, among others.  All employees are required to complete this training at least once a year and must pass the test given at the end of the training program.

Ongoing thrust

Financial institutions can fight the evil effects of ML/TF/PF following the standards set by government and international organizations. BPI, for its part, has done and is continuously doing the following, in conformity with the standards set by the local banking authority and international organizations:

1. Formation of an adequately manned Anti-Money Laundering (AML) Department, headed by a senior-level management officer, which will be the “watch dog” in preventing and detecting potential money laundering and suspicious financial activities of clients.

2. Strict implementation of the Bank’s MTPP in accordance with local and international standards.

3. Conscientious observance of strict customer due diligence (CDD) and “know-your-customer” (KYC) policy as the first line of defense against ML/TF/PF and as an ongoing customer relations concern.

4. Investment in state of the art technology and other automated tools that can help identify and monitor financial transactions and activities that appear to be suspicious.

5. Adequate screening and recruitment process to ensure that only qualified personnel who have no criminal record/s are employed to assume sensitive banking functions.

6. Reliance on the training, accountabilities and responsibilities of our front-line employees, i.e. branch managers, relationship managers and customer service people, in identifying fully the parties with whom BPI is doing business and in ensuring that all transactions conducted by the customers are proper.

7. Maintenance of customers’ identification and transaction documents in compliance to the existing rules and regulations.

8. AML Department’s monitoring of transactions and periodic compliance test checks of all business units, and the reporting of violations, if any, to senior management for appropriate action.

9. Regular updating of the Bank’s MTPP at least once every 2 years, or when there are changes in regulations, whichever comes first, to incorporate changes in AML policies and procedures, latest trends in ML/TF typologies, and latest pertinent regulatory issuances.

10. Recognition that deterrence of ML/TF/PF is an ongoing concern that requires due diligence and vigilance to keep pace with the evolving schemes adopted by money launderers and terrorist organizations.

Continued Vigilance

Money launderers and terrorist organizations will not be deterred until their ill objectives have been accomplished. They will find new ways and means to continue their illicit activities. In order to put a stop and close the channels of their evil ways, BPI will not rest its guard and will, instead, continue to explore the schemes that these criminals may adopt. BPI fully commits to continue to educate its personnel and evaluate its policies, procedures and systems and update these, as needed. BPI will constantly invest its resources and boost its efforts to prove its dedication in combating ML/TF/PF.

We recognize global movements to widen tax regimes across borders such as the enactment into law by the United States government of the Foreign Account Tax Compliance Act. We also value our ability to promote greater international tax transparency and discourage tax abuses and, in support, have a FATCA Compliance unit to ensure the consistent and effective compliance with FATCA regulations throughout the bank and its subsidiaries.

A significant number of countries worldwide have signed the Inter-governmental Agreements (IGAs) relating to FATCA compliance with the United States government. These IGAs will result in the FATCA legislation becoming part of these countries’ local laws. Governments that have signed a Model 1 Intergovernmental Agreement (IGA) with the US have implicit and explicit responsibilities to enable their local Financial Institutions (FIs) to comply with the Foreign Account Tax Compliance Act (FATCA). A Model 1 IGA requires the competent authority or its delegate to collect account holder information, perform a data quality check on the data and then submit consolidated information of certain clients to the Internal Revenue Service (IRS) in a secure manner. On an annual basis, Banks and other Financial Institutions will be required to report information on financial accounts held directly or indirectly by US Persons.

As required under the rules of FATCA, we have appointed a responsible officer to oversee the bank’s compliance with regulations and establish a program to ensure its effective implementation. Our FATCA compliance program provides for additional requirements on customer due diligence and documentation and new reporting guidelines to the relevant tax authorities.

The Bank appears in the U.S. internal revenue service official list of participating financial institutions with the bank’s Global Intermediary Identification Number (GIIN) of CUC04I.00000.LE.608.

Type of Financial Institution (FI): Lead of an Expanded Affiliated Group

FATCA Classification and Date of Registration:
• Participating Foreign Financial Institution: April 23, 2014
• Registered Deemed-Compliant Financial Institution/Reporting Financial Institution under a Model 1 IGA: March 23, 2015

The Digital era has created unprecedented opportunities to conduct banking and deliver financial products and services in the digital space. Globally, financial institutions must collect, store, process and exchange large volumes of information in order to serve clients in this digital space and must also face increasing challenges in the areas of data security, maintaining data privacy and meeting related compliance obligations.

Privacy is Important to Us

Republic Act No. 10173, known as the Data Privacy Act of 2012, requires government and private sector entities to apply the principles of Transparency, Legitimate Purpose and Proportionality in their processing of personal data so that the data is only used in relevant and specifically stated ways, is not stored for longer than necessary, is kept safe and secure, is used only within the confines of the law and is stored following people’s data protection rights.

We are committed to protecting and respecting individuals’ privacy and rights to control information about themselves and to decide how and to what extent such information is shared with others.

Data Privacy Policy

We have a strong Data Privacy Policy in place, which describes to whom the policy applies to, what personal data we collect and how such data is collected, how we may use personal data for core business and marketing purposes, how we may disclose and share such personal data, how such personal data is stored and retained, and how such data can be accessed or corrected.

BPI’s Data Privacy Policy may be read here.

Governance for Privacy, Confidentiality, Security and Compliance

Our Data Privacy Policy is supported by a comprehensive Data Privacy Program utilizing a combination of policies, organizational structure, access controls and technologies designed for risk reduction.

We have a Data Privacy Office, headed by a Board-appointed Data Privacy Officer (DPO), a lead senior management officer. The key focus of the DPO is to oversee data privacy compliance and manage data protection risks for the organization consistent with the Data Privacy Act rules and regulations, issuances by the National Privacy Commission and other applicable laws. Management has also appointed Compliance Officers for Privacy (COP) for major business units of the Bank.

Security of personal data is critical to the Data Privacy Program. We have in place safeguards that help ensure that personal data stored with us are secure and are protected in accordance with our Data Privacy Policy. We maintain strict security standards and procedures with a view to preventing unauthorized access to personal data by anyone, including our staff. We use leading technologies such as (but not limited to) data encryption, firewalls and server authentication to protect the security of personal data. All BPI employees are required to observe our privacy standards and are audited for compliance.

Ultimately, our Board of Directors is responsible for ensuring that data privacy is a fundamental element in the over-all corporate governance, responsible for overseeing implementation of the Bank’s strategic objectives and risk strategies for data privacy. At the Board level, apart from oversight through its Risk Management and Audit Committees, directors focus on key issues of cyber security and data privacy at board meetings in order to execute the Board’s compliance and managerial oversight as well as to mitigate risk.