Applies to all directors, employees, temporary staff, contractors, and third-party service providers of IBCBanking. Jurisdiction: Lithuania and applicable EU law.
This Policy sets minimum standards for ethical conduct, regulatory compliance, customer protection, information security, and risk management at IBCBanking. Departmental procedures must meet or exceed these standards.
The Board approves this Policy and sets risk appetite. Executive Management implements controls and reports to the Board. The CRO oversees enterprise risk; the CCO oversees regulatory compliance and AML/CFT; the DPO oversees GDPR; the CISO oversees cybersecurity. All staff must read, understand, and comply with this Policy.
Act with integrity, avoid conflicts of interest, and never engage in bribery, corruption, fraud, harassment, or discrimination. Gifts/hospitality must be modest and recorded where required. Confidential information must not be disclosed, including on social media.
Comply with Lithuanian and EU regulations and supervisory expectations of the Bank of Lithuania and EU authorities. Consult Compliance when in doubt.
Apply risk-based CDD/KYC, verify UBOs, monitor transactions, and screen against sanctions/PEP lists. Escalate and report suspicious activity. Retain records as required and complete mandatory AML/CFT training.
Treat customers fairly with clear, not-misleading communications. Ensure suitability, transparent terms/fees, and robust complaints handling. Provide enhanced care to vulnerable customers.
Process personal data lawfully for specified purposes, minimise data, and maintain accuracy. Enable data-subject rights, manage international transfers, report suspected breaches to the DPO, conduct DPIAs where needed, and follow retention/disposal schedules.
Use a risk-based security framework with least-privilege access (MFA), asset inventory/classification, encryption where appropriate, secure SDLC, vulnerability management, logging/monitoring, and third-party/cloud controls. Follow the Incident Response Plan.
Identify, measure, monitor, and control key risks within Board-approved appetite/limits. Report breaches immediately. Maintain and test BCP/DR; validate and monitor models independently.
Identify and disclose conflicts to Compliance; manage via recusal, segregation of duties, and customer disclosure where appropriate. Outside business activities require prior approval.
Ensure equal opportunity, a safe and respectful workplace, proportionate background screening, mandatory training, and confidential whistleblowing with no retaliation.
Keep accurate, complete, and retrievable records. Follow retention schedules and secure destruction protocols.
Conduct vendor due diligence (financial, compliance, security, sanctions). Include confidentiality, data protection, audit rights, and termination/exit clauses in contracts. Perform risk-based oversight.
Protect premises with appropriate access controls, visitor management, and lawful CCTV. Apply clean-desk practices for sensitive information.
Only authorised spokespeople deal with media, regulators, and investors. Regulatory notifications must be prompt, accurate, and complete. Pre-approve marketing materials.
Breaches may lead to disciplinary action up to termination, civil/criminal referrals, and contractual remedies. Report suspected breaches promptly to a manager, Compliance, HR, or via whistleblowing channels.
All personnel must complete mandatory training on hire and annually and acknowledge compliance with this Policy.
Owner: Compliance (with Risk, Legal, HR, IT Security). Review at least annually or upon change. Latest version is kept in the policy repository.
CDD/KYC: identify and verify customers and understand their activities. PEP: Politically Exposed Person. Personal Data: data relating to an identifiable person. Incident: event that compromises confidentiality, integrity, availability, or safety.
This Policy is a general template for IBCBanking in Lithuania and does not constitute legal advice. Local laws and supervisory requirements may impose additional obligations. Consult Legal/Compliance before deviating.