Integrated Annual Report
of ING Bank Śląski S.A. 2019

Non-financial risks

Non-financial risks cover the management functions of operational and compliance risk, which are based on a common framework setting forth clear principles and standards of risk identification, assessment, monitoring, mitigation and reporting. The Bank manages non-financial risks in compliance with the Strategy and Risk Appetite Statement for Non-financial Risks approved by the Bank's Management Board, which sets forth risk limits and tolerance.


Compliance with the declared risk appetite is monitored in a periodic report on non-financial risks (NFRD). Additionally, the Bank operates the Non-financial Risk Committee appointed by the Bank's Management Board; the Committee advises the Bank's Management Board on the management of non-financial risks. The Supervisory Board supervises the management of operational risk by the Management Board and reviews the effectiveness of the related activities at least once a year.

The common management framework for non-financial risks supports the Bank in actively identifying core hazards and gaps and the related risks which may result in undesirable events. The framework supports such processes as self-assessment of risks and controls, scenario analyses, monitoring of key risk indicators and testing of key controls. The results of analyses of internal and external events keep improving the adequacy and effectiveness of the internal control system functioning in the Bank.

The Bank is convinced that an effective control environment is required for the development and maintenance of a sustainable business, and that it maintains and improves the trust of customers, employees and shareholders.

Operational risk

The Bank defines operational risk as the possibility of a direct or indirect loss resulting from the misalignment or failure of internal processes, people and systems, or from external events. The Bank treats legal risk as an element of operational risk.

The definition of operational risk is broad and covers the following areas:

  • Risk of errors in control,
  • Risk of disallowed activities,
  • Risk of errors in processing,
  • Risk of irregular personnel practices and safety at work,
  • Risk of breach of people and resource safety,
  • IT risk,
  • Risk of business disruption,
  • Risk of internal and external fraud.

Definitions of the above risks were presented in the Consolidated Financial Statement of ING Bank Śląski S.A. Group for the year 2019.


The Bank's objective in operational risk management is to ensure regular improvement of the safety of the Bank and its customers, reduction of operating costs and improvement of operating effectiveness.

The Bank's Management Board, subject to approval of the Supervisory Board, has developed a strategy of operational risk management. The Bank has implemented a consistent package of internal normative documents. The documents regulate the scope, principles and duties of organisational units and employees in order to mitigate the likelihood and effects of financial and reputational losses in that respect. The Bank's operational risk management strategy takes account of legal and regulatory requirements and relies on the good practices of the ING Group.

Additionally, the Management Board, also in agreement with the Supervisory Board, has defined in its risk appetite statement the maximum acceptable loss limits, capital limits and the scope of risk that it is willing to accept in pursuing the planned business objectives, subject to full compliance with the law and regulations. The level of limit utilisation is monitored and periodically submitted to the Management Board, the Risk Committee and the Supervisory Board.

The operational risk management system applies to all business spheres of the Bank and the activity of the Group, including cooperation with customers, providers and partners. It is a cohesive, regular practice that covers the following elements:

  • risk identification and assessment,
  • mitigation of risks and monitoring of mitigation activities,
  • performance of inspections,
  • quality monitoring and assurance.

The management of operational risks in the Bank relies on the following general principles:

  • we maintain a complete, consistent and transparent management structure for operational risk with explicitly assigned tasks and responsibilities;
  • we recognise the nature of the internal and external environment, including its limitations and weaknesses; we draw conclusions from external and internal events to identify root causes, potential irregularities in the control environment and unrecognised risk exposures;
  • we identify the causes, types and levels of risk that we are ready to accept; we set standards for control and mitigation activities, which provide for risk transfer to the insurance market;
  • we have an efficient and consistent identification and control of risks for all products, activities, processes and systems functioning in the Bank;
  • we monitor and report the amount of required capital, the risk profile and the risk exposure;
  • we are focused on improving the awareness of employees and managers; we ensure that employees have adequate qualifications to perform activities related to the management of non-financial risks and are provided with adequate tools.

Our priorities include the effectiveness of risk management processes and high quality of the used data.

We recognise the following as core factors affecting risk levels:

  • staff expertise and qualifications,
  • working conditions,
  • an adequate split of duties and supervision over compliance therewith,
  • information security level,
  • integrity of business processes and IT and technical systems,
  • outsourcing,
  • quality of internal and external documentation,
  • external events related to changes in the business environment,
  • natural calamities, failures and catastrophes.

In 2019 we continued to enhance the operational risk management system while focusing on ensuring compliance with new regulatory requirements, including inter alia:

  • we have reinforced control mechanisms and the scope of monitoring in the area of internal and external fraud prevention;
  • we have analysed risk factors using business measures and investigated their mutual relationships;
  • we keep extending the use of stress tests in compliance with the EBA stress test guidelines;
  • we have been optimising the Internal Control System by an appropriate selection of control mechanisms for key processes on the basis of a periodic effectiveness assessment;
  • we have reviewed risk management processes to optimise the first and second lines of defence and the use of the designed data management tools;
  • we have implemented an integrated method of calculating the business continuity risk level;
  • we have commenced work on ensuring compliance with EBA requirements concerning outsourcing;
  • we have continued work on the security of the Bank's functioning after implementation of the PSD2 directive;
  • we have enhanced our crisis communication methods;
  • we have introduced new regulations or updated existing ones, including the operational risk management policy, the information security policy, the policy on the internal control system, and procedures concerning data management, risk assessment and testing of key controls.

We keep caring about the quality of the data we use, we enhance our qualifications and we extend the possibilities of using advanced data analysis methods in the risk identification and monitoring processes. We have also been automating operations related to risk management with the use of RPA (Robotic Process Automation) tools.

We keep raising the awareness of the Bank's employees and of our customers by pointing out current hazards and the appropriate conduct. We draw lessons from events that occur: we clarify their causes and implement solutions that mitigate their recurrence.

Compliance risk

The Bank's mission in the area of ensuring compliance is to develop a compliance culture relying on knowledge of, and compliance with, the law, internal regulations, market standards and the ING Values and Conduct as specified in the Orange Code.

The Bank's Supervisory Board oversees the management of compliance risk at the Bank and the Bank's Management Board is responsible for effective management of compliance risk, including for: implementation of organisational solutions, regulations and procedures, supporting effective compliance risk management and for ensuring adequate resources and funds required to carry out the tasks.

The Compliance unit acts as a compliance risk management unit and is responsible for the organisation and functioning of the compliance risk management process understood as a process of identification, assessment, control and monitoring of compliance risk in the Bank's business in accordance with the law, internal regulations and market standards and submission of related reports.

Last year, the Compliance unit adjusted its organisation to the changing external environment in order to manage compliance risk better, relying on the activities of employees in all areas and responsibilities and focusing on its effective mitigation. The organisational change, together with a reinforcement of employee competences, will translate into fewer errors in process design and in risk identification across similar business processes, so as to identify risks that are missed when processes are looked at individually.

In order to manage compliance risk effectively, the Compliance unit continued its independent inspections, designed and monitored training programmes, and issued recommendations when giving its opinion on product and legislative changes and on marketing materials.

In 2019 the Bank continued work to implement regulatory requirements: MiFID II Directive and Polish secondary regulations, Directive on payment services and secondary regulations (PSDII), Act on counteraction to money laundering and terrorism financing as well as regulations concerning counteraction to abuse of the financial sector for treasury fraud (STIR and Split Payment) and regulations relating to reporting tax schemes and tax avoidance (MDR).

Transaction security and IT system stability

The security of our own funds and those of our customers and partners is a key issue on which we focus in our daily activity. We keep observing hazards and analyse their impact on the ICT infrastructure (applications, systems, networks), on our business processes and the processes of our partners, and their potential impact on customers. On that basis, we design and implement appropriate organisational and technical solutions in the areas of prevention, detection and response.

Our ICT systems are protected with multi-layer mechanisms and cybersecurity systems.

To this end, we pursue various actions such as:

  • ensuring an adequate change management process for IT systems that guarantees adequate testing of the impact of changes on system operation;
  • ensuring an adequate system architecture for critical systems that guarantees complete redundancy of components and resilience to failures;
  • implementing mechanisms that monitor correct system operation and support early detection of symptoms of incorrect operation of components and fast error diagnosis;
  • implementing a process for managing increased demand for resources that guarantees the adaptation of hardware and software resources to changes in business volumes and in customers’ behaviour.

We approach the management of IT security in a systemic and regular way, starting from an appropriate delegation of tasks and attributed responsibility for their execution. Security is ensured not only by dedicated units and processes; its aspects are also embedded in all processes and operating actions of our Bank. Processes and roles are designed and organised in compliance with the best recognised international standards (such as COBIT).

The ICT Environment Security Council operates in our Bank. The Council is composed, inter alia, of managers from business units, IT, cybersecurity, operational risk, data security and fraud prevention. The Council issues directional technological and procedural decisions that ensure an adequate cybersecurity level for our Bank. Day-to-day tasks related to cybersecurity, including ongoing security monitoring, are the responsibility of a dedicated unit.

At the level of technical solutions, we first design and update the security standards and architectures in force at the Bank. On that basis, ICT systems are designed, developed and implemented in line with the principle of ensuring security at the earliest possible stage. During development, before implementation and cyclically after implementation, the systems are subject to various tests, including penetration tests.

For each ICT technology at our Bank, we develop model security requirements and their effectiveness and correct functioning are regularly verified within security tests and reviews as well as internal and external audits. Such audits and tests are carried out by renowned expert entities.

Components of our Bank's ICT systems are subject to an ongoing scanning process in order to detect vulnerabilities and eliminate them immediately. Additionally, the banking systems (network, infrastructure and applications) are monitored for security in order to detect anomalies, undesirable actions and security incidents.

The processes aimed at ensuring security are subject to an ongoing review of their effectiveness, which supports the regular enhancement of our processes and procedures for preventing, detecting and responding to hazards, as well as for eliminating their potential effects (e.g. unavailability of banking services). Consistently with this, we have implemented additional authentication mechanisms and monitoring of the activity of ICT system users, and we have strengthened the protection layer against malware (such as ransomware).

We apply solutions acquired from leading providers of cybersecurity tools and services and unique solutions developed by our own specialists. Additionally, we cooperate with ING Group entities and other companies and organisations in Poland (banks, sectoral associations, Police). As a result, we can follow trends, detect new vulnerabilities and prevent hazards in IT security in advance.

We also require an adequate security level from our cooperating partners, through appropriate contractual provisions related to IT security and through verification of their compliance in regular audits.

In our Internet banking, we apply the following security solutions:

  • Transaction authorisation with one-off codes – instructions in the Internet banking system are authorised with an authorisation code. Users receive the codes in an SMS message. Each code is generated for one particular instruction and is valid for a pre-determined time. Along with the code, customers receive the transaction details so that they can additionally verify the instruction.
  • Strict daily limit – a ceiling up to which transfers can be made on a given day in Internet banking.
  • Encrypted Internet connections – access to the banking systems is possible only with an ID and password. Communication between customers’ computers and the Bank's servers is encrypted with the TLS protocol. The ingbank.pl portal and the Internet banking system are protected with digital certificates that secure the connection over the encrypted HTTPS protocol. These guarantee that data is transferred in encrypted form, protect the data against modification by third parties and authenticate the computers that communicate with each other.
  • 3D Secure (a standard for card payments over the Internet) – when our customers pay with cards in an Internet store that supports 3D Secure, the payment is additionally confirmed with a one-off SMS code. Nothing has to be activated to use 3D Secure payments with our Bank; a card that supports Internet payments suffices.
  • Masked password – logging in to the Internet banking system does not require the entire password; the system automatically selects only certain characters of the password to be entered.
  • Automatic log-out as a result of user inactivity – after 5 minutes of user inactivity, the system logs the user out automatically.
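The three control properties described in the list above (a one-off code bound to one instruction and valid for a limited time, a strict daily ceiling, and an inactivity log-out) can be modelled in a few lines. The following Python block is an added illustration written for this page; it is not code from ING Bank Śląski or the Moje ING system, and the secret key, the 3-minute code validity, the amounts and the account identifiers are constructed assumptions (the page only states the 5-minute inactivity period).

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed parameters: the Bank's real values are not stated on the page.
CODE_VALIDITY = timedelta(minutes=3)   # assumed validity window of a one-off code
IDLE_LOGOUT = timedelta(minutes=5)     # the page states 5 minutes for Internet banking
SERVER_KEY = b"constructed-demo-key"   # placeholder secret for the example only


def instruction_fingerprint(instr: dict) -> str:
    """HMAC over the fields the customer is asked to verify (recipient, amount, title),
    so that a code issued for one instruction cannot authorise a modified one."""
    canonical = "|".join(f"{k}={instr[k]}" for k in sorted(instr))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class OneOffCodes:
    """Issues single-use codes tied to one instruction and a validity window."""

    def __init__(self):
        self._pending = {}  # code -> (instruction fingerprint, expiry time)

    def issue(self, instr: dict, now: datetime) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        while code in self._pending:            # avoid a clash with a live code
            code = f"{secrets.randbelow(10**6):06d}"
        self._pending[code] = (instruction_fingerprint(instr), now + CODE_VALIDITY)
        return code  # sent to the customer together with the transaction details

    def verify(self, code: str, instr: dict, now: datetime) -> bool:
        entry = self._pending.pop(code, None)   # consumed on first use, accepted or not
        if entry is None:
            return False
        fingerprint, expires_at = entry
        return now <= expires_at and hmac.compare_digest(
            fingerprint, instruction_fingerprint(instr))


class DailyLimit:
    """Strict daily ceiling: cumulative transfers per calendar day may not exceed it."""

    def __init__(self, ceiling: int):
        self.ceiling = ceiling
        self._spent = {}  # date -> amount already transferred that day

    def authorise(self, amount: int, now: datetime) -> bool:
        day = now.date()
        if self._spent.get(day, 0) + amount > self.ceiling:
            return False
        self._spent[day] = self._spent.get(day, 0) + amount
        return True


class Session:
    """Session that is considered logged out after IDLE_LOGOUT without activity."""

    def __init__(self, started: datetime):
        self.last_activity = started

    def expired(self, now: datetime) -> bool:
        return now - self.last_activity > IDLE_LOGOUT

    def touch(self, now: datetime) -> bool:
        """Record activity; returns False if the session had already timed out."""
        if self.expired(now):
            return False
        self.last_activity = now
        return True


def demo_scenario() -> dict:
    """Runs the controls against constructed data and returns named outcomes."""
    t0 = datetime(2019, 7, 1, 10, 0)
    instr = {"recipient": "PL00 CONSTRUCTED 0000", "amount": "250.00", "title": "rent"}
    codes, out = OneOffCodes(), {}
    code = codes.issue(instr, t0)
    tampered = dict(instr, amount="2500.00")
    out["tampered_rejected"] = not codes.verify(code, tampered, t0 + timedelta(seconds=30))
    out["replay_rejected"] = not codes.verify(code, instr, t0 + timedelta(seconds=40))
    code = codes.issue(instr, t0)
    out["valid_accepted"] = codes.verify(code, instr, t0 + timedelta(minutes=2))
    code = codes.issue(instr, t0)
    out["expired_rejected"] = not codes.verify(code, instr, t0 + CODE_VALIDITY + timedelta(seconds=1))
    limit = DailyLimit(ceiling=1000)
    out["limit_enforced"] = (limit.authorise(600, t0), limit.authorise(500, t0),
                             limit.authorise(500, t0 + timedelta(days=1))) == (True, False, True)
    session = Session(t0)
    out["idle_logout"] = (session.touch(t0 + timedelta(minutes=4)),
                          session.touch(t0 + timedelta(minutes=10))) == (True, False)
    return out


if __name__ == "__main__":
    print(demo_scenario())
```

The point worth noticing is in `verify`: the code is popped before any check, so a code that was tried against a modified instruction cannot be replayed against the original one, and the HMAC over the canonical instruction fields is what makes "generated for one particular instruction" enforceable on the server rather than just displayed to the customer.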

In our mobile banking, we apply the following security solutions:

  • Transaction authorisation in the mobile application – the method is available to customers who use the Moje ING Internet banking system, make transfers from their computers and have the Moje ING mobile application installed; it is used interchangeably with SMS codes.
  • Fingerprint login – the option is available for phones with fingerprint readers. This login method may be activated after logging in to the application.
  • Strict daily limit – a ceiling up to which transfers can be made on a given day via the mobile application.
  • Automatic log-out as a result of user inactivity – after 60 seconds of user inactivity, the system logs the user out automatically.

In case of a justified suspicion of cybercrime hazards or fraud against customers, we block the services, thus protecting customers against the interception of their data or funds by unauthorised persons.

The year 2019 was full of events related to the publication of information about new vulnerabilities in the security of IT products of various suppliers and about new intrusion methods, cybercrime and fraud carried out around the world. The visible trends that can be distinguished on this basis are as follows:

  • phishing campaigns, especially those distributed via SMS, are still popular, although customers react better and better to such scams and the Bank is better prepared;
  • we have not recorded any significant changes compared to previous years in the context of abuse and advances in social engineering applied to individuals;
  • the degree of technological advancement of malware attacks is higher and attacks of this type are becoming more targeted, or lead to theft of resources by means of social engineering; however, the number of such attacks has definitely declined;
  • the severity of attacks targeted at businesses and institutions (mainly financial) carried out by organised cybercrime groups is similar to previous years.

Attempts have also been made to attack or compromise external suppliers in order to gain access to the infrastructure of the companies they cooperate with.

At the same time, the environment in which we live and operate is undergoing changes. Fast development is specific to:

  • Internet of Things (IoT),
  • smart cities,
  • e-state / e-administration,
  • cloud computing services,
  • 5G networks,

which not only affects comfort, efficiency and performance, but also involves many risks.

Bearing this in mind, we are constantly strengthening and developing our own cyber security system at the local level and across the ING Group in order to prevent acts of cybercrime against clients, employees and our Bank's information and communication system.

We are constantly improving the security solutions and systems used to protect our customers and the Bank itself, and we constantly test their real effectiveness through, among others, penetration tests of the banking infrastructure and applications, advanced APT (Advanced Persistent Threat) tests, DDoS (Distributed Denial of Service) resilience tests and many others.

We have maintained and updated existing tools and implemented new ones for the early detection of all types of fraud and abuse and of advanced targeted attacks, including the prevention of information leakage and of unauthorised transfers of large amounts of money from the banking system.

We are working to improve the prevention of cybercrime through programmes undertaken within the ING Group. We actively cooperate with other financial institutions, governmental and law enforcement authorities and Internet service providers, especially since our Bank was recognised as a key service provider under the National Cyber Security System Act.

Last year, our Bank carried out a number of activities aimed at raising the awareness of the Bank's employees of cyber security threats and implemented programmes aimed at improving the skills of IT staff and of the teams responsible for ensuring an appropriate level of the Bank's cyber security. We have launched new communication campaigns for our Bank's customers warning about current threats.

Moreover, for several years now the Bank has been cooperating with the Polish Banks’ Association in the “Documents Reserved” campaign. It is primarily intended to inform the general public, both bank customers and those who are not yet customers, about the option of reporting identity documents as restricted in the event of their loss or theft. The information campaign is carried out through, among others, posters, leaflets, signs available in the outlets, mailings, banners, announcements and press materials.

Thanks to coordinated actions aimed at ensuring an optimal level of cyber security, in 2019 our Bank did not record any significant cyber security incidents or frauds that would result from the weakness of the banking security system.

Counteracting cybercrime is one of our Bank's basic methods of building secure and attack-resistant channels of interaction with customers. Due to the continuous development of new, advanced attack methods, the Bank’s security teams are constantly improving existing systems and building new, more effective detection and prevention mechanisms. An important element of our development strategy is the continuous improvement of the competence of security professionals and the testing of systems, processes and people in numerous APT (Advanced Persistent Threat) and DDoS (Distributed Denial of Service) tests. All these activities are aimed at protecting the Bank’s resources from internal and external threats and thus protecting our clients and the funds entrusted to us.

In H2 2019, we implemented behavioural verification, i.e. a service that analyses customer behaviour when using the transactional service. The resulting user profile makes it possible to detect fraud when an unauthorised person tries to perform a transaction.

Behavioural verification analyses the user’s interaction with the computer or mobile device. During this verification we do not check what the user does, but how they do it. We collect and analyse, inter alia, information on how fast and how often the user presses individual keys on the keyboard, how they scroll the screen, how fast and how often they click the computer mouse and how they hold the device. We build the user profile only after the user logs in to Moje ING and compare their behaviour after each login.

Thanks to this solution, we will soon be able to additionally secure our transactions and access to Internet banking. In this way we will prevent third parties from impersonating a Moje ING user.
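To make the "how, not what" idea above concrete, the following Python block is an added example written for this page, not code from ING Bank Śląski or its behavioural verification vendor. It builds a profile from inter-keystroke timings collected during several enrolment logins and scores later logins on two signals: whether the typing rhythm fits the profile, and whether the input is suspiciously regular (machine-like). All timing data, the threshold values and the feature choice are constructed assumptions; the page does not publish the real model or telemetry.

```python
import statistics

# Constructed enrolment data: inter-keystroke intervals (milliseconds) captured
# during several logins of one user. Not real Moje ING telemetry.
ENROLMENT_SESSIONS = [
    [180, 165, 210, 172, 190, 175, 205, 168],
    [185, 170, 200, 178, 195, 172, 210, 165],
    [175, 160, 215, 170, 188, 180, 198, 170],
]
GENUINE_LOGIN = [182, 168, 205, 175, 192, 178, 200, 170]   # same person, later day (constructed)
IMPOSTOR_LOGIN = [320, 290, 350, 305, 330, 298, 340, 310]  # someone else, slower rhythm (constructed)
SCRIPTED_LOGIN = [183] * 8                                 # automation: machine-like regularity (constructed)


def build_profile(sessions):
    """Profile = mean and spread of the user's pooled inter-key intervals.
    Pooling across sessions keeps the spread estimate usable with little data."""
    pooled = [x for session in sessions for x in session]
    return {"mean": statistics.fmean(pooled), "sd": max(statistics.pstdev(pooled), 1.0)}


def assess(profile, intervals, z_threshold=2.0, min_spread_ratio=0.25):
    """Compare one new login to the profile on two signals:
    - rhythm: mean |z| of the session's intervals (a genuine user lands near 0.8);
    - regularity: session spread relative to the profile (near zero means scripted input).
    Both thresholds are constructed for this example, not the Bank's values."""
    z_scores = [abs(x - profile["mean"]) / profile["sd"] for x in intervals]
    mean_abs_z = statistics.fmean(z_scores)
    spread_ratio = statistics.pstdev(intervals) / profile["sd"]
    return {
        "mean_abs_z": round(mean_abs_z, 2),
        "spread_ratio": round(spread_ratio, 2),
        "suspicious": mean_abs_z > z_threshold or spread_ratio < min_spread_ratio,
    }


def run_demo():
    """Scores the three constructed logins against the enrolment profile."""
    profile = build_profile(ENROLMENT_SESSIONS)
    return {name: assess(profile, login) for name, login in
            [("genuine", GENUINE_LOGIN), ("impostor", IMPOSTOR_LOGIN), ("scripted", SCRIPTED_LOGIN)]}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:9s} {verdict}")
```

The second signal matters: a script that replays the user's average timing exactly would pass a rhythm check alone, which is why the spread of the session is compared with the profile as well. A production system would use far more features (mouse dynamics, device orientation, as the text mentions) and far more enrolment data, but the structure stays the same: enrol, compare each login against the profile, and treat a poor fit as one risk signal among others rather than as proof of fraud on its own.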

On an ongoing basis we keep our customers informed about existing threats through our websites, educate them and show them how to behave in order to use online and mobile banking safely. Such activities are visible in our e-banking system for each user, and up-to-date information is posted systematically on the basis of the currently detected threats targeting electronic banking users.

We are constantly developing tools, algorithms and rules to detect various types of fraud and abuse, including the prevention of data leakage. We execute many of these tasks together with other ING Group member companies, as well as in cooperation with financial institutions, state bodies and law enforcement agencies. We establish cooperation with suppliers of modern technologies in order to introduce new authorisation factors based on, for example, biometrics or customer behaviour.

In 2019 we focused primarily on strengthening the security of many systems to meet the existing technical and legal requirements aimed at better protection of the customer data processed in our systems, and on starting the Bank’s operations within the national cyber security system.

Personal data security

  • [103-1] Explanation of the material topic and its Boundary
  • [103-2] The management approach and its components
  • [103-3] Evaluation of the management approach

The stability of IT systems also includes the protection of the personal data of customers, business partners and employees. Apart from IT security, we also focus on the physical security of data and information stored in our Bank. Our internal regulations strictly regulate the presence of outsiders in our offices and prohibit the connection of unverified devices to our ICT network.

We regularly test our physical security devices, and the conclusions from these inspections drive changes. Testing of physical security devices has become an integral part of the APT tests that verify the Bank's cybersecurity resilience.

Management of personal data security

Last year we received no justified complaints concerning breaches of customer privacy.

We ensure a high level of awareness among our Bank's employees of the protection of personal, financial and business data, and employees are obliged to attend mandatory training. We keep implementing programmes that support the regular enhancement of employee competencies in the sphere of data protection, stressing the importance of the privacy of customers, business partners and employees. For that purpose, we use meetings, workshops and periodic communication to employees.

In line with these changes, we have adapted our technical and procedural safeguards, as required by law, internal regulations and good practices, in order to ensure better protection of our customers’ data.

The security of banking services also depends on our customers, and therefore we share information with them on potential hazards and recommend security solutions for the devices with which they access Internet banking. Each customer of our Bank has access to a set of rules on how to use online banking correctly:

  • we provide tips on how to create a secure password,
  • we keep informing customers about hazards in Internet banking,
  • we remind customers of the rules of secure banking,
  • we explain how to guard against data theft on the Internet,
  • we teach customers how to protect the devices they use,
  • we block access to services in justified instances, thus protecting customers against the interception of their data by unauthorised people,
  • we make customers aware of hazards during their visits to our branches,
  • we meet senior citizens so that, being aware of hazards, they can protect themselves more effectively,
  • we take part in academic workshops to enhance awareness.

We care about retail customers, but we never forget about the security of our corporate customers. As in previous years, we continue to hold conferences for corporate and strategic customers at which we present hazards related to cybercrime and the mechanisms in our applications and solutions that prevent abuse.

The Bank has not only implemented the requirements of the European Union Regulation on personal data protection; it also keeps analysing changes and implements them without delay in its internal procedures and regulations. The most recent example of such ongoing analysis and updating of internal regulations is the implementation of the sectoral Act which, implementing the GDPR in Polish law, amended the Banking Law and thus provided easier access to information on automated decisions relating to customers. As in previous years, we cooperate with the Polish Bank Association and other banks in order to develop a common code of conduct and common solutions related to personal data protection.

Environmental and social risk


As a bank, we have an influence on financing and lending projects that could have a significant negative impact on society and the environment. Respect for human rights, protection of the natural environment and sustainable development are an important element of the long-term strategy of building the value of our bank. We are aware of the dangers of irresponsible use of natural resources. We support clients in conducting business in a sustainable manner and encourage continuous improvement in this area. We require our clients to operate in accordance with the regulations governing social and environmental issues and to have all the permits and licenses required by law. Therefore, in order to avoid the risks associated with financing projects that have a negative impact on the environment, we use environmental and social risk assessment as well as the Policy of Exclusion.

The most important social and environmental risks include:

  • violation of human rights as a result of forced labour, child labour, inadequate working conditions, and violence. The risk occurs primarily in forestry, agrocommodities and manufacturing,
  • threat to the health of employees and local communities as a result of environmental contamination, contact with harmful chemical materials, transmission of animal diseases to people and non-compliance with labour law. The risk is primarily associated with the chemical industry, energy, mining, metal production and animal husbandry,
  • threat to the health and lives of consumers as a result of consuming products harmful to health. The risk is primarily in the tobacco industry,
  • controversial trade policy consisting in contracting extremely low prices for products produced in economically underdeveloped countries. The risk is mainly related to manufacturing,
  • inhumane treatment of animals in the process of husbandry, transport, slaughter or medical experiments (animal welfare),
  • loss of biodiversity and uncontrolled spread of invasive species, including those genetically modified; erosion and soil degradation. The risk is associated primarily with forestry and agrocommodities,
  • pollution of soils and waters with heavy metals, waste, sewage and increase of water consumption in areas poor in water resources. The risk is associated primarily with animal husbandry, forestry and agrocommodities, manufacturing, chemical industry, energy, mining and metal production.

Environmental and social risk management

  • [102-11] Significant changes to the organization and its supply chain

The environmental and social risk assessment covers both the client and the transaction. We make the assessments to the best of our knowledge. At the client level, we assess whether the activity is conducted with respect for human rights and environmental protection principles and whether it is covered by the exclusion policy. At the transaction level, we assess whether it is consistent with the requirements of the sector policies.

The exclusion policy refers to activities with a particularly high risk of violating human rights and of a negative impact on the natural environment and the principles of sustainable development. We do not establish relationships with clients whose core business is covered by the exclusion policy. We identify and properly manage relationships with clients who operate in areas more susceptible to social or environmental threats. We apply detailed policies designed to support environmental protection and minimise risks in vulnerable areas.

The ESR Sector Policies cover the following sectors:

  • Animal Husbandry,
  • Forestry and Agrocommodities,
  • Manufacturing,
  • Chemical industry and the use of chemicals,
  • Defense and the arms industry,
  • Coal mining, coal and related activities,
  • Other mining and energy, petrochemistry and metal production.

In order to manage risk better, we have created an Environmental and Social Risk Manual for our employees. It supports the identification and proper management of relationships with customers that operate in areas which significantly affect the environment in which we live.
