Behaving responsibly

Ethics & Integrity

In order to bring a positive contribution to the communities in which it operates, MCB Group Ltd has strengthened its foundations, its reputation and its operations by using a robust ethics & integrity approach. By the very nature of its activities, the Group faces a number of risks in its day-to-day operations. Those risks range from fraud and corruption to financing of terrorism and money laundering and these require constant monitoring. The Group has implemented a number of policies and actions to manage those risks. The organisation also relies on its core values to ensure the conduct of an ethical business.

MCB Group core values

Integrity, Customer care, Teamwork, Innovation, Knowledge and Excellence

Risk governance

The Board of Directors has oversight of risk management and monitoring via a dedicated committee. The Permanent Control department is responsible for managing operational, information and compliance risks. Furthermore, independent assurance on the effectiveness of risk governance is provided by an internal audit function.

Main risks identified

Information security, operational risks (internal and external fraud, health and security, client management, assets loss, systems dysfunction, process and execution) and compliance risks (regulatory, advisory & trading and financial crime). MCB Group has various policies in place to maintain proper internal control. These are available on the Group’s website and include our Code of Ethics, Conflicts of Interest & Related Party Transaction Policy and Whistleblowing Policy.

Employees are required to raise routine issues and concerns relating to day-to-day operations with their respective hierarchy whereas undesirable conduct is reported to the Anti-Money Laundering/Fraud Prevention (AMLFP) BU by e-mail or can be made anonymously if desired, using a dedicated telephone number /whistleblowing hotline. Concerns are investigated either by that office or by the Compliance Officer (CO), depending on the case.

Our Code of Ethics covers the following grounds

Responsibilities towards employees: Respect of human rights principles, equal treatment and the highest standards of health and safety.
Dealings with clients: Outstanding client satisfaction through dedicated and high standards of service, including products and services of the highest standards.
Integrity: No inducements to be accepted or given to conduct business and no compromise to any duty owed to clients and shareholders.
Confidentiality: Utmost care in protecting client information and third party information.
Customer care: Feedback from customers is encouraged and complaints are dealt with promptly.

Our Conflicts of Interest & Related Party Transaction Policy covers the following grounds

Comprehensive definition of conflicts of interest
Identification of related parties
Information pertaining to Directors held by the Company Secretary
Responsibility of each Director/ Senior officer to report interests
Rules on lending to related parties
Rules on granting of credit facilities to related parties

Our Whistleblowing Policy covers the following reportable issues

Suspected criminal offences in breach of government regulations/laws
Suspected criminal behaviours, including bribery, corruption or fraud or misuse of office
Actions significantly detrimental to MCB Group and its subsidiaries or any of their employee
Questionable accounting practices constituting a serious breach of internal policy
Suspected deliberate failure to comply with any legal and regulatory obligations
Actions aiming at concealing any of the above activities.

11 claims reported via the whistle blowing process since 2015

Risk identification linked to clients

Every Anti-Money Laundering (AML) risk has a rating according to its financial impact (High, Medium and Low). A monitoring tool, embedded with AML-related risks, generates warnings according to scenarios as well as thresholds for the Relationship Manager to analyse. Monitoring tools are up and running in the Maldives and the Seychelles and are progressively being implemented in Madagascar.

Varying risks can be identified in relation to the country of operation. Some countries may be blacklisted by the European Union, the United Nations Security Council (UNSC), the Bank of England or the Office of Foreign Assets Control (OFAC). These lists of countries are regularly updated on the system (e.g. countries with high risks of financing terrorism).

Collaboration with relevant regulators and authorities also helps in the identification of risky clients.

25 client applications were turned down last year due to financial crime risks

Risk management process linked to clients

Risks are managed by turning down applications or requests from clients suspected of fraudulent/illicit activities or association thereof (through the risk identification process).

A policy is currently being prepared to define the criteria for forceful closure of accounts.

Reports of breaches and of incidents are forwarded to the Compliance department for investigation.

Training on risks

Internal awareness campaigns are regularly held for employees through the intranet.
MCB also raises awareness of its clients on fraud through mailing and communication campaigns, or official letters, if required.

In financial year ended 30 June 2019

32

Sessions on Fraud Awareness including Anti-Money Laundering, Cyber-Crime and Counterfinancing of Terrorism saw the participation of 295 attendees from the Group, including domestic and overseas subsidiaries

16,545

Financial Crime Risk Management alerts investigated and closed.

261

Internal Suspicious Transactions Reports investigated, out of which 221 were filed at the financial Intelligence Unit (FIU)

1,090

Frauds/alleged frauds investigated.

Business Transparency And Human Rights Risks

Some of MCB’s operations take place in countries that expose the Bank to business transparency and human rights risks. Those risks also threaten our capacity to generate income from the financial services we provide. For example, financing a corporation involved in child labour is risky as reputational damage caused by controversies might result in poor financial performance for the client if not bankruptcy. In such cases, loan repayment capacity suffers and revenues are lost. The charts below highlight our top 15 countries with highest loan exposures. Countries are classified into four score categories, Low Risk, Average Risk, High Risk and Very High Risk with respect to Business Transparency and Human Rights risks. The latter score and scale have been developed by aggregating relevant indicators available in the Gapframe analysis mentioned earlier.

The results show that the Bank has around 8% of its credit portfolio exposed to high risk and very high risk countries with regards to both business transparency and human rights risks. Countries included in those categories are Nigeria, Mozambique, Kenya, India and Gabon. Issuing loans to clients in those countries requires additional care and verification.

Exposure to Business Transparency and Human Rights risks as at 30 June 2019

Top 15 countries* in terms of loan exposures amounting to Rs 234 bn and representing 94% of our total credit portfolio

*includes Mauritius

Responsible Data

The increasingly strict regulatory framework coupled with a growing awareness of customers on the importance of their data make confidentiality and information security a central issue for a financial institution like MCB Group that holds sensitive client data in multiple countries. Our utmost ambition and priority is thus to protect data for the Group and its customers.

With regards to customer privacy, appropriate governance and policies have been set up internally. As such, the Bank recently appointed a Data Protection Officer (DPO) who is now specifically in charge of data protection and compliance topics. The DPO operates under MCB’s Information Risk Management (IRM) team. The main objectives of the DPO are to ensure safe data processing in full compliance with the recently proclaimed Data Protection Act (DPA) and the EU’s General Data Protection Regulation (GDPR) requirements, align our processes with internationally recognised cyber security frameworks and certifications, and strengthen the first line of defence through continuous security awareness. MCB today collects and uses customers’ data as follows:

Cookies, personal data, non-personal data, and banking data are collected via apps, websites and the call centre. Data is more often used to avoid mis-selling (the mismatching of clients and products/services).
Customers’ consent is obtained when they sign a contract with MCB.
Data is kept for a period of seven years after the banking relationship ends.
The customer is notified when his/her data is being collected (recording of phone conversation etc.).
Claims from clients are looked into by Quality Assurance, whereas customer complaints pertaining to alleged breach of confidentiality are investigated by Compliance.

MCB is transparent on how it uses customer data. Customers can have access to a detailed explanation on how MCB uses and collects personal data and what it does with it. This document entitled “A NEW DATA PROTECTION LANDSCAPE” also highlights other relevant information about individuals’ rights over their data and can be obtained on our website.

A general awareness document on DPA and GDPR was also shared on the organisation’s intranet to raise staff’s awareness on this issue. Furthermore, a dedicated team now operates under the IRM to handle and safeguard clients’ data.

MCB is now aiming to eliminate the manual handling of data and avoid breaches by reinforcing the use of digital tools. Other measures being investigated include the development of new job responsibilities internally, related to data mining and data science, the improvement of granularity in data monitoring and grievances and the training of all employees on consent collection and consent traceability.

With regards to information security, MCB has worked with EY on a gap assessment to evaluate its exposure to risks in the data privacy field and to define the perimeter of responsibility of the Group. Regular cyberattack simulations are held to identify weaknesses and strengthen our response. Other measures implemented include ethical hacking to identify security breaches and online tests for employees on cyber risks.

As at 30 June 2019

58

Business Representatives trained on DPA/GDPR

480

Employees attended our Cyber War Game awareness sessions (Leadership team included)

2,373

Employees targeted for Information Security Policy Awareness. Sessions are scheduled until December 2019

Product Responsibility

Equator Principles

A bank’s sustainable development depends on many factors, such as the environmental, social and economic impact of its financial products and services, the direct impacts of its operations (e.g. buildings and non-physical market presence) as well as the indirect impacts of its stakeholders, employees, etc. However, it is ultimately MCB’s responsibility to ensure that its activities degrade neither the environment nor the social conditions of the countries in which it operates. We are therefore committed to market more responsible and ethical products.

MCB Ltd voluntarily adopted the Equator Principles in May 2012. This framework is followed by many financial institutions around the world to identify, assess and manage environmental and social risks associated with project financing. It is also primarily intended to provide a minimum standard for due diligence to support responsible risk decision-making.

The Bank’s Environmental and Social (E&S) Policy is founded on this framework and applies to any project or undertaking entailing loans of an aggregate amount greater than or equal to USD 2 million and with a maturity of at least 24 months. In particular, the process caters for the identification, categorisation, reporting and monitoring of environmental and social risks for projects that fall within the scope of the E&S Policy.

The scope of the Environmetal & Social Risk Management (ESRM) process

MCB Ltd has an exclusion list, elaborated in accordance with international practices, for activities it will not finance. This list, available on the Bank’s website, includes amongst others, pornography, trade in wildlife products, production, use or trade in hazardous materials, pharmaceuticals, pesticides/herbicides and chemicals.

The Bank will not have more than 5% of its capital committed to projects or to clients whose primary operations relate to the production and/or trade in weapons and ammunition, tobacco, hard liquor, gambling, casinos and equivalent businesses.

The ESRM process in detail

All eligible projects i.e. those with undertakings that entail loans of an aggregate amount greater than or equal to USD 2 million and with a maturity of at least 24 months, are grouped under three categories - A, B or C, based on their potential E&S impacts and risks. Category A indicates projects with potentially significant adverse and irreversible E&S impacts, Category B, projects with potentially limited adverse but largely reversible E&S impacts, and Category C, projects with minimal or no E&S impacts.

Some projects are ipso facto categorised as A, for instance, crude oil refineries, thermal power stations, nuclear industry, motorway construction, waste-processing installations, industrial plants and so on.

For some projects, an E&S action plan is agreed upon between the Bank and the client, detailing and prioritising the actions needed to implement mitigation measures, corrective actions and/ or monitoring measures required to manage the impacts and risks identified in the assessment.

MCB is an emerging player in project financing in Africa. The Bank finances specific projects like infrastructure investments (ports, airports, health/education facilities, energy...) and participates in transactions or syndications. If the projects assessed by the E&S process are deemed too risky, they can be turned down. This decision is taken after an appropriate assessment of the client’s sustainability policy and the E&S risks and impacts of the project or transaction at hand.

2

Projects of Category A

1

Projects of Category B

105

Projects financed during the year ended 30 June 2018 The last reporting year to the Equator Principles associations

External Sustainability Initiatives

United Nations Global Compact

MCB is a signatory to the United Nations Global Compact (UNGC), the world’s largest corporate sustainability initiative that believes businesses can be a force for good. UNGC urges companies worldwide to align strategies and operations with ten universal principles on human rights, labour, environment, and anti-corruption, while asking them to take actions that advance societal goals. Every year MCB submits a Communication on Progress (COP) report highlighting its engagements and initiatives on the ten principles.

Principles for Responsible Banking

MCB Ltd has become a founding signatory to the Principles for Responsible Banking (PRB) of the United Nations Environment Programme Finance Initiative (UNEPFI) that were launched on September 22, 2019 in New York. Signatories are responsible banks around the world that agree to adhere to six principles of the initiative and improve their impact and contribution to society. The participants are required to analyse where their institutions have positive and negative impacts on society, and identify ways to increase positive impacts while reducing the negative ones. Banks are also expected to set meaningful targets on the most relevant impacts and are required to report on how they are implementing the PRB and assess their progress in doing so. We believe that joining this initiative is a fantastic opportunity for us to entrench our corporate sustainability programme and showcase our engagement towards building a more prosperous Mauritius.