Corporate Compliance

The MaRisk Officer ensures compliance with the minimum requirements for risk management. This includes evaluating regulatory changes for their relevance to IBB (UV), communicating them to the respective departments if necessary, and monitoring their timely implementation. Additionally, the MaRisk Officer must be involved in significant structural and procedural organizational changes at IBB (UV) before decisions are made.

The MaRisk Compliance function is responsible for bundling the various rules of trustful cooperation and a prudent risk culture, which are reflected in various work instructions. It also aims to raise employee awareness of potential conflicts of interest.

The (Group) Anti-Money-Laundering Officer coordinates the security and defense measures to prevent money laundering, terrorist financing and criminal acts. This includes potential criminal acts against IBB (UV) as well as those that could be committed by employees. Additional responsibilities include verifying the reliability of new employees and systematically reviewing customer relationships by cross-checking against sanctions lists.

The Capital Market Compliance Officer is responsible for ensuring compliance with legal requirements in connection with capital market transactions. These include EU directives and regulations as wells as the German Securities Trading Act (WpHG).

The Data Protection Officers at IBB and IBB UV monitor compliance with the General Data Protection Regulation (GDPR) and the Berlin Data Protection Act, and thus ensure the protection of the data of our customers and of our employees. Their responsibilities include establishing guidelines, conducting training, and monitoring compliance with data protection regulations based on a risk-oriented approach. They also provide advisory support to management, employees, and customers on data protection matters. Additionally, Data Protection Officers are appointed at IBT, IBB Capital, and IBB Ventures.

The Information Security Officer (ISO) is responsible for the planning, implementation, review and improvement of IBB's information security. The ISO advises and reports to IBB's Executive Board on information security issues. The tasks of the ISB include the implementation, operation and further development of the Information Security Management System (ISMS). This includes the development of information security policies. They also serve as the point of contact for security incidents. An ISO is also integrated into IBT, IBB Capital, and IBB Ventures.

The Emergency Officer evaluates regulatory requirements for their relevance to IBB and adapts central regulations and requirements as necessary. They inform and advise the Executive Board of IBB on all emergency-related incidents. As part of their second-line controls, they conduct spot checks to assess the degree of compliance with these guidelines within IBB. Additionally, they initiate the annual Business Impact Analysis (BIA), conducted by the departments, to identify time-critical processes and document various availability requirements. Emergency management aims to ensure the continuation of time-critical processes during major disruptions, thereby maintaining IBB's operational capability.

The Outsourcing Officer serves as the central point of contact for with regard to the specifications for service provider management. Their responsibilities include developing an appropriate outsourcing management framework with control guidelines and establishing adequate processes. They oversee the execution of both event-driven and regular risk analyses, the associated control measures, are responsible for the preparation and maintenance of comprehensive documentation for the IBB Group's outsourcing activities, and carry out the duty of disclosure to the supervisory authority.

A core component of the corporate culture at IBB and IBB UV is the implementation of an appropriate risk culture. The key objectives of this risk culture include:

• Anchoring a conscious approach to risks in day-to-day business in the corporate culture,
• Establishing the risk awareness at all hierarchical levels,
• Promoting critical dialog through management,
• Encouraging employees to act in accordance with the value system and Code of Conduct,
• Convincing employees to behave in an ethically and economically desirable manner and within defined risk tolerances.

The central element of this value system is the Code of Conduct. It stands for integrity, impeccable reputation and good corporate governance. Its commitment to preventing corruption and bribery is particularly emphasized by its firm incorporation into the Code. The Code also governs the management of conflicts of interest and establishes transparent and appropriate procedures for employees in handling the acceptance of gifts and invitations, as defined in the Written Fixed Order (SFO). At least once a year, information is published on the intranet to encourage employees to familiarize themselves with the Code of Conduct.

The Executive Board has a keen interest in compliance with the rules of the Code of Conduct.

The MaRisk compliance function is responsible for bundling the diverse rules of trustful cooperation and prudent risk culture, which are reflected in various work instructions, and for promoting employees' awareness of potential conflicts of interest.

Employees are proactively trained and informed about new legal regulations. The web-based training courses (WBT) for IBB and IBB UV employees on topics such as the prevention of money laundering, terrorist financing, the prevention of criminal acts and market abuse take place annually and are mandatory for all full-time and part-time employees. Additionally, employees are notified of new regulations via intranet updates. When necessary, ad-hoc or specialized compliance training sessions are provided.

IBB and IBB UV have established mechanisms to identify, report and investigate concerns about unlawful conduct or actual conduct that is inconsistent with their Code of Conduct or similar internal rules. A breach of the Code of Conduct must be reported to the Corporate Compliance department, which handles further processing. For whistleblowing or other irregularities, reports can be made through an external Ombudsperson. In the event of customer complaints, the feedback management system ensures a standardized approach.

The legal provisions for the prevention of money laundering are primarily found in the German Money Laundering Act. As the laws become increasingly stricter, the requirements for IBB and IBB UV continue to rise, necessitating extensive due diligence and documentation obligations from employees.

The internal IBB security measures resulting from the German Money Laundering Act and the Banking Act consist primarily of the implementation of customer-related due diligence obligations with regard to contractual/business partners and beneficial owners.

Risk assessment is conducted through an annual risk analysis, which also evaluates the effectiveness and appropriateness of existing security measures.

The (Group) Anti-Money Laundering Officer coordinates the security and defense measures to prevent money laundering, terrorist financing and criminal acts. Possible criminal acts against IBB and IBB UV as well as those that could be committed by employees must be considered. Other tasks include checking the reliability of new employees and systematically reviewing customer relationships by comparing them with sanctions lists. The review is based on United Nations resolutions, the EU issues regulations that stipulate certain sanctions. For IBB and IBB UV, various measures are taken to ensure that no assets are made available to sanctioned persons or organizations, and, if necessary, existing assets are frozen.

To ensure that public funds do not fall into the wrong hands, IBB and IBB UV have implemented various measures and standards to ensure legal compliance. The key components are outlined as follows:

• Examination of suspected cases and cases of damage and forwarding to the responsible authorities (e.g. law enforcement authorities, state data protection officers, Federal Office for Information Security) in the event of reasonable suspicion.
• Central contact persons for advising employees. For the confidential reporting of questionable incidents, IBB employees and business partners as well as any third parties can also contact an external ombudsman's office (law firm) or the Federal Financial Supervisory Authority's contact point for whistleblowers in addition to the Corporate Compliance department. This can also be done anonymously to protect the whistleblower.
• Regular web-based training for employees on compliance issues to prevent infringements.

The Capital Market Compliance Officer is responsible for ensuring compliance with legal regulations in connection with capital market transactions. Key regulations include the Securities Trading Act (WpHG) as well as overarching EU directives and regulations.

As a public development bank, IBB does not engage in capital market activities for private customers. Therefore, the Capital Market Compliance Officer does not deal with consumer protection issues but focuses on IBB’s proprietary securities trading and issuance business. The WpHG requires transparency in trading activities and mandates the communication of behavioral and organizational guidelines. This also includes raising awareness of the proper handling of any insider information that may arise and the compliant treatment of this information. Capital market compliance thus serves as a trust-building measure for capital markets and their participants.

Employees, business partners of IBB and IBB UV, and other stakeholders have several channels available for confidentially reporting questionable incidents. In addition to the Corporate Compliance department, reports can also be made anonymously through an external Ombudsperson (law firm) or the whistleblower contact point at the Federal Financial Supervisory Authority (BaFin). Information on these reporting options is available on both the internet and intranet. Furthermore, reports can be submitted via the Federal Office of Justice's website, and can be made in both German and English.

The Ombudsperson is available to all whistleblowers who wish to confidentially report serious irregularities at IBB, including violations under the Whistleblower Protection Act (HinSchG). The protection and confidentiality of whistleblowers are fundamental to the handling of reports and are taken very seriously by IBB's Ombudsperson. As employers, IBB and IBB UV take all necessary measures throughout the process to protect whistleblowers from discrimination or retaliation based on the information provided. Any attempts to intimidate, threaten, or discriminate against whistleblowers in the workplace will not be tolerated.

Contact details of the Ombudsperson

Elke Schaefer & Dr. Kathrin J. Niewiarra
Law firm Elke Schaefer Attorneys at Law
Philippistr. 11
14059 Berlin
Phone: +49 (0) 30 / 887-1949-0
Fax: +49 (0) 30 / 887-1949-11
info@ra-elkeschaefer.de

The notices can be submitted in German and English.

In addition, notices can be submitted via the following page of the Federal Office of Justice: BfJ - Contact (bundesjustizamt.de)

There is also a contact point for whistleblowers at the Federal Financial Supervisory Authority (BaFin) at the following Internet address: BaFin - Whistleblower Office