The role of compliance in the organisation
Compliance and integrity are closely related. Both acting with integrity and complying with applicable rules and regulations safeguard Vesteda’s reputation and the reputation of the industry we operate in. For Vesteda, it is not enough to simply abide by laws and regulations; integrity should be embedded in day-to-day business and decision-making processes.
To ensure that compliance and integrity are and remain top of mind in Vesteda’s business activities, Vesteda has appointed a Compliance Officer. The role of the Compliance Officer is formally defined and documented in Vesteda’s compliance charter. The Compliance Officer reports periodically to the Management Board and the Supervisory Committee, while reporting functionally to the General Counsel. Additionally, the Compliance Officer has a direct line to the CFO and the Supervisory Committee.
The compliance function fits into Vesteda’s ‘three lines model’. This model helps to identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management within Vesteda. The first line is formed by the business; the compliance function is part of the second line and operates independently from the business. The third line is formed by the Internal Audit function, which periodically assesses the effectiveness of Vesteda’s internal control framework, including compliance.
The Compliance Officer’s tasks include the identification, evaluation, monitoring and reporting of and advising on compliance risks within the organisation. The Compliance Officer is part of the Risk Committee, discusses incidents, trends and (regulatory) developments that (could) have an impact on Vesteda’s corporate integrity, and is the first point of contact for integrity notifications within the organisation. The Compliance Officer operates at both a strategic level, advising the Management Board and senior management, and an operational level, advising the business on day-to-day compliance matters.
The Compliance Officer focuses on the areas detailed in the schedule below.
Focal points in scope of compliance function
This covers risks related to the non-compliance with laws and regulations, such as the Dutch Financial Supervision Act, including the Alternative Investment Fund Managers Directive, the Anti-Money Laundering and Anti-Terrorist Financing Act and the General Data Protection Regulation.
This covers risks related to the non-compliance with the internal code of conduct and related policies.
This covers risks related to non-compliance with rules related to:
This covers counterparty risks and the screening and monitoring of transactions of tenants and parties Vesteda does business with in accordance with the Anti-Money Laundering and Anti-Terrorist Financing Act.
Vesteda’s view on compliance and integrity
We strive to ensure integrity on all fronts. Vesteda employees sign a code of conduct and Vesteda has an internal reporting scheme, including anonymous reporting via a SpeakUp line, to report (suspected) compliance and integrity incidents. The Compliance Officer reminds employees of this code and the reporting scheme on an annual basis and employees are asked to confirm that they are aware of the code and the scheme and that they have complied and will continue to comply. When communicating about compliance-related matters to the organisation, the Compliance Officer will, to the extent relevant, always refer to the code of conduct as the guiding principles within the organisation.
The Compliance Officer keeps a register of all reported incidents. When an incident is reported, the Compliance Officer evaluates whether the reported incident should be classified as material or not. This would be the case when a) there is a considerable risk of a regulatory fine or sanction, or b) the relationship with key stakeholders could be adversely affected in a serious manner or c) it could result in substantial reputational damage.
Key performance indicators with respect to integrity are:
Number of incidents reported to the Compliance Officer. In this respect, Vesteda explicitly does not strive to have zero incidents reported. In addition, employees are encouraged to speak up to colleagues and management before formally reporting an incident to the Compliance Officer. Vesteda is of the opinion that the reporting of incidents can contribute to risk awareness and is a sign of a company culture in which employees do not fear repercussions for reporting an incident. Incident reporting can help to identify trends or risks. In 2021, the number of reported incidents was 27, including one material incident. A material incident could be: criminal acts, corruption, a violation of applicable laws and regulations, a breach of our internal Code of Conduct, a threat to the environment, health or safety, misleading supervisory authorities, intimidation, withholding or manipulation of data or any other act that damages Vesteda directly or indirectly. It is noted that 11 of the 27 incidents are related to illegal hemp plantations. While it is not possible to fully prevent this from happening, this issue has our ongoing attention. Most of the other incidents related to minor data breaches and (alleged) conflicts of interest. The incidents were addressed by the Compliance Officer and, depending on the severity of the case, discussed with the Management Board and reported to the Supervisory Committee.
Percentage of employees that confirm adherence to Vesteda’s code of conduct. In 2021, 97% of all employees confirmed their compliance with Vesteda’s code of conduct. The Compliance Officer contacted employees and their managers who did not confirm in a timely manner, to gain an understanding of any underlying reasons.
Vesteda’s compliance with applicable rules and regulations is the foundation of its license to operate. Two of our main objectives are to incur no (monetary) sanctions and to retain our AFM license. Vesteda met both of these objectives in 2021.
Compliance focal points 2021
The Compliance Officer conducted the annual Systematic Compliance Risk Analysis (SCRA) in Q4 2021. The SCRA is an instrument the Management Board and the Management Team use to identify and analyse compliance and integrity risks in a structured manner. The analysis included an assessment of whether existing control measures were (still) sufficient to prevent or mitigate the risks identified or whether new measures were required. The outcome of the SCRA forms the basis of the Compliance year plan for 2022.
The Compliance Officer recorded compliance and integrity incidents and reported on a quarterly basis to the Management Board and a subcommittee of the Supervisory Committee about these incidents and any measures taken. The number of recorded incidents was 27 in 2021.
The Compliance Officer and Internal Audit Manager conducted an internal investigation into an integrity incident regarding fraud by an employee in 2021. Following this investigation, Vesteda took disciplinary measures, filed a report with the police and initiated civil proceedings. The Management Board and those involved in the investigation presented an online employee meeting about the aforementioned incident with the aim of providing transparency and enhancing employee awareness with regard to integrity. Nearly all employees participated in the meeting.
Following the incident, Vesteda's employment screening processes were reviewed and a formal policy was drafted to formalise i) which management positions and integrity-sensitive positions require screening and ii) which level of screening is to be applied.
Vesteda updated and launched its Code of Conduct.
Vesteda sent out the annual confirmation reminder of Vesteda’s Code of Conduct in Q4 2021. Vesteda’s goal is to have 100% of its employees confirm the Code on an annual basis. In late 2021 and early 2022, 97% of employees confirmed their compliance with the code of conduct. The Compliance Officer contacted the employees who did not confirm their adherence to the Code.
Vesteda was in contact with the Dutch Financial Markets Authority (AFM) on the rectification of the registered policy makers and parties having a qualified holding in Vesteda. The registration was finalised in Q1 2021.
Vesteda was in contact with the AFM and Dutch Data Protection Authority (DPA) to report on the aforementioned material incident.
The Compliance Officer gave an update session on the Alternative Investment Fund Managers Directive to all members of the Supervisory Committee.
The Compliance Officer actively advised the business on the review of (high-risk) customer due diligence (CDD) files and acts as a sparring partner for the business with regard to client due diligence procedures. The Compliance Officer also advised on the (further improvement of the) automated monitoring of potentially unusual transactions.
As a result of its transaction monitoring, Vesteda filed various reports with the Dutch Financial Intelligence Unit.
Following the aforementioned material incident, the Compliance Officer drew up a work instruction for employees involved in client due diligence investigations and gave presentations to employees on anti-money laundering (AML) principles and recognising potential fraud.
In Q4, Vesteda hired a dedicated CDD officer.
Vesteda offered a Privacy & Security Awareness e-learning course to all employees in order to maintain the level of knowledge of the GDPR.
Vesteda arranged in-house privacy training for specific departments, such as Customer Relations and Marketing & Sales, provided by a law firm, on the handling of tenants’ personal data and the provision thereof to third parties.