The role of compliance in the organisation
In addition to having a good reputation and being a good and reliable investment, we also have to comply with all relevant laws and regulations (internal and external). A Compliance Officer has been appointed to this end. With respect to compliance, two of our main aims are to incur no (monetary) sanctions and to retain our AFM license. There were no significant fines paid by Vesteda in 2018.
The Compliance Officer function is formally defined and embedded in Vesteda’s compliance charter. The Compliance Officer is an independent position. Our Compliance Officer is responsible for the overall compliance programme and for monitoring that compliance is embedded in our organisation. The Compliance Officer monitors our compliance, reports periodically to the Managing Board and the Supervisory Committee, and falls under the functional management of the General Counsel. The Compliance Officer’s tasks include identifying, evaluating, monitoring, reporting on and advising on compliance risks within the organisation.
With respect to the structuring of the compliance function, Vesteda operates according to a ‘three lines of defence’ model. This model helps to strengthen the risk-aware culture within Vesteda and the acceptance of responsibility for the management of risks and internal controls. Compliance is part of the second line of defence. The Compliance Officer has a seat on the Risk Committee and in this committee discusses incidents, trends and developments that (could) have an impact on Vesteda’s corporate integrity. The Compliance Officer is the first point of contact for integrity reports within the organisation.
Compliance and integrity are closely related. Both are closely linked to our reputation, given that acting with integrity and complying with regulations also protects our reputation and the reputation of the industry we operate in. It is no longer enough to simply abide by laws and regulations. Neither is possible without the other and that is also true at Vesteda. The Dutch Financial Markets Authority (AFM) is also stepping up its monitoring of integrity issues, something that was quite clear from the two AFM surveys in which Vesteda cooperated.
In this section, we report on the most important events and activities in the field of compliance and integrity.
As the manager of an investment institution, Vesteda Investment Management B.V., hereinafter referred to as Vesteda, has a licence within the meaning of the Dutch Financial Supervision Act (Wet op het financieel toezicht - Wft). The Compliance Officer’s task is to ensure that Vesteda complies with all (financial) laws and regulations it is required to comply with by virtue of this licence.
The Compliance Officer operates within the broader risk management framework within Vesteda. Within this framework, the Compliance Officer’s remit includes the integrity and compliance risks cited and classified in more detail below. These are:
Focal points in scope of compliance function
Brief description of the focal point
Market behaviour-related integrity risks
This covers risks related to non-compliance with regulatory-related laws and regulations and other relevant laws and regulations (such as the AIFMD, Dutch Financial Supervision Act and the General Data Protection Regulation (GDPR)).
Employee behaviour-related integrity risks
This covers risks related to the non-compliance with internal codes of conduct and underlying procedures (e.g. gift policy, ancillary positions policy or internal reporting scheme).
Organisational conduct-related integrity risks (including their parties and participants)
This covers risks related to non-compliance with rules in fields such as:
· business partner risks
Client behaviour-related integrity risks
This covers risks resulting from actions affecting or in relation to tenants (e.g. screening / acceptance policy for tenants, duty of care as a landlord).
The Compliance Officer organised the annual Systematic Compliance Risk Analysis (SCRA). The SCRA is an instrument the Managing Board and the management use to identify and analyse compliance and integrity risks. The SCRA results in an integrity-risk assessment and appropriate control policy. The results of the SCRA revealed that client integrity, employee integrity and data integrity are all significant integrity risks. The outcome also cites partnerships with external parties as potential integrity risks. The analysis of this set of risks includes an assessment of whether existing control measures are (still) sufficient to prevent or mitigate these identified risks or whether new measures are required. The Compliance Officer incorporated the results of the SCRA in the compliance work plan for 2019. Examples of the measures that will be taken as a result of the SCRA are the adjustment of part of our internal reporting scheme (SpeakUp) and updating our code of conduct.
Vesteda attaches great importance to acting with integrity. To safeguard our integrity, we have our own integrity policy. We strive to guarantee our integrity on all fronts. For instance, all new participants have to undergo a KYC test and we screen the acquisition partners we conduct business with. Internally, Vesteda employees sign a code of conduct and have an internal reporting scheme (including anonymous reporting via SpeakUp). In our code of conduct we adhere to the IVBN Code of Ethics. Every employee who starts working at Vesteda declares at the commencement of their employment that they will comply with this code of conduct. The Compliance Officer reminds employees of this code and the reporting scheme on an annual basis, and employees are asked to confirm that they are aware of the code and the scheme and that they will comply with them. It is Vesteda’s goal to have 100% of its employees confirming the code on an annual basis. In 2018, 99% of the employees confirmed their compliance with the code of conduct. Our Compliance Officer held one-on-one meetings with the employees who did not confirm the code.
All employees are responsible for safeguarding and implementing our integrity policy on a day-to-day basis. The Compliance Officer keeps the issue of employee integrity top of mind via the likes of awareness meetings, dilemma sessions and publications on the company intranet. The goal of our integrity policy is to prevent either Vesteda or any of our employees from getting involved in incidents, unlawful acts and legal violations that might damage trust in the organisation or the financial markets and as a consequence could lead to reputational damage. Vesteda aims to have no confirmed material incidents.
The Compliance Officer keeps a register of reports of (integrity) violations that occur within Vesteda. A violation is classified as an incident when it is an event or conduct that poses a threat to the business integrity of Vesteda. Among the incidents that occurred in 2018, there was one data breach that was reported to the Dutch Data Protection Agency (Autoriteit Persoonsgegevens). Another example is an incident that was received via the anonymous reporting scheme SpeakUp. Some of the reports led to thorough investigation, conversations with those involved and adjusted procedures and/or policies to avoid any repeats. The Compliance Officer informs the Managing Board and the Nomination and Remuneration Committee of all (integrity) violations on a quarterly basis. After an incident has occurred, the Compliance Officer evaluates whether a confirmed incident is material or not. In 2018, Vesteda experienced one confirmed material incident. Appropriate measures have been taken against the employees involved.
The integrity of private data was a theme that required an active contribution from compliance in 2018. After all, once the GDPR came into force on 25 May 2018, Vesteda had to update its privacy-related policies and processes. With the support of an external expert and internal audit, Vesteda has taken steps to comply with the GDPR. Vesteda uses specifically made GDPR software, which amongst other things creates a transparent picture of Vesteda’s data processing activities. The tool also registers data breaches, of which Vesteda recorded 10 in 2018.
The GDPR assigns rights to subjects to have their records erased or rectified. In 2018, Vesteda received 67 requests to this effect and has dealt with the majority of these requests within the stipulated period. The remaining requests are currently being dealt with.
Dutch Association of Institutional Property Investors - IVBN
Vesteda is a member of various professional associations, including the Dutch Association of Institutional Property Investors (IVBN). On the basis of its membership, Vesteda has committed to send the IVBN an annual overview of incidents. The Vesteda Compliance Officer is an active member of the IVBN’s integrity working group. Since 2017, Vesteda CEO Gertjan van der Baan has been vice chairman of the board of IVBN and responsible for housing.
As the manager of an investment institution, Vesteda is subject to the supervision of the Dutch Financial Markets Authority (AFM) and the Dutch Central Bank (DNB). In 2018, the AFM conducted two surveys and Vesteda cooperated in both. The AFM intends to use the results of these surveys to plan its regulatory activities and follow-up surveys.