The role of compliance in the organisation
Compliance and integrity are closely related. Both acting with integrity and complying with applicable rules and regulations safeguard Vesteda’s reputation and the reputation of the industry we operate in. For Vesteda, it is not enough to simply abide by laws and regulations; integrity should be ingrained in day-to-day business and decision-making processes.
In order to ensure that compliance and integrity are and remain top of mind in Vesteda’s business activities, Vesteda has appointed a Compliance Officer. The role of the Compliance Officer is formally defined and embedded in Vesteda’s compliance charter. The Compliance Officer reports periodically to the Management Board and the Supervisory Committee, reports functionally to the General Counsel, and has a direct line to the CFO and the Supervisory Committee. During the second half of 2019, the position of the dedicated Compliance Officer was vacant and the General Counsel took over the main tasks on a temporary basis. The position has been filled as of 1 March 2020.
The compliance function fits into Vesteda’s ‘three lines of defense’ model. This model helps to strengthen a) the risk-aware culture within Vesteda, b) the assumption of responsibility for the management of risks and c) internal controls. The first line of defense is formed by the business; the compliance function is part of the second line of defense and operates independently from the business. The third line of defense is formed by the Internal Audit function that periodically assesses the effectiveness of Vesteda’s internal control framework, which includes compliance.
The Compliance Officer’s tasks include identifying, evaluating, monitoring, reporting on and advising on compliance risks within the organisation. The Compliance Officer is part of the Risk Committee, discusses incidents, trends and developments that (could) have an impact on Vesteda’s corporate integrity, and is the first point of contact for integrity reports within the organisation. He operates at both a strategic level, advising the Management Board and management, and an operational level, advising the business on day-to-day compliance matters.
The Compliance Officer focuses on the areas detailed in the schedule below.
Focal points in scope of compliance function
This covers risks related to the non-compliance with laws and regulations, such as the Alternative Investment Fund Managers Directive, Dutch Financial Supervision Act and the General Data Protection Regulation.
This covers risks related to the non-compliance with the internal code of conduct and related policies.
This covers risks related to non-compliance with rules related to:
This covers counterparty risks and screening of tenants and parties Vesteda does business with.
Vesteda’s view on compliance and integrity
We strive to ensure integrity on all fronts. Vesteda employees sign a code of conduct and Vesteda has an internal reporting scheme, including anonymous reporting via a SpeakUp line, to report (suspected) compliance and integrity incidents. The Compliance Officer reminds employees of this code and the reporting scheme on an annual basis and employees are asked to confirm that they are aware of the code and the scheme and that they will comply.
The Compliance Officer keeps a register of all reported incidents. When an incident is reported, the Compliance Officer evaluates whether the reported incident should be classified as “material” or not. This would be the case when a) there is a considerable risk of a regulatory fine or sanction, or b) the relationship with key stakeholders could be adversely affected in a serious manner or c) it could result in substantial reputational damage.
Key performance indicators in respect of integrity are:
Number of incidents reported to the Compliance Officer. In this respect, Vesteda explicitly does not strive to have zero incidents reported and in addition, employees are encouraged to speak up to colleagues and management before formally reporting an incident to the Compliance Officer. Vesteda is of the opinion that the reporting of incidents can contribute to risk awareness and is a sign of a company culture in which employees do not fear repercussions for reporting an incident. Incident reporting can help to identify trends or risks. In 2019, the number of reported incidents was stable at 18 (which included mainly minor data breaches and (alleged) conflicts of interest). The incidents were addressed by the Compliance Officer and, depending on the severity of the case, discussed with the Management Board and reported to the Supervisory Committee.
The number of “material” incidents. No material incidents were reported in 2019. Incidents are: criminal acts, corruption, a violation of applicable laws and regulations, a breach of our internal Code of Conduct, a threat to the environment, health or safety, misleading supervisory authorities, intimidation, withholding or manipulation of data or any other act that damages Vesteda directly or indirectly.
Percentage of employees that confirm adherence to Vesteda’s code of conduct. In 2019, 99% of all employees confirmed their compliance with Vesteda’s code of conduct. The Compliance Officer held one-on-one meetings with employees who did not do this to gain an understanding of any underlying reasons.
Vesteda’s compliance with applicable rules and regulations is the foundation of its license to operate. Two of our main objectives are to incur no (monetary) sanctions and to retain our AFM license.
Compliance focus points 2019
The Compliance Officer conducted the annual Systematic Compliance Risk Analysis (SCRA) in Q4 2018. The SCRA is an instrument the Management Board and the management use to identify and analyse compliance and integrity risks in a structured manner. The analysis included an assessment of whether existing control measures were (still) sufficient to prevent or mitigate these identified risks or whether new measures were required. The SCRA resulted in an integrity-risk assessment and control policy. The outcome of the SCRA formed the basis of the Compliance year plan for 2019.
The Compliance Officer kept employee integrity top of mind via awareness meetings and publications on the company intranet.
An annual reminder of Vesteda’s Code of Conduct was sent out. It is Vesteda’s goal to have 100% of its employees confirming the Code on an annual basis. In 2019, 99% of the employees confirmed their compliance with the code of conduct. The Compliance Officer held one-on-one meetings with the employees who did not confirm their adherence to the Code.
The Compliance Officer recorded compliance and integrity incidents and reported on a quarterly basis to the Management Board and a subcommittee of the Supervisory Committee about these incidents and any measures taken. The number of recorded incidents remained stable in 2019.
Vesteda is a member of the Dutch Association of Institutional Property Investors (IVBN). As a result, Vesteda is obliged to adhere to IVBN’s Code of Conduct for the Sale of Rented Housing Complexes and Single Properties, which includes adhering to certain rules when entering into portfolio sales. In 2019, Vesteda sold two portfolios and in doing so, adhered to the stipulations of said code and also had the respective purchasers contractually commit to the code.
In 2018, Vesteda did not submit a periodic report to the Dutch Central Bank (DNB) in time and DNB notified Vesteda that it would impose an incremental penalty (last onder dwangsom) of €1,500. However, since the cause of the late submission of the report was not attributable to Vesteda, DNB decided not to enforce payment thereof, as published by DNB on 17 September 2019.
Vesteda was in contact with the Dutch Authority for the Financial Markets (AFM) on the rectification of the registered policy makers and parties having a qualified holding in Vesteda.
Vesteda did not pay any significant fines in 2019.
All Vesteda employees were asked to take an e-learning training course on privacy. The e-learning training was tailored to Vesteda’s business and covered both legislation and practical examples of privacy-related matters.
As described in more detail elsewhere in this report, the roll-out of a new ERP system was one of the main focus areas for Vesteda in 2019. The Compliance Officer monitored whether the development of the functionalities of the new system was in line with the requirements of the General Data Protection Regulation (GDPR) and abided by the principle of “privacy by design”.
In addition to the new ERP system, Vesteda worked on the development of a new client portal. This also included monitoring of GDPR compliance.
The Compliance Officer was part of a workgroup for the development of a Data Security Policy.