By their nature, the Group’s specific-purpose payment operations are relatively unexposed to the risks associated with money laundering and the financing of terrorism. Nevertheless, some specific solutions could be misused for the purpose of money laundering or even financing terrorist organizations or actions. As the transition to digital solutions accelerates and due diligence requirements applicable to regulated payment services are increasingly stepped up, additional resources are being deployed.
In some countries, particularly in Latin America, subsidiaries must comply with regulations designed to combat organized crime, money laundering and/or the financing of terrorism. This is also the case for four European subsidiaries with licenses to conduct business as e-money institutions, including one UK-based subsidiary, and Group businesses covered by e-money or payment service regulations.
Measures to manage the risk
The Legal & Regulatory Affairs Department has prepared and circulated anti-corruption processes to executive management in all of the Group’s subsidiaries. These processes are based on corruption risk mapping, an Anti-Corruption Code of Conduct, policies, procedures and other solutions designed to contain the risks identified, as well as a whistle-blowing procedure. In 2020, measures were deployed to strengthen the Group’s existing processes based on the recommendations of the French Anti-Corruption Agency (AFA).
In anticipation of directive (EU) 2019/1937 on the protection of whistle-blowers being transposed into French law, the Group updated its Charter of Ethics in early 2021 and made it the scope of the new internal whistle-blowing process. By end-2021, over 85% of employees had completed the anti-corruption training module.
The Group’s Compliance Department assists subsidiaries in ensuring compliance with the laws and regulations designed to combat organized crime, money laundering and/or the financing of terrorism.
The four European e-money institutions reviewed and amended their anti-money laundering and counter-terrorism financing policies following the transposition of directive (EU) 2018/1673, which amends the regulatory constraints applicable throughout the European Union.
In 2021, these measures were bolstered by a training module for all Group employees covering the risks relating to money laundering and/or terrorist financing schemes. By end-2021, over 75% of employees had completed the anti-money laundering training module.
4.1.3 Cybercrime and information system risks
4.1.3.1 Cybercrime risks
Risk
In the normal course of business, the Edenred group and/or its service providers use a certain number of IT tools and information systems, in particular to manage digital media and for prepaid program management, notably as part of its payment operations. In the face of mounting cybercrime, the Group is more exposed to the risk of cyberattacks that may impair the availability, integrity or confidentiality of confidential or sensitive data for Edenred or its clients.
Measures to manage the risk
In 2019, Edenred’s Information Systems Security & Compliance Department began restructuring its Group-level cybersecurity teams to deal more effectively with cybercrime risks (see also section 5.4.2.1 “Priority issue: IT security”).
Analyses and feedback from the November 21, 2019 attack were also used to reinforce protection and resilience against potential cyberattacks.
At the same time, the Group conducts internal or external audits on sensitive IT sites and infrastructure, in particular to monitor safety and improve quality if needed.
Technical measures to boost data security and detect threats
Security measures implemented by the Edenred group to prevent security incidents mainly take the form of access rights management, access traceability, surveillance of external networks (internet and darknet), external audits of sensitive services, antivirus software on workstations and servers, securing of inbound and outbound access (firewalls, proxies, WAFs, VPNs) and encryption of workstation hard drives.
Deployment of a new cybersecurity program
In 2020, the Edenred group launched a new cybersecurity program in its Information Systems Security & Compliance Department. The program aims to monitor and continually improve cybersecurity both at the subsidiary and the Group level by harnessing international IT security standards.
The program will notably cover governance, security by design, cybersecurity awareness, vulnerability and corrective patch management, IT infrastructure and computer application security, access and identity management, cybersecurity incident management and the resilience of critical IT systems.