Sustainability work at Mandatum is continuous. The entire personnel do their part in implementing Mandatum’s sustainability through their everyday actions. Mandatum’s Code of Conduct and policies set the minimum level for sustainability action.
The processing of personal data at Mandatum is based on the public data protection principles approved annually by Mandatum plc’s Board of Directors and the Group’s internal Data Protection Policy. The Data Protection Policy is applied to all processing of personal data at Mandatum and it concerns the entire personnel of both Mandatum and the company’s external partners. The Data Protection Policy describes the processing of personal data at Mandatum, the type of personal data processed and used, the sharing of data with authorities and Mandatum’s partners according to legal requirements, and the rights of the data subjects. Mandatum supplements the Data Protection Policy with data protection principles and guidelines intended for employees and, if required, key partners. Third parties are required to sign a data processing agreement as part of the procurement contract.
The Boards and CEOs of Mandatum Group companies are responsible for ensuring that the companies’ data protection practices are sufficient and that adequate resources are allocated to them. The Compliance unit steers and monitors the company’s data protection measures. The Data Protection Officer reports to the Executive Management Group, the Boards and the Group’s Audit Committee each quarter and as required. The company’s employees and customers can contact the Data Protection Officer if they have any questions concerning data protection. The Data Protection Officer is responsible for Mandatum’s data protection strategy, policies, guidelines, monitoring and reporting, and for addressing data protection deviations. In addition, the Data Protection Officer highlights development needs related to data privacy and promotes measures to meet them.
In its operations, Mandatum complies with the principles of data protection by design and by default and other legal requirements. The management of data protection risks is part of the company’s operational risk management process. The business units assess data protection risks regularly and risk assessments are reviewed quarterly. The likelihood and severity of the risk to the rights and freedoms of the data subject are determined by reference to the nature, scope, context and purpose of the processing. The most significant risks are reported to both the Risk Management Committee and the Boards of Directors quarterly. Additionally, an impact assessment concerning data protection is conducted when planning the adoption of new procedures or technologies, or when current procedures are updated.
The Data Protection Policy is also closely related to Mandatum’s other internal policies, such as the Information Management Policy and Information Security Policy. The purpose of the Information Management Policy is to identify information, determine its ownership and classify it. In addition, the policy is supplemented with the information management principles, which include more detailed information on roles, tasks and classification-related processes.
Mandatum classifies and protects the company’s information systems according to their related risks. An impact assessment concerning data protection is conducted at the planning stage of service procurement or adoption of new procedures or technology. The purpose of the assessment is to discover whether the planned data protection measures result in a high risk to the rights and freedoms of data subjects. Using the assessment results, Mandatum minimises risks and ensures that the requirements of the General Data Protection Regulation are accounted for.
Access to personal data is restricted at Mandatum through user rights management. Data protection practices prohibit the processing of personal data without a work-related reason, which is why data processing is monitored and supervised. In customer online services, strong authentication is required, and communication is encrypted.
Each Mandatum employee participates in data protection training annually. New employees are provided training as part of their induction. If needed, the training is also given to external service providers. The data protection online training completion rate is monitored regularly. In addition to the general online training, teams and individuals receive tailored training throughout the year. Data protection awareness and training are also supported by online training and an app that helps to identify phishing attacks.
Significant data protection breaches are reported to both the Risk Management Committee and the companies’ Boards of Directors quarterly, excluding breaches that must be reported immediately.
Mandatum’s information security management system is certified in accordance with the ISO/IEC 27001:2013 standard. The issuer of the certificate audits the system once a year. The company is adapting its information security risk management model to be part of the operational risk management model. Mandatum has additionally defined key figures and risk appetite, and its risk taxonomy has a separate category for cyber risks.
Mandatum develops information security and cyber security systematically and in accordance with the information security strategy approved by the management. Based on the continuously changing threat landscape, the strategy can be altered, if needed. The strategy’s primary goal is to ensure that the management is aware of the information security situation, define the focal areas of development measures and ensure that sufficient resources are allocated to them.
Mandatum’s daily information security and cyber security management is based on the Information Security Policy approved annually by Mandatum plc’s Board of Directors. The policy applies to all of Mandatum’s employees and the representatives of stakeholders who process the company’s information in connection with their work. The requirements of the policy are also included in agreements made with subcontractors, service providers and other external stakeholders. The policy is closely related to Mandatum’s other internal policies, such as the more detailed Information Management Policy and Data Protection Policy. Supplementary guidelines include, for example, the principles for use of the internet, information network and email, User Right Principles, log entry principles, principles for the use of cloud services, encryption principles and Mandatum’s information security management system, in addition to other guidelines and practices.
Mandatum’s first and second line of defence have their own information security organisations. The Business Technology unit is responsible for operational information security work, planning and implementing information and cyber security-related technical and administrative solutions. The strategic and tactical management of information security and the monitoring and supporting of other units is centralised in the risk management function where it is led by the Chief Information Security Officer.
The information security and cyber security level is assessed continuously and tests concerning processes and systems are conducted regularly. Information security and cyber risks are monitored actively, and they are reported quarterly to the company’s Information Security and Cyber Risk Committee.
Each Mandatum employee and person working on behalf of the company is obligated to follow the company’s Information Security Policy and information security principles and guidelines and to ensure compliance with relevant legislation. Employees’ information security awareness and competence are ensured through training and guidelines. The online training completion rate is monitored regularly. In addition to the online training, certain teams and individuals are offered tailored training as required.
Sufficient information security awareness and competence of external partners is ensured through agreements and guidelines and, where applicable, through training.
Outsourced data processing
Mandatum monitors and audits third-party data processors by carrying out risk-based follow-up inspections at least once a year. In its monitoring, the company uses various tools and services that offer risk classifications (e.g. risk classification platforms). Furthermore, the level of the service provided by third-party data processors is monitored regularly, typically monthly or quarterly.
Suspected breaches, misconduct or deficiencies in information or cyber security are reported in the incident reporting system or directly to either the Chief Information Security Officer or information security team. Reported problems are processed without delay in accordance with the data protection and information security incident management process and escalated to the crisis management team when needed.
Mandatum’s anti-corruption and bribery framework is based on Mandatum’s Code of Conduct and Mandatum’s internal Conflict of Interest Policy, which are supplemented with the Mandatum Way guide and Gifts and Hospitality guidelines. Together, these policies and guidelines define Mandatum’s anti-corruption and bribery principles and strive to promote ethical and responsible business as well as secure Mandatum’s reputation by preventing inappropriate influence and conflicts of interest.
The work against corruption and bribery is also an essential part of Mandatum’s anti-money laundering (AML) and counter terrorist financing (CTF) framework. Mandatum has procedures in place for the enhanced monitoring of politically exposed persons and national and international sanctions lists. The AML officers and Mandatum’s Group Legal unit support the management and business units in complying with the company policies.
The prevention of corruption and bribery is included in the obligatory training programmes for Mandatum’s new and current employees. Furthermore, all employees must regularly participate in compliance training, which reviews Mandatum’s Code of Conduct and internal operating models.
Any suspicions of corruption or bribery can be reported through Mandatum’s whistleblowing system or otherwise directly to the Compliance function.
Mandatum assesses the company’s risks concerning money laundering and terrorist financing annually. The assessment takes into account risk factors related to customers, countries and geographical areas, products, services, business transactions, technologies and distribution channels. In Mandatum’s view, its investment products come with a normal money laundering and terrorist financing risk, while the risk linked to its pension products and life insurance products is considered to be low.
Mandatum’s anti-money laundering and counter terrorist financing framework is based on the Anti-Money Laundering and Counter Terrorist Financing Principles approved by Mandatum plc’s Board of Directors annually. Mandatum has a risk-based approach through which customers are identified and classified into different risk categories. Enhanced due diligence is applied to higher risk customers such as politically exposed persons or people with connections to high-risk states or regions. Each Mandatum Group company has an internal policy on anti-money laundering and counter terrorist financing based on this risk-based approach, which defines requirements for complying with relevant AML and CTF laws and regulations. The policy is supplemented with additional instructions for each business area.
The main forum for AML and CTF matters at Mandatum is the AML Steering Group, which is headed by Mandatum’s AML directors and AML officers and has representatives from the Legal, Compliance, Client Service, IT, and Back Office functions. The AML Steering Group is an expert group providing support to Mandatum’s AML directors, who have overall responsibility for AML and CTF matters at Mandatum Group. The Board of Directors of each Mandatum Group company reviews and approves the AML policies and the business-wide risk assessments at least annually. Mandatum’s business units are responsible for the implementation of the policies and necessary procedures, with support from the AML officers.
Mandatum’s employees are required to participate in annual AML and CTF training, in accordance with their work profiles. The company arranges additional training when laws or processes change. New employees are introduced to Mandatum’s AML and CTF procedures and internal guidelines as part of the induction programme.
Mandatum has procedures in place for continuous monitoring of suspicious business transactions and operations. The AML officers are responsible for investigating internally reported cases and making a final decision on reporting the cases to the authorities.
Mandatum is committed, based on the company’s Code of Conduct and internal guidelines, to transparent and easy-to-understand sales and marketing communications that are never misleading. The company is also committed to offering its customers comprehensive and accurate information on products and their prices, terms and conditions and risks. Mandatum also has internal marketing and customer communications guidelines that define, among other things, customer groups to whom it is prohibited to market or campaign specific products.
Mandatum has a comprehensive permission structure for the processing of individual user rights related to marketing and customer communications. In addition, GDPR processes are embedded into marketing processes (e.g. removal of personal data). Mandatum’s marketing and customer communications follow regulations and key principles and are reviewed by the company’s Legal department before publication.
When offering investment products, Mandatum always evaluates the customer’s risk profile. The risk profile is based on the responses given by the customer in the investor profile questionnaire. The questionnaire collects information on the customer’s investment experience, risk tolerance and investment purposes and goals. The suitability of the products for the customers’ needs is ensured by offering the customers only products that match their risk profiles.
Mandatum offers compulsory training (at least 15 hours/year/person) to all persons working in customer service. The training covers a needs-based sales model and process, new products and services, regulatory demands such as anti-money laundering, ESG aspects and the requirements of the Insurance Distribution Directive (IDD), sales tools and systems and customer data documentation. In addition, employees working at the customer interface must complete certain product and procedure courses to gain a sales license. To ensure the competence of employees working in sales, executives participate in customer meetings during the year.
Annual sales commission negotiations are part of responsible sales practices. Mandatum’s sales commissions comply with the stipulations of the Insurance Distribution Directive in order to avoid conflicts of interest between the customer and salesperson. To ensure ethical sales, sales contracts also include ethical goals such as internally set customer satisfaction levels. Furthermore, Mandatum does not pay sales commissions before legislative stipulations have been met.
Mandatum respects internationally recognised human rights and is committed to ensuring that its operations are not in breach of those rights. The company takes human rights into account in all of its operations, from investment decisions to employment relationships. Mandatum’s principles concerning human rights and work practices are defined in Mandatum’s Code of Conduct and the company is also committed to the UN Global Compact, which promotes human rights.
Mandatum is committed to responsible investment, and ESG aspects are a key part of its investment risk management. The company regularly reviews its investment portfolio to identify human rights violations as part of its norms-based screening. If any violations are identified, Mandatum seeks to engage with the party in question to rectify the situation.
The human rights of Mandatum’s employees are safeguarded in the company’s HR policies and practices. All policy commitments are approved at the company’s highest level. Mandatum emphasises equality in all its actions and policies and monitors the gender distribution in management positions. Equality issues are also discussed in the Mandatum Way guide, which is given to all new employees during induction.
Mandatum expects its suppliers to conduct legal and ethical business. To ensure this, Mandatum conducts a check against its Code of Conduct as part of the supplier assessment prior to agreeing on cooperation and during the cooperation. The most important areas of the assessment are commitment to human rights and equal treatment, environmental goals, data protection and information security, as well as governance-related aspects such as conflicts of interest and preventing bribery and corruption.
Collective bargaining at Mandatum is based on the Act on Co-operation within Undertakings and on the co-operation agreement made with personnel organisations. The purpose of co-operation is to increase the opportunities of Mandatum’s employees to impact the decision-making concerning their work and workplace, and to develop the company’s operations and working conditions.
A shop steward represents Mandatum’s employees in various negotiation situations. The shop steward and deputy shop steward are members of the co-operation committee in addition to the employer representatives. Communication with Mandatum’s personnel takes place through the co-operation committee and the company’s intranet, which is open to all. Mandatum is committed to informing and consulting employee representatives on reorganisations.
Any member of a trade union who is in a permanent employment relationship can stand for election in the shop steward elections. The shop steward’s most important job is to listen to and support members at the workplace and to function as a link between the personnel and employer. Mandatum’s personnel have the opportunity to contact the shop stewards if they need help or advice. An employee may also bring a shop steward along to a discussion between the employer and employee if they feel that it is necessary. Employees have a representative on the Board of Directors. The representative is elected from among the employees for two consecutive years.
Mandatum’s personnel have the opportunity to join a personnel association and through it become a trade union member. The company’s intranet provides more information on the association and advises employees on how to join. New employees are told about the association’s activities at the start of their employment. The freedom of association is respected in the company’s operations and it is ensured through the continuous monitoring of employee rights and through co-operation with trade unions.
The collective bargaining agreement for the insurance industry covers the most important employment terms. According to the collective agreement, employees are allowed to visit health care for certain health checks with no salary reduction. The agreement also defines how work ability and occupational safety are guaranteed at the workplace. Occupational safety covers how occupational safety tasks are arranged, who monitors occupational safety, the responsibilities and other necessary measures.
Remuneration is agreed on in the collective bargaining agreement. Remuneration covers the salary system, pay raises, minimum wages, wages for part-time work, how the monthly salary is divided, how to transfer to more demanding work, which tasks are above the pay groups and how travel and transfers are covered. It also covers compensation for overtime and the pay system for shift work, evening and night compensation, alert compensation, walkouts and resolving conflicts.
Working hours are agreed based on the collective agreement. The collective agreement takes a stand on regular working hours, equalisation of working hours, determining shift work hours and compensation for holidays and other absences.
The collective agreement also includes a training agreement covering vocational retraining, continuing education and supplementary training.
In line with Mandatum’s Code of Conduct, the company does not take part in political or religious activities or give direct or indirect donations to these types of activities. Employees’ personal participation in community, religious or political activities must be clearly distinct from Mandatum’s business operations.
Mandatum takes all suspicions of misconduct and violations seriously and wants to offer an easy-to-use and confidential channel for reporting them. More information on our whistleblowing channel and instructions for filing a report: Reporting suspected misconduct (whistleblowing) - Mandatum
Mandatum’s management listens to employees’ concerns and development ideas and encourages them to give feedback. According to the personnel survey, Mandatum’s employees feel that they can make a difference and that their concerns and suggestions are considered in decision-making.
Mandatum has several confidential channels for reporting discrepancies, which are available to all employees.