Corporate governance
The Board of Directors is the highest governing body in charge of carrying out the necessary actions so that our objectives, values and strategies correspond to what is expected of healthy governance, safeguarding the interests of shareholders, clients, collaborators, suppliers and communities.
Likewise, we have established Support Committees to the Board of Directors, made up of independent members of the board and, in some cases, officials of the institution itself, in accordance with the applicable regulations. These Committees are the following:
- Audit and Corporate Practices Committee
- Risk Policies Committee
- Human Resources Committee
- Nominations Committee
In a complementary manner, a series of Regional Councils and an Advisory Council have been established as consultative and advisory bodies for the Chairman of the Board of Directors.
For its part, the General Assembly of Shareholders, as the highest body of the company, reviews and, where appropriate, annually approves the reports of the Board of Directors and the General Director of the company, in accordance with the Law that Regulates the Financial Groups.
We have approximately 85% of floating shares, which allows us to have a globally diversified shareholder base, made up of individuals and institutional investors.
Throughout the process of institutionalization of the group, we have developed strategies to adapt to the different investment criteria. The purpose is to expand our shareholder base and to be an option both for those seeking long-term or temporary investment and for those following our Dividend Policy.
The CEO, his direct reports, and their direct reports are the main employees of the Group, that is, the first three levels of the organizational hierarchy (Senior Management). Their compensation plan is variable and subject to meeting the financial metrics established as objectives of the business strategy. To learn more about the remuneration system for Senior Management, see the following link.
In order to verify the internal mechanisms and controls, we have an Internal Control System in charge of guaranteeing that the actions of the Group and our financial entities adhere to the applicable regulations, as well as having the methodologies to review compliance with the foregoing.
Ethics and accountability
The Code of Conduct is a general framework of action that must adapt to the changing nature of our environment. For this reason, we seek to strengthen its content year after year to keep it current, integrating both issues related to the general market situation and issues that reflect daily experiences that could arise in our actions.
The topics that we address in the Code of Conduct are, among others:
- Conflict of interest
- Confidentiality of information
- Conduct with clients
- Relations with competitors, suppliers and authorities
- Interpersonal and community relations, and complaints
Its scope includes directors, officers and employees who provide their services, directly or indirectly, in any company that is part of GFNorte. In this sense, employees who have just entered the institution are trained with an introductory course on the Code and, every two years, all employees reaffirm their knowledge and updates through a mandatory course.
In compliance with the regulation that frames banking processes, the content of the Code of Conduct is reviewed annually in order to verify that its context remains in force and covers current issues, so that it serves as an action guide for employees of the companies that belong to GFNorte. Changes to the Code are proposed to the Audit and Corporate Practices Committee and are subsequently submitted to the authorization of the Board of Directors. Once the board approves the adjustments to the document, these are made known to all staff through the issuance of a regulatory bulletin and the electronic signature of the document.
In the event of any breach of the Code of Conduct, through our Whistleblower system "Ethics Point" our collaborators can communicate safely and honestly with the management or administrative board of the organization, regarding problems and concerns related to unethical or illegal activities, while preserving their anonymity and confidentiality. “Ethics Point” is Safe Harbor-certified through the United States Department of Commerce, as a hotline provider having security measures in place to address EU privacy initiatives and other global privacy directives.
Board oversight in matters of corruption, bribery, money-laundering and terrorism financing is carried out through the corporate governance bodies appointed by the Board itself for review and evaluation of the aspects of inspection and control.
The guidelines on corruption are set out in our Anti-Corruption Policy, which is part of a series of relevant governance documents related to internal control.
Information security
We constantly seek to increase the security level of our information assets, both internal and external. Because of this, we have a broad portfolio of information security policies and procedures that define the security strategy that must be complied with, considering the attention of external regulation and best practices, including the general Information Security Policy. These policies are authorized by the Bank's Control and Audit areas, including the CISO (Chief Information Security Officer) and the Integrity Committee. Additionally, the Internal Audit area reviews the information security processes and the controls of the bank's applications, based on a program authorized by the Audit and Corporate Practices Committee.
As part of our compliance with regulatory requirements, we have mechanisms for the detection, treatment and remediation of critical, high, medium and low vulnerabilities of the infrastructure that supports the bank's applications. We also carry out different security tests such as penetration tests, secure code, and platform scanning.
Along the same lines, we implemented a Vulnerability Management Program (VMP), which details the analysis and testing of vulnerabilities to the technological infrastructure that supports critical applications based on their frequency and severity.
In addition, our vulnerability management process adheres to international standards such as ISO 27001:2013 and PCI-DSS, for which we have been certified since 2015 and 2019, respectively.
Likewise, we have a Security Operations Center (SOC) that permanently monitors network traffic and the behavior of the different applications that make up our infrastructure. In addition to this, our security intelligence team constantly conducts proactive and iterative searches for fraud alerts, as well as threats that could affect information security.
To promote information security for all employees, we annually carry out mandatory and regulatory security training programs, as well as ongoing communication and awareness campaigns. These campaigns include sending emails with phishing scenarios to strengthen the awareness of collaborators in the face of these types of threats.
Technology and innovation
Our global innovation strategy seeks to address the changes that are occurring rapidly in the global financial sector. For this reason, we have the following lines of action:
1. Artificial intelligence
The objective is to develop more accurate campaigns for our clients. In coordination with the Bank's Analytics area, we use artificial intelligence techniques.
2. Digital customer service
Currently, customer service campaigns and processes, including mobile banking, digital banking, branches, contact centers and tablets, operate under a digital service model from a single platform. This model also integrates the hiring processes in order to give the client better service with pre-authorized offers and a simple experience that strengthens financial inclusion.
3. Virtual assistant
Our virtual assistant is the first in Mexico and the one with the highest number of transactions in the national market. Her name is Maya, a Generation X woman with friendly and direct language. Maya can carry out monetary transactions through different functionalities such as submission of unrecognized charge claims, activation of interest-free installment payments, sending of account statements, and the ease of making transfers and payments using whatever aliases the client defines, among others.
4. Analytical and predictive systems
We continue to explore new technologies, calculation methodologies and use of alternative information both to provide a more personalized and efficient service to our clients, and to optimize and strengthen internal and control processes. In this last area, we are focusing on automated document analysis, news analysis, estimation of payment capacity and control of concentration limits and artificial intelligence for consultation of regulation, among others.
5. Facial recognition
We are evaluating facial recognition tools with artificial intelligence to increase security, as well as improve the customer experience, in terms of greatly expedited response times.
6. Digitization of customers
We collaborate with various areas, as well as through an alliance with the Center for Advanced Hindsight at Duke University, to eliminate barriers to the adoption of the bank's mobile application. Likewise, we deploy offers with a greater degree of personalization in digital channels, which translates into more fluid communication with customers and results in the deepening and extension of the business relationship.
Stakeholders relationship
We recognize that our stakeholders are a fundamental part of the relationships and commitments with our internal and external environments, and we know that their participation is crucial for the achievement of long-term objectives. For this reason, we have identified our main audiences and defined various channels of dialogue, which guarantee continuous communication and attention to their requests.
Audit of financial statements
GFNorte has the External auditors’ selection, hiring, evaluation, and rotation manual, which indicates there is no established maximum period for the office of external auditors to provide auditing services for financial statements. The Audit and Corporate Practices Committee evaluates at least every 5 years the convenience of continuing with the same firm, having the power to carry out such evaluation in advance and, in accordance with the results obtained, to propose, where appropriate, its change to the Board of Directors.
Regarding the independent external auditor, quality review partner, and audit team manager, they must not participate in the auditing services of financial statements for more than 5 consecutive years, and may be appointed again after a minimum interruption of 2 years. During that period of time they cannot provide services other than those of ruling of the financial statements so that they can be re-designated as such.
The audit services cost rate for fiscal year 2023 was $44.2 million Mexican pesos. The Audit and Corporate Practices Committee carried out a review of the nature and cost of said services, which are broken down as follows: basic financial statement audit services $33.7 million Mexican pesos, tax services $7.5 million Mexican pesos, and other services $2.9 million Mexican pesos, and recommended them for approval to the Board of Directors.