Exhibit 11.1
Code of Ethics and Conduct
2024
Dear Team,
Employees of Grupo Bancolombia are recognized for being an example of ethics and integrity. We have a clear vision: we always do what is right, even when no one is watching! We know that integrity and ethical consistency between what we do and say are the foundation upon which our future, that of our families, and that of the organization in all the countries where we operate are built. Ethical culture is the basis upon which we implement our purpose of promoting sustainable development for the well-being of all.
Amid present and future challenges, both our strategy and our culture are dynamic and evolving. As part of that evolution, this Code of Ethics and Conduct offers an updated guide to the behaviors we must practice among ourselves and towards different stakeholder groups.
In this update, I emphasize the importance of being able to integrate behavioral sciences. Understanding how people think, make decisions, and behave allows us to create a more comprehensive framework adapted to the reality of our daily interactions and is essential for promoting integrity at all levels of our organization. This was achieved through careful listening to our employees and stakeholders, ensuring that our values, principles, and cultural traits declared in Movement B are aligned.
I invite you to have this tool at hand every day, so that in the face of any situation that challenges our conduct, we have it as a guide. Remember that a Bancolombia employee always chooses prudence as the first option. Let’s consult and apply our code of ethics whenever we have any dilemma. By doing so, we strengthen our organizational culture based on ethics and transparency, which have been the foundation for continuing to be recognized as the best place to work, the company with the best reputation and corporate governance, as well as one of the most sustainable banks in the world.
Sincerely,
JUAN CARLOS MORA
CEO, Bancolombia
Table of Contents
1. Why Do We Need This Code?
2. How Do We Connect with Our Stakeholder Groups?
• How is the Group Culture Built?
• How Do We Engage with Our Stakeholder Groups?
• How Do We Engage in Digital Environments?
• How Do We Use Group Resources?
3. How Do We Manage Risks?
• How Do We Prevent Fraud, Corruption, Money Laundering, and Terrorist Financing?
• Precautions for the Use of Information and Personal Data.
• Ethical framework for analytical and artificial intelligence systems
4. How Do We Handle Potential Conflicts of Interest?
• When Can Conflicts of Interest Arise?
• How Can We Manage Personal Investments?
• How Do We Handle Gifts and Invitations?
5. What Mechanisms Promote and Support Our Ethical Conduct?
• Ethics Committees.
• Compliance Areas.
• Whistleblowing Channels and Whistleblower Protection.
6. What Is the Disciplinary Procedure?
1. Why Do We Need This Code?
“It reflects our purpose, to promote sustainable development for the wellbeing of all.”
1.1 Our extensive trajectory as Grupo Bancolombia (hereinafter, “Group”) in the countries where we operate is characterized by the responsibility of our businesses (both financial and non-financial in nature), and it is through them that we seek to realize our purpose.
1.2 Our decisions adhere to the law, ethics, and integrity, and take precedence over immediate commercial results. These are the pillars upon which we have built sustained growth.
1.3 The Code of Ethics and Conduct embodies the declaration of an organizational culture, which employees are obligated to practice in our internal relationships and with the various stakeholder groups.
1.4 We understand that the Code of Ethics and Conduct cannot regulate all of our actions or anticipate all ethical dilemmas faced by employees, which is why we rely on good judgment, common sense, and prudence to guide our actions at all times. Therefore, we emphasize that what is not expressly prohibited is not tacitly permitted.
1.5 The provisions of this Code apply to employees and apprentices of all entities within the Group, the Management Teams of each of the Group’s companies, members of the Boards of Directors or Management Boards1, Senior Management2, as well as certain third parties with whom we have a relationship and who adhere to our Code. Hereinafter, and for the exclusive purposes of this Code, we will refer to all of them as “employees”.
1.6 Because ethics transcends geographical and cultural barriers, this Code has corporate scope and was approved by the Boards of Directors or Management Boards of each of the following entities within the Group: Bancolombia, Valores Bancolombia, Fiduciaria Bancolombia, Corporación Banca de Inversión Bancolombia, Banistmo and its subsidiaries, Bam and all companies that are part of the Agromercantil Financial Group, Bancoagrícola and its subsidiaries, Bancolombia Panama and Bancolombia Puerto Rico. Our suppliers are subject to the Ethics and Conduct Guidelines for Suppliers, which, along with this Code, are available to the general community on our corporate websites.
1.7 The Corporate Ethics Committee establishes guidelines for the dissemination of this Code and the implementation of awareness and assessment activities. Likewise, for its update, it defines activities led by the Compliance Vice Presidency through its corporate departments and in the different entities that make up the Group.
2. How Do We Connect with Our Stakeholder Groups?
“Our cultural traits are the foundation of our decisions, actions, and relationships”.
HOW IS THE GROUP CULTURE BUILT?
1 Members of Boards of Directors or Management Boards are included in the term “employees” only for the purposes of this Code; they have no employment relationship with the Group.
2 These are the Presidents (or equivalent positions) and Corporate Vice Presidents of Grupo Bancolombia.
2.1 Within the Group, we are convinced that individuals make a difference. Therefore, our organizational culture is built on ethical principles and expressed through our cultural traits, aiming for each employee to be the best version of themselves.
2.2 Our commitment aligns with sustainability, corporate governance, and ethics. Therefore, it is crucial that our employees’ actions are consistent with this commitment and reflected within the following definitions of the six (6) cultural traits:
CUSTOMERS
Loyalty, preference, and the well-being of our customers are our raison d’être.
HUMAN BEING
People make the difference.
INTEGRITY
Our honesty, coherence, and rectitude make us trustworthy.
EXTRAORDINARY PERFORMANCE
We always aim to be our best selves and exceed our goals.
SUSTAINABLE GROWTH
We take pride in our purpose to promote sustainable economic development for the well-being of all.
DYNAMISM
We are passionate about innovation, agility, efficiency, and transformation.
2.3 We firmly believe that each person, regardless of their origin, gender, age, identity, or creed, brings a unique perspective that enriches our organization. Therefore, we promote respect and provide the necessary tools and resources for the personal and professional development of each member of our community.
2.4. We are committed to promoting, respecting, and recognizing human rights as basic, inherent, and essential prerogatives of individuals. Therefore, we reject any attempt or violation of these rights and adhere to the International Charter of Human Rights.
2.5 Employees are the essence of the Group: it is us who deploy the strategy and make the business model possible. Additionally, we protect and strengthen the Group’s reputation through behavior consistent with the law and organizational culture. Therefore, our selection and hiring practices are aimed at identifying and engaging individuals who, beyond their capabilities and talents, reflect who we are and what we believe in. These practices are transparent and focus on merit, competencies, and candidates’ knowledge to ensure that those who are part of our organization reflect its identity and culture. We ensure diversity in our processes; therefore, we form teams where characteristics such as age, ethnicity, cultural identity, disabilities, religion, ideology, gender, gender identity, sexual orientation, marital status, family composition, or socio-economic backgrounds are not barriers.
Diversity
How do I contribute to diversity in our team?
Do I value and respect diverse perspectives?
Do I learn from the experiences of my diverse colleagues?
Equity
Do I recognize inequalities in the workplace?
Do I ensure equal opportunities for all?
Do I address concerns about equity fairly?
Inclusion
Do I foster an environment where everyone feels valued?
Do I challenge exclusionary behaviors?
Do I promote collaboration among diverse colleagues?
2.6 We have policies aimed at promoting equal opportunities for candidates, regardless of their gender. In the performance evaluation of our employees, the criteria and mechanisms used are free from biases, associated with models for managing and developing competencies.
Additionally, we recognize that expanding towards comprehensive solutions and ecosystems is a significant opportunity to strengthen our relationship with customers and consolidate our presence in the market. In this regard, we commit to fostering a culture where responsible innovation and strategic collaboration with third parties and allies prevail. We strive to deeply understand the needs of our customers, promoting easy and relevant solutions that inspire confidence and loyalty.
HOW DO WE CONNECT WITH OUR STAKEHOLDER GROUPS?
2.7 In our daily interactions, our relationships must be consistent with the Group’s higher purpose, acting competently and integrating our human and technical skills to achieve outstanding results for each of the following stakeholder groups:
2.8 FINANCIAL CONSUMERS
In our actions and decisions, we must consider the loyalty and preference of our customers. Therefore, in our relationship with financial consumers, we must:
a. Strive to clearly understand their needs to build a responsible and close relationship.
b. Promote an environment of trust through efficient, effective, and inclusive service.
c. Provide empathetic, close, and respectful attention that complies with quality and service standards and protects our financial consumers (potential customers, clients, and users).
d. Provide truthful, sufficient, and clear information that allows financial consumers to adequately understand their rights and obligations, as well as the costs of different products, channels, and services.
e. Communicate and explain the different channels and mechanisms established by the Group’s companies to address their requirements, as well as the figure of the Financial Consumer Defender for Colombia or any client protection structure, as appropriate for each country.
f. Implement easy and reliable solutions for our customers.
g. Select and manage counterparties3 with sound judgment, in accordance with our ethical principles and risk management systems, including those related to the management and administration of conflicts of interest.
2.9 SHAREHOLDERS
In the pursuit of value and superior results for our shareholders, we require the permanent challenge and extraordinary performance of our employees. Additionally, we will strictly fulfill the duties and responsibilities to which we are committed in our relationship with this stakeholder group.
2.10 AUTHORITIES AND SUPERVISION, MONITORING, AND CONTROL BODIES
Our relationships with the organization’s control areas, especially with Internal Audit, supervision, monitoring, and control bodies, as well as other authorities and public bodies in the countries where the Group operates, will be conducted within the framework of the law, with transparency, respect, and cordiality, and ensuring compliance with all commitments.
2.11. SUPPLIERS
2.11.1 We are responsible and transparent in supplier selection, hiring, and monitoring processes, building teams committed to outstanding performance, sustainability, and compliance with the Ethics and Conduct Guidelines for suppliers and allies.
2.11.2 We are objective and support our decisions with technical, transparent, and ethical criteria, freely and autonomously, ensuring the detection and management of conflicts of interest.
3 Third parties with whom treasury business, collective investment fund management, and delegated portfolio management, and brokerage firms or securities houses, conduct transactions on their own behalf or on behalf of third parties, on securities or assets for which they are authorized, either in a trading system, exchange, or over-the-counter market; additionally, in accordance with the Counterparty Risk Management System (SARIC), applicable for Colombia, a counterparty is the designation that includes the clients of a brokerage firm and those with whom a brokerage firm conducts transactions on its own behalf or on behalf of third parties, on securities or assets for which they are authorized, either in a trading system, exchange, or over-the-counter market.
2.11.3 Contracts and processes derived from them seek the best cost-benefit relationship for the Group at the time of contracting and during the commercial relationship.
2.12. COMPETITORS
2.12.1 Healthy, free, and fair competition is a fundamental element in all our operations and relationships with other financial and non-financial entities. Therefore, as employees, we must avoid, among other things:
• Making comments that may affect the image of competitors or contribute to spreading rumors about them.
• Engaging in acts that may cause confusion or deception to customers.
• Engaging in anticompetitive practices, including but not limited to, agreements aimed at limiting or restricting free competition, abusing dominant market positions if they exist, and engaging in unilateral acts restrictive of competition.
2.13 MEDIA AND PUBLIC OPINION
Through authorized spokespeople in established channels for this purpose, and in cases where not prohibited by regulation, we define the communication strategy in the Group and provide corporate information to sensitize public opinion about our activities, products, channels, and services, promoting financial education and inclusion.
2.13.1 Information disseminated by the Group in compliance with national and foreign regulations must be truthful, clear, timely, and reflective of our integrity.
2.13.2 Presidents (or equivalent positions) of Group companies and employees expressly authorized for this purpose may be the only authorized spokespersons of their respective entities and must, with empathy, promote cordial and respectful relationships with the media and, in general, with public opinion.
2.14 EMPLOYEES
Members of the Boards of Directors or Boards of Administration of Group companies define our ethical principles, guide our behavior, and ensure that business results reflect behaviors consistent with this Code and the law.
2.14.1 Leadership positions in any of the Group’s companies must promote our organizational culture by example. This entails identifying and resolving situations where their teams face ethical dilemmas, involving the Compliance department when their proper and timely management requires advice (to learn more about identifying and managing conflicts of interest, see Chapter 4, How do we act in the face of potential conflicts of interest?). It is important that leaders understand the personal, social, economic, and labor aspects of their team members to guide their development and identify possible warning signs, always through an empathetic, close, and respectful relationship, respecting privacy and confidentiality.
2.14.2 Our internal relationships must be framed within our organizational culture, defined by our cultural traits, this Code, and in strict compliance with our Internal Work Regulations and our Good Governance Code.
2.14.3 As employees, we must promote collaborative work without geographic barriers, adding diverse skills that facilitate learning and ensure gender equality and inclusion through empathetic, respectful, and close relationships with each other and with different stakeholder groups.
2.14.4 We ensure that variable remuneration is consistent with performance, has limits, and does not incentivize incorrect behavior, in order to avoid inappropriate incentives that undermine the integrity promoted by the Group. We have a methodology in the compensation model that guarantees bias-free remuneration, which does not distinguish age, educational level, health condition, ethnicity, gender, cultural identity, sexual orientation, or socioeconomic background.
2.14.5 We reject all forms of illegal or abusive employment and any violation of human rights, including discriminatory acts, workplace or sexual harassment, disrespect, mistreatment, or physical or psychological abuse. As employees, we must, without distinction, build respectful relationships, fostering a positive and inclusive work environment. Any complaint we make will be promptly received and managed by the Talent and Culture department. Through an investigation, actions for attention, reparation, prevention, and non-repetition will be deployed in cases where required.
2.14.6 The safety, health, and well-being (physical, mental, and emotional) of our employees are fundamental to achieving superior results. Therefore, all our leaders must promote a healthy, safe, productive work environment, and equal opportunities for development of capabilities. Additionally, we support our employees and their families in all the places where we operate through strategies focused on their holistic well-being4.
2.14.7 Our comprehensive risk management promotes self-management and self-control; therefore, the activities of the control and audit areas complement those of the people directly responsible for executing processes and subprocesses. We are all responsible for knowing and complying with the Group’s internal policies and the controls associated with their functions, which is why we design training courses, some of which are mandatory and must be completed annually.
2.15 PUBLIC ENTITIES, THEIR OFFICIALS, AND COLLABORATORS
Entities and authorities provide a framework of action and essential inputs for the development of our businesses. Our interactions with them and their officials will always be within the framework of the law, transparency, and sound business practices, in a context of respect, collaboration, and under the principles defined by the Group, particularly that of zero tolerance for acts of corruption.
2.16 ENVIRONMENT
2.16.1. Within the Group, we are committed to preserving the environment and natural resources. Therefore, we support and promote initiatives that foster sustainable businesses and integrate elements related to this issue into our risk methodologies.
2.16.2. We raise environmental awareness through environmental partnerships with the public and private sectors, non-governmental organizations (NGOs), and the community at large. Additionally, we encourage our employees to actively participate as volunteers in various sustainability projects aimed at benefiting vulnerable communities.
2.16.3. We evaluate environmental, social, and economic aspects, including good corporate governance, in the projects we finance or invest in, and we guide our clients towards the implementation of projects and activities responsible for the environment.
2.16.4. We support high-impact social programs that contribute to human capital development and the reduction of inequality.
2.16.5 We have an ESG (Environmental, Social, and Governance) governance structure within the organization, from the Board of Directors to each vice presidency, with defined roles and responsibilities regarding sustainability issues, allowing us to articulate environmental, social, and economic trends throughout the organization.
4 For Bancolombia, there is the CONTIGO Line designed to provide legal and psychological support and guidance to employees, should they require expert assistance in personal or work-related matters concerning violence, discrimination, abuse, depression, anxiety, or any other related issue.
2.16.6 We comply with local and international regulations related to sustainability and participate in local and international groups to influence and advance sustainability goals such as climate change, biodiversity, among others.
HOW DO WE ENGAGE IN DIGITAL ENVIRONMENTS?
2.17 Digital environments (including our own social media, third-party social networks, and instant messaging services) are spaces for conversation and permanent interaction for all aspects of daily life. Therefore, we must protect our reputation and that of the Group on social and digital platforms. Understanding the impact and reach of these environments, we must observe the following:
Impact on institutional image:
1. Our behaviors as Group employees are the same inside or outside the organization, including our digital environment.
2. We are aware that we are not official spokespeople for the organization, and having a personal social network does not make us one. We must always make our posts on a personal basis.
3. We understand that, although social networks are open spaces, within the Group, we act with respect and do not accept any discriminatory or offensive expression from its employees against individuals or other organizations.
4. We are careful about what we say and do in the digital arena, and we do not promote negative conversations or those that directly or indirectly affect the organization and its stakeholder groups.
5. If we wish to use our social networks to promote activities for political purposes, we avoid presenting ourselves as Group employees. In other words, our posts should not relate to both roles.
Confidentiality Protection:
1. We always protect confidential information and any data that may affect the organization and its stakeholders.
2. Under no circumstances do we request or expose personal data or contact information, whether our own or of a third party.
Use of Official Channels:
1. When we receive inquiries or want to share information about Bancolombia Group matters, we always use the appropriate channels and the organization’s official stance.
2. We understand that in publications of the organization’s products and/or services, we must always use authorized materials and commercial language, including terms and conditions. If using graphic elements, they must be provided by the organization, and we should not create our own designs.
3. We do not create spaces or groups on social media platforms on behalf of the organization.
4. We exercise caution when sharing audio or text on digital platforms that can quickly go viral, with potential personal reputational consequences for the Group or its stakeholders.
HOW DO WE UTILIZE GROUP RESOURCES?
2.18 Assets owned by Group companies or under their administration must be used responsibly in performing the duties of each position and for the purposes for which they were acquired.
2.19 The use of digital communication tools and channels (email, internet, intranet, chats, and technological, computer, and office tools, among others) is for informational purposes, to effectively carry out our job functions. Unless explicitly required by job functions or with written authorization, changes to equipment settings are not allowed, unless they jeopardize operations, technological infrastructure, or affect the integrity, availability, or confidentiality of information.
2.20 Personal use of these means must be exercised with good judgment, avoiding any interference with the fulfillment of job duties and complying with all regulations issued by competent authorities or by the Group company for which they work, understanding that:
• all transmitted, created, modified, sent, or retrieved data are the property of the Group and may be monitored when applicable regulations allow, without the need for authorization of any kind;
• inappropriate use constitutes a violation of the provisions of this Code.
Without limiting the foregoing, we expressly prohibit the use of Group computer resources for the following purposes:
• Storing, distributing, editing, or recording offensive, racist, pornographic, or terrorist material, or material offensive to any of our stakeholder groups.
• Distributing political advertising or engaging in political campaigning.
• Fraud, extortion, defamation, spreading rumors about any person, creating panic, spreading computer viruses.
• Using technologies and computer resources that undermine the integrity and reputation of any person, their equipment, or their information.
• Engaging in online gambling.
• Sharing access keys to software legally used by Group companies.
• Installing software or downloading videos, music, games, or information without legally acquired licenses.
• Allowing third parties to install software on Group equipment.
3. How Do We Manage Risks?
“We conduct comprehensive risk management committed to the evolution of the business and the superior experience of our customers.”
The entity’s comprehensive risk management is developed in compliance with current regulations (where applicable) and internal standards defined by the Board of Directors, which, for its supervisory functions, is supported by the Risk Committee, tasked with accompanying it in the approval, monitoring, and control of policies, methodologies, tools, guidelines, and strategies for the identification, measurement, control, and mitigation of risks.
HOW DO WE PREVENT FRAUD, CORRUPTION, MONEY LAUNDERING, AND TERRORISM FINANCING?
3.1. We are committed to conducting our business in strict compliance with the internal standards voluntarily adopted and the laws and regulations of the jurisdictions in which we operate. Therefore, we seek to prevent the commission of crimes.
PREVENTION OF MONEY LAUNDERING, TERRORISM FINANCING, AND CORRUPTION IN OUR OPERATIONS
3.2 Financial institutions, as guardians of the financial system, have the obligation to prevent money laundering and terrorism financing (ML/TF). Likewise, we must protect ourselves from being used for any criminal conduct preceding money laundering. These vary from jurisdiction to jurisdiction but include, among others, drug trafficking, terrorism, and corruption-related offenses.
3.3 In line with the above, the Group has established a risk management system to prevent money laundering, terrorism financing, and other related risks. Our corporate system includes policies, procedures, methodologies, and tools for the identification, measurement, control, and monitoring of these risks. This requires all Group employees to comply with the rules, policies, and procedures outlined in the risk management system, including the execution of controls to prevent money laundering and terrorism financing.
3.4 In particular, for the effective performance of the commercial and operational roles of our employees and suppliers, we follow the following criteria, even if this entails prioritizing them over achieving commercial objectives:
1. Base management on customer knowledge: Gather timely and complete necessary customer information, such as the onboarding process and routine updates to manage alerts, complying with the most demanding requirements for knowing national or foreign clients representing a money laundering or terrorism financing risk for the entity, according to their profile or functions.
2. Identify and escalate to compliance areas: Use established channels to escalate any unusual activity detected and cooperate with the necessary procedures for evaluation.
3. Manage customer control lists: According to the indications arising from matches of your current and potential customers on the control lists.
4. Update knowledge: On money laundering prevention topics through mandatory training and other training opportunities.
3.5 Compliance department employees will have among their responsibilities evaluating unusual operations to determine if they are justified or if they are suspicious. When the Compliance Officer determines that an operation is suspicious, they must report it to the competent authority on behalf of the respective Group company.
COMPLIANCE WITH TAX AND FISCAL OBLIGATIONS
3.6 We are committed to complying with the tax and fiscal duties applicable to our companies; therefore, as employees, we must align our actions with the fulfillment of our policies, which include, among others:
• Complying with tax obligations according to current regulations and ensuring compliance with laws and regulations in each country.
• Guaranteeing the payment of taxes, fees, and contributions owed in the locations where we operate, considering the use of alternatives and options available in tax laws.
• Disclosing to stakeholders, in the annual report, the resources allocated to the payment of taxes, fees, and contributions in each country where we operate.
• Not engaging in tax evasion operations. Nor conducting operations in jurisdictions classified as non-cooperative or with low or no taxation according to the standards of tax havens defined by the OECD.
• Not participating in artificial tax structures without real economic justification, business purpose, or lacking commercial substance.
• Identifying, measuring, monitoring, and mitigating tax risks under existing tax principles in the respective country where we operate.
• Timely submitting and paying tax declarations.
• Recognizing transactions conducted between related parties by applying the Arm’s Length Principle. These transactions are documented and reported to each tax authority.
ANTIFRAUD AND ANTICORRUPTION
3.7 As we have mentioned, in the Group, we are committed to respecting and protecting human rights. Therefore, we seek to prevent, measure, and mitigate potential risks that could lead to a violation of these rights, whether through concealment, financing, or any other form of tolerance or support. We exercise this commitment in our operations, ensuring that our alliances with external entities, the projects we invest in and finance, and our suppliers and other stakeholder groups are aligned with our declaration and action in favor of human rights.
3.8 As actors in the financial system, and aware of our role in the countries where we operate, we lead by example and therefore do not tolerate acts of fraud and corruption. Additionally, under the agreements we enter into with our suppliers and partners, we require them to adopt the same standard through the Ethics and Conduct Guidelines for Suppliers and contractual clauses they subscribe to, as well as with our partners and the companies in which we invest.
3.9 The prohibition extends to any form of fraud or corruption sanctioned by law and the best practices that we incorporate into our policies or internal processes.
3.9.1 We define fraud as any act or intent to obtain an illegal benefit or advantage, either personally or for third parties, through deceit and to the detriment of Bancolombia Group’s interests. This may include, among other behaviors:
• Appropriation, embezzlement, or misuse of resources: concealment of assets, misuse of confidential information or intellectual property, unauthorized access or copies of digital assets, unauthorized expenses, or misuse of the internet.
• Forgery or manipulation of financial or non-financial reports: The deliberate misrepresentation of the financial condition of the Group through forgery or manipulation of financial or non-financial reports, deliberate misstatements, or intentional omissions of information.
• Corruption, bribery, conflicts of interest, and abuse of position or functions for personal or third-party benefit.
3.9.2 We define corruption as the abuse of power in an assigned function with the purpose of obtaining a personal benefit or for a third party, to the detriment of public or private interests. According to Law 2195 of 2022, issued in Colombia, corruption currently encompasses at least 75 offenses defined in the Colombian Penal Code, including bribery. This implies that all employees in their actions associated with their functions must prevent, identify, and manage potential corruption risks, through the following questions, which are the vulnerable sectors to this risk. The functions performed in relation to our operation in the countries where we have a presence also fall within the scope of Colombian law, taking into account the participation of Bancolombia officials in their day-to-day activities.
OUR MANAGEMENT OF INFORMATION AND PERSONAL DATA
3.10 Our sustainable growth is associated with the responsible use of data that help preserve the integrity, confidentiality, and availability of the information that each of the Group’s companies holds about their processes, technologies, and people. Our employees must make appropriate use based on respect for the information owners.
3.11 We know that information is essential for the execution of our processes, the activities that contribute to innovation, the exploration of new opportunities, and ways of doing things. The use of databases and analytical tools offers us opportunities to better understand our stakeholder groups, including financial consumers, enabling us to provide superior experiences for them; however, they bring significant challenges related to privacy and responsible data use. Therefore, we promote impartiality, ethics, responsibility, transparency, and human control of technology in data use among our employees, in order to protect the privacy and personal sphere of our customers, employees, suppliers, shareholders, and other stakeholder groups.
3.12 We strive to ensure that information is available promptly and intact for our employees who require it to perform their functions, always under adequate security parameters, according to its classification and access management for compliance with regulations applicable to the protection of personal data.
3.13 It is the responsibility of leaders to oversee the information used by employees for the performance of their activities, as well as to verify access control according to the assigned role. However, it is the responsibility of employees to manage the withdrawal of access to technologies and applications that are not required.
3.14 We treat personal data with high compliance standards, under a decentralized model that operates with the principles of legality, purpose, truthfulness, transparency, access, restricted circulation, security, and confidentiality, as well as those derived from the regulations of each country where we have a presence.
3.15 In the design, creation, and implementation of any initiative, a preventive approach to personal data management will be maintained.
3.16 CLASSIFICATION OF INFORMATION
In the Group, we distinguish four types of information: (A) Public; (B) Internal; (C) Confidential, and (D) Restricted. For this, we have minimum security guidelines on criteria for classifying and labeling information in physical or digital format, which is generated, stored, consulted, modified, transmitted, destroyed, or used by the organization’s processes, people, and technologies.
A. We consider information public when it has a low impact on the Organization or related parties. This information is available to all Bancolombia Group employees and third parties, including information intentionally disclosed by Bancolombia Group for public or external distribution, or personal data that is not restricted, confidential, or internal. Additionally:
(i) External sources to the Group have put it in the public domain;
(ii) It has been publicly disclosed by authorized employees, complying with the rules and procedures defined for this purpose;
(iii) It has been generated by employees from public information, with the initial intention of sharing knowledge with third parties, and, exercising their good judgment, they disclose it without restriction. We can use public information as long as we show respect for those we refer to and are convinced that the information is true. If we know that the information has been made public as a result of non-compliance with an internal rule or policy, we must refrain from disseminating it.
B. Information is for internal circulation when it has a medium impact on the Organization or stakeholder groups. This information is available to certain authorized groups of people from Bancolombia Group who require it to perform their functions or for the purposes of the process they support; likewise, it includes personal data whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of authorized individuals for the execution of specific internal processes.
C. Information is confidential when it has a high impact on the organization or related parties. In the event that this information is lost, corrupted, or disclosed, it could result in reputational damage or affect the commercial capacity of the organization. This information is only available to certain groups of people who require it to perform their functions or personal information that, due to its intimate or reserved nature, is only of interest to the owner.
D. Information is restricted when it is privileged or represents a critical impact on the organization, stakeholder groups, affects the privacy of the owners, or whose misuse could generate discrimination. In the event that it is lost, misused, or disclosed, it could result in regulatory or legal action, financial loss, reputational damage, or loss of commercial capacity. It is only available to authorized employees.
3.16.1 When it is necessary to share internal and/or confidential information with authorized third parties, they may access it within the scope of their functions, for established purposes, and with strict adherence to defined confidentiality agreements and our data processing and personal data protection policies.
• Confidential information is also restricted when its loss, inappropriate use, or unauthorized disclosure results in a critical impact on the Group or related parties.
3.16.2 We provide training plans, technological capabilities, and other actions that educate about the restrictions derived from the protection of personal data, banking secrecy, and stock exchange secrecy, as applicable, so that our employees understand the classification of information and the potential restrictions on its use or sharing, within and outside the company for which we work.
3.16.3 When there are doubts about the classification of information, whether public, internal, or confidential, we must always treat it as confidential.
ADDITIONAL MEASURES REGARDING CONFIDENTIAL AND RESTRICTED INFORMATION
3.17 We must safeguard confidential and restricted information, complying with the controls corresponding to its classification and using it only for authorized purposes. Before sharing confidential or restricted information, regardless of the medium (digital or analog), we must inquire whether the recipient has the functions and authorizations required for its knowledge or use.
3.18 We must understand and comply with the following criteria regarding the management and use of confidential and/or restricted information:
• We will assume that all information about shareholders, clients, suppliers, employees, and other financial consumers is confidential and/or restricted unless it is evident that it is public information that can be disseminated.
• We will assume that data on the financial and/or strategic situation of any company in the Group is confidential and/or restricted unless it is evident that it is public information that can be disseminated.
• Treat confidential and/or restricted information to which we have access responsibly and in accordance with established policies on personal data protection.
• Confidential and/or restricted information that we create or to which we have access in our role belongs to the Group and will not be used for our own benefit, for third parties, or for purposes other than those authorized by its owners.
• The information contained in our databases is confidential and/or restricted, and we must use it according to the policies established by the Group regarding the personal data of different stakeholders.
• Neither during the tenure of the position nor upon its departure are we allowed to copy, in whole or in part, elements or documents from the local hard drive of the assigned equipment to other technological devices, or extract copies of databases, even if the copy is used solely and exclusively for the performance of assigned functions, unless it is done in strict compliance with the policies or guidelines defined in that case.
• We cannot disclose, transmit, or transfer confidential and/or restricted information via email, physical copies, or any other means, except when we have express authorization and do so in accordance with applicable regulations and established procedures for this purpose.
• We will use the means of storage and transmission of information provided for this purpose by the Group entities.
• Ensure that those to whom we provide this type of information are aware of its classification as confidential and/or restricted and the limitations on its use resulting from this classification.
• If, due to particular or exceptional circumstances, we must discuss topics involving confidential and/or restricted information in public places, we will act with maximum discretion and prudence, always using good judgment.
• We are responsible for the management of confidential information to which we have access, so we must be aware of security controls and best practices regarding its use, which are established in information security policies.
• If we receive confidential and/or restricted information by mistake, we must refrain from using it and immediately inform the sender so that it is not disseminated.
PRIVILEGED INFORMATION AND OUR BEHAVIOR REGARDING IT
3.19 The applicable legislation in each of the countries where we operate defines what is understood by privileged information. In addition, the use of privileged information for our own benefit or that of a third party may constitute a crime in these jurisdictions; therefore, in addition to what is stipulated in this Code regarding confidential information, privileged information will be subject to the restrictions contained in the law.
Privileged information is specific information not available to the public and that an investor would consider for the management of their investments.
3.20 When we have doubts about whether the confidential information we know or have access to is privileged, we must act as if it were or consult with the Legal and/or Compliance department.
The following list illustrates several situations (but not the only ones) in which we could come to possess privileged information:
• Participation in the preparation of financial statements or inputs for them.
• Development of products or businesses for clients who are issuers in a securities market.
• Discussions about strategic business opportunities and high-impact clients who are issuers, or visits to supervise ongoing projects of this type.
• Participation or knowledge of high-impact and strategic projects for the Group.
• Participation or knowledge of critical administrative decisions.
• Participation or knowledge of investment decisions, purchase and/or sale of materially significant assets.
• Participation in the execution of mandates granted to investment banking when they involve an issuer.
• Participation in crisis management involving, for example, a cyber-attack.
ETHICAL FRAMEWORK FOR ANALYTICAL AND ARTIFICIAL INTELLIGENCE SYSTEMS
3.21 In the Group, we implement an ethical framework for our analytical systems and artificial intelligence (AI) based on the principles proposed by the OECD, which reflects our commitment to business ethics and social responsibility, aligning with the principles of our Code of Ethics and Conduct.
DEFINITION OF ANALYTICAL AND AI SYSTEMS FOR BANCOLOMBIA
We understand analytical and artificial intelligence systems as those that make use of computational capacity for the creation of algorithms or combinations thereof which, through a prior process of learning or training, generate predictions, content, recommendations, or decisions from the input data they receive, with the aim of influencing physical or virtual environments. These systems can vary in their level of autonomy and adaptability after deployment. They also encompass several subfields, such as deep learning, natural language processing, machine learning, various statistical and econometric techniques, among others.
ETHICAL PRINCIPLES FOR ANALYTICAL AND ARTIFICIAL INTELLIGENCE SYSTEMS
Inclusive Growth and Sustainable Development:
• We promote the inclusion of underrepresented populations and work towards reducing economic and social inequalities.
• We promote initiatives that protect the environment and foster sustainable development.
Human-Centered Values:
• We respect and promote human rights and democratic values at all stages of the life cycle of analytical and artificial intelligence systems.
• We evaluate privacy and data protection, promoting fairness and social justice.
Transparency and Explainability:
• We seek to implement analytical and AI systems that are transparent and provide clear explanations of how they operate and make decisions.
• We encourage open dialogue with all stakeholders about the implications and operations of analytical and artificial intelligence systems.
• Promote transparency in how personal data is collected, used, and processed, adopting Privacy by Design and Impact Assessments in the creation and development of analytical and AI systems.
• Ensure that personal data remains accurate, complete, up-to-date, and understandable, and that its processing does not alter its accuracy.
Robustness, Security, and Protection:
• We promote the development of analytical and artificial intelligence systems that are robust and secure, operating consistently with their intention and without causing harm.
• We implement security measures to protect against the misuse of analytical and artificial intelligence systems and ensure the security of personal data.
• Promote techniques that protect the identification of personal data, such as anonymization and pseudonymization.
Accountability:
• Take responsibility for the operations of AI systems, ensuring they are traceable and can be audited and monitored, including an approach based on the protection of personal data and the privacy of stakeholder groups.
• Establish accountability mechanisms to ensure that analytical and artificial intelligence systems are used ethically and responsibly.
Ethics of Analytical and AI Systems
Inclusive Growth, Sustainable Development, and Well-
Do our AI systems promote inclusion and diversity?
How do our AI systems help reduce social inequalities?
Do our AI systems contribute to environmental protection?
Human-centered Values and Equity
Do our AI systems safeguard human rights and democratic values?
How do our AI systems protect user privacy and data?
Do our AI systems promote equality and non-discrimination?
Transparency and Explainability
Are the decisions of our AI systems transparent and understandable?
Do our AI systems allow for transparent auditing of their processes?
How do our AI systems ensure that users understand their decisions?
Robustness, Security, and Protection
Are our AI systems robust and reliable under various conditions?
How do our AI systems protect users from security risks?
Do our AI systems ensure user data protection?
Responsibility
Do our AI systems ensure accountability at all stages of their lifecycle?
Do our AI systems allow for accountability in decision-making?
Do our AI systems ensure the responsibility of all involved stakeholders?
4. How do we handle potential conflicts of interest?
“Conflicts of interest are inherent to human nature, so we manage them properly to make better decisions.”
WHEN CAN CONFLICTS OF INTEREST ARISE?
4.1 In the Group, we are aware that conflicts of interest are inherent to human nature, and we recognize that their existence is not inherently reprehensible. However, our actions in a situation of conflict of interest, without it being disclosed and/or managed, may lead to inappropriate behavior and affect the Group’s reputation. Therefore, we demand maximum prudence regarding a real, potential, or apparent conflict of interest5.
5 An apparent conflict of interest is when it may give the perception that one is acting in favor of a particular interest, even though this may not be the case.
4.2. We are faced with a potential conflict of interest when: (i) we must make a decision or can influence it, (ii) we have conflicting and incompatible interests in that decision, and (iii) the alternative we choose favors one interest over others.
PERSONAL CONFLICTS OF INTEREST
4.3. Conflicts of interest are personal when we have a personal interest in a matter, either directly or indirectly, and this interest somehow opposes the Group’s interest. Some of these cases include:
• Accepting preferential terms or conditions for investment or business from clients, suppliers, or counterparts of Group companies with whom we have a direct or indirect relationship and that are not offered on equal terms to the rest of the Group’s collaborators;
• Participating in or influencing decisions related to the purchase, sale, or rental of assets by any Group company when the assets belong to us or are managed by us;
• Receiving commissions, remuneration, or economic incentives, without authorization, for the sale of Group company assets or assets received in lieu of payment;
• Obtaining loans from clients, suppliers, or other counterparts of the Group serviced by the collaborator unless the loan is received within the framework of a commercial relationship with an entity whose purpose includes providing financing;
• Granting or receiving significant or regular loans from other collaborators on an onerous basis;
• Being part of the acquisition, approval, and administration processes of assets or assets received in lieu of payment:
» Acquiring for ourselves or third parties, directly or indirectly, goods or assets that have been given in payment to the company for which we work;
» Participating in the approval process of credits aimed at granting financing to the buyer for the purchase of the asset.
4.4 External Activities:
• Directly participating or through third parties in external activities that involve competition with any of the Group’s companies; or
• Being a significant shareholder, employee, director, or advisor of companies or businesses engaged in activities competing with those of the Group entities.
4.4 Activities Involving Related Parties6:
• Serving clients who are Related Parties when the collaborator is part of the credit granting processes or when they have the authority to offer or approve products, services, discounts, or exemptions;
• Participating in selection processes for collaborators or suppliers in which a Related Party is a candidate or bidder, or making decisions regarding a contract in which the supplier is a Related Party or the Related Party has a stake;
• Holding positions within the Group where one leads or supervises or is led or supervised by a Related Party;
• Participating as a collaborator in negotiations or in the exploration of a business where the counterparty is a Related Party or the Related Party has a stake; or
• Being accountable to oversight bodies when this is done concerning a Related Party who works for the oversight body.
6 Related Parties can be direct or indirect. Direct ones include: (i) the immediate family group, namely, parents, siblings, children, spouses or permanent partners, grandparents, grandchildren; (ii) legal entities in which one serves as an administrator, manager, and/or member of any supervisory body; (iii) legal entities of which one owns or is the real beneficiary of more than 10% of the share capital of the company or the lower percentage required by applicable law. Indirect ones include all natural and/or legal persons with whom one has a contractual, personal, familial, or any other type of relationship that could affect the objectivity and impartiality that should characterize commercial relationships (examples: boyfriends, best friends, brothers-in-law, etc.).
To properly manage external activities, see Chapter 2 of this Code.
4.5 Activities Financed by Clients: accepting, from clients of Group companies, coverage of travel expenses or other expenses necessary to carry out Group-related work, including client knowledge.
4.6 We have a responsibility to be vigilant and identify these or other situations that confront us with a conflict of interest. When conflicts arise, they must be immediately reported to our leader for management according to the authorities in each country (see table 1). In cases where these positions do not exist, they must be reported to the vice president of the area or equivalent position.
The leader must assess the situation and determine if action can be taken because there is no conflict or how it can be managed. If in doubt, the situation should be reported to the Compliance area for advice. Always record the disclosure of the conflict and the decisions made according to the mechanisms established by the Compliance area.
TABLE 1
Attributions for managing conflicts of interest.
These attributions may be redefined according to the evolution of the organizational structure and/or the guidelines provided by local ethics committees.
| ENTITY | APPROVAL IN COMMERCIAL AREAS | APPROVAL IN ADMINISTRATIVE AREAS |
| --- | --- | --- |
| Bam | Agencies: Regional Agency Manager and other commercial areas: Area Vice President | Area Vice President overseeing the employee, except for Corporate Services Vice Presidency, which will be managed by Unit Managers |
| Bancoagrícola | Agencies: Commercial Agency Director, other commercial areas: Immediate Director | Director or equivalent position |
| Banistmo | Regional Director | Director |
| Bancolombia | Regional Vice President | Director or equivalent position |
4.7 Members of the Board of Directors or Management Boards and the Senior Management of the Group companies must disclose any conflicts of interest in which they may be involved in accordance with the procedure established in the Good Governance Code, so that these can be managed through the established procedure. Additionally, they may disclose to the Compliance area any situations about which they wish to make a record and obtain clarification, even if these do not require disclosure in the manner established in the Good Governance Code.
4.8 To prevent potential conflicts of interest arising from the relationship between employees, their Related Parties, and our clients or suppliers, we must complete the following declarations and update them as defined:
(i) the declaration of kinship in the system made available by the Vice Presidency of Talent and Culture for this purpose; and (ii) the declaration of other Related Parties in the system or mechanisms made available by the Compliance areas for certain groups of employees. Completing these declarations does not exempt from disclosing any conflict in the manner provided in this Code.
CONFLICTS OF INTEREST THAT MAY ARISE FROM BEING PART OF A BUSINESS GROUP AND AS A RESULT OF OPERATIONS WITH RELATED PERSONS
4.9 Each of the Group companies offers its financial products and services to the general public, including other Group companies and other natural or legal persons who, by regulation, are considered related parties, so it is common for them to have financial products with the entities that make up the Group and carry out day-to-day operations with them.
4.10 In the Group, we promote the synergy that arises from carrying out these operations, as well as from entering into agreements and contracts between Group companies in any of the countries where we operate, but we are aware that employees involved in decision-making may face conflicts of interest. These can arise when a decision made by an employee may favor the interest of one of the Group companies, but it is contrary and incompatible with: (i) the interests of another Group company or another related party, and/or (ii) the duties of the Group towards clients.
4.11 Therefore, in addition to requiring that operations between Group companies or between these and related persons occur only when not prohibited by applicable regulations and strictly comply with the parameters defined therein, we have also defined a series of internal policies and guidelines that we must observe. These are contained in the Good Governance Code and the provisions of this Code of Ethics and Conduct and may be supplemented with internal guidelines. In particular, employees must follow the following guidelines:
• Ensure that Operations with Related Parties do not jeopardize the ability of the involved companies to fulfill their obligations to third parties.
• Ensure that Operations with Related Parties are conducted at competitive market prices, comparable in terms of the quality and quantity of the goods or services involved, and the credentials and experience of the counterparty. In the event that there is no market to serve as a reference framework, the operations will be conducted at prices determined objectively, taking into account the business alliances between the companies and ensuring that the transfer of value does not affect the rights of other shareholders and is presented adequately in an environment of free and fair competition.
• When their functions require seeking the best benefit for the Group company for which they work, they must not access client information in the exercise of such functions, nor participate in the decision-making of third parties (for example, providing advice or managing third-party resources).
• When their functions require seeking the best benefit for the client, they must not participate in or influence decisions related to the position of a Group company, unless the interests of that company are fully compatible or aligned with the client’s interest.
4.12 Any employee facing a situation in which it is not feasible to comply with the above guidelines must report the situation to their leader so that together they can determine:
• whether the operation should not be carried out or
• whether the situation should be reported to the Compliance area so that together they can determine the areas that need to be convened and define the steps to follow.
4.13 Additionally, to properly inform affected clients, Group companies must take the following measures:
• Conflict disclosure: if the conflict has not yet been disclosed to the client through any verifiable means, the employee involved in the situation must inform the affected client so they can make an informed decision.
• Ongoing disclosure: when the potential conflict of interest may persist over time, potentially affecting various products, operations, or transactions, we must notify affected clients of this situation through any verifiable means so that their decisions can be properly informed.
• Contractual clause: in situations where, in the ordinary course of providing services to a client, simultaneous operations with other Group companies or related parties may occur, the situation can be disclosed. Once informed, the client may allow operations that could potentially lead to a conflict, expressly noting any limitations or restrictions on these powers in the contract, if any.
4.14 Group companies may establish financial floors7 in the countries where they operate to handle their various treasury and brokerage operations and products. To ensure that such operations are transparent and ethical, our employees working in financial floors must strictly comply with the applicable regulatory framework and the following provisions:
• They must not access or consult information that is inaccessible to the company for which they work due to regulations.
• They must not disclose privileged information and must adhere to controls established to prevent inappropriate and unauthorized exchange of information among the areas of the financial floor (for example, restrictions imposed regarding the use of cell phones and other technological devices).
CONFLICTS OF INTEREST IN COMPANIES THAT ADMINISTER COLLECTIVE INVESTMENT FUNDS, INCLUDING PRIVATE CAPITAL FUNDS (HEREINAFTER “FUNDS”).
4.15 In the Group, we understand that the promotion, development, and administration of a Fund, the conclusion and execution of its operations and contracts, or the management of its resources and portfolio, may generate conflicts of interest, real or apparent, that must be properly managed.
4.16 To this end, Group companies that manage Funds will comply with the applicable regulatory provisions in each country regarding prohibitions and management of conflicts of interest, as well as the policies established in their operating regulations.
GUIDELINES AND CONDUCT STANDARDS FOR PRIVATE CAPITAL FUNDS.
• Operating regulations establish those conflicts of interest identified since the structuring of the fund and must clearly indicate how to disclose and manage them, taking into account that the Surveillance Committee or equivalent body must be aware of, evaluate, and resolve these situations.
• When any of the Group companies, as an investor in a fund, wants and can make contributions in kind to a portfolio of the fund and this is possible, the management company must conduct a competitive, transparent, and fair process for all interested parties to make contributions, regardless of whether they have links with the management company. In these cases, the management company must have the appraisal of an impartial third party and a report that objectively justifies the contribution price.
• The same rule must be followed when a member of the Investment Committee or equivalent body, the management company or its administrators, the manager, or any person linked to the fund, wants an asset, whether own or external, to be integrated into the portfolio.
In these cases, the express approval of the Surveillance Committee or equivalent body responsible for knowing, supervising, and managing potential conflicts of interest of the fund is also required.
• If an asset of the fund or any underlying asset thereof is sold, directly or indirectly, before it can be acquired by an investor of the fund, the management company of the fund or its administrators, the manager, or any person linked to the fund, must follow a process that includes: approval of the sale of the asset or underlying asset by the Investment Committee or equivalent body; the appraisal of said asset by an independent third party; a report that reasonably justifies the conditions and criteria establishing the price; and the approval of the Surveillance Committee or equivalent body responsible for knowing, supervising, and managing the potential conflicts of interest of the fund.
7 Facilities where trading desks of various entities are located.
GUIDELINES AND CONDUCT STANDARDS FOR COLLECTIVE INVESTMENT FUNDS.
• Members of the investment committees or equivalent bodies of collective investment funds, regardless of whether they are Group employees or external members, as well as the managers or administrators of each collective investment fund, must follow the same rules and restrictions regarding personal investments as established in this Code for employees who are part of asset management teams. This rule does not apply to private capital funds.
CONFLICT OF INTEREST DUE TO EXTERNAL ACTIVITIES
4.17 We promote the integral development of our employees and respect interests complementary to their professional performance in the Group; therefore, external professional activities are permitted. However, responsibilities acquired with the Group take precedence over any other employment relationship and other external activities carried out with or without profit motive. In accordance with the above, if we wish to undertake this type of activities, we must consider the following criteria and obtain approval from our leader:
• Always consider ethical and legal criteria, as well as the possible reputational impact for the employee or the Group.
• Prioritize the employment relationship with the Group and fulfill the responsibilities in charge.
• Absence of conflicts of interest or, if they exist, the proper management of them according to the provisions established in this Code. Notwithstanding other situations that may lead to a real or apparent conflict of interest, due to the conflict involved, we should not directly or indirectly participate in activities that imply competition for the Group companies, which includes seizing for oneself or for a third party a business opportunity that any of the Group companies could take.
• Do not use the Group’s intellectual property, nor use information from its clients or businesses, unless it is classified as public.
4.18 The participation of our employees on boards of directors or committees of third parties, including nonprofit entities, requires authorization from the leader, except for union associations, Employee Funds, and Community Action Boards. This authorization will depend on the following requirements:
• The approving leader must report, at a minimum, directly to a first-level vice president or higher position, or to those determined by the local Ethics Committee. In addition, authorization must be requested from the Compliance area, which may convene a subcommittee of the Ethics Committee to evaluate the case and coordinate with the Talent and Culture area, which must keep a record of the participation of employees on boards of directors.
• Unless the participation is carried out in compliance with instructions from the Group company for which we work, we must always participate on a personal basis.
• We must refrain from participating in deliberations or discussions that involve the Group or that may generate a conflict of interest, and we will consider resignation when the conflict demands it. In case of concerns, inquiries can be raised to the Legal area, for administrators and senior executives; and to the Compliance area, for other employees.
4.19 We respect and promote the exercise of individual rights, including the political rights of our employees. Those who decide to participate in politics through elected positions, public or diplomatic positions, management or treasury of political campaigns, must inform their leader, the Vice Presidency of Talent and Culture, and the Compliance area beforehand. Their political participation must be strictly personal and must not affect their professional objectivity, and the time dedicated to these activities must not interfere with their functions or work schedule.
Additionally, political proselytism activities cannot be carried out through the Group’s tools and communication channels, within the facilities or in the work environment of the Group companies. Nor can the affiliation with the Group be used to promote activities for political purposes.
4.20 In the Group, we respect the private life of our employees and their recreational spaces, expecting that at all times and places, they maintain a full commitment and behavior consistent with our organizational culture and its principles and the law. Therefore, if the behaviors of our employees in society undermine our culture or reputation, we will act to preserve them in accordance with the labor laws applicable in each of the Group companies.
HOW CAN WE MANAGE PERSONAL INVESTMENTS?
• When the assets that the fund wants to acquire or sell correspond to securities traded in the securities market, it will not be necessary to carry out the appraisal by a third party or the report with the pricing justification, but the respective transaction must be made through the transactional systems of the exchanges where these securities are listed.
• Members of the Surveillance Committee or equivalent body cannot participate in and make decisions related to the sale of assets owned by them or their relatives (parents, siblings, spouse, or children) to the fund, or the acquisition of assets or underlying assets that the fund intends to sell to them, directly or indirectly. In these cases, the approval of the board of directors of the management company is required.
General Rules for All Our Employees
4.21 When making personal investments, we must consider the following provisions to avoid conflicts of interest or questions about the misuse of information, among other bad practices.
• Before making personal investments, we must assess whether they generate any conflict of interest with those of the Group or our clients, in which case we must comply with the provisions established for this purpose. In particular, we cannot make investments in businesses of clients, suppliers, or counterparts of the Group whose relationship we manage or with which we have a relevant role, without first managing them as a potential conflict of interest in accordance with the guidelines defined in this Code.
• We must not carry out transactions or operations when we possess privileged information and must comply with the guidelines described in this Code.
• During working hours, we must attend to the needs of clients and the Group, without this being an obstacle to attending to our personal matters prudently and moderately.
• We must be prudent in managing our personal investments considering their legality, our financial capacity, indebtedness, and the risks involved, as well as the possible reputational impacts for the Group.
• Investments made in capital markets must be free from any kind of maneuver that artificially affects asset prices or the perception of their liquidity and must adhere to sound banking and stock exchange practices at all times.
• We must use the same transactional channels that our clients use for these purposes; that is, we must not use the accesses and permissions we have in applications by virtue of our position to manage our operations, nor those of our Related Parties.
• All investment rules apply to us as employees, regardless of whether we negotiate directly, through third parties, or their Related Parties.
• We are authorized to acquire and dispose of any securities issued by any Group company, without further restrictions than those derived from the prohibition of using privileged information, the rules for administrators defined in the Corporate Governance Code of Good Governance, and the specific provisions contained in this chapter for employees belonging to certain teams.
Group employees who have a value-generation-based remuneration scheme may receive, if they meet the defined goals and conditions, part of their bonus in an investment fund, whose purpose is to purchase shares or ADRs of Bancolombia S.A.
SPECIFIC RULES FOR OUR EMPLOYEES RELATED TO TRADING OF SHARES ISSUED BY BANCOLOMBIA GROUP COMPANIES
4.22 Trading by members of Boards of Directors or Management Councils, Senior Management, and Management Teams of Group companies:
Members of Boards of Directors or Management Councils, Senior Management, and Management Teams of any of the Group companies who wish to carry out operations involving shares of Bancolombia S.A. must comply with the restrictions established in the Corporate Governance Code of Good Governance of the Bancolombia Group.
4.23 Trading by employees who potentially have access to privileged information:
4.23.1 None of the Group employees can carry out personal investments that involve the use of privileged information. We must know the specific rules to prevent its inadvertent use when we may have access to this type of information.
4.23.2. This group of employees includes those who participate in the study and/or execution of special projects for which confidentiality agreements are entered into with specific provisions on information handling (e.g., mergers, acquisitions, or structuring processes), have access to material financial, treasury, accounting, securities market, legal, risk, internal control, or strategic information of any of the Group companies.
4.23.3 Senior Management and Management Teams of Group companies must: identify the employees within their reporting line who are within this group; communicate to them that they are subject to these special rules; and report them to the Compliance area according to the defined procedure.
4.23.4 Operations carried out by this group of employees on shares issued by Bancolombia S.A. must comply with the following requirements:
• The operation does not have or will not have speculative purposes. For purposes of this Code, speculation purposes are presumed when:
» Suspiciously short periods elapse between the purchase and sale of securities.
» Exceptionally favorable or unfavorable situations occur for the issuing entity.
» A significant and atypical profit is obtained with the operation.
• Thirty calendar days are taken as the reference period for carrying out transactions of opposite sign.
• The operation is not carried out within blackout periods. For purposes of this Code, “Blackout Periods” are:
» The months of January, April, July, and October of each year.
» The first ten (10) calendar days of the remaining months.
» The time period that elapses between the moment when a relevant operation or business is known and the moment when information regarding such operation or business is disclosed to the market.
4.24 Trading by employees of the Business Vice Presidency responsible for leading the relationship with issuers of shares listed on the local stock exchange:
4.24.1. Employees of the Business Vice Presidency responsible for directly leading the relationship with companies issuing shares listed on the local stock market cannot make investments in shares, derivatives, or investment funds whose sole underlying asset is the share of the issuers they directly manage; the above does not limit investment in multi-asset funds that include the issuer they manage.
Rules for handling personal investments in capital market assets by our collaborators from brokerage firms, treasuries, and teams managing collective investment funds and delegated portfolios8.
4.24.2. Our employees whose functions correspond to front, middle, and back-office activities of our Brokerage Firms or Securities Houses, Treasuries, and teams managing collective investment funds and delegated portfolios9, as well as those who perform audit, compliance, risk, product, technology, or legal activities related to capital market activities, must comply with the additional rules described below:
4.24.3. To promote transparency, manage potential conflicts of interest, and enable control and monitoring activities, all personal investments of this group of collaborators in capital market products must be disclosed at least annually, following the guidelines established by each of the Group’s companies, and must be made through the Group’s companies, except when: (i) they do not offer the required product or service; or (ii) there is any restriction on the transaction.
4.24.4. Operations or investment strategies involving assets of local issuers must be free from speculation as defined in section 4.23.4, except when the employee does not participate in the decision-making for the purchase or sale of the shares, and the transactions result from the use of robots and algorithms.
8 The specific rules established here are consistent with and complementary to the regulations applicable to each company within the Group, to the Treasury Management Manual, the Market Risk and Liquidity Manual, and in general to all internal documents that the Group’s companies have regarding treasury and securities. The Group’s companies may establish additional provisions to comply with applicable regulations and requirements of supervisory and regulatory bodies, but always preserving the culture, philosophy, ethical tone, and principles established in this Code of Ethics and Conduct. In the event that it is necessary to include a provision that contradicts this general framework of action, such a situation will be brought to the attention of the Group’s Compliance Vice Presidency, which will determine the most appropriate way to adopt it.
9 Refer to section 4.16 for the rules applicable to members of the Investment Committees of collective investment funds.
4.24.5. They may make personal investments in shares, bonds convertible into shares, single share funds, or ADRs of issuers of the stock market in both spot and futures markets. When it comes to investments in issuers of the local stock market, they must meet the following requirements, except when the employee does not participate in the decision-making for the purchase or sale of the shares, and the transactions result from the use of robots and algorithms:
• Fill out a declaration of not possessing insider information prior to each transaction, in the format defined and following the procedure determined by the respective Group company.
• Obtain prior approval from their leader to make the investment.
• Express interest in the operation, indicating the date on which the order or instruction must be given, which cannot be less than T+5 (current days) counted from the day the interest in the negotiation is reported.
4.24.6. If they are shares, single share funds, or ADRs of Bancolombia S.A., whether traded in the spot or futures market, they must comply with the requirements described in sections 4.24.4 and 4.23.4 of this chapter regarding the negotiation of shares of Bancolombia S.A.
4.24.7. Those who are market makers or liquidity providers of shares must refrain from trading assets that are the subject of their function.
4.24.8. Collaborators of teams managing and overseeing collective investment funds and delegated portfolios may invest in the funds they manage or oversee, provided that at least 5 current days before each transaction10, they inform their leader and the Compliance area about it, unless it concerns transactions in liquidity funds, defined as funds whose target duration is less than one year, and the Seed Plan fund, for which it will not be necessary to inform the Compliance area.
4.24.9. For all cases requiring leader authorization, it must be forwarded to the Compliance area through the established means for this purpose.
Special Circumstances
4.25 The leader of each of the different areas and businesses, in consultation with the Legal and Compliance areas, may impose blackout periods or prohibitions on specific assets to prevent a real or apparent conflict of interest and the use of insider information.
4.26 In special situations, investment restrictions may be lifted or reinforced by the Ethics Committee of the respective entity.
HOW DO WE MANAGE GIFTS AND INVITATIONS?
Rules for the reception and granting of gifts and invitations.
4.27 Just as we must manage existing conflicts of interest, we must also prevent the emergence of situations that may generate them. In the Group, we understand that in the business world, the exchange of gifts, invitations, or symbolic tokens of gratitude is a common practice stemming from courtesy. However, when these gestures are recurrent, excessive, or inappropriate, and are made to unduly influence decision-making or their motives are unknown, they can generate a real or apparent conflict of interest that may restrict free competition and, in certain cases, may even be illegal.
10 Within the transactions that must be reported, this includes the opening or early cancellation of an investment strategy managed by robots or algorithms, and as a one-time occurrence, transaction scheduling; withdrawals made on the maturity date in funds with a lock-up period will not require notification.
4.28 To guide our employees regarding the reception and delivery of gifts and invitations, the Group has established the following rules. These must be complied with by all collaborators and complemented by their good judgment, prudence, responsibility, common sense, and ethical sense.
Delivery of Gifts and Invitations to Third Parties.
4.29 As collaborators of the Group, we can only:
a. Deliver gifts that project the values of our brand, consistent with our integrity and our principle of zero tolerance for corruption. Preferably, gifts will be provided or recommended from marketing areas.
b. Make institutional invitations within the ordinary course of business relations (for example, refreshments, lunches, and dinners), provided that the costs of these are in accordance with the corporate expense policies established by each of the companies that make up the Group and our principle of zero tolerance for corruption. Institutional invitations may aim to recognize clients, third parties, suppliers, or allies that are relevant to the Group’s strategy, in which case the selection is made taking into account the provisions on conflicts of interest.
4.30 As collaborators, we can extend invitations to events organized or sponsored by the Group whose primary purpose is commercial or academic, such as forums and fairs relevant to the development of our businesses and those of our clients. These events may include entertainment. Additionally, in coordination with marketing areas, we can invite third parties to events for which the Group has tickets through a commercial sponsorship (for example, sports events and shows), in which case we must consider the free competition regime.
4.31 In the Group, we can sponsor or make institutional contributions to programs with economic, social, environmental, or cultural impact, provided they are framed within the principles of this Code, the policies and procedures on the subject, and aligned with the sustainability strategy and institutional projection guidelines defined by the Group, and/or the specific policies established by each of the entities that comprise it. Under no circumstances should contributions and sponsorships aim at a business, action, or omission in favor of the Group, nor should they translate into personal gifts for public or private officials.
4.32 In the Group, we can make donations or economic contributions in favor of political parties, movements, or campaigns, provided that the contributions are allowed by applicable legislation, authorized by the corresponding instances, and comply with the policies and procedures established for this purpose. Under no circumstances do they seek to obtain an undue advantage for the Group, its administrators, or Senior Management, in exchange for the donation or contribution.
4.33 As collaborators, we can make donations or economic contributions in favor of political parties, movements, or campaigns of our own choice on a personal basis, always avoiding using our affiliation with the Group to make these donations and contributions.
Delivery of Gifts and Invitations to Employees
4.34 Companies within the Group may give gifts to recognize employees for their outstanding performance and contribution to achieving the organization’s objectives.
Likewise, it is possible for Group companies, for various reasons, to have access to tickets and passes for entertainment events, promotional material from other companies, and other goods received as gifts, in accordance with the provisions of this Code. Employees should not seek to receive these goods as gifts, but the entity may distribute them among the employees, ensuring that the delivery is appropriately distributed among the areas of the Group’s companies, taking into account, among other criteria, the type of gift and the performance of the employees.
Receipt of Gifts and Invitations
4.35 Subject to the above general rules, employees may receive gifts and invitations from clients, suppliers, and other counterparts of the Group’s companies, whether current or potential, provided that they do not affect or appear to affect our objectivity, impartiality, or independence. This applies to gifts and invitations made directly to us or through a third party.
When a gift given by the same person, individually or cumulatively over the course of a calendar year, exceeds the equivalent of two hundred United States dollars (USD 200), and as employees, we consider that we can receive it without affecting our objectivity and impartiality, we must request authorization from our leader according to the attributions in each country (see table 2). We must record the receipt of the gift and the authorization through the mechanisms established by the Compliance area for this purpose. If the gift is below the established value and due to its particularity, it can be disclosed through the channels provided.
TABLE 2
Authorization or rejection attributions for gifts and invitations. These attributions may be redefined according to the evolution of the organizational structure and/or the guidelines given by local ethics committees.
| ENTITY | APPROVAL IN COMMERCIAL AREAS | APPROVAL IN ADMINISTRATIVE AREAS |
|---|---|---|
| Bam | Agencies: Regional Agency Manager and other commercial areas: Area Vice President | Area Vice President overseeing the employee, except for Corporate Services Vice Presidency, which will be managed by Unit Managers |
| Bancoagrícola | Agencies: Commercial Agency Director, other commercial areas: Immediate Director | Director or equivalent position |
| Banistmo | Regional Director | Director |
| Bancolombia | Regional Vice President | Director or equivalent position |
4.36 When employees or leaders determine that it is inappropriate to receive a gift, we must reject or return it, even if it has been sent to the home address or any other location, and we must inform the Compliance department of the rejection. If returning the gift may offend the sender, we must consult with our area leader according to Table 2 (authorization or rejection attributions for gifts) and may seek advice from the Compliance department to determine if it can be accepted, the purpose it must serve, and the message to be sent to the giver.
4.37 It is common for allies, suppliers, or potential suppliers to extend invitations to technical or knowledge transfer academic events. These invitations are institutional in nature, and we cannot accept them without first consulting with our leader (according to Table 2 of authorization or rejection attributions for gifts) so that he, after consulting with peers attend and obtain the best benefit from the event. If the invitation includes travel, accommodation, and entertainment expenses, this instance must also decide whether these can be accepted or if, on the contrary, they must be covered by our organization. The decision regarding the invitation must be documented through the mechanism established by the Compliance department for this purpose.
4.38 The above does not apply to events open to the public that do not involve traveling outside the city, in which case, any employee may attend with the approval of their leader.
4.39 Notwithstanding the above, if the event is for the promotion of products or services, or mere hospitality, we cannot accept any gift or invitation from participants in a supplier selection process if they participate or will participate directly or indirectly in it. If as part of the process it is necessary to visit the participants at an event to have a better understanding of the goods or services offered, travel, accommodation, and event registration expenses must be covered by the Group company to which one belongs, unless it is determined, in an exceptional manner and with the approval of the Vice President responsible for procurement and the Supply Chain, that they can be covered by the participants in the process, for which the following criteria must be met:
• Verify that on-site referencing is necessary for the proper assessment of the product or service to be acquired;
• The person responsible for the on-site referencing must not accept invitations or attentions that, during the visit, may compromise their independence and objectivity;
• Require that travel and lodging expenses adhere to the organization’s internal policies; and
• Communicate to suppliers that efforts and resources should be directed towards the objectives of the on-site referencing visit. The Supply Chain must take additional measures to ensure the impartiality and independence of the process, such as a clear methodology for rating suppliers and equal conditions for participants.
5. What Mechanisms Promote and Support Our Ethical Conduct?
“We establish various mechanisms that support our ethical behavior.”
5.1. In the Group, we take pride in our culture and are aware that it is necessary to cultivate and foster it. Therefore, we establish various mechanisms that support this task.
CORPORATE ETHICS COMMITTEE
5.2. The Group has a Corporate Ethics Committee, with scope for all the companies that comprise it. This committee defines the general policy and ethical guidelines, conduct, and integrity, and communicates the corporate positions regarding highly complex ethical dilemmas. The Corporate Ethics Committee ensures that our organizational culture and its fundamental principles are interpreted and lived in the same way in all our companies, and determines the necessary actions to disseminate, among employees, our culture and its standards, including the training program required for this. The Committee may designate the conduct of diagnostic activities on ethics in the Group.
5.3. The Board of Directors of Bancolombia S.A. adopts the Operating Regulations of the Corporate Ethics Committee, which establishes, among other things, the members who integrate it in addition to the president of Bancolombia S.A., who chairs it; the persons who can participate as guests; the quorum for deliberation and decision-making; and the frequency of its meetings.
LOCAL ETHICS COMMITTEES
5.4. The Group’s entities present in each of the countries in which we operate must establish, in accordance with corporate guidelines, a Local Ethics Committee that has, among others, the following responsibilities:
(i) review cases raised to it by the competent areas, to validate the consistency of decisions with the guidelines of the Corporate Ethics Committee;
(ii) identify cases or issues that should be brought to the attention of the Corporate Ethics Committee to define the ethical tone of the organization and guidelines on particular issues;
(iii) define corrective measures for situations within their competence and instruct the areas to implement them; and
(iv) monitor indicators related to the activities of prevention, detection, and response to incorrect acts presented to them by the Compliance areas, accompanied by other relevant areas.
These committees must report periodically to the Corporate Ethics Committee.
COMPLIANCE AREAS: ADVICE REGARDING THE INTERPRETATION OF THE CODE OF ETHICS AND ETHICAL DILEMMAS
5.5. As employees, we may face situations in our day-to-day where doubts arise about how to act to comply with this Code of Ethics and Conduct. In case of needing support in interpreting what is contained herein, before acting, we must seek the advice of the area leader and/or the Compliance area. The Compliance area has specialists in ethics and integrity who guide us in decision-making to avoid non-compliance with the provisions of this Code.
5.6. The Compliance team in the different countries carries out training, awareness, and dissemination activities so that we understand what the Group expects from our conduct. Annually, in conjunction with the Vice Presidency of Talent and Culture, and in accordance with the guidelines of the Corporate Ethics Committee, the training program that we must complete compulsorily is defined.
WHISTLEBLOWING CHANNELS AND PROTECTION OF THE WHISTLEBLOWER
5.7. When any of our employees or individuals from different stakeholder groups, including shareholders, customers, suppliers, allies, and competitors, among others, have a suspicion or knowledge of violations of the provisions of this Code or the policies that complement it, we can report it through the Ethics Line or by contacting any of the following areas: (i) Compliance area; (ii) areas responsible for conducting investigations into malpractices or complaints related to labor aspects; or (iii) Audit area. We can also channel the complaint or suspicion through our direct or indirect leader, for them to communicate it to the areas responsible for its management.
5.8. Complaints made through the Ethics Line can be anonymous if necessary. Those who submit complaints in this way must be aware that, the more information they provide, the more possibilities there are for an effective investigation to be conducted. The identity of the whistleblower, if disclosed, is confidential at all times. By confidentiality, it is understood that the whistleblower’s name will not be revealed and that the reported facts are only shared with those strictly necessary to carry out the investigation and respond to its findings.
5.9. Complaints receive different treatment, depending on their characteristics.
Complaints and reports related to the organizational climate and labor relations.
We invite our employees to maintain an open dialogue to resolve differences and conflicts that may arise in their work relationships. However, there are situations that undermine our culture and may require different mechanisms for their management, such as harassment, discrimination, among others. Complaints and reports on these issues must be transmitted to the Vice Presidency of Talent and Culture, which manages them comprehensively and promptly through discussions, feedback, support, and, if necessary, possible actions against the individuals or entities responsible for the acts, regardless of their position or level. If the complaint involves an employee of Talent and Culture, the investigation must be conducted by Internal Audit.
Reports on unusual transactions.
These can be made through different means, including the Ethics Line, available to employees or third parties. These reports are transferred to the Compliance area, responsible for assessing money laundering and terrorist financing alerts. This area, with the support of the front line, determines whether the transactions are justified or if they are suspicious and, therefore, must be reported to the competent authorities. The Compliance area also recommends other measures that must be taken to manage the money laundering risk. If the complaint also involves the conduct of an employee, it is managed as indicated below.
Complaints and reports of malpractices.
Complaints and reports related to fraud, corruption, misuse of information, and other practices that violate the provisions of this Code or depart from the expected conduct of our employees are investigated by the responsible area, in accordance with the policies of the anti-fraud program. Investigations are conducted in accordance with established internal processes, which must guarantee the confidentiality of the investigation. If the complaint involves an employee of the area responsible for conducting the investigation, it must be conducted by Internal Audit.
5.10. It is our employees who, due to their knowledge and functions, can detect malpractices. That is why, in the Group, we encourage them to report this type of act, ensuring that, when they report violations of this Code of Ethics and Conduct, complementary policies, applicable laws, or the standards expected by the Group in good faith, they are protected against any retaliation. Employees who observe or are victims of retaliation can report it through any of the mechanisms described above, so that they are investigated by the Vice Presidency of Talent and Culture.
5.11. When employees report suspicious facts under reasonable belief, it is assumed in good faith that these may be true. On the contrary, reporting facts knowing their falsehood is misconduct and is sanctioned in accordance with the provisions of this code.
5.12. The Ethics Line is one of the channels available to report human rights violations. If there is a complaint about any conduct, in which the Group or any of its related entities violates or threatens human rights, the procedure for remediation and non-repetition must be applied, as well as the intervention protocols provided for this purpose.
6. What is the disciplinary procedure?
“All cases are carefully analyzed to make the best decisions.”
6.1. All complaints and reports received are investigated. Additionally, investigations may also be initiated based on alerts detected by the areas responsible for ensuring compliance with this Code. When investigations determine that any of our employees have violated the provisions contained in this Code, its complementary policies, or the ethical standards required by the Group, whether actively or by omission, sanctions must be imposed in accordance with the Internal Work Regulations and applicable regulations.
6.2. To establish the sanction, factors such as the severity of the act, recidivism, economic losses, reputational effects, among others, are taken into account.
6.3. In addition to internal sanctions, the Group may, if deemed necessary, initiate civil or criminal actions based on the regulations of the country where the Group company to which the employee belongs is located.
Ethics Line
Colombia:
• National Colombia: 018000524499
• Cellular: #955
• Medellín: 448 4868
• FAX Colombia: (4)4531953
Bancolombia App:
• Contact us / ethics line
El Salvador:
• 503-2259-7898
Guatemala:
• 502-2378-6933
• etica@bam.com.gt
Panamá:
• National Panama: 01 100 800 157 00 76
• Panama City: (507) 306 55 74
Puerto Rico:
• 1866 6876201
lineaetica@bancolombia.com.co