Management of financial risks, financial instruments, and other risks
12 Months Ended Dec. 31, 2023
31. Management of financial risks, financial instruments, and other risks
a) Overview
The Group monitors all the risks that could have a material impact on its strategic objectives, including those that must comply with applicable regulatory requirements. To efficiently manage and mitigate these risks, the risk management structure conducts risk identification and assessment to prioritize the risks that are key to pursuing potential opportunities and/or that may prevent value from being created or that may compromise existing value, with the possibility of having impacts on financial results, capital, liquidity, customer relationship and reputation.
Risks that are actively monitored include Credit, Liquidity, Market, Foreign exchange (FX), Operational, IT and Cyber, Regulatory, Compliance and AML (Anti-money laundering) and Reputational Risk, Interest Rate Risk in the Banking Book (IRRBB) and risk from Cryptocurrency business.
b) Risk management structure
Nu considers Risk Management an important pillar of the Group's strategic management. The risk management structure broadly permeates the entire Company, with the objective of ensuring that risks are properly identified, measured, mitigated, monitored and reported, in order to support the development of its activities. Risk Management is related to the principles, culture, structures and processes to improve the decision-making process and the achievement of strategic objectives. It is a continuous and evolving process that runs through Nu's entire strategy, to support Management in minimizing its losses, as well as maximizing its profits and supporting the Company's values.
The Group's risk management structure considers the size and complexity of its business, which allows tracking, monitoring and control of the risks to which it is exposed. The risk management process is aligned with management guidelines, which, through committees and other internal meetings, define strategic objectives, including risk appetite. Conversely, the capital control and capital management units provide support through risk and capital monitoring and analysis processes.
The Group considers a risk appetite statement (“RAS”) to be an essential instrument to support risk management and decision making. The Board reviews and approves the RAS, as guidelines and limits for the business plan and capital deployment. Nu has defined a RAS (aligned to local regulatory requirements) that prioritizes the main risks and, for each of these, qualitative statements and quantitative metrics expressed in relation to earnings, capital, risk measures, liquidity and other relevant measures were implemented, as appropriate.
Nu operates on the three-line model, which helps to identify structures and processes that best support the achievement of objectives and facilitate a robust governance and risk management structure.
Another important element of the risk management framework is the structure of Technical Forums and Committees. These governance bodies were designed and implemented to monitor and make decisions on aspects associated with the Group's management and control. Nu has implemented this structure both at a Global and a country-level perspective, as described below.
Global risk-related Governance body:
Country-level risk-related Governance bodies:
Each of the countries where the Group has operations established a structure of governance based on the relevant regulatory requirements and composed of the following elements. Depending on the nature of the subject to be managed, some Committees and meetings can be grouped to cover more than one country.
c) Risks actively monitored
The risks that are actively monitored by the Group include Credit Risk, Liquidity, Market Risk, Foreign exchange (FX), Operational, IT and Cyber, Regulatory, Compliance and AML (Anti-money laundering) and Reputational Risk, Interest Rate Risk in the Banking Book (IRRBB) and risk from Cryptocurrency business. The management of these risks is carried out according to the three-line model, considering policies and procedures in place, as well as the limits established in the RAS. Also, there is a Stress Testing program in place.
Each of the risks described below has its own methodologies, systems and processes for its identification, measurement, evaluation, monitoring, reporting, control and mitigation.
In the case of financial risks, such as credit, liquidity, IRRBB and market risk, the measurement is carried out based on quantitative models and, in certain cases, prospective scenarios in relation to the main variables involved, respecting the applicable regulatory requirements and best market practices. Non-financial risks, such as operational risk and technological/cyber risks, are measured using impact criteria (inherent risk), considering potential financial losses, reputational damage, customer perception and legal/regulatory obligations, as well as evaluated in relation to the effectiveness of the respective structure of internal controls.
Based on the results of the measurement and risk assessment activities, the adherence of the residual exposure to Nu's risk appetite is verified. Necessary actions to mitigate risks are presented and discussed in the governance structure (Technical Forums and Risk Committees), which are also the channels responsible for approving and monitoring the implementation of action plans.
Credit risk is defined as the possibility of losses associated with failure of customers or counterparties to pay their contractual obligations; the depreciation or reduction of the expected gains from financial instruments due to the deterioration of the credit quality of customers or counterparties; the costs of recovering the deteriorated exposure; and any advantage given to customers or counterparties due to deterioration in their credit quality.
The credit risk control and management structure is independent of the business units, being responsible for the processes and tools to measure, monitor, control and report the credit risk of products and other financial operations, continuously verifying their adherence to the policies and structure of approved limits. There is also an assessment of the possible impacts arising from changes in the economic environment, in order to ensure that the loan portfolio is resilient to economic crises.
Credit risk management is carried out by the Credit Risk team with a centralized role independent of the business units, being responsible for:
● Estimating the expected losses according to consistent and verifiable criteria.
The Group’s outstanding balance of financial assets and other exposures to credit risk is shown in the table below:
Liquidity risk is defined as:
● the ability of an entity to fund increases in assets and meet obligations as they come due, without incurring unacceptable losses; and
● the possibility of not being able to easily exit a financial position due to its size compared to the traded volume in the market.
The liquidity risk management structure uses future cash flow data, applying what Nu believes to be a severe stress scenario to these cash flows, in order to measure that the volume of high-quality liquid assets that the Group has is sufficient to guarantee its resilience even in very adverse situations. The liquidity indicators are monitored daily. For the funding risk management, the gaps between assets and liabilities in term buckets are monitored to assure that the profile of assets is consistent with the liabilities.
The Group has a Contingency Funding Plan for the Brazilian entities that describes possible management actions that should be taken in the event of a deterioration of the liquidity indicators.
Primary sources of funding - by maturity
Maturities of financial liabilities
The tables below summarize the Group’s financial liabilities and their contractual maturities:
The unused limit of credit cards is the pre-approved limit that has not yet been used by the client and represents the current maximum potential credit exposure. Therefore, it does not represent the real need for liquidity arising from commitments. When customers begin utilizing their unused limits, the duration of the credit card receivables is expected to be shorter than the duration of the payables to network.
Maturities of financial assets
The table below summarizes the Group’s financial assets’ contractual undiscounted cash flows and their contractual maturities:
Market risk is defined as the risk of losses arising from movements in market risk factors, such as interest rate risk, equities, foreign exchange (FX) rates and commodities prices. IRRBB refers to the current or prospective risk to an entity's capital and earnings arising from adverse movements in interest rates that affect the banking book positions.
There is a market risk & IRRBB control and management structure, independent from the business units, which is responsible for the processes and tools to measure, monitor, control and report the market risk and IRRBB, continuously verifying the adherence with the approved policies and limits structure.
Management of market risk and IRRBB is based on metrics that are reported to the Asset & Liability Management and Capital ("ALM") Technical Forum and to the country-level Risk Committee. Management is authorized to use financial instruments as outlined in the Group's internal policies to hedge market risk & IRRBB exposures.
Management of market risk and interest rate risk in the banking book (IRRBB) is based on the following metrics:
In Brazil, the Brazilian Central Bank (BCB) requires an assessment of the sufficiency of capital for the interest rate risk of the banking book (IRRBB) based on Delta EVE and Delta NII metrics. The Group calculates these metrics in Brazil according to the regulator standard for managing this capital requirement. Delta EVE is the change in the Group's economic value of equity in the scenarios prescribed by the BCB. Delta NII is the change in the Group's net interest income in the same standard prescribed scenarios.
The table below presents the VaR, which uses a confidence level of 99% and a holding period of 10 days and is calculated by a filtered historical simulation approach with a 5-year historical window. For Brazil, it is calculated only for the Trading Book in line with the portfolio management strategy.
The following analysis is the Group's sensitivity of the mark to market fair value to an increase of 1 basis point (“bp”) (DV01) in the Brazilian risk-free curve, Brazilian IPCA coupon curve, US risk-free curve and Mexican risk-free curve, assuming a parallel shift and a constant financial position:
The interest rate risk in Colombia and in Brazilian subsidiaries other than those mentioned above is not significant as of December 31, 2023 and 2022. To maintain DV01 sensitivities within defined limits, interest rate futures, traded on B3, and swap derivatives are used to hedge interest rate risk.
The financial information may exhibit volatility due to the Group’s operations in foreign currencies, such as the Brazilian Real and Mexican and Colombian Pesos. At the Nu Holdings level, there is no net investment hedge for investments in other countries.
As of December 31, 2023 and 2022, none of the entities of the Group had significant financial instruments in a currency other than their respective functional currencies.
The functional currency of the entities in Brazil is the Brazilian Real. Certain costs in US Dollars and Euros, or intercompany loans in US Dollars, are hedged with futures contracts, traded on the B3 exchange, based on projections of these costs, or when there are new exposures. Hedge transactions are adjusted when internal cost projections change and when the FX derivatives expire. As a result, the consolidated financial statements have no significant exposures to exchange rates after the hedge transactions take effect.
Operational risk is defined as the possibility of losses resulting from external events or from failure, deficiency or inadequacy of internal processes, people or systems. In this context, the legal risk associated with inadequacy or deficiency in contracts signed by Nu, sanctions due to non-compliance with legal provisions and compensations for damages to third parties arising from the activities developed by the Company must also be considered.
The structure of control and management of operational risk and internal controls is independent of the business and support units, being responsible for the identification and assessment of operational risks, as well as for evaluating the design and effectiveness of the internal controls, covering risks such as system and services disruption, external fraud and failures in activities involved in payment scheme arrangements. This structure is also responsible for the preparation and periodic testing of the business continuity plan and for coordinating the risk assessment in new product launches and significant changes to existing processes.
Within the governance of the risk management process, mechanisms are presented to identify, measure, evaluate, monitor, and report operational risk events to each business and support area (first line), in addition to disseminating the control culture to other employees. The main results of risk assessments are presented in the Technical Forum on Operational Risk and Internal Controls and in the Risk Committee, when applicable. Applicable improvement recommendations result in action plans with planned deadlines and responsibilities.
● Information Technology/Cyber ("IT") risk
IT/Cyber risk is defined as the undesirable effects arising from a range of possible threats to the information technology infrastructure, including cybersecurity (occurrence of information security incidents), incident management (ineffective incident/problem management process, impact on service levels, costs and customer dissatisfaction), identity and access management (unauthorized access to sensitive information), data management (lack of compliance with data privacy laws or gaps in data management governance or data leakage issues), among others.
As the Group operates in a challenging environment in terms of cyber threats, it continuously invests in controls and technologies to defend against these threats. IT risks, including cyber risk, are a priority area for Nu, thus there is a dedicated IT Risk structure, which is part of the second line. This team is independent from IT-related areas, including Engineering, IT Operations, and Information Security.
The IT/Cyber Risks area is responsible for identifying, evaluating, measuring, monitoring, controlling, and reporting Information Technology risks in relation to the risk appetite levels approved by the Executive Board. The Group continually assesses Nu's exposure to threat risk and their potential impacts on the business and customers. The Group continues to improve its IT and cybersecurity capabilities and controls, also considering that people are an essential component of the security strategy, ensuring that the employees and third-party consultants are aware of prevention measures and also know how to report incidents.
The results of the IT risk and controls assessments are regularly discussed at the IT Risk Technical Forum and presented to the Risk Committee when applicable. The applicable improvement recommendations result in action plans with planned deadlines and responsibilities.
In a complex and highly regulated environment, legislative and regulatory initiatives may result in significant changes to Nu's regulatory framework and consequently its business activities.
To address such risks Nu maintains teams in Brazil, Colombia and Mexico dedicated to monitoring these changes and engaging to explain their potential impacts to the Group and the broader financial industry.
Legislative and regulatory initiatives that can present a material impact to the Group are brought to the attention of the Risk Committee and the management team allowing the Group, when necessary, to adjust its strategy and decide on the best course of action to deal with such changes.
As the Group operates in a highly regulated environment, a robust Compliance program was established within the second line of defense. The Compliance team has resources dedicated to the Ethics Program, Regulatory Compliance as well as to Anti Money Laundering Program and Combating the Financing of Terrorism.
The Ethics Program sets the minimum conduct standards for the organization, including Code of Conduct, Compliance Policies, Training, and Awareness Campaigns, as well as an independent Whistleblower Channel. Some examples include the anti-bribery and corruption risks, conflict of interest, related parties, insider trading as well as any violations of Nu's Code of Conduct.
The Regulatory Compliance team is focused on overseeing the regulatory adherence of the organization. Main activities involve regulatory tracking and managing the regulatory adherence, assessment of new products and features, advisory, Compliance testing as well as centralizing the relationship with regulators regarding requests for information and exams. By not being in compliance with laws and regulations, the Group may be exposed to sanctions, loss of license as well as potential criminal implications on management.
Nu's Anti Money Laundering (AML) Program represents the global framework and guidelines for AML and Combating Terrorism Financing (CTF) and is the basis for the AML team's strategic planning. It involves the risk of the company being exposed to sanctions for not implementing controls to avoid AML or terrorism financing.
The Program is structured in three levels - strategic, tactical and operational - and it's composed of 7 pillars (strategic level): Enterprise Risk Assessment; Policies and Procedures; Communication and Training; Know Your Customer (KYC); Due Diligence (KYE, KYS, KYP and KYB); MSAC - Monitoring, Selection, Analysis and Communication (SAR); and Effectiveness Assessment Program.
The Group believes that the materialization of other risks can negatively impact its reputation, as they are intrinsically connected. Unfavorable events in different risk areas such as business continuity, cyber security, ethics and integrity, social media negative activity, among others, can damage Nu's reputation.
Therefore, the Group has teams and processes in place dedicated to overseeing external communication and for crisis management, which are key elements in identifying and mitigating reputational events, as well as to gain long-term insight to better prevent or respond to future events.
● Risks from cryptocurrency business
In addition to the risks set out above, the Group's activities and services related to cryptocurrency (NuCrypto) generate specific risks which are directly related to cryptocurrency technology. NuCrypto may utilize the services of third-party licensed trust companies in the operation and management of the cryptocurrency business activity. The Group keeps a copy of the records maintained by the third-party as well as its own internal tracking of customers' assets for reconciliation purposes. NuCrypto may have a liability to indemnify customers under consumer protection laws (like any other supplier of goods and services in Brazil) but the agent is obligated to secure the assets and protect them from loss and theft. Currently, the majority of assets under custody are managed internally, and liquidity providers operate within a trust structure and carry insurance for potential losses which the Group would seek to make claims upon if required, with any benefit obtained being transferred to impacted customers. See note 34 for further explanations.
● Stress testing program
The stress testing program considers shocks/impacts to Nu's main products, such as credit cards, personal loans and funding instruments, in addition to their respective sub-products. Scenarios are considered in which stress is applied in isolation, at different levels of intensity and probability, and also scenarios in which managerial actions are considered to increase the Group's resilience and preserve its capital and liquidity indicators.
The proposed scenarios are presented to the Stress Testing Technical Forum. The scenarios to be addressed, duration and severity and plausibility of each shock are discussed, as well as the ways in which they will be modeled and the level of detail required. After modeling and executing the tests, the results are submitted to the appropriate committees and technical forums, an integral part of Nu's risk management structure. The proposed actions aimed at ensuring the Group's resilience are discussed and approved. The Stress Testing Program is updated annually and defines which tests the team must undertake in the next 12 months.