EFTA01382705.pdf

S-1/A Table of Contra& We have increased headcount in these areas and enhanced our capabilities by recruiting leaders from a variety of industries, such as financial services, with diversified backgrounds and extensive experience in controls. We are also continuously improving our controls-related processes by making significant investments in technology and managing a dedicated technology team to support our efforts. Some key elements of our controls organization include: Enterprise Risk Nlatiagement Program --- Our enterprise risk management framework reflects a methodology comprised of six key components: ( I ) risk governance and culture. (2) risk strategy and appetite. (3) risk assessment and measurement, (4) risk management and monitoring, (5) risk reporting and communications, and (6) risk data technology and infrastructure. We have established a Risk Committee of the Board and an executive level risk committee. These arc responsible for articulating our risk appetite and determining an acceptable level based on the tradeoff of assumed risk versus the expected value of the opportunity. The enterprise risk management program is integrated with the strategic planning process and is aimed at identifying the risks associated with our strategic objectives and related objectives, such as operational, financial reporting, and compliance. • Underwriting and Credit Risk Management —Our credit risk management team defines our underwriting policies and standards for prospective new business and financial institution clients and performs the initial client risk assessment to determine creditworthiness and acceptable credit terms, which may include funding delay or collateral requirements. We continuously monitor the risk profile of our client portfolio to determine adherence to our credit policy and assessment of the clients' business model relative to our risk appetite, and remediate problematic clients as warranted. Our risk scoring models and rules consider such factors as how long a client has been on file, dispute history, credit utilization, deposit patterns and trends, industry vertical, payment history, account delinquency, financial safety and soundness, and compliance with regulations. Regulatory Compliance — We have established and maintain a regulatory compliance program and framework, as a second linc-of- defense, that is designed to (1) identify and establish an understanding of First Data's regulatory compliance responsibilities; (2) train owner associates; (3) achieve compliance with regulator• requirements and internal regulator• compliance policies; (4) review operations to verify responsibilities arc carried out and requirements are met; (5) take corrective and timely action when necessary; and (6) provide timely and effective management information on the state of regulatory compliance to internal and external stakeholders. We have tailored the program to the business strategy and needs of First Data by creating line-of business groups that provide dedicated compliance coverage to our three business segments globally. The program also includes subject-specific areas of coverage, including: privacy, ethics, antitrust, anti-money laundering, government sanctions, and anti-bribery• and corruption. • Internal Audit — Our internal audit team provides management and the Audit Committee with independent. objective assurance and consulting activities designed to add value and improve our operations We do this through a systematic, risk-based, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance proe4mes. Our annual plan is aligned to our objectives and the results of our audits are shared with management and the Audit Committee. The internal audit department reports directly to the Chair of the Audit Committee and to management through the CCO. • Third-Party Risk Management — Our third-party risk management team establishes policies and practices used in managing and overseeing third-party risks to us and our clients, necessary for meeting regulatory requirements. client contract obligations and industry best practices. This team manages third-party related audits, performs due diligence reviews, targeted risk assessment analysis and ongoing monitoring activities of third-parties to identify and address potential patterns or trends which may pose enhanced risk. 147 httplAverw.sec.gov/Arehivaledgar/datatit83980/000119312515334479/d31022dsla.htm[10/14/2015 9:06:38 AM] CONFIDENTIAL - PURSUANT TO FED. R. CRIM. P. 6(e) DB-SDNY-0082166 CONFIDENTIAL SDNY GM_00228350 EFTA01382705