
Internal control and compliance

In 2017 this demanding regulatory environment was further complicated by preparations for the entry into force of the new Markets in Financial Instruments Directive (MiFID II), the new Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).

Bankia has an effective internal control and risk management organisation and effective systems to ensure compliance with the rules to which its actions are subject.


Bankia’s criminal risk prevention model identifies the activities that must be prevented and the necessary procedures to avoid any behaviour that could give rise to criminal liability. The model establishes the implementation of controls and incorporates the standards of the bank’s Code of Ethics and Conduct.

In line with the criteria set out by the Office of the State Public Prosecutor and with criminal liability prevention best practice, in 2017 Bankia engaged an outside expert to prepare an independent review report on the bank’s criminal liability prevention model.

In 2018, Bankia will adapt its criminal liability prevention model to the bank’s new situation after the merger with BMN, updating the risk and control map.


Bankia collaborates actively with the institutions responsible for supervising and controlling compliance with European and Spanish laws and regulations on the prevention of the laundering of the proceeds of criminal activities and terrorist financing. For this purpose, Bankia has mandatory rules and procedures to:

  • Comply with applicable laws and regulations and follow the recommendations of national and international authorities.
  • Assess the risk exposure in relation to its activity.
  • Implement rules of conduct and appropriate control and communication systems.
  • Establish customer acceptance and know-your-customer policies and ensure that all employees are aware of and adhere to them.
  • Train all its employees in a culture of compliance, aimed at delivering a good service to its customers.

In 2018, the fourth European anti-money laundering directive is expected to be incorporated into Spanish law. This directive reduces the maximum permitted amount of cash transactions and facilitates the sharing of information between countries, with a view to reinforcing the fight against money laundering and, in particular, the financing of terrorism.


Bankia has adopted a set of measures to ensure proper implementation of data protection principles and customers’ data protection rights. The rules include instructions concerning the information that must be provided when collecting data, the duty of secrecy and safeguarding of data, the need to obtain consent for data processing, and exercise of the rights of access, rectification, cancellation and objection.

During 2017, the group started a project to adapt to the new General Data Protection Regulation, which will come into force on 25 May 2018 and will affect the entire organisation. The aim is to analyse the possible legal, organisational and technological impacts of this new regulation and gradually take whatever steps or measures may be necessary in order to ensure compliance.

The main purpose of the General Data Protection Regulation is to implement common data protection principles, rules and standards (rights of data subjects and obligations of data controllers) that are adapted to the digital environment. The new regulation represents a substantial change compared with the previous regulation and is a challenge for the bank.


The prospect of the entry into force of the second Markets in Financial Instruments Directive (MiFID II) in 2018 forced the bank to make considerable efforts during 2017 to analyse and adapt both its processes and procedures and its business model.

The new regulations require reinforcing the rules of conduct that must be applied in order to provide greater investor protection.

The most noteworthy steps taken in 2017 to adapt to MiFID II, which need to be consolidated during 2018, are as follows:

  • Product governance.
  • Continuous development of employees.
  • Greater information transparency.


The corporate Internal Audit Directorate supervises and evaluates the effectiveness of the bank’s corporate governance, risk management, internal control and information systems and also verifies compliance with internal and external regulations.

The Internal Audit function covers all the activities carried out in the group and has unlimited access to the information it needs for the performance of its tasks.

In carrying out its work it may contact and gather information from any senior manager or employee of the bank. Internal Audit also participates actively in several of the group’s control committees.

Internal Audit has established seven processes, which summarise the work it does:

  1. Preparation of the Audit Plan.
  2. Execution of business centre audits.
  3. Execution of process, centre and system audits.
  4. Monitoring of audit recommendations.
  5. Development and maintenance of audit function support applications.
  6. Internal audit communication and reporting.
  7. Collaboration with and coordination of external audits.


The Bankia Group is in the process of implementing a new information governance model. This is a far-reaching, enterprise-wide project that encompasses all corporate information in the regulatory, analytical, commercial and risks areas.

The goal is to turn information into a strategic asset and bring the bank into line with the best market standards, as well as to comply with risk data aggregation (RDA) requirements.

The project comprises three lines of action:

  • Organise information through a single data repository and a common data dictionary.
  • Optimise data provisioning and ensure consistency and flexibility in data use.
  • Implement an information quality governance and control model throughout the data life cycle.

In 2017 the project progressed in the following aspects:

  • Approval of the Regulatory Framework for Data Governance and Quality.
  • Implementation of the first management reports with advanced visualisations (iPads, new reports on the SIG management information system platform).
  • Construction of an in-house tool for mining regulatory financial statements that will allow functional users to validate and analyse their information more flexibly and dynamically.
  • Report on the first regulatory statements from the new informational architecture.
  • Registration of the first group of business concepts in the Single Glossary of Terms, which will assist user understanding.
  • First dashboard for monitoring data quality.
  • Definition of an overall data quality plan that will serve to gradually strengthen the various control points and ensure continuous improvement of information.
  • Execution of the lines of work identified in the RDA Master Plan, which is intended to prepare the bank to be RDA compliant by December 2018.


Responsible tax management, fraud prevention and detection, and tax transparency are principles that help ensure the bank’s effective, sustainable development and build trust among stakeholders.

To safeguard these principles, Bankia adopts specific tax risk management and control measures. It also has internal control systems in place and has policies that establish the proper way to act in various areas, including corporate tax policy and tax risk management, transparency, corporate responsibility and good corporate governance.

The tax principles governing Bankia’s activity are as follows:

  • Transparency. Bankia maintains a transparent policy on tax management and the payment of its taxes, thereby complying with regulatory requirements.
  • Compliance with obligations. The bank applies at all times the tax regulations applicable in Spain, which is the jurisdiction in which it carries on all its activity, as well as pertinent international guidelines and standards.
  • Risk exposure. Bankia analyses transactions with special tax risk according to their impact on corporate reputation, shareholders and customers.

The Board of Directors must approve actions in areas such as related party transactions; presence in tax havens (the bank does not operate in them in order to avoid its tax obligations); the creation of tax structures (which are not used to facilitate tax evasion or to breach the spirit of the regulations); the use of tax incentives; and the hiring of external tax advisers, among other things.

As an expression of Bankia’s firm intention to collaborate with public agencies, the bank is an active participant in the Large Businesses Forum, which promotes a more cooperative relationship between Spanish companies and the tax authorities.

In addition, since 2016 Bankia has been a member of the Tax Agency’s Code of Best Tax Practices (CBTP). This code contains recommendations that are accepted voluntarily by the Tax Agency and member companies. In 2017, Bankia, as a CBTP member company, drew up its first Annual Tax Transparency Report, with information for financial year 2016, which it plans to submit to the Tax Agency in 2018.

The bank also took part in the project to analyse the sector’s Total Tax Contribution, carried out by the Spanish Confederation of Savings Banks (CECA). The results show that in 2016 CECA members’ Total Tax Contribution in Spain was 4,866 million euros.

On 1 July 2017, the regulations concerning the Immediate Supply of Information on VAT (Sistema de Suministro Inmediato de Información, or SII), came into force, modernising VAT management. The new standard entails keeping VAT records via the Spanish Tax Agency’s online office through the almost immediate, daily submission of sales records. Since the new system was introduced, Bankia has complied with the obligations it entails.


In 2017 Bankia continued to develop the 2016-2018 Strategic Security Plan. The main actions taken were as follows:

  • Security governance. The Cyber Security Committee, which in 2017 held 12 meetings, gained in importance, as it became one of the bank’s executive committees. Also, a comprehensive awareness-building plan for the period 2017-2018 was put into effect, aimed at making employees and customers more aware of the importance of the individual in maintaining security. A proposal to purchase insurance to cover security incidents was approved.
  • Protection. New tools were implemented to improve and extend the scope of supervision and control of vulnerabilities.
  • Surveillance. A management unit was created to carry out a continuous security assessment and strategies were defined for the use and analysis of Big Data, as part of the trend in security and fraud monitoring towards the implementation of advanced predictive models.

Last year the group also started to use security innovations such as artificial intelligence for mass analysis of network flows and the discovery of suspicious behaviour patterns and Big Data techniques that make it possible to predict attacks.

In 2018 a new Strategic Plan will be drawn up for the period 2019-2021 and work will start on various projects, including the approval and rollout of the Objective Data Security Model, with extended analysis of new risk scenarios and the design of response plans to cyber-attacks and situations of non-availability. Additionally, advanced tools will be implemented to reinforce the existing defences and security in application-managed access by users with privileges.

Biometric data will become particularly important for employee access and access to resources external to the bank’s information systems, in order to raise the level of data protection.

Various context-based factors will be taken into consideration in granting access to information, using what is known as adaptive authentication.

This will help overcome the possible weaknesses of using a password as the sole authentication factor by replacing or supplementing it with other factors.

Bankia defines its data security strategy by adopting a benchmark model based on the most widely recognised information processing and security standards in order to safeguard and protect its customers’ data. The goal is to ensure data integrity, confidentiality and availability whenever customers wish to have access to their information by whatever means the bank places at their disposal.

This benchmark model is based on the four main domains on which information security is based: governance, information protection, surveillance and response capacity.

Every three years, with the assistance of the market’s leading consultants and providers, Bankia prepares and executes strategic information security plans in order to be always up-to-date in the face of constantly evolving technology.

In March 2017, Bankia received the CISO Award in recognition of its cyber security policies.
