
Internal control and regulatory compliance



Internal control and compliance activities have played a more prominent role in European financial institutions in recent years as a result of the increase in regulatory pressure.

Several regulations of decisive importance for the banking industry came into force in 2018, including the new European Payment Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II), the General Data Protection Regulation (GDPR) and the new IFRS 9 accounting standard.

In the face of this wave of regulatory change, Bankia has the necessary organisational resources and effective internal control and risk management systems to ensure compliance with the regulations governing its activities and the principles of good banking practice.

Bankia has internal control and risk management systems to ensure compliance with good banking practices


Bankia has a best-practice criminal risk prevention model for identifying activities that must be stopped, as well as protocols and procedures aimed at preventing conduct that could lead to the commission of criminal offences and ensuring compliance with its Code of Ethics and Conduct.

The model is based on the implementation and regular execution of both general and specific controls through software applications that systematically analyse the risks and the associated controls, so as to detect any circumstance that could entail a heightened risk of the commission of criminal offences.

In 2018, Bankia adapted its criminal liability prevention model to the bank’s new situation after the merger with BMN and updated the risk and control map.




Bankia collaborates actively with the institutions responsible for supervising and controlling compliance with European and Spanish laws and regulations on the prevention of the laundering of the proceeds of criminal activities and terrorist financing. For this purpose, Bankia has mandatory rules and procedures aimed at:

  • Ensuring compliance with applicable AML/CFT laws and regulations and the recommendations of national and international authorities.
  • Assessing the exposure to AML/CFT risk in its activity.
  • Implementing the necessary rules of conduct and control and reporting systems to prevent the bank from being used to launder money or finance terrorism.
  • Establishing customer acceptance and know-your-customer policies and ensuring that all professionals are aware of and adhere to them.
  • Training all its professionals in a culture of compliance, with a view to delivering a good service to its customers.

On 4 September 2018, the Spanish government issued a Royal Decree-Law amending Law 10/2010 on the prevention of money laundering and the financing of terrorism, so as to incorporate the EU’s fourth money laundering directive. One of the main changes was the sharp increase in the severity of the penalties for serious and very serious breaches, both for the reporting entity and for the directors or officers responsible for the breach.

On 19 June 2018, even before the Fourth Directive had been fully transposed into Spanish law, the Council of the European Union passed the Fifth Directive in response to the terrorist attacks in Paris and Brussels. The Fifth Directive provides for much stricter surveillance of providers of exchange services between virtual currencies and fiat currencies and custodian wallet providers, as well as restrictions on the use of anonymous prepaid cards, which have proven very attractive for financing terrorist activities. Member States must transpose the Fifth Directive into national law no later than 10 January 2020.


The bank took steps to comply with the new obligations and requirements introduced by the European Market Abuse Regulation (Regulation (EU) No 596/2014 of 16 April 2014 and its implementing regulations), which came into force in the summer of 2016, so as to strengthen market integrity and comply with implementation and supervision mechanisms at the European level.

Of particular importance were the requirements relating to market manipulation indicators, reporting of abusive practices or suspicious orders or transactions, accepted market practices, market prospecting, managers’ transactions, insider lists, buy-back and stabilisation programmes, investment recommendations, private interests and conflicts of interest.

During 2018, advanced technologies for the prevention of market abuse were implemented and integrated with those already in place in other areas. The aim is a comprehensive, unified view that makes it possible to analyse behaviours and strengthen the culture of compliance in detecting and preventing activities suspected of constituting market abuse, thereby promoting market transparency and the normal functioning of the market. That culture is further supported by training programmes for employees and development of the appropriate policies, manuals and internal procedures.


The entry into force, in 2018, of the second Markets in Financial Instruments Directive (MiFID II) and its implementing regulations, which was transposed into Spanish law on 21 December 2018, has entailed a challenge for the bank. Bankia has had to adapt its processes and procedures, as well as its business model. The directive is intended to increase the quality of the distribution of investment services, provide greater investor protection and secure a competitive advantage through the development of these services.

Among other things, it reinforces and consolidates the conduct of business rules, especially for the provision of investment services, so as to offer greater investor protection.

The most significant steps taken in 2018 to adapt to MiFID II, which will have to be consolidated during 2019, include the following:

  • Continuous training of professionals: Bankia has started specific training plans for practically all employees in the commercial network to ensure that both the information about financial instruments provided to customers and the advice customers are given result in a better service, exceeding regulatory requirements.
  • Product governance: Investment service design and distribution processes have been restructured so as to bring them into line with best practices.
  • New models for the suitability and appropriateness test: The suitability and appropriateness tests were reinforced in 2018, adapting the assessment processes to the different market segments and the products marketed, so as to more closely match each customer’s risk profile, knowledge and needs.
  • Greater information transparency: Without losing sight of the objectives and increasing digitisation of the financial sector, customer notification procedures were strengthened with a view to improving customers’ investment decision making, while also reinforcing information systems as regards record keeping of communications in relation to investment transactions and the provision of investment services. This translates into mechanisms that ensure the availability at all stages (pre-contractual, contractual and post-contractual) of relevant information about investment strategies and financial instruments, as well as more detailed, transparent information about the associated costs and expenses, and about communications with our customers.



During 2018, the bank took steps to adapt to the new data protection regulation (GDPR), which affects the entire organisation, gradually working towards full compliance. A total of 12,811 professionals received data protection training during the year.

In line with the GDPR, the main aim has been to ensure common principles, rules and standards on data protection (rights of data subjects and obligations of data controllers) adapted to the digital environment.

Furthermore, to strengthen surveillance of the processes that ensure the privacy of customers’ personal information, Bankia has created the Data Protection and Privacy Office (DPPO). This decision is part of the bank’s integrated strategy, set out in the 2018-2020 Strategic Plan, of implementing a responsible digitisation process, tailored to the customer.

With this initiative, Bankia meets the requirements set out in the GDPR and strengthens its control over customer information and transparency. Among other things, the DPPO is responsible for overseeing compliance with the requirements regarding the protection of personal information provided by customers.


The Corporate Internal Audit Directorate supervises and evaluates the effectiveness of the bank’s corporate governance, risk management, internal control and information systems and also verifies compliance with internal and external regulations.

It covers the following areas:

  • Commercial Network Audit
  • Markets and Structural Risks Audit
  • Central Services Audit
  • Processes Audit
  • Systems Audit

The directorate reports periodically to the Audit and Compliance Committee and to the bank’s Senior Management on the implementation and results of the Annual Audit Plan and any audit recommendations and their degree of implementation. This reporting obligation is fulfilled through quarterly presentation of the Audit Follow-Up Report to the Audit and Compliance Committee and the Management Committee.

The Internal Audit function covers all the activities carried out in the group and has unlimited access to the information it needs for the performance of its tasks. In carrying out its work it may contact and gather information from any senior manager or employee of the bank.

Internal Audit has established seven processes, which summarise the work it does: Preparation of the Audit Plan; Audit of business centres; Audit of processes, centres and systems; Monitoring of audit recommendations; Development and maintenance of audit support applications; Internal audit communication and reporting; Collaboration with and coordination of external audits.

In recent years the Corporate Internal Audit Directorate has also developed various web applications designed to optimise its operations and allow more agile communication between auditors and audit subjects.





Bankia is engaged in a far-reaching transformation project, involving the implementation of an enterprise-wide information governance model in the regulatory, analytics, commercial and risks areas.

The goal is to advance towards an information governance model that meets the highest market standards and complies with the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and risk reporting.

In 2018, progress was made in the following areas:

  • Centralisation of regulatory reporting in a single unit, which reports to the chief data officer (CDO), providing synergies in terms of resources, governance and specialisation.
  • Launch of the IOM (Operating Model) project, which provides the bank with a complete informational structure for its corporate data.
  • Creation of the new Data Portal, as an entry point for the consumption of all corporate information.
  • Completion of the first phase of the risk data aggregation project, including the regulatory reporting self-assessment exercise. According to the results, Bankia is reasonably compliant with the BCBS principles, in line with market standards.


Responsible tax management, fraud prevention and detection, and tax transparency are principles that support effective, sustainable development of the bank and create trust among stakeholders.

To safeguard these principles, Bankia adopts specific tax risk management and control measures. It also has internal control systems in place and has policies that indicate the proper way to act in various areas, including corporate tax policy and tax risk management, transparency, corporate responsibility and good corporate governance.

The Board of Directors sets tax strategy, approves the risk policy (including the policy on tax risks), supervises internal reporting and control systems, approves investments that entail special tax risk and authorises the creation of, or acquisition of interests in, entities domiciled in tax havens.

The Audit and Compliance Committee, for its part, supervises the tax risk management system and reports to the Board on interests in entities domiciled in countries or territories that are considered tax havens.

Bankia’s activity is governed by three tax principles: transparency, compliance with obligations and risk exposure.

The bank maintains a transparent policy on tax management and the payment of its taxes and applies the tax regulations applicable in Spain, which is where it carries out all its activities. It also follows the guidelines issued by international bodies such as the Organization for Economic Cooperation and Development (OECD).

As regards the principle of risk exposure, Bankia performs an analysis of all transactions that entail special tax risk, based on, among other things, their impact on the bank’s reputation, shareholders and customers and on its relations with the tax authorities.

As an expression of its firm intention to collaborate with public bodies, Bankia is an active participant in the Large Businesses Forum, which promotes a more cooperative relationship between companies and the Spanish Tax Agency (AEAT) through the sharing of any general problems that may arise in putting the tax system into effect, on the basis of mutual trust. The bank is also a member of the AEAT’s Code of Best Tax Practices (CBTP), which includes recommendations that both sides voluntarily agree to follow.

This collaboration allows Bankia to operate with greater legal certainty, contain compliance costs and reduce the number of disputes with the AEAT. It also strengthens the group’s reputation, with the consequent positive impact on earnings.

In 2018, as a CBTP member company, Bankia drew up its second Annual Tax Transparency Report, with information for financial year 2017, which it plans to submit to the Tax Agency in 2019.

This report contains information on certain aspects of Bankia’s economic activity and funding structure, an explanation of the most significant corporate transactions, details of the group tax strategy approved by the governing bodies and a list of transactions referred to the Board of Directors. It also establishes the extent to which the bank’s tax policy is consistent with the principles of the OECD’s BEPS (Base Erosion and Profit Shifting) package.


Against the background of growing concern in the global financial sector regarding the potential negative impact of cyber-attacks, last year Bankia completed the 2016-2018 Strategic Security Plan, which brought its security levels into line with those of the world’s leading banks. The main achievements are listed below:

  • Protection and defence: Tools were deployed that significantly improve the control of users with privileges and allow user credentials for the bank’s different systems and auxiliary third-party systems to be brought under unified control. Measures were taken to control and block any unauthorised connection to the corporate network and solutions were implemented to detect advanced malware. Also, important decisions were taken regarding the containment of possible information leaks.
  • Surveillance and fraud: Intelligent models were developed for the automatic detection and blocking of fraudulent transactions and attacks on the bank’s systems. The set of tools for the Security Operations Centre was expanded and strengthened.
  • Prevention and response: The plan to raise security awareness among employees and customers was completed and training was given in collaboration with national cyber security bodies. Also, steps were taken to comply with the requirements of the Critical Infrastructure Protection Act.
  • Governance and control: Bankia maintained its security governance model focused on the actions of two committees: the Cyber Security Committee (an executive body made up of top-level managers that meets every month) and the Security Committee (an informative and consultative body, whose functions were redefined in 2018). Also, cyber security control systems were developed, outsourced security services were renewed and a new project participation model was defined that allows closer monitoring of compliance with security requirements.

Bankia’s security levels are comparable with those of the world’s top banks




In the last quarter of 2018, a new 2019-2021 Strategic Plan was drawn up. Approved by the Cyber Security Committee, the plan is aimed at improving the management of cyber risks and bringing it into line with the strategy of making security a fundamental pillar for gaining customers’ trust. The plan’s main lines of action are as follows:

  • Publicise cyber security actions that benefit everybody.
  • Anticipate the regulator’s requirements and ensure efficient compliance with regulations.
  • Increase customers’ trust and satisfaction.
  • Achieve greater maturity in cyber security and the fight against fraud, contributing to sustainable profitability that creates shareholder loyalty.
  • Have a workforce that is highly committed to cyber security and that acts as the bank’s first line of defence.

The plan specifies 19 initiatives, a significant number of which are transformational and which include changes in the cyber risk management models, in the governance of fraud prevention and in information protection.

To put the plan into effect, the Cyber Security area’s budget has been increased by 33% and the technical and executive team has been reinforced (growing by almost 24%), with the hiring of specialised staff. Also, a new organisational structure has been implemented in line with best security practices and standards.


Bankia works with various industry institutions, trade associations and business organisations to help grow and strengthen the financial and business sector.

It is also registered in the European Union’s Transparency Register, to which it discloses its membership of any associations or institutions which, by their nature, have influence within Spain or the EU.

Through its presence in these entities and through forums and working groups with other companies, government bodies and third sector entities, Bankia gives voice to the interests of the industry and its stakeholders in economic, environmental, social and governance matters.

The most noteworthy memberships are as follows:


Bankia is one of the main financial institutions in Spain, with a strong customer base and a consolidated structure of approved suppliers. This fact, coupled with having a large workforce and an impact on society, are the reasons why the bank is fully committed to compliance with and respect for human rights in all areas.

This commitment is stated in the bank’s Code of Ethics and Conduct and is implemented in the Memorandum of Respect for and Compliance with Human Rights, which has been approved by the Board of Directors. The UN’s Guiding Principles on Business and Human Rights, which the bank accepts, recognise the role companies play in ensuring compliance with and respect for human rights and state the need to provide victims of human rights violations with the necessary mechanisms to seek redress.

Bankia also makes responsibility for human rights part of its strategy through its Responsible Management Plan.

In 2019 the bank launched a Human Rights due diligence process to assess its actual and potential impact. Having analysed the results of that process, Bankia undertakes to adopt the necessary measures to prevent or mitigate any potential impacts and ensure effective compliance both in its own activities and throughout its value chain.





In relation to society, Bankia acts as:


Bankia’s employment policies are governed by applicable Spanish law. The whole workforce is protected by the employment conditions set out in the Collective Agreement for Savings Banks and Other Savings Institutions.

The collective agreement and the bank’s employment policies guarantee non-discriminatory treatment and homogeneous working conditions for all employees, regardless of their gender, age, race, religion, sexual orientation, marital status or social condition.

The trade unions take an active part in collective bargaining and the bank respects freedom of association and social dialogue. The workforce includes 468 union delegates, who were elected at the last union elections, held in Bankia in 2018. Members who belong to trade unions devoted 146,760 hours to union activities.

Provider of products and services

As a provider of products and services, Bankia aims to put its commitment to human rights into effect in several different spheres:

  • Data protection: The bank preserves and safeguards the privacy of customer data not only by preventing its use for marketing purposes but also by ensuring that all the necessary measures are adopted to prevent information leakage and misuse. Beyond the requirements of data protection regulations, Bankia understands the protection of its customers’ information as an ethical obligation.
  • Relations with customers: The bank does not apply any criterion that might entail discrimination against any person or group on the grounds of gender, age, race, religion, sexual orientation, marital status, social condition or place of residence. To help customers and non-customers make informed decisions about their daily finances, Bankia has undertaken various financial education initiatives that facilitate an understanding of the products and services it offers.

    The bank also offers the possibility of purchasing financial products and services through a wide range of face-to-face and remote channels that give the general public better access to banking services.

    In addition, Bankia has a Responsible Marketing Code, which is public and which sets out its promise to customers to meet their real needs and create lasting ties. Bankia’s Customer Service Department enables any customer of the bank to lodge any complaint, claim or suggestion they see fit regarding any infringement of their basic rights.
  • Social and environmental impact: In its banking activity Bankia shows respect for and commitment to human rights by including in its catalogue a set of products with social and environmental purposes, which allow vulnerable or disadvantaged groups and customers with environmental concerns to benefit from the favourable terms offered by the bank. At the same time, the bank has mechanisms to control and mitigate social and environmental impacts in its lending activity.


Bankia has 792 active approved suppliers and its procurement volume amounts to 1.2 million euros. To stimulate, promote and ensure respect for human rights, the bank manages its suppliers in accordance with the Purchasing Policy, which gives special consideration to suppliers’ adoption of the principles of the Global Compact, the Universal Declaration of Human Rights and the fundamental conventions of the International Labour Organization.

The supplier approval process includes an assessment of social, environmental and governance aspects.

Questions related to corporate social responsibility, human rights and the environment account for 33% of the total score. The weight assigned to compliance with human rights is reviewed at regular intervals.

Social Agent

Once the restrictions on certain business lines imposed by Brussels in the Restructuring Plan were removed, Bankia joined the Equator Principles. The bank commits to these principles, which entail taking social and environmental risks into consideration when deciding which projects to finance, with the aim of mitigating or eliminating adverse impacts on people, society or the environment.

The strategic focus of Bankia’s social action is on the areas of housing and new poverty, employment and training, local development and disability. Specifically, Bankia allocates homes at social rents to individuals and families in situations of vulnerability.

Bankia has adopted the Code of Good Practices for the financial sector and takes voluntary measures to assist families in situations of vulnerability who find themselves at risk of losing their homes. It also helps people find work and improve their employability through training initiatives.

The bank collaborates with local social entities working mainly in the areas of employment, diversity, ageing and care. It also supports the integration of disabled people in society and in companies through employment promotion and educational schemes.








Bankia is working to create a complete regulatory conceptual framework for external and internal implementation and verification of respect for human rights.

The goal, to be implemented in 2019, is to create a single due diligence process for the whole bank, with unequivocal, homogeneous criteria, so that human rights risk management and the identification of human rights opportunities are integrated structurally, not just through the management units concerned.

Accordingly, Bankia has set itself the following tasks for this current year:

  • Set up a human rights compliance body within the bank and specify its powers and how they are to be deployed through the organisation.
  • Establish a specific communication and accountability system.

