Stripe Brasil Soluções de Pagamento Ltda. ("Stripe Brazil") is a limited liability company incorporated in 2015, which operates in the area of payment methods. The company is a wholly-owned and indirect subsidiary of Stripe, Inc. ("Stripe"), a technology platform founded in the United States in 2011. Stripe offers software tools that help entrepreneurs start, manage, and grow their online businesses.
Aligned with applicable regulations and market best practices, Stripe Brazil maintains an Enterprise Risk Management Framework ("ERMF"), whereby it has established its approach to identify, measure, monitor, control, mitigate and manage operational, liquidity, and credit risks on an ongoing and integrated basis.
Stripe Brazil adopts a comprehensive approach to risk management, comprising four process components: (i) risk identification; (ii) assessment; (iii) mitigation; (iv) monitoring and reporting.
The ERMF takes into account the nature, volume, and complexity of Stripe Brazil’s actions and business, and is updated annually and/or in a shorter period if necessary, in order to determine its compatibility with the institution's objectives and with market conditions. Risks that could cause negative material impacts on its commitments and projects are prioritised.
Stripe Brazil employs a "Three Lines of Defence" model when organising the functions and responsibilities and the management of its risks, based on the following principles: (i) groups that engage in activities and conduct business that create risks on behalf of Stripe Brazil are primarily responsible for the respective risk management activities (First Line); (ii) specific risk management and compliance functions are required to oversee the first line (Second Line); and (iii) assessment of adherence to applicable rules is best provided by independent functions (Third Line).
The Three Lines of Defence are overseen by Stripe Brazil's Chief Risk and Compliance Officer ("CRCO"), who ultimately oversees Stripe Brazil's compliance with all laws, regulations and policies.
2.1. First Line of Defence
Stripe Brazil’s first line of defence is comprised of risk management functions, including business and product and operations-related functions. These Risk Owners, or their designees, are responsible for the risk management cycle, including risk identification, assessment, mitigation, monitoring, and reporting. They are ultimately responsible for operationalising controls, performing the eventual monitoring of the effectiveness of controls, and referring any issues they themselves identify to the Second Line and/or Stripe Brazil's Chief Risk and Compliance Officer. Risk Officers are also responsible for developing action plans and ensuring remediation when an issue is identified by themselves or by compliance functions, audit, or a partner bank.
2.2 Second Line of Defence
The compliance and risk management functions make up the Second Line of Defence and serve to facilitate and monitor the implementation of an effective First Line of Defence. The Second Line of Defence ensures that the First Line has adequate knowledge and understanding of the relevant risks and provides advice to the First Line of Defence on identifying compliance risks and developing controls to manage those risks. The Second Line is also responsible for testing the First Line's controls and compliance with partner and regulatory obligations, although in some cases the Second Line performs the controls itself (e.g. monitoring money laundering prevention operations – AML).
2.3. Third Line of Defence
The Third Line of Defence consists of Internal Audit, or when applicable, a third-party auditor responsible for providing an independent and objective assessment of adherence to applicable rules. In particular, Internal Audit assesses the effectiveness of internal controls, risk appetite and risk governance with a focus on results, not merely process. The Third Line assures the effectiveness of the First and Second Line risk management activities to Stripe Brazil's Board of Directors, including Stripe Brazil's Chief Risk and Compliance Officer.
The approach covered by ERMF includes: (i) the existence of the Three Lines of Defence, with their respective roles and responsibilities (topic 3 below), (ii) descriptions of the processes used for the identification, assessment, mitigation, monitoring and reporting of risks (topic 4 below); (iii) the main tools for documenting risks (topic 5 below).
Risk management involves all elements of the business and all levels of Stripe Brazil. The ERMF applies to Stripe Brazil, including its Officers and employees, as well as third parties hired to assist in conducting its business.
Given that Stripe Brazil is an indirect wholly-owned subsidiary of Stripe, Stripe Brazil’s management may engage Stripe Brazil to provide ancillary services relating to its risk management and/or risk operations. However, Stripe Brazil's management, including its Chief Risk and Compliance Officer, is ultimately responsible for Stripe Brazil's risks and risk management.
The chart and sub-topics below describe the ERMF participants at Stripe Brazil. Committees and technical forums may be formed, with these and/or other professionals with appropriate technical capabilities, to discuss and address specific issues.
3.1. Stripe Brazil Board of Directors' functions
Board of Directors (in general)
The main functions of Stripe Brazil’s Board of Directors regarding the ERMF include, without limitation:
review, question, and approve the ERMF;
ultimately set the Risk Appetite Statement – RAS (with input from other functions as described below);
review, question, and approve Stripe Brazil's Risk Registers;
oversee the implementation of the ERMF; review Stripe Brazil's risk profile against the RAS for risk management and trend identification; and
set the tone from senior management.
Chief Risk and Compliance Officer
The primary duties of Stripe Brazil's Chief Risk and Compliance Officer include, without limitation:
be responsible for Stripe Brazil's ERMF, promoting a sound risk management culture in compliance with Brazilian regulatory requirements;
Oversee and monitor the effectiveness of risk management systems, including escalation processes and communication;
Provide periodic risk updates to the Stripe Brazil Board of Directors;
Oversee all outsourced risk management processes and relationships with third party service providers;
Implement the ERMF; and
Analyse and assess new and emerging trends and risks and risk increases.
3.2. Functions of the Lines of Defence
First Line of Defence: responsibilities include, without limitation:
Risk Identification (identify, monitor, analyse, measure, track risks on an individual and consolidated basis);
Risk Assessment (performed periodically due to new products, markets, geographies, delivery modes, or customer types to anticipate and adequately plan for related new risks); and
Risk Mitigation (development and implementation of action plans for risks);
Risk Monitoring and Reporting (monitoring and reporting the ongoing effectiveness of relevant and applicable internal controls; ensuring that business activities are in accordance with Stripe Brazil's RAS and ERMF; periodic reporting; and referral to higher instances if necessary).
Second Line of Defence: responsibilities include, without limitation:
Risk management and oversight within their areas;
Communicating to Stripe Brazil's Board of Directors, as applicable, any non-compliance with applicable rules;
Reviewing action plans for risks and overseeing their implementation; and
Design policies and procedures to ensure that compliance risks are properly mitigated.
Third Line of Defence: responsibilities include, without limitation:
Independent verification as to whether Stripe Brazil's ERMF, RAS, systems and processes are operating effectively;
Validating Stripe Brazil's ERMF compliance; and
Review the effectiveness of existing internal controls.
To mitigate operational, credit and liquidity risks, processes and policies are formulated, monitored, and updated by local management from alignments with Stripe's senior management.
The processes and policies are widely disseminated to members of the institution and, as appropriate and/or necessary, to third parties. The dissemination effort includes awareness raising and training, with a particular focus on prevention.
4.1. Operational Risk
Efforts include recurrent tests as well as a business continuity plan, aiming at ensuring that all critical processes of the institution are restored as soon as possible – in case of a continuing incident – with consistent information security practices and relying on efficient instruments for fraud detection and prevention.
4.2. Credit Risk
Stripe Brazil is exposed to credit risk as an accreditor, and seeks to mitigate it with various tools, including: the requirement of payment guarantees, the establishment of exposure limits per counterparty, as well as a detailed articulation of payment flows.
4.3 Liquidity Risk
Liquidity Risk is one of the points naturally mitigated by Stripe Brazil’s business model itself, considering that all settlements of payment transactions between the parties involved (issuer, acquirer, sub acquirer and end user) occur through a single grid orchestrated by CIP (Câmara Interbancária de Pagamentos, Interbank Payments Chamber), with settlement banks and the competent domiciliary institutions. Minimum cash obligations are also a pillar of protection. An effective liquidity contingency plan has been implemented and will be periodically reviewed by Stripe Brazil, necessarily contemplating the ongoing management and monitoring of funding sources, including limit controls for each source.
All actions on risk management and governance policies and strategies are documented and kept at the disposal of the Central Bank of Brazil. The main documentation tools are described below.
5.1. Risk Appetite Statement
Stripe Brazil’s Risk Appetite Statement (RAS) is the main strategy document that identifies the risks that Stripe Brazil can and should accept, those that do not make strategic sense for Stripe Brazil, and the quantitative and qualitative guidelines for the tactical management of acceptable risks (risk tolerances and caps). It was prepared in a manner consistent with the strategic business vision of the institution.
It is reviewed and approved by Stripe Brazil’s Board of Directors together with the respective risk managers. Stripe Brazil’s RAS is established by Stripe Brazil’s Board of Directors, with the recommendation of Stripe Brazil’s Chief Risk and Compliance Officer. The RAS is communicated to all Stripe Brazil employees at least annually, after its approval by the Board of Directors.
5.2. Risk Register Documentation
The Risk Register Documentation complements Stripe Brazil’s Risk Appetite Statement. It is approved by Stripe Brazil’s Board of Directors and updated annually, with its recommendation by the Chief Risk and Compliance Officer. It contains ongoing updates on controls, inherent/residual risk assessments, risk metrics/main Risk Indicators, categorisations or other administrative functions as the processes that produce this information are completed.
5.3. Document Maintenance Term
All documents involving policies, risk management strategies and governance are kept available to the Central Bank of Brazil. Although this is not an exhaustive list, the following records will be kept according to the terms below for at least five years:
The Legal department will maintain all ERMF approvals by the Board of Directors (i.e., through Board minutes);
Stripe Brazil’s Chief Risk and Compliance Officer will maintain sequential copies of the documents approved by the Board (e.g. the Risk Register Documentation and Risk Appetite Statement);
Stripe Brazil's Chief Risk and Compliance Officer will maintain any external communication artefacts in compliance with regulatory or contractual record retention requirements.