Corporate governance

Governance, ethics and regulatory compliance at Kommuninvest

Kommuninvest is committed to conducting its operations with integrity, transparency and strong ethical standards. Through robust governance, clear responsibilities and comprehensive compliance processes, we ensure responsible decision-making, safeguard stakeholder trust and maintain sustainable, well-managed operations.

Business ethics

Kommuninvest operates in two trust sectors, the financial and public sectors. Accordingly, it is central that we conduct sound and sustainable operations. Both the Company’s Sustainability Policy and Code of Conduct emphasise the importance of ethical and responsible action. Our success depends on the trust of members, customers, counterparties, investors, employees and authorities. Any conflicts of interest are to be identified and handled efficiently and effectively to prevent negative impacts on customers, members or the Company. With regard to tax matters, the Company’s actions must be responsible, correct and transparent. The Company shall not participate in transactions or make products available that may be questionable in relation to applicable tax legislation. Where there is any doubt, the Company shall refrain from participating.

The Board of Directors of Kommuninvest i Sverige AB has established a Code of Conduct for the Company. Kommuninvest is a values-driven organization, and the Code of Conduct describes our responsibility as an employer and the responsibility of the employee, based on the ownership directive for the Company.

Having a sustainable organisation is crucial for long-term value creation. This encompasses the work environment, the organisation itself and its employees.

Our Code of Conduct can be found in the ESG library.

Board members of the Company are elected by the owner, Kommuninvest Ekonomisk förening (the Society), at the Annual General Meeting for a period of one year. The Nomination Committee's guidelines state that the committee shall assess the suitability of members proposed for the Company's Board of Directors. Such a fit and proper assessment shall also be made at other times, if deemed necessary. A suitability assessment of a Board member shall be made in connection with the nomination for election of a new member and at the latest before the general meeting at which the member is to be elected. The fit and proper assessment takes into account the person's skills, experience, reputation and judgement. Taking into account Kommuninvest's operations, stage of development and other circumstances, the Board of Directors shall have an appropriate composition, characterised by diversity and breadth in terms of the members' competence, experience and background in general.

When assessing an existing board member or nominating a new board member, account shall be taken of the contribution of the individual member's competence and skills to the Board as a whole. In the event of changes in the composition of the Board, or if the number of Board members changes, a fit and proper assessment of the entire Board shall be carried out. Unless there are special reasons, all board members must be independent in relation to Kommuninvest and its management. The owner considers that all current Board members fully meet the requirements for sufficient knowledge, insight, experience and suitability set out in the external regulations and internal instructions.

The members of the Board of Directors have many years of professional experience from various areas relevant to Kommuninvest. The Board has knowledge and experience in areas such as banking and financing, both in Sweden and internationally, the financial market and its regulation, and risk control. The Board also meets the need for municipal expertise: publicly controlled operations, the political processes within them and their financing needs, and management and governance in the municipal sector. A more detailed presentation of the members' backgrounds and other assignments can be found under /About us/Organisation and governance/Board of the company.

There is an annual evaluation of the Board's performance and knowledge, insight, experience and suitability. The outcome of that evaluation is reported to the Nomination Committee. One purpose of the evaluation is to assess how well the current composition of the Board meets the requirements that have been and will be set. Using the information gathered, the Nomination Committee identifies whether any particular skills or experience need to be added to the Board.

Both the Board members' individual ability to contribute to the work of the Board and the Board's overall competence and ability to cooperate are subject to assessment in the work of the Nomination Committee. When a member is to be replaced, an assessment is made of whether it is primarily the departing member's skills and experience that are required or whether Kommuninvest's situation or changes in the business environment mean that other skills and experience should be prioritized.

A conflict of interest means the risk that competing interests or divided loyalties, whether on the part of owners, directors, senior executives, employees, assignees or others engaged in the business, impair the ability to act in the best interests of the Company. Conflicts of interest can also arise between business activities.

The Board of Directors of Kommuninvest i Sverige AB has established internal rules for handling potential and existing conflicts of interest on the Company’s Board of Directors (or for directors personally) and in the Company’s business (or for employees of the Company) and has also established routines and measures for doing so. In respect of the Company’s business, this also includes rules for evaluating employees’ ancillary activities.

The members of the Kommuninvest Society (the Society) are not only indirect owners of the Company, but also its customers. This understanding, together with a deliberate approach, forms the basis for all analyses of existing and potential conflicts of interest, as well as their management by the Company.

The aim is to identify and manage existing and potential conflicts of interest in an efficient and suitable manner in order to prevent any conflicts of interest from leading to detrimental consequences for customers, members, or the Company. The purpose of the evaluation of employees’ ancillary activities, if any, is to ensure that they do not have a detrimental impact on the employee’s tasks within the Company or give rise to potential conflicts of interest through competing activities.

A full description of how we work with potential conflicts of interest can be found in our “Conflict of interest policy”.

Our “Conflict of interest policy” can be found in the ESG library.

Money laundering and terrorist financing, fraud, tax offences, and corruption are collectively referred to as financial crime.

The work to combat financial crime also includes obligations under agreed international sanctions, including regulations regarding violation of such sanctions.

In our “Policy for Combating Financial Crime” the Board of Directors has established internal rules to prevent and combat financial crime. The policy can be found in our ESG library.

The Company has implemented control measures to mitigate the risks of financial crime. These control measures include, inter alia, customer due diligence, checks against sanctions lists, customer risk classification, transaction review and preservation of relevant documents and data.

Kommuninvest has implemented a structured and role-based governance framework to ensure that personal data is managed responsibly and in full compliance with applicable data privacy laws and regulations. Responsibilities are clearly distributed across key roles to ensure both oversight and operational compliance.

The Head of Legal and Procurement plays a central role in our privacy management. This role is responsible for overseeing the implementation and enforcement of our internal privacy policies, ensuring that personal data is deleted promptly and lawfully, keeping our data protection framework up to date, and reporting directly to the CEO on privacy matters. The Legal and Procurement department manages our record of processing activities, handles data breach notifications, and leads privacy impact assessments when new IT systems are introduced. Additionally, the department serves as the primary contact for individuals seeking to correct or delete their personal data.

Our Department and Consulting Managers are responsible for ensuring that all contracts involving personal data comply with relevant legal requirements and for reporting any personal data processing activities within their areas to the Legal and Procurement department.

We have a complaints officer whom data subjects can contact if they feel that their rights regarding the processing of personal data are not being fulfilled despite previous contact with Kommuninvest.

This governance structure enables the organization to maintain a high standard of data protection by aligning strategic oversight with operational accountability across business units.

Reports to company board

The Board of Directors receives a report at least annually on how the work with personal data is conducted and whether any shortcomings have been identified in the handling in relation to data privacy laws and regulations.

Privacy training

All employees at Kommuninvest receive regular training in data privacy protection.

Privacy awareness communication

Kommuninvest carries out ongoing privacy awareness communication to ensure that employees are informed about data protection obligations and best practices. This includes guidance materials, updates on relevant policies, and reminders about data handling responsibilities.

Privacy analysis, risk assessments (PIAs, DPIAs), audits and/or operational reviews

The Head of Legal and Procurement has overall responsibility for checking, evaluating and updating the internal rules on personal data. Compliance is checked and evaluated at least once a year.

When we introduce new IT systems, or significantly change existing ones, we conduct a risk analysis that includes the personal data processing operations involved.

We carry out DPIAs prior to the start of personal data processing when the processing is likely to result in a high risk to the data subject's privacy, rights and freedoms.

Breach notification process

Kommuninvest has implemented a structured breach notification process as part of our data protection programme. The process outlines clear responsibilities for internal reporting, risk assessment, documentation, and notification to both the supervisory authority (IMY) and affected individuals, in accordance with Articles 33 and 34 of the GDPR.

In the event of a personal data breach, the incident is escalated without delay, assessed in collaboration with the relevant functions (including the Legal and Procurement department and the CISO), and documented in line with regulatory requirements.

Supplier standard

We are committed to conducting all procurement and purchasing activities with a high level of economic, environmental, and social responsibility. Our suppliers play a key role in supporting this commitment, and we only engage with companies that are assessed to be reputable, financially stable, technically competent, and compliant with legal obligations, including tax and social security regulations.

To promote sustainability, we integrate relevant criteria provided by the Swedish Public Procurement Agency (Upphandlingsmyndigheten), particularly those related to environmental and social responsibility, into our procurement processes where applicable. Labour rights and working conditions are considered important factors in supplier selection.

As part of our contract management and in line with our sustainability strategy, we ensure that environmental, social, and economic aspects are incorporated into agreements and supplier evaluations. All contracts are also designed to prevent financial crime and other regulatory compliance risks. This includes, but is not limited to, risks related to money laundering, corruption, fraud, and sanctions violations. Particular attention is given to identifying and mitigating conflicts of interest and reputational risks that may negatively impact the company.

We expect our suppliers to:

  • Operate with professional integrity and demonstrate sufficient financial, technical, and human resources.
  • Comply with high standards of information security and maintain appropriate internal controls and risk management structures.
  • Ensure ethical and socially responsible conduct, including respect for human and children’s rights, prohibition of child labour, and commitment to fair working conditions.
  • Adhere to environmental protection principles and promote sustainable practices.
  • Disclose any use of subcontractors for critical ICT services.
  • Accept audit rights for designated third parties or regulatory authorities, including the right to conduct on-site inspections.
  • Support operational resilience and meet our standards for security and business continuity.

Through these standards, we aim to contribute to our members’ sustainability goals and maintain long-term, responsible supplier relationships.

Kommuninvest is obliged by law to set labour law contractual conditions in procurements under the Public Procurement Act where necessary, i.e. where there is a risk of unfair or unreasonable working conditions in the performance of the contract.

If the work is performed where Swedish law is applicable (mainly in Sweden), the labour law conditions shall be stated in accordance with the specified levels of wages, holidays and working hours that follow from a central collective agreement that is applied throughout Sweden to equivalent employees in the industry in question. However, the terms and conditions must always at least correspond to the levels that follow from law.

If the work is carried out in other countries where Swedish law does not apply, the conditions must be specified in accordance with the ILO's core conventions. The terms may also refer to provisions that apply where the work is performed.

Kommuninvest is committed to ensuring robust digital operational resilience in accordance with the EU Digital Operational Resilience Act (DORA). Our approach to managing third-party ICT service providers is governed by a structured framework of policies, executive instructions, and operational procedures that ensure compliance, transparency, and continuity across all ICT-related engagements. Kommuninvest also adheres to all regulatory requirements imposed by legislators and regulators regarding outsourcing.

The Board of Directors of Kommuninvest i Sverige AB has adopted a formal policy for ICT third-party management, which is implemented under the leadership of the CEO and the Head of Legal and Procurement. This governance structure ensures that all ICT services supporting critical or important functions are subject to rigorous oversight and regulatory alignment.

Before entering into any ICT service agreement, Kommuninvest conducts a comprehensive risk analysis to determine whether the service supports critical or important functions. This includes evaluating operational, legal, reputational, and ICT-specific risks, as well as potential concentration risks. The results of these assessments are documented and form part of the decision-making process presented to the Board.

All ICT providers undergo a structured due diligence process, which includes:

  • Assessment of financial stability, technical capacity, and information security standards.
  • Evaluation of organisational structure, internal controls, and risk management frameworks.
  • Verification of relevant certifications, audit reports, and regulatory registrations.
  • Review of ethical conduct, including respect for human rights and environmental principles.

ICT service agreements must include:

  • Clear descriptions of services and responsibilities.
  • Provisions for data confidentiality, integrity, and availability.
  • Audit and inspection rights for Kommuninvest and supervisory authorities.
  • Requirements for incident reporting, business continuity, and exit strategies.
  • Performance indicators and service level agreements (SLAs), with enforceable penalties for non-compliance.

We maintain a centralised information register of all ICT service agreements and outsourcing agreements, distinguishing between those that support critical or important functions and others. This register is regularly updated and reported to the Board and supervisory authorities.

Regular performance monitoring is conducted to ensure that ICT providers meet contractual obligations and resilience standards. This includes:

  • Periodic reporting and incident notifications.
  • Independent audits and penetration testing.
  • Evaluation of service quality and operational effectiveness.
  • Documentation of follow-ups and integration into risk assessments.

Contact

Name: Galit Saar

Role: Chief Legal & Procurement Officer