October 2023
ESG Statement
4finance Group is a leading European digital consumer lender, that extends access to finance to those underserved by the established banks.

Our subsidiary TBI Bank is a licensed bank that serves consumers, SMEs and merchants, primarily in Bulgaria and Romania.
This is 4finance Group’s first public ESG statement and captures a range of activities, themes and concerns that have been discussed and developed over the past years. Over time we expect to expand our reporting, as the ESG category itself develops and becomes more standardised. We hope this document helps investors, customers, regulators, and other stakeholders to better understand our business and its approach.
Access to
Consumer Finance
Access to Consumer Finance
Offering access to finance is our core business, reaching people ignored or excluded by banks. Serving creditworthy people that the banks do not understand or wish to cater for is our social purpose.
This can only be sustained with care and insight into an individual’s creditworthiness.
Being a responsive and responsible lender means identifying those who can benefit from credit and declining to lend to people who, in our judgement, are unlikely to find a loan affordable. Far from being careless in our lending, we decline around 70% of first-time loan applications.

We believe that a viable, safe, regulated credit market is the best protection against problem debt and the growth of illegal lending. 4finance seeks to serve creditworthy people that the banks overlook, providing useful, timely access to credit when they need it.
As a lender that serves those with lower credit scores, we have an important role in offering useful and timely credit, so people can take an opportunity or bridge a gap. With this comes an obligation to lend responsibly, taking care that our products meet our customers’ needs.
Our products represent a safe, regulated option and are a barrier to the growth of the grey market of unlicensed credit.
Products
Our products represent a safe, regulated option and are a barrier to the growth of the grey market of unlicensed credit.
Oversight
Our products and any significant changes to them are reviewed at a Group level by our executive committee and board.
Debt collection
We have a Group level policy that requires that we treat our customers fairly and equitably: “Regardless of the duration of the delay in loan repayment, history of the customer behaviour, payment discipline or any other aspects, the Group always remains polite, treats customers with respect and offers the best possible solutions considering the circumstances.”
Customer satisfaction and feedback
Our subsidiaries manage and measure customer satisfaction through a range of measures, recording complaints data, using customer surveys and third-party rating services.
Our response to the Covid-19 pandemic
During the current pandemic we introduced forbearance measures to support those impacted by Covid-19. We responded faster than any government mandated measure and the approaches we offered had a higher uptake than any mandated scheme.
Understanding the economics of non-bank lending
Understanding the economics of non-bank lending
Funding
Banks fund loans through deposits at a low cost. Non-banks such as 4finance Group don’t have the same access to deposits, so generally raise money through bond issues, at a cost typically c.12% or more.
Underwriting
Underwriting a €300 loan has a similar cost to underwriting a €30,000 loan. This and other costs of a small loan may have to be recovered in a single payment.
Regulatory overhead and servicing costs
Similarly, these costs must be covered by each small loan.
Responsiveness
We process applications in seconds and deliver to a customer’s bank typically in minutes. We do so 24/7/365 – offering money when a customer needs it. This is more expensive than an internal transfer.
Risk
Non-bank lenders operate in a market categorised as ‘sub prime’ and ‘near prime’ – this means higher risk and consequently higher costs that are reflected in our charges.
APR calculations generate huge distortions for short term loans
APR figures provide a useful and consistent measure for comparing 12-month and multi-year loans and understanding their likely costs.

But, the shorter the loan term and the smaller the sum, the greater the distortion is. For example, a €100 single payment loan that has an APR of 1737% would only cost a borrower €25 when paid back at the end of its 28-day term. For consumers of short term loans, the cost is more like a service fee than an interest rate.
Many banks decline to serve a whole section of society who are creditworthy and seeking finance but have a slim credit file. Non-bank lenders like 4finance Group offers a safe, regulated option for those in need of finance.
Human Capital Development
Human Capital Development
4finance Group aims to be a responsive and rewarding employer, offering meaningful development opportunities.
Employee satisfaction surveys
We monitor employee satisfaction through quarterly surveys. Each quarter the leadership team develops a plan to respond to the feedback at the local (country level) and at Group.
Continuous training opportunities and support for vocational qualifications
Alongside extensive internal training, both elective and required, the company supports job-related study and certification, including professional certification in HR, IT development, marketing, privacy and data protection, accountancy and auditing.
Leadership training and development
Since 2019 we have used an annual 360-degree assessment to evaluate leadership competences and to enhance individual development, exploring leadership behaviour, personal behaviour, professional competence, team management and values.
Gender balance
In the year to March 2021 4finance’s employee mix was 53%/47% women/men. 48% of management positions are held by women.
Whistleblowing
We have an established whistleblowing procedure, overseen by our Audit and Legal leads that permits anonymous reporting if desired and is backed by legal protection for the whistle-blower.
Energy use
and Carbon
Energy use and Carbon
4finance Group aims to be a responsive and rewarding employer, offering meaningful development opportunities.
In August 2019 our headquarters used 14,000 KWh, whereas in August 2023, the energy use was 2,330 KWh, a reduction of over 87% in energy use.
Our online business has aggressively reduced our carbon use through the following actions:
01
Migration from on-premises data centres to the cloud (AWS)
This has allowed us to right-size our server use – consuming only resources that we need, not having large amounts of spare capacity running idle.

We automatically shut down development environments when not in use. This reduces energy consumption.
02
Moving to serverless or minimizing server hardware in our branch offices
03
Using cloud services as much
as possible.
04
We utilize/recycle our equipment or re-sell to employees to extend the useful life of a device.
05
We analyse our data and resource capacity and usage regularly:  reducing usage, closing unneeded resources and scaling down according to actual consumption.
Our Approach to Anti Money Laundering and Counter Terrorist Financing
Our Approach to Anti Money Laundering and Counter Terrorist Financing
4financeGroup understands how crucial and important it is to have strong AML (anti money laundering) and CTF (counter terrorist financing) controls in its daily business operations.
As a regulated consumer lender, 4finance Group has implemented an AML/CTF governance framework across all Group operating entities to meet and exceed regulatory requirements.
Our mission is to be a trusted partner to our customers and business partners, therefore we are an active player in fighting against ML and TF. In order to achieve our goal, 4finance Group has a range of controls, such as internal audit, clearly defined roles and responsibilities, customer due diligence, among others, to be fully compliant with the respective regulations. 
AML/CTF principles
4finance Group is committed to the fight against ML and TF and these principles are followed to control our Group's risk:
Compliance with AML/CTF regulations and laws across all 4finance Group operating entities.
Unified framework for Group AML/CTF compliance programme.
A risk-based approach in all 4finance Group operating entities to determine the extent of Customer Due Diligence measures and controls.
Cooperation with regulatory bodies and law enforcement agencies in order to prevent ML/TF.
Zero tolerance regarding compliance breaches of sanctions regulations.
Updating and constantly enhancing AML/CTF controls to keep up with the dynamics of financial crime patterns, applying best practices and new technologies, reflecting changes in regulatory environment and business processes.
AML/CTF Governance Framework
4finance Group has a robust governance framework to address AML and CTF across the whole Group, covering all our operating markets.
4finance Group Anti-Money Laundering and Counter Terrorist Financing policy sets high standards by defining a harmonized set of rules and principles applicable to all Group operating entities.
4finance Group has a dedicated Group AML team responsible for overseeing4finance Group’s compliance with all relevant AML/CTF regulations in its operations, with a reporting line to top management. Group AML acts as a knowledge centre for all Group operating entities. Ultimate AML/CTF governance and compliance accountability lies with the Group Chief Legal Officer, a member of the Group’s Executive Committee.
To ensure flexibility, local accountability and responsibility our operating entities also have Money Laundering Reporting Officers (MLROs) who act as contact points locally. Local MLROs bear ultimate responsibility, ensure day-to-day oversight over the local entity's AML/CTF compliance programme and management; and that Group level guidance with the highest standards is adhered to and implemented according to the specific market and jurisdiction.
AML/CTF risk management is performed by using a risk-based approach and conducting AML/CTF risk assessments for each 4finance Group's operating entity.
We use advanced Fintech and Regtech systems to strengthen and enhance our AML/CTF control system.
Compliance management and quality control is ensured by internal controls, reporting to management and the relevant authorities.
Awareness and Training
All employees receive training and information on AML/CTF when joining and then at least annually.
Special training is given to employees with specific roles in AML/CTF compliance regarding their area of responsibility.
Employees have access to dedicated AML/CTF knowledge base with up-to-date information, for example, relevant policies, procedures, legal requirements and training materials.
Privacy
and Data Security
Privacy and Data Security
Data is at the core of 4finance Group’s business operations. As a regulated lender, serving our customers requires interaction with personal data.
Our customers trust us to serve them, and a key element of the trust we build with our customers is how we handle and care for the personal data entrusted to us.
We do not consider personal data protection merely a compliance matter. In the digital realm, personal data handling practices require us to make deliberate choices.
Therefore, we want to excel in privacy and cybersecurity, to be fully trusted by our customers.
Governance
Framework
4finance Group has a robust governance framework to address privacy and personal data protection across the whole Group, covering all our markets.
4finance Group Personal Data Protection Policy sets high standards by defining a harmonized set of rules and principles.
To ensure flexibility and local accountability our operating entities also have DPOs who act as contact points locally. Local DPOs ensure that Group level guidance with the highest standards is adhered to and implemented according to the specific market and jurisdiction.
4finance Group has a dedicated Group Data Protection Officer (DPO) and personal data protection team reporting to top management and risk governance body. Ultimate data protection governance and compliance accountability lies with the Group Chief Legal Officer, a member of the Group’s Executive Committee.
Independent assurance in data protection and cybersecurity areas is ensured by Group internal audit function or in some cases third party providers.
Our dedicated Group Information Security team is entrusted with implementing and monitoring technical and organizational measures for cybersecurity in all environments whether digital of physical.
Data processing principles
4finance Group ensures that the fundamental data protection principles are embedded across the whole data lifecycle:
Lawfulness
We process data only when there are legal grounds to do it
Fairness
We process data in a way that is expected and fair towards the person
Transparency
We clearly communicate (via our Privacy Policies) how we process personal data
Purpose limitation
We process data only for the purposes it was collected for or compatible purposes
Data minimization
We process adequate and relevant data to the purposes
Accuracy
We keep data precise and up to date
Storage limitation
We keep data only as long as necessary and delete the data after a set time frame
Security
We keep data secure against unauthorized or unlawful access and use, and against accidental loss, damage or destruction
Data management
Data management
4finance Group screens all vendors involved in personal data processing to ensure a level of data protection on par with our standards and that they do not pose a risk to data processing
We only transfer personal data to third parties when there is a lawful reason to do so. When data is transferred outside of the EU, we ensure adequate safeguards are in place
As with most digital services our processes involve a degree of profiling and automated decision-making, however, we have a clear set of standards to ensure fairness and accuracy as well as the possibility to have human involvement
In general, we do not collect and process sensitive data of customers, however, we have procedures in place how such incidentally received data should be handled
None of 4finance Group’s entities process children’s data, as our products may not be provided to children. We make sure our marketing and data analysis processes are not privacy intrusive by ensuring centralized and limited data processing.
Requests from government are handled by qualified personnel to ensure that only the legally allowed disclosures are made and that there is a possibility for a reasonable challenge if appropriate.
4finance Group is committed to ensure highest quality customer care and promptly reacts to data subject requests and responds as soon as possible. Personal data request forms are available in the Privacy Policy of each product page. If you are a client, please visit your profile with self-service options as well.
Accountability and awareness
We keep detailed records and inventories of all personal data assets and automatically track all data flows to and from our organizations. Records of processing activities and tracking solutions are regularity updated to reflect all changes.
Embedding data protection already at inception, Data Protection by Design and by Default approaches are employed in all new product and solution developments.
To address specific data protection risks we perform Data Protection Impact Assessments and make sure that risks are minimized and there is no scope for unacceptable risks.
4finance Group ensures general privacy and information security training is mandatory during the employee introduction process and repeated yearly. There are also specific training programmes tailored to specific functions.
Information security
4finance Group Information Security governance practices
Information assets are vital to 4finance Group and require effective protection against unauthorized access, modification, disclosure, or destruction. Information assets stored, transmitted, and processed in various electronic formats have become critical to almost every aspect of business. Risks related to those assets, once a minor component  of operational risk, are now critical for organizations to identify and manage.
4finance Group has established an Information Security management system, complete with policies and procedures, and is committed to protect information used by 4finance Group in attaining its business goals.
These principles meet or exceed applicable industry, global, regional, and local country regulatory requirements.
The main goal for 4finance Group in Information Security is achieving the maximum level of confidentiality, integrity, and availability of information, preventing unauthorized use of this information, and raising awareness of security amongst personnel.
Policies and procedures
Our Information Security policies set out the main security concepts, outline the main rules for data handling and disposal, and together with our procedures cover such security areas as access management, vulnerability management, security testing, third party security management, and other operational Information Security principles. They outline necessary responsibilities and practices with the goal of ensuring that Information Security objectives are achieved, that risks are managed appropriately and verify that information assets are used responsibly to ensure confidentiality, integrity and availability of business-critical information.
These policies and procedures must be followed by all personnel, contractors, vendors and third parties that process, store, transmit or handle information assets of the 4finance Group.
Responsibilities
It is a fundamental responsibility of 4finance Board of Directors to protect the interests of the organization’s stakeholders. Information and the systems that process information are critical to the operation of 4finance Group.
The security of information, as with other critical organizational assets, is addressed at the senior management level. Effective security requires active involvement of executives to assess emerging threats and provide effective response to them.
4finance Group Risk Committee
The committee’s main purpose is to ensure that risks are identified, measured, managed, and communicated properly.

The Risk Committee develops full visibility of risks, the level of exposure, mitigation plans and possible negative consequences across all risk categories, including Information Security risks.
The Risk Committee regularly evaluates risk management practices and tools adopted by the Group and ensures they are sufficient, effective, compliant with regulatory requirements, adhere to the best market practices and support a sustainable business in long-term.
4finance Group also maintains the role of Chief Information Security Officer (CISO) that is directly responsible for coordinating and overseeing 4finance Information Security strategies and compliance with security policies and procedures regarding the confidentiality, integrity, and availability of its information assets.
The CISO works closely with internal security team, the IT organization, and other 4finance Group managers and staff involved in securing the company’s information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed. CISO provides regular updates about Information Security related risks, emerging threats, and other items of concern to the Risk Committee.
Security operations and incident response
4finance Group continuously monitors and analyzes security events, and defends against security breaches, and actively isolates and mitigates any security threats.
Our incident response processes cover such tasks as incident identification, classification, reporting to management and any relevant supervisory authorities and describes further steps of specific incident handling in details.
4finance Group considers it a priority to ensure that effective incident response is possible and necessary investigation activities for suspicious and potentially malicious activities are carried out.
For more information on our approach to ESG matters please contact:
investorrelations@4finance.com
www.4finance.com