Skip to content

Governance: Business Ethics

Our governance structure, thoughtful policies and active engagement with our employees underscore our commitment to this principal.

We provide annual training for all employees on our Standards of Conduct, compliance management requirements, BSA/AML (Bank Secrecy Act/Anti-Money Laundering) processes, physical security, risk culture and internal controls, risk reporting and awareness, and information security awareness.

The Board of Directors is also required to adhere to the company’s Code of Ethics in satisfaction of Section 406 of the Sarbanes-Oxley Act of 2002, the NASDAQ listing requirements and related regulations. As a national bank, each member of BOK Financial’s Board of Directors affirms their commitment to uphold the organization’s standards in its annual Oath of Office.

BOK Financial’s Chief Compliance Officer oversees the enterprise compliance program and reports to the Chief Risk Officer. The compliance program includes policies and procedures, annual training requirements, monitoring and testing, annual risk assessments and a complaint management program.

Compliance staff actively monitor line of business activities and governance to determine compliance with applicable regulatory requirements. Monitoring activities identify, track, and report issues discovered in the lines of business through formal risk assessments. Monitoring also aids in identifying opportunities to inform the scope of testing performed by Corporate Compliance Management and Internal Audit.

Our efforts and programs help support the United Nations Sustainable Development Goals.


Reference

Standards of Conduct
Employees are annually trained on and attest to the company’s Standards of Conduct.

Code of Ethics
Annually, directors attest to and the Audit Committee reviews the Code of Ethics.

Proxy Statement
The annual proxy statement identifies responsibilities of board committees including the company’s capital planning process.

Privacy Practices
The company’s Privacy Officer implements our privacy practices and ensures compliance with applicable privacy regulations.


  • The company’s Whistleblower Policy enables anyone to report any suspected illegal or unethical activity without fear of retaliation. The company’s Risk Reporting Hotline is managed by an independent third party and allows 24/7 reporting of concerns about anything that may violate our Standards of Conduct or Code of Ethics.

    Upon notice of a potential Code of Ethics violation, the Chief Auditor, Chief Risk Officer and Chairman of the Audit Committee are responsible for reporting the matter to the Office of the General Counsel. Retaliation affecting a term and condition of employment because an individual reported a potential conflict of interest and/or potential violation of the Code of Ethics or applicable law is strictly prohibited.

  • BOK Financial is committed to detecting persons engaged in money laundering or terrorist financing and preventing them from using our products or services. The company complies with all Anti-Money Laundering (AML), Bank Secrecy Act (BSA), OFAC (Office of Foreign Assets Control) and USA PATRIOT Act regulations.

    The companywide BSA/AML Program addresses the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A board-appointed BSA officer who reports to the Chief Risk Officer coordinates and monitors all aspects of the BSA/AML compliance program and its implementing regulations.

    A system of internal controls has been designed to prevent money laundering and terrorist financing, report potentially suspicious transactions, assess risk in an ongoing manner, and monitor OFAC sanctions and customers and transactions. Annual testing evaluates the effectiveness of the program which is reviewed annually by the Risk Committee of the Board of Directors and the Office of the Comptroller of the Currency.

  • BOK Financial is committed to safeguarding company and client information with a stringent program encompassing policies, processes, procedures, and organizational structures that are continuously monitored, reviewed and improved upon.

    Protection requirements for sensitive data are established based on its classification to ensure the mitigation of unauthorized access regardless of its state (i.e. data-in-motion, data-in-use, and data-at-rest). The board and company ensure that the Information Security Program is well resourced, and management ensures that the program is integrated into all lines of business, support functions, and third-party management programs.

    The company’s Chief Information Security Officer (CISO) oversees a team responsible for security risk management, data protection, identity and access management, security operations, security incident management, security awareness, threat management, and security architecture and engineering. The CISO provides quarterly updates to the company’s management-level Risk Council and Risk Committee of the Board of Directors on the company’s cybersecurity program, policies and controls; efforts to improve security; and responses to cybersecurity events. The program is reviewed annually by the company’s regulators, internal and external auditors.

    The company sets the expectation that each employee is responsible for the security and confidentiality of client and customer information. That expectation is communicated upon hire and annually through cybersecurity trainings; frequently in internal publications and employee intranet site; and attested to annually in the company’s Standards of Conduct.

    Information Security continually monitors company networks and systems to detect suspicious or malicious events. Additionally, the Security Operations team monitors threat intelligence sources to anticipate and research evolving threats, investigate potential impact, and examine company controls to detect and defend against those threats.

    The company’s cybersecurity program implements security controls aligned with ISO 27001:2013 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and demonstrates the effectiveness in controlling, mitigating, and reducing security and privacy risks by:

    • Securing the client – Utilizing streamlined secure logins, product security protection, online fraud detection and cybersecurity awareness.
    • Securing computing environments – Utilizing top cybersecurity partners and technologies whether in the cloud, in our data centers or with our third-party vendors.
    • Securing the workforce – Through policies and standards, we regularly inform our employees about their responsibilities to protect client data.
  • The company’s Privacy Officer implements our privacy practices and ensures compliance with applicable privacy regulations. We apply privacy-by-design in the development of our applications and also establish processes to fulfill data requests from our customers.

Our Commitment to ESG

For more than 100 years, we’ve focused on making sure that families and businesses have a trusted, secure source of financial expertise. We’ve been committed to making our communities a better place to live and work. And, we’ve been an employer that values diversity, promotes inclusion and fosters career growth for all of our team members.

Governance: Board Oversight
Governance: Customers
Governance: Systemic Risk Management
Governance: Responsible Investing