Code of Conduct

Our Commitment to Integrity

The principles, standards and expectations that guide every decision, every engagement and every relationship at Compliance House — across every jurisdiction in which we operate.

Our Foundation

Six Core Principles

These principles are not aspirational slogans — they are operational commitments that shape how Compliance House delivers services, manages relationships, and represents the profession of compliance across every jurisdiction in which we operate.

01 / PRINCIPLE
Integrity Without Exception
We practise what we advise. The highest standard of ethical conduct applies to our own operations before it applies to any client engagement.
02 / PRINCIPLE
Professional Independence
Our advisory outputs are never influenced by commercial interest, personal relationships, or any expectation of future business. Every recommendation is objective and evidence-based.
03 / PRINCIPLE
Confidentiality as Trust
Client information, engagement findings, and third-party data are held in strict confidence. Confidentiality is not a legal formality — it is the foundation of every client relationship.
04 / PRINCIPLE
Courage to Speak Up
We actively create safe channels for raising concerns. We expect every member of our team to speak up — and we protect those who do without question or reservation.
05 / PRINCIPLE
Continuous Improvement
Our compliance program is a living system. We review, test, and strengthen our controls on a regular basis, incorporating regulatory developments and lessons learned.
06 / PRINCIPLE
Tone from the Top
Leadership demonstrates integrity in every decision. The standard set at the top cascades through every team, every engagement, and every external interaction.

Leadership

Message from the Founding Team

"Compliance is not a service we sell. It is a standard we live — and this Code is our most important public commitment to that truth."

At Compliance House, we occupy a uniquely privileged position. Our clients trust us with their most sensitive integrity challenges — and trust us to give them honest, independent, expert guidance in return. That trust is not granted automatically. It is built through consistent conduct, over time, with every decision we make.

This Code of Conduct represents the behavioural standard we set for ourselves. It covers every member of our team, every partner, every associate, and every engagement — regardless of geography, service line, or client profile.

We are a compliance consulting firm operating across multiple jurisdictions, languages, and regulatory frameworks. The diversity of our operating environment does not reduce our standard — it raises it. We apply the highest applicable standard wherever we work, and we do not calibrate our ethics to local tolerance levels.

We ask every person associated with Compliance House to read this Code carefully, to internalise its principles, and to act on it every day. If you ever face a situation that is not clearly covered — ask. Our speak-up channels are always open, and no question asked in good faith will ever be held against you.

Compliance House
Founding Team · Istanbul, Turkey
Foundation
CHAPTER 01

Scope & Application

Who This Code Applies To

This Code of Conduct applies to all individuals and entities acting on behalf of Compliance House, including but not limited to:

  • All employees, regardless of seniority, contract type, or location
  • Founders, directors, and members of advisory or supervisory boards
  • Associates, independent consultants, and contracted advisors
  • Trainees, interns, and secondees
  • Third-party service providers, partners, and sub-contractors who act on our behalf

Jurisdictional Reach

Compliance House operates internationally from its base in Istanbul, Turkey. This Code applies in all jurisdictions where we deliver services — including but not limited to engagements governed by Turkish law, EU law, UK law, and US law. We comply with the most stringent standard applicable in any given context.

Regulatory Anchors

Our compliance obligations are informed by: Turkish Criminal Code (Arts. 252–255), Turkish Commercial Code, MASAK AML/CFT framework, UK Bribery Act 2010, FCPA (US), SAPIN II (France), EU Whistleblower Directive, GDPR, ISO 37001, and ISO 37301.

The "Newspaper Test"

When in doubt about whether a particular action is appropriate, apply the following question: "Would I be comfortable if this decision appeared on the front page of a reputable newspaper?" If the answer is no — stop, consult, and do not proceed.

Relationship to Other Policies

This Code is the overarching ethical framework. Specific internal policies — on gifts, data handling, procurement, and training delivery standards — supplement and detail the principles set out here. In the event of any conflict, the higher standard applies.

Zero Tolerance
CHAPTER 02

Anti-Bribery & Anti-Corruption

Our Position: Absolute Zero Tolerance

Compliance House maintains a strict, unconditional zero-tolerance policy on bribery and corruption in all its forms. This position is non-negotiable, applies in every country in which we operate, and is not subject to commercial or competitive pressure.

Prohibited at all times, for everyone associated with Compliance House:

Offering, promising, giving, requesting, accepting, or facilitating any bribe, kickback, improper payment, or other corrupt advantage — whether to or from a public official, a private sector actor, a client, a regulator, or any other person — directly or through a third party.

Facilitation Payments

Facilitation payments — small payments made to expedite routine government actions — are prohibited, even where they may be locally tolerated or considered minor. The UK Bribery Act 2010 (which applies to our UK-nexus work) and our own internal policy do not recognise a de minimis threshold for such payments.

Interaction with Public Officials

Engagements that involve interaction with public officials — including regulatory bodies, government ministries, public procurement authorities, or state-owned enterprises — require heightened due diligence. All such interactions must be:

  • Documented in writing before and after the interaction
  • Disclosed to the relevant engagement leader or managing partner
  • Conducted through legitimate, transparent channels only
  • Free from any offer, gift, hospitality, or benefit of any kind beyond permitted modest courtesies

Political Contributions

Compliance House does not make political contributions — financial or in-kind — to any political party, political candidate, or political campaign, in any jurisdiction. Political activity by individual team members in their personal capacity must not be conducted in the name of, or with resources belonging to, Compliance House.

Applicable Frameworks

Our anti-bribery controls are designed to meet or exceed the requirements of: ISO 37001:2016 (Anti-Bribery Management Systems), FCPA (applicable to US-nexus engagements), UK Bribery Act 2010 (applicable to UK-nexus engagements), Turkish Criminal Code Articles 252–255, and the OECD Anti-Bribery Convention.

Professional Standards
CHAPTER 03

Conflicts of Interest & Professional Independence

Why Independence is Our Core Product

For a compliance advisory and training firm, professional independence is not merely an internal governance concern — it is the very foundation of the value we deliver. A client who cannot rely on the objectivity of our advice has received nothing of worth.

What Constitutes a Conflict

A conflict of interest exists — or may reasonably be perceived to exist — when:

  • A personal, financial, or family interest of a team member could influence, or appear to influence, a professional judgment or recommendation
  • We hold a financial or equity interest in a client's business or a competitor's
  • We have been engaged by parties with directly opposing interests on related matters
  • A team member receives personal benefits from a vendor, supplier, or certification body that our firm recommends or evaluates
  • A team member sits on the board or advisory body of a client or competitor organisation

Consulting-Specific Conflict Scenarios

Certification Advisory

We do not advise clients toward specific certification bodies or auditors in which we have any financial arrangement, referral agreement, or personal interest.

Training Delivery

Training content and methodology recommendations must be made on merit, not on the basis of which platform, publisher, or vendor provides commercial benefit to Compliance House.

Multi-Engagement Clients

Where we deliver both assessment and remediation services to the same client, we document the scope clearly and ensure assessment outputs are not compromised by remediation commercial interests.

Investigation Support

We do not conduct investigations into matters in which any team member has personal knowledge, prior involvement, or a familial or financial connection to any party.

Disclosure and Management

All actual, potential, or perceived conflicts must be disclosed promptly — before an engagement begins, or immediately upon discovery during an engagement. Undisclosed conflicts are a disciplinary matter. The firm will determine, on a case-by-case basis, whether the conflict can be managed (with safeguards) or requires recusal.

Outside Activities

Team members wishing to engage in external professional activities — including board positions, advisory roles, speaking engagements for remuneration, or published work — must seek written approval in advance. Such activities must not compete with Compliance House or create reputational risk.

Integrity Controls
CHAPTER 04

Gifts, Hospitality & Entertainment

The Governing Principle

Gifts, hospitality, and entertainment must never influence — or be perceived to influence — a business decision, professional judgment, or client recommendation. The purpose of any hospitality must be legitimate, transparent, and proportionate.

Thresholds & Requirements

Category | Permitted? | Threshold / Conditions
Modest promotional items (branded merchandise) | Permitted | Low value, widely distributed, no quid pro quo
Business meals | Permitted | Modest, infrequent, business purpose documented, not with public officials
Conference or event sponsorship | Approval Required | Must be disclosed to management; proportionate to event; no expectation of business benefit
Cash or cash-equivalent gifts (vouchers, prepaid cards) | Prohibited | At all times, regardless of value
Gifts to or from public officials | Prohibited | No exceptions
Travel or accommodation for clients/partners | Approval Required | Pre-approval mandatory; directly connected to legitimate business purpose
Luxury goods, premium personal gifts | Prohibited | No exceptions
Meals during active tender or procurement process | Prohibited | Moratorium applies during entire tender window

Recording

All gifts and hospitality received or extended above a nominal threshold must be recorded in the firm's Gifts & Hospitality Register, regardless of whether they require pre-approval. This register is reviewed by management on a quarterly basis.

When in doubt

If you are uncertain whether a gift or hospitality item is appropriate, do not accept or extend it until you have consulted management. The act of asking is always encouraged and will never be penalised.

Supply Chain
CHAPTER 05

Third-Party & Supplier Integrity

The Principal-Agent Risk

Under the UK Bribery Act and FCPA, Compliance House can be held liable for the corrupt acts of those acting on our behalf — even without our direct knowledge. Third-party risk management is therefore not an optional due diligence step; it is a legal necessity.

Risk-Based Due Diligence

All third parties who act on behalf of Compliance House — including sub-contractors, local partners, referral agents, translators, event organisers, and technology vendors — must undergo due diligence proportionate to the risk they represent:

  • Low-risk: Screening against sanctions lists and negative news databases
  • Medium-risk: Above, plus verification of legal status, beneficial ownership, and references
  • High-risk (public official nexus, new jurisdiction, intermediary role): Enhanced due diligence including site verification, in-person meeting, and management sign-off

Third-Party Code Compliance

All significant third parties must acknowledge and agree to comply with the core principles of this Code of Conduct as a condition of engagement. Contracts with third parties must include appropriate anti-bribery representations, audit rights, and termination clauses.

Red Flags to Watch For

  • Requests for payment to unusual accounts, in cash, or through intermediaries
  • Refusal to confirm beneficial ownership or provide standard documentation
  • Unusually high commission or fee structures without clear justification
  • Close personal or family relationships with public officials in the relevant jurisdiction
  • Reputation for making "facilitation" payments in the market
  • Pressure to proceed without completing due diligence
Important: The discovery of a red flag does not automatically disqualify a third party — but it must be escalated, documented, and resolved before the engagement proceeds. No engagement may begin while unresolved red flags remain outstanding.
Data & Privacy
CHAPTER 06

Confidentiality & Data Privacy

Client Confidentiality

All information obtained in the course of a client engagement — including findings, internal documents, personnel information, risk assessments, investigation outcomes, and strategic plans — is strictly confidential. This obligation:

  • Applies during and indefinitely after the engagement
  • Extends to all members of the engagement team and anyone briefed on the matter
  • Is not satisfied by anonymisation alone — aggregated or contextual information may still be identifiable
  • Cannot be waived informally; any authorised disclosure requires prior written consent from the client and management approval

Case Studies and Training Materials

Compliance House frequently develops training materials and case studies that draw on real-world scenarios. Where a scenario is based on an actual client engagement, it must be sufficiently anonymised and transformed to prevent identification. Publication or use requires management review. Client-identifiable scenarios may never be used in public training, marketing content, or external publications without explicit written consent.

Data Privacy — GDPR and Turkish KVKK

Compliance House processes personal data in the course of delivering services and operating internally. We are committed to full compliance with:

  • KVKK — Turkish Law on Protection of Personal Data No. 6698 (applicable to all Turkish operations)
  • GDPR — EU General Data Protection Regulation (applicable when processing EU data subjects' personal data)

Personal data is collected only for specified, explicit, and legitimate purposes. It is not processed in a manner incompatible with those purposes, and it is not retained longer than necessary. All data subjects have the rights provided by applicable law, including the right of access, rectification, erasure, and portability.

Information Security

Client files, engagement documentation, and internal records must be stored and transmitted through approved, secured channels. The use of personal email accounts, unsecured cloud storage, or public Wi-Fi for handling confidential material is prohibited.

Financial Crime
CHAPTER 07

Anti-Money Laundering & Sanctions

Anti-Money Laundering

Compliance House must not be used — knowingly or unknowingly — to facilitate money laundering, terrorist financing, or the concealment of proceeds of crime. We are obligated to:

  • Screen all clients and significant third parties against applicable sanctions lists before engagement and periodically thereafter
  • Identify and verify the beneficial ownership of corporate clients
  • Decline or terminate engagements where the source of funds or the purpose of the engagement raises unresolved AML concerns
  • Report suspicious activity to the appropriate authority in accordance with applicable law (MASAK in Turkey, FATF-aligned frameworks in other jurisdictions)

Sanctions Compliance

Compliance House does not conduct business with individuals, entities, or jurisdictions subject to applicable sanctions — including but not limited to sanctions programs maintained by:

  • The United Nations Security Council
  • The European Union
  • OFAC (US Treasury, Office of Foreign Assets Control)
  • HM Treasury / OFSI (UK)
  • Turkey's international sanctions implementation regime
Sanctions Screening

Sanctions lists change frequently. All new engagements require screening before onboarding. Existing engagements must be rescreened when a sanctions designation event occurs that may affect a current client or counterparty.

Unusual Payment Requests

Any client request to route payments through unusual channels — including third-country bank accounts, cryptocurrency, cash, or non-client accounts — must be escalated immediately and not acted upon until cleared by management.

Market Integrity
CHAPTER 08

Fair Competition & Antitrust

Commitment to Fair Markets

Compliance House competes on the merits of its services, expertise, and team. We do not engage in, facilitate, or condone any conduct that distorts competition — regardless of jurisdiction or the competitive pressures we may face.

Prohibited Conduct

The following are strictly prohibited:

  • Agreements or understandings with competitors on pricing, fee structures, market allocation, or client targeting
  • Exchanging commercially sensitive information (pricing, pipeline, capacity) with competitors — even informally at industry events
  • Bid rigging or coordinated tendering with other firms
  • Abuse of any dominant position Compliance House may hold in a particular niche or geography
  • Any conduct designed to exclude a competitor through illegitimate means rather than superior service

Industry Associations and Peer Networks

Participation in industry associations, professional networks, and peer groups is encouraged — but requires care. Team members participating in such settings must:

  • Avoid discussions of pricing, fees, capacity, or specific clients
  • Leave any meeting where such topics are raised and notify management
  • Be mindful that informal conversations carry the same legal risk as formal agreements
People & Culture
CHAPTER 09

Workplace Conduct & Human Rights

Dignity and Respect

Every person associated with Compliance House is entitled to work in an environment free from discrimination, harassment, bullying, intimidation, or any other conduct that undermines human dignity. This applies to our internal team, our treatment of clients, and our interactions with any third party.

Compliance House does not tolerate any form of discrimination on the basis of gender, race, ethnicity, national origin, religion, age, disability, sexual orientation, gender identity, or any other characteristic protected under applicable law.

Diversity and Inclusion

Operating across multiple languages and cultures is a defining feature of our firm. We view diversity of perspective, background, and experience as a professional asset and a source of competitive advantage. Exclusionary behaviour is incompatible with who we are.

Human Rights Due Diligence

Although Compliance House is a professional services firm — not a manufacturing or extractive operation — we recognise that consulting services can be implicated in human rights risks. Specifically:

  • We will not accept engagements where the primary purpose is to mask, minimise, or create the appearance of compliance with human rights standards that the client is actively violating
  • We apply human rights considerations to our supply chain, including technology vendors, event venues, and subcontractors
  • Our advisory services will proactively reference applicable human rights standards (UN Guiding Principles on Business and Human Rights, ILO core conventions) where relevant

Health, Safety and Wellbeing

The wellbeing of our team is a management responsibility, not an individual burden. We maintain a working culture that is demanding but sustainable, and we take seriously any reports of excessive workload, professional burnout, or unsafe working conditions — including in the delivery of field training engagements.

Governance
CHAPTER 10

Accurate Records & Financial Integrity

The Foundation of Accountability

Accurate, complete, and transparent recordkeeping is a legal obligation and a pillar of our integrity. For a firm that advises others on compliance program design, the quality of our own records is a direct reflection of our credibility.

Our Requirements

  • All financial transactions must be accurately recorded and supported by appropriate documentation
  • No entry may be made that is false, misleading, or designed to conceal the true nature of a transaction
  • Expense claims must be truthful, supported by receipts, and aligned with actual business expenditure
  • Engagement records — including scope documents, deliverables, correspondence, and billing — must be complete and accurately reflect the work performed
  • Records must be retained for the periods required by applicable law (minimum 5 years for most financial records under Turkish law; longer where required by contract or regulation)

Document Integrity

The intentional falsification, destruction, or alteration of any business record — including digital files, emails, invoices, and engagement documentation — is a serious disciplinary matter and may constitute a criminal offence. This prohibition applies regardless of whether legal proceedings are pending or anticipated.

Financial Controls

All significant expenditure requires appropriate pre-authorisation. No team member may approve their own expenses, or expenses in which they have a personal financial interest. The separation of duties principle is applied to all financial processes.

Digital Integrity
CHAPTER 11

Technology, AI & Information Security

Responsible Use of Technology

Compliance House increasingly uses digital platforms, communication tools, and artificial intelligence in the delivery of its services and the management of its operations. All such use must align with our integrity standards, our data privacy obligations, and our client confidentiality commitments.

Artificial Intelligence

The use of AI tools in advisory work and content development requires specific care:

  • Client-confidential information must not be entered into public or third-party AI platforms without appropriate data processing agreements and client consent
  • AI-generated content used in client deliverables must be reviewed and verified by a qualified human expert, who accepts professional responsibility for it, before delivery
  • AI tools must not be used to produce legal opinions, regulatory conclusions, or definitive compliance determinations without human expert verification
  • We are mindful of the EU AI Act's evolving requirements and apply appropriate caution in high-stakes advisory contexts

Cybersecurity

  • All team members must use approved devices and secure networks for firm work
  • Phishing attempts, suspected data breaches, and security anomalies must be reported immediately
  • Password hygiene and multi-factor authentication are mandatory for all firm systems
  • Client data may only be shared over encrypted, approved channels

Intellectual Property

Compliance House's training materials, methodologies, frameworks, and tools are proprietary intellectual property. Team members must not share, reproduce, or use these materials outside the firm without authorisation. We equally respect the intellectual property rights of others and will not incorporate third-party content without appropriate licensing.

Reputation
CHAPTER 12

External Communications & Media

Speaking on Behalf of Compliance House

Only authorised spokespersons may make statements to the media or public on behalf of Compliance House. All media enquiries — print, broadcast, or digital — must be directed to the designated contact without comment. This applies equally to requests through social media, podcasts, and online publications.

Social Media

Team members are encouraged to build professional profiles and share relevant thought leadership. When doing so, the following standards apply:

  • Personal social media accounts must be clearly personal; no confidential firm or client information may be disclosed
  • Posts that could be attributed to or reflect upon Compliance House require discretion and good judgment
  • Political statements on public platforms in the name of or associated with Compliance House are not permitted
  • Negative commentary about current or former clients, competitors, or regulators on social platforms is prohibited

Publications and Speaking Engagements

Articles, white papers, conference presentations, and other public outputs produced by team members in their capacity as Compliance House representatives must be reviewed by management before publication. Content must not disclose confidential information, make unsupported regulatory claims, or create reputational or legal risk for the firm.

Client Testimonials and References

Client names, logos, and testimonials may only be used in marketing and business development materials with prior written client consent. We do not claim certifications, regulatory endorsements, or institutional relationships that we do not hold.

Speak Up
CHAPTER 13

Speaking Up & Non-Retaliation

Our Speak-Up Culture

A compliance program without a functioning speak-up culture is a compliance program in name only. At Compliance House, we understand this better than anyone — because we build speak-up programs for our clients. We hold ourselves to exactly the same standard.

What We Expect You to Report

  • Any suspected or actual violation of this Code of Conduct
  • Suspected bribery, corruption, or improper payment — whether involving our team, a client, a third party, or any other actor connected to our work
  • A potential conflict of interest — your own or someone else's
  • Harassment, discrimination, or any conduct that undermines dignity in the workplace
  • Any pressure to falsify records, override controls, or deviate from this Code
  • An incident of data breach or information security failure

How to Report

Direct to Management

Raise concerns directly with your engagement leader or managing partner where you feel comfortable doing so.

Designated Channel

Use the firm's designated integrity channel for matters you prefer to raise outside the direct reporting line.

Anonymously

Anonymous reports are accepted and taken seriously. Identity will not be sought for anonymous reports submitted in good faith.

External Authorities

Nothing in this Code restricts the right to report suspected wrongdoing to a competent regulatory or law enforcement authority.

Absolute Protection Against Retaliation

No person who raises a concern in good faith — through any channel, about any topic covered by this Code — will suffer retaliation, disadvantage, adverse treatment, or any form of sanction. This protection applies regardless of whether the concern is ultimately substantiated.

Retaliation against a person who has raised a concern is itself a serious disciplinary matter, potentially resulting in termination. This applies to all — including management and founders.

EU Whistleblower Directive

For engagements involving EU operations or EU clients, our speak-up framework is aligned with the requirements of EU Directive 2019/1937 on the protection of persons who report breaches of Union law.

Investigations

All reports received will be assessed promptly and, where warranted, investigated. Investigations will be conducted impartially, with appropriate confidentiality protections for all parties involved. Outcomes will be communicated to the reporting person to the extent permitted by law and confidentiality obligations.

Our Pledge

Our Commitment to You

This Code of Conduct is a living document. As the regulatory landscape evolves, as our services expand, and as our team grows, we will review and update this Code on at least an annual basis — or sooner where significant regulatory or operational changes require it.

Every person who joins our team will receive a copy of this Code, complete training on its key requirements, and be asked to confirm their understanding and commitment in writing. This is not a formality — it is the foundation of the trust on which our firm is built.

We welcome questions about this Code, our compliance program, or any ethical situation not clearly addressed here. Asking is always the right choice.

Document Information
Document Reference: CH-COC-2025-EN
Version: 1.0
Effective Date: 1 January 2025
Next Review: 31 December 2025
Governing Law: Republic of Turkey / Multi-jurisdictional
Languages: EN / TR / DE / FR
Classification: Public