Governance

Ethics and Compliance Program

We maintain a robust set of ethics and compliance documents, which we review and update annually. The principles and expectations set forth in those documents are reinforced through annual training and certification, and processes are in place to detect and remediate any violations. The ethics and compliance program administration and key documents are described in detail below.

Compliance Administration

We have established the following roles and processes to promote ethical business conduct and compliance with our policies:

Our General Counsel serves as our Chief Compliance Officer and is responsible for overseeing our ethics and compliance program, which includes reviewing and updating policies annually. As further described below, the Chief Compliance Officer also provides for annual training, tracks and responds to any reports of suspected noncompliance, and collects annual certifications.

All officers and employees with supervisory responsibilities are responsible for ensuring that the personnel they supervise, including temporary contractors, are familiar with and comply with our compliance materials.

Every officer, employee, and contractor receives mandatory ethics and compliance training within 30 days of commencing work at Granite Point and on an annual basis thereafter. The ethics and compliance training covers the following topics, among others:

  • Fair dealing
  • Conflicts of interest
  • Business gifts and entertainment
  • Bribery and kickbacks
  • AML and fraud
  • Related-person transactions
  • Information security and confidentiality, including PII
  • Workplace conduct
  • Human and labor rights
  • Regulation FD
  • Insider trading

In addition, all officers and employees receive regular third-party training on cybersecurity, anti-harassment, and diversity, equity, and inclusion.

Any ethics or compliance concerns can be raised through Granite Point’s whistleblower alert line at 844-572-2197 or at www.gpmortgagetrust.ethicspoint.com. This alert line is operated by a third party; is available 24 hours a day, 365 days a year; and will accept anonymous reports. Our compliance documents and training also encourage employees to report concerns to their supervisor or the Chief Compliance Officer. For more information about our program for addressing accounting or auditing concerns, see our Whistleblowing Procedures for Accounting and Auditing Matters.

All officers and employees must certify annually to the Chief Compliance Officer that they have read and understood the compliance materials listed below, have acted and will continue to act in compliance with them, and have reported any known or suspected violations:

  • Code of Business Conduct and Ethics (described below)
  • Information Security, Cybersecurity, and Acceptable Use Policy
  • External Communications Policy
  • Insider Trading Policy
  • Related Person Transactions Policy
  • Anti-Money Laundering Policy (described below)
  • Human and Labor Rights Policy (described below)

We strictly prohibit retaliation related to any report of a suspected ethics or compliance violation made in good faith.

Code of Business Conduct and Ethics

Our Board of Directors has adopted a Code of Business Conduct and Ethics that applies to our officers, directors, and employees. The code is designed to detect and deter wrongdoing and to promote, among other matters:

  • Compliance with applicable laws, rules, and regulations, including those related to securities, labor, employment, and workplace safety
  • Honest and ethical promotion of Granite Point’s interests through fair dealing with counterparties, suppliers, competitors, and colleagues; appropriately handling actual or apparent conflicts of interest between personal and professional relationships; and advancing the company’s legitimate interests rather than pursuing personal benefit when business opportunities arise
  • Ethical business decision-making, including limits on gifts and entertainment and a prohibition on bribery, kickbacks, or other improper payments
  • Full, fair, accurate, timely, and understandable disclosure in our reports filed with the SEC and other public communications
  • Appropriate treatment of confidential information and company assets
  • A safe and healthy work environment that is free from discrimination and harassment
  • Reporting, investigating, and disciplining violations of the Code of Business Conduct and Ethics

Anti-Money Laundering Policy

We voluntarily maintain an Anti-Money Laundering Policy to help prevent money laundering and terrorist financing and to support law enforcement efforts that combat such activities. The policy applies to all officers, employees, and contractors and is administered by our Chief Compliance Officer acting as AML Compliance Officer. The policy educates personnel about indicators of suspicious and possibly fraudulent activity and provides that, when originating a loan, personnel must first undertake to confirm and document the identity of any party with a significant interest in the transaction.

After identifying and documenting any such party, we engage specialized vendors to run a battery of know-your-customer (KYC) searches, including searches for liens, litigation, and inclusion on watch lists published by the Office of Foreign Assets Control. Our Anti-Money Laundering Policy requires personnel to report any suspicious transaction or activity to the AML Compliance Officer, who will refer the matter to legal or regulatory authorities if appropriate.

Human and Labor Rights Policy

We acknowledge the potential impact that Granite Point’s actions can have on the human and labor rights of our employees, prospective employees, and other individuals with whom we interact in the conduct of our business. Accordingly, we have established a Human and Labor Rights Policy to promote the basic rights of life, liberty, and security for all individuals (specifically including women and members of minority groups). The policy applies to all officers, employees, and contractors and is administered by our Chief Compliance Officer.

As stated in our Human and Labor Rights Policy, we aim to do business in accordance with the UN Universal Declaration of Human Rights and the UN Guiding Principles on Business and Human Rights. The policy includes the following key principles:

  • No Child Labor - We employ only those individuals who meet the applicable minimum legal age requirements, and in no event utilize child labor.
  • No Forced Labor - We do not use or engage in any forced labor, including prison labor, indentured labor, bonded labor, military labor, slavery, human trafficking, or compulsory labor.
  • Lawful Hours and Leave - We ensure that employees are entitled to working hours, breaks, holidays, and leave periods in compliance with all applicable laws, rules, and regulations.
  • Lawful Compensation - We comply with all minimum wage and compensation requirements as mandated by applicable law.
  • Humane Treatment - We seek to provide a workplace that is free of all forms of abuse, exploitation, or other inhumane treatment, and we do not engage in or permit corporal punishment or threatened or actual violence.
  • Basic Human Needs - We seek to ensure that our activities do not negatively affect access to basic human needs, including access to food, water, sanitation, or healthcare.
  • Freedom of Association - We respect employees’ right to freedom of association and honor the lawful rights of our workforce to exercise (or not exercise) their right to collective bargaining.

Political Contributions Policy

Granite Point does not make contributions to political candidates, political parties, political campaigns, or intermediary organizations such as political action committees. Personnel are counseled not to make any personal political contributions in a way that appears to be an endorsement or contribution by the company.

Information Security and Privacy

We understand the significance of information security, including cybersecurity, to all our stakeholders. We actively manage cybersecurity, information security, and technology risks, and we are committed to implementing leading data protection standards and respecting data privacy.

Risk Management Program

Pursuant to its charter, our Audit Committee oversees our management of risks related to information security and technology, including cybersecurity. Senior management regularly reports to our Chief Executive Officer and members of our Board of Directors on the status of our cybersecurity risk management initiatives.

Our cybersecurity and information security risk management program also provides for evolving targets and objectives and incorporates expertise and suggested best practices from outside experts, including multifactor authentication, firewalls, and intrusion detection and prevention systems. We also regularly monitor relevant guidance provided by the SEC and other regulators. In addition, we maintain cybersecurity risk insurance coverage and other relevant insurance policies to mitigate cybersecurity and other information security risks.

We have an information security incident response team tasked with implementing our Incident Response Plan in the event of cybersecurity or other information security incidents. That team works with our internal and external resources (for example, insurers, outside counsel, and forensic advisors) as necessary with the goal of containing, mitigating, and remediating cybersecurity or other information security incidents.

Training and Testing

All Granite Point officers, employees, and directors are required to take quarterly cybersecurity training modules delivered through a third-party platform. As part of our ongoing cybersecurity and data security training efforts, we also arrange for all officers, employees, and contractors to periodically receive simulated socially engineered “phishing” emails to test and improve their awareness of this particular threat. Personnel who “click” or otherwise fail these tests receive immediate notifications and may be required to undergo additional testing or training. Such individuals may also receive reminder emails from members of the senior management team.

We regularly conduct cybersecurity risk assessments of our company and key outside vendors, including penetration testing and vulnerability scanning, with the goal of protecting the confidential, proprietary, and sensitive information of our company and stakeholders. These assessments are administered by independent third-party firms, and we review the recommendations contained in those assessments and implement them as appropriate.

Privacy

As a commercial real estate lender, we do not offer financial products or services used primarily for personal, family or household purposes. Consequently, we do not regularly obtain personally identifiable information (PII) in connection with our product and service offerings.

We may, however, receive PII for other purposes—for example, due diligence in connection with a commercial real estate loan or personnel record keeping—and have implemented a number of physical and technical standards, procedures, and other safeguards for protecting any PII we receive, including information security and privacy policies for the appropriate handling of personal data.

We also maintain a formal privacy policy on our website that describes the types of personal information we may collect about users when they access our website, the purpose for which we may use that information, and the circumstances in which we may share or disclose that information.

Corporate Governance Practices

We have adopted many best practices to protect the long-term interests of our stockholders, as summarized below. See our Corporate Governance Guidelines for more information.

  • Separation of Chair and CEO - Our Chief Executive Officer focuses on managing the company while our independent Board Chair drives accountability at the Board level.
  • Independence - All our directors are independent except for our CEO, and all our Board committees are comprised entirely of independent directors.
  • Majority Voting - We have a majority standard for uncontested elections of directors and a resignation policy for directors who do not receive a majority of the votes cast.
  • Unclassified Board - All of our directors are elected annually for a one-year term.
  • Board Assessments - A rigorous evaluation process that covers the Board, its committees, and individual directors helps our Board identify and address any opportunities for improvement.
  • Executive Sessions - Our independent directors hold regular executive sessions.
  • Director Education - We will reimburse directors for up to $5,000 per year of continuing education costs incurred in connection with their service on our Board, empowering them to be well-versed in principles of corporate governance and other critical subject matters.
  • Over-Boarding Restrictions - A director may not serve on more than three other boards of public companies in addition to our Board, and a director who serves as a public company CEO may not serve on more than one other board.
  • Stock Ownership Guidelines - Each independent director is expected to accumulate equity interests in an amount equal to three times the director’s annual base cash retainer.
  • No Hedging or Pledging - We prohibit short sales, transactions in derivatives, hedging, and pledging of our securities by directors, executive officers, and employees.
  • Single Class of Common Stock - Each share of our common stock has one vote.
  • Special Meetings - Holders of a majority of our stock are able to call a special meeting of stockholders.
  • "Rooney Rule" - We will take reasonable steps to assemble a diverse pool of nominees when conducting searches for new directors, and any search firm we engage will be affirmatively instructed to seek to include diverse candidates.