AFD - Universal Registration Document 2020
4 Risk management
4.3.6.3 Non-compliance risks

According to regulations, the Compliance Department (DCO) is responsible for the prevention, detection, monitoring and management of non-compliance risk throughout AFD Group. Non-compliance risk is defined as “the risk of legal, administrative or disciplinary sanction, material financial loss or loss to reputation arising from failure to comply with the provisions governing banking and financial activities, whether they be directly applicable legal, regulatory, national or European provisions, or whether they are professional and ethical standards or the instructions given by executive officers, particularly in light of the guidelines from the supervisory body” (Decree of 3 November 2014, Article 10p).

The DCO ensures the Group complies with (i) internal and external provisions related to preventing money laundering and terrorist financing (AML/CFT), (ii) provisions related to the fight against corruption and associated offences as well as fraud and anti-competitive practices, (iii) provisions to do with abiding by national and international trade and financial sanctions, (iv) provisions that govern the performance of banking and financing activities or (v) provisions that ensure the protection of the personal data and private lives of clients.

The department is part of the Executive Risk Department (DXR). The Compliance function reports on its activities to the Internal Control Committee (Cocint) and to the New Products and New Activities committee (Coconap in its Compliance configuration), as well as the Regulatory Risk Committee.

The Compliance function covers all sectors, operations, geographic areas and regulatory contexts of AFD Group. In addition to operational projects and activities, it also concerns the Group’s new activities and products, in accordance with regulations.
Its ultimate aim is to ensure that non-compliance risks are appropriately evaluated in the interest of preventing and limiting the exposure of AFD Group and its management to legal and/or administrative action and to reputational risks, by supervising them should these risks arise. Non-compliance risk monitoring is ongoing and backed by a risk map.

The following changes were made to the non-compliance risk mitigation system during 2020:

- continuation of the roll-out of an anti-corruption and influence peddling programme resulting from the so-called “Sapin II” law of 9 December 2016 with the entry into force of the new procedures relating to the regulation of gifts and invitations in order to clarify the applicable rules, in particular in terms of thresholds and the declaration and approval process, and the strengthening of the procedures relating to the assessment of the situation of the Group’s first-tier suppliers with the development of a classification matrix to assess the risks of supplier corruption with which the AFD Group worked in 2019 and the development of a procedure to enable it to identify and assess the risk of corruption associated with new suppliers as well as throughout the business relationship with them. This procedure will come into force in 2021;
- finalisation of the project to overhaul measures to prevent and manage conflicts of interests within the Group with the aim of streamlining the roles and responsibilities of each of the players involved in preventing and managing conflicts of interest and reviewing internal procedures. The revised system entered into force on 1 January 2021.

Insurance – Coverage of risks run by AFD
AFD has a “Civil Liability” insurance policy that also covers Proparco, a “Directors and Officers civil liability” policy, a “labour relations” policy, a “first excess property damage” policy that also covers Proparco and VAL, an “all exhibition risks – works of art” policy, and a “Directors and Officers civil liability specific to supplementary pension scheme management (IGRS) risk” policy (1). All of the network’s agencies are covered by locally underwritten insurance policies (multi-risk residential and office, and civil liability for office activities). These policies are accompanied by vehicle insurance covering head office (head office policy) and the network (local policies) plus “worldwide” “individual accident” insurance guaranteeing disbursement of share capital in case of death or disability caused by an accident with a vehicle belonging to or rented by AFD.

4.3.6.4 IT-related risks

Information systems security

The Security Department oversees all aspects of ICT risks, including IS security. To this end, the head of the department is supported by the AFD Group’s head of IT system security (RSSI).

An analysis of ICT risks is carried out at least once a year under the IS risk governance system. Security risks are extracted from it and processed under the IT security management system (SMSI), in compliance with ISO 27001. The SMSI provides a framework for addressing AFD’s IT-related risks, from appraisal of the risks to implementing remedial measures and ongoing IT system security checks.

After the annual risk analysis, AFD’s operational risk map and the triennial security project plan are updated. The steering bodies use this plan to determine the security upgrades for the IT system.

The information system security policy (ISSP), which is compliant with ISO 27001 and ISO 27002, defines the 90 security rules needed to protect AFD’s information systems. The application of each rule is stipulated by a set of internal security standards and procedures, in compliance with good practices in the field. This ISSP is accompanied by an IT user charter which has been enforceable for all users since it was included in the rules and regulations. Measures to raise awareness of ISS, in the form of regular talks and digital training, ensure that all Group users are familiar with the main rules for use.
(1) This insurance contract has been transferred to and is managed by the HR Department.