BPCE - 2018 Registration document

6 RISK REPORT

Non-compliance, security and operational risks

6.11 Non-compliance, security and operational risks

The Compliance, Security and Operational Risk division works independently of the operational divisions, as well as of the other Internal Control divisions with which it cooperates. It has three major divisions:

● a Compliance department which covers three areas: banking compliance, investment services and financial security, notably ensured by BPCE’s Tracfin officers;
● a Security department covering all areas: personal and property safety, business continuity, information system security, cyber security and fraud watch, as well as coordination of the new DPO (Data Protection Officer) function;
● an Operational Risk Management department.

The Compliance, Security and Operational Risk division carries out its duties within the framework of business line operations. To this end, it helps guide and motivate the Heads of the Compliance, Security and Operational Risk functions of the affiliates and subsidiaries. The Compliance Officers appointed by the various affiliates, including the Caisse d’Epargne and Banque Populaire parent companies and direct subsidiaries covered by the regulatory system of banking and financial supervision, are functionally subordinate to the Compliance, Security and Operational Risk division. The Compliance, Security and Operational Risk department conducts any necessary initiatives to strengthen compliance, security and operational risk management throughout Groupe BPCE. As such, it sets out standards, shares best practices and coordinates working groups consisting of departmental representatives.

6.11.1 Compliance

ORGANIZATION

The Compliance function covers two main fields of expertise:

● Banking Compliance, aimed at preventing risks of failure to comply with laws, regulations and professional standards governing KYC and the banking industry. To that end, it encompasses support for operational departments in their compliance with regulatory changes, dissemination of standards (including ACPR recommendations and EBA guidelines), compliance expertise for the purpose of helping approve new products or sales processes, supervision of document and challenge approval processes, and oversight of the Group’s outsourced critical or essential services. It also strengthens the management of non-compliance risk through oversight of complaints analysis, use of compliance controls and mapping of non-compliance risks reported by Groupe BPCE institutions within the scope of banking and KYC compliance;
● Investment Services Compliance, which covers compliance and ethics in the conduct of financial activities, as defined by the AMF General Regulations. More broadly, it includes the prevention of conflicts of interests, ensuring that customer interests prevail, compliance with market rules and professional standards in the banking and financial sectors, and, finally, regulations and internal standards governing business ethics. It also includes oversight of investment services and the operating procedures of investment services compliance officers (RCSIs). Since the end of 2016, Investment Services Compliance has also included SRAB commitments (Separation and Regulation of Banking Activities) – Volcker office.

Promoting a culture of risk management and taking into account the legitimate interests of customers is also achieved through employee training. Consequently, the Compliance, Security and Operational Risk department:

● creates the content for the training materials used for the Compliance function and manages interactions with the Group Human Resources division and the Governance and Coordination department of the DRCCP, which coordinates the annual work schedule for the Risk and Compliance functions;
● helps train Compliance staff, mainly through specialized annual seminars (financial security, ethics and compliance, banking compliance, coordination of permanent compliance controls, cybersecurity, etc.);
● coordinates the training program for heads of compliance and Compliance Officers;
● coordinates the Compliance, Security and Operational Risk functions of the institutions, primarily by organizing national compliance, security and operational risk days;
● draws on the expertise of the Compliance functions of Group institutions via theme-based working groups.

Moreover, BPCE’s corporate compliance as well as the compliance of the Group’s Insurance businesses is handled by a dedicated team in the DRCCP Secretary’s Office.

MEASUREMENT AND SUPERVISION OF NON-COMPLIANCE RISK

Non-compliance risks are analyzed, measured, monitored and managed in accordance with the Ministerial Order of November 3, 2014, with the aim of:

● ensuring a permanent overview of non-compliance risks and the associated risk prevention and mitigation system, including updated identification under the new non-compliance risk-mapping exercise;
● ensuring that the largest risks, if necessary, are subject to controls and action plans aimed at supervising them more effectively.

Groupe BPCE manages non-compliance risk by mapping out its non-compliance risks and implementing mandatory Level 1 and 2 compliance controls common to all Group retail banking institutions. These control frameworks were reviewed in 2018 for the purpose of adapting them to the risks and systems in place, and will be rolled out in the first half of 2019.
