BPCE - 2018 Registration document

6 RISK REPORT

Non-compliance, security and operational risks

ACTIVITIES IN 2018 While updating their joint guidelines in 2018, the ACPR and Tracfin highlighted the importance of the anti-terrorist financing plan deployed for the last several years by the Ministry of Finance. Accordingly, the institutions of Groupe BPCE strengthened their anti-terrorist financing system in 2018, based on a set of standards and automated scenarios tailored to the specific circumstances of terrorist financing (weak signals, relatively low amounts, importance of cross-checking several indices), and meeting enhanced agility and fast-response requirements. Group anti-corruption commitments Corruption, which is defined as an act in which a person offers or grants an undue reward to another person in exchange for an act falling within that person’s remit, is a fraudulent and unethical behavior subject to severe criminal and administrative sanctions. Groupe BPCE denounces corruption in all forms and in all circumstances. It is a signatory of the United Nations Global Compact, whose tenth principle states that “Businesses should work against corruption in all its forms, including extortion and bribery.” Anti-corruption measures The Group strives to prevent corruption in order to guarantee the financial security of its activities, including in particular: by taking measures against money laundering & terrorist financing ● and fraud, supervising “politically exposed persons”, and complying with embargoes; ensuring that employees observe professional rules of compliance ● and ethics by applying policies governing conflicts of interest, exchanges of gifts, benefits and invitations, confidentiality and professional secrecy. Disciplinary sanctions have been defined for

any failure to respect professional rules governing the activities conducted by Group companies; exercising due diligence when making contributions to political ● campaigns or to government agents, donations, patronage and sponsorship, and lobbying; supervising relations with intermediaries and business introducers ● via groupwide standardized contracts describing the reciprocal services and obligations and contractually establishing compensation terms; mapping out exposure to corruption risks through Group activities; ● providing regulatory training on the rules of ethics in the industry ● and against corruption (an e-learning course). A whistleblowing system is available to employees and included in the internal rules. Employees have a procedure in place for implementing the whistleblowing system. The Group has also defined standards and procedures governing KYC and due diligence procedures used for customer classification and supervision purposes. In the interest of organizing the internal control system, whistleblowing/detection tools and permanent control plans serve to bolster the security of this system. BPCE also has accounting policies and procedures in place in line with professional standards. The purpose of the Group’s internal control system for accounting information is to check the conditions in which such information is assessed, recorded, stored and made available, in particular by verifying the existence of the audit trail, within the meaning of the Ministerial Order of November 3, 2014 on internal control. This control system is part of the fraud, corruption and influence-peddling prevention and detection plan. From a more general standpoint, these systems are formalized and detailed in the umbrella charter governing the organization of Group internal control and the Risk, Compliance and Permanent Control Charter. Parent company affiliates and all BPCE subsidiaries have adopted these charters.

Business continuity 6.11.3

The management of business interruption risk is handled from a cross-business perspective. This includes the analysis of the Group’s main critical business lines, notably liquidity, payment instruments, securities, individual and corporate loans and fiduciary activities.

ORGANIZATION As of September 1, 2017, the Group Head of Business Continuity, responsible for the Group Business Continuity division, reports to the Security division, which in turn reports to the Compliance, Security and Operational Risk division. The Group Business Continuity division performs its tasks independently of operational divisions. These include: managing Group business continuity and coordinating the Group ● Business Continuity division; coordinating Group crisis management; ● managing the implementation of the Group Contingency and ● Business Continuity Plans (CBCPs) and keeping them operational; ensuring compliance with regulatory provisions governing business ● continuity; participating in Groupe BPCE’s internal and external bodies. ●

ACTIVITIES IN 2018 Cybercrime risk was the main focus of the year: development of a cybercrime plan, complete with exercises organized internally or by third parties (Digital Economy Directorate of French Polynesia, Banque de France Robustness Group). Improved understanding of the business continuity plans of the Group’s main providers was the second major focus, which will be continued in 2019: overhaul of the approach, rolled out via a Group tool currently under development. Continued efforts to strengthen the overall business continuity system: a new Groupwide business continuity policy is being developed, coverage of cross-business incidents has been improved and a crisis management decision-making tool has been deployed.

686

Registration document 2018