BPCE - 2019 RISK REPORT Pillar III

RISK MANAGEMENT SYSTEM

INTERNAL CONTROL

Reporting to the Chairman of the Management Board, the Group Inspection Générale division performs its duties independently of the Operational and Permanent Control divisions. REPRESENTATION ON GROUP GOVERNANCE BODIES AND RISK MANAGEMENT COMMITTEES In the interest of exercising its duties and contributing effectively to the promotion of an auditing culture, the Head of the Group Inspection Générale division takes part, without voting rights, in the central institution’s key Risk Management Committees. As indicated above, the Head of the Group Inspection Générale division is a member of the Group Internal Control Coordination Committee and has a standing invitation to participate in the Risk Committee and Audit Committee of BPCE, Natixis and the main Groupe BPCE subsidiaries (BPCE International, Crédit Foncier, Banque Palatine). SCOPE OF AUTHORITY To fulfill its duties, the Group Inspection Générale division establishes and maintains an inventory of the Group’s auditing scope, which is defined in coordination with the Internal Audit departments of the Group institutions. It makes sure that all institutions, activities and corresponding risks are covered by comprehensive audits, performed at frequencies defined according to the overall risk level of each institution or activity, and at least every four years on average for banking activities. In so doing, it takes into account not only its own audits, but also those conducted by the supervisory authorities and the Internal Audit divisions. The annual audit plan is defined with the Chairman of the BPCE Management Board, and presented to the Group Internal Control Coordination Committee and the Group Risk Management Committee. It is also transmitted to the national and European supervisors. Inspection Générale division audits contain recommendations prioritized by order of importance, which are regularly monitored (at least once every six months). The division reports the findings of its work to the executive managers of the audited companies and to their supervisory body. It also reports to the Chairman of the Management Board, the Risk Committee and the Supervisory Board of BPCE. It provides them with a report on the implementation of its major recommendations, as well as those of the ACPR and the Single Supervisory Mechanism (SSM). It sees to the expedient execution of any corrective measures to the internal control system, in accordance with Article 26 of the Ministerial Order of November 3, 2014 on internal control, and may call on the Supervisory Board Risk Committee to address any measures that have not been executed. RELATIONS WITH THE PERMANENT CONTROL DIVISIONS OF THE CENTRAL INSTITUTION In the central institution, the Head of the Group Inspection Générale division maintains regular relations and shares information with the heads of the units in the scope of inspection, and more specifically with the divisions in charge of Level 2 controls. REPORTING Group

The heads of these divisions are responsible for notifying the Head of the Group Inspection Générale division in a timely manner of any disruption or major incident that comes to their attention. The Head of Groupe BPCE’s Inspection Générale division and the Heads of Group Risk Management and Group Compliance and Security notify each other in a timely manner of any inspection or disciplinary procedure initiated by the supervisory authorities and in general of any external audits brought to their attention. ACTIVITIES IN 2019 Over the course of the complete cycle of investigations conducted over an average four-year period, and relying on a risk assessment updated regularly for each institution, the Group Inspection Générale division carried out its audit schedule largely according to plan, making a few adjustments for ongoing restructuring operations at entities initially included in the schedule or for regulatory priorities. It also performed a quarterly follow-up on the implementation of recommendations issued by the division, the ACPR and the SSM. Pursuant to Article 26 of Ministerial Order A-2014-11-03 on internal control, the Group Inspection Générale division is able to use the whistleblowing system to alert the Risk Committee of delays in the implementation of recommendations. The Group Inspection Générale division carries out its duties within the framework of business line operations. Its methods of operation – for the purposes of consolidated supervision and optimal use of resources – are set out in a charter approved by BPCE on December 7, 2009, which was last updated in July 2018. The aim of this structure is to cover all of the Group’s operational or functional units over a reasonable number of fiscal years, according to the associated risk, and to achieve efficiency between the various complementary audits conducted by the Internal Audits teams of Group entities. The Internal Audit divisions of the direct affiliates and subsidiaries are functionally subordinate to the Group Inspection Générale division and report to the executive branch of their entity. These ties are strictly replicated at the level of each company in the Group, which is itself a parent company. This strong functional subordination is also based on operating rules and the Group Internal Audit Standards applicable by the entire function. It is reflected as follows: in the groupwide Audit Charter, which defines the end • purpose, powers, responsibilities and general structure of the internal audit function in the overall internal control system, and applies to all Group companies supervised on a consolidated basis. This charter is implemented via thematic standards (audit resources, audit of the sales network, audit assignments, follow-up of recommendations, etc.); the appointment and dismissal of the Heads of Internal Audit of • affiliates or direct subsidiaries are subject to the prior approval of the Head of the BPCE Group Inspection Générale division; the annual evaluations of Heads of Internal Audit are • transmitted to the Head of the BPCE Group Inspection Générale division; AUDIT FUNCTION STRUCTURE OF THE AUDIT FUNCTION

3

37

RISK REPORT PILLAR III 2019 | GROUPE BPCE