BPCE_PILLAR_III_2017

1 GENERAL STRUCTURE OF GROUPE BPCE’S INTERNAL CONTROL SYSTEM Permanent and periodic control departments

Permanent and periodic control 1.2 departments

Integratedpermanentand periodiccontroldepartmentshave been set up throughout Groupe BPCE. Two Permanent and Periodic Control divisions are established within the central institution, under its authority:the Group Risk, Complianceand PermanentControldivision for permanentcontrolsand the Group InspectionGénérale divisionfor periodic controls. The permanent and periodic control functions, which are located at affiliates and subsidiaries subject to banking supervision, have a strong functional link, as consolidated control departments,to BPCE’s correspondingCentral Control divisions and a hierarchical link to their entity’s executive body. This link includes approval of the appointment and dismissal of managers responsible for permanentor periodic control at affiliates and direct subsidiaries; reporting,disclosureand alert obligations;standardsimplementedby the central institutionand laid down in a body of standards;and the definitionor approvalof control plans. These links have been formally defined incharterscovering each department.

The entire system was approved by the Management Board on December 7, 2009 and presented to the Audit Committee on December 16, 2009. It was also presentedto the SupervisoryBoard of BPCE. The Risk Charter was reviewed at the beginning of 2017 and the body of standards now consists of three Group charters covering all activities: the Group’s Internal Control Charter: an umbrella charter based on ● the followingtwo separate charters: the Internal Audit Charter, - and the Risk, Compliance and Permanent Control Charter. - As mentionedabove, the system also includes the IT System Security departmentand, to a certain extent, the Human Resourcesand Legal Affairs departments.

7

Risk Report Pillar III 2017