GROUPAMA / 2020 UNIVERSAL REGISTRATION DOCUMENT

8 ADDITIONAL INFORMATION Regulatory environment

8.3.4

ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM

The obligations incumbent on distributors, including insurance companies, relate to the following aspects: the duty to advise and pre-contractual information to be ❯ communicated to the customer; product governance and monitoring; ❯ the compensation of distribution networks, as the network ❯ compensation policy must not run counter to their obligation to act in the best interests of customers and to make a recommendationappropriate for the needs and expectationsof customers; training of insurance distributors; ❯ conflict of interest prevention, for insurance investmentproducts ❯ only, which consists in taking all reasonablemeasures to detect and prevent conflict of interest situationsfrom adverselyaffecting the interests of customers. The General Data ProtectionRegulation(GDPR) was transposedin France by law 2018-493 on personal data protection, which entered into force on 25 May 2018, and by various implementing measures. It provides a regulatory framework for the protection of the personal data of individuals established in the territory of the European Union. It therefore applies to any organisation, whether established in EU territory or not, that accesses, uses, or transfers personal data of EU nationals. This applies to all insurance and service companies of the Group directldyealing with EU nationals. This EU regulation builds on the historical national regulatory frameworksof the various EU countries,where they existed before 2018. The GDPR has several objectives: Provide a standard legal framework applicable throughout the European Union, facilitate data transfers between Member States, strengthen the fundamental rights of individualsto control their personal data, with greater transparency as to how such data are used, make companies accountable through probation measures to ensure their compliance at all times, give credibility to the regulation by allowing the supervisory authorities to impose sanctions of up to 4% of a Group’s global revenue. The GDPR also provides for some adaptabilityof its articles, at the hands of the national protection authorities, to allow the specific features of national legal frameworksof the membercountriesto be integrated. Furthermore,although the GDPR aims to facilitate data exchange between Member States, it provides a very strict framework for transfers of personal data outside the EU Member States. This aspect was further strengthened following the July 2020 ECJ “Schrems2” ruling invalidating the existing EU-US Privacy Shield. As such, any transfer of data to a non-EU country that has not been the subject of a decision by the European Commission as to whether that country has an adequate level of data protection, requires organisations to conduct very precise assessments of the characteristics of the non-EU country with regard to the presented risks for the fundamental rights of the persons for whom their data are transferred. This reinforcementof control will have an impact on the choice of the location of data processors and partners with which Group companies can exchange data. REGULATORY FRAMEWORK 8.3.3 FOR PERSONAL DATA PROTECTION

The EU financial system is subject to specificobligationsto combat money laundering and terrorist financing (AML/CFT). At the EU level, these obligationshave resulted from five successivedirectives since 1991. The Directive of 30 May 2018 amending the Directive of 20 May2015 on the preventionof the use of the financial system for the purpose of money laundering or terrorist financing, known as the “Fifth Directive”,was transposedby the order of 12 February 2020. It strengthensand complementsthe existing systemand the obligations imposed on regulated professionals. Provisions are also applicablewith regard to the freezing of assets and the prohibition of the provision of funds or economriecsources. The AML/CFT systems of international subsidiaries may vary according to national legislation and, for those established in the European Union, accordingto the transpositionof the directiveson the subject. In groups,French regulationsrequireparent companies to define at the Group level an internal organisationand procedures taking into account the assessment of money laundering and terrorist financing (ML/FT) risks and to ensure that this organisation and these procedures are deployed by their international subsidiaries, taking into account their specific characteristics and the ML/FT risks to which they are exposed. The Group’s regulatedcompanies, including insurancecompanies, are subject to obligations to assess their ML/FT risks, conduct customer due diligence measures, and report suspicious transactions. They must be equipped with appropriate tools and control mechanisms as well as sufficient physical and human resources to enable these obligations to be effectively implemented. The systemof supervisionand sanctionsfor regulatedprofessionals has been strengthened. In France, the ACPR is responsible for monitoringcompliancewith these obligationsfor the financial sector and has the power to impose sanctions. In addition to the national accounting standards to which each of the Group’s entities is subject, the Group has applied since 2005 the provisions of the International Financial Reporting Standards (IFRS) and the interpretationsapplicable to the closing of accounts as adopted by the European Union. The main methods of their application by Groupama Assurances Mutuelles are described in the notes the consolidatedand combined financial statements (for the consolidatedfinancial statements, see paragraph 7.1.6-point2 of this universal registration document). The consolidated financial statements of Groupama Assurances Mutuelles cover the scope of GroupamaAssurancesMutuellesand its subsidiaries and incorporate the reinsurance ceded by the regional mutuals. The combined financial statements relate to the Groupama group and include all local mutuals, regional mutuals, Groupama Assurances Mutuelles and its subsidiaries. Subsidiaries, joint ventures, and related companies of the consolidation scope are consolidated within the scope in accordance with the provisions of IFRS 10, IFRS 11, and IAS 28. ACCOUNTING STANDARDS 8.3.5

331 Universal Registration Document 2020 - GROUPAMA ASSURANCES MUTUELLES