NATIXIS - 2018 Registration document and annual financial report

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III

3.2 Risk management

3.2.1 ORGANIZATION OF NATIXIS’ INTERNAL CONTROL SYSTEM

Natixis' internal control system covers all the steps taken by the institution to measure, monitor and manage the risks that are inherent to its various activities in accordance with legal and regulatory requirements. The system complies with the provisions set forth in the French Order of November 3, 2014, on internal control by companies in the banking, payment services and investment services sector. It is structured in a manner consistent with the principles set out by BPCE, with the objective of ensuring a consolidated approach to risk within the framework of the control exercised by the shareholding group. The objective is to ensure the effectiveness and quality of the Company's internal operations, the reliability of accounting and financial information distributed both internally and externally, the security of operations, and compliance with laws, regulations and internal policies.

3.2.1.1 Overview of the internal control system

(Data certified by the Statutory Auditors in accordance with IFRS 7)

Natixis’ internal control system comprises:

- first-level permanent controls, performed by operational staff on the processing in their charge, following internal procedures and legal and regulatory requirements;
- second-level permanent controls, performed by four departments that are independent of operational staff:
  - the Compliance Department, which reports to the Corporate Secretary, is notably responsible for managing compliance risk, organizing the first-level permanent control system, and performing second-level controls,
  - the IT Systems Security and Business Continuity (ITSS-BC) function, which reports to the Compliance Department, assesses the risks, establishes the information systems security and business continuity policies and ensures their correct application,
  - the Risk division, which is headed by the Chief Risk Officer, reports directly to the Chief Executive Officer, and is responsible for measuring, monitoring and managing the risks inherent to the business activities, in particular credit and counterparty risk, market and liquidity risk, operational risk and model risk,
  - the Finance Review team within the Accounting and Ratios division, which reports functionally to the Compliance Department, verifies the quality and accuracy of accounting and regulatory information;
- periodic controls, performed by the Internal Audit Department. The Internal Audit Department reports to the Chief Executive Officer and performs periodic audits to assess the risks to which the businesses are exposed and ensure the effectiveness of the entire internal control system.

The Corporate Secretary is responsible for permanent controls and ensures their consistency and effectiveness.

Natixis organizes its control functions on a global basis in order to ensure consistency of the internal control mechanism throughout the Company. Second-level permanent and periodic control functions within subsidiaries or businesses report to Natixis’ corresponding central control departments, either on a functional basis in the case of subsidiaries or on a hierarchical basis in the case of business lines.

The purpose of this organization is to ensure adherence to the following principles:

- a strict segregation of duties between units responsible for performing transactions and those that approve them, in particular accounting teams;
- strict independence between the operational and functional units responsible for undertaking and validating transactions, and the units that control them.

Coordinating the system as a whole is the Control Functions Coordination Committee.

The executive managers, under the supervision of the Board of Directors, are responsible for implementing Natixis’ internal control system in its entirety.

The Board of Directors is regularly kept informed, by the executive managers, of all significant risks, risk management policies and changes made thereto.
