NATIXIS - 2018 Registration document and annual financial report

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

The Compliance Department performs permanent second-level controls mainly in the following areas: customer protection, professional ethics and compliance, market abuse and financial security. At December 31, 2018, 3,715 second-level controls were assessed. (For more information on Compliance and on ITSS-BC, refer to section 3.2.8)

In terms of IT Systems Security and Business Continuity (ITSS-BC), the department’s main role is to define and monitor security standards (see section 3.2.8). The second-level control plan has two parts, one shared with Groupe BPCE and another specific to Natixis, and is the result of a risk-based approach. The controls are carried out based on the first-level controls reported by the contributors (Information Systems Security Department or the appropriate security representatives for authorizations). ITSS-BC performs around 6,000 second-level controls every year.

The Risk division performs controls on credit and counterparty risk, market and liquidity risk, overall interest rate risk, operational risk and model risk. Specific risks related to the Insurance and Asset Management activities are included in these controls, and its scope of action extends to all the entities within Natixis’ consolidation scope. (For more detailed information, see section 3.2)

The Finance Review team within the Accounting and Ratios division reports functionally to the Compliance Department. This team plays a role in improving the accuracy of accounting and financial information through the implementation of control systems covering the accounting, tax declarations and regulatory reports produced by the Finance Department. (See Chapter 5 section 5.5—Internal control procedures relating to accounting and financial information).

3.2.1.5 Periodic controls

Third-level controls, or periodic controls, within the meaning of the French Order of November 3, 2014, are performed by the Internal Audit Department.
In this respect, the Internal Audit Department is independent of all operational entities and support functions. With no operational role, it can never find itself in a position of conflict of interest. It reports to Natixis' Chief Executive Officer. The Internal Audit Department has a strong functional link with its BPCE counterpart, in accordance with the Natixis audit charter, revised at the end of 2018. In accordance with these principles, the Internal Audit Department coordinates a global audit function at Natixis and is part of the Groupe BPCE Internal Audit Function.

The Internal Audit Department reports on all its activities and projects to the Risk Committee, which then presents a summary report to the Board of Directors. It conducts audits across the whole of Natixis (parent company, subsidiaries and branches) and covers all classes of risk arising from the various business activities carried out. It has full and unrestricted access to all information, confidential or otherwise. Its field of investigation encompasses all of Natixis’ operational activities, its functional departments—notably including entities in charge of permanent control assignments—and its outsourced activities.

For all the business lines, these audits result in an assessment of the suitability of existing control points in the processes audited as well as an appraisal of the risks arising from the relevant activities. It makes use of recurrent work in the area carried out by operational departments and permanent control teams. The audits lead to recommendations by order of priority to strengthen the comprehensiveness and robustness of the mechanisms for controlling or managing the risks audited. The reports are sent to BPCE's Chairman and General Inspection, to the Risk Committee Chairman and the Senior Management of Natixis, as well as to the audited units.

The Internal Audit Department monitors the implementation of recommendations and presents its findings to Natixis’ Senior Management Committee, the Risk Committee and the Board of Directors via the Chairman of the Risk Committee. To this end, it performs due diligence and carries out follow-up audits.

The work of Natixis’ Internal Audit Department is based on an annual Audit Plan drafted and executed jointly with Groupe BPCE’s General Inspection, and after consulting the various members of the Senior Management Committee. It is part of a four-year plan that sets out the intervention frequency and adapts resources to the risks. The Audit Plan may be revised during the year at the request of Senior Management or if required by circumstances. In addition to conventional audit assignments, the Internal Audit Department is also able to carry out ad hoc audits in order to address issues arising during the year and not initially included in the Audit Plan.

Natixis' annual and multi-year audit plans are approved by its Chief Executive Officer. The Annual Audit Plan is examined by the Risk Committees of Natixis and BPCE and approved by the Natixis Board of Directors.

In 2018, the Internal Audit Department conducted audit assignments on all risk classes to which Natixis’ activities are exposed.
It dedicates a significant share of its resources to assignments of a regulatory nature, by working with Natixis on its new obligations (New Definition of Default, ICAAP), as well as assignments conducted in Natixis’ subsidiaries pursuant to audit agreements entered into with them.

Several specialist projects involved all Internal Audit staff in 2018. These included:

- follow-up to the 2018 independent review by an external consultant of the self-assessment of the quality of audits conducted in 2017;
- improving the quality of audits by implementing most of the recommendations of the 2017 and 2018 audits and taking further action to reduce the turnaround times for audit reports;
- strengthening the organization and resources of Natixis’ Internal Audit function by building expertise in the area of data science (recruitment of an expert and selection of a specialized tool for use in all audits);
- stepping up the general oversight of the work of the nine international and subsidiary audit teams (formalizing and following up the implementation of audit plans, inspectors’ skills and training, etc.);
- strengthening the system for following up recommendations by introducing an alert on the platforms and in the subsidiaries whenever a recommendation has not been implemented in a timely manner, similar to the system used by the Group;
