NATIXIS - 2020 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

3.2 Risk management

3.2.1 Organization of Natixis’ internal control system

Natixis’ internal control system encompasses all the steps taken by the institution to measure, monitor and manage the risks that are inherent to its various activities in accordance with legal and regulatory requirements. The system complies with the provisions set forth in the French Ministerial Order of November 3, 2014 on internal control by companies in the banking, payment services and investment services sector. It is structured in accordance with the principles set out by BPCE, with the objective of ensuring a consolidated approach to risk within the framework of the control exercised by the shareholding group.

The objective is to ensure the effectiveness and quality of the Company’s internal operations, the reliability of accounting and financial information distributed both internally and externally, the security of operations, and compliance with laws, regulations and internal policies.

3.2.1.1 Overview of the internal control system

(Data certified by the Statutory Auditors in accordance with IFRS 7)

Natixis’ internal control system comprises:

- first-level permanent controls performed by operational staff on the processing in their charge, following internal procedures and legal and regulatory requirements;
- second-level permanent controls performed by four departments that are independent of operational staff:
  - the Compliance Department, which reports to the Corporate Secretary, is notably responsible for managing compliance risk, performing second-level controls, and organizing the first-level permanent control system,
  - the Information Systems Security and Business Continuity Department (ISS-BC), reporting hierarchically to the Compliance Department, ensures the control of technological risks. These may relate to information system security, business continuity, IT governance and strategy, IT production activities or processes related to changes in the information system,
  - the risk division, which is headed by the chief risk officer, reports directly to senior management and is responsible for measuring, monitoring and managing the risks inherent to the business activities, in particular credit and counterparty risk, market and liquidity risk, operational risk and model risk,
  - the Permanent Financial Control team within the Accounting and Ratios division, which reports functionally to the Compliance Department, verifies the quality and accuracy of accounting and regulatory information;
- periodic control, exercised by the general inspectorate. The General Inspection Department reports to the Chief Executive Officer and performs periodic audits to assess the risks to which the businesses are exposed and ensure the effectiveness of the entire internal control system.

The Corporate Secretary is responsible for permanent controls and ensures their consistency and effectiveness.

Natixis organizes its control functions on a global basis in order to ensure that the internal control mechanism is consistent throughout the Company. Second-level permanent and periodic control functions within subsidiaries or business lines report to Natixis’ corresponding Central Control Departments, either on a functional basis in the case of subsidiaries or on a hierarchical basis in the case of business lines.

The purpose of this structure is to ensure adherence to the following principles:

- a strict segregation of duties between units responsible for performing transactions and those that approve them, in particular accounting teams;
- strict independence between the operational and functional units responsible for undertaking and validating transactions, and the units that control them.

The Control Functions Coordination Committee coordinates the system as a whole.

The executive managers, under the supervision of the Board of Directors, are responsible for implementing Natixis’ internal control system in its entirety.

The Board of Directors is kept regularly informed of all significant risks, risk management policies and changes made thereto.
