NATIXIS - 2020 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

The General Inspection Department reports on all its activities and projects to the Risk Committee, which then presents a summary report to the Board of Directors. It conducts audits across Natixis’ full scope (parent company, subsidiaries and branches) and covers all classes of risk arising from the various business activities carried out. It has full and unrestricted access to all information, confidential or otherwise. Its field of investigation encompasses all of Natixis’ operational activities, its support functions – including entities in charge of permanent control assignments – and its outsourced activities. For all the business lines, these audits lead to an assessment of the suitability of existing control points in the processes audited as well as an appraisal of the risks arising from the relevant activities. It makes use of recurrent work in the area carried out by operational departments and permanent control teams. The audits lead to recommendations ranked in order of priority to strengthen the mechanisms for controlling and managing audited risks and to make them more comprehensive. The reports are sent to BPCE’s Chairman of the Management Board and General Inspection Department and to Natixis’ Chairman of the Risk Committee and senior management, as well as to the audited units. The General Inspection Department monitors the implementation of recommendations and presents its findings to Natixis’ Senior Management Committee, the Risk Committee and the Board of Directors via the Chairman of the Risk Committee. To this end, it performs due diligence and carries out follow-up audits. The work of Natixis’ General Inspection Department is based on an annual Audit Plan drafted and executed jointly with BPCE’s General Inspection Department, after consulting the various members of the Senior Management Committee. The Chairmen and Chairwomen of the Audit and Risk Committees are also consulted.
This annual program is part of a four-year plan that sets out the intervention frequency and adapts resources to the risks and to the relevant regulatory requirements. The audit plan may be revised during the year, at the request of general management or if circumstances require (current events, deterioration of the environment or the emergence of new risks, for example). In addition to conventional audit assignments, the General Inspection Department is also able to carry out ad hoc audits in order to address issues arising during the year and not initially included in the Audit Plan. Natixis’ annual and multi-year audit plans are approved by its Chief Executive Officer. The Annual Audit Plan is examined by the Risk Committees of Natixis and BPCE and approved by the Natixis Board of Directors. In 2020, the General Inspection Department carried out missions on all the risk classes generated by Natixis’ activities, while strengthening the resources devoted to managing risks related to market activities and the use of models, as well as the control of credit risks caused by the deterioration of the situation linked to the health crisis. In addition, a number of projects and specialized sites have mobilized all the staff of the general inspectorate throughout the department, in order to strengthen the quality control of auditing and the implementation of recommendations, as well as to promote the use of data analysis techniques. The working methods and program of missions have been adapted to meet the constraints of the lockdown imposed by the health crisis.

3.2.1.4 Second-level permanent control

Second-level permanent controls are performed by four departments that are independent of operational and support function staff. The Compliance Department is responsible for carrying out permanent controls in relation to non-compliance risks, in particular around the following areas: customer protection, professional conduct and ethics, market abuse and financial security. In addition to the risks of non-compliance, the division carries out permanent second-level controls on certain operational risks. In addition, the Compliance Department monitors the implementation by operational business lines and support functions of the recommended corrective measures (for more details on non-compliance risks, see section 3.2.8). The main actions of the Information Systems Security and Business Continuity Systems Department (SSI-BC) relate to the definition and monitoring of the regulatory framework in terms of technological risks. As such, this department defines policies and rules, carries out second-level control and oversees the assessment and management of associated risks. The second-level control plan is made up of a section that applies to Groupe BPCE as a whole supplemented by a section that is more specific to Natixis. It is the result of a risk-based approach. These controls are carried out on the basis of first-level controls reported by the contributors (Information Systems Department, logical security correspondent for authorizations, local manager of the business continuity plan) (for more details on technological risks, see section 3.2.8). The risk division performs controls on credit and counterparty risk, market and liquidity risk, overall interest rate risk, operational risk and model risk. Specific risks related to the Insurance and Asset Management activities are included in these controls, and its scope of action extends to all the entities within Natixis’ consolidation scope (see section 3.2 for more detailed information).
The permanent financial control team in the Accounting and Ratios Department reports functionally to the Compliance Department. This team helps to ensure the reliability of accounting and financial information, through the implementation of control systems covering accounting, tax returns and essential reports produced by the Finance Department, which cover all the reports required by the regulator (see Chapter 5 section 5.5 – Internal control procedures relating to accounting and financial information).

3.2.1.5 Periodic controls

Third-level controls, or periodic controls, as defined by the French Ministerial Order of November 3, 2014, are performed by the General Inspection Department. In this respect, the General Inspection Department is independent of all operational entities and support functions. With no operational role, it can never find itself in a position of conflict of interest. It reports to Natixis’ Chief Executive Officer. Natixis’ Inspector General is a permanent guest on Natixis’ Audit and Risk Committees. He or she has the opportunity to meet with the Chairman of the Risk Committee one-on-one. The General Inspection Department has a strong functional link with its BPCE counterpart, in accordance with the Natixis Audit Charter. In accordance with these principles, the General Inspection Department coordinates a global audit function at Natixis and is part of the Groupe BPCE Internal Audit Function.
