NATIXIS // 2021 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

3.2 Risk management

3.2.1 Organization of Natixis’ internal control system

Natixis’ internal control system encompasses all the steps taken by the institution to measure, monitor and manage the risks that are inherent to its various activities in accordance with legal and regulatory requirements. The system complies with the provisions set forth in the French Ministerial Order of November 3, 2014 on internal control by companies in the banking, payment services and investment services sector. It is structured in accordance with the principles set out by BPCE, with the objective of ensuring a consolidated approach to risk within the framework of the control exercised by the shareholding group.

The objective is to ensure the effectiveness and quality of the Company’s internal operations, the reliability of accounting and financial information distributed both internally and externally, the security of operations, and compliance with laws, regulations and internal policies.

3.2.1.1 Overview of the internal control system (Data certified by the Statutory Auditors in accordance with IFRS 7)

Natixis’ internal control system comprises:

- first-level permanent controls performed by operational staff on the processing in their charge, following internal procedures and legal and regulatory requirements;
- second-level permanent controls performed by four departments that are independent of operational staff:
  - the Compliance Department, which reports to the General Secretary, is notably responsible for managing compliance risk, performing second-level controls, and organizing the first-level permanent control system,
  - the Global Technology Risks Management (G-TRM) Department, reporting to the Compliance Department, is responsible for managing IT risks. These may relate to information system security, business continuity, IT governance and strategy, IT production activities or processes related to changes in the information system,
  - the Risk division, which is headed by the Chief Risk Officer, reports directly to Senior Management and is responsible for measuring, monitoring and managing the risks inherent to the business activities, in particular credit and counterparty risk, market, structural balance sheet risks, operational risk and model risk,
  - the Permanent Financial Control team within the Finance division, which reports functionally to the Compliance Department, verifies the quality and accuracy of accounting and regulatory information;
- periodic control, assumed jointly by the two general inspectorates of Natixis and BPCE. It ensures, through surveys, the periodic control of the compliance of operations, the level of risk actually incurred, compliance with procedures, and the effectiveness and appropriateness of the entire internal control system.

The General Inspection of Natixis is under the responsibility of the Chief Executive Officer and under the supervision of the Chairman of the Risk Committee of the Board of Directors. The General Secretary, an executive officer, is responsible for permanent controls and ensures their consistency and effectiveness.

Natixis organizes its control functions on a global basis in order to ensure that the internal control mechanism is consistent throughout the Company. Second-level permanent control and internal audit functions within subsidiaries or business lines report to Natixis’ corresponding Central Control Departments, either on a functional basis in the case of subsidiaries or on a hierarchical basis in the case of business lines.

The purpose of this structure is to ensure adherence to the following principles:

- a strict segregation of duties between units responsible for performing transactions and those that approve them, in particular accounting teams;
- strict independence between the operational and functional units responsible for undertaking and validating transactions, and the units that control them.

The Control Functions Coordination Committee coordinates the system as a whole. The executive officers, under the supervision of the Board of Directors, are responsible for implementing Natixis’ internal control system in its entirety. The Board of Directors is kept regularly informed of all significant risks, risk management policies and changes made thereto.
