NATIXIS // 2021 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

It conducts audits across Natixis’ full scope (Natixis S.A., subsidiaries and branches) and covers all classes of risk arising from the various business activities carried out. It has full and unrestricted access to all information, confidential or otherwise. Its field of investigation encompasses all of Natixis’ operational activities, its support functions – including entities in charge of permanent control assignments – and its outsourced activities. For all the business lines, these audits lead to an assessment of the suitability of existing control points in the processes audited as well as an appraisal of the risks arising from the relevant activities. It is based on the work carried out in this area on a recurring basis by operational departments and second-level permanent control functions.

The audits lead to recommendations ranked in order of priority to strengthen the mechanisms for controlling and managing audited risks and to make them more comprehensive. The reports are sent to BPCE’s Chairman of the Management Board and General Inspection Department and to Natixis’ Chairman of the Risk Committee and Senior Management, as well as to the audited units. The General Inspection Department regularly monitors the implementation of recommendations and presents its findings to Natixis’ Senior Management Committee, the Risk Committee and the Board of Directors via the Chairman of the Risk Committee. To this end, it performs due diligence and carries out follow-up audits.

The work of Natixis’ General Inspection Department is based on an annual Audit Plan drafted and executed jointly with BPCE’s General Inspection Department, after consulting the various members of the Senior Management Committee. The Chairmen and Chairwomen of the Audit and Risk Committees are also consulted. This annual program is part of a multi-year plan, which was increased from four to five years following the publication of the amended decree of November 3, defining intervention intervals and a calibration of resources adapted to the risks as well as to regulatory recurrence requirements. The audit plan may be revised during the year, at the request of Senior Management or if circumstances require (current events, deterioration of the environment or the emergence of new risks, for example). In addition to conventional audit assignments, the General Inspection Department is also able to carry out ad hoc audits in order to address issues arising during the year and not initially included in the Audit Plan. Natixis’ annual and multi-year audit plans are approved by its Chief Executive Officer. The Annual Audit Plan is examined by the Risk Committees of Natixis and BPCE and approved by the Natixis Board of Directors.

In 2021, the General Inspection Department carried out missions on all the risk classes generated by Natixis’ activities, while continuing to strengthen the resources devoted to managing the risks related to market activities and the use of financial models, as well as by maintaining constant vigilance on the control of credit risks potentially generated by the health crisis. In addition, several projects and specialized sites have mobilized all the staff of General Inspection Department, and this throughout its sector. The quality control of audit work and the implementation of recommendations has been strengthened and the use of data analysis techniques has been extended to identify risks (with a new risk assessment tool) and in the conduct of inspection missions. Lastly, Natixis’ General Inspection Department collaborated with its BPCE counterpart on a number of projects and assignments. The two departments held eight meetings in 2021.
The meetings provided a forum for addressing matters related to audit plans and practices, as well as matters related to risk assessment and assignment evaluation (Joint General Inspection Coordination Committee).

3.2.1.4 Second-level permanent control

Second-level permanent controls are performed by four departments that are independent of operational and support function staff.

The Compliance Department is responsible for carrying out permanent controls in relation to non-compliance risk, in particular around the following areas: customer protection, professional conduct and ethics, market abuse and financial security. In addition to the risks of non-compliance, the division carries out permanent second-level controls on certain operational risks. In addition, the Compliance Department monitors the implementation by operational business lines and support functions of the recommended corrective measures (for more details on non-compliance risk, see section 3.2.9).

The main actions of the Global Technology Risks Management (G-TRM) Department concern the definition and control of the regulatory framework for IT risks. As such, this department defines policies and rules, carries out second-level control and oversees the assessment and management of associated risks. The second-level control plan is made up of a section that applies to Groupe BPCE as a whole supplemented by a section that is more specific to Natixis. It is the result of a risk-based approach. These controls are carried out on the basis of first-level controls reported by the contributors (Data & Technology Department, logical security correspondent for authorizations, local manager of the business continuity plan) (for more details on technological risks, see section 3.2.8).

The Risk division performs controls on credit and counterparty risk, market structural balance sheet risks, operational risk and model risk. Specific risks related to the Insurance and Asset Management activities are included in these controls, and its scope of action extends to all the entities within Natixis’ consolidation scope (see section 3.2 for more detailed information).
The Permanent Financial Control team of the Finance division reports functionally to the Compliance Department. This team helps to ensure the reliability of accounting and financial information, through the implementation of control systems covering accounting, tax returns and essential reports produced by the Finance division, which cover all the reports required by the regulator (see 3.2.2 “Internal control procedures relating to accounting and financial information”).

3.2.1.5 Periodic control

The third level of control - internal audit function - within the meaning of the revised decree of November 3, 2014 is assumed by General Inspection Department. In this respect, the General Inspection Department is independent of all operational entities and support functions. With no operational role, it can never find itself in a position of conflict of interest. It reports to the Chief Executive Officer of Natixis and to the Chairman of the Board of Directors’ Risk Committee. The Natixis Inspector General, responsible for the internal audit function, is a permanent guest on Natixis’ Audit and Risk Committees. He or she has the opportunity to meet with the Chairman of the Risk Committee one-on-one.

The General Inspection Department has a strong functional link with its BPCE counterpart, in accordance with the Natixis Audit Charter. In accordance with these principles, the General Inspection Department coordinates a global audit function at Natixis and is part of the Groupe BPCE Internal Audit Function. The General Inspection Department reports on all its activities and projects to the Risk Committee, which then presents a summary report to the Board of Directors.
