NATIXIS // 2021 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

Internal control procedures relating to accounting 3.2.2 and financial information General system 3.2.2.1

Concerning the publication of Pillar III, it is based in particular on involve several departments. Pillar III is based on the publication of regulatory information produced through various declarations (COREP and FINREP, in particular). Lastly, Natixis, and Groupe BPCE more broadly, publish the financial information (consolidated financial statements, regulatory statements and Pillar III) on a schedule that complies with the practices of all banking players. Permanent control system 3.2.2.2 for accounting, financial and regulatory information As part of its missions and in accordance with the order of November 3, 2014 on the internal control of companies in the banking sector and European supervision by the Single Supervisory Mechanism, the internal control system contributes to risk management. The management of all types of risks is governed by an umbrella charter in accordance with the BPCE framework. This permanent control system aims to ensure, for the financial information published, its quality with regard to the requirements defined by the order of November 3, 2014 on internal control or the obligations relating to reporting (in particular those arising from the application of CRR 2). The fact that most subsidiaries have their own management and control functions means that internal control procedures are decentralized and are tailored to the organization of each of the consolidated entities, relying on a multi-tier accounting control process: a first level, where permanent controls localized in the operational V business lines are integrated into the processing process and formalized in detailedwork programs. This principle is also applied to the Pillar III production and control processes; a second line of defense overseen by each entity’s Finance, V Compliance or Risk Departments where permanent second-level controls, independent of processing processes, are performed to ensure the reliability of accounting and regulatory reporting processes and verify the existence and quality of the first-level controls. For Pillar III, this work is carried out by the second-level permanent control of the Finance and Risk divisions; lastly, a final level of this system entrusted to the General V Inspection Department in its periodic control role. The accounting and financial reporting control system is primarily based on the following fundamental principles: separation of the accounting production and control functionsa;nd V homogenization of control processes within the various business V lines and entities of the Group: method, tool, feedback and timing of the process. It also draws on: the application of the principles defined by BPCE, which specifies V in particular the scopes subject to a two-level control process and which provides for the implementationof a managementapproach for the control teams. In addition, it is requested that the evaluation process of the productionand control systembe broken down into five assertions in accordance with the BCBS 239 principles which are: Documentation, Organization, Auditability, Control, Accuracy and Clarity (only for internal management reporting);

Consolidated financial statements and statutory declarations (including capital adequacy ratios, liquidity ratios, or those covered by the Resolution) and Natixis Pillar III are prepared by the Finance division using the tools and guidelines developed and administered by Natixis S.A. Natixis prepares its declarations separately, although the sub-group, of which it is the head, has been included, since July 1, 2009, in Groupe BPCE’s consolidated financial statements. In this respect, the processes for preparing the consolidatedfinancial statements and reporting as well as Pillar III, while being operationally independent, are closely linked to those of BPCE. The reliability of these processes is based on the following core principles: the definition, in coordinationwith BPCE, and disseminationof the V accounting and regulatory principles applicable to Natixis subsidiaries and branches, including the analysis and interpretation of new standards published during the period; documentation and management of the various stages of V preparation of these declarations; audit trails justifying all published accounting and management V data, based on the individual contributions made by each entity and restatements made centrally; documented and formalized first- and second-level control V systems, thus contributing to the management of risks related to accounting and financial information (balance sheet, net income, regulatory and financial information, Pillar III information); procedures for archiving and securing data; V support and appropriate training for the accounting and regulatory V reporting teams of those consolidated entities that use the consolidation and data collection tools so that best practices are shared across the Company. The preparation of the consolidated financial statements also relies on: the use of a direct consolidation method, rolled out throughout V Natixis, allowing for the analysis and control of the consolidation packages of each consolidated company via a formal review process; preparation of consolidated financial statements on a quarterly V basis. This allows for greater control over financial reportingwithin tight time frames; a process of automated accuracy and consistency checks of V individual information from consolidated entities whose non-compliance blocks the transmission of data. For the preparation of its financial information, Natixis has a powerful and secure tool for collecting accounting and regulatory information on all its banking and insurance entities. Natixis is also continuing its project to streamline and pool data, which is gradually being implemented through the introduction of certified accounting quality data for all summary functions (accounting and regulatory, financial oversight, financial management and risks) and which makes it possible to produce the declarations required by the regulator (MREL, Anatitres, Anacrédit) on a granular grid.

114

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021