NATIXIS // 2021 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

two types of missions, operational on the one hand, to carry out V first-level controls and their review and to carry out additional second-level controls (this work being carried out either within the framework of the orders, or in the form of interim missions), and organizationalon the other hand, within the framework of the management and supervision of the control unit; formalized documentationas part of the “Accountingand financial V information quality control framework” drawn up by Groupe BPCE. This includes procedures that describe in detail the organization of the system; control maps showing the nature, frequency of performance and V responsibilities by level of control across all scopes (accounting and regulatory); centralized management within the Finance, Risk or Compliance V departments, implemented by a dedicated Finance Audit function, which reviews the first-level controls and, moreover, the Performance of additional second-level controls; a risk-based approach, enabling the permanent financial control V teams to guide and pace their work with regard to the quality of internal control processes. It should be noted that in 2021, a tool to formalize the performance of first- and second-level controls and their feedback was rolled out centrally as well as in subsidiaries and branches. On this occasion, the control systems and mappings were updated and the control methodologies were streamlined and standardized. In addition to the operational control missions assigned to it, the Permanent Financial Control Department carries out the following tasks as part of the management and supervisionof the control unit within the consolidated Natixis group: definition of the control policy applicable to Natixis and its V subsidiaries: organizational and operational principles of permanent internal control for accounting, fiscal and regulatory matters, in accordance with the policy established by Groupe BPCE; management of the control system within the subsidiaries, V working with the Permanent Financial Control officers appointed by each of the local Financial, Compliance or Risk Departments. This takes place through quarterly Financial Control Committee Meetings, themed workshops, and bilateral cooperation with international entities and platforms; monitoringand implementingan accountingand regulatorycontrol V environment within each entity by collecting and operating a set of periodic reporting dashboards. The results of these dashboards are then sent to each entity, including a process for alerting the finance, complianceor risk officers and, if necessary, the central or local Control Functions Coordination Committees; continuation of actions undertaken to strengthen second-level V controls. Scope of accounting and financial information For accounting, permanent and periodic controls apply to the completion and/or monitoring of: for justifying accounts, accuracy and veracity checks, such as the V procedures for management/financial account reconciliation (on-balance-sheet outstandings and off-balance-sheet commitments), reconciliation of cash accounts and checking and clearing of suspense items; consistency checks through analytical reviews; V

checks to make sure income and expenses are allocated to the V correct period; compliance and presentation controls relating to compliance with V accounting rules; correct processingof specific transactions in line with the relevant V principles; controls of financial information by ensuring the traceability and V completeness of the data; adjustment of anomalies identified at the time of these controls as V well as the corresponding analyses and documentation. These controls are conducted using several accounting systems, whose number is being reduced, however, due to the integration of a significant part of Natixis’ consolidated scope into the target financial information ecosystem. Natixis and its subsidiaries continue to develop their accounting and financial control procedures and to equip themselves with appropriate audit trail tools. The Finance division has a role of supervising, supporting and monitoring the controls carried out within the subsidiaries. Scope of regulatory and prudential information The regulatory area, like the accountingscope, has a permanent and periodic control system based on the same types of controls. In addition to, and in order to take into account the specificities inherent in theregulatory field, the control system is also based on: controls on quality, traceability and data processing (in line with V the BCBS 239 program) necessary for the production of these declarations; consistency checks between published reports, where possible V and relevant; compliance and presentation controls in respect of the regulatory V requirements specific to each reporting process. With regard to Pillar III, it is governedby provisionsstrictly defined by Groupe BPCE (in particular the framework for the preparation and publication of reports and management indicators) aimed at strengthening the production, control and publication environment of the report and the quality of its underlying indicators. The objective of Pillar III is to establish market discipline through a set of reporting and transparency obligations, both qualitative and quantitative, concerning the institution’s risk exposure, risk assessment procedures and capital adequacy. In addition, in accordance with the CRR II amendment brought by Regulation (EU) 2019/876 on Article 431, the management body or Senior Management must adopt formal policies to comply with the disclosure requirements. Thus, a specific internal control systemhas been deployed to provide additional assurance to Senior Management on the information (published in Pillar III). In addition to the documentation and the self-checking or control procedures for elements contributing to Pillar III, an independent control system for the publication of Pillar III has been defined, including roles and responsibilities. The second-level control system consists of ensuring that the information required for the Pillar III report has been prepared in accordance with the policies, procedures, systems and controls in force.

3

115

www.natixis.com

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021