NATIXIS // 2021 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

Its review is carried out jointly by Natixis’ Risk division and Permanent Financial Control, based on the Group’s standard assessment grid. Pillar III is fully in line with the BCBS 239 methodology deployed by the Group, given that the information reported mainly comes from regulatory data (FINREP, COREP, ICAAP, etc.), supplementedby qualitative information.The use of the standard grid makes it possible to harmonize the scoring methods according to pre-defined criteria (documentation, organization, auditability, accuracy, existing control system and clarity). A special analysis is carried out on the accuracy of Pillar III publications to ensure that they are aligned with the requirementsof the European Directive (implementing Regulation (EU) 2021/637) which sets the content of the financial information to be published, the format and frequency of publication. For the prudential indicators underlying Pillar III, their assessment is fully integrated into Natixis’ existing permanent control system through quarterly closing checks and ad hoc missions. Changes to the system 3.2.2.3 In 2021, the system for controlling accounting, financial and regulatory information was strengthened and adapted: by a change in the reporting of permanent financial control to the V Chief Financial Officer; the definitionand implementationof a new organizationin line with V the strategic plans of Natixis and BPCE and that accompanies the development of the activities in Porto; the implementationof changes in standards CRR II, FINREP 2021 V and RUBA (Unified banking and similar reporting– from the decree of January 31, 2022). Pillar III is also concernedwith the obligation to publish a certificate concerning the quality of the data; to changes to the decree of November 3, 2014 which concern the V extension of the permanent control coverage, the evaluation of transactions in the management systems, the accounting frameworks, the frequency of the review of market risk transactions and the management of IT risk; the implementation of new reporting (COVID, SBSD – “Security V Based Swap Dealers” given the status of a swap dealer in New York); continued deployment of the tool for reporting the results of first- V and second-level permanent controls in Natixis subsidiaries and branches; by implementing the Group system dedicated to BCBS 239 V (creation of CDO functions (Chief Data Officer) and teams dedicated to data quality); as part of the “ Deep dive ” requested by the regulator, the LOD1 V (Line of defense level 1- first level of permanent control) within the internal control system dedicated to this exercise is now supplemented by an LOD2 team (Line of defense level 2 – second level of permanent control within the internal control system) for the contribution of Natixis in this exercise managed by BPCE; with the pooling of the data used (inventories and certified V accounting data) for the various summary systems; the ongoing progress of the project to streamline the information V systems used for market and financing transactions in France and abroad; finally, the continuation of remedial actions in response to the V recommendations made during the control work.

In 2022, the main areas of development will be: the completion of the roll-out of the new organization, which is in V line with the strategic plans of Natixis; and control of the financial impacts of structural operations V undertaken; the launch of new declarations for which projects were initiated in V 2021, such as the RUBA reporting, the first application of which was postponed tothe decree of January 31, 2022 by the regulator; the continued implementationof the project to streamlineand pool V the data used by the various summary systems, with a view to acquiring, controlling and transforming accounting and management data in a single system; continued deployment of the tool for reporting the results of first- V and second-level permanent controls in Natixis subsidiaries and branches; the implementation of remedial actions in response to the V recommendations issued by the ECB following the “ Deep dive ” exercises conducted in 2021 and managed by BPCE. External controls 3.2.2.4 In addition to the control procedures followed by the Finance divisions responsible for preparing individual or consolidated accounts, the quality of accounting controls is verified by: the one-off assignments of BPCE and Natixis General Inspections; V the inspections carried out by the banking supervisory authorities V as well as the thematic investigations initiated by the latter (and in particular the “Deep dive” exercises in 2021); audits conducted by the Statutory Auditors. This work is carried V out by a group of firms working in a uniformmanner each quarter on most of the entities falling within Natixis’ scope of consolidation and whose opinions rely on, in particular, compliancewith policies determined by Natixis and validated beforehand and the effectiveness of local internal control procedures. and management system Risk management system 3.2.3.1 Natixis’ risk management is based on independent control functions, each addressing the risks falling within their scope of oversight. The risk management function, carried out by the Risk division, is structured as an independent and global matrix that covers all scopes under its responsibility and related geographic areas. The Risk division is organized around four main areas: six cross-functional departments (Credit Risk, Market Risk, V Operational Risk, Structural Balance Sheet Risk, Enterprise Risk Management and Model Risk & Risk Governance) covering their specific risks. Enterprise Risk Management is dedicated to developing risk models and managing the risk appetite systemand the performance of regulatory monitoring activities for the entire Risk division. Convinced of the importance of the risks and opportunities arising from climate change, Groupe BPCE and Natixis have made the energy transition and the climate one of the priorities of their strategy for several years. To support this ambition, the existing system has just been strengthened by the creation of a department dedicated to climate risks within Groupe BPCE. Functionally reporting to the Natixis Risk division, this new department, a true center of expertise, will, in addition to its missions within Groupe BPCE, be responsiblefor implementingthe climate risk system within Natixis. In this context, work will be Risk governance 3.2.3

116

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021