NATIXIS // 2021 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

An e-learning module was made mandatory for all employees and was rolled out after adapting the performance indicators and dashboards to each entity. An analysis was then presented at Conduct Committee Meetings held for each entity. They are four-party Committees that bring together the business line, Human Resources, Compliance and the Risk division. In addition to this system, in 2021 Natixis adopted a new framework aimed at better anticipating risk management: I-CARE “Issues Considered As Reportable for Escalation”. This refers to “outcomes”, meaning any malfunction, failure or weakness identified in a process, system or control that could expose Natixis to one or morreisks. Lastly, Natixis’ compensation policy is structured in a way that encourages the long-termcommitmentof the Company’s employees while ensuring appropriate risk management. Adequacy of risk management 3.2.3.4 systems In the course of 2021, the Board’s Risk Committee reviewed the assessment of Natixis’ Risk Appetite Strategic Plan and was presented with a summary of the main changes in credit risk and market risks management policies. Thesesystemscoverall risks, as describedin the orderof November3, 2014 on internal control, amended by the order of Febru2a5ry, 2021. Risk appetite 3.2.3.5 (Data certified by the Statutory Auditors in accordance with IFRS 7) Natixis’ risk appetite is defined as the nature and the degree of risk that the bank is willing to take within the bounds of its business model and strategy. It is established in a manner consistent with the strategic plan, the budget process and the activities carried out by Natixis and falls within the general framework of Groupe BPCE’s risk appetite. The system is based on two elements: the Risk AppetiteStatement (RAS), which sets out, in qualitative 1. and quantitative terms, the risks that the Bank is prepared to take based on its business model; the Risk Appetite Framework (RAF), which describes the 2. interface between the organization’s key processes and the implementation of the governance that puts the RAS into action. Risk appetite is reviewed annually by Senior Management and approved by the Board of Directors after consultation by the Risk Committee. Risk Appetite Statement Natixis’ risk appetite principles result from the selection and control of the types of risks that the Bank is prepared to take in pursuit of its business model. They ensure consistency between Natixis’ overarching strategic guidelines and its capacity to manage risks. The businessmodel developed by Natixis is based on its recognized areas of expertise (corporate financing, capital market activities, Asset & Wealth Management, Insurance and Payments), in response to the needs of its clients and those of Groupe BPCE. The Bank seeks sustainable and consistent profitability in balance with its consumption of scarce resources (capital, liquidity, balance sheet). It declines any engagement with activities that it does not master. Activities with high risk/profitability ratios are subject to strict selection and oversight. Market risk management in particular has

a highly selective investment approach, coupled with limited tolerance for extreme risk, and very close monitoring. Natixis incurs risks that are intrinsic to its Corporate & Investment Banking, Asset & Wealth Management, Insurance and Payments business activities: credit risk generated by Corporate & Investment Banking is V managed under specific risk policies adapted by business and subsidiary, concentration limits defined by counterparty, country (mature and emerging), sector, and through extensive portfolio monitoring with stress tests and segment reviews. The system allows for the selective management of issuance commitments through independent analyses (business lines/risk function) conducted by the various Credit Committees; the bank’s market activities – which aim to meet the needs of its V clients and exclude all forms of proprietary trading – incur market risk . The market risk supported thereby is managed according to a body of risk policies and specific qualitative and quantitative indicators (e.g. list of authorized instruments, VaR measurement, stress tests, sensitivities); leverage risk and liquidity risk are monitored by financial V management and are subject to specific oversight by Senior Management within a dedicated governance body (ALM Committee every two months). These two risks require setting specific objectives for managing scarce resources using a dedicated framework and management objectives for leverage required for business lines. In addition, liquidity risk is monitored in collaboration with BPCE, the “ultimate lender” for affiliates and responsible for MLT issues of public “vanilla” funding transactions. Within structural balance sheet risks, Natixis is exposed to credit spread risk; the bank’s solvency trajectory is set by Senior Management and V overseen by the Ratio & Capital Steering Department, which sets the target levels of capital and regulatory capital requirements. This trajectory takes into account changes in the bank’s scope and activity, methodological changes, particularly with regard to regulatory capitalrequirements, as well as debt issuance or equity; operational risk , due to its nature, is present across all the bank’s V business lines and functions. It is managed through a system, which has been rolled out across the business lines and geographic areas, using a shared data collection tool to map risks on an annual basis and provide feedback on losses and incidents, in collaborationwith the other control functions, which enables to implement corrective and preventive action plans accordingly; As a rule, Natixis has no particular appetite for operational risk and manages it very closely; Natixis is exposed to non-compliance risk in respect of banking V and financial regulations, which it is committed to control through the implementation of a Code of Conduct and strict compliance with the laws, regulations and standards governing its activities, in France and internationally, in the realm of financial security, ethics and client protection; Natixis’ most important asset is its reputation and its relationship V with its clients. Clients’ interests are therefore put first and the bank – irrespective of the business activity, entity or geographic area – is dedicated to operating at the highest level of ethical standards, and in line with the best transaction execution and security. This risk arising from the existence of other “direct” risks such as financial, legal or operational risks is closely monitored using indicators that combine an ex ante/ex post approach; model risk concerns both internal models within the meaning of V Directive 2013/36/EU (CRD IV) and all other models used by the bank (including those used for the valuation of financial products) within the meaning of the definition of a model under Directive SR 11-7 of the Board of Governors of the Federal Reserve System. It mainly concerns Corporate & Investment Banking market

118

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021