NATIXIS // 2021 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

activities and is subject to dedicated governance and monitoring through specific indicators; Natixis brings together the risks related to Insurance activities V (Natixis Assurances), Asset Management (Natixis Investment Managers) and those related to Payments activities, under specific scopes. With regard to Insurance activities , the main risks incurred by the bank concernunderwritingrisk, in particular for non-life risks and market risks arising from the investments of insurance companies (interest rate risk, equity risk, spread risk, real estate risk and foreign currency risk). Asset Management activities involve reputational, non-compliance (specific management of conflicts of interest) and operational risks. They are also exposed to investment risks (Private Equity, seed money and real estate). Revenues are highly dependent on market trends. In addition, a large part of the financial risks are borne by investors, as Asset Management is a fiduciary activity. Natixis is also exposed to the following global risks: business and V strategic risks, risks related to macroeconomic and regulatory changes (unfavorable economic conditions and the strengthening of additional regulatory requirements), and those related to other external factors. As such, climate-related risks are directly integrated into Natixis’ main risk identification and monitoring processes. Risk Appetite Framework Each risk identified and considered material for the bank is monitored using an indicator and tolerance thresholds: a threshold setting the risk exposure allocated to each business V line; and a limit stating the maximum risk that, if exceeded, would pose a V risk to Natixis’ business continuity and/or stability (in terms of solvency, liquidity, results and reputation). Any breach of the tolerance thresholds (thresholds and limits) defined in the Risk Appetite Framework is subject to a notification and escalation procedure with executive officers and subsequently the supervisory body. This operational framework is applied by type of risk (credit and counterparty risk, market risk, structural balance-sheet risks, including liquidity risk and leverage risk, operational risk, solvency risk, etc.) and draws on Natixis’ pre-existing measuring and reporting systems. It is regularly reviewed, consolidated and presented to the Senior Management Committee and the Board of Directors’ Risk Committee. The risk appetite framework forms part of Natixis’ main processes, especially regarding: risk identification: risks are mapped every year to give an overview V of the risks to which Natixis is or could be exposed (by business line and type of risk). With this approach it is possible to identify material risks, the indicators of which are included in the risk appetite framework; the budget process and overall stress tests; V the Group strategic plan – BPCE 2024. V In accordance with regulations concerning systemically important financial institutions, Groupe BPCE has drawn up a recovery prevention plan (PPR).

Risk reporting and assessment 3.2.3.6 systems At both local and central level, the finance and risk function teams aggregate the data and produce consolidated risk indicators and reports. The informationsystemof the risk assessment system is global and deployed across the entire scope (including Natixis subsidiaries and branches) in France and internationally. In line with the BCBS 239 regulation, the IT architecture principles have been clarified, endorsed and backed by the implementationof a master scheme with a multi-year deployment plan. This work defined a target architecture for the risk and finance functions in order to comply with the requirements of BCBS 239, the principles of which are structured around the following objectives: the production of risk indicators is based on operational data V placed under the responsibility of the business lines and certified within the “Golden sources” applications; risk and finance applications share common frameworks; V the alignment of data between the central (Natixis S.A.) and the V local (subsidiaries and branches), including with regard to Groupe BPCE; the automation of business processes and reporting practices, V particularly through the risk and finance datalake; the ability to access the full history of data and the associated V audit trail through the various repositories; easy access to data and measurements produced through V standardized analysis tools and interfaces; the consistency of risk measurementswith respect to accounting V and the ability to cross-reference finance and risk data calculated at the contract/transaction level; the implementation of control and monitoring processes to V monitor the quality of the data and the consistency of the measurements. These architectural principles, largely implemented by the end of 2021, are applied to the following six main application scopes: the calculation chains for credit risk, market risk, counterparty risk V on market transactions, structural risks (liquidity, interest rate, foreign exchange) and operational risk; the prudential chain for the calculation of RWA. V 3.2.3.7 (Data certifiedby the Statutory Auditors in accordance with IFRS 7) Natixis is exposed to a set of risks inherent to its activities, which may change, particularly as a result of regulatory requirements. Credit and counterparty risk Credit risk is the risk of financial loss due to a debtor’s inability to honor its contractual obligations.Assessing the probabilityof default and, in such cases, how much we can expect to recover is a key component of measuring credit quality. Credit risk increases in periods of economic uncertainty, insofar as such conditions may lead to a higher rate of default. Counterparty risk is the risk of exposure to a counterpartydefaulting on market transactions. Counterparty risk evolves as market parameters fluctuate. Risk typology

3

119

www.natixis.com

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021