NATIXIS // 2021 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

Stress test results for the Natixis scope (Data certified by the Statutory Auditors in accordance with IFRS 7)

Overall stress test levels reached an average level of +€25.2 million as of December 31, 2021, versus +€17.5 millioans of December 31, 2020. The historical stress test replicating the sovereign debctrisis in 2011 gave the maximum loss (-€40 million as oDf ecember 31, 2021).

Overall stress tests as of December 31, 2021

(in €M)

Historical stress tests

130

Hypothetical stress tests

100 120 140

79

20 40 60 80

61

3

43

37

35 34

27

5

2

5

2

-80 -60 -40 -20 0

-6

-37

-40

Liquidity

Commodities

2008 Lehman

2007 FED Action

1997 Asian Crisis

Default by a bank

2002 Credit Crash

2011 Sovereign Crisis

2008 Corpo/ABS/MBS

Emerging market crisis

1994 Bond Market Crash

1987 Stock Market Crash

Influential issuer default

Increase in interest rates

Fall in stock market indices

Operational risks 3.2.7 Objectives and policy 3.2.7.1

Organization 3.2.7.2 The function in charge of operational risk ensures the monitoring and management of risks arising from failures attributable to operating procedures, employees and internal systems or arising from outside events. Its duties, as described in the operational risk policies and procedures validated by the Natixis Operational Risk Committee, include: recording incidents via a network of Operational Risk Officers V across all business lines and support functions; analyzing serious incidents using an escalation process; V mappingpotential risks, both qualitativelyand quantitatively,based V on a risk self-assessment and audits and controls carried out by the business lines; links with other control functions; V establishing key risk indicators and environmental variables of a V predictive nature.

As part of the definition of its risk appetite, and in accordance with Article 98 of the French Ministerial Order of November 3, 2014, Natixis defined its operational risk tolerance policy with a view to limiting losses related to operational risks and regularly reviewing actions to reduce risks. The policy sets out the governance established, the quantitative and qualitative management framework, and the monitoring performed thus far. It defines the operational risk management criteria, including: quantitative indicators: one historical indicator measuring the cost V of risk, one individual indicator identifying the occurrence of major incidents to be reported to the regulator (Article 98 of the French Ministerial Order of November 3, 2014), a specific individual indicator raising the alert on internal fraud events, and an operational risk management indicator measuring the progress of corrective actions; a qualitative indicator regarding the compliance of the governance V of the system; specific indicators monitoring Information and Communication V Technology (ICT) risk, including cyber risk. The operational risk management system identifies, measures, monitors and controls the level of operational risks for all the Company’s business lines and support functions in France and abroad.

143

www.natixis.com

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2021