NATIXIS_PILLAR_III_2017_EN

GOVERNANCE AND RISK MANAGEMENT ORGANIZATION

Risk typology

Liquidity risk

Liquidity risk is the risk that Natixis will be unable to honor its commitments to its creditors due to the mismatching of maturities between assets and liabilities. This risk could arise, for example, in the event of massive withdrawals of customer deposits, a crisis of confidence, or an overall market liquidity crisis. As a corporate and investment bank, this risk for Natixis results primarily from mismatched positions between transactions with contractual maturities, as Natixis has fewer stable and permanent customer resources than retail banks and partly funds its operations on the markets.

Structural foreign exchange risk

Structural foreign exchange risk is defined as the risk of transferable equity loss generated by an unfavorable fluctuation in exchange rates against the currency used in the consolidated accounts due to a mismatch between the currency of net investments refinanced by purchases of currency and the currency of equity. Natixis’ structural foreign exchange risk for the most part concerns structural positions in the US dollar due to the consolidation of foreign branches and subsidiaries funded in this currency.

Non-compliance risk

Non-compliance risk is defined in French regulation as the risk of a legal, administrative or disciplinary penalty, accompanied by significant financial losses or reputational damage, that arises from a failure to comply with the provisions specific to banking and financial activities, whether these are stipulated by national or directly applicable European laws or regulations, or instructions from the executive body, notably issued in accordance with the policies of the supervisory body. This risk is a sub-category of operational risk, by definition.

Cyber risk

Natixis’ ability to conduct its business is determined by the availability of its information system, the guaranteed integrity and confidentiality of data and the traceability of every transaction.

The transformation of banking information systems, the new technologies it heralds and the increased outsourcing of the related services offer cybercriminals new opportunities to carry out increasingly sophisticated and industrialized attacks. To address this issue, Natixis has restructured its departments in charge of IT security and set up a cyber Security Operating Center (SOC) that works directly with Groupe BPCE’s Computer Emergency Response Team (CERT). Within the Compliance Department, the IT Systems Security Department’s Risks and Controls team forms the second line of defense, and assesses the risk borne by each entity. It also supports the businesses’ initiatives to ensure their full compliance with security requirements. Natixis has also begun the overhaul of its information security model for 2020, with the aim of adapting the security framework to current developments, strengthening the protection of our most sensitive assets and improving the SOC’s detection capabilities.

Reputational risk

Reputational risk is the risk of damage to the confidence shown in the company by its customers, counterparties, suppliers, employees, shareholders, supervisors, or any other third parties whose trust, in whatever respect, is a prerequisite for the normal conduct of business. Reputational risk is essentially a risk contingent on the other risks incurred by the bank.

Legal risk

Legal risk is defined in French regulation as the risk of any legal dispute with a third party, arising from an inaccuracy, omission or deficiency that may be attributable to the company’s operations.

Other risks

Insurance business-related risk: insurance risk is the risk to profits of any difference between expected and incurred claims. Depending on the insurance product in question, the risk varies according to macroeconomic changes, changes in customer behavior, changes in public healthcare policy, pandemics, accidents and natural disasters (such as earthquakes, industrial accidents or acts of terrorism or war).

Strategic risk is the risk inherent to the strategy chosen or resulting from Natixis’ inability to implement its strategy.

Climate risk is the increased vulnerability of businesses to variations in climate indices (temperature, rainfall, wind, snow, etc.).

Environmental and social risks arise from the operations of the clients and companies in which Natixis invests.


NATIXIS Risk report Pillar III 2017
