NATIXIS_REGISTRATION_DOCUMENT_2017

RISKS AND CAPITAL ADEQUACY Organization of Natixis’ internal control system

3.2 Organization of Natixis’ internal control system

Natixis' internal control system covers all the steps taken by the institution to measure, monitor and manage the risks that are inherent to its various activities in accordance with legal and regulatory requirements. The system complies with the provisions set forth in the French Order of November 3, 2014, on internal control by companies in the banking, payment services and investment services sector. It is structured in a manner consistent with the principles set out by BPCE, with the objective of ensuring a consolidated approach to risk within the framework of the control exercised by the shareholding group. The objective is to ensure the effectiveness and quality of the Company's internal operations, the reliability of accounting and financial information distributed both internally and externally, the security of operations, and compliance with laws, regulations and internal policies.


3.2.1 OVERVIEW OF THE INTERNAL CONTROL SYSTEM

(Data certified by the statutory Auditors in accordance with IFRS 7)

Natixis’ internal control system comprises:

- first-level permanent controls, performed by operational staff on the processing in their charge, following internal procedures and legal and regulatory requirements;
- second-level permanent controls, performed by four departments that are independent of operational staff:
  - the Compliance Department, which reports to the Corporate Secretary, is notably responsible for managing compliance risk, organizing the first-level permanent control system, and oversees second-level controls of operational risk (compliance and other operational risks),
  - the IT Systems Security and Business Continuity (ITSS-BC) function, which reports to the Compliance Department, assesses the risks, establishes the information systems security and business continuity policies and ensures their correct application,
  - the Risk Division, which is headed by the Risk Officer, reports directly to the Chief Executive Officer since October 1, 2017, and is responsible for measuring, monitoring and managing the risks inherent to the business activities, in particular market risk, credit risk and operational risk,
  - the Regulatory and Accounting Review team within the Accounting and Ratios Division, which reports functionally to the Compliance Department, verifies the quality and accuracy of accounting and regulatory information;
- periodic controls, performed by the Internal Audit Department. The Internal Audit Department reports to the Chief Executive Officer and performs periodic audits to assess the risks to which the businesses are exposed and ensure the effectiveness of the entire internal control system.

The Corporate Secretary is responsible for permanent controls and ensures their consistency and effectiveness.

Natixis organizes its control functions on a global basis in order to ensure consistency of the internal control mechanism throughout the company. Second-level permanent and periodic control functions within subsidiaries or businesses report to Natixis’ corresponding central control departments, either on a functional basis in the case of subsidiaries or on a hierarchical basis in the case of business lines.

The purpose of this organization is to ensure adherence to the following principles:

- a strict segregation of duties between units responsible for performing transactions and those that approve them, in particular accounting teams;
- full independence between the operational and functional units responsible for undertaking and validating transactions, and the units that control them.

Coordinating the system as a whole is the Control Functions Coordination Committee.

The Executive Managers, under the supervision of the Board of Directors, are responsible for implementing Natixis’ internal control system in its entirety. As such, they designate the persons in charge of the Risk Management, Permanent Control and Compliance Control functions, who report to them on their assignments.

The Board of Directors is regularly kept informed, by the executive managers, of all significant risks, risk management policies and changes made thereto.
