NATIXIS_REGISTRATION_DOCUMENT_2017

RISKS AND CAPITAL ADEQUACY Organization of Natixis’ internal control system

3.2.4 SECOND-LEVEL PERMANENT CONTROLS

Second-level permanent controls are performed by four departments that are independent of operational staff.

The Compliance Department performs permanent second-level controls on operational risks mainly in the following areas of non-compliance: Customer protection, professional ethics, market abuse and financial security. At December 31, 2017, 4,162 second-level controls were assessed. (For more information on Compliance and on ITSS-BC, refer to section 3.10)

In terms of IT Systems Security and Business Continuity (ITSS-BC), the department’s main role is to define and monitor security standards (see section 3.10.5). The second-level control plan has two parts, one shared with Groupe BPCE and another specific to Natixis, and is the result of a risk-based approach. The controls are carried out based on the first-level controls reported by the contributors (Information Systems Security Department or the appropriate security representatives for authorizations). ITSS-BC performs around 6,000 second-level controls every year.

The Risk Division performs controls on credit risk, counterparty risk, market risk, liquidity and overall interest rate risk, and operational risk. Specific risks related to the Insurance and Asset Management activities are included in these controls, and its scope of action extends to all the entities within Natixis’ consolidation scope. (For more detailed information, see sections 3.5, 3.6, 3.8 and 3.9)

The Regulatory and Accounting Review team within the Accounting and Ratios Division reports functionally to the Compliance Department. This team plays a role in improving the accuracy of accounting and financial information through the implementation of control systems covering the accounting, tax declarations and regulatory reports produced by the Finance Department. (See Chapter 5 section 5.5 – Internal control procedures relating to accounting and financial information)

3.2.5 PERIODIC CONTROLS

Third-level controls, or periodic controls, within the meaning of the French Order of November 3, 2014, are performed by the Internal Audit Department. In this respect, the Internal Audit Department is independent of all operational entities and support functions. With no operational role, it can never find itself in a position of conflict of interest. It reports to Natixis' Chief Executive Officer. The Internal Audit Department has a strong functional link with its BPCE counterpart, in accordance with the Natixis audit charter, revised in 2017.

In accordance with these principles, the Internal Audit Department coordinates a global audit function at Natixis and is part of the Groupe BPCE Internal Audit Function. The Internal Audit Department reports on all its activities and projects to the Risk Committee, which then presents a summary report to the Board of Directors.

It conducts audits across the whole of Natixis (parent company, subsidiaries and branches) and covers all classes of risk arising from the various business activities carried out. It has full and unrestricted access to all information, confidential or otherwise. Its field of investigation encompasses all of Natixis’ operational activities, its functional departments – notably including entities in charge of permanent control assignments – and its outsourced activities.

For all the business lines, these audits result in an assessment of the suitability of existing control points in the processes audited as well as an appraisal of the risks arising from the relevant activities. It makes use of recurrent work in the area carried out by operational departments and permanent control teams. The audits lead to recommendations by order of priority to strengthen the comprehensiveness and robustness of the mechanisms for controlling or managing the risks audited. The reports are sent to Natixis' Chairman and Senior Management, to the audited units and to the Internal Audit Department of BPCE.

The Internal Audit Department monitors the implementation of recommendations and presents its findings to the Management Board, the Risk Committee and the Board of Directors. To this end, it performs due diligence and carries out follow-up audits.

The work of Natixis’ Internal Audit Department is based on an annual Audit Plan drafted and executed jointly with Groupe BPCE’s General Inspection, and after consulting the Senior Management Committee. It is part of a four-year plan that sets out the intervention frequency and adapts resources to the risks. The Audit Plan may be revised during the year at the request of Senior Management or if required by circumstances. In addition to conventional audit assignments, the Internal Audit Department is also able to carry out ad hoc audits in order to address issues arising during the year and not initially included in the Audit Plan.

Natixis' annual and multi-year audit plans are approved by its Chief Executive Officer. The Annual Audit Plan is examined by the Risk Committees of Natixis and BPCE.

In 2017, the Internal Audit Department conducted audit assignments on all risk classes to which Natixis’ activities are exposed. It dedicates a significant share of its resources to assignments of a regulatory nature, by working with Natixis on its new obligations (Basel internal models, US regulations), as well as assignments conducted in Natixis’ subsidiaries pursuant to audit agreements entered into with them.

Several specialist projects involved all Internal Audit staff in 2017. These included in particular:

- performing a self-assessment on the quality of audits, using the BCBS regulatory framework and the IIA’s Best Practices as reference;
- strengthening the organization and resources of Natixis' Internal Audit function by improving the efficiency of the recruitment process, further promoting diversity and stepping up internationalization;
- deepening the current relationship between the Internal Audit Department, BPCE’s Internal Audit Department and the nine international and subsidiary audit teams by enhancing resource sharing;


Natixis Registration Document 2017
