NATIXIS_REGISTRATION_DOCUMENT_2017

3 RISKS AND CAPITAL ADEQUACY Governance and risk management system

Market risk Market risk is the risk of loss in value caused by any adverse fluctuations in market parameters. These parameters include, in particular, bond prices, interest rates, securities and commodities prices, derivatives prices and prices of all other assets, particularly foreign exchange rates. Asset liquidity is also an important component of market risk. In the event of insufficient or non-existent liquidity (for example, because of a reduced number of transactions, or a major imbalance in the supply and demand of certain assets), a financial instrument or any other tradable asset may be unable to be traded at its estimated value. The lack of liquidity may lead to reduced access to capital markets, unforeseen cash or capital requirements, or legal restrictions. Operational risk Operational risk is the risk of loss due to inadequate or failed internal processes, human resources, information systems, or external events with financial, regulatory, legal or reputational impacts. The Groupe BPCE Insurance Department is tasked with analyzing insurable operational risks and taking out appropriate insurance coverage. Natixis and its subsidiaries benefit from insurance policies pooled with Groupe BPCE against potentially significant consequences resulting from fraud, embezzlement and theft, operating losses or the incurring of Natixis’ civil liability or that of its subsidiaries or the employees for which it is responsible. Overall interest rate risk Natixis’ overall interest rate risk is defined as the risk of losses on the banking portfolio stemming from mismatches between interest rates on assets and on liabilities. As is the case for most corporate and investment banks, Natixis has very few assets and liabilities generating structural interest rate positions. Natixis’ overall interest rate risk concerns contractual transactions. The most significant positions concern exposures to the short end of yield curves and are predominantly linked to the lag between IBOR reset dates. This is therefore classed as a secondary risk at the bank level. Liquidity risk Liquidity risk is the risk that Natixis will be unable to honor its commitments to its creditors due to the mismatching of maturities between assets and liabilities. This risk could arise, for example, in the event of massive withdrawals of customer deposits, a crisis of confidence, or an overall market liquidity crisis. As a corporate and investment bank, this risk for Natixis results primarily from mismatched positions between transactions with contractual maturities, as Natixis has fewer stable and permanent customer resources than retail banks and partly funds its operations on the markets.

Structural foreign exchange risk Structural foreign exchange risk is defined as the risk of transferable equity loss generated by an adverse fluctuation in exchange rates against the Group currency used in the consolidated accounts due to mismatches between the currency of net investments refinanced by purchases of currency and the currency of equity. Natixis’ structural foreign exchange risk for the most part concerns structural positions in the US dollar due to the consolidation of foreign branches and subsidiaries funded in this currency. Non-compliance risk Non-compliance risk is defined in French regulation as the risk of a legal, administrative or disciplinary penalty, accompanied by significant financial losses or reputational damage, that arises from a failure to comply with the provisions specific to banking and financial activities, whether these are stipulated by national or directly applicable European laws or regulations, or instructions from the executive body, notably issued in accordance with the policies of the supervisory body. This risk is a sub-category of operational risk, by definition. Cyber risk Natixis’ ability to conduct its business is determined by the availability of its information system, the guaranteed integrity and confidentiality of data and the traceability of every transaction. The transformation of banking information systems, the new technologies it heralds and the increased outsourcing of the related services offer cybercriminals new opportunities to carry out increasingly sophisticated and industrialized attacks. To address this issue, Natixis has restructured its departments in charge of IT security and set up a cyber Security Operating Center (SOC) that works directly with Groupe BPCE’s Computer Emergency Response Team (CERT). Within the Compliance Department, the IT Systems Security Department’s Risks and Controls team forms the second line of defense, and assesses the risk borne by each entity. It also supports the businesses’ initiatives to ensure their full compliance with security requirements. Natixis has also begun the overhaul of its information security model for 2020, with the aim to adapt the security framework to current developments, strengthen the protection of our most sensitive assets and improve the SOC’s detection capabilities. Reputational risk Reputational risk is the risk of damage to the confidence shown in the Company by its customers, counterparties, suppliers, employees, shareholders, supervisors, or any other third parties whose trust, in whatever respect, is a prerequisite for the normal conduct of business. Reputational risk is essentially a risk contingent on the other risks incurred by the bank.

116

Natixis Registration Document 2017