NATIXIS_REGISTRATION_DOCUMENT_2017

3 RISKS AND CAPITAL ADEQUACY Operational risks

A combined “Global Banking (Damages to j Fraud)” & “Profess ional Liability” policy with a total maximum payout of €148 millionper year of insurance (of which €1 33 millionhas been pooled with Groupe BPCE), of which: €15 million per year, combined “Fraud/Professional Civil a) Liability” insurance available, subordinate to the amounts guaranteedset out in b) and/orc) and/ord) below; €38 million per claim and per year, solely reserved for b) “GlobalBanking”risk; €25 million per claim and per year, solely reserved for c) “ProfessionalCivil Liability”risk; €70 million per claim and per year, combined “Global d) Banking/ProfessionalCivil Liability” insurance available in addition to or after use of the amounts guaranteedset out in b) and/orc) above. The maximum amount that can be paid out for any one claim under this arrangement is €109.5 million under “Professional Civil Liability” coverage and €109 million under “Fraud” coverage in excess of the applicable deductibles. “Regulated Intermediation Liability” (in three areas: j Financial Intermediation, Insurance Intermediation, Real Estate Transactions/Management) with a total maximum payoutof €10 millionper claimand per year. “Operating Civil Liability” covering €100 million per claim, j as well as a “Subsidiary Owner Civil Liability”/”Post Delivery-ReceptionCivil Liability”coverageextensionfor up to €30 millionper claimand per year of insurance. “Company Directors Liability” for up to €200 million per j claimand per year of insurance. “Property Damage” to Buildings and their contents j (including IT equipment) and the consecutive “losses in bankingactivities”,for up to €300 millionper claim. “Protection of Digital Assets against cyber risks” and the j consecutive “losses in banking activities”, for up to €100 millionper claimand per insuredyear. This coverageextendsworldwidefor initial risk or umbrellarisk, subject to certain exceptions,mainly in terms of “professional civil liability” where the policy does not cover permanent institutions based in the United States (or the coverage is obtainedlocallyby Natixis’US subsidiariesor branches). All the insurancepoliciesmentionedabovewere taken out with reputable,creditworthyinsurancecompanies. All the insurance policies mentionedabove are purchasedwith deductibles (accepted retention level) in accordance with Natixis'retentioncapacity. Valuables and

Measures to reduce risk Natixis has implementedmeasures in every business line and support functionto monitor the correctiveactions to reduce the Bank’s exposure to operational risks. These corrective actions are actively managed by the designated implementation managers (of more than 500 correctiveactions set up in 2017, nearly 60% have been completed) and monitored by the business line and central Operational Risk Committees. They are also assigned one of three levels of priority reflecting the risks incurred and whether or not they are associated with a serious incident. An alert system has been set up to prompt assessmentby the Natixis OperationalRisks Committeeof any delays in implementingfirst-levelcorrectiveactions. In 2017, a risk analysis was performed on all of Natixis’ business lines and on its support and control functions. Consistencyreviewswith internal audit findings and permanent control results helped highlight the biggest risks in each scope and set priorities for corrective actions to improve the risk management system. The Corporate & Investment Banking business lines represent the majority of risks under review owing to the extensive nature of the division’s activities and operationsin both Franceand internationally. The Company’srisk profile features two main categoriesof risk with a strong potential impact: business line risk, concentrated under Corporate& InvestmentBanking,and overall risk that the Bank is exposed to as a whole (cyber risk, regulatory risk, loss of access to premises or informationsystems, or of availability of employees).Appropriaterisk managementsystemsare put in place to cover them, including safeguarding of processes and controls, raising employee awareness, business continuity plans, informationsystemsecurityand insurancepolicies. The GroupeBPCE InsuranceDepartmentis taskedwith: analyzinginsurableoperationalrisks; a taking out appropriate insurance coverage (direct insurance a and/ortransfer). Natixisand its subsidiariesbenefitfrom the guaranteesprovided by the followingmain policies: coveringits insurableoperationalrisks; a and which are pooled with Groupe BPCE (with the sole a exceptionof the policy describedin point a) below. OPERATIONAL RISK INSURANCE 3.8.5 RISK PROFILE 3.8.4

150

Natixis Registration Document 2017