Natixis Registration Document 2017

RISKS AND CAPITAL ADEQUACY
Non-compliance risk

Any transaction that is detected as potentially contributing to terrorist activities or potentially benefiting persons or entities linked to such activities warrants a suspicion report to the relevant financial intelligence unit.

Compliance with financial sanctions and embargoes

Natixis has implemented a framework to ensure compliance with regulations on applicable financial sanctions and embargoes. The framework draws on systems that verify client databases and filter transactions with a view to identifying, on an ongoing basis, any person or entity subject to financial sanctions, specifically account freezes or restricted access to bank financing. It can apply account freezes aimed at Natixis clients in a timely manner, as well as prevent any transaction linked to sectors, goods or technologies that are subject to restrictions or bans pursuant to embargo measures. The jurisdictions subject to embargo undergo constant supervision and heightened diligence as part of a prudent and restrictive approach intended to prevent any interpretation of the regulatory scope. A team focused on financial sanctions provides assistance and advice to the Bank’s business lines and entities.

Anti-fraud measures

The anti-fraud measures are steered by the Anti-Fraud Coordination Unit in collaboration with the business lines concerned. This unit is also in charge of drafting and implementing standards and principles for fraud risk management, and of coordinating the network of anti-fraud officers across the subsidiaries and branches of Natixis in France and abroad. More specifically, risk linked to Capital markets activities is closely monitored and subject to specific first- and second-level controls overseen and implemented by a dedicated team within CIB Compliance. Social engineering-type payment fraud is also subject to constant vigilance and specific prevention measures, as this continuously evolving fraud is particularly widespread and has evolved to impact the different commercial banking business lines.

Lastly, the risk of information leakage, which has become a major risk, is subject to a specific control and investigation framework employing the expertise of fraud and IS security experts as well as the legal and HR functions as necessary.

Prevention of corruption

To comply with the requirements set out in Article 17 of the law of December 9, 2016, on transparency, prevention of corruption and the modernization of the economy (“Sapin II”), in 2017 Natixis carried out a campaign to strengthen and align some of the rules and procedures of its compliance framework with the best international standards in corruption prevention. These rules and procedures aim to identify high-risk situations by drawing on the prevention and management of conflicts of interest, conducting anti-corruption due diligence when initiating business relationships with third parties (clients, suppliers, intermediaries) and prior to forming partnerships or carrying out merger and acquisition transactions, and by supervising recruitments. They also endeavor to evaluate the situation of third parties in terms of corruption and influence-peddling issues (reputation and background analysis), identify the factors of exposure to corruption risk (such as the presence of public decision-makers among the direct or indirect beneficiaries of a transaction), ensure the economic justification of the role of the various participants in a transaction, check that actual payments of funds are justified, etc. They also set out to avoid the risk of impropriety arising from practices such as giving or accepting gifts or invitations, payments as part of patronage or sponsoring initiatives, donations or third-party compensation. The rules and procedures of this prevention framework are set out in Natixis’ anti-corruption Policy, which is applicable to all its entities and employees. Internationally, Natixis ensures strict compliance with local regulations, such as the UK Bribery Act and the Foreign Corrupt Practices Act.

3.10.5 IT SYSTEMS SECURITY AND BUSINESS CONTINUITY

The objectives of the IT Systems Security and Business Continuity Department, which is organized as a function, are to protect Natixis’ information assets, identify risks (relating to information availability, integrity, confidentiality and traceability), request, where applicable, that a remediation plan be put in place, provide expertise and advice to the business lines, and keep the overall crisis set-up in working order. To meet these objectives, the department draws on its own resources to provide cross-business functions. It also relies on representatives within the business lines (IT Systems Security managers and Business Continuity Plan managers) and the IT Department. The ITSS-BC Department coordinates its activities based on risks.

It employs a method which identifies, in terms of operational risk, the risk situations of concern to the business lines and the IT assets that may be vulnerable. This method has since been adopted by Groupe BPCE. Risk assessments can be conducted during the annual review or can result from supporting a project. In 2017, the ITSS-BC Department monitored close to 300 business line projects, for half of which it issued specific security requirements in order to better mitigate risks. In light of these risks, the ITSS-BC Department runs an annual second-level permanent control plan covering all areas of IT System Security, with a tight focus on the control of access rights. The user access management overhaul program that began in 2012 was concluded in 2017. The tool manages approximately 1.2 million access rights for over 21,000 employees and contractors. The controls also check compliance with the security policy. Natixis was an active participant in the review of Groupe BPCE’s IT system security policy, which comprised some 400 rules at end-2017.
