NATIXIS - Universal registration document and financial report 2019

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

3.2.1.4 Second-level permanent controls

Second-level permanent controls are performed by four departments that are independent of operational and support function staff.

The Compliance Department performs permanent second-level controls mainly in the following areas of non-compliance: customer protection, professional ethics, market abuse and financial security. At December 31, 2019, 3,225 second-level controls were assessed. (See section 3.2.8 for more information on the Compliance Department and on ITSS-BC).

In terms of IT Systems Security and Business Continuity (ITSS-BC), the function’s main role is to define and monitor security standards (see section 3.2.8.5). The second-level control plan has two parts, one shared with Groupe BPCE and another specific to Natixis, and is the result of a risk-based approach. The controls are carried out based on the first-level controls reported by the contributors (Information Systems Security Department or the appropriate security representatives for authorizations). ITSS-BC performs around 6,000 second-level controls each year.

The Risk Supervision Division performs controls on credit and counterparty risk, market and liquidity risk, overall interest rate risk, operational risk and model risk. Specific risks related to the Insurance and Asset Management activities are included in these controls, and its scope of action extends to all the entities within Natixis’ consolidation scope (see section 3.2 for more detailed information).

The Regulatory and Accounting Review team within the Accounting and Ratios division reports functionally to the Compliance Department. This team plays a role in improving the accuracy of accounting and financial information through the implementation of control systems for the accounting, tax declarations and regulatory reports produced by the Finance Department. (See section 5.5 — Internal control procedures relating to accounting and financial information.)

3.2.1.5 Periodic controls

Third-level controls, or periodic controls, as defined by the French Ministerial Order of November 3, 2014, are performed by the General Inspection Department. In this respect, the General Inspection Department is independent of all operational entities and support functions. With no operational role, it can never find itself in a position of conflict of interest. It reports to Natixis’ Chief Executive Officer. The Natixis Head of General Inspection is a standing guest member of the Audit and Risk Committees of Natixis and its subsidiaries, and can speak directly to the Chairman of the Risk Committee.

The General Inspection Department has a strong functional link with its BPCE counterpart, in accordance with the Natixis audit charter. In accordance with these principles, the General Inspection Department coordinates a global audit function at Natixis and is part of the Groupe BPCE Internal Audit Function. The General Inspection Department reports on all its activities and projects to the Risk Committee, which then presents a summary report to the Board of Directors.

It conducts audits across Natixis’ full scope (parent company, subsidiaries and branches) and covers all classes of risk arising from the various business activities carried out. It has full and unrestricted access to all information, confidential or otherwise. Its field of investigation encompasses all of Natixis’ operational activities, its support functions — including entities in charge of permanent control assignments — and its outsourced activities.

For all the business lines, these audits lead to an assessment of the suitability of existing control points in the processes audited as well as an appraisal of the risks arising from the relevant activities. It makes use of recurrent work in the area carried out by operational departments and permanent control teams. The audits lead to recommendations ranked in order of priority to strengthen the mechanisms for controlling and managing audited risks and to make them more comprehensive. The reports are sent to BPCE’s Chairman of the Management Board and General Inspection Department and to Natixis’ Chairman of the Risk Committee and senior management, as well as to the audited units.

The General Inspection Department monitors the implementation of recommendations and presents its findings to Natixis’ Senior Management Committee, the Risk Committee and the Board of Directors via the Chairman of the Risk Committee. To this end, it performs due diligence and carries out follow-up audits.

The work of Natixis’ General Inspection Department is based on an annual Audit Plan drafted and executed jointly with BPCE’s Inspection Générale, after consulting the various members of the Senior Management Committee. The Chairmen and Chairwomen of the Audit and Risk Committees are also consulted. This annual program is part of a four-year plan that sets out the intervention frequency and adapts resources to the risks and to the relevant regulatory requirements. The Audit Plan may be revised during the year at the request of senior management or if required by circumstances. In addition to conventional audit assignments, the General Inspection Department is also able to carry out ad hoc audits in order to address issues arising during the year and not initially included in the Audit Plan.

Natixis’ annual and multi-year audit plans are approved by its Chief Executive Officer. The Annual Audit Plan is examined by the Risk Committees of Natixis and BPCE and approved by the Natixis Board of Directors.

In 2019, the General Inspection Department conducted audit assignments on all risk classes to which Natixis’ activities are exposed. It dedicated a significant share of its resources to managing the risks related to capital markets activities and the use of models.

Several specialist projects involved all General Inspection staff. The most noteworthy included:

- the successful implementation of all recommendations issued by General Inspection in 2017 as part of its self-assessment of its audit activities and in 2018 during a review by an external consultant;
- working groups with representatives from the branches’ and subsidiaries’ own Audit Departments (DAI) that were run by General Inspection in 2019 to share best practices. Each DAI included a quality review that is independent of its processes in its 2020 plan;
- the hiring of a second data scientist with experience in data management. The tool chosen by Natixis was connected to the main databases and rolled out in all DAIs;
- training provided to all employees in the function’s monitoring and coordination systems (related to BPCE’s Inspection Générale) and the integration of their projects into said systems. Data management techniques were automatically implemented in all relevant assignments, with support from both data scientists;
