Société Générale / Risk Report - Pillar III
12 COMPLIANCE RISK, LITIGATION COMPLIANCE
ANTI-CORRUPTION MEASURES

Societe Generale is fully committed to fighting corruption and has given clear undertakings in this respect by participating in the Wolfsberg Group and the Global Compact. The Group applies strict principles that are included in its Code of Conduct and its “Anti-Corruption and Influence Peddling Code”.

Societe Generale’s anti-corruption programme is built around the following themes:
- Code of Conduct;
- annual risk mapping;
- appropriate training at all levels (senior management, exposed persons, all employees);
- control systems;
- accounting procedures;
- evaluation of third parties;
- disciplinary system;
- right to whistleblow.

The normative framework was first updated in 2018 (“Fight Against Corruption in Societe Generale Group”, “Gifts, Hospitality and Entertainment” instructions) and new instructions supplemented the framework in 2019 (“Whistleblowing mechanism”, “Know Your Supplier Obligations, Managing the Corruption and Influence Peddling Risk of Financial Service Suppliers”, “Patronage and Sponsorship Principles”, “Human Resources Principles (recruitment, appraisals and disciplinary sanctions)”, “External Growth Procedures”).

Societe Generale revised its whistleblowing mechanism by rolling out a secure Internet platform across the entire Group to enable all employees (whether internal, external or temporary) to exercise their right to whistleblow. In January 2019, a new instruction was published to present this new mechanism. It protects whistleblowers in particular by guaranteeing strict confidentiality and personal data protection.

In 2019, the Group also rolled out a tool to report, approve and monitor gifts, business meals and external events. Anti-corruption accounting and operational controls have also been strengthened.

In addition, a comprehensive training programme has been rolled out across the Group to increase employee vigilance. Online training was rolled out in mid-2018 for all employees, with a 97% completion rate at the end of December 2019. In 2019, classroom training was also provided to 6,155 employees and senior managers (99.5% completion rate) in roles particularly exposed to the risk of corruption.

DATA PROTECTION

As a trusted partner of its customers, Societe Generale is especially sensitive to personal data protection.

The entry into force, in May 2018, of the new European General Data Protection Regulation (GDPR), which increases the Company’s obligations and the level of sanctions in case of non-compliance with these obligations (up to 4% of revenue) has offered an opportunity for the Group and its subsidiaries to further reinforce their compliance system.

Across all Group entities, internal instructions and associated procedures in line with local and European regulations define the rules to apply and the measures to take to guarantee the protection and security of customer and staff data. Measures to inform data subjects and process their demands are in place so that such persons can exercise their rights, notably via dedicated digital platforms. A personal data security policy has been defined, which fits in with the Group’s overall security strategy, especially as regards cybersecurity. Moreover, as part of GDPR deployment, there has been a specific effort to increase staff awareness via dedicated training. An e-learning module has been introduced for the employees of every entity concerned. At end-2019, 97.3% of employees had undertaken the training.

Lastly, Societe Generale Group has appointed a Data Protection Officer (DPO). Reporting to the Head of Group Compliance, and the main contact for the Personal Data Protection Authority (the CNIL in France), he or she is responsible for ensuring sound Group compliance in terms of personal data protection. He or she has a network of local DPOs and Correspondents throughout the Group entities, and must support them on security issues and personal data usage. As part of his or her duties, the DPO regularly reviews a number of indicators, notably the number and nature of right exercise requests, the internal training completion rate, and the local DPO certification programme launched at the end of 2018.

RISK AND REMUNERATION POLICY

Since the end of 2010, in accordance with the regulatory framework defined by European Directive CRD3, Societe Generale has implemented a specific governance to determine variable remuneration. Beyond financial market professionals, the rules introduced by this directive apply to all persons whose activity is likely to have a substantial impact on the risk profile of the institutions which employ them, including those exercising control functions.

The regulatory framework defined by the European Directive CRD4 has applied since 1 January 2014. The framework does not modify the rules determining the variable remuneration of persons whose activity is likely to have an impact on the risk profile of the Group and on the employees who exercise control functions. The above-mentioned principles and governance remain in place within the Group.
According to the principles approved by the Board of Directors as proposed by the Compensation Committee, the remuneration mechanisms and processes for the identified population not only factor in the financial results of the transactions undertaken, but also how these results are generated: control and management of all risks and adherence to compliance rules. For their part, control function employees are remunerated independently of the results of the transactions that they control and according to criteria specific to their activity.

Variable remuneration includes a non-deferred portion and a deferred portion. The acquisition of the deferred portion of the variable remuneration is subject to three conditions, i.e. a minimum length of service, a minimum level of financial performance of the Company and/or the activity, and appropriate management of risks and compliance (malus and clawback clauses). All deferred variables of the regulated population are subject to a non-payment clause to sanction any excessive risk-taking or behaviour deemed unacceptable. A clawback clause enables Societe Generale, subject to applicable regulations, to request the return of deferred variables, in part or in full, after the holding period and for a five-year period after their allocation was included in the Group’s plan for deferred variable remuneration allocated for 2019. At least 50% of this remuneration is paid in shares or equivalent securities. The purpose of these payment methods is to align the remuneration with the Company’s performance and risk horizon.

The Risk Division and Compliance Division help define and implement this policy. In particular, every year they independently assess the main activities of Wholesale Banking, and French and International Retail Banking, and the principal risk takers, together with the desk managers subject to the Separation and Regulation of Banking Activities Act and the Volcker Rule in relation to their risk management and compliance. These assessments are reviewed by General Management and taken into account when determining the amounts of variable remuneration.
| SOCIETE GENERALE GROUP | PILLAR 3 - 2020