Société Générale / Risk Report - Pillar III

12 COMPLIANCE RISK, LITIGATION COMPLIANCE

The regulatory framework defined in European Directive CRD4 has applied since 1 January 2014 and does not amend the rules on determining the variable remuneration of persons whose activity is likely to have an impact on the Group’s risk profile and control function employees. Accordingly, the principles and governance mentioned above continue to apply within the Group. Societe Generale has also implemented a specific system and governance aimed at the holders of trading mandates to ensure that the remuneration policy genuinely factors in the requirements of the Separation and Regulation of Banking Activities Act of 26 July 2013 and the Volcker Rule. In keeping with our historical approach and in accordance with the recommendations of the Committee of European Banking Supervisors, several regulatory principles - the portion of deferred remuneration, the acquisition of which is subject to conditions of presence, the minimum performance of the Group and the activity, and appropriate risk and compliance management - apply to a wider population than the regulated population depending on the level of variable remuneration, notably across the scope of Wholesale Banking. In addition, the Group's annual employee appraisal tool has included a Conduct and Compliance section since 2018 enabling managers to factor in cases of employees' non-compliant behaviour when managing risks, providing quality of service and respecting customers' interests. Where an employee has failed to observe conduct and compliance rules, the manager must draft and implement a dedicated action plan to assist him or her. The results of this specific appraisal measure are crucial in determining the employee's career path and remuneration. The consideration given to risks in the remuneration policy is presented every year to the Risks Committee and a Director sitting on the Risks Committee also sits on the Compensation Committee. Management of reputational risk The management of reputational risk is governed by an internal directive signed by the Societe Generale Group CEO. The control system is intended to prevent, identify, assess and control this risk. It is coordinated by the Compliance Division, which: supports Group employees, and more particularly the Compliance p Control Officers of the businesses, in their strategy for preventing, identifying, assessing and controlling reputational risk; offers and updates training programmes to raise awareness of p reputational risk; develops a reputational risk dashboard that is communicated p quarterly to the Risk Committee of the Board of Directors, based on information from the businesses/Business Units and support functions/Service Units (in particular the Human Resources, Communications, Legal, Corporate Social Responsibility and Data Protection Departments). Moreover, Chief Compliance Officers dedicated to Business Units take part in the various bodies (new product Committees, ad hoc Committees, etc.) organised to approve new types of transactions, products, projects or customers, and formulate a written opinion as to their assessment of the level of risk of the planned initiative, and notably the reputational risk. The compliance function transformation programme The Compliance function transformation programme aims to strengthen compliance risk management via the increased vigilance and awareness of all stakeholders, including businesses, support staff and other units, to increase the operational efficiency of the associated processes and to meet the demands of supervisory and regulatory authorities in the long term.

This programme includes updating the governance and allocating greater resources to the Compliance function, whether in terms of recruitment, training, or modernisation of dedicated information systems and digitalisation. It also relies on a stronger risk-assessment framework and a robust control system. The programme includes a specific component on remediation linked to the agreements signed in 2018 with the US and French authorities. Its action plan was supplemented and updated in 2019, and it will continue to be implemented in 2020. COMPLIANCE REMEDIATION PLAN IN THE WAKE OF AGREEMENTS ENTERED INTOWITH FRENCH AND US AUTHORITIES In June 2018, Societe Generale entered into agreements with the US Department of Justice (DOJ) and the US Commodity Futures Trading Commission (CFTC) to resolve their investigations into IBOR submissions, and with the DOJ and the French Parquet National Financier (PNF) to resolve their investigations into certain transactions involving Libyan counterparties. In November 2018, Societe Generale entered into agreements with the US authorities to resolve their investigations into certain US dollar transactions involving countries, persons or entities subject to US economic sanctions. As part of these agreements, the Bank has committed to enhance its compliance system in order to prevent and detect any violation of anti-corruption and bribery, market manipulation and US economic sanction regulations, and any violation of New York state laws. The Bank has also committed to enhance corporate oversight of its economic sanctions compliance programme. The Bank will not be prosecuted if it abides by the terms of the agreements, to which Societe Generale is fully committed. The Bank has also agreed with the US Federal Reserve to hire an independent consultant to assess the Bank’s progress on the implementation of measures to strengthen its compliance programme. To meet the commitments made by Societe Generale as part of these agreements, the Bank has developed a programme to implement these commitments and strengthen its compliance system in the relevant areas. This programme has been placed under the direct supervision of the Group Head of Compliance. In addition, the programme’s Steering Committee is chaired by a member of the Bank’s General Management, and a programme progress report is presented to the Board of Directors on a monthly basis. In 2019, the Programme was rolled out according to the schedule presented to the internal Governance bodies and the various authorities receiving regular reports on the progress of remedial actions. Moreover, the external audits provided in the agreements have been conducted or are under way. UNITED STATES COMPLIANCE REMEDIATION PLAN On 19 November 2018, Societe Generale Group and its New York branch (SGNY) entered into an agreement (enforcement action) with the NY State Department of Financial Services regarding the SGNY anti-money laundering compliance programme. This agreement requires (i) submitting an enhanced anti-money laundering programme, (ii) an anti-money laundering governance plan, and (iii) the performance of an external audit in May 2020. As a reminder, on 14 December 2017, Societe Generale and SGNY on the one hand, and the Board of Governors of the Federal Reserve on the other hand, agreed to a Cease and Desist order (the “Order”) regarding the SGNY compliance programme to adhere to the Bank Secrecy Act (“BSA”) and its anti-money laundering (“AML”) obligations (the “Anti-Money Laundering Compliance Program”), and regarding some aspects of its Know Your Customer programme.

214

PILLAR 3 - 2020 | SOCIETE GENERALE GROUP |