WORLDLINE_REGISTRATION_DOCUMENT_2017
Risk Factors [GRI 102-15] and [GRI 102-11] Risk management activities
F.5.2.2
Anti-Money Laundering Policy
Worldline SA/NV has had an anti-money laundering (AML) policy in place since 2011. This policy also applies to the companies acquired by the Group in 2016, Paysquare and KB SmartPay. It sets out the general principles of AML, the ‘Know Your Customer’ (KYC) principle and the allocation of responsibility between the Sales and Marketing and the Customer Services Divisions.
The Group’s security risk management
The Group has put in place within its Internal Control department a specific function to manage security risk. This function includes security awareness, access and security management (review of access to production systems, data and functions, access to cardholder data by the banks and cryptographic key management) and security architecture and policies. Security risk management measures relate in particular to the following:
● Physical measures: facility entry controls to limit and monitor physical access, video cameras and access control mechanisms, media back-up storage in secured locations, control over the internal or external distribution of any kind of media and storage and accessibility of media;
● Network: firewall and router configuration standards and procedures are designed and deployed for protection against unauthorized access from untrusted networks;
● System security: strict application of regularly reviewed and clearly described hardening rules to avoid exploitation of default passwords and system settings;
● Protection of cardholder data: storage kept to a minimum with data retention and disposal policies, strong cryptography and security protocols, anti-virus software deployed and regularly updated on all systems;
● Secured systems and applications: latest vendor-supplied security patches installed; identification and assessment of security vulnerabilities; secure coding guidelines in order to prevent vulnerabilities from being introduced in the software development processes. In addition, a review of source code prior to release to production or customers is performed in order to identify any potential coding vulnerability;
● Logical access: to ensure that critical data can only be accessed by authorized personnel, systems and processes are in place to limit access based on access requirements and according to job responsibilities;
Bid Control and business risk management organization
The control and approval process governing the bidding and contracting activities reports to the Group Senior Vice-President for Bid Control and business risk management, ensuring the capturing and ongoing tracking of risks identified at the bidding stage throughout the delivery cycle. Bid Control and business risk management report directly to the Group Chief Financial Officer, with the risk managers in the GBUs and the Global Divisions reporting directly to the Group Senior Vice-President for Bid Control and business risk management, shortening the lines of command.
A Group Risk Management Committee convenes on a monthly basis to review the most significant contracts and the sensitive ones. The Committee is chaired by the Group CFO and led by the Senior Vice-President for Bid Control and business risk management. Permanent members of the Committee include the Senior Executive Vice-President Operations, Executive Vice-Presidents in charge of the Global Divisions and several other representatives from the Global Functions, including Finance and Legal.
On a quarterly basis, the Audit Committee conducts a thorough review of all the major contracts considered to be high risk. The Global Divisions and the Risk Managers perform the continuous monitoring of contracts that deviate from their initial business case.
Group Risk Management Committee
F.5.2.3 Fraud risk management
The Group as an issuer processor has, to its knowledge, taken all required actions (e.g. PCI certification) to minimize the risk of data breaches. In its role as commercial acquirer, the Group must ensure compliance with payment security rules established by the organizations that issue PCI certifications and address money laundering risks. The Group’s Fraud risk management department has implemented various policies and procedures to address these risks.
The Group has developed a Fraud Detection & Reaction (FD&R) application that allows the detection of fraud in near-real-time based on a data analysis application. The Group’s risk mitigation process has been enhanced with additional features to further address the residual risks, such as geo-blocking, real-time blocking, fall back de-activation and back-up systems.
F.5.2.4 Specific risk management activities