Worldline - 2019 Universal Registration Document

D EXTRA-FINANCIAL STATEMENT OF PERFORMANCE

Ensuring business ethics within our value chain [GRI 102-9] [GRI 103-3 Social compliance]

D.4.2.4 Utmost compliance standards in our markets [GRI 203-1] [GRI 102-6]

As an international Group operating in highly regulated sectors, Worldline not only ensures full compliance with the applicable laws and regulations, but also focuses on providing its customers with solutions and services integrating the utmost ethical standards, notably within its two specific and heavily regulated markets: the financial and the health industries. To achieve that, Worldline leverages its know-how and compliance experience, and works with regulatory bodies to innovate within the framework of strong regulatory constraints.

D.4.2.4.1 Specific compliance in the financial industry [GRI 102-9]

The European payments market is characterized by rapidly evolving technologies, regulatory requirements, standardization trends and increased customer focus on cost awareness, process control and risk management. The regulatory focus is shifting from a banking view towards a broader view that includes the payment industry. As new parties enter the payment landscape, the complexity and dependencies are increasing, hence the growing need for regulation and expert knowledge in a company like Worldline, capable of ensuring compliance.

As Europe’s leading payment services provider, Worldline combines long-standing proven expertise in traditional mass payment systems (issuing, acquiring, intra- and interbank payment processing) and innovative e-commerce and mobile payment solutions. The Group provides Europe’s most extensive end-to-end service portfolio both for payments and card transactions and offers cross-border availability of value-added services for banks, financial institutions and corporations.

The Eurosystem, part of the European Central Bank, promotes the safety and efficiency of payment, clearing and settlement systems under its oversight mandate. The systems play important roles not only in the stability and efficiency of the financial sector and the euro area economy as a whole, but also in the smooth conduct of the single monetary policy of the euro area and in the stability of the single currency. The Eurosystem oversight of Financial Market Infrastructures is based on the internationally accepted CPSS-IOSCO Principles for Financial Market Infrastructures (PFMIs), which were adopted by the ECB’s Governing Council in June 2013 as the standards for Eurosystem oversight of all types of FMIs in the euro area under the Eurosystem’s responsibility. Worldline complies with these principles in all of its regulated countries and with the regulatory oversight regimes applicable in Belgium, Netherlands and Latvia.

Along with supervision by regulators in some countries, there is also an increase in requirements imposed on the suppliers of financial institutions, especially in the payments market. Worldline is fully compliant with all these additional requirements. For example, in Germany the BAFIN released in October 2017 an update of the Main Risk requirements with stricter controls and requirements for outsourcing.

As a Financial Market Infrastructure, Worldline further ensures compliance with applicable laws, rules and regulations and customer expectations through key standardized certifications, such as ISO 27001 (Information Security), ISO 22301 (business continuity), ISO 9001 (PCI DSS and Quality), which support the Company’s ambition and, together with the ISAE 3402, provide this high level of assurance. Moreover, Worldline is working closely with the European Commission and the entire payment ecosystem to define and improve the payment value chain to reduce risks, facilitate competition and transparency while encouraging innovation and standardization for the benefit of the consumer and the merchant.

D.4.2.4.2 Specific compliance in the health industry

Worldline's activity in the e-health sector is reflected in services that include the development of information systems that process and host personal health data. This data is particularly critical since it is confidential and personal information, as highlighted in the GDPR (refer to Section D.2.4): “personal data relating to the physical or mental health of a person, including the providing health care services, which reveals information about the state of health of that person”. The software development and hosting activities related to these sensitive data require specific compliance with a normative and regulatory framework.

Since 2009, Worldline has participated in and integrated the definitions of several standards in the software development, interoperability and security of health e-services, in synergy with the agency of shared health information systems in France (agence des systèmes d’information partagés en santé or ASIP Santé). The Interoperability Framework for Health Information Systems (CI-SIS) is among the main standards that have emerged. Since 2005, Worldline has also participated several times in the “Connectathon”, an annual European meeting which approves the interoperability of the developed solutions and makes it possible to demonstrate true expertise in interoperability.

The Company conducts systematic and continuous monitoring of these standards, their evolution and their implementation, to guarantee its customers compliance with the state of the art and the mastery of these standards by Worldline's experts. For instance, references and solutions developed by Worldline include three computer security standards that became applicable in 2018: the “INS-C” referencing, the “DMP-Compatibility” certification (intended to validate the software's ability to interface with the shared medical file (DMP) implemented by the CNAMS) and the “prescription assistance software” certification, obtained for two applications in order to secure medication prescriptions in addiction centers on the one hand, and in maternal and child health centers on the other hand.
