Worldline - 2019 Universal Registration Document

F RISK ANALYSIS

Risk management activities

F.1.2.5 Specific risk management activities

Security risk management measures relate, in particular, but not exclusively, to physical measures, network, system security, protection of person payment data, security patches, logical access, intrusion detection, logging and monitoring. The Group’s operational risk management process, supervised by the Quality Security Risk & Compliance (QSRC) division, analyzes security-related threats and vulnerabilities in order to avoid any unwanted increase in risk exposure. A formal security awareness program is maintained to ensure that all personnel are aware of the importance of security. On a yearly basis, all employees of the Group have to attend this program and to acknowledge that they have read and understood the security policy and procedures of the Group. Incident response plans are developed and deployed in order to be prepared to respond immediately in the event of a system breach.

Environmental risk management

Environmental risks are identified at several levels in the Group. At global level, inherent environmental risks are identified as part of the Group's extra-financial analysis (refer to Section D.5.1.1). More specifically, Worldline's climate risks have been detailed in 2019 according to the framework of the Carbon Disclosure Project (CDP) questionnaire (refer to Section D.5.2.1.1). Based on a series of workshops organized with key transversal functions and on the Company's data (site locations, etc.), a climate-scenarios analysis was conducted and made it possible to identify the most material risks and opportunities. The methodology used also aligns with the TCFD framework and is based on Worldline's existing Enterprise Risk Management framework. At local level, environmental risks are identified through the ISO 14001 environmental management system (refer to Section D.5.1.2.1). A number of artifacts, like interested parties' (stakeholders') requirements, environmental analysis and legal compliance, allow environmental risks to be identified.

Compliance Risk

The Group has in place various policies, ranging from the compliance charter to the Anti-Bribery and Anti-Corruption policy, designed to tackle any noncompliance risk. Compliance risk is defined as the exposure to fines or penalties, financial impacts, material losses, reputational damage or the inability to operate in key markets that Worldline may face as a result of its failure to comply with specific laws, regulations and ethical principles (as outlined in the Code of Ethics).

Card data security

The Group as an issuer processor has, to its knowledge, taken all required actions (e.g. PCI certification, card scheme rules) to minimize the risk of data breaches. In its role as commercial acquirer, the Group must ensure compliance with payment scheme rules established by the organizations that issue PCI certifications. The Group’s Fraud Risk management department has implemented various policies and procedures to address these risks.

Fraud risk management

The Group has developed a Fraud Detection & Reaction (FD&R) application that allows the detection of fraud in near-real-time based on a data analysis application. The Group’s risk mitigation process has been enhanced with additional features to further address the residual risks, such as geo-blocking, real-time blocking, fall back de-activation and back-up systems.

Service Not Rendered (Credit) risk management

The Group has developed a Services Not Rendered exposure assessment process to manage and limit acquiring exposure through risks-based collaterals and guarantees. The process allows for risk reward decision routine and includes an ongoing review of the financial exposure and the client’s financial quality.

Anti-Money Laundering and Counter Terrorist Financing Policy

The Group has an anti-money laundering (AML) and Counter Terrorist Financing (CTF) policy in place. This policy applies, as the case may be, to the companies acquired by the Group. It sets out the general principles of AML and CTF, the ‘Know Your Customer’ (KYC) principle and the allocation of responsibility between the Sales and Marketing and the Customer Services Divisions.

The Group security risk management

The Group has put in place a specific function to manage security risk, covering security awareness, access and security management (e.g. review of access to production systems, data and functions, access to cardholder data by the banks and cryptographic key management) and security architecture & policies.
