Worldline - 2020 Universal Registration Document

F RISK ANALYSIS

Risk management activities

F.1.2.4 Group Risk Management Committee

A Group Risk Management Committee convenes on a monthly basis to review the most critical contracts, internal projects or services at risk and to review major operational risks periodically. The Committee is chaired by the Group Deputy Chief Executive Officer. Permanent members of the Committee include the Group Financial Officer, the Group Chief Operations Officer, the Group Head of Legal and each Head of Global Business Line. On a quarterly basis, the Audit Committee conducts a thorough review of all the major critical contracts and major litigations. The Global Business Lines and the Risk Managers continuously monitor areas that deviate from their initial business case.

F.1.2.5 Specific risk management activities

Card data security

The Group as an issuer processor has, to its knowledge, taken all required actions (e.g. PCI certification, card scheme rules) to minimize the risk of data breaches. In its role as commercial acquirer, the Group must ensure compliance with payment scheme rules established by the organizations that issue PCI certifications. The Group’s Fraud Risk Management department has implemented various policies and procedures to address these risks.

Fraud risk management

The Group has developed a Fraud Detection & Reaction (FD&R) application that allows the detection of fraud in near-real-time based on a data analysis application. The Group’s risk mitigation process has been enhanced with additional features to further address the residual risks, such as geo-blocking, real-time blocking, fall back de-activation and back-up systems.

Service Not Rendered (Credit) risk management

The Group has developed a Services Not Rendered exposure assessment process to manage and limit acquiring exposure through risk-based collaterals and guarantees. The process allows for risk reward decision routine and includes an ongoing review of the financial exposure and the client’s financial quality.

Anti-Money Laundering and Counter Terrorist Financing Policy

The Group has an anti-money laundering (AML) and Counter Terrorist Financing (CTF) policy in place. This policy applies, as the case may be, to the companies acquired by the Group. It sets out the general principles of AML and CTF, the ‘Know Your Customer’ (KYC) principle and the allocation of responsibility between the Sales and Marketing and the Customer Services Divisions in accordance with the various regulations applicable to the Group.

The Group security risk management

The Group has put in place a specific function to manage security risk, covering security awareness, access and security management (e.g. review of access to production systems, data and functions, access to cardholder data by the banks and cryptographic key management) and security architecture & policies. Security risk management measures relate, in particular, but not exclusively, to physical measures, network, system security, protection of person payment data, security patches, logical access, intrusion detection, logging and monitoring. The Group’s operational risk management process, supervised by the Quality Security Risk (QSR) division, analyzes security-related threats and vulnerabilities in order to avoid any unwanted increase in risk exposure. A formal security awareness program is maintained to ensure that all personnel are aware of the importance of security. On a yearly basis, all employees of the Group have to attend this program and to acknowledge that they have read and understood the security policy and procedures of the Group. Incident response plans are developed and deployed in order to be prepared to respond immediately in the event of a system breach.

Environmental risk management

Environmental risks are identified at several levels in the Group. At global level, inherent environmental risks are identified as part of the Group’s extra-financial analysis (refer to Section D.5.1.1). More specifically, Worldline’s climate risks were detailed in 2019 according to the framework of the Carbon Disclosure Project (CDP) questionnaire (refer to Section D.5.2.1.1).

Based on a series of workshops organized with key transversal functions and on the Company’s data (site locations, etc.), a climate-scenarios analysis was conducted and made it possible to identify the most material risks and opportunities. The methodology used also aligns with the TCFD framework and is based on Worldline’s existing Enterprise risk management framework. At local level, environmental risks are identified through the ISO 14001 environmental management system (refer to Section D.5.1.2.1). A number of artifacts, such as interested parties’ (stakeholders’) requirements, environmental analysis and legal compliance, make it possible to identify environmental risks.
