NATIXIS -2020 Universal Registration Document

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

In addition to risk mapping, there are over 600 KRIs (key risk indicators) in place with corresponding limits, and which are monitored regularly. KRIs dynamically detect any changes in the operational risk profile and cover the seven Basel categories of loss-generating events. They apply either to Natixis (overall indicators), to the business lines, or to the support functions that, with the operational risk manager, set the indicators as relevant early warning indicators during the mapping process. These indicators are submitted to the Operational Risk Committee for approval. Any breach of their thresholds, that is the subject of a systematicalert, may trigger action to be carried out immediatelyor requiring OR Committee approval.

the operational risk department) are reported immediately to the business line’s management and to Natixis’ chief risk officer. Following an investigation involving all relevant parties, the operational risk manager of the business line compiles a standardized full report, including a factual description of the event, the analysis of the initial cause, the description of the impact and the proposed corrective actions. At all levels of the Company, the business line Operational Risk Committees review their serious incidents. They decide on the implementationof corrective actions propose the associated deadlines and deliverables, and monitor progress. The entities and business lines can decide to apply these measures to their own threshold, which is lower than that of Natixis and consistent with its activity and level of risk. The vast majority of operational risk incidents occur frequently and have a low impact per incident. Overall trend of reported incidents In 2020, 3,258 incidents that occurred in the year (representing 5,520 single incidents) were entered into the recording tool by the Natixis business lines. The application of the reporting threshold has contributed to the decrease in the number of reports since 2016.

Identifying losses and incidents Recording and analyzing incidents

Incidents are recorded as they occur, starting from an optional reporting threshold of €5,000 for the Corporate & Investment Banking and Asset Management business lines, and €1,500 for Payments, Insurance and Wealth Management. A single definition of “serious incident” is used, in compliance with Groupe BPCE standards (€300,000 gross).All serious incidents (above the defined threshold or deemed serious by the business line and the head of

3

Breakdown of reported incidents by business and date

2,500

2018 2019 2020

2,145

2,080

2,000

1,868

1,500

1,000

587

461 448 389

442 444

426 380

500

386 326

307

265

80 74 48

1

0

Asset & Wealth Management

Payments

Corporate & Investment Banking

Functional Departments

Insurance

Financial Investments

Global and systemic risks - Paris

Breakdown of reported incidents by net amount, date and Basel category

100 %

2018 2019 2020

90 %

80 %

72 %

69

%

60 %

40 %

23 %

20 %

18 %

6 %

6 %

5 %

2 %

2 % 1 %

2 % 1 %

1 % 0 %

0 %

0 %

0 % 0 %

0 % 0 %

0 %

Execution, delivery and procedures

External fraud

Internal fraud

Commercial customers, products and practices

Damage to property plant and equipment

Business interruption and Information System deficiencies

Employment and safety practices

151

www.natixis.com

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2020