AFD_REGISTRATION_DOCUMENT_2017

4

RISK MANAGEMENT


4.3.6.3 Non-compliance risks

According to regulations, the CPC department is responsible for the prevention, detection, monitoring and management of non-compliance risk throughout AFD Group. Non-compliance risk is defined as “the risk of legal, administrative or disciplinary sanction, material financial loss or loss to reputation arising from failure to comply with the provisions governing banking and financial activities, whether they be directly applicable legal, regulatory, national or European provisions, or whether they are professional and ethical standards or the instructions given by executive officers, particularly in light of the guidelines from the supervisory body” (Decree of 3 November 2014, Article 10 p).

The CPC department ensures the Group complies with (i) internal and external provisions related to preventing money laundering and terrorist financing (AML/CFT), (ii) those related to the fight against corruption and associated infractions as well as fraud and anti-competitive practices, (iii) those that govern the performance of banking and financing activities or (iv) those that ensure the protection of clients’ personal data and private lives.

The department is part of the Executive Risk department (DXR). The Compliance function reports on its activities to the Internal Control Committee (Cocint) and to the New Products and New Activities committee (Coconap in its Compliance configuration), as well as the Group Risk Committee.

The Compliance function covers all sectors, operations, geographic areas and regulatory contexts of AFD Group. In addition to operational projects and activities, it also concerns the Group’s new activities and products, in accordance with regulations. Its ultimate aim is to ensure that non-compliance risks are appropriately evaluated in the interest of preventing and limiting the exposure of AFD Group and its management to criminal and reputational risks, by coaching them if these risks should arise.
Non-compliance risk monitoring is ongoing and backed by a risk map. The following changes were made to the non-compliance risk-management system during 2017:

• continuing training initiatives on combating internal and external fraud as well as combating corruption and embezzlement of project funds;

• following the adoption of the so-called “Sapin II” Law of 9 December 2016 on transparency, fighting corruption and modernising economic life, the implementation of a corruption and influence peddling prevention plan which is based on eight measures provided in the law and which complements the Group’s pre-existing system for preventing and combating corruption;

• update of AFD Group’s AML/CFT procedure following Order no. 2016-1635 of 1 December 2016 tightening the French system to combat money laundering and the funding of terrorism, which transposes into French law the provisions of the 4th directive 2015/849/EU of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

Insurance – Coverage of risks run by AFD

AFD has a “civil liability” insurance policy that also covers Proparco, a “Directors and Officers civil liability” policy, a “labour relations” policy, a “first excess property damage” policy that also covers Proparco and VAL, an “all exhibition risks – works of art” policy, and a “Directors and Officers civil liability specific to supplementary pension scheme management (IGRS) (1) risk” policy. All of the network’s agencies are covered by locally underwritten insurance policies (multi-risk residential and office, and civil liability for office activities). These policies are accompanied by vehicle insurance covering head office (head office policy) and the network (local policies) plus “worldwide” “individual accident” insurance guaranteeing disbursement of share capital in case of death or disability caused by an accident with a vehicle belonging to or rented by AFD.

4.3.6.4 IT-related risks

• Information systems security

AFD Group’s Information Technology, Property Management and Logistics department (DMI) combines all aspects of security within its Security division (SEC). The head of the division is also responsible for AFD Group’s IT system security (RSSI).

The security risks are analysed at least once a year as part of the IT security management system (SMSI), in line with ISO 27001. The SMSI provides a framework for all of AFD’s IT-related risk management, from appraisal of the risks to implementing remedial measures and ongoing IT system security checks.

After the annual risk analysis, AFD’s general risk map, which is maintained by the Permanent Control and Compliance Department (CPC), and the triennial security project plan are updated. The steering bodies use this project plan to determine the security upgrades for the IT system.

AFD Group’s security policy (PSEC) lists the responsibilities and management procedures for all security risks. This strategic document identifies the application policies which need to be updated or put in place to cover all areas of Security, including IT-related security. This policy will change in 2018 to take into account the organisational changes of 2017.

(1) This insurance contract has been transferred to the HR department which manages it.
