2020 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy - Pillar 3
Annual risk survey
Moreover, in this strengthened regulatory context, the risk of non-compliance with existing laws and regulations, in particular those relating to the protection of the interests of customers and personal data, is a significant risk for the banking industry, potentially resulting in significant losses and fines (1). In addition to its compliance system, which specifically covers this type of risk, the Group places the interest of its customers, and more broadly that of its stakeholders, at the heart of its values. Thus, the Code of conduct adopted by the Group in 2016 sets out detailed values and rules of conduct in this area.
Environmental risks
Environmental risks and, more particularly, those associated with climate change are a financial risk for the Group. They may affect it, either directly on its own operations, or indirectly via its financing and investment activities. These risks mainly concern the physical risks related to the consequences of climate change and the carbon risks resulting from the transition to a low-carbon economy.
For more details, please see risk factor 7.5 "The BNP Paribas Group could experience business disruption and losses due to climate change risks such as transition risks, physical risks or liability risks", as well as the measures taken and commitments made by the Group in this area in paragraph "Commitment 3: Systematic integration and management of Environmental, Social and Governance risks (ESG)" of chapter 7.
Cyber security and technology risk
BNP Paribas' ability to do business is intrinsically tied to the fluidity of electronic transactions as well as the protection and security of information and technology assets.
Technological change is accelerating with the digital transformation and the resulting increase in the number of communications circuits, proliferation in data sources, growing process automation, and greater use of electronic banking transactions.
The progress and acceleration of the technological changes needed to respond to customer requirements are giving cybercriminals new options for altering, stealing and disclosing data. Attacks are more frequent, with a bigger reach and sophistication across all sectors, including financial services.
The outsourcing of a growing number of processes also exposes the Group to structural cybersecurity and technology risks leading to the appearance of potential attack vectors that cybercriminals can exploit.
In this context, the Group has reinforced the second line of defence within the Risk Function dedicated to managing technological and cyber security risks (see the paragraph "Cyber security and technology" in section 5.9 "Operational Risk"). Thus, operational standards are regularly adapted to support the Bank's digital evolution and innovation while managing existing and emerging threats (such as cyber-crime, espionage, etc.).
The health crisis, which prevailed in 2020, increased the Group's dependence on digital technologies in order to have the capacity to work remotely and to allow the Group to continue operating safely despite the high risk of cyber-crime. The Group invested in IT upgrades to quintuple the bandwidth of the network and ensure the stability of the remote access infrastructure. At the same time, Cyber Security Operations teams have strengthened their surveillance capabilities to improve detection and respond to threats more quickly.
EMERGING RISKS
An emerging risk is defined as a new or evolving risk whose potential impact could be material in the future but is currently not fully known or is difficult to quantify.
The Group identified emerging risks related to technological innovations, the evolving regulatory environment, as well as certain health, demographic and societal risks.
Technological innovations
Technological developments related to the growing use of data in all production, marketing, and distribution processes, and to data sharing among economic players (producers, suppliers, and customers) will impact the economic models of the Group's clients and counterparties in a lasting way. These impacts, which are sometimes hard to assess in a context where new standards, economic balances, and regulatory entities are in the process of evolving and adapting, are being analysed internally by industry experts focused on the economic sectors most exposed to this evolution.
In addition, the dependence of economic players, and the Group in particular, on systemically important infrastructures, such as cloud platforms, creates new vulnerabilities.
Furthermore, the Group's competitive environment is undergoing profound change, with the presence of fintech, the emergence of new players of importance in the activities of the financial sector such as GAFAM (Google, Apple, Facebook, Amazon, Microsoft) and technological innovations which disrupt the traditional value chains of Group businesses, and place the quality of the customer experience, and the use of new technologies to reduce the cost of low added-value operations, as their key competitive success factors. Maintenance of the Group's information systems must be done in this context of evolving value chains and increasing protection needs (of systems, data, etc.), in particular against cyber threats. The Group is deploying a proactive strategy in this area to adapt its activities to these major technological developments and promote some industrial cooperation with fintech players.
(1) Risk factors: 6.2 "The BNP Paribas Group may incur substantial fines and administrative and other criminal penalties for non-compliance with applicable laws and regulations and may also incur losses in related (or unrelated) litigation with private parties".