2020 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy - Pillar 3
Operational risk
TAX RISK
In each country where it operates, BNP Paribas is bound by the specific local tax regulations applicable to companies engaged, for example, in banking, insurance or financial services.
The Tax Function ensures at a global level that the tax risk is managed throughout all of the transactions conducted by the Group. In view of the financial and reputational stakes, Finance and Compliance are involved in the tax risk monitoring process.
The Group Tax Department carries out the tax function and calls on the assistance of tax managers in certain businesses and in the main geographical areas where the Group operates (as well as tax correspondents in other geographical areas where the Group operates).
In ensuring the coherence of the Group's tax practices and the global tax risk monitoring, the Group Tax Department:
■ has drawn up procedures covering all divisions, designed to ensure that tax risks are identified, addressed and controlled appropriately;
■ has implemented a process of feedback aimed at contributing to the control of local tax risk;
■ reports to Executive Management on tax risk developments;
■ oversees the tax-related operational risks and the internal audit recommendations falling within the Tax Function's scope of responsibility.
A Tax Coordination Committee, involving Finance and Compliance and, on an as-needed basis, the businesses, is tasked with analysing the main tax issues with respect to the transactions the Group performs.
CYBER SECURITY AND TECHNOLOGY
The use and protection of data and technologies are determining factors for the Bank's activity and its transformation process.
While the Bank continues the roll-out of Digital Banking (for the Group's customers and partners) and Digital Working (for the Group's employees), it must incorporate new technology and innovative risk management practices, and establish new working methods. This introduces new technology risks in the cyber security arena.
Technology management and information systems security are part of the Group's cyber security strategy. This strategy is focused on the preservation of the most sensitive data, regularly adapting both its internal processes and procedures, and its employee training and awareness, to contend with increasingly sophisticated and varied threats.
To reinforce its technology and the protection of data, the Group has adopted a comprehensive approach in cyber security management through its three lines of defence:
■ operational entities are the first line of defence. Since 2015, the Group has introduced across all of the entities a transformation programme based on the international standard NIST (National Institute of Standards and Technology). This programme is regularly updated taking into account the new threats and recent incidents identified around the world;
■ as a second line of defence, the team dedicated to managing cyber security and technology risk (RISK ORC ICT), reporting to the Chief Cyber and Technology Risk Officer, is tasked with:
  ■ presenting the Group's cyber security and technology risk position to the Group Executive Committee, the Board of directors, and the supervisory authorities,
  ■ monitoring the transformation programme across the entire Group,
  ■ integrating the cyber security and technology risk aspects into all major projects within the Group,
  ■ ensuring that policies, principles and major projects take aspects of cyber security and technology risk into consideration,
  ■ monitoring existing risks and identifying new threats likely to have a negative impact on the Group's business,
  ■ overseeing third-party information systems risks within a strengthened framework,
  ■ conducting independent assessment campaigns on priority objectives,
  ■ taking measures to assess and improve the Group's ability to respond to failings and incidents;
■ as the third line of defence, the role of General Inspection is to:
  ■ assess the processes put in place to manage ICT risks, as well as associated controls and governance,
  ■ check for compliance with laws and regulations,
  ■ propose areas of improvement to support the mechanisms put in place.
The Group is responding to new technological and cybersecurity risks as follows:
■ availability and continuity risks:
BNP Paribas relies heavily on communication and information systems across all its business activities. Any breach in the security of these systems could lead to failures or interruptions in the systems used to manage customer relations or to record transactions (deposits, services and loans), and could incur major costs to recover and verify compromised data. The Group regularly manages and revises its crisis management and recovery plans, testing its data recovery services and the robustness of its information systems against various scheduled stress scenarios;
■ security risks:
the Bank is vulnerable to cybersecurity risk, i.e. the risk caused by malicious and/or fraudulent acts committed with the intention of manipulating information (confidential, bank/insurance, technical or strategic data), processes and users, which may result in material losses for the Group's subsidiaries, employees, partners and customers. The Group continually reassesses the threats as they evolve and mitigates detected risks in good time by taking effective countermeasures;