Universal registration document and annual financial report 2020

2020 Universal registration document and annual financial report - BNP PARIBAS56

2 CorPorate GovernanCe and internal Control

Report on Corporate governance

■ monitored the deployment of the cybersecurity program within the Group, its action plan, the priority topics and the related budget. It was informed of the achievements of the year, in particular the way in which the program has been adapted in the context of the health crisis and the objectives for the following financial years. The Committee reviewed the degree of maturity of each business and each region according to the standards set by the Group;

■ reviewed the dashboard presented quarterly by the Head of RISK and reviewed trends in market, counterparty and credit risk as well as liquidity. It regularly analysed the impacts of the health crisis on the various risk categories. It deliberated on the basis of information presented by RISK. The Head of Risk responded to the Committee s questions during the meeting;

■ was informed of any risk indicator limits that had been exceeded and, where applicable, any action plans decided by Executive Management;

■ examined the renewal of risk limits for specific sectors and activities;

■ decided whether the Group s remuneration policy was compatible with its risk profile.

The Board:

■ was informed of all the Committee s work on Group risks and liquidity, in particular it was regularly informed of the impact of the health crisis on risks;

■ approved changes to the Group s RAS;

■ approved the liquidity risk tolerance level and the policies, procedures and internal systems relating to liquidity risk;

■ approved the forwarding to the ACPR of the operational risk, permanent control and business continuity components of the internal control report;

■ approved the renewal of risk limits for specific sectors and activities.

Ad hoc work The Internal Control, Risk and Compliance Committee:

■ was informed of the impact of the health crisis on the IT system, in particular the massive deployment of remote working and increased vigilance in terms of cyber-attacks;

■ acknowledged the Bank s proposed response to the ECB s letter of 28 July 2020 on the Bank s operational capability to deal with debtors in difficulty;

■ was informed of the implementation of the action plan defined following the IT incidents during the first quarter of 2019;

■ reviewed the outsourcing strategy as defined by Executive Management in response to the follow-up letter relating to the ECB s Deep Dive on the Third Party Risk Management;

■ acknowledged the follow-up letters and the Bank s responses to the ECB s missions on (i) IT Continuity Management, (ii) Commercial Real Estate and (iii) non-performing loans at BNL;

■ was informed of the risk management framework for institutional investors.

The Board:

■ approved the Bank s draft response letter to the ECB s letter of 28 July 2020 on the Bank s operational capability to deal with debtors in difficulty;

■ approved the outsourcing strategy proposed and implemented by Executive Management;

■ was informed of the Committee s review of the ECB s monitoring letters and of the Bank s responses to the missions on i) IT Continuity Management, (ii) Commercial Real Estate and (iii) non-performing loans at BNL.

Compliance, internal control, litigation and periodic control The Internal Control, Risk and Compliance Committee:

■ reviewed the section of the management report on internal control and submitted it for the approval of the Board;

■ reviewed the 2019 internal control report including the Compliance Risk Assessment report, the key compliance points across all business lines and geographical areas, and the periodic control report;

■ reviewed reports on the organisation of internal control systems on anti-money laundering and terrorism financing, as well as on asset freezing in accordance with the provisions of the Decree of 21 December 2018 relating to the report on the organisation of the Bank s systems in this area;

■ examined the report prepared for 2019 on the assessment and monitoring of risks, in accordance with the provisions of the order of 3 November 2014 on the internal control of companies in the banking, payment services and investment services subject to the control of the ACPR. It assessed the effectiveness of the policies and systems put in place;

■ reviewed the annual update of the recovery plan and resolution documentation and was informed of any requests for additional modifications made by supervisors to the recovery plan and resolution documentation; it proposed that the Board approve the recovery plan;

■ reviewed the European regulatory developments in terms of resolution and was informed of the initial estimates of the Minimum Requirement for own funds and Eligible Liabilities (MREL) of the Group to be reached by 1 January 2024 set by the Single Resolution Board;

■ reviewed, at each of its meetings, the list of ongoing legal disputes and proceedings, as well as the developments in each of the cases;

■ discussed the main outcomes of the periodic control carried out in 2019;

■ reviewed the General Inspection s half-year report;

■ analysed the Compliance Function s half-year report;