104 2019 Universal registration document and annual financial report - BNP PARIBAS

2 CorPorate GovernanCe and internal Control

2

Internal control

■ the procedures in terms of compliance with embargoes and anti- money laundering.

These processes rely primarily on committees (Exceptional Transactions Committees, New Activities and Products Committees, Credit Committees, etc.) mainly covering, on the one hand, operational and related functions such as IT and Operations, and on the other, the control functions (Risk, Compliance, Finance, and Legal and Tax Functions), which take a second- look on transactions. In the event of a dispute, they are submitted to a higher level of the organisation. Leading this process are the committees (Credit, Market Risk, Risk Policy Committees, etc.) chaired by members of the Executive Management.

2019 HIGHLIGHTS In 2019, the Compliance Function was focused on the following issues in particular:

■ In terms of financial security, in continuation of the work started in 2018, the implementation of the remediation plan relating to international sanctions, the reinforcement of the Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT) system and the deployment of the programme to ensure compliance with the anti-corruption provisions of the Sapin 2 law of 9 December 2016;

■ Completing the ownership by the businesses of the different elements of the Code of conduct, with Compliance having, henceforth, a supervisory role;

■ The application of controls relating to the implementation of the MiFID 2 regulations and arrangements for reporting to senior management.

With regards to the other elements of operational risk, cyber threats remained high in 2019. As a result, the relevant teams throughout the Group continued to strengthen the Group s system to protect, detect and control such threats. Significant work was also completed in terms of IT continuity, in particular as part of an action plan following incidents in January and March 2019.

COMPLIANCE Integrated globally since 2015, Compliance brings together all Group employees reporting to the function.

Compliance is organised based on its guiding principles (independence; integration and decentralisation of the function; dialogue with the business lines; a culture of excellence) through three operating areas, two regions, five fields of expertise and three cross-functional activities.

All Compliance Officers in the various operational areas, regions, business lines and territories, fields of expertise and Group functions report directly to the Compliance Function.

The Compliance workforce increased by 5% compared to 2018 to reach 4,378 full-time equivalent (FTE) employees at the end of 2019.

Compliance continued to oversee the implementation of remediation plans initiated as part of its agreements with the authorities in France and the United States regarding international financial and foreign exchange sanctions. This plan has been largely implemented.

In 2019, for example, the Compliance Function s activity resulted in the following developments:

■ in terms of financial security, the fourth annual audit was undertaken by the independent consultant of the Fed and the ACPR to verify the Group s compliance with the commitments made to its two supervisory authorities. It took place between August and the end of October 2019, and concluded with a report published on 20 December which set out the progress made;

■ the review by the independent consultant of the Department of Financial Services of New York ( DFS ) also took place in 2019. This covered the customer data screening tools and processes, the list management processes and tools, and BNP Paribas New York s new Anti-Money Laundering/Terrorist Financing Tool. The first joint quarterly report prepared by BNP Paribas and the independent consultant was presented to the DFS in November 2019, detailing the improvements made in governance and progress on the projects covered by the review;

■ the significant IT developments made to the central screening tools for client names and management of sanction lists were reiterated by the independent consultants in the respective report. Efforts will continue in this area in 2020;

■ the bank strengthened the Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) and asset freezing system by updating several key elements of its regulatory framework. The operational implementation of the new standards on transaction monitoring and the management of AML/CFT alerts defined in 2017 has been completed since the end of 2019 in most of the Group s entities;

■ in the area of Know Your Client , or KYC, all business lines continued to implement the Group s policies and to improve operational efficiency. These projects are regularly monitored by the Executive Management;

■ BNP Paribas system for the prevention and management of corrupt practices continues to be further strengthened further following the publication of the Sapin 2 law of 9 December 2016. Governance arrangements have been consolidated by the increased involvement of contact points in the businesses and functions, the methodology of corruption risk mapping has been reviewed and improved to cover the additional processes (supplier awareness, lobbying and governance), training on awareness of corruption risks has been completed by all employees, diligence policies with respect to third parties have been reinforced, the disciplinary process clarified and a number of awareness and communication initiatives have been launched to increase everyone s commitment to combating corruption;

■ improvement of the whistleblowing system continued: an internal communication was sent to all Group employees in the middle of 2019; alerts are treated consistently, thanks to the dissemination of rules and the creation of a dedicated forum for the whistleblowing alert officers responsible for receiving and processing alerts; the documentation for the system s level 1 control plan and the review of level 2 controls have been completed;

■ compliance with the Benchmark Regulation (BMR) for all business activities undertaken by BNP Paribas as an administrator, contributor or user of benchmarks, and compliance with the principles of the IOSCO;