2019 Universal registration document and annual financial report - BNP PARIBAS
2 Corporate governance and internal control
Internal control
■ compliance with the foreign exchange Code of Conduct of the Bank for International Settlements;
■ the implementation of systems relating to client tax regulations (Foreign Account Tax Compliance Act (FATCA), the Automatic Exchange of Information (AEOI) for tax purposes system or the Qualified Intermediary scheme concerning the taxation at source of American securities) has been strengthened, in particular, by implementing an annual internal FATCA/QI certification process, drafting specific procedures, training employees about these regulations and deploying adequate controls at first and second level. Moreover, the first certification for QI compliance for the 2014-2017 period was sent to the IRS before the deadline in February 2019;
■ the strengthening of systems relating to the implementation of banking laws continued in 2019 (French banking law, American Volcker Rule and CFTC Swap Dealer) and the associated changes were integrated (decree of 18 March 2019 under the French banking law and Volcker 2.0).
Training in compliance issues remains a priority for the Group. Thus, at 31 December 2019, more than 94% of relevant employees completed online training on international sanctions and embargoes and on combating money laundering and the financing of terrorism.
Improvement of the permanent control mechanism for compliance continued in 2019, and it was aligned with the Risk ORC system in terms of standards, methodologies and tools, and the businesses were given increased responsibility (as the first line of defence) in managing compliance risks. In this context, the objective of the Compliance Function is to continue to consolidate and reinforce its supervisory role, by increasingly using permanent control measures as a first line of defence and supporting the businesses during this transformation phase, while guaranteeing compliance at all times with the Group's regulatory obligations in the area of compliance.
The automation process passed another important milestone by refocusing on the end-to-end management of compliance processes. This involved the gradual implementation of a new organisational structure with a greater focus on new technologies (data analysis, AI, etc.) and the creation of a process leader role for four workstreams: "names screening and payment filtering", "anti money laundering", "market integrity, Client Interest Protection and professional ethics" and "risk and controls". Project management activities have been transferred to the Group IT Function.
Finally, data governance was strengthened with the appointment of a manager reporting directly to the Head of Automation.
2020 will see the continuance of the different projects launched. The Compliance Function must face the twin challenge of closely managing its risks and of efficiency. With regard to this last point, the ability to industrialise and automate these processes by relying on new technologies is particularly important.
LEGAL
In 2019, the Legal Function continued to strengthen its legal risk management system, in particular through:
■ Improving governance:
■ increasing employee numbers in the Legal Risk Oversight team (within the Legal COO) dedicated to developing the permanent control system;
■ strengthening the system for anticipating legal risks by the Legal Risk Anticipation Department in particular by increasing employee numbers;
■ review of the target operating model for the regulatory monitoring applicable to all the functions involved in the monitoring process.
■ The Legal Function has had a number of achievements in terms of legal risk management, notably:
■ the taxonomy of legal risks, aligned with that of the Group, was approved by the GORC (Group Operational Risk Committees);
■ the Legal Function's generic control plan was updated, implemented by the first line of defence within the Legal Function and is supplemented by the deployment of second level controls over legal processes;
■ the implementation of procedures relating to regulatory monitoring at Group and Legal Function level;
■ definition of a mission letter for the Territory legal officers and the Business line legal officers;
■ entry into operation, in June 2019, of a single legal risks reporting tool;
■ roll-out of a mandatory module for training and raising employee awareness of competition law;
■ roll-out of a mandatory employee awareness module on personal data protection in the context of the European General Data Protection Regulation;
■ implementation of a legal digital expertise plan focusing on the increasing importance of digital legal expertise. Its major focus is the development of a skills centre for training corporate lawyers on the legal issues relating to digitalisation, in order to support the Group with its transformation plan and to understand these new issues;
■ call for tenders issued to select an application-based market solution for Matter Management (second quarter 2019);
■ the finalisation of a Knowledge Management programme for the Legal Function, whose first achievements included the mapping of legal knowledge. This is a collection of best practices, a methodology to ensure the transmission of at-risk expertise and the creation of a digital directory of lawyers based on their legal knowledge and expertise.
■ Several points will be included on the 2020 roadmap, notably:
■ a new Multi-Local Panel of legal firms to replace the Specialist Panel;
■ finalisation of the global operational risk management system and the permanent control mechanism in accordance with the Target operating model defined by the Risk Function;
■ educational support for the first lines of defence and reinforcement and expansion of the supervision of legal risks;
■ functional enhancement of the Legal Function's tool for reporting legal risks;
■ implementation of an application-based Matter Management solution for the entire Legal Function;