2019 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy Pillar 3
Annual risk survey
■ the new rules for the regulation of over-the-counter derivative activities pursuant to Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, notably margin requirements for non-cleared derivative products and the security derivatives traded by swap dealers, major swap participants, security-based swap dealers and major security-based swap participants, and the rules of the US Securities and Exchange Commission which require the registration of banks and major swap participants active on derivatives markets as well as transparency and reporting on derivative transactions;
■ the new MiFID 2 and MiFIR, and European regulations governing the clearing of certain over-the-counter derivative products by centralised counterparties and the disclosure of securities financing transactions to centralised bodies;
■ the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. This regulation aims to move the European data confidentiality environment forward and improve personal data protection within the European Union. Businesses run the risk of severe penalties if they do not comply with the standards set by the GDPR. This regulation applies to all banks and companies providing services to European citizens;
■ the finalisation of Basel 3 published by the Basel committee in December 2017, introducing a revision to the measurement of credit risk, operational risk and CVA risk for the calculation of risk-weighted assets. These measures are due to come into force once they have been transposed into European law. The new Basel framework also provides for the gradual introduction of an overall floor which will be based on standardised approaches.
For a more detailed description, see risk factor 6.1 Laws and regulations adopted in recent years, particularly in response to the global financial crisis, as well as new legislative proposals, may materially impact the BNP Paribas Group and the financial and economic environment in which it operates.
Moreover, in this strengthened regulatory context, the risk of non-compliance with existing laws and regulations, in particular those relating to the protection of the interests of customers and personal data, is a significant risk for the banking industry, potentially resulting in significant losses and fines (1). In addition to its compliance system, which specifically covers this type of risk, the Group places the interest of its customers, and more broadly that of its stakeholders, at the heart of its values. Thus, the Code of conduct adopted by the Group in 2016 sets out detailed values and rules of conduct in this area.
Climate change-related risks
Climate change is a financial risk for the Group. Climate change-related risks may affect the Group, either directly on its own operations, or indirectly via its financing and investment activities. These risks mainly concern the physical risks related to the consequences of climate change and the carbon risks resulting from the transition to a low-carbon economy.
For more details, please see risk factor 7.4. The BNP Paribas Group could experience business disruption and losses due to climate change risks such as transition risks, physical risks and liability risks and the measures taken and commitment made by the Group in this area in paragraph: Commitment 3: Systematic integration and management of Environmental, Social and Governance risks (ESG) of chapter 7.
Cyber security and technology risk
BNP Paribas' ability to do business is intrinsically tied to the fluidity of electronic transactions as well as the protection and security of information and technology assets.
Technological change is accelerating with the digital transformation and the resulting increase in the number of communications circuits, proliferation in data sources, growing process automation, and greater use of electronic banking transactions.
The progress and acceleration of the technological changes needed to respond to customer requirements are giving cybercriminals new options for altering, stealing and disclosing data. Attacks are more frequent, with a bigger reach and sophistication across all sectors, including financial services.
The outsourcing of a growing number of processes also exposes the Group to structural cybersecurity and technology risks leading to the appearance of potential attack vectors that cybercriminals can exploit.
Accordingly, the Group has reinforced the second line of defence within the RISK Function dedicated to managing technological and cyber security risks (see the paragraph Cyber security and technology in section 5.9 Operational Risk). Thus, operational standards are regularly adapted to support the Bank's digital evolution and innovation while managing existing and emerging threats (such as cyber-crime, espionage, etc.).
EMERGING RISKS
An emerging risk is defined as a new or evolving risk whose potential impact could be material in the future but is currently not fully known or is difficult to quantify.
The Group identified emerging risks related to technological innovations, the evolving regulatory environment, as well as certain health, demographic and societal risks.
(1) Risk factors: 6.2. The BNP Paribas Group may incur substantial fines and administrative and other criminal penalties for non-compliance with applicable laws and regulations and may also incur losses in related (or unrelated) litigation with private parties.