CBA.0002.0343.4190

Date: Wednesday 6 July 2016: 2.00pm to 4.00pm
Venue: Level 19, DP1
Dial In: 1800 692 255/9916 3900; WA: 6436 7300; HK 800 930 997; NZ 0800 453 323; SA 0800 993 884
Conf ID: 2271416

Standing Attendees: David Cohen, Gary Dingley, Peter Clark, Peter Taylor, Fiona Larnach, Chris Williams, Hamish Treleaven, Poppy Fassos, Lee De-Souza, Peter Smith, Chris Florsley, Stacey Alexander, Karina Kwan.
By Phone: Kevin McDonald, Mike Kavanagh, Emil Matsakh, Guy Flarding
Apologies: Peter Taylor, Hamish Treleaven, Mike Kavanagh.
Chair: David Cohen

Agenda (Details / Presenters / Author / Sponsor / Time)

1. RMLT meetings and papers (No delegates). Pre-read to be forwarded next week. Presenter: David Cohen. Sponsor: DC. Time: 30 (2.00-2.30).
2. RMD: Intended areas of focus. Presenters: Bonar Carson, John Evans, Bruce Young, Toby Johnston, Cassandra Williams. Sponsor: PS. Time: 90 (2.30-4.00).

Actions from 30 June 2016 RMLT (Action / Who / Due / Status Update)

• Develop naming convention for risk roles across lines 1 and 2. Who: Gary. Due: 31 August.
• Discuss with Audit the need for minutes when they meet with APRA. Who: Gary. Due: 31 August.
• Provide Template for P&C bottom-up feedback for RMLT session on 3 August. Who: Lee. Due: 6 July (Template provided); 20 July (RMLT to complete template); 3 August (P&C session at RMLT).

Integrity, Accountability, Collaboration, Excellence, Service

CBA.0002.0343.4191

CONFIDENTIAL

Commonwealth Bank of Australia Paper No. 2

RMLT Meeting 6 July 2016

Review of Areas of Focus templates supporting the FY16 Risk Management Declaration (RMD)

1. Value at stake

1.1. The RMD Challenge Meeting (on 3 August) provides the Board with an opportunity to make appropriate enquiries of management, prior to deciding whether/how to qualify the RMD for FY16. The Areas of Focus presented at the meeting will guide these enquiries.

2. Action and key judgments sought

2.1. Prior to the RMLT meeting, the RMLT should review the attached draft Area of Focus templates from the perspective of the relevance and materiality of the topic in the context of the Directors signing the RMD.

2.2. At the RMLT meeting:
2.2.1. each Area of Focus owner will introduce their topic and take feedback from the RMLT to guide them in finalising their template; and
2.2.2. a Priority Rating ("More Probable", "Possible", "Unlikely") for each Area of Focus will be agreed, based on the level of enquiry that management suggests the Board should devote to each. A suggested categorisation is included in the attachment for RMLT refinement.

3. Background

3.1. A list of proposed Areas of Focus was presented to RMLT on 22 June. The attached templates were prepared based on the feedback received.

4. Accountabilities and next steps

4.1. A final draft of the Challenge Meeting pack, incorporating the finalised templates, will be circulated to RMLT on 15 July for review and feedback prior to its submission to the meeting attendees on 22 July.

4.2. Enterprise Risk Advisory and the Group CRO will prepare a paper summarising the Areas of Focus to be tabled for noting at ExCo on 18 July.

4.3. Owners of each Area of Focus will present their area at the Challenge Meeting on 3 August. They will be supported in completing dry-runs of their presentation outside of RMLT during July (including developing reasons for and against qualification of the RMD).

John Evans
Head of Enterprise Risk Advisory

Attachment: Draft Areas of Focus for Board Challenge Meeting (slides)

END OF PAPER

Risk Management Declaration
Draft Areas of Focus for Board Challenge Meeting

CBA.0002.0343.4194

Areas of Focus
The Areas of Focus have been ordered by priority for discussion with RMLT (note the order for the Challenge Meeting will be dictated by the Priority Rating agreed by RMLT).

Area of Focus | Owner | Priority Rating
Data Management | Toby Johnston | More probable
Regulatory Reporting Data Quality | Gary Dingley | More probable
Model Policy Effectiveness | Brian Bose | Unlikely
Long Standing Issues and ORMF Effectiveness | Gary Dingley | Possible
Supplier Management | Bruce Young | More probable
Control Environment | Gary Dingley | Possible
Cyber/Technology Risk | Bruce Young | Possible
Conduct Risk | Cassandra Williams | Possible
Compliance with Serviceability Policies and Procedures | Fiona Larnach | Possible
Incomplete Implementation of the CRMF (Compliance RMF) | Cassandra Williams | Possible
RMDs of Separately Regulated Entities (CMLA, CIL + RSEs) | Peter Taylor | More probable
Risk Framework Strengthening | John Evans | Unlikely

• The yellow areas are those new for FY16, while blue are repeated from FY15 (or significantly similar).
• Those with an asterisk were mentioned in the RMD cover letter to APRA for FY15.

The following slide contains the prescribed wording of the RMD and what the Prudential Standard states relating to qualification.

CBA.0002.0343.4195

What needs to be qualified in the RMD?

CPS 220 para 50:
The Board must qualify the risk management declaration if there has been any significant breach of, or material deviation from, the risk management framework or the requirements set out in Attachment A to this Prudential Standard. Any qualification must include a description of the cause and circumstances of the qualification, and steps taken, or proposed to be taken, to remedy the problem.

Risk Management Declaration
The Board must provide APRA with a risk management declaration stating that, to the best of its knowledge and having made appropriate enquiries, in all material respects:
a) the APRA-regulated institution has in place systems for ensuring compliance with all prudential requirements;
b) the systems and resources that are in place for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks, and the risk management framework, are appropriate to the institution, having regard to the size, business mix and complexity of the institution and group (where appropriate);
c) the risk management and internal control systems in place are operating effectively and are adequate having regard to the risks they are designed to control;
d) the institution has a RMS that complies with this Prudential Standard, and the institution has complied with each measure and control described in the RMS;
e) where it is a general insurer, the institution's Reinsurance Management Strategy complies with Prudential Standard GPS 230 Reinsurance Management, for selecting and monitoring reinsurance programs; and
f) the institution is satisfied with the efficacy of the processes and systems surrounding the production of financial information at the institution and group (where appropriate).

4. Areas of Focus

1. Data Management

CBA.0002.0343.4196

Presenter: Toby Johnston

4. Areas of Focus

1. Data Management

CBA.0002.0343.4197

Presenter: Toby Johnston

Cause and circumstances of the potential qualification:
• The framework is less than effective in allocating data ownership responsibilities to detect and prevent DQ issues:
  • The framework was restricted to IRB Credit Data in Oct 2014, and this area itself is only partially compliant, with further funding and date extensions likely.
  • The restriction has been in place for almost two years with no approved plan/allocation of funding to progress practice improvement or policy compliance in non-IRB Credit Data areas.
  • The framework focuses on detecting DQ. It lacks data governance authority across the data lifecycle (through a lack of data architecture principles and data lifecycle standards) to compel data management practices that prevent DQ issues arising from the outset.
  • The implementation is less mature than peers and somewhat less than industry best practice. Implementation is not addressing the broader data risk practices outlined by APRA CPG 235 Prudential Practice Guide "Managing data risk", on which the policy is intended and designed. Peer banks are more advanced in sponsoring, funding and resourcing data quality, data governance support teams, and common enterprise tools and practices.
• Significant and unexpected data quality issues continue to emerge, which are expensive to remediate. There are ten subject areas that had audit or regulator concerns noted.
  • Ongoing surprises impact on the trust and confidence in, and ability to use, our data; recent examples include ineffective record keeping, insecure customer data, and the inability to adequately monitor where our customer data resides - be it internally or with external vendors.
  • Our key capability gaps (lack of adequate data architecture principles, data governance and data reference tools) and the ongoing high pace of technology investment (coupled with a drive for process simplification) mean ongoing high levels of data change activity, resulting in opportunities for new data quality issues to occur and remain elevated.

Steps taken, or proposed to be taken, to remedy the problem:
• Foremost, in regard to credit risk regulatory capital, when data is inaccurate or missing, conservative assumptions and/or other actions are taken so as to not underestimate the risks arising from data quality. Hence, while an inadequate solution, conservative treatments apply.
• Whilst not currently compliant with Group Data Policy, the APRA-required LVR and Collateral Management have specific DQ remediation funding in place. Work has commenced planning requirements and sizing for Segment/Statistical data reporting and FATCA.
• Key gaps in data management capabilities, governance and DQ have been identified, and an incremental plan to address these, led by BU priority setting, has been developed (albeit not ExCo endorsed or funded at this time).
• Data Governance has been implemented in the warehouse (GDW2.0) stage of the Best in Class Data (BICD) program.
• There has been a gradual improvement in recognising data issues in RiS. Fourteen best endeavour approaches have commenced in various parts of the Group on various data types to improve aspects of data management, DQ and data governance.
• Recent actions taken to support improving Group data management capabilities include:
  • A Group-wide data quality awareness learning program rolled out to ~40,000;
  • DQ and good data practice learning material is being developed to insert into other existing relevant learning channels (productivity, operational risk, and Security and Privacy modules);
  • Data Risk behaviour guidelines established for each BU to support Risk Gateway and consequence management discussion;
  • Group-wide "data stewardship" roles allocated (on a part-time basis) to support data owners in meeting new data quality framework obligations, and working groups established to define consistent data quality management practices. Ten "auditable governance practice" guidelines are available to encourage common approaches to be taken;
  • Some BU-specific KPIs for data quality have been implemented.

4. Areas of Focus

2. Regulatory Reporting Data Quality

CBA.0002.0343.4198

Presenter: Gary Dingley

Rating / Business Units/Areas affected/impacted / Previously discussed with APRA / Noted by Audit / Escalation to Board/ExCo / Action(s) Recorded in RiskInSite / Action Due Date / Relevance to RMD

Row 1
• Business Units/Areas affected/impacted: Group-wide, with particular impact in RBS, BankWest
• Previously discussed with APRA: Residential Mortgage meeting March 2016; June 2016
• Noted by Audit: Internal Audit review of Origination LVR - 30 June 2015; Internal Audit review of Current and Dynamic LVR - 30 April 2016
• Escalation to Board/ExCo: Board: February 2016, March 2016, April 2016, June 2016
• Action(s) Recorded in RiskInSite: RI-020642
• Action Due Date: 30 September 2016
• Relevance to RMD: RMD clauses: (b), (c) & (f)

Row 2
• Previously discussed with APRA: APRA RBS Mortgage Risk Review November 2014 - May 2016
• Noted by Audit: External Audit by KPMG (Current and Dynamic LVR) - 30 April 2016; Internal Audit review of investor lending - 30 May 2016; Interim APS 310 Audit and Related Matters - 30 June 2016
• Escalation to Board/ExCo: Board: February 2015, August 2015, October 2015, December 2015, February 2016, March 2016, April 2016, June 2016
• Action(s) Recorded in RiskInSite: IS-031229
• Action Due Date: 30 June 2016

EXECUTIVE SUMMARY

Regulatory Reporting
APRA have raised concerns regarding the accuracy and quality of Regulatory Reporting. These have arisen due to:
• Material ARF231 and ARF111 resubmissions which were due to deficiencies in review controls and "upstream" system changes with data/reporting impacts not identified by Regulatory Reporting teams;
• Uncertainty over segmentation of customers; and
• Inaccuracies in data and data sets which have impacted reporting.

Investor Lending
APRA issued a letter to all ADIs on 11 March 2016 highlighting the increased focus on reporting of housing loans to reflect the current purpose of the loan, which is important for monetary policy and financial stability considerations. Guidance was provided for the reporting of loans on specific reporting forms, which are largely produced by Group Financial Operations.
APRA had previously requested in December 2015 for an independent third party to validate that robust policies, governance arrangements, business processes and systems are in place to ensure the accurate reporting of investment loan data. A co-engagement involving Internal Audit and KPMG to review housing loan purpose across the Group was completed in May 2016.
APRA noted that they are disappointed at the findings, and have requested a work plan be provided in July for discussion and agreement, with the work to be completed by 30 September 2016. From RBS' perspective, the findings relate to an interpretation of APRA instructions. Work is currently underway, which will be independently validated by KPMG.

LVR
APRA conducted a retail mortgages credit risk review in 2014. One requirement raised was to validate the RBS Risk Data Set used for LVR reporting, as APRA believes that RBS has not been able to demonstrate the completeness and accuracy of its LVR data.
• Internal Audit completed their independent review of the Origination LVR in June 2015. No material issues were identified, resulting in an overall rating of Green for the audit, although other findings from the review included identifying control gaps in the reporting process.
• Internal Audit completed another round of validation of RBS' proposed solution for the Current and Dynamic LVR measure in April 2016. At APRA's request, KPMG were also engaged to complete their own validation over the LVR Data Set and the work completed by Internal Audit. The KPMG review identified only "minor" issues for RBS. However, we understand APRA still have residual concerns, and a meeting to resolve these views and to close out the issue has been scheduled for 28 July 2016.

RBS Management are focused on continuing to improve data quality and LVR reporting through Project Crystal.

4. Areas of Focus

2. Regulatory Reporting Data Quality

CBA.0002.0343.4199

Presenter: Gary Dingley

4. Areas of Focus

3. Model Policy Effectiveness

CBA.0002.0343.4200

Presenter: Brian Bose

4. Areas of Focus

3. Model Policy Effectiveness

CBA.0002.0343.4201

Presenter: Brian Bose

4. Areas of Focus

4. Long Standing Issues and ORMF Effectiveness

CBA.0002.0343.4202

Presenter: Gary Dingley

Rating / Business Units/Areas affected/impacted / Previously discussed with APRA / Noted by Audit / Escalation to Board/ExCo / Action(s) Recorded in RiskInSite / Action Due Date / Relevance to RMD
• Business Units/Areas affected/impacted: RBS, IB&M, B&PB, Bankwest, WM and Risk
• Previously discussed with APRA: Yes (various)
• Noted by Audit: APRA Op Risk Management Review 2015; GA&A Audit Thematic Report - Six month period ended April 2016; Interim APS 310 Audit and Related Matters - 30 June 2016
• Escalation to Board/ExCo: Paper presented to Board Risk Committee in TBC
• Action(s) Recorded in RiskInSite: IS-049588, IS-049591
• Action Due Date: TBC
• Relevance to RMD: RMD clauses: (b), (c) & (f)

EXECUTIVE SUMMARY
APRA raised concerns in their 2015 Operational Risk Management Review about the number of persistent significant operational risk issues and questioned the effectiveness of the implementation of the ORMF in the day to day management of risk.
In response, CBA outlined to APRA that we believe that the ORMF is effective in identifying, escalating and addressing significant operational risks and that the areas which had been identified as the ORMF not working effectively were disappointing exceptions.
Management have subsequently confirmed that all known issues, barring some new issues presently being finalised, are recorded in RiskInSite and are being managed through the Group's Issue Management process.

Implications:
• Failure to effectively implement the ORMF, identify and manage risks, embed controls or escalate issues may result in financial loss, reputational damage or adverse customer impacts.

4. Areas of Focus

4. Long Standing Issues and ORMF Effectiveness

CBA.0002.0343.4203

Presenter: Gary Dingley

Cause and circumstances of the potential qualification:
• APRA's concerns specifically related to the following issues:
  a) implementation of effective rogue trading controls;
  b) ongoing control weaknesses at Count Financial;
  c) approach to addressing known weaknesses with the collateral management system (CMS); and
  d) a pattern of operational risk incidents with both financial and reputational consequences.

Steps taken, or proposed to be taken, to remedy the problem:
• Board Risk Committee reporting has been enhanced to include visibility of High/Very High issues
• The Group has established an Operational Risk Group Monitoring and Review function for Operational Risk oversight, review and challenge
• The Group is to commission an independent review of operational risk governance arrangements (including capability) at Group and Divisional levels to consider oversight of ORMF application and to ensure the right balance of accountability between Lines 1 and 2. Findings from the independent review will be reported to APRA.

4. Areas of Focus

5. Supplier Management

CBA.0002.0343.4204

Presenter: Bruce Young

4. Areas of Focus

5. Supplier Management

CBA.0002.0343.4205

Presenter: Bruce Young

4. Areas of Focus

6. Control Environment

CBA.0002.0343.4206

Presenter: Gary Dingley

4. Areas of Focus

6. Control Environment

CBA.0002.0343.4207

Presenter: Gary Dingley

4. Areas of Focus

7. Cyber/Technology Risk

CBA.0002.0343.4208

Presenter: Bruce Young

Rating / Business Units/Areas affected/impacted / Previously discussed with APRA / Noted by Audit / Escalation to Board/ExCo / Action(s) Recorded in RiskInSite / Action Due Date / Relevance to RMD
• Business Units/Areas affected/impacted: Group: CBA, ES, ASB, BW, PTBC
• Previously discussed with APRA: IT Targeted Review (Sept 2014); Various APRA meetings (2015, 2016)
• Noted by Audit: Key Audit Themes - Year ended 30 June 2016; PwC's Report on internal controls for the year ending 30 June 2015 and 2016
• Escalation to Board/ExCo: ES State of Internal Controls (March 2016) to Board Audit Committee; Quarterly Resilience, Stability and Cyber Security update (Feb 2016) to ExCo; Cyber Security Business Unit reporting (March 2016) to ExCo; Executive Cyber Council meetings (ExCo), Group Executive Cyber Council
• Action(s) Recorded in RiskInSite: Various (Multiple Issues)
• Action Due Date: Various (Multiple Issues)
• Relevance to RMD: RMD clauses: (b), (c) & (d)

EXECUTIVE SUMMARY
Area of focus covering a number of control gaps and issues identified in relation to the Group's management of Cyber and Technology Risk.

Implications:
• Disruption to key customer facing or business systems and/or inability to recover systems in a timely manner;
• Failure to maintain availability, integrity or confidentiality of sensitive customer, employee and/or corporate information;
• Inability to prevent criminal and fraudulent acts performed through digital channels;
• Failure to comply with regulatory requirements.

4. Areas of Focus

7. Cyber/Technology Risk

CBA.0002.0343.4209

Presenter: Bruce Young

Cause and circumstances of the potential qualification:
• A high proportion of the key controls relied upon to manage Cyber/Technology Risk are currently rated marginal or unsatisfactory (per ES State of Internal Controls presentation to BAC);
• There is increasing complexity and End-Of-Life in CBA core infrastructure, potentially leading to continued high business impact IT incidents (per recent Line 2 IT Incident review);
• There are gaps in controls around IT Service Continuity Management impacting the ability to recover from a major IT service failure [IS-044367];
• There is a lack of monitoring, vulnerability management and patching over network perimeter devices and servers [IS-027124];
• There are gaps in confidentiality controls over electronic customer data [IS-043767];
• Currently there is an inability to adequately detect cyber security incidents [IS-024701];
• There is insufficient segregation of duties, role provisioning and governance over access entitlements to key systems [e.g. IS-023527, IS-046291] and access to source code [IS-024008];
• There are inadequate security controls over internal and external document repositories [IS-024571, IS-051335];
• Weaknesses in Software Asset Management may impact the ability to comply with licensing requirements [IS-046291].

Steps taken, or proposed to be taken, to remedy the problem:
• The Resilience Industrialisation program is driving an approach to provide an "always available bank", including change impacts, reducing end-of-life systems, ensuring appropriate support and enhancing IT Service Continuity;
• The Infrastructure Remediation Program is improving resilience through remediation of Burwood Data Centre, the data centre networks and network perimeter services;
• The Sabre program is implementing security control enhancements through the security "non-negotiables" and implementing a state of the art Cyber Security Centre for monitoring and responding to security threats;
• The Aegis program is finalising its implementation of enhanced Identity and Access Management, improved segregation of duties, access de/provisioning, authentication and user access revalidation;
• Various ES tactical initiatives and programs are remediating known issues, with progress tracked through RiskInSite;
• There is a focus on uplift of Risk Culture in Enterprise Services, including enhanced Risk Behaviours assessments linked to Risk Gate-Opener reviews.

4. Areas of Focus

8. Conduct Risk

CBA.0002.0343.4210

Presenter: Gary Dingley/Cassandra Williams

Rating / Business Units/Areas affected/impacted / Previously discussed with APRA / Noted by Audit / Escalation to Board/ExCo / Action(s) Recorded in RiskInSite / Action Due Date / Relevance to RMD
• Business Units/Areas affected/impacted: RBS, WM, IB&M, B&PB, Bankwest
• Previously discussed with APRA: Individual issues have been discussed with APRA. Refer ORMF review Nov 2015 and CBA response
• Noted by Audit: Internal: RBS Sales practices (Nov 15); External: Report on Internal Controls (Jun 16)
• Escalation to Board/ExCo: Internal audit reporting to Board Audit Committee; CRO report to (ExCo and) Board Risk Committee
• Action(s) Recorded in RiskInSite: Separate actions have been recorded for each BU
• Action Due Date: Various. Specific issues due dates: Product Governance: Dec 2016; Mortgages Sales Practices: June 2017
• Relevance to RMD: RMD clauses: (b), (c) & (d)

EXECUTIVE SUMMARY
• Conduct Risk covers both inappropriate corporate sales and service (including distribution risk and mis-selling) and rogue activity of staff (including insider trading, index rigging, fraud, theft of data, bribery and corruption and intentional AML and sanctions breaches).
• Conduct related issues have been highlighted by product governance, sales practices, customer service and fees and market-related issues.
• This is being addressed by a new Group Product Policy outlining enhanced governance requirements, by improving governance over sales practices, BU customer focused programs, markets related initiatives, introduction of a revised performance framework, the SpeakUp initiative, formation of Group Customer Advocacy and creation of specific conduct related roles.
• Conduct risk is viewed as a sub-risk of operational risk and compliance risk: operational risk in the sense that it is inherent in all activities undertaken, and compliance risk in its relationship to regulatory breaches and illegal activities. The issues and incidents raise questions on the appropriateness, adequacy and effectiveness of product design, distribution, monitoring and review, and the systems and resourcing to support controls in place across the 3LOD.

4. Areas of Focus

8. Conduct Risk

CBA.0002.0343.4211

Presenter: Gary Dingley/Cassandra Williams

Cause and circumstances
• The focus on Conduct Risk has been highlighted by a number of conduct related instances:
  • Product governance issues: Audit has identified that there is a fragmented implementation of governance product life-cycle activities, with limited Group-level oversight, monitoring and accountability. This includes variability and limitations in annual product assessments, product registers, key risk indicators and in-life suitability monitoring.
  • Mortgages sales practices issues: Audit has identified a lack of routine monitoring and oversight of sales practices for mortgages (down to lender/broker level), with reporting/analytics that is reactive to current issues or requests.
  • Customer service and fee issues: A series of open conduct related incidents, self-identified or notified, including: the WM financial planning advice and service issues; fee-related and system issues for the RBS Wealth package, Agri-advantage Plus package, SAP Commercial Lending and Bankwest Home Loan Offset Accounts; and more recently in IB&M, Merchant clients being incorrectly billed and non-billable/Bank-initiated transactions billed to client accounts.
  • Market related issues: ASIC notices in relation to BBSW and FX related trading activities, and CFSGAM market misconduct issues raised by the Monetary Authority of Singapore.

To address Conduct Risk issues various steps are being taken:
• Group Compliance is introducing a new Policy for Product Governance including an outline of the principles and minimum requirements (including activities, artefacts and approvals required) for product design, suitability and sales practices, and in-life monitoring and review of product performance, including from a customer perspective. This is currently being assessed with the Business Units for gaps in current practice and impact before it is introduced.
• The Mortgage business has identified opportunities to improve governance over broker sales practices and a need for improved data analytics. This will be expanded to cover all channels and to develop appropriate monitoring activity and responses.
• BU level conduct initiatives, e.g. RBS Better Customer Outcomes, WM Customer Advocacy enhancing sales related controls, and IB&M Themis implementing and enhancing market-conduct related controls in Markets and Treasury.
• A revised performance framework is being introduced for FY17 which will include specific assessment of conduct against the organisation's values, in addition to the risk assessment. Guidelines have been developed on what kinds of behaviours are expected to demonstrate values-based conduct.
• The SpeakUP Hotline is now the primary way to report internal fraud and dishonest behaviour or misconduct issues across the Group.
• Group Customer Advocacy & Remediation is a newly formed team to provide practical support, leadership and expertise on customer interests and remediation. They are making Group-wide recommendations for the promotion of customer impact considerations, prevention of poor customer outcomes, and customer advocacy and remediation practices. In markets, specific conduct related roles have been created in Line 1 supporting the Global Markets business (Managing Director, Global Markets Conduct) and Line 2 supporting Institutional & Business Banking Risk (Head of Regulatory Reform and Conduct Risk).

4. Areas of Focus

9. Compliance with Serviceability Policies and Procedures

CBA.0002.0343.4212

Presenter: Fiona Larnach

Rating / Business Units/Areas affected/impacted / Previously discussed with APRA / Noted by Audit / Escalation to Board/ExCo / Action(s) Recorded in RiskInSite / Action Due Date / Relevance to RMD

RBS
• Previously discussed with APRA: APRA RBS Mortgage Risk Review 2014, November 2014 - March 2016
• Noted by Audit: No
• Escalation to Board/ExCo: Board: July 2014 - March 2015
• Action(s) Recorded in RiskInSite: AI-039902, AI-039903, AI-044391, AI-0044397
• Action Due Date: 30-Sep-2015*, 30-Nov-2016, 30-Sep-2015*, 31-Mar-2017
• Relevance to RMD: RMD clauses: (c) & (d)

BW
• Previously discussed with APRA: Various
• Noted by Audit: No
• Action(s) Recorded in RiskInSite: AI-046569, AI-046568, AI-067466
• Action Due Date: 30-Sep-15*, 26-Jun-15*

EXECUTIVE SUMMARY
Within the RBS Proprietary Channel, errors relating to serviceability verification for mortgages were evident through internal reviews and audits completed by our mortgage insurer, Genworth. APRA raised a requirement in relation to serviceability policy compliance in the October 2014 Mortgage Credit Risk Review. The corresponding action items to address these issues were open during FY16. RBS also identified that system errors resulted in some serviceability calculations being incorrect.

Although Bankwest had no breaches of policy for mortgages, an ongoing programme of conservative changes to the BW serviceability engine has been made throughout 2015/2016 to meet the regulator's expectations. RBS also undertook changes to its serviceability assessments to address APRA's concerns.

RBS had an issue with the serviceability calculation for its Personal Overdraft product. This issue resulted in customers being remediated and engagement with ASIC. RBS is also engaging ASIC in relation to responsible lending and the Interest Only Home Loan product.

* Actions that were closed during FY16

R

4. Areas ofFocus

9. Compliance with Serviceability Policies and Procedures

CBA.0002.0343.4213

Presenter: Fiona Larnach

Cause and circumstances of the qualification:The existing risk frameworks that relate to compliance with serviceability policies have a combination of automated and manual controls operating across different teams within the product value chain. Errors are occurring in the income calculation and verification processes, and missing existing debts/commitments. Over FY16 a significant amount of work has been undertaken to enhance these frameworks.

Implications:• Errors in income verification can lead to an inaccurate assessment of the customer's servicing capacity.• Applications may be approved that are in fact outside credit policy and/or appetite.• For Lender's Mortgage Insurance (LMI) covered loans, errors at origination may lead to future reduction or denial of claims.

Steps taken, or proposed to be taken, to remedy the problem:

Targeted actions undertaken under the RBS Lending Assurance project have improved overall compliance with serviceability policies and procedures within the home loan portfolio, with error rates from Line 2 Assurance monitoring reducing below our 5% appetite since July 2015. The work has targeted the following:

• End to End process and system - Separation/centralisation of verification processes, policy & process simplification, decisioning analysis and CommSee improvements.

• Lender "uplift" - Accreditation program, ongoing training and consequence management.

• Control enhancements and change management - Line 1 Lender assurance, assurance MIS and communication & change management.

Only one action remains to address the issues raised by APRA, which relates to improved oversight by Line 1 Assurance. This will be completed by November 2016.

Given the increasing level of regulatory focus on responsible lending and conduct risk, RBS is reviewing its governance and controls around product design. RBS has created the Product Governance Forum and is redesigning the on-boarding process for Personal Overdrafts and Personal Loans.


4. Areas of Focus

10. Incomplete Implementation of the CRMF

CBA.0002.0343.4214

Presenter: Gary Dingley/Cassandra Williams

Rating | Business Units/Areas affected/impacted | Previously discussed with APRA | Noted by Audit | Escalation to Board/ExCo | Action(s) recorded in RiskInSite | Action Due Date | Relevance to RMD

Group-wide

July 2014 to now - most recent update May 2016

• CRMF FY16 audit completed April 2016

Various

Current to Dec 2017

RMD clauses: (c) & (d)

EXECUTIVE SUMMARY

Compliance Risk is a material Risk Type for the Group. The CRMF was revised in August 2014, and whilst significant progress has been made by a number of BUs, gaps remain in the implementation and embedding of the CRMF across the Group. This was confirmed by internal audit in its CRMF review, which concluded in April 2016, noting that implementation plans are in place and work is progressing, but that different levels of progress are being made across BUs.

Key areas of concern relate to non-Prudential Standards compliance obligations:

• limited compliance monitoring;

• areas where Policy implementation/alignment is unconfirmed;

• not all compliance obligations are recorded in RiskInSite; and

• poor third party management oversight regarding adherence to compliance obligations.

These gaps were notified to APRA on 31 March 2015, along with a Group-wide implementation plan, with actions extending to December 2017. APRA has received regular updates from CBA on these matters.


CBA.0002.0343.4215

Presenter: Gary Dingley/Cassandra Williams

4. Areas of Focus

10. Incomplete Implementation of the CRMF

Cause and circumstances of the potential qualification:

• A revised CRMF was introduced in August 2014 to better align with the Operational Risk Management Framework and provide clarity of what is expected of each part of the CBA Group in relation to its management of compliance.

• Following this, BUs were asked to self-assess their level of compliance with the CRMF, identifying any gaps and the actions necessary to arrive at a state of full compliance. This work was completed on 28 February 2015, and all BUs noted gaps in their implementation/embedding of the CRMF.

• APRA conducted a review of the compliance framework in July 2014 and made several requirements, including enhancements to the Group's oversight of BUs; deeper identification and analysis of emerging issues/trends; and the creation of indicators for key risks and risk culture.

• Much work has been undertaken over the past 18 months to address these issues, and the RMF is more embedded in BUs than in previous years. This was confirmed by internal audit, who reviewed the framework between August 2015 and March 2016. The audit recognised that the Line 2 Compliance teams have a good understanding of the gaps in their level of compliance with the CRMF and are working through the actions of their CRMF Implementation Plans, albeit at different stages of maturity. Audit noted the key outstanding actions are:

• The compilation and capture of Compliance Obligation Registers;

• Establishment of structured processes to manage regulatory risk in change;

• Identification, assessment and documentation of compliance risks and controls; and

• Implementation of Line 1 and Line 2 Compliance Monitoring programs (including CAP testing and KRIs).

Steps taken, or proposed to be taken, to remedy the problem:

• Following the internal audit, Group Compliance has established an Obligations Review Project (the Project). The Project is supported by delegates from Line 2 Compliance teams who have formed a working group. The Project is focusing on driving a consistent process for defining compliance risks, including:

• Creation of a compliance risk library;

• Review scope of Group wide obligations;

• Structure of the obligation; and

• Obligation linkages to risks.

We expect this work to be completed in approximately 12 months.

• A CRMF implementation plan was provided to APRA on 31 March 2015 outlining the actions to be taken by Group and the BU Compliance teams to further assess and implement the CRMF. Regular updates have been provided to APRA, with the most recent update sent in May 2016 which provided a comprehensive update on the recent CRMF internal audit findings, as well as work undertaken across the Group to:

• Improve data quality in the RisklnSite system;

• Update compliance governance forums; and

• Develop a new compliance framework training programme with the Risk Business School.

4. Areas of Focus

11a. CommInsure RMD

CBA.0002.0343.4216

Presenter: Peter Taylor

4. Areas of Focus

11b. Registrable Superannuation Entities RMDs

CBA.0002.0343.4217

Presenter: Peter Taylor

4. Areas of Focus

12. Risk Framework Strengthening

CBA.0002.0343.4218

Presenter: John Evans

4. Areas of Focus

12. Risk Framework Strengthening (continued)

CBA.0002.0343.4219

Presenter: John Evans