
ACN 123 123 124

CONFIDENTIAL

COMMONWEALTH BANK OF AUSTRALIA

Compliance Incident Management Group Policy

Group Compliance Risk Management

CBA.0001.0084.2565


DOCUMENT CONTROL TABLE

Version 1.0 (June 2013): New policy created to establish principles for the management of compliance incidents. The Incident Management Group Standard ceased on 1 July 2013 and has been replaced by a "How to guide"; this guide includes procedural information on dealing with both operational and compliance incidents.

Version 2 (August 2014): Annual review; inclusion of additional key terms (notifiable significant matter); mandating use of a fact find or equivalent process; making it more explicit to not delay reporting to a regulator.

APPROVAL

Version 1: 17 October 2013, approved by the Chief Operational Risk Officer

Version 2: 23 October 2014, approved by the Chief Operational Risk Officer


Table of Contents

1. CONTEXT 1

2. PURPOSE 1

3. SCOPE 1

4. KEY TERMS 1

5. POLICY PRINCIPLES 2

6. ROLES AND RESPONSIBILITIES 6

7. RELATED POLICIES AND REFERENCES 7

8. REGULATORY REQUIREMENTS - AUSTRALIA 8

9. CONTACT 8

10. APPENDIX A – CBA GROUP AND BUSINESS UNIT IMPACT MATRIX 9

11. APPENDIX B – FACT FIND TEMPLATE 12


1. CONTEXT

1.1 The Group is committed to complying with the law and regulations in all businesses and activities. Accordingly, Compliance Obligations are embedded in the design and operation of the Group’s systems and processes.

1.2 Failure to deal effectively with Compliance Incidents creates compliance and legal risks for the Group which may have an adverse impact upon all stakeholders which includes, but is not limited to: customers; policy holders; investors; employees, and regulators as well as the Group’s brand and reputation.

1.3 There are a number of specific regulatory requirements and timeframes for reporting Compliance Incidents to regulators. It is important that the Group is aware of, and complies with these obligations.

1.4 The Group has in place an integrated Operational Risk Incident & Compliance Incident management process with the intention being to collect incident data which is timely, accurate, simple, consistent, complete and valid.

1.5 This Policy is a key component of the Compliance Risk Management Framework.

2. PURPOSE

2.1 The purpose of this Policy is to:

• Establish principles in relation to identifying, assessing and managing Compliance Incidents; and

• Outline the requirements with respect to Roles and Responsibilities for managing and reporting of Compliance Incidents.

3. SCOPE

3.1 This Policy applies to Commonwealth Bank of Australia and its controlled entities (the Group).

3.2 For those parts of the Group that are impacted by foreign or local laws, regulatory requirements or contractual obligations that conflict with this policy, an exemption from the policy or specific obligations within the policy should be sought by completing the policy exemption form.

4. KEY TERMS

4.1 Compliance Obligations
Are formal requirements that must be complied with by the legal entity and/or Business Units (BUs). Compliance Obligations may arise from various sources such as laws, regulations, legislation, industry standards, rules, codes or guidelines.

4.2 Compliance Incident
Is an actual, suspected, potential, likely or imminent contravention or breach of a Compliance Obligation of any applicable:

• law;

• regulation;

• industry standard;

• industry codes which have been subscribed to; or

• an external business rule or guideline (such as ASX Market Rules, APRA guidance notes).


Likely or imminent Compliance Incident means a matter which may not currently be a breach of law; however, a breach of law will occur at a future date because we are unable to rectify the matter before its occurrence.

A Compliance Incident may also result from a material contravention of an internal policy/procedure.

4.3 Early Warning Notification
This term is used for notifications provided to a regulator where it is unclear if a breach of law has occurred or is significant, but it is considered that after further investigation it may be a Reportable Breach. These notifications are also known as potential breach notifications.

4.4 Governing bodies
Refers to the people who have accountability and responsibility for the governance of a legal entity, business unit or division. This may include Boards (including Trustee Boards and Boards of Responsible Entities), Board Committees, Responsible Managers or Responsible Persons, and Senior Management.

4.5 Notifiable Significant Matter
A Compliance Incident that has not been determined to be a breach of law or a Reportable Breach, but where other aspects of the Compliance Incident (e.g. significant remediation or reputational risk) mean that the matter has been determined as being required to be disclosed to a regulator.

4.6 Operational Risk Incident
Occurs when the actual outcome of a business process differs from the expected outcome due to inadequate or failed processes, people, systems and external events.

4.7 Reportable Breach
Is a Compliance Incident which has been assessed and determined as being reportable to a regulator.

4.8 RiskInSite
Is the Group's integrated system which delivers a common platform for managing operational risk and compliance risk across the Group.

5. POLICY PRINCIPLES

5.1 BUs must develop and maintain up to date and approved procedures that are clear, well-understood and document the process for:

• Identifying Compliance Incidents;

• Assessing all Compliance Incidents including specifying the governance process for determining if they are Reportable Breaches or Notifiable Significant Matters;

• Recording and reporting Compliance Incidents;

• Advising and escalating Compliance Incidents to the relevant authorised position/person or governing body who has responsibility for making decisions in regard to Compliance Incidents;


• Advising the relevant people of the outcome of the assessment of determining any Compliance Incidents as Reportable Breaches or Notifiable Significant Matters; and

• Rectifying and resolving Compliance Incidents.

5.2 Procedures must be aligned to this Policy, meet relevant regulatory requirements including meeting reporting timeframes, and meet relevant governing body requirements.

Identification

5.3 Compliance Incidents can be identified from numerous sources, including but not limited to: whilst undertaking usual business activities; investigation of a customer enquiry or complaint; during compliance monitoring activities; results of internal and external audits; or in some cases, during regulatory enquiry.

5.4 Adequate training and resources must be provided to all employees to ensure:

• they are aware of the Compliance Obligations applicable to them for the business process they are accountable for;

• the circumstances that may give rise to a Compliance Incident and/or a Reportable Breach; and

• what is expected from them to report, assess without delay, deal with, manage and rectify Compliance Incidents.

Assessment

5.5 All Compliance Incidents must be assigned an incident owner, to ensure the compliance elements are considered.

5.6 An assessment of each Compliance Incident must be undertaken without delay.

5.7 The assessment should be done by BU representatives in conjunction with the relevant BU Compliance and/or Risk team and, where required, Legal Services.

5.8 The assessment must include an impact assessment as required by paragraph 5.30 below and also an assessment of whether the Compliance Incident could require reporting to a regulator.

5.9 When a Compliance Incident is assessed as minor or above using the Impact Matrix of the Group’s 5x5 Risk Matrix (Appendix A) or, if the compliance incident is assessed as negligible but could be an indicator or evidence of a systemic or more significant matter, then a Fact Find or equivalent document, must be prepared as part of the assessment.

5.10 A Fact Find template is provided at Appendix B. This template includes the minimum information required which must be completed and kept as a record that the Fact Find process has been completed.

5.11 Except for matters that are clearly a breach of law, Legal Services should be consulted and must be provided with a Fact Find or equivalent document, to assist in determining whether a matter is a breach of law.

5.12 If some of the required information cannot be completed in the Fact Find process, the form should still be sent to Legal Services to commence the consultation process, and Legal Services should be advised of the expected time frame for providing the final information.


5.13 Where Legal Services is consulted and they are provided with sufficient information:

• Legal Services will make a determination of the matter;

• Legal Services should conduct a peer review process of the determination made; and

• Legal Services must respond and articulate whether the Compliance Incident is a breach of law and the reasons for the determination.

Legal Services may also provide a recommendation on whether the matter is reportable.

5.14 Once legal advice has been received, or it has otherwise been determined that a Compliance Incident is a breach of law then an assessment needs to be made as to whether the matter is reportable to the relevant regulator.

5.15 Where the assessment needs to determine significance as required by a regulatory requirement then consideration must be given to the criteria articulated by the relevant regulator.

5.16 Where Legal Services or BU Compliance/Risk is unable to determine that there has been a breach of law or there is no breach of law, consideration should also be given to whether an Early Warning Notification or a Notifiable Significant Matter should be made.

5.17 The factors that should be taken into consideration in determining whether a Compliance Incident is a Notifiable Significant Matter are whether: a related breach/matter has previously been reported to ASIC; the matter has been reported to another regulator; there is significant remediation/rectification required.

5.18 If it becomes clear when further investigations or consideration has been made that an Early Warning Notification or Notifiable Significant Matter amounts to a Reportable Breach then the matter must be reported to the regulator as a breach notification.

5.19 Protracted discussions about whether a matter is reportable must be avoided. Where there is a difference of opinion in regard to whether a Compliance Incident is reportable to a regulator the Group Compliance team must be engaged. In all circumstances the Group should err on the side of reporting to a regulator.

Reporting to the Regulator

5.20 Timeframes for reporting Compliance Incidents to a regulator are critical and can vary according to the product, entity or the relevant regulatory or jurisdictional requirements.

5.21 Reporting must be made within those timeframes prescribed in applicable legislation, regulations, industry codes or as required by a regulator. Any communication with regulators must be in accordance with the Group Contact with Regulators Policy.

5.22 The reporting of a matter to a regulator must not be subject to extended processes and if unsure it is best to report the matter. Reporting must not be protracted or delayed even if:

• not all of the information relating to the incident is available;

• the matter has already been rectified or steps have commenced to rectify;

• formal legal advice has not yet been provided; or

• internal reporting or escalation to governing bodies has not yet been completed.

5.23 Where a matter has been assessed as being reportable, the BU must engage the relevant Compliance/Risk Team, Legal Services and relevant Head of Business to prepare, review and approve the notification sent to the regulator.


External Auditor obligations

5.24 The Group’s external auditor has an obligation to report certain matters to a regulator if it has reasonable grounds to suspect that a reportable contravention has occurred. The considerations made by the external auditor can differ from the assessment considerations made under this Policy.

5.25 To assist the external auditor in meeting its legal obligations, relevant BUs must provide copies of Compliance Incident registers upon request, to allow the external auditor to identify matters that may trigger reporting requirements.

5.26 For any ASIC matters that are referred to Legal Services for determination of being a Reportable Breach or a Notifiable Significant Matter, consideration must also be given to notify the external auditor at the same time.

5.27 The external auditor will undertake a separate assessment to that being undertaken by Legal Services and will provide a report to the relevant BU on the outcome of the assessment.

5.28 In cases where the external auditor indicates that it will report a matter to the regulator, BUs must also consider separately reporting to the relevant regulator if they have not done so already.

5.29 Group Compliance may assist in the provision of registers to the external auditor.

Impact rating

5.30 An impact assessment of each Compliance Incident must be completed and a rating assigned. Where all of the information is not available an initial rating is to be assigned. The rating must be reassessed as additional information becomes available.

5.31 The impact assessment must take into consideration, amongst other factors, the associated legal/regulatory impacts and customer implications. Aggregated information that highlights any systemic issues also needs to be considered.

5.32 As a guide the relevant factors set out in the Impact Matrix of the Group’s 5 x 5 Risk Matrix and/or BU financial impact matrix are to be used.

5.33 Records must be retained to support the ratings assigned.

Recording, Internal Reporting and Escalation

5.34 All Compliance Incidents need to be accurately recorded into and maintained in RiskInSite (RIS). It is expected that all Compliance Incidents will be recorded into RIS within a maximum of 5 business days of discovery. Further guidance to support consistent application and management in regards to RIS can be found in the ORMF How to Guide.

5.35 All regulatory correspondence and interactions relating to the reporting of Compliance Incidents must also be recorded into the Regulator Interaction module in RIS. This is an additional step to the process of recording a Compliance Incident.

5.36 Accurate and up to date records must be maintained to support the decisions made in determining if a Compliance Incident is or is not a Reportable Breach or a Notifiable Significant Matter. These records must be made available for audit purposes. In the circumstances where records contain any legal advice, prior approval must be obtained from Legal Services.

5.37 As a minimum the risk escalation protocols outlined in the approved Group’s 5 x 5 Risk Matrix should be followed for escalating Compliance Incidents. For Reportable Breaches or Notifiable Significant Matters the matter must be notified to the most relevant Group Executive or delegate.


5.38 Reporting and escalation of Compliance Incidents must also be in accordance with BU procedures and the reporting requirements of the relevant Governing Body.

5.39 Reports on Compliance Incidents must contain an appropriate level of detail having regard to the significance/materiality of the matter. Information should be accurate and factual as to the circumstances surrounding the compliance incident and current status as to any reporting to a regulator. Care should be taken to ensure legal professional privilege is maintained.

Rectifying and Resolving

5.40 Compliance Incidents may in certain circumstances be classified as an operational risk incident or vice versa. The process flow to rectify generally remains the same; the key difference is that an assessment must be undertaken without delay to determine if the incident is a Reportable Breach or a Notifiable Significant Matter and needs to be reported to a regulator.

5.41 Compliance Incidents must be reviewed to establish what, if any, remedial action needs to take place or improved controls need to be implemented and establish suitable remedial action and timeframes in which that action will be completed.

5.42 Where the Compliance Incident is reported to a regulator, updates are to be provided to the regulator(s) on the remedial action taking place and when the incident has been resolved. This contact must be in accordance with the Contact with Regulators Policy.

5.43 Following the completion of the final action, records must be retained to ensure supporting documentation is collated as part of the Compliance Incident sign off process.

6. ROLES AND RESPONSIBILITIES

Chief Operational Risk Officer

• Own and approve this Policy.

Relevant Group Executive (or delegate)

• Overall accountability for the timely reporting of relevant Reportable Breaches or Notifiable Significant Matters impacting the BUs they have responsibility for.

Business Units

• Develop and maintain Compliance Incident procedures that are aligned to this policy, relevant regulatory requirements, industry standards or codes and governing bodies, and ensure appropriate Roles & Responsibilities are assigned.

• Ensure adequate training, coaching and resources are provided to ensure employees are aware of how to identify, deal with and manage Compliance Incidents.

• Follow the agreed BU procedure in relation to assessing the impact of a Compliance Incident to determine if a Reportable Breach or a Notifiable Significant Matter has occurred, and report to a regulator without delay and without waiting for all of the information and/or BU processes to be completed.

• Allocate an incident owner.

• Manage: Compliance Incidents until resolution and closure, ensuring all impacts, including regulatory impacts and direct or indirect costs associated with the compliance incident, are captured.

• Analyse: Determine the underlying cause of the incident and/or control weakness and ensure they are raised and rectified as required.

• Escalate/Report: Compliance Incidents in accordance with relevant Governing Body reporting requirements, including where required to the relevant Group Executive.

Business Unit Risk and/or Compliance team

• Support BUs in implementing the requirements of this policy, including the assessment for determining Reportable Breaches or Notifiable Significant Matters.

• Respond to BU queries on the application of this policy.

• Review and monitor the BUs' compliance with this policy and any specific BU policies that support its implementation.

• Provide guidance to the business in managing Compliance Incidents and monitoring of Compliance Incidents until resolution and closure.

• Escalation/Reporting: In terms of BU, Group and any other Subsidiary Committee and any relevant Governing Body reporting requirements, including where required to the relevant Group Executive.

Legal Services

• When engaged by a BU, provide advice on Compliance Incidents as to whether they are Reportable Breaches or Notifiable Significant Matters.

• Where a determination is made of a Compliance Incident or Notifiable Significant Matter, conduct a peer review process.

• Respond and articulate whether a Compliance Incident is a breach of law and, if so, provide a recommendation on whether it is a Reportable Breach.

Group Compliance

• Review this policy regularly to ensure its ongoing relevance.

• Respond to Group queries on the application of this policy and escalation for disputed assessments.

• Seek assurance regarding ongoing compliance with this policy.

Internal & External Audit

• Provide independent assurance to key stakeholders (including the Audit Committee, senior management, and regulators) regarding the adequacy and effectiveness of the Group’s system of internal controls, risk management procedures and governance processes.

7. RELATED POLICIES AND REFERENCES

• CBA Group Risk Appetite Statement

• Operational Risk Management Framework

• Compliance Risk Management Framework

• ORMF How to Guides

• Group Contact with Regulators Policy

• Customer Complaint Handling Policy & Standard

• Group Internal Privacy Policy


8. REGULATORY REQUIREMENTS - AUSTRALIA

• Corporations Act 2001, s912D

• APRA:
  – Banking Act 1959, ss 13(3) and 62
  – Insurance Act 1973, s 38AA
  – Life Insurance Act 1995, s 132A
  – Superannuation Industry Supervision Act 1993, s 29JA and s 106(1)

• ASIC Regulatory Guide 78 Breach reporting by AFS licensees

• ASIC Regulatory Guide 214 Guidance on ASIC market integrity rules for ASX and ASX 24 market

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006

9. CONTACT

Group Compliance Risk Management: [email protected]

Policy owner: Chief Operational Risk Officer


10. APPENDIX A – CBA GROUP AND BUSINESS UNIT IMPACT MATRIX

Impact categories (matrix columns):

A1 FINANCIAL (BUSINESS)
A2 FINANCIAL (TRUSTEE) *
A3 FINANCIAL (FUM/FUA) *
B CUSTOMER SERVICE & OPERATIONS
C REPUTATION/BRAND
D LEGAL/REGULATORY COMPLIANCE
E PEOPLE
F CUSTOMERS
MANAGEMENT EFFORT GUIDANCE **

Assessment based on:

A1: As per Group or Business Unit defined values
A2: Impact on Unit Price
A3: Impact on Funds under Management or Administration
B: Loss of existing customers/market share; Cost of remediation/recovery
C: Fall in Group’s share price; Loss of new business / market share (includes impacts on all brands e.g. Colonial, ASB, Bankwest); Damage to reputation by actions of both individual staff and the Group as a whole; Lack of confidence in financial sector generally
D: Regulatory action; Customer/third party legal actions
E: Workplace health & safety; Workplace relations; Staff morale/loyalty
F: Actual or potential impact on customers
Management Effort: Drain on Executive resources; Opportunity cost

Rating 5 – Severe

A1: As per Group or Business Unit defined values
A2: >100bp
A3: >20%
B:
• Significant loss of market share and customer numbers because of extensive interruption to service capability
• Group Wide data availability or integrity issues or information security is compromised
• Widespread and prolonged inability to service all or the majority of our customer base irrespective of geographic location, channel or product
C:
• Significant fall (> 20%) in Group’s share price resulting from financial performance with recovery over several months
• Major failure of the payments system and/or Group’s systems impacting personal and business customers
• Prolonged media and/or political attention as a result of inappropriate pricing or product decision or operational incident
D:
• Actual or potential loss of license, loss of ASX listing and/or penalties on directors
• Severe impact on regulator relationships
• Imposition of significant regulatory restrictions e.g. enforceable undertakings, conditions or directions
E:
• Death or incapacitation to employees whilst on Group business, or customers on Group property
• Widespread loss of morale among management and staff resulting in high staff turnover
• Industrial dispute/action – Group Wide impact
F:
• Serious financial or reputational impact to all or most customers
• Potential to lead to significant damage to the business
Management Effort: Sustained ExCo/Senior Management effort

Rating 4 – Major

A1: As per Group or Business Unit defined values
A2: >50bp-100bp
A3: >10-20%
B:
• Some loss of market share and customer numbers because of major interruption to service capability
• Extensive management involvement and significant costs to restore critical processes
• Significant data availability or integrity issues or compromise of information security
• Widespread inability to service a significant proportion of customers irrespective of geographic location, channel or product
C:
• Medium fall (10 – 20%) in Group’s share price or a loss of market share or damage to Group brands resulting from detrimental national publicity or extensive negative local publicity
• Short term media and/or political attention as a result of inappropriate pricing or product decision or operational incident
• Medium but widespread disruption of the payments system and/or Group’s systems lasting several days
D:
• Major fines and sanctions
• Multiple legal actions
• Focussed regulatory surveillance / significant increased regulatory oversight
• Major systemic, recurring or significant breaches
• Major impact on regulator relationships
E:
• Severe injury to employees whilst on Group business, or customers on Group property
• Serious but localised loss of morale among management and staff resulting in high staff turnover
• Industrial dispute/action – State or BU based impact
F:
• Serious financial or reputational impact to a significant number of customers
• Moderate financial or reputational impact to all customers
Management Effort: A significant event requiring major Group Executive/Senior Management effort to absorb the impact

Rating 3 – Moderate

A1: As per Group or Business Unit defined values
A2: >25bp-50bp
A3: >5-10%
B:
• Minimal loss of market share and customer numbers because of minor interruption to service capability
• Some costs to restore critical processes
• Localised data availability or integrity issues, or compromise of information security
• Inability to satisfactorily service a material proportion of customers irrespective of geographic location, channel or product
C:
• Short term fall (<10%) in Group’s share price as a result of product/pricing decisions
• Reduced market share or temporary damage to Group brands resulting from limited negative national publicity or detrimental local publicity
• Minor but widespread disruption of the payments system and/or Group’s systems lasting several days
D:
• Fines
• Multiple agreements with customers at risk
• Systemic complaints or compliance incidents
• Significant breaches
• Potential impact on regulator relationships
• Increased general regulatory oversight
E:
• Injuries to employees whilst on Group business, or customers on Group property
• Some loss of morale among management and staff
• Industrial dispute/action – localised department level
F:
• Moderate financial or reputational impact to a limited number of customers
• Minor financial or reputational impact to a significant number of customers
Management Effort: Moderate EGM/Senior Management effort is required to absorb the event impact

Rating 2 – Minor

A1: As per Group or Business Unit defined values
A2: 3bp-25bp
A3: 1-5%
B:
• Service Standards not achieved, but no impact on market share or customer numbers
• Minimal time, effort and cost required to correct critical processes
• Minimal disruption to satisfactorily servicing some customers irrespective of geographic location, channel or product
C:
• No fall in Group’s share price due to pricing decision/products
• Small, short term loss in market share resulting from limited negative local publicity
• Limited disruption of the payments system and/or Group’s systems impacting some geographical areas
D:
• Multiple customer complaints or compliance incidents which are not systemic or significant
• Individual legal actions
• Low range fines
E:
• Injury to an employee whilst on Group business, or a customer on Group property
• Short term and localised loss of morale among management and staff
• Industrial dispute/action – localised at team level impact
F:
• Minor financial or reputational impact to a limited number of customers
Management Effort: Impact can be absorbed through normal activity with minor effort required from senior management

Rating 1 – Negligible

A1: As per Group or Business Unit defined values
A2: <3bp
A3: <1%
B:
• No measurable operational impact on business
• Limited operational impact on business; ability to service individual customers impacted but no systemic issues
C:
• Limited adverse publicity (1 – 2 days) as a result of isolated customer complaint impacting little or no customers nationally
• Intra-day disruption of the payments system and/or Group’s systems
• No measurable loss of market share resulting from limited negative local publicity
D:
• One off complaints or compliance incidents
E:
• No impact on staff morale
F:
• Insignificant financial or reputational impact to a limited number of customers
Management Effort: Impact can be absorbed through normal activity with no senior management effort required

* Columns (A2 & A3) relate to funds management, investment management, superannuation and life insurance businesses and can be deleted by Business Units that do not market these products.

** To be used as additional guidance in determining the level and amount of management effort to resolve any event impacts. To be used in conjunction with other impact categories.


11. APPENDIX B – FACT FIND TEMPLATE

THIS FORM IS TO BE COMPLETED FOR THE PURPOSES OF ASSESSING COMPLIANCE INCIDENTS AND FOR OBTAINING LEGAL ADVICE IN RELATION TO COMPLIANCE INCIDENTS [1]

A copy of the completed form must be retained for record keeping purposes.

Guide to Use

Legal Services has requested this form be completed and sent to Legal Services with any requests for Legal Advice as to whether the Compliance Incident ("Incident") is a breach in terms of the Compliance Obligations for the entity.

Completing the Form with all available details will assist in providing a timely and accurate response. If some of the required information cannot be completed the form should still be sent and state when you expect to provide the outstanding information. Once the missing information has been received please send an updated version of the form to Legal Services.

Please be as clear as possible. In particular, avoid business jargon or explain any business jargon that has been used.

Some of the questions may seem to be repetitive. However this is intended to assist consideration of all aspects of the Compliance Incident.

When statistical information is included you should indicate whether these numbers have been confirmed (e.g. by impact assessment) and if so please provide their source or whether they are estimates.

Question Answer

1. Briefly state the facts regarding the matter. Do not include any statements of opinion. Keep your description of what has happened purely factual.

2. Indicate if known who is the licensee/product issuer or authorised representative involved in the matter? (Name all parties involved).

3. Please name all products affected and include their product type.

4. If aware please indicate what Compliance Obligation was involved in the matter?

[1] A compliance incident is an actual, potential, suspected, likely or imminent contravention or breach of an obligation of any applicable: law; regulation; industry standard; industry codes which have been subscribed to; or an external business rule or guideline (such as ASX Market Rules, APRA guidance notes). A Compliance Incident may also result from a material contravention of an internal policy/procedure.


5. If aware please indicate if there is a mandatory obligation to report to a regulator?

6. What happened/should have happened or failed to happen?

7. When did the matter occur and for how long has this been happening?

8. How was the matter identified? For example, was it identified as a customer enquiry or complaint or identified as part of a compliance or operational risk process, such as CAP testing, monitoring/review or audit process? Or other?

9. How long was the matter undetected?

10. Has the matter ceased?

11. If ceased, has the matter been corrected and if so how?

12. If not corrected, what steps are planned to ensure that the matter will cease/be corrected?

13. Are you aware if this matter or a similar matter has occurred before? (If so how often, please provide details.)

14. If aware has legal advice previously been provided? If so please provide a reference or a copy of that advice if available, ensuring it is appropriate to do so in respect of legal professional privilege (refer section 5.36 & 5.39 of the Policy).

15. How many customers have been or are likely to be affected by the matter?

16. Does the matter involve unauthorised conduct? For example, was the wrong advice provided or did the matter involve fraud or unethical behaviour?


17. Has a customer suffered a financial loss or loss of any financial or other benefit or potential benefit as a result of the matter?

18. Are other customers affected or are likely to be affected and how much have they lost individually and collectively?

19. Has the matter impacted or is it likely to impact upon, the licensee's ability to continue to provide financial services for which it is licensed?

20. Has the licensee suffered or is likely to suffer a loss as result of the matter?

21. Does the matter indicate that compliance arrangements to ensure compliance with the obligations (that have been breached or contravened) are inadequate?

22. Have any steps already been taken or are about to be taken in respect of the matter to ensure compliance?

23. Are there any other factors which Legal Services should be made aware of in relation to this matter?

24. Have you attached/enclosed documents relevant to the matter (eg a copy of any letters, PDS, SOA, FSG, trust deeds, policies etc). If not, please state when they will be available.

Summary of Compliance Incident

[Please briefly summarise what you consider are the key points around this Compliance Incident]

Date completed/updated
