Reporting period: August 20 - Royal Commission

Reporting period: August 20:

September 2016

National Australia Bank Limited ABN 12 004 044 937 AFSL and Australian Credit Licence 230686

NAB.005.046.2007

NAB.005.046.2008

TABLE OF CONTENTS1. Message from the CRO 3

2. Risk Review of Performance RukAppetite, 5

2. Risk Review of Performance tyPeit/eratUx, 7

2. Risk Review of Performance CreditRukPa&hboivcC 9

2. Risk Review of Performance CreditRukSettings 10

3. Important Updates 13

Appendix A - Risk Review of Subdivisional Performance 14

Appendix B - Material Events 15

Personal Banking CRO Report - September 2016

HIGHLY CONFIDENTIAL 2 of 17

NAB.005.046.2009


1. MESSAGE FROM THE CRO| Contains confidential informationL_________________________________________________________________

Risk Insights from the Chief Risk Officer

With the end of year coming to a close and the organisational changes in progress, the key focus for Personal Banking is to ensure momentum is maintained and appropriate governance is in place for the work currently underway across various key initiatives and material events.

The appropriate governance framework is being (re)established across both material events - Greater Western Sydney (GWS) and Beacon - and a considered priority is to improve resourcing to support the process of identifying the banker misconduct and also enabling the implementation of the learnings as a means of strengthening the control environment. This is pertinent given the findings from the investigations and associated file reviews - GWS, Beacon, Mobile Banker, Star Sales Incentives (SSI) and personal loans- have provided the insight that there are bankers’ whose conduct sees them as the subject of more than one review for different reasons. Further work will be completed by the CRO Insights team which will draw on linkages to people leader judgement, capability and risk culture.

Given the issues and investigations across the two Introducer-related events and personal loans, respective provisions will be required to be raised. Early estimate of GWS & Beacon program costs are expected to be $l6M (assuming the program will run until December 2017) and credit related operational losses from file remediation and potential lending losses are anticipated to be another $l6M.

The work on these material issues will feed into the end-to-end Responsible Lending Review currently underway with Andrew Hagger now as the sponsor of the review and an additional 5 stream of work, "Industry Matters”, has been added. This reflects the fact that Responsible Lending is an industry challenge and will focus on ensuring the best practice work of the ABA members’ work (for example) is incorporated into the NAB review.

Risk Services are supporting the review and KPMG have been formally engaged to assist with the review and provide project oversight.

• Support end-to-end Responsible Lending review

• Continue to progress existing investigations

• Lending Standards Review and Conduct framework refresh

Wells Fargo event - Implications for NAB: It has been widely reported in the media about the Wells Fargo “cross-selling" strategy where over 2 million fake bank accounts and credit card accounts were opened without the knowledge or consent of its customers. Staff in the Community Banking


NAB.005.046.2010

Personal Banking CRO Report - September 2016 | Contains confidential information ii_______________________________________________________________ i

Division had set up fake accounts to hit targets and get bonuses. Wells Fargo employees opened accounts and moved funds that resulted in customers getting charged fees. Staff have said they were pressured to meet unrealistic sales goals and that they opened the bogus accounts so they wouldn't lose their jobs. 5300 staff have been let go as part of the scandal and the company has been fined USD 185 million.

thFurther to this example on poor culture, it was reported in the Australian Financial Review on the 10 September that the Finance Sector Union (FSU) has made a submission to a Government Enquiry that is highly critical of the sales culture at the large banks and asserts that staff are pressured into selling customers products they do not need, for fear of naming and shaming in performance tables. It refers to anxiety, stress, inadequate staffing, aggressive management as well as a culture of 'won't receive a bonus and employment jeopardised' if targets are not met.

Unsecured Lending (Personal Loan) Fraud - Greater Western Sydney: It has recently been identified that fraud-related losses for personal loans are highly concentrated within Greater Western Sydney, with 47% of losses originated by 10 bankers in 8 branches across the region. Further investigation identified that some of these losses were caused by bankers potentially breaching the verifications process. There has already been a number of activities undertaken to tighten controls (including centralising verification, manual review of high risk applications, exiting new-to-bank lending via Digital & Direct channels and commencement of an external review by PwC) - however there is more work to be done to confirm the root cause of the fraud (internal collusion or customer/syndicate) as well as actions to be taken to improve our fraud monitoring and detection capability moving forward. An estimated $9.6M in Bad & Doubtful Debt losses is to eventuate in FY16, with a further $11.5M exposure forecast for FY17 (impacting the Customer Products & Services division).Recommended action: Whilst there are actions proposed by Customer Products & Services to remediate this issue, CRO has recommended that these actions be aligned to those in place to support the end-to-end Responsible Lending Review.

Recommendation - The committee is asked to NOTE this report.


NAB.005.046.2011


2. RISK REVIEW OF PERFORMANCE m Appetite \ Contains confidential information

i__________________________________________

Overall Risk Profile

6-month OutlookJ

RiskCategory Rating1 Outlook2 Risk’s view on performance against appetite

Compliance A O (9)

A• Material event relating to Introducer and Banker relationships assessed as a reportable event to the Regulator for a

breach of NCCP and general obligations.

Customer Fairness & Conduct

AO(9)

A

• Rating driven by Not Effective control environment in the 3 related risks, performance of risks settings and outcomes of Banker investigations. Actions underway are expected to see an overall improvement in the control environment in the short-term for risks relating to mis-selling and false, misleading or deceptive representations.

• Risk settings for number of Adverse Terminations (Broker, Introducer, BLSSA Credit Reps) and Internal Fraud Investigations are tracking Red.

RegulatoryA O (9)

A

• Rating driven by continued Regulatory scrutiny on conduct events and Banker investigations. Pressure will continue on the ability to respond to ASIC in a timely manner. To date 9 notices have been received and responded to in relation to the GWS event.

• ASIC areas of focus for 2016/2017 are relevant across the Business, including Loan fraud (particularly in the home loan market), marketing practices by credit card issues and compliance with issuer obligations, breach reporting practices, quality of financial advice and life insurance churn by advisers.

RAG rating = the overall risk profile for the GRI category relative to appetite. Arrows = trend vs. prior month. Number (in parentheses) = consecutive months in Red/Amber (inclusive of current month). Note: the above methodology and assessment of risk performance only commenced in January 2016 (for November and December 2015 reporting period).2

Outlook represents a 6-month forecast for the overall risk profile for the GRI category relative to appetite, as judged by CRO.HIGHLY CONFIDENTIAL 5 of 17


RiskCategory Rating1 Outlook2 Risk’s view on performance against appetite

HIGHLY CONFIDENTIAL

NAB.005.046.2012

j Contains confidential informationL___________________________________________________________

6 of 17

NAB.005.046.2013


2. RISK REVIEW OF PERFORMANCE Pda/erabUst,

Topic #1 - Responsible Lending Review Summary

2016O

6 month outlook

The end-to-end review of the consumer lending process is currently underway. The purpose is to review recent events across the E2E process to understand similarities, root causes and any control weaknesses. The overarching governance framework is being developed and is subject to the finalisation of key roles to determine the appropriate wider Committee representation.

The review will comprise five streams of work which have been established to fulfil the requirement of a comprehensive root cause analysis into the recent secured and unsecured lending frauds to identify and remediate gaps in the control environment. Progress updates are noted below.

UpdateStream Description Accountable

Group Executive1. Root Cause Analysis and Control Enironment Review

Commenced and view being formed based on recent events and learnings.

Andrew Hagger Timing: 12 weeksStatus: Green

2. NCCP House View Refresh

Commenced with internal workshops held to lock down program of work.

Antony CahillTiming: 8 weeks Status: Green

3. Sales Incentives & Banker CapabilityReview

Commenced and is drawing on several sources of independent views to assist.

Lorraine Murphy Timing: 12 weeks Status: Green

4. Regulatory Engagement &Customer Response

Commenced leveraging experience and use of the Incident Management Plan (IMP) in the Wealth division to assist.

David GallTiming: 8 weeks Status: Green

5. Industry Matters The external view, work and findings to be incorporated into the internal NAB view.

TBCTiming: TBCStatus: TBC

Risk's ViewThe finalisation of key roles is important to ensure momentum is maintained and that the review remains on track with timelines.

This will also create the mechanism for any decision making and approval of recommendations that arise from the review.

CRO will continue to provide support to this initiative.



Source: Group Chief Risk Officer Report - September 2016

HIGHLY CONFIDENTIAL

NAB.005.046.2014

Contains confidential information |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ .«

8 of 17

NAB.005.046.2015

Personal Banking CRO Report - September 2016| Contains confidential informationi______________________________________________________________________


NAB.005.046.2016


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Contains confidential information !


Contains confidential informationNAB.005.046.2017

L

Personal Banking CRO Report - September 2016 i


NAB.005.046.2018

Personal Banking CRO Report - September 2016Contains confidential information


NAB.005.046.2019


3. IMPORTANT UPDATESContains confidential information


NAB.005.046.2020


APPENDIX A - RISK REVIEW OF SUBDIVISIONAL PERFORMANCE j Contains confidential informationi________________________________________

Risk Performance - Subdivisional Ratings Risk’s view on performance against appetite

Risk Category

Ret

ail

OperationalRO

(5)

Compliance AO(9)

Customer Fairness & Conduct

RO

(2)

RegulatoryA O

(6)

Credit A O (6)

Retail remains to be rated Red for Operational Risk and Customer Fairness & Conduct. CRO view is that the rating will remain at Red until such time the NSW performance units can demonstrate improvement in risk identification and there is a reduction of fraud events in both NSW and VIC.

RAG rating = the overall risk profile for the GRI category relative to appetite. Arrows = trend vs. prior month. Number (in parentheses) = consecutive months in Red/Amber (inclusive of current month).Note: the above methodology and assessment of risk performance only commenced in January 2016 (for November & December 2015 reporting period).



Events previously raised

Jul 16 risksmart ID 30160985 - Banker/Introducer Control TestAn increase in non-compliance with the Introducer Framework by bankers and/or 3rd parties has been identified following a recent review of banker engagement with Introducers. This raised concerns on 44 bankers whose activities are now under investigation for potential breaches of a range of policies. Whilst aspects of fraud may be evident in some cases, the key issue observed involve banker conduct in finding a way to “work around" agreed policy and process.In addition to those bankers mentioned above, to date in 2016 there have been upward of 40 bankers investigated for various types of policy breaches. A number of these have involved internal/external fraud, collusion with 3rd parties and/or customers, however in many cases, have only involved non- compliance with internal policy and process breaches. Whilst all cases show differing traits of non- compliance, and some events are inter-connected, all have the potential now, or in future, to

HIGHLY CONFIDENTIAL

NAB.005.046.2021

Contains confidential information i

Actual event. PB / Retail Draft

Major non- financial impacts (Regulatory and Management Remediation)

September update: Project Beacon has completed reviews on 23 bankers to date resulting in six dismissals, five resignations, and five red and three amber gates applied under the consequence management framework. A SERP was held and the matter reported to ASIC. Customer remediation is still to be determined and the remaining bankers to be interviewed. Of the Introducers, 74 have been reviewed with 41 immediate terminations and 23 given 30

15 of 17

NAB.005.046.2022

Personal Banking CRO Report - September 2016 j Contains confidential informationi___________________________________________________

challenge our compliance with Responsible Lending obligations. Although various tactical and reactive actions have been taken which have been satisfactory to date, the risk remains in the back book.

days' notice.



Datelodged Description & reference number (where relevant)

Dec 15 risksmart ID 6572713 - Introducer Lending FraudAs a result of a whistleblower, a review was undertaken of Introducer files referred to bankers within the Greater Western Sydney Local Area Market (LAM). The outcomes of these reviews (ongoing) identified a number of concerns including collusion, fraudulent documentation, accepting documents from Introducers, false allocation of customers to Introducers. Review seeks to identify relevant bankers and files as well as the root cause of this event to determine appropriate remediation.

HIGHLY CONFIDENTIAL

NAB.005.046.2023

i Contains confidential information

L_____________________________

Division/Gross impact BU/ PUs Status CRO Oversight Comments

Impacted

Actual event PB / Retail Approved September update: The GWS program have$500K* reviewed 1700 files from the 24 bankers

implicated with 24% requiring further review given issues identified with serviceability, documentation and loan purpose. To date, six bankers have been dismissed and 11 are still to be determined.

17 of 17

Documents

Reporting period: August 20 - Royal Commission