
Upload: lyhanh

Post on 25-Jun-2018


Commonwealth Bank

Commonwealth Bank of Australia ABN 48 123 123 124

Level 2A, 11 Harbour Street Sydney NSW 2000 Australia

Telephone

15 September 2017

Mr Brandon Khoo
Executive General Manager
Diversified Institutions Division
Australian Prudential Regulatory Authority
Level 12, 1 Martin Place
Sydney NSW 2001

Dear Brandon,

APRA Targeted Review - Verification of borrower data used in home loan serviceability assessments

Outlined in this letter is CBA’s detailed response to the PwC APRA Targeted Review Report, dated 29 May 2017.

CBA is committed to ensuring the completeness and accuracy of borrower financial information used in assessing serviceability of residential mortgages. In line with this commitment we have outlined a plan (Attachment C) to address all twenty one of PwC’s findings—both CBA specific and industry wide—with significant actions being completed in the short term, and longer term strategic solutions by 31 December 2018. Five of the findings have already been addressed, and significant programs of work have been established to address the remainder.

As discussed in our meeting on 25 August 2017, in addition to resolving PwC’s specific findings, we have also sought to address the broader themes of the review and its recommendations in the context of our longer term vision and CBA’s commitment to demonstrate leadership in these areas. This will continue to be a strategic priority beyond the dates outlined in this letter as our practices continue to improve and evolve. We will also monitor market practices to ensure, in the event that new developments or industry standards move faster or in a different direction to CBA, we will respond with urgency.

We have established programs of work within RBS and Bankwest to improve outcomes against four major themes as illustrated in the materials provided to APRA during the August meeting (Attachment D), being:

• Improved financial information and verification;

• Enhanced customer acknowledgement and validation;

• Real time portfolio monitoring and assurance; and

• Ongoing improvement in the end-to-end home buying process.

In recognition of your particular concerns regarding our approach to monthly living expenses, verification of existing customer debt (including our response to Comprehensive Credit Reporting (CCR)), and monitoring of serviceability overrides, we have provided an overview highlighting our strategic short and medium term actions in relation to the relevant risks in these areas in Attachment A. These actions are also summarised below.

RCBA.0517.0002.0002

Monthly Living Expenses (MLE) and Household Expenditure Measure (HEM)

In line with the recommendations made by PwC, we are focused on improving our approach to capturing and assessing customer declared monthly living expenses.

As APRA is aware, CBA has been participating in a working group together with Westpac, ANZ and NAB to develop options to proactively address issues raised by financial regulators, including APRA, in relation to responsible lending practices. The objective of the group is to identify potential enhancements to current practices, to promote best practice, and to respond to the issues that have been raised by the regulators. One of the current areas of focus of the working group is developing options for the enhancement of HEM to be put to APRA, for consideration in its decision making on changes to HEM. At APRA’s request, this will include an independent analysis of the potential impact of the proposals, to assess the extent and timing of the change required.

CBA will adopt a recalibrated HEM benchmark, which will result in an increase to the minimum level of monthly living expenses used for serviceability, should APRA request this following its consideration of the enhancement options. CBA is committed to meeting an accelerated timeframe, should APRA require the industry to implement some or all of these enhancements. CBA is able to deliver the changes in December 2017, provided notice is given by 1 November 2017.

In addition to modifying the HEM benchmark, CBA will also significantly enhance the processes for customer expenses data capture, to provide a more accurate estimate of their MLE. Since the review period, RBS have implemented a detailed breakdown of expenses in our new serviceability calculator. CBA have also commenced a program of work focused on implementing changes across our systems and processes that will enhance how customer declared living expenses are collected and validated. These changes will include the collection of granular expense information; customer confirmation of expense data used for serviceability assessment; and automated analytical testing of this information to identify outliers.

In the medium term, the Industry Working Group is working on defining a consistent set of design principles for a new HEM measure, including expenses classification, the statistical quartiles applied and a larger range for income extrapolation. The Melbourne Institute has been engaged to build a revised HEM measure that aligns to these principles. In addition to this, CBA will also undertake work to identify categories of customer specific living expenses that may not be adequately represented in the HEM benchmark (e.g. school fees) and enhance its processes to better capture this information.

Existing debt and Comprehensive Credit Reporting (CCR)

CBA is committed to strengthening our processes for verifying existing customer debt and assessing the completeness of the customer’s disclosure through the use of data. We recognise the importance of implementing CCR to enhance residential mortgage application processes and are committed to meeting APRA’s expectation of implementing CCR in 2018. However, as discussed we would like to engage closely with APRA on specific implementation details to minimise data security risks and to adequately mitigate concerns from consumer groups. While CCR will form a critical part of these processes, CBA will act in the near term to address this area prior to the implementation of CCR.

To improve our ability to assess the completeness of customer debts, CBA will undertake the following:

• RBS, through the Dynamic Decisioning project, will implement CommLiabilities with the capability to identify potential undisclosed debt commitments from CBA transaction accounts;

• RBS will conduct further analysis (to be completed by December 2017) of internal customer transaction data to determine the benefit of obtaining and reviewing transaction data over a longer period of time beyond the current requirement for one month; and

• At a minimum, Bankwest will align to the current CBA policy of obtaining one month’s transaction account data by 31 December 2017.

To further strengthen verification of disclosed or identified debts, CBA will require account statements for all customer debts to confirm information such as balance (or credit limit), interest rate, and remaining loan term. In early 2018, the delivery of upgraded platforms in RBS will allow for the recording and storing of this information to enable recasting of existing repayments with serviceability buffers applied on proposed loans.

Monitoring of serviceability overrides

Relating to PwC’s findings, PCAA commentary standards will be lifted to ensure justification for overrides is recorded, demonstrating that verification requirements were specifically and knowingly waived.

More broadly, as APRA are aware, CBA will implement consistent and more granular reporting across the Group in line with APRA’s guidelines for reporting serviceability overrides by the September 2017 quarter.

PwC engagement

In formalising our response, we have worked with PwC to consider the nature of each finding in detail and obtain their objective feedback on the nature and extent of our proposed actions in the context of these findings. While it is not possible to consider the design or implementation of these actions given their prospective nature, upon implementation of the relevant control enhancements, CBA will engage PwC for further independent assessment. PwC have provided their approval to be named in this letter and have been copied in to this letter as a result.

Our response is expected to be tabled at the CBA Board meeting in November 2017.

Should you wish to discuss or clarify any aspect of our response, please do not hesitate to contact us.

Yours sincerely,

Matt Comyn
Group Executive Retail Banking Services

Rowan Munchenberg
Managing Director Bankwest

Cc: David Cohen, Group Chief Risk Officer
Cc: Adam Bennett, Group Executive Business and Private Banking
Cc: Dan Huggins, Executive General Manager, Home Buying
Cc: Nigel Dunn, Acting Chief Risk Officer, RBS
Cc: Michael Kavanagh, Chief Risk Officer, Bankwest
Cc: Chris Williams, Chief Risk Officer, Business and Private Bank
Cc: Peter Clark, Chief Credit Officer
Cc: Mathew Lunn, Partner, PwC
Cc: Sam Garland, Partner, PwC


Attachment A. Consideration and approach to key risks identified by PwC and APRA

Overall Risk Objective CBA Actions

1.1. CBA will significantly enhance the processes for the customers to provide a more accurate estimate of their MLE

• RBS will implement the Lender Front End (LFE) serviceability calculator with detailed Monthly Living Expense (MLE) categories. Where possible, these categories will be aligned with the recalibration of HEM (see 1.2). (Pilot Aug 17, Implement Proprietary Dec 17)

• For Bankwest, Project DeNovo will improve the ability to capture granular living expense data in language easily understood by customers (Dec 18)

• Lenders will be provided detailed guidance and scripting (for RBS this will be embedded within the LFE application) to structure enquiries and prompt investigation where expense items are missing, low or inconsistent with the customer’s circumstances (LFE Pilot Mar 18, National

Customers cannot service the proposed loan without reducing living expenses that, in the customer’s circumstance, would be hard to reduce

Customer living expenses used in the serviceability assessment are not below that required to meet a basic level of living expenditure and those expenses most customers would find hard to reduce, given the customer’s personal circumstances.

Konout iviay Vi)

• Customers will be required to formally confirm the completeness and accuracy of their living expense estimate within the RBS Enhanced Written Assessment Report (Dec 17). This customer declaration exists within the Bankwest process.

• Enhanced data monitoring capabilities will be designed and implemented within the “Command Centre” for RBS to identify unusual combinations of income/expense, lender/broker trends and household size/composition related to customer declared MLE. Similar monitoring capabilities will be designed and implemented in Bankwest.

1.2. CBA will adopt a recalibrated, higher Household Expenditure Measure (HEM) benchmark as a minimum level of MLE

• Industry Working Group activities:

o CBA is participating in an Industry Working Group (IWG) (within an established set of competition law parameters), comprising representatives of the 4 major banks, which will provide APRA with options to modify the HEM measure (Sep 2017)

o The IWG has engaged Melbourne Institute to calculate a revised set of HEM tables based on the principles above (Sep 2017)

o The IWG is currently designing a modelling approach, using a third party, to understand the impacts of the revised benchmark on hypothetical borrowers, bank flow and industry credit availability to ensure market impacts are understood and staged if required. (Nov 2017)


• CBA specific activities:

o Upon APRA’s request, the revised HEM measure will be implemented in to CBA's systems on a timescale required by APRA, and in stages if required. CBA is able to deliver the changes in December 2017, provided notice is given by 1 November 2017. The higher of customer declared living expenses and the revised HEM measure will continue to be utilised in serviceability assessments. (Dec 17)

o The expense categories included in the revised measure will be compared to the detailed MLE categories described in 1.1 above and the HEM measure will be used as a minimum for the aggregate of only those expenses captured within HEM, with other MLE (where relevant) considered under our approach to Objective 2 below. (Dec 17) Alignment of this process is under review at Bankwest and will require system enhancements.

o CBA agrees with the principle of the income adjusted HEM measure being based on the declared income of the customer. For Bankwest, this will occur with Project DeNovo (Dec 18). For RBS, the complexity of implementing this change is significant as origination systems are designed to capture verified income only. RBS will investigate the practicality of making this change, and assess alternative approaches, if required (Dec 17).

1.3. CBA will improve the nature of monitoring of customer declared living expenses and increase the accountability of lenders/brokers for assessing borrower declarations

• Based on the calibration performed by Melbourne Institute, CBA will define tolerances for the proportion of customers declaring relevant MLE categories at or around the revised HEM measure (i.e. HEM usage percentage). For RBS, these tolerances will be monitored at the flow, lender and broker level via the Command Centre and anomalies investigated with consequences for lenders and/or brokers as required. (Dec 17)

• Lenders and brokers will be required to document the actions taken to clarify and investigate cases where relevant customer-declared expenses appeared low relative to HEM and/or inconsistencies were identified with the customer circumstances (see 2 below). Assurance activities performed will specifically test for evidence of this scrutiny.

• The outputs of the RBS ‘Command Centre’ will inform targeted responses such as Mystery Shopping, targeted file review, and outcomes testing direct with customer. As an example, clustered outliers with similar declared expense figures across customer cohorts or lenders will trigger deep dives. This will increase coverage across all channels.


• In Bankwest, current Lender and Broker level monitoring will be enhanced and aligned to the revised HEM measure, and will be used to identify outliers for performance/consequence management and targeted coaching.

2. Customer living expenses used in the serviceability assessment include hard to reduce expenses that are specific to the customer’s circumstances and are not captured by the HEM measure

2.1. CBA will increase the extent of inquiry into customer-specific living expenses that may not be adequately represented by HEM

• CBA will define a list of common hard-to-reduce living expenses that are not captured by the HEM measure. Lenders and brokers will be required, based on their understanding of the customer circumstances, to specifically enquire with the customer whether such expenses exist or are anticipated to exist in the near future, and document this enquiry (Estimate Jun 18).

• The final figure used will be the higher of customer declared living expenses or HEM plus an adjustment for hard to reduce customer declared living expenses (which are not already included in the HEM measure).

• CBA is investigating the validation options for these expense items, with the objective of improving standards overall (Estimate Jun 18).

• RBS will implement the Lender Front End (LFE) serviceability calculator with detailed Monthly Living Expense (MLE) categories. Where possible, these categories will be aligned with the recalibration of HEM (see 1.2). (Pilot Aug 17. Implement Dec 17)

• Customers will be required to formally confirm the completeness and accuracy of their living expense estimate within the Enhanced Written Assessment Report (Dec 17). This customer declaration exists within the Bankwest process.

• In RBS, the outputs of the ‘Command Centre’ will inform targeted responses such as Mystery Shopping, targeted file review, and outcomes testing direct with customer. As an example, clustered outliers with similar declared expense figures across customer cohorts or lenders will trigger deep dives. This will increase coverage across all channels.

• In Bankwest, current Lender and Broker monitoring will be enhanced and aligned to the revised HEM measure and will be used to identify outliers for performance/consequence management and targeted coaching.

3. Customer living expenses used in the serviceability assessment include increases in living expenses as a result of known and intended changes in customer personal circumstances

3.1. CBA will increase the depth and consistency of customer conversations at origination to ensure customer declarations include the impact of known changes in circumstances

• CBA will define a list of common hard-to-reduce living expenses that are not captured by the HEM measure. Lenders and brokers will be required, based on their understanding of the customer circumstances, to specifically enquire with the customer whether such expenses exist or are anticipated to exist in the near future, and document this enquiry (Estimate Jun 18).

Customers cannot service the proposed loan due to repayments required on existing mortgage debt with other financial institutions

4. Customers declare a complete listing of existing mortgage debt with other financial institutions

5. The balances and features of mortgage debt declared by customers is accurate

4.1. CBA will support and adopt Comprehensive Credit Reporting (CCR) in 2018

• CBA will implement positive CCR, which will provide a complete view of a customer’s existing commitments. CBA intend to be compliant with APRA’s expectations in 2018.

• As discussed, we would like to engage closely with APRA on specific implementation details to minimise data security risks and to adequately mitigate concerns from consumer groups.

4.2. Prior to the implementation of CCR, CBA will increase requirements to identify and validate undisclosed debts

• Customers will be required to formally confirm the completeness and accuracy of their disclosed commitments within the Enhanced Written Assessment Report (Dec 17). This customer declaration exists within the Bankwest process.

• RBS will undertake further analysis into internal customer transaction data to assist in determining the benefit of obtaining and reviewing additional transaction data over a longer period of time beyond the current requirement of one month (Dec 17).

4.3. CBA will continue monitoring via assurance activities the completeness of customer declared debts with other financial institutions

• Existing assurance activities will continue to review adherence to internal requirements for lenders and brokers to check transaction account statements obtained to identify where existing mortgage debts have not been disclosed.

• In RBS, the outputs of the ‘Command Centre’ will inform targeted responses such as Mystery Shopping, targeted file review, and outcomes testing direct with customer.

5.1. CBA will enhance the level of verification required over declared debts

• CBA will require evidence of all non-CBA debts to be obtained such as statements, regardless of whether CBA is the customer’s Main Financial Institution (MFI) or the size of the balance outstanding. Statements will be used to capture the outstanding balance, remaining loan term, customer rate and commitment amount.


5.2. CBA will continue monitoring via assurance activities the accuracy of mortgage debt amounts declared

• CS&M monitoring will review the accuracy of existing mortgage debt information. Should a requirement to obtain statements be implemented, CS&M monitoring will be extended to ensure the accurate capture of relevant loan information.

• The outputs of the ‘Command Centre’ will inform targeted responses such as Mystery Shopping, targeted file review, and outcomes testing direct with customer.

• Assurance activities at Bankwest will be enhanced to monitor the accurate capture of relevant loan details.

6. Repayments on existing mortgage debt declared by customers is accurate, to allow a similar level of conservatism for potential increases in repayments, such as interest rate changes, as is applied for proposed mortgage debt

6.1. RBS continue to apply a conservative buffer of 30% on existing mortgage commitments until systems permit the use of actual term and rate

• RBS adopt a 30% loading on existing Other Financial Institution (OFI) mortgage commitments. This loading ensures that a serviceability buffer is equivalent or greater than that applied for the proposed mortgage debt.

• Existing RBS commitments continue to be assessed using serviceability buffers required for the proposed mortgage debt.

• Once we obtain statements for all non-CBA mortgage debts, repayments will be recast based on serviceability buffers applied to the proposed mortgage debt.

• Bankwest will calculate existing mortgage debt using limit, benchmark interest rate, and a 25 year loan term.


Attachment B - Summary of Findings and Due Dates

| # | Finding | RBS Due Date | BWA Due Date |
|---|---|---|---|
| 1 | Borrowers not required to confirm the details, completeness or accuracy of the information used in their serviceability assessment | 30 June 2018 | Complete |
| 2 | Borrower personal information relevant to the Group’s serviceability assessment, such as household size and number of dependents, are not subject to verification | 30 June 2018 | Complete |
| 3 | Approved exceptions to verification requirements are not adequately documented to ensure they were appropriately considered | 30 June 2018 | 31 October 2017 |
| 4 | In a number of the loan files tested, income verification was not performed in accordance with policy | 30 June 2018 | 31 October 2017 |
| 5 | During the review period, CBA management identified shortcomings in the process for translating foreign language documents provided to support mortgage applications | Complete | N/a |
| 6 | During the review period, management identified that the scope of CBA's Credit Investigation Team (CIT) did not include relationship managed customers and loan “top-ups” | Complete | N/a |
| 7 | There is no requirement under Group policies to assess the completeness or accuracy of borrower declared living expenses. This appears to be contributing to a higher than intuitive use of HEM as a proxy for living expenses | 30 June 2018 | 30 June 2018* |
| 8 | Living expense data required from borrowers is not sufficiently granular to encourage complete and accurate declarations | 30 June 2018 | 30 June 2018* |
| 9 | During the review period, management identified that borrower’s expenses were not completely interfacing into RMG's home lending system (BOSS) | Complete | N/a |
| 10 | There are components of verification of investment property income and expense that do not meet APRA’s guidance released following the review period. | 30 June 2018 | 31 December 2017* |
| 11 | The calculation of income-adjusted HEM is based on verified income only, potentially resulting in an inappropriate measure. Serviceability impacts are likely to be limited. | 31 December 2017 | 31 December 2018 |
| 12 | Verification of debts that borrowers declare does not ensure completeness and we identified a number of exceptions during the period | 30 June 2018 | 31 December 2017* |
| 13 | There are insufficient controls to identify debts/commitments that have not been declared by borrowers | 30 June 2018 | 31 December 2017* |
| 14 | In CBA's proprietary channels (i.e. excluding Third Party Banking and RMG) there is a lack of preventative controls to ensure data is accurately entered in to the serviceability assessment | 30 June 2018 | N/a |
| 15 | User access to serviceability-related systems was not appropriately restricted and reviewed on a periodic basis during the review period | 30 September 2019 | 30 June 2018 |
| 16 | Some users had access to develop and promote code in the CommSee system | 30 September 2017 | N/a |
| 17 | Weaknesses in the IT control environment around BOSS system | 31 March 2018 | N/a |
| 18 | The code used to extract the list of loans for control testing by CBA and Bankwest has not been recently validated | 30 November 2017 | 30 November 2017 |
| 19 | A snapshot of the serviceability calculation for Bankwest loans is not retained on file | N/a | Complete |
| 20 | Applications received via CBA’s captive Home Lending Solutions brokers are not subject to the same validation checks as other third party originated loans | 31 December 2017 | N/a |
| 21 | Some loan applications originated through Bankwest’s Private Banking portfolio did not pass through the validation functions | N/a | Complete |

* Due date is reflective of delivery date of material activities with longer term strategic solutions to be delivered through either Project DeNovo (Dec 18) or CCR (Dec 18).


Attachment C. Updated Management Actions to PwC’s Findings

Updated proposed actions are separated between the RBS and Bankwest portfolios. A BPB-specific response is noted where relevant to the findings (e.g. results from PwC’s files reviews). For actions such as changes to RBS credit policy or processes, these will apply to BPB-originated home loans.

1. Borrowers are not required to confirm the details, completeness or accuracy of the information used in their serviceability assessment

To assess serviceability, borrowers provide the Group with information about their financial and personal circumstances. In many cases this is entered directly in to application systems by front line lenders, mortgage brokers or the borrower themselves in a digital environment.

• At CBA, borrowers are not provided with a summary of what information has been entered in to the assessment and are therefore not required to declare that this is complete and accurate

• At Bankwest, policy requires that such a breakdown is signed, however most applicants do not complete this until after they have unconditional approval

• Neither CBA nor Bankwest requires an equivalent document to be completed by borrowers applying through the broker-originated channel

While requiring such a declaration would not prevent a borrower from misrepresenting their circumstances, it is an important step to encourage rigour from borrowers and requires them to explicitly declare incorrect information, where they know it to be so.

This is particularly relevant for those items for which the primary misrepresentation risk relates to completeness (i.e. expenses and liabilities) and for which independent validation is most challenging.

Implementing a declaration is also likely to assist with obtaining a more detailed breakdown of borrower living expenses, as noted in finding 8 below.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date


CBA agrees with the need for borrowers to confirm the details, completeness, and accuracy of the information used in the serviceability assessment.

CBA is designing an enhanced written assessment report to be included in the application’s document pack and required to be signed and imaged to the application, likely after formal approval and prior to funding, as a necessary condition for funding. The intent is that this document will be completed by all borrowers applying through both proprietary and broker-originated channels. This will be completed by 30 June 2018.

At Bankwest, the current practice of requiring a borrower to verify the accuracy of their details prior to funding will be continued and expanded to the Broker channel by 30 June 2018. The PwC suggestion to move this verification step to earlier in the approval process will be considered based on risk benefit versus change impact by 30 August 2017.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying
Accountable GM: Simon George, Head of Home Buying Risk and Control

Home Buying has accelerated the design and implementation of the enhanced assessment report and is targeting the R48.1 release cycle for implementation. The release will commence 17 November 2017, with customer signature of the new report being mandatory for all loans in all channels from 1 December 2017. A later release planned for February 2018 will enable electronic signature of the document.

A project team is now in place with funding of $1 million. The high-level requirements are:

• Change Home Loan Written Assessment Report (WAR) document template to include additional data.

• Generate the WAR report as part of the Home Loan Contract/Borrowers pack and get it signed by the customers

• Include WAR report in the HL e-delivery of HL contracts and Notice of variation document packs

• Update Home Loan Document Checklist to ensure WAR report has been signed by the customers

• Store the signed WAR report document/image against the customer/application

30 Jun 2018

The following information will be presented in the document (where applicable and where data is available):

• Loan application number

• Loan application date

• Loan applicant name

• Purpose/s for seeking credit (Loan purpose)

• Itemised amount for each loan purpose

• Australian Tax Resident

• Permanent Resident

• Residential Status

• Employment status

• Occupation

• Time at present employer

• Annual Income - breakdown & total

• Current liabilities breakdown & total

• Future significant changes

• Security type/s

• Loan amount (including financed fees)

• Loan Term

• Interest Only repayments reason

• Product selection answers

• Amount of credit sought (including financed fees)

• Date of Birth

• Dependants

• Annual expenses and commitments breakdown & total

• Monthly living expenses total

• Monthly living expenses - detailed breakdown

• Interest Only Period

• Fixed Rate Period

• Rate Lock Requested

• Refinance reason

Bankwest Response:

Accountable EGM: Paul Vivian, Acting EGM Products, Operations & Analytics Accountable GM: Ian Sivwright, Acting GM Products & Pricing

To clarify for Bankwest, both broker and proprietary deals require customers to sign forms with information about their financial and personal circumstances at unconditional approval stage per proprietary customer process.

The PwC suggestion to move this verification step to earlier in the approval process has been considered and it has been recognised that information provided by the customer, lender or broker is validated and where appropriate corrected (for example, if we identify that the customer has dependent children which were not declared in the original submission). As these corrections can occur at any time through until an unconditional offer is made, BW will continue to issue the application form to the customer after the offer is generated as it will then show all the correct information used to assess the customer’s suitability for the loan.

To further support this current process, work is already underway to upgrade Bankwest loan systems (Project De Novo) which will improve the ability to capture data logically in a language easily understood by customers which will be supported by inbuilt validation controls (e.g. expected range values lookups) for proprietary customers. This will be rolled out to home lending applications through calendar year 2018. For applications submitted through other channels, applicants will continue to be sent a copy of key data after formal approval and will be required to acknowledge those details before settlement or loan disbursal.


Closed


2. Borrower personal information relevant to the Group’s serviceability assessment, such as household size and number of dependents, is not subject to verification

There is no requirement under Group policies to corroborate borrower personal circumstances that are relevant to components of the serviceability calculation.

While we acknowledge that there is no authoritative source for such information (as each borrower’s circumstances are different) certain evidence may be useful to corroborate and/or identify possible inconsistencies for further investigation.

For ‘new to bank’ customers, identity documents that include basic personal details are required to be obtained in order to satisfy other compliance requirements and to perform a ‘Bureau’ check. We note that for broker-originated customers, identification is completed by the third party broker.

Other information including household size and number of dependents of a borrower are inputs into the HEM living expenses estimate. Frontline staff are expected to be alert to inconsistencies if other information is available such as Medicare cards, transaction statements or tax return, however, this is not a requirement.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date


CBA agrees with the need to have reliable information on the customer’s personal circumstances to support an effective assessment of the customer’s ability to repay the loan applied for.

Before originating a Home Loan application through the RBS Proprietary Channel, a needs based analysis is completed as part of the Financial Health Check. Through this conversation frontline staff enquire about a customer’s personal circumstances such as family details and financial goals. Similarly, at Bankwest a needs based conversation is completed, and personal details are discussed as part of the process.

Staff completing verification are trained to update the customer’s profile and identify inconsistencies, including but not limited to number of dependents and marital status, via review of the customer’s profile, transaction statements and other supporting documentation such as payslips or tax returns.

This is monitored through assurance activities including CS&M at RBS and the CQR at Bankwest.

Similarly for applications written via BPB channels, enquiries are made into the customer’s financial circumstances to have comfort our records are accurate.

Supporting the above will be the intended enhanced written assessment report noted in item no. 1.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying Accountable GM: Simon George, Head of Home Buying Risk and Control

A new sales monitoring framework in development will include an enhanced file review process. In the new framework, targeted file reviews will be completed to check that personal customer information, such as number of dependents, is entered correctly in applications.

Additionally, as described in item 1, from 1 December 2017 all customers will sign the enhanced assessment report, acknowledging that the information provided regarding the customers’ personal circumstances is complete and accurate.

Bankwest Response:

Accountable EGM: Paul Vivian, Acting EGM Products, Operations & Analytics Accountable GM: Ian Sivwright, Acting GM Products & Pricing

Enhancement opportunities are captured through other commitments related to granular expense capture, review of statements, OFI debt verification, CCR participation, and borrower attestation.

Given Bankwest applications are independently verified, Bankwest considers the current process for trained verification colleagues to update any identified inconsistencies in the borrower personal circumstances to be sufficient.

Sales Monitoring: 30 Jun 2018

Assessment Report: 1 Dec 2017

Closed


3. Approved exceptions to verification requirements are not adequately documented to ensure they were appropriately considered

The Group has a control in place whereby requirements under the relevant lending policy may only be waived by a Personal Credit Authority Approval (PCAA - CBA/Bankwest Retail) or a Lending Delegation Authority (LDA - Bankwest Business) holder. This includes exceptions to verification requirements under such policies.

PCAA/LDA holders are individuals with high levels of credit decisioning experience and training allowing them to exercise judgement over applications as a whole that are within their delegation.

Policy requires PCAA and LDA holders to document the specific components of policy and basis for waiver on a given application, including where these exceptions may relate to verification requirements.

Through our testing we have identified instances where it was not possible to ascertain whether verification requirements were specifically and knowingly waived as part of an application or to assess whether this decision was appropriate. This similarly applies to the performance of review functions who also are not able to make that assessment.

In practice we observed that within the ‘retail’ channels such as CBA RBS and Bankwest retail, the audit trail of such decisions is documented more clearly than in potentially more complex and relationship managed channels such as Business and Private Bank channels (CBA and Bankwest).

94 of the 271 samples we tested for CBA were subject to PCAA approval and did not meet the verification requirements of policy. For 22 of these samples we were unable to determine whether the verification requirements that were not met were specifically subject to PCAA approval. PCAA approvals in our samples are outlined below:

• 6 out of 64 loan applications tested from CBA Proprietary. Of these 6, all were adequately documented to justify the basis for PCAA approval.

• 21 out of 61 loan applications tested from CBA Third party Broker. Of these 21, all were adequately documented to justify the basis for PCAA approval.

• 29 out of 60 loan applications tested from CBA Private Bank. Of these 29, 9 were not adequately documented to justify the basis for PCAA approval.

• 24 out of 61 loan applications tested from CBA Business Bank. Of these 24, 13 were not adequately documented to justify the basis for PCAA approval.

• 14 out of 25 loan applications tested from CBA RMG. Of these 14, all were adequately documented.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

BPB customers can be of higher net worth (via the Private Bank channel) or have more complex financial circumstances in comparison to RBS customers, leading to a higher level of overrides on Home Loans written for BPB customers.

As per related correspondence with APRA, BPB is working to implement recording overrides in line with RBS channels allowing for greater ongoing monitoring. We note that BPB applications may be originated via the CommSee Commercial Loan platform, and often requires a holistic approach to the credit assessment of a customer and any related commercial entities.

PCAA commentary may not note specific items as it was exercised more broadly. For the purposes of this review a proportionally higher sample was taken for BPB customers, resulting in 45% of applications tested, whereas for new home loan application flow BPB customers make up 9%.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying Accountable GM: Simon George, Head of Home Buying Risk and Control

CBA is developing reporting on serviceability overrides, in line with APRA’s guidelines. Reporting will include BPB. As advised in our letter of 8 February 2018, CBA will introduce a Risk Appetite Statement (RAS) Key Risk Indicator (KRI) for serviceability overrides to ensure the volume of exceptions to policy remain within acceptable thresholds.

30 Jun 2018

Additionally, CBA is developing an enhanced monitoring framework to be built around a new Home Buying risk management dashboard and analytics tool (the ‘Command Centre’). The Command Centre is being designed to:

• Create analytical capabilities to validate business questions and provide business insights;

• Create a control repository to store and automate Home Buying exception/control reports and enhance reporting capabilities to monitor performance of control reports to ensure that CBA is selling HB products in accordance with policies outlined in the terms & conditions;

• Enable ongoing monitoring of the sales funnel and maintenance lifecycle to identify unusual patterns for early investigation and follow-up.

Command Centre monitoring will cover all channels, including all home loans originated in BPB. The Command Centre will monitor the sales pipeline for unusual or anomalous trends which will prompt further targeted review into those applications.

For example, the Command Centre will monitor the number of PCAA exceptions. Triggers can be set to identify areas or individual lenders for additional targeted file reviews if circumstances such as the following occur:

• The number of PCAA exceptions moves outside of tolerance

• The number of exceptions is within tolerance but spiking

• The number of exceptions is within tolerance but is forecasted to exceed tolerance

• Areas, branches, or individual lenders have unusually large numbers of exceptions.

These triggers will prompt follow-up actions to be defined under the enhanced monitoring framework described in the response to item 2.

Response for BPB-Specific Findings:

Accountable EGM: Chris Williams, BPB CRO Accountable GM: Leanne McDougall, GM PB BB SME & Digital


The BPB Portfolio Appraisal and Oversight Team (Hindsight Team) and Private Bank credit team reviewed all loans identified by PwC in its report. Whilst a number of the applications subject to the PwC review were noted as having issues with regard to verification and/or use of appropriate expenditure benchmarks, on review by the Hindsight Team the lending decisions were predominantly considered to be sound and satisfactory from a portfolio perspective.

However, BPB acknowledges APRA’s concerns and as a result BPB Risk is working to limit the number of staff that can approve Home Loans in BPB, with expected changes to be enacted by 30 September 2017. For those staff with authorities the following actions will be taken to lift commentary standards:

1. A Decision Sheet will be introduced to document PCAA decisions and all risk teams will be coached to ensure variations from Risk Policy are adequately documented and to call out all exceptions that they are accepting. This has already been implemented in Private Bank and will be extended to all segments/PCAA holders.

2. Ahead of RBS’ Command Centre implementation, BPB will hindsight 100% of exceptions approved in September 2017 through its established Hindsight team to validate that commentary standards have been raised and meet APRA’s expectation. Hindsighting of 10% of all exceptions approved in the period from October 2017. In June 2018 this process will be reviewed with consideration of the introduction of the Command Centre monitoring.

3. The results of hindsight reviews will be oversighted on a monthly basis by the General Manager Risk, BB SME and Private Bank and reported bi-monthly to the CRO for inclusion in the CRO report to BPB Risk Governance Forum.

BPB will monitor the implementation, effectiveness and impact of these control changes to ensure that they remain fit for purpose.

Bankwest Response:

Accountable EGM: Michael Kavanagh, Bankwest CRO Accountable GM: Ian Pike, GM Credit

Exceptions to policy are approved by PCAA holders. Approvals of exceptions by PCAA holders are captured in Lendnet and Genesis. Hindsight reviews of PCAA holder decisions are undertaken to ensure policy exceptions are accurately recorded.


30 Sep 2017

30 Sep 2017

30 Jun 2018

31 Oct 2017


Bankwest is on track to provide reporting also on business originated exceptions to APRA from September 2017.

4. In a number of the loan files tested, income verification was not performed in accordance with policy

Our sample testing identified that income verification was not performed in accordance with policy in the following instances:

• 5 out of 64 loan applications tested from CBA Proprietary. Of these 5, 4 were approved by PCAA. Of these 4, all were adequately documented to justify the basis for PCAA approval.

• 10 out of 61 loan applications tested from CBA Third party Broker. Of these 10, 10 were approved by PCAA. Of these 10, all were adequately documented to justify the basis for PCAA approval.

• 28 out of 60 loan applications tested from CBA Private Bank. Of these 28, 24 were approved by PCAA. Of these 24, 6 were not adequately documented to justify the basis for PCAA approval.

• 24 out of 61 loan applications tested from CBA Business Bank. Of these 24, 21 were approved by PCAA. Of these 21, 10 were not adequately documented to justify the basis for PCAA approval.

• 2 out of 25 loan applications tested from CBA RMG. Of these 2, all were approved by PCAA and were adequately documented to justify the basis for PCAA approval.

At Bankwest, the following exceptions were noted where income verification was not completed in line with policy, there were data entry errors, or there was a misinterpretation of evidence:

• 6 out of 60 loan applications tested in Bankwest Proprietary

• 4 out of 60 loan applications tested from Bankwest Broker

• 3 out of 25 loan applications tested from Bankwest Business Banking

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA income verification requirements are designed to use corroborating information to verify and validate income used for servicing.

For the reviewed applications without a PCAA approval, income verification was held in all but one example relating to rental income. Adherence to requirements are monitored through CS&M reviews, leading to a Lender error being raised where applicable.

CBA will be reviewing the identified applications to assess whether there are any customer impacts.

Bankwest will conduct a review of the applications identified and identify any customer impacts by 31 August 2017.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying Accountable GM: Simon George, Head of Home Buying Risk and Control

As outlined in the original management response, the 8 files (inclusive of BPB) that were not subject to PCAA approval were investigated at the time of PwC’s review and income verification was found to be held in all but one example. This account was placed on a watch list so that, in the event that the customer falls into arrears, we will apply a specific collections process.

In line with APRA’s guidance, serviceability overrides reporting will include serviceability verification waivers to provide visibility over exceptions to verification policy.

31 Oct 2017

CBA will explore the feasibility of monitoring PCAA approvals across all origination channels via the Command Centre monitoring tool, as described in the response to item 3. Unusual activity detected by the Command Centre will prompt targeted file reviews to check that sufficient documentation is provided to justify PCAA approvals. Data correlation analysis performed by the Command Centre may identify opportunities to improve risk metric monitoring by identifying new data points to monitor.

30 Jun 2018

Overall Credit Scoring & Monitoring (CS&M) error rates have consistently trended down since the review period and have remained well under appetite, except for a slight uptick during November 2016, following which the declining trend continued. CS&M serviceability error rates remain low and are also continuing on a downward trend from the end of the review period.

Response for BPB-Specific Findings:

Accountable EGM: Chris Williams, BPB CRO Accountable GM: Leanne McDougall, GM PB BB SME & Digital

As set out in response number 3 above BPB teams have reviewed all loans identified by PwC in its report. Whilst a number of the applications subject to the PwC review were noted as having issues with regard to verification and/or use of appropriate expenditure benchmarks, on review by the Hindsight team the lending decisions were predominantly considered to be sound and satisfactory from a portfolio perspective.

However, BPB acknowledges APRA’s concerns and as a result BPB Risk is working to limit the number of staff that can approve Home Loans in BPB, with expected changes to be enacted by 30 September 2017. For those staff with authorities the following actions will be taken to lift commentary standards:

30 Sep 2017

30 Jun 2018

1. A Decision Sheet will be introduced to document PCAA decisions and all risk teams will be coached to ensure justification of verification requirements are adequately documented. This has already been implemented in Private Bank and will be extended to all segments/PCAA holders.

2. BPB will hindsight 100% of exceptions approved in September 2017 through its established Hindsight team to validate that commentary standards have been raised and meet APRA’s expectation. Hindsighting of 10% of all exceptions will be conducted for all exceptions approved in the period from October 2017. In June 2018 this process will be reviewed with consideration of the introduction of the Command Centre monitoring.

3. The results of hindsight reviews will be oversighted on a monthly basis by the General Manager Risk, BB SME and Private Bank and reported bi-monthly to the CRO for inclusion in the CRO report to BPB Risk Governance Forum.

BPB will monitor the implementation, effectiveness and impact of these control changes to ensure that they remain fit for purpose.

Bankwest Response:

Accountable EGM: Paul Vivian, Acting EGM Products, Operations & Analytics Accountable GM: Pete Birch, GM Group Lending Services WA

Bankwest’s Credit Quality Review team has conducted a review of the 13 applications identified (where income verification was not performed in accordance with policy) to identify customer impacts. This review identified 1 application where internal policies were not followed, with a minor impact on serviceability. A review of this customer’s subsequent loan conduct found no evidence to suggest any repayment difficulty. The review also identified 1 marginal data input error which did not result in a customer impact, as the customer could still service the loan post the correction of the error.

All Group Lending Services WA validating colleagues will undertake retraining on the performance of income verification by 31 October 2017. A specific Key Risk Indicator will be developed for income and serviceability related error rates as measured by Quality Assurance by 31 October 2017. Error rates will also continue to be monitored through the independent Credit Quality Review.


30 Jun 2018

31 Oct 2017


5. During the review period, CBA management identified shortcomings in the process for translating foreign language documents provided to support mortgage applications

Foreign language documents can be provided as evidence to support borrower financial circumstances used in serviceability assessments, particularly for foreign income based loans.

For the review period, at CBA, front line lenders were responsible for translating foreign language documents without further review. During the review period, management assessed that this approach did not provide sufficient consistency and segregation of duties given the inherent risk associated with foreign documentation and applications.

During the review period applications with foreign income were required to be reviewed by Retail Credit Decisioning. Following identification of the issue, management implemented a requirement for the translation of documents to be completed by a certified translator.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA implemented a process change on 12 December 2016, whereby customers applying for a Home/Investment Home Loan or Line of Credit must provide foreign currency income verification documents translated into English by a translator accredited by the National Accreditation Authority for Translators and Interpreters Ltd (NAATI).

CBA staff members can no longer translate these documents into English on behalf of a customer.

CBA Home Buying has a self-identified issue, IS-059395 ‘Foreign income - document verification and sanctions check’ requiring implementation in Retail Credit Decisioning (RCD) of a control to ensure that applications with foreign income are all referred for manual decisioning by RCD. As of 16 November 2016, applications where a customer has income from a very high risk country have been declined.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying Accountable GM: Simon George, Head of Home Buying Risk and Control

From 12 December 2016, only foreign income documents translated by NAATI accredited translators may be used for verification. The self-identified issue has been closed.

Closed


6. During the review period, management identified that the scope of CBA’s Credit Investigation Team (CIT) did not include relationship managed customers and loan ‘top ups’

The Credit Investigations Team (CIT) at CBA is responsible for identifying and investigating loan applications with a higher risk of fraud. In particular, CIT performs additional income verification procedures on applications that exhibit higher fraud risk features.

During the review period management considered that the scope of CIT should include loans originated via relationship managers in the CBA proprietary channel or ‘top ups’ to existing loan facilities under all CBA channels.

We understand this was remediated on 6 March 2017 and CIT now includes all such loans in their scope for potential testing.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

As of 6 March 2017 relationship managed customers and top up loans are no longer excluded from the CIT process.

Previously relationship managed loans and top-ups were viewed as having a lower likelihood of fraudulent activity. Management took the view to include these segments to ensure a more complete coverage.

RBS Response:

Accountable EGM: Nigel Dunn, Acting RBS CRO Accountable GM: John Dennison, GM Secured Risk Management

This self-identified issue has been closed, following inclusion of top ups and relationship managed home loan applications in the CIT sampling.

Closed

7. There is no requirement under Group policies to assess the completeness or accuracy of borrower declared living expenses. This appears to be contributing to a higher than intuitive use of HEM as a proxy for living expenses. Our loan file testing identified instances in CCL files where the higher of HEM or declared living expenses was not used.

The Group uses the higher of the living expenses declared by the borrower and the income-adjusted Household Expenditure Measure (HEM) in serviceability assessments.

The living expense declarations provided by borrowers are not subject to verification or assessment beyond comparison to HEM.

This approach does not encourage borrowers to focus efforts on ensuring the completeness and accuracy of their expense estimates.

This may be contributing to a high proportion of borrowers declaring living expenses at or below income-adjusted HEM, which is counter-intuitive given the nature of the HEM benchmark. 78.9% (CBA: 79.7%, Bankwest: 72.0%) of applications in the population of loans in scope for testing under our review utilised the income-adjusted HEM benchmark.


While we acknowledge the inherent challenges in validating the completeness of living expenses, there are a number of sources of evidence that are routinely obtained by the Group in applications that may provide corroborative evidence, assist in identifying items for further investigation or follow up with borrowers. For example, CBA routinely reviews bank statements in order to consider the potential for unrecorded liabilities of the borrower.

This, combined with potential responses to 8 and 11 herein would add additional rigour to the reliability of borrower declarations.

We further understand that APRA recommended in an April 2016 credit risk review of Bankwest’s mortgage portfolio that Bankwest implement additional measures to increase the accuracy of expense information provided by borrowers and reduce reliance on HEM as a result.

Our sample testing further identified the following instances where the control to compare borrower declared living expenses to HEM did not operate effectively:

Applications where the higher of borrower declared living expenses and HEM was not used:

• 1 out of 64 loan applications tested from CBA Proprietary. This CCL application used the Henderson Poverty Index (HPI) with a 30% loading instead of HEM.

• 4 out of 61 loan applications tested from CBA Business Bank. All 4 CCL applications used the Henderson Poverty Index (HPI) with a 30% loading instead of HEM.

A number of applications were also identified where an incorrect HEM number was applied in the serviceability assessment. Refer to finding 14 for further details.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA utilises an income-based HEM to validate the living expense estimate provided. In cases where the estimate is lower, the HEM amount is used in the serviceability assessment.

We acknowledge the aim to have complete and reliable living expenses declared by the applications. Efforts to improve the expense capture via separate fields (as noted in item no. 7) will encourage greater consideration of the various expenses needing consideration by the applicants.

There are inherent challenges in completing verification of living expenses through review of customer transaction activity, credit card activity and cash withdrawals. Additionally, there are constraints in being able to identify discretionary expenses or transactions that may not continue in the future.

HEM provides an estimate of household consumption and is used industry-wide. This measure enables a consistent approach to measuring household expenditure when determining a customer’s capacity to repay.

RBS Risk Management monitors low declared living expenses. Reviews are completed by CS&M at regular intervals resulting in a frontline staff error where very low expenses are not justified or captured incorrectly.

In the Commercial Property review in mid-2015, APRA raised the need for the servicing tests for home loans originated within BPB to align to RBS policy rules, including the use of the HEM benchmark. Pending the staged system change (undertaken between February and April 2016) to introduce HEM for manually based CCL applications, from November 2015 the higher of Henderson Poverty Index (HPI) with a 30% loading and customer declared living expenses was to be used in the servicing test. The workaround for auto-decisioned CCL applications for home loans was not introduced until earlier this year as home loans included in a CCL application are generally manually decisioned.

APRA flagged some improvement areas for Bankwest in the March 2016 home loan review in relation to the use of HEM. In the time since, Bankwest has tightened its amber and red tolerances for instances where customer stated expenses are below base HEM, reinforced the expectation that the budget planner tool should be applied and delivered both generic training as well as colleague targeted coaching where based on individual results. This has seen the instances where customer stated expenses are greater than base HEM to increase from 40.8% in March 2016 to 62.3% in March 2017. Monitoring of this metric is well embedded through the Bankwest Retail Credit Risk Committee.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying Accountable GM: Simon George, Head of Home Buying Risk and Control

As APRA are aware, CBA is reviewing the strategy for utilising HEM in a working group with the Melbourne Institute and industry partners. While the outcome is pending, CBA is committed to the actions to resolve the underlying concerns behind this issue.

Home Buying is developing a tool to capture living expenses in separate fields as a mandatory step in the application process for Home Buying proprietary channels. The tool is being built in a system called ‘Helix’ that sits as an overlay above CommSee and its application systems (CHL and CTU). When the loan interview reaches the stage in the application to complete living expenses, a button in the application form must be pressed to launch the tool, which will take over the screen until the detailed expense information is entered in the tool. Once complete, the data will be stored and the application will resume. This detailed expense information will then be presented back to the customer at fulfillment for mandatory acknowledgment in the enhanced assessment report from 1 December 2017.

Proprietary & BPB (CHL): 1 Dec 2017

Third-party: 30 Jun 2018

From August 2017, living expense categories are also being captured in the Lender Front End serviceability calculator.

Living expense categories will be incorporated into the Lender Front End application form when rolled out in June 2018.

Categories include:

• Food

• Housing and Property Expenses

• Insurance

• Bills and Phone Expenses

• Medical and Health Care

• Transportation

• Clothing and Personal Care

• Recreation and Entertainment

Lenders will also be provided detailed guidance and scripting, embedded within the LFE application, to structure enquiries and prompt investigation where expense items are missing, low or inconsistent with the customer’s circumstances.

Additional system changes will be required to replicate this process in the third-party channels, and work is currently underway to confirm a target date for those changes.

For BPB, the majority of home loans are currently originated in CHL and will use the new living expense tool. By June 2018, these CHL users will use Lender Front End, which will similarly capture detailed expense data.

Accountable EGM: Nigel Dunn, Acting RBS CRO
Accountable GM: John Dennison, GM Secured Risk Management

With respect to CCL applications and use of HPI, following the 2015 APRA Commercial Property Review, the decision was made to align the home loan servicing approach with that adopted in RBS including use of HEM as the living expenses benchmark. Relevant policies and procedures in BPB were updated on 30 October 2015. Constraints on system changes between releases meant that it was not possible to implement the revised benchmark within CommSee Commercial Lending (CCL) until the next release date, being February 2016.


Closed


As an interim measure pending system changes, BPB used the higher of declared living expenses and HPI plus a 30% buffer. At the time, analysis was done on comparing outcomes under the two approaches (HEM and 130% of HPI) and the majority of scenarios tested showed a more conservative outcome with the use of HPI plus buffer. The CCL platform change was progressively staged in the period February to April 2016. Unfortunately system capabilities constrain the ability to identify specific volumes of housing loans that were subject to the higher of declared living expenses and 130% of HPI approach. It is noted however that this approach was, in the majority of scenarios, at least as conservative if not more conservative than application of HEM.

Applications are often standalone CHL (and therefore using HEM as the benchmark), and only require a CCL application in cases such as larger existing commercial exposures and cross-collateralised security with commercial facilities.

Bankwest Response:

Accountable EGM: Paul Vivian, Acting EGM Products, Operations & Analytics
Accountable GM: Ian Sivwright, Acting GM Products & Pricing

Monitoring

Through the Retail Credit Risk Committee (RCRC) and the Retail Risk Forum, Bankwest monitors CSLE > Base HEM against targets implemented in October 2016. RCRC now also monitors CSLE > Income-Scaled HEM overall and by channel and will establish targets based on this refined measure.

Retail Risk Forum will have visibility of a new proprietary KRI on CSLE > Income-Scaled HEM to drive further improvement. Existing broker and lender level reporting will be modified to capture this measure and where outliers are identified targeted coaching and performance/consequence management will be undertaken.

The use of these measures will be revisited as industry work with HEM and granular data capture evolves.

Proprietary

• Bankwest’s existing Budget & Expenditure Planning tool will be reviewed and Bankwest will revise procedures to mandate the use of an expenditure calculation tool with decisions to be made on the number of expense categories, their descriptions and alignment to revised HEM categories.

30 Nov 2017

31 Jan 2018

30 Jun 2018

• Communication and training will continue to be delivered to all colleagues to increase the understanding of revised income scaled HEM and procedures will be revised to mandate the use of an expenditure calculation tool as a mechanism to capture complete and accurate living expenses. Existing lender level reporting will be modified to capture CSLE > Income Scaled HEM measures and where outliers are identified targeted coaching and performance/consequence management will be undertaken.

• With the mandating of an expenditure calculation tool, Lender and validation colleagues will be provided with guidance and coaching on how to investigate and undertake enquiries on customer provided information (including statements) to identify and act on instances where expenses or liabilities are missing, low or inconsistent with the customer circumstances for proprietary originated applications. Steps taken to remediate inconsistencies will be documented to support assurance processes and assurance and monitoring practices will be enhanced accordingly.

Broker

• Bankwest, with broker networks, will develop a suitable solution for the granular capture of living expenses. System requirements will be determined and timelines for implementation will be advised to APRA by March 2018.

• Customer conversation expectations and assurance activities will be aligned to the above proprietary process improvements following system implementation of granular living expenses.

31 Mar 2018

Work underway to upgrade Bankwest loan systems (Project DeNovo) will capture more granular expense data and will be rolled out to home lending applications through calendar year 2018 for both proprietary and broker channels. These improvements will take into consideration an approach to apply the revised HEM measure as a minimum for the aggregate of only those expenses captured within HEM. Through this approach customer stated non-HEM expenses would then be included to determine total living expenses.

For proprietary, Project De Novo is planning to include the deployment of ‘expense guardrails’, where applicants’ initially declared expenses could be compared to income-scaled HEM benchmarks in real-time, with applicants prompted to re-consider their expenses where they are below benchmark.

8. Living expense data required from borrowers is not sufficiently granular to encourage complete and accurate declarations * •

Both CBA and Bankwest use the higher of the living expenses declared by the borrower and the income-adjusted HEM in serviceability assessments.

The effectiveness of this control is predicated on encouraging borrowers to make rigorous estimates of their current living expenses to reduce the risk of incomplete or inaccurate expense declarations and overreliance on HEM as a proxy (see issue 7).

Currently, both CBA and Bankwest require borrowers to declare expenses only as an aggregate number (i.e. 1 or 2 categories). Specifically:

• Both CBA and Bankwest have a budget planner tool that may be used, however it is not mandatory and a copy is not retained with the customer’s application
• In CBA portfolios living expense data is captured in a single field.

Requiring borrowers to ‘unpack’ expense declarations into more granular categories is likely to encourage more comprehensive consideration of living expenses. This is reflected in the actions that some banks have taken recently to implement more detailed declaration requirements.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017)

CBA’s intent is to make the detailed expense data mandatory for all Home Loan originations in both proprietary and broker-originated channels. The new Lender Front End (LFE) proprietary origination system in development will require borrowers to provide detailed living expense information and will record and store this data in separate fields. Similar system changes are planned for the broker origination systems in order to record the same granular expense data. The LFE application form is targeted for implementation by 30 June

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying
Accountable GM: Simon George, Head of Home Buying Risk and Control

As described in the response to item 7, Home Buying is developing a tool to capture living expenses in separate fields as a mandatory step in the application process for Home Buying proprietary channels. This expense information will be presented in the enhanced assessment report for customer acknowledgment from 1 December 2017. Additional system changes will be required to replicate this process in the third-party channels.

Target Date

Proprietary: 1 Dec 2017

Third-party: 30 Jun 2018

2018. CBA will investigate how to integrate the enhanced detailed living expense requirements introduced in LFE into BPB.

Bankwest Response:

BPB (CHL): 1 Dec 2017

Bankwest will continue to encourage the use of the budget planner tool. In the medium term, granular expense data capture has been embedded into the new home loan application system, which is being developed through project DeNovo (due 31 December 2017). System changes are planned for the broker origination systems in order to record the same granular expense data.

Accountable EGM: Paul Vivian, Acting EGM Products, Operations & Analytics
Accountable GM: Ian Sivwright, Acting GM Products & Pricing

As described in the response to item 7, process, systems, assurance and monitoring activities will be revised to ensure the capture of granular living expenses. These changes will be applied in the proprietary channel and timelines for broker channel improvement will be advised to APRA by March 2018.

30 Jun 2018


9. During the review period, management identified that borrower expenses were not completely interfacing into RMG’s home lending system (BOSS)

For loans originated through CBA’s RMG channel, borrower information is captured in front end systems and transferred to the BOSS lending system. Verification and other credit activities are performed based on the data in BOSS by CBA’s Retail Credit Decisioning (RCD) team.

Due to issues with system interfaces, for the period 25 April 2016 to 26 July 2016 borrower expense data fields did not completely interface to the BOSS system. As a result assessments may have been performed on incomplete expense data.

We understand this issue was subsequently remediated as part of the PCO / Transact upgrade in July 2016.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

In June 2016 an incident was identified and resolved via an update to manual process. An additional system fix was introduced one month later with the full implementation of PCO.

As of 10 May 2017, there were 9 remaining accounts where the data discrepancy materially affected the servicing decision. These accounts are monitored by Home Buying and Credit Risk, with all accounts making repayments on or ahead of schedule. A process is being implemented to ensure that if the account falls into arrears it will receive a specific hardships process. Enhancements are also being made to the change management controls to address the root cause of the issue.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying
Accountable GM: Simon George, Head of Home Buying Risk and Control

The root cause underlying this finding was addressed during the review period. An incident (IN-089676 - RMG Mismatch of MLE in BOSS to TRANSACT) was raised on 1 June 2016 and closed on 30 June 2017 after review and approval by RBS Compliance.

The 9 affected accounts were ring-fenced by placement on a watch list by Bluestone collections so that, in the event an affected customer falls into arrears, Bluestone will not follow normal collections procedures but instead contact CBA to agree on a treatment approach. One account was discharged subsequent to the incident closure, leaving 8 affected accounts now active.

Complete


10. There are components of verification of investment property income and expense that do not meet APRA’s guidance released following the review period. There has not been recent detailed analysis by the Group to the adequacy of these approaches to capture property expenses

Borrowers with investment properties will often include rental income in their declared income and serviceability calculation. Across the Group a haircut of 20% of declared rental property income and in CBA a maximum rental yield (gross of haircut) of 6% of the value of the property is used as rental income in the serviceability calculation. Applications must also be escalated for review if rental and other investment income exceeds 50% of total income that is used in servicing.

There is no requirement in verification procedures to ensure the expenses related to owning an investment property (beyond any relevant loan commitments) are captured in the declaration of borrower expense and used in serviceability assessments. For example, fees payable to agents, council rates, maintenance etc.

We understand from management that across the Group the 20% haircut applied to income is designed to incorporate these costs.

In CBA and Bankwest, there has not been any recent detailed analysis performed to consider the adequacy of the 20% haircut to incorporate relevant expenses. Both CBA and Bankwest do perform regular (at least annual) reviews of credit-related policies, including serviceability approaches.

The revised APG223 was released outside the review period, however for completeness we note the following with respect to the Group’s practices as compared to this guide.

As this haircut is applied to income used in a serviceability assessment, this effectively means that the running costs of an investment property are only considered when the income from that property is included in a borrower’s assessment. It is probable that in many cases the property income would exceed the related costs given the serviceability assessment would also include any declared debt repayments on the property regardless of whether income was included. However, this may not always be the case and for borrowers with multiple investment properties, the expense may be significant.

Recent guidance from APRA, which was outside the review period, recommends that the 20% haircut should contemplate the uncertainty of income from investment property only, for example due to periods of vacancy.

We further note that in relation to rental income, APRA considers that in situations where the estimate of income is less reliable, such as with a real estate agent's estimate, less reliance should be placed on this evidence. Across the CBA group, the same haircut is applied regardless of the support provided.

APRA also recommends that serviceability calculations should not include the tax benefit from a borrower's investment property operating at a loss. While this occurred during the Review Period, across the Group there was a policy change in 2015 and the tax benefit of rental properties is no longer included in serviceability calculators for LVRs over 90% and for higher risk postcodes for CBA and for all applications for Bankwest.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017)

CBA and Bankwest agree with the need to allow for periods of vacancy for investment properties as well as the costs associated with ownership. CBA and Bankwest apply a haircut of 20% to rental income to account for both costs and potential vacancy periods. Additionally at CBA we manage rental income usage via:

• A 6% yield cap (4.8% after haircut is applied);
• Referral to Credit Decisioning for applications with greater than 50% reliance on rental and other investment income; and

RBS Response:

Accountable EGM: Nigel Dunn, Acting RBS CRO
Accountable GM: John Dennison, GM Secured Risk Management

A detailed review of investment property income and its treatment for assessing serviceability will be conducted, with findings presented to HL Sub-Committee in March 2018 and implementation timelines to be determined following endorsement at the committee, but no later than 30 June 2018. This review will cover the adequacy of the 20% rental income haircut and how costs associated with investment properties are included in the serviceability calculation.

Target Date

30 Jun 2018

• Analysis of identified high risk postcodes resulted in a more conservative approach with no rental income or tax benefit applied within these areas.

We consider this to be sufficient to allow for costs associated with an investment property. At CBA, further, apartments in high density locations will require LMI from 70% LVR prior to July 2017.

Enhancements to the types of acceptable rental income evidence will be presented to HL sub-committee in September 2017 to only allow a rental appraisal if the property has not been previously tenanted or is not currently tenanted with implementation timelines to be determined following endorsement at the committee, but no later than 31 December.

Bankwest Response:

31 Dec 2017

Bankwest has enacted multiple tightening measures in its servicing calculator for investor loans in recent months. These measures include an increase to the benchmark interest rate, removal of negative gearing benefit, and not allowing rental income from mining towns. These measures, coupled with the 20% rental income haircut (this % has been verified), will be considered for adequacy in the context of the further capture of investment property related expenses. This holistic review will be complete 31 July 2017.

Accountable EGM: Michael Kavanagh, Bankwest CRO
Accountable GM: John Hart, GM Credit Strategy & Analytics

In addition to recent changes involving multiple tightening measures to servicing calculators for investor loans (e.g. a complete removal of negative gearing benefits, not allowing rental income from mining towns), Bankwest completed a holistic serviceability review in July 2017 and will implement the following changes by 30 September 2017:

• Change the minimum Net Income Surplus from the current $1 per month ($12 p.a.) to $50 per month ($600 p.a.) to ensure a buffer is specifically available to cover increasing living expenses. At the same time the mortgage benchmark rate floor will be reduced from 7.35% to 7.25%, still sufficient to buffer for interest rate increases.

• Update HEM to the 17 tier income smoothed version indexing income brackets to current dollars; and,

• Change the default term for existing mortgage debt from 30 years to 25 years and the default term for existing personal loans from 7 years to 5 years.

30 Sep 2017


Further analysis is currently underway on the adequacy of the 20% rental income haircut. Bankwest is considering an additional rental income haircut, particularly for apartments in high density locations until more granular data is available for use through Project De Novo. Findings will be presented to the Retail Credit Risk Committee by December 2017.

31 Dec 2017

Work already underway to upgrade Bankwest loan systems (Project DeNovo) will capture more granular expense data that is outside of HEM including property expenses like agency fees, strata fees and maintenance costs for each property for both proprietary and broker channels. Loan amounts will be specifically tied to properties and property values allowing for the calculation of rental yields and use of rental yield caps where appropriate.

31 Dec 2018

11. The calculation of income-adjusted HEM is based on verified income only, potentially resulting in an inappropriate measure. Serviceability impacts are likely to be limited

In arriving at an income-adjusted HEM measure, we found that this was based on verified income only, which in some situations is less than declared income.

Nevertheless it appears common for borrower-declared living expenses to be even lower than this income-adjusted HEM, which appears counterintuitive (see 7 above).

This is unlikely to be an overall serviceability concern assuming the unverified income exceeds the increase in living expenses that would otherwise be applicable under a higher HEM measure, however in the context of achieving the control objective related to completeness of expenses, this approach reduces the likelihood that the benchmark utilised is an appropriate approximation.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

In calculating serviceability CBA and Bankwest apply the higher of the customer declared living expenses and the income-adjusted HEM. We acknowledge the HEM figure is calculated using verified income, based on:

• Income not required to evidence serviceability; and

• Unreliable income declared, such as unsustainable income or income not accepted under credit policy.

It is probable that additional income not included in the serviceability assessment would be sufficient to cover potential additional expenses.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying
Accountable GM: Simon George, Head of Home Buying Risk and Control

RBS agrees with the principle of the income adjusted HEM measure being based on the declared income of the customer. The complexity of implementing this change is significant as origination systems are designed to capture verified income only. RBS will investigate the practicality of making this change, and assess alternative approaches, if required.

31 Dec 2017

Bankwest Response:

Accountable EGM: Michael Kavanagh, Bankwest CRO
Accountable GM: John Hart, GM Credit Strategy & Analytics

Work is already underway to upgrade Bankwest loan systems (Project DeNovo) and will use declared income for establishing the correct income band for HEM. This upgrade will be rolled out to home lending applications through calendar year 2018.

31 Dec 2018

12. Verification of debts that borrowers declare does not ensure completeness and we identified a number of exceptions during the period * •

The Consumer Lending Credit Policy is dependent on borrowers declaring their debts and other commitments (excluding Monthly Living Expenses). Where a borrower declares debt with other financial institutions, limited verification is performed to ensure the completeness of the debt that is declared by a borrower:

• Bankwest does not require any evidence to be obtained for debts declared by a borrower that are not being refinanced.

• CBA do not require any evidence to be obtained for debts with other financial institutions (if they are not being refinanced) where the borrower is an existing customer

• At CBA, statements are only requested for debt declared by a new-to-bank borrower if the individual debt declared is above $10,000 (and multiple debts below $10,000 can be declared without verification). There is a risk that borrowers declare below this threshold to avoid verification of an otherwise higher debt, or that in aggregate the borrower’s debt is larger than $10,000.

• Serviceability calculators at CBA and Bankwest assume other mortgages declared are on 30 year terms

For debt balances required to be verified as per policy, our sample testing identified the following number of instances where the evidence required by CBA’s CLCP was not obtained:

• 7 out of 64 loan applications tested from CBA Proprietary. Of these 7, 1 was PCAA approved and had adequate documentation to justify the basis for PCAA approval.

• 4 out of 61 loan applications tested from CBA Third party Broker. Of these 4, 3 were PCAA approved and had adequate documentation to justify the basis for PCAA approval.

• 3 out of 60 loan applications tested from CBA Private Bank. Of these 3, 2 were PCAA approved. Of these 2, 1 did not have adequate documentation to justify the basis for PCAA approval.

• 6 out of 61 loan applications tested from CBA Business Bank. Of these 6, 2 were PCAA approved and did not have adequate documentation to justify the basis for PCAA approval.

• 2 out of 25 applications tested from CBA RMG. Of these 2, 2 were PCAA approved and had adequate documentation to justify the basis for PCAA approval.


Original Management Comment (May 2017) Updated Proposed Actions (September 2017)

All CBA facilities are auto-populated to the application and considered verified given the direct nature of the information.

The inquiries made for verification of other financial institution liabilities are considered appropriate based on the advised limit or balance of the facility as well as the relationship of the customer with the Bank (e.g. existing customer).

RBS Response:

Accountable EGM: Nigel Dunn, Acting RBS CRO
Accountable GM: John Dennison, GM Secured Risk Management

Recommendations to enhance the verification of OFI debts, and specifically mortgage debts, will be presented to HL sub-committee in September 2017 with implementation timelines to be determined following endorsement at the committee.

Target Date

31 Dec 2017

The most recent review and update of verification requirements occurred in October 2015 and this approach continued to be considered appropriate by the Home Loan Sub-Committee.

The overall verification of liabilities and commitments is currently under review as required by the RBS Risk Management framework and in response to the APG223 update. To coincide with LFE, implementation of any changes will occur by 30 June 2018.

Adherence to requirements is monitored through CS&M reviews, leading to a Lender error being raised where applicable.

A change is planned to recast repayments over the remaining term using current assessment rates for all mortgages as a long term strategy; this is planned to be implemented by 31 December 2017.

In the interim, the repayment loading will be increased to 30% for OFI mortgage debts and RBS loans will be recast.

The recommendations include:

• Verifying the balance, including any redraw/additional repayments, interest rate and repayments to internet transaction listings and/or statements as appropriate for all OFI mortgage debts

• Verifying the credit limit for all OFI Credit Cards

Implementation is expected within 3 months of approval of any policy change.

Accountable EGM: Dan Huggins, EGM Home Buying
Accountable GM: Simon George, Head of Home Buying Risk and Control

Monitoring of liabilities and commitments in accordance with APG223 will be done via the Command Centre and the enhanced monitoring and file review framework as described above. Error rates, exception rates, and serviceability overrides will be monitored within the new framework. The outputs of the Command Centre will inform targeted responses such as Mystery Shopping, targeted file review, and outcomes testing direct with customer.

30 Jun 2018

Bankwest facilities are auto-populated to the application and considered verified given the direct nature of the information.

The overall verification of liabilities and commitments is currently under review in line with the guidance provided within APG223. Bankwest may consider a change to the calculation of repayments (to a shorter loan term) of OFI debts not subject to refinance.

At the same time, validation procedures do exist to review all application materials for consistency and to seek additional validation when discrepancies are noted. Bankwest will also investigate alternate options to ensure completeness of customer information provided (by 31 December 2017).

Response for BPB-Specific Findings:

Accountable EGM: Chris Williams, BPB CRO
Accountable GM: Leanne McDougall, GM PB BB SME & Digital

BPB notes that it utilises and adheres to the policy and process framework set out for Home loans by RBS. Changes noted in RBS’ response above will flow, in the normal course, to BPB. Similarly, changes made in CHL will capture all BPB loans processed through this platform.

30 Sep 2017

In addition, and as noted in response number 3 above, BPB acknowledges APRA’s concerns and as a result BPB Risk is working to limit the number of staff that can approve Home Loans in BPB, with expected changes to be enacted by 30 September 2017. For those staff with authorities the following actions will be taken to lift commentary standards:

30 Sep 2017

1. A Decision Sheet will be introduced to document PCAA decisions and all risk teams will be coached to ensure justification of verification requires are adequately documented and to call out all exceptions that they are accepting. This has already been implemented in Private Bank and will be extended to all segments/PCAA holders.

2. BPB will hindsight 100% of exceptions approved in September 2017 through its established Hindsight team to validate that commentary standards have been raised and meet APRA’s expectation. Hindsighting of 10% of all exceptions will be conducted for all exceptions approved in the period from October 2017. In June 2018 this process will be reviewed with consideration of the introduction of the Command Centre monitoring.

3. The results of hindsight reviews will be oversighted on a monthly basis by the General Manager Risk, BB SME and Private Bank and reported bi-monthly to the CRO for inclusion in the CRO report to BPB Risk Governance Forum.

30 Jun 2018

BPB will monitor the implementation, effectiveness and impact of these control changes to ensure that they remain fit for purpose.

Bankwest Response:

Accountable EGMs: Paul Vivian, Acting EGM Products, Operations & Analytics & Michael Kavanagh, Bankwest CRO


Accountable GMs: Ian Sivwright, Acting GM Products and Pricing & John Hart, GM Credit Strategy and Analytics

In June 2017 the Bankwest Retail Credit Risk Committee approved the reduction of the term used to calculate existing home loan repayment obligations from 30 years to 25 years. This change will be implemented into systems in September 2017.

30 Sep 2017

Bankwest will implement new processes to verify customer OFI debt information to loan account statements (covering a period of at least one month).

31 Dec 2017

The introduction of comprehensive credit reporting (CCR) will support the industry in verifying debts. By December 2018 Bankwest will begin full participation in CCR and leverage consumption to verify that debts have been declared accurately and to identify debts that have not been declared.

31 Dec 2018


13. There are insufficient controls to identify debts/commitments that have not been declared by borrowers * •

The identification of debt obligations that have not been declared by a borrower is inherently challenging in the Australian market due to a lack of trusted, consolidated third party sources for such information.

As a result, the Group is reliant on assessing the quality of borrower declarations (see 1 above) and considering whether there are indications from other sources that debt/commitments may not have been declared.

The Group currently takes only limited steps to identify possible indications of undeclared debts or commitments:

• In CBA, lenders are required to perform a review of one month’s transaction account activity to identify payments that may indicate undisclosed debt/commitments (‘account conduct check’). While this step compares favourably to peers, it would not identify an undisclosed debt if a payment was not made during the month under review or not from the account covered by the control.

• Bankwest do not require any procedures to be performed to assess the completeness of borrower debt/commitments declared (e.g. review of transactional accounts to identify payments to other credit providers/other commitments)

• Queries are made of a credit reporting agency for many (but not all) applications though these are focused on identifying defaulted payments. While such reporting would only indicate a limited number of credit enquiries by a borrower, the Group does not require the comparison of enquiries to declared debt.

Our sample testing identified that the review of unrecorded liabilities required by CBA policy was not performed in accordance with policy in the following instances:

• 1 out of 64 loan applications tested from CBA Proprietary. This application was PCAA approved and was adequately documented to justify the basis for PCAA approval.

• 11 out of 61 loan applications tested from CBA Third party Broker. Of these 11, all were PCAA approved and were adequately documented to justify the basis for PCAA approval.

• 10 out of 60 loan applications tested from CBA Private Bank. Of these 10, 7 were approved by PCAA. Of these 7, 2 were not adequately documented to justify the basis for PCAA approval.

• 5 out of 61 loan applications tested from CBA Business Bank. Of these 5, 3 were approved by PCAA and all were adequately documented to justify the basis for PCAA approval.

• 14 out of 25 applications tested from CBA RMG. Of these 14, all were PCAA approved and all were adequately documented to justify the basis for PCAA approval.

At Bankwest, some loans had input errors when customer-declared financial commitments were entered into the serviceability calculator. Of the total 145 loans tested, these errors were in:

• 2 of 60 loan applications tested in Bankwest Third Party

• 1 of 25 loan applications tested in Bankwest Business Bank

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA considers the current practice of obtaining and reviewing one month’s transaction activity from the customer’s primary account to be a strong process in identifying regular Other Financial Institution commitment payments and an appropriate inquiry to understand the customer’s financial situation. One month is considered sufficient as it is rare for a commitment to be repaid outside of a weekly, fortnightly or monthly cycle.

In support of the transaction statement review, behavioural scoring via the auto-decisioning models assesses credit quality in part based upon CBA accounts and the credit bureau file. Existing CBA facilities are pre-populated into the application.

CBA is also exploring options on automating undisclosed liabilities checks based on existing CBA transaction facilities.

We note a larger proportion of waivers within the RMG sample. In late 2016 RCD reviewed the appropriateness of waivers for RMG applications. The outcome was a re-setting of appetite and when looking at April 2017 resulted in a 64% reduction in waivers.

For Bankwest, refer to response to finding 12, which applies to this finding as well.

RBS Response:

Accountable EGM: Nigel Dunn, Acting RBS CRO

Accountable GM: John Dennison, GM Secured Risk Management

As part of the Dynamic Decisioning project, CommLiabilities will be utilised to automatically identify potential undisclosed debts from CBA transaction accounts:

• Capability to analyse outgoing payments in CBA transaction accounts, and classify these as liabilities using 6 months of transaction history.

• Initially, classifications will include home loans, personal loans, and credit cards. We will look to expand it to other types of liabilities under continuous improvement activity throughout FY18.

• At initial implementation declared liabilities will be matched against the liabilities identified being paid from their transaction account. This will achieve technical delivery in December, to be gradually switched on from January 2018.

• The second tranche of delivery will allow us to understand if there are liabilities we can see a customer is paying from their account but has not declared. Implementation is expected second quarter 2018.

31

As the CommLiabilities project is underway, CBA will use the learnings from the development and testing to determine the benefit of obtaining and reviewing additional transaction data over a longer period of time beyond the current requirement of one month, by December 2017.

Dec 2017

Validation procedures do exist to review all application materials for consistency and to seek additional validation when discrepancies are noted. For existing customers, in addition to application scoring, internal customer information is used to assess credit quality. This assessment takes account of current account performance and the credit bureau file. Existing Bankwest facilities are pre-populated into the application.

Accountable EGM: Dan Huggins, EGM Home Buying

Accountable GM: Simon George, Head of Home Buying Risk and Control

Monitoring of policy exceptions will be done via the Command Centre and the enhanced monitoring and file review framework as described above. Error rates, exception rates, and serviceability overrides will be monitored within the new framework, with additional actions triggered when:

• Monitored data points move outside of tolerance

• Monitored data points are within tolerance but spiking

• Monitored data points are within tolerance but forecasted to exceed tolerance

• Areas, branches, or individual lenders show unusual behaviour.

30 Jun 18

These triggers will prompt follow-up actions to be defined under the enhanced monitoring framework described in the response to item 2.

Response for BPB-Specific Findings :

Accountable EGM: Chris Williams, BPB CRO

Accountable GM: Leanne McDougall, GM PB BB SME & Digital

BPB notes that it utilises and adheres to the policy and process framework set out for Home loans by RBS. Changes noted in RBS’ response above will flow, in the normal course, to BPB. Similarly, changes made in CHL will capture all BPB loans processed through this platform.

In addition, and as noted above in response number 3, BPB acknowledges APRA’s concerns and as a result BPB Risk is working to limit the number of staff that can approve Home Loans in BPB, with expected changes to be enacted by 30 September 2017. For those staff with authorities the following actions will be taken to lift commentary standards:

1. A Decision Sheet will be introduced to document PCAA decisions and all risk teams will be coached to ensure justification of verification requires are adequately documented and to call out all exceptions that they are accepting. This has already been implemented in Private Bank and will be extended to all segments/PCAA holders.

2. BPB will hindsight 100% of exceptions approved in September & October 2017 through its established Hindsight team to validate that commentary standards have been raised and meet APRA’s expectation. Hindsighting of 10% of all exceptions will be conducted for all exceptions approved in the period from October 2017. In June 2018 this process will be reviewed with consideration of the introduction of the Command Centre monitoring.

3. The results of hindsight reviews will be oversighted on a monthly basis by the General Manager Risk, BB SME and Private Bank and reported bi-monthly to the CRO for inclusion in the CRO report to BPB Risk Governance Forum.

BPB will monitor the implementation, effectiveness and impact of these control changes to ensure that they remain fit for purpose.

30 Sep 2017

30 Sep 2017

30 Jun 2018

Bankwest Response:

Accountable EGMs: Paul Vivian, Acting EGM Products, Operations & Analytics & Michael Kavanagh, Bankwest CRO

Accountable GMs: Ian Sivwright, Acting GM Products and Pricing & John Hart, GM Credit Strategy and Analytics

Bankwest will implement new processes to review internet transaction listings and/or bank statements in line with RBS to identify potential instances of non-disclosed OFI debts.

31 Dec 2017

By December 2018 Bankwest will begin full participation in CCR and leverage consumption to verify that debts have been declared accurately and to identify debts that have not been declared.

31 Dec 2018

14. In CBA’s proprietary channels (i.e. excluding Third Party Banking and RMG) there is a lack of preventative controls to ensure data is accurately entered in to the serviceability assessment

In many cases, borrower information is entered directly into application systems by front line lenders.

Within CBA’s proprietary channel, this task is performed by the same lender who is performing the verification and data entered is not subject to system validations or secondary review unless the application requires escalation for a credit-risk related matter.

CBA application system automatically populates existing CBA debt details. CBA also utilises ‘CommIncome’; a tool to help validate the PAYG income advised by the customer, however this was not used extensively during the period under review.

As a result, loans can be approved and funded prior to the accuracy of data input being subject to any testing, for example by the Credit Support and Monitoring function.

Our sample testing identified a total of 43 loan applications where data was entered incorrectly or there was a calculation/interpretation error within the serviceability assessment, resulting in the following exceptions across these files:

Income:

• 5 out of 64 loan applications tested from CBA Proprietary

• 2 out of 61 loan applications tested from CBA Third party Broker

• 10 out of 60 loan applications tested from CBA Private Bank

• 9 out of 61 loan applications tested from CBA Business Bank

Living expenses:

• 3 out of 64 loan applications tested from CBA Proprietary. 1 resulted in the lower of HEM or declared expense being used.

• 1 out of 61 loan applications tested from CBA Third party Broker

• 2 out of 60 loan applications tested from CBA Private Bank. 2 resulted in the lower of HEM or declared expense being used.

• 4 out of 61 loan applications from CBA Business Bank. 4 resulted in the lower of HEM or declared expense being used.

Financial Commitments (e.g. expenses):

• 6 out of 64 loan applications tested from CBA Proprietary

• 4 out of 61 loan applications tested from CBA Business Bank

Debt (declared):

• 2 out of 64 loan applications tested from CBA Proprietary

• 1 out of 60 loan applications tested from CBA Private Bank

• 1 out of 61 loan applications tested from CBA Business Bank

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA operating model permits front line staff in RBS and BPB to complete verification activities where aligned to credit policy requirements.

Preventative controls in place include pre-population of existing CBA liabilities, and following the review period the enhanced CommIncome model validating declared income was implemented.

The assurance framework has oversight to front line activities, including monitoring of the CS&M major error rate to provide management with a view to the quality of applications being originated. In cases where multiple decision errors are identified for frontline Proprietary Lenders, all applications over 80% LVR must have verification completed by RCD. Additional oversight is provided through CIT reviews and regular audits by CBA’s LMI provider, Genworth Financial.

CBA is reviewing the process around documenting the customer conversation, including declared income and liability information, with the view to implement enhanced documentation signed by the applicants, as described in item 1.

CBA will be reviewing the identified applications to assess whether there are any customer impacts.

It is noted that by their nature, BPB customers tend to be of a more complex nature i.e. either high net worth individuals via the PB channel and/or individuals with businesses structured along corporate lines. We also note BPB applications may be originated via the Commercial loan platform with serviceability data contained in either CCL or CHL and fulfilment via CHL.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying

Accountable GM: Simon George, Head of Home Buying Risk and Control

As noted in the response to item 4, overall Credit Scoring & Monitoring (CS&M) error rates have consistently trended down since the review period and have remained well under appetite, except for a slight uptick during November 2016, following which the declining trend continued. CS&M serviceability error rates remain low and are also continuing on a downward trend from the end of the review period.

The primary preventive controls to address accuracy of data going into the serviceability assessment will come with the development of the Command Centre and enhanced monitoring framework. Although these will be through the use of detective tools, the objective is to substantially increase our early detection of risk events at or soon after the application is submitted for decisioning, with triggers occurring and corrective action taken prior to loan funding.

This type of early detection, intervention, and correction will effectively then function as a preventive control, as the problem can be resolved prior to funding. The objective is to reduce the customer impact of errors and unjustified exceptions by correcting the problem before the assessment of suitability is made or before any funds change hands.

Command Centre and Monitoring Framework: 30 Jun 2018

Assessment Report: 1 Dec 2017

Lender Front End application: 30 Jun 2018

The mandatory enhanced assessment report will include declared income and liability information as a further check to improve the completeness and accuracy of the customer-declared information prior to funding the loan.

Additionally, controls will be built into Lender Front End to improve adherence to verification policies. Following application submission, the enhanced monitoring regime based around the Command Centre will monitor application flows and flag anomalous applications for additional verification prior to funding, as well as identify outlying lenders for further review and consequence management.

In terms of system validation of data, from November 2016, CBA implemented CommIncome v2, an enhancement to the CommIncome model that apportions CommIncome into PAYG salary types based on a customer’s income patterns in alignment with income stability policies. Further work will be required to further increase the usage of CommIncome for verification of income for existing customers.

Response for BPB-Specific Findings :

Accountable EGM: Chris Williams, BPB CRO

Accountable GM: Leanne McDougall, GM PB BB SME & Digital

BPB notes that Home Loans originated in our segment fall within scope for review by the CS&M team. In addition, Home Loans that are concurrently originated with a commercial loan are subject to hindsight review within the BPB hindsight function.

15 Oct 2017

BPB acknowledges APRA’s concerns around data accuracy entered into serviceability assessments. BPB will examine the effectiveness of introducing hard gate checking of serviceability to those segments & geographies where repeated errors are observed by loan approvers, CS&M or the Hindsight team. A decision on this prospective control will be made by 15 October 17, dependent on whether the control is assessed as required and its design effect.

15 Oct 2017

15. User access to serviceability-related systems was not appropriately restricted and reviewed on a periodic basis during the review period

User access administration controls are essential in managing operational risks that arise from inappropriate access rights.

Access to key systems and the underlying infrastructure used in the home loan origination process is not appropriately restricted. Our testing highlighted the following:

• A number of new users were granted access to the CommSee (CBA) and CBS (Bankwest) applications without approval.

• The user access review performed for the Windows Operating System (CBA) and DB2 (Bankwest) databases highlighted that a number of users reviewed their own access rights and not all groups are included in the review process.

• A number of generic or non-user specific accounts were identified across in-scope Bankwest applications that are not managed in line with the Group policy.

• A number of terminated users were not removed from the Oracle database. In addition it was identified that the automated control in place to remove Network LAN access was not operating effectively from July 2015 to September 2016.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

Management has undertaken a review of the access granted and confirmed they are valid but not evidenced through a form completion. Forms have now been completed where they were previously missing. Management can confirm there is no inappropriate activity as a result of this access.

HPE will develop a general uplift in their identity and access management processes including the following steps:

1. Development of a revised HPE Access Management Policy.

2. Review and redesign of roles based access control (RBAC) roles.

3. Development of SOPs outlining both account provisioning and termination for the various layers of access.

4. Implementation of UAV reviews across all access layers, with the results and artefacts of the UAVs stored, as well as evidence of all resulting access remediation. In addition, appropriate checks on the completeness and accuracy of all user listings generated for those User Access Reviews (UARs) will be implemented to ensure that all accounts used by HPE users are included in the UAV review.

Management have identified the following root causes:

■ Line managers not raising timely termination requests in HR

■ Applications currently not onboarded to Identity Manager have to rely on manual methods of removing access when staff leave

■ Exceptions have been noted with HR feed to the iAM system resulting in HR and iAM not being in sync

Management will develop guidance for various stakeholders (Line Managers and Service Owners) on their accountabilities and processes to actively mitigate the risk related to timely removal of access on termination. A new system release will integrate the user access system to the HR system and has implemented controls to ensure the HR records between the two systems are in sync.

The user provisioning issues at Bankwest were due to known RACF connector issues with Bankwest Identity and Access Management platform - Sailpoint (version 6.2). Until the software is upgraded, management will continue to troubleshoot and investigate long term resolution within Sailpoint 6.2 and provide options with recommendations for next steps by 31 August 2017.

Bankwest is updating the SoP within the database management team to ensure peer review is conducted and logged as soon as is practicable (to be completed by 30 June 2017).

Sailpoint 6.2 does not provide Privileged Access Management Functionality. Bankwest is undertaking a series of reviews to determine how best to mitigate the risk of account compromise/unauthorised access in line with Group policy and standards (by 31 October 2017).

RBS Response:

Issue (IS-064120) to ensure a standard process for authorising and retaining access approvals, was noted as closed during the FY16 ES Controls Review by PwC.

Further, a broader Line 1 identified ‘privilege infrastructure access’ issue (IS-068405) is currently being tracked for remediation under DPG. Remediation plan and timeframes are currently being finalised.

This issue covered gaps relating to completeness and accuracy of UARs at OS and DB layers, for DXC managed services.

The rationale for closure of this issue was that DXC have established a set of policies and procedures covering all layers of access across the DXC managed fleet. Tactical implementation of the policies and procedures has been completed with further uplift of DXC’s identity and access management controls currently underway through Project IDM. This remediation is being tracked under an overarching issue (IS-071215) which will deliver the full onboarding of all DXC managed services onto Identity Manager and provide end-to-end automation and consistency in the execution of identity and access management controls.

As part of issue remediation, the following activities have been completed:

• Socialised guidance for stakeholders (including Line Managers and Service Owners) on their accountabilities as it relates to timely removal of access on termination.

• Identified all the PWC relevant Very High/High rated systems, which are not on-boarded onto Identity Manager, and reported to the BU RCCs to be either risk accepted or funded for onboarding. This is currently tracked under issue IS-065808 (due February 2018).

• As part of the Aegis 4.1 release the Identity Manager system now integrates directly with the HR system and has implemented controls to ensure the HR records between the two systems are in sync. PWC also confirmed as part of their FY17 ES Controls review, that the automated control in place to remove Network LAN access was operating effectively and therefore the related LAN issue from the FY16 ES Controls review was no longer applicable in FY17.

Issue is being prepared for issue closure in September 2017.

Closed

30 Sep 2019

Plan to be finalised by 31 Oct 2017; Completion date TBD.

Bankwest Response:

Accountable EGM: Andy Weir, Technology & Transformation

Accountable GM: Shuky Bendek, Digital Protection Group West

• DPG West completed a full automated User Access Review (UAR) of all myAccess applications managed/owned by Bankwest in May 2017 with satisfactory outcomes.

• It is mandatory for all myAccess users to be onboarded into the Bankwest HR application (Talent) before they can be birth righted into myAccess. Line Managers are responsible for submitting terminations within Talent. Once this termination date is realized, an automated task is run to disable the user’s access account and disable/revoke access to any onboarded application which has a fully automated connector. For those applications which use a manual connector to myAccess, tasks are automatically submitted into myAccess for the DPG West Identity and Access Management team to revoke/disable the nominated user. This process is supported by a monthly review of selected high risk applications to identify any Group employees who have been terminated but not detected by Talent. Delivered by Project Atlas, Group HR applications will be consolidated into a single repository which will feed directly into SailPoint (myAccess) and will remove the requirement to run the monthly termination process. This project is scheduled to go live in March 2018.

Completed

30 Jun 2018

• In addition to the above, other long term improvement initiatives to be delivered include:

o The transfer of all myAccess applications from SailPoint to Dell One Identity Manager to have a single Group platform for application and user access life cycle provisioning. This project will commence in October 2017.

o Improved guidance to colleagues on how to conduct UARs.

o Improved governance and scoring of UAR results to ensure they meet expected Group UAR standards.

o DPG West Identity and Access Management team will continue to undertake a series of reviews of service and privileged accounts.
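The four access gaps listed in finding 15 (grants without approval, self-reviewed access and groups missing from the review, unmanaged generic accounts, terminated users still enabled) can each be expressed as a reconciliation between an HR feed, an account listing and the review records. The following is an added example, not code from CBA, Bankwest or the report; the record layouts, employee ids, account names and request references are constructed assumptions.

```python
"""User access review (UAR) reconciliation for the gaps listed in finding 15.
All records below are constructed sample data, not data from the report."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    system: str
    account_id: str
    owner: Optional[str]          # HR employee id; None = no named owner
    group: str
    enabled: bool
    approval_ref: Optional[str]   # access request that authorised the grant


@dataclass(frozen=True)
class Review:
    system: str
    group: str
    reviewer: str                 # HR employee id of the person who signed off
    account_id: str


# Constructed HR feed: employee id -> termination date (None = still employed)
HR = {"e100": None, "e101": date(2016, 3, 1), "e102": None}

# Constructed account listing (hypothetical account names and request refs)
ACCOUNTS = [
    Account("CommSee", "jsmith", "e100", "lenders", True, "REQ-1"),
    Account("CommSee", "akhan", "e102", "lenders", True, None),
    Account("Oracle", "bwong", "e101", "dba", True, "REQ-2"),
    Account("Oracle", "svc_batch", None, "dba", True, "REQ-3"),
    Account("DB2", "jsmith_db", "e100", "db_admins", True, "REQ-4"),
    Account("DB2", "akhan_db", "e102", "db_readers", True, "REQ-5"),
]

# Constructed review sign-offs; the DB2 "db_readers" group was never reviewed
REVIEWS = [
    Review("CommSee", "lenders", "e102", "jsmith"),
    Review("CommSee", "lenders", "e100", "akhan"),
    Review("Oracle", "dba", "e100", "bwong"),
    Review("Oracle", "dba", "e100", "svc_batch"),
    Review("DB2", "db_admins", "e100", "jsmith_db"),
]


def _key(a):
    return f"{a.system}/{a.account_id}"


def terminated_still_enabled(accounts, hr, as_of):
    """Enabled accounts whose owner left on or before `as_of`."""
    hits = []
    for a in accounts:
        left = hr.get(a.owner) if a.owner else None
        if a.enabled and left is not None and left <= as_of:
            hits.append(_key(a))
    return sorted(hits)


def missing_approval(accounts):
    """Enabled accounts with no recorded access approval."""
    return sorted(_key(a) for a in accounts if a.enabled and not a.approval_ref)


def generic_accounts(accounts, hr):
    """Accounts that cannot be tied to a person in the HR feed."""
    return sorted(_key(a) for a in accounts if a.owner is None or a.owner not in hr)


def self_reviews(accounts, reviews):
    """Review sign-offs where the reviewer certified their own account."""
    owner_of = {(a.system, a.account_id): a.owner for a in accounts}
    return sorted(f"{r.system}/{r.account_id}" for r in reviews
                  if owner_of.get((r.system, r.account_id)) == r.reviewer)


def unreviewed_groups(accounts, reviews):
    """(system, group) pairs with enabled accounts but no review sign-off."""
    in_use = {(a.system, a.group) for a in accounts if a.enabled}
    covered = {(r.system, r.group) for r in reviews}
    return sorted(in_use - covered)


def run_uar(accounts, hr, reviews, as_of):
    return {
        "terminated_still_enabled": terminated_still_enabled(accounts, hr, as_of),
        "missing_approval": missing_approval(accounts),
        "generic_accounts": generic_accounts(accounts, hr),
        "self_reviews": self_reviews(accounts, reviews),
        "unreviewed_groups": unreviewed_groups(accounts, reviews),
    }


if __name__ == "__main__":
    for check, hits in run_uar(ACCOUNTS, HR, REVIEWS, date(2016, 9, 30)).items():
        print(check, hits)
```

The completeness check on groups matters as much as the per-account checks: a review that never sees a group cannot flag anything in it.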

16. Some users had access to develop and promote code in the CommSee system

Where access to the production, development and test environments of an IT system is not sufficiently segregated, there is an increased risk that application support teams bypass change management processes and make unauthorised or untested changes to application code. This could result in business critical applications behaving inaccurately or inconsistently.

The Group mandates that privileged access to the production environment be segregated from access to make code changes for all applications.

Our testing identified a number of users have access to develop and promote code in the CommSee production environment.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA management reviewed access rights to develop and promote code to CommSee. Inappropriate access was removed to ensure segregation of duties exist.

RBS Response:

A plan to define control considerations is currently being drafted, which will include control ownership and remediation due dates. Once agreed, remediation will be tracked through RiskInSite.

30 Sep 2017

17. Weaknesses in the IT control environment around BOSS system

BOSS is the system used by the RMG business in the origination of residential home loans. CBA have engaged a third party (Bluestone) to manage and support the BOSS application. To gain comfort over the controls designed and placed into operation by the third party, CBA received an ASAE3150 on the design effectiveness of controls.

The ASAE3150 report was obtained by CBA and it was noted that an adverse opinion was issued. As a result reliance cannot be placed on the BOSS application for the purpose of this review.

Management has initiated a remediation plan to improve the control environment, however, no assurance has been obtained to date to verify that the issues noted have been addressed.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

CBA and RMG management initiated a PWC review in June 2016 to provide assurance over the control environment at Bluestone. The findings of this review identified a number of control weaknesses with the supplier.

Since then, Bluestone re-engaged PWC for a separate engagement to address these weaknesses. This included:

• Risk and control workshops to build capability for Bluestone employees;

• Review and enhancement of all Bluestone controls to remediate initial gaps; and

• A second review assessing the design effectiveness of all implemented and proposed controls.

In December 2016, this second review from PWC highlighted that “significant progress” had been made since the initial June 2016 review, and that ~75% of previously identified gaps appeared resolved. CBA partnered Bluestone through this process. All remaining control gaps are prioritised to be resolved as part of BAU over the next six months.

A third PwC review will be commissioned in 2017 to review the operating effectiveness of the control environment. Findings of this review are being targeted for October 2017.

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying

Accountable GM: Simon George, Head of Home Buying Risk and Control

The target date of October 2017 has been extended to March 2018, as Bluestone have advised that PwC will complete an additional round of design effectiveness testing for all Bluestone controls prior to initiating the operating effectiveness review, and that they will need 6 months of clean data with which to assess the operating effectiveness.

31 Mar 2018

18. The code used to extract the list of loans for control testing by CBA and Bankwest has not been recently validated

CBA (Credit Support and Monitoring, CS&M) and Bankwest (Credit Quality Review, CQR) have both implemented a control function that reviews a sample of funded and prefunding (but fully approved) home loan applications in a given period.

This is a key detective control to ensure compliance with, among other things, the verification requirements of the relevant Consumer Lending Credit Policy. CS&M aim to test a minimum of 6% of approved mortgage applications on a monthly basis and we understand that on average 6.11% of loans were tested during the period. CQR have a minimum threshold of 5% and 7% were tested during the review period.

The codes used to extract the populations from which samples are selected for both CS&M and CQR were not validated in the period under review. This is not in accordance with CS&M Standard Operating Procedures and there may be a risk that loan populations are omitted from selection if the code is not appropriate.

Management Comment CBA Response Target Date

The CS&M sample extraction code was reviewed in July 2015, two months prior to the review period. In 2016 the Assurance Optimisation project was commenced to review the CS&M selection, workflow and review processes, with the intent to improve the functions through tools such as robotics and an enhanced targeted selection scorecard.

The codes used to define samples for CQR testing at Bankwest were developed to ensure a representative sample size and to over-sample higher risk segments. Bankwest acknowledge that this code has not recently been reviewed, and will complete this task by 30 September 2017 and annually thereafter.

RBS Response:

Accountable EGM: Paul Newham, EGM Group Operations

Accountable GM: Cherie McKinnon, GM Credit Decisioning

CBA will conduct the independent review of the Credit Support and Monitoring CS&M data for completion by 30th November 2017. This will validate the completeness and appropriateness of all characteristics, ensuring all necessary loan populations are included. A key control has been created in RiskInSite for the Retail Credit Decisioning (RCD) risk profile to ensure annual compliance going forward.

Bankwest Response:

Accountable EGM: Michael Kavanagh, Bankwest CRO

Accountable GM: John Hart, GM Credit Strategy & Analytics

Bankwest completed an initial review of the code and will conduct an annual review of the code going forward. This review involved an independent review of the data build and sample selection logic used to generate the CQR target sample.

The review identified that a coding enhancement to the sampling approach is required, which will be actioned by November 2017.

30 Nov 2017

30 Nov 2017

19. A snapshot of the serviceability calculation for Bankwest loans is not retained on file

At Bankwest, a snapshot of the serviceability calculator is not retained with the customer's application, as a change to the Lendnet system in February 2017 removed this feature.

As a result, control functions that review loan applications (e.g. Credit Quality Review) are required to manually re-create the calculator using the benchmarks (e.g. interest rate and HEM) applicable at the time of the application.

There is a risk that the relevant control functions do not detect errors in applications as a result of using incorrect rates in the manual reperformance highlighted above, though we note that during our testing we did not identify any such cases.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

Though it is possible to recalculate the servicing outcome using stored data inputs, Bankwest acknowledge that there would be efficiencies in recording a snapshot of this outcome on system. Bankwest will re-introduce this system capture of servicing outcomes by 30 September 2017.

Bankwest Response:

Accountable EGM: Michael Kavanagh, Bankwest CRO

Accountable GM: John Hart, GM Credit Strategy & Analytics

The Sanctioner Summary Screen in Lendnet was reinstated in Lendnet in July 2017.

Closed

20. Applications received via CBA’s captive Home Lending Solutions brokers are not subject to the same validation checks as other third party originated loans

Home Lending Solutions (HLS) is an origination stream consisting of independent lenders who only originate CBA products as authorised credit representatives under the Bank’s credit license. They are typically self-employed.

Loans originating from HLS may not be subject to the secondary review that is applied to other Third Party originated loans.

As a result there is a reliance on the verification of borrower information performed by a third party that is not employed by CBA.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

HLS managers and lending specialists are appointed authorised/credit representatives under the Bank’s ACL and AFSL to perform services “exclusively” for CBA. Commission payments for HLS managers differs to Third Party Brokers.HLS managers and lending specialists are required to complete (and maintain through ongoing training) a Bank delivered training and coaching program to gain aCertificate IV in Financial Services (Finance/Mortgage Broking) over a 6 month period. Those who have completed an external Cert IV are required to complete additional CBA training to ensure it meets the Bank’s requirements.Per the requirements of the Mortgage Innovation Services Agreements, HLS managers and lending specialists must perform verification strictly in accordance with GroupPolicy. Non-adherence to this can lead to serious consequences including loss of commission and termination of agreement. The Bank reserves the right to review a delegation at any time and to revoke or suspend any delegation granted (clause 2.4).The channel is subject to oversight through sample reviews conducted by CS&M (with proportionally higher sample sizes as compared to Proprietary channels), and

RBS Response:

Accountable EGM: Dan Huggins, EGM Home Buying

Accountable GM: Simon George, Head of Home Buying Risk and Control

A CBA working group is reviewing the strategic direction of the HLS channel. CBA remains committed to reviewing the operating model and control environment for the channel’s verification processes by the end of December.

The proportionally higher CS&M sample size for the HLS channel as noted in the original response remains in effect in the meantime.

31 Dec 2017

RCBA.0517.0002.0051

inclusion in other CS&M targeted sampling and standard oversight through the RCD referral process. CBA commits to reviewing the operating model and control environment for Home Lending Solutions in regard to verification processes by 31 December 2017.

21. Some loan applications originated through Bankwest’s Private Banking portfolio did not pass through the validation functions

Throughout the period of review, Bankwest’s Private Banking portfolios were part of the Bankwest Business division. Almost all loans originated in Bankwest Business would either be validated by Business Credit or by Business Lending Quality Assurance (BLQA) if they were approved under LDA. However, only customers with business lending facilities would have their residential mortgage applications validated by BLQA. Residential mortgage applications as part of the Private Bank portfolios would often not be validated by BLQA as they are not related to business facilities. In our testing of 145 loan applications, we identified 2 applications that did not go through one of the validation functions and in one of those applications we identified an exception.

Original Management Comment (May 2017) Updated Proposed Actions (September 2017) Target Date

This gap is known by Bankwest and is currently under issue management, with a solution due to be implemented by 30 June 2017. The solution will ensure validation of 100% of applications prior to approval, by an independent colleague. Checklists to support the validation have been developed based on Retail Lendnet Hard-Gate check lists and the existing GLS process for Retail Home Loans.

Bankwest Response:

Accountable EGM: Michael Kavanagh, Bankwest CRO

Accountable GM: John Hart, GM Credit Strategy & Analytics

The existing issue was closed in June 2017 following the implementation of validation checklists, which are to be completed by an independent colleague for all Genesis home loan applications and will be tracked via validation processes.

Closed

Attachment D - Materials provided as part of meeting on 25th August 2017

RCBA.0517.0002.0052

Overview

1. RBS priorities and timeline of improvements

2. Bankwest priorities and timeline of improvements

3. RBS key strategic initiatives to strengthen the environment

- Lender Front End and Serviceability Calculator
- Written Assessment Report
- Portfolio Monitoring and Assurance
- HEM and Exceptions
- End-to-End Process View of Risk

4. Bankwest approach to living expenses and customer confirmation, including Project DeNovo

5. Update on improvements to serviceability override reporting

6. Review of credit policy for alignment to APG223 updates

7. Other key findings for Bankwest

8. Appendices

| Commonwealth Bank of Australia |


RCBA.0517.0002.0053

Aligned with PWC review findings, a significant program of work is underway within Home Buying to improve outcomes

Workstream / Specific initiatives being delivered / Investment

Improved financial information collection and verification
• Lender Front End: transform information capture, validation, and verification. Enhance customer conversation
• Serviceability calculator: standardise and simplify serviceability calculation across business
• Dynamic decisioning: improved expense breakdown and question set, utilisation of existing customer data in decisions

Enhanced customer acknowledgement and validation
• Written Assessment Report: mandatory, customer signed summary and revalidation of all data used to assess loan
• Top-up processes: enhanced digital top-up experience, expenses breakdown, purpose capture and acknowledgement
• Interest Only Customer acknowledgement: provided to all IO customers capturing purpose of loan and IO payment profile

Real-time portfolio monitoring and assurance
• Automated assurance and portfolio monitoring: Data led assurance and outlier management through Command Centre
• Mystery shopping: Targeted and regular reviews of customer interaction points
• File reviews and outcome testing: Enhanced file reviews and targeted customer outcome validations

Ongoing improvement in end-to-end Home Buying process
• End to end Risk Process: 90 day Risk Profile Review and Refresh and Major Risk Reduction Programme
• Benchmark (HEM) review and interview guide: Industry review of approach to HEM and customer inquiry
• Automated serviceability exceptions reporting: Detailed and automated Serviceability overrides

Investment: $38m


RCBA.0517.0002.0054

The program of work will continue to deliver improvements over the next 12 months

[Timeline figure. Legend: Delivered, In progress. Axis: 2016; 2017 (Q1, Q2, Q3, Oct, Nov, Dec); 2018 (Jan to Dec)]

• Nationwide launch serviceability calculator w/ detailed MLE categories

• Project initiated to implement written assessment report

• Mandatory interest only customer acknowledgement

• Enhanced early switch monitoring

■ Build underway for CommSee tool to record & store detailed MLE categories

■ Serviceability calculator pilot begins

■ Further IO communications

■ New switching notification letter

■ Communication to all IO customers giving switching info

■ Foreign income documents are only accepted from NAATI accredited translators

■ All foreign income applications referred to RCD

■ Enhanced written assessment report, signed by all borrowers before funding

■ ‘Command Centre’- dashboard reporting of risk analytics

■ ‘Command Centre’ outlier detection completed

■ All exception reports automated, real time with push notifications

■ HLS applications referred to RCD

■ Broker channel application quality enhancements

■ System change to enable recording of detailed MLE categories without manual worksheet

■ Lender Front End phase 2 pilot

■ Review of serviceability data by KPMG

■ Top-up process enhancements national rollout

■ ‘Command Centre’ Workflow tracking launch

■ Enable digital repayment type switches in the new switching tool

■ ‘Over the shoulder’ switching authentication for multiple borrowers

■ Improved switch form for use in branches

■ Streamlined system capture of customer reason for wanting IO

■ Refinance scripting

■ Dynamic decision introduction of expense breakout and enhanced questions

■ Automated serviceability exceptions reporting

Lender Front End phase 3 enhancements

■ Implementation of LFE Phase 2 application, including detailed MLE and dynamic product selection questions, reason capture for product & feature selection and enhanced scripting for refinance reason capture

■ Dynamic Decisioning CommLiabilities v3 delivered

■ ‘Command Centre’ KRI forecasting launch


RCBA.0517.0002.0055

Aligned with PWC review findings, significant works are underway within Bankwest to improve outcomes.

Theme / Specific initiatives being delivered

Improved financial information collection and verification
■ Project DeNovo - Bankwest is transforming its customer lending experience and enhancing the capture of customer information.
■ Broker Platforms - Collaborating with brokers on platform enhancements to enable more granular capture of customer expense information.
■ Budget and Expense Planner - A tool available through BW’s public web-site for use by customers and colleagues that provides a granular view of customer expenses.

Enhanced customer acknowledgement and validation
■ Customer Needs Assessment - Improving the quality and capture of customer conversations and needs assessment.

Portfolio monitoring and assurance
Governance - Retail Credit Risk Committee, Retail Risk Forum, and Broker Governance Committee:
- Plan and track progress of actions to improve serviceability process, controls, and assurance activities.
- Monitor and provide oversight of CSLE utilisation, serviceability exceptions against targets and consequence management.

Ongoing improvement in end-to-end Home Buying process
Prudent Servicing Assessment Measures
- Holistic review of servicing assessment calculator (benchmarks, floors, buffers).
- Increased monthly surplus requirements, reduced loan term assumptions, removed negative gearing benefit, higher credit card payment expectations.

Risk Culture
Risk Culture Journey - Continued progress against each of the elements described within the PWC Risk Management Maturity Model and People Capability & Culture Model.


RCBA.0517.0002.0056

Bankwest Improvement Timeline

[Timeline figure: monthly axis from Jul 2016 to 2018]

Jul 16: Customer Needs Assessment Diagnostic completed and program established to address diagnostic recommendations.

Jun 17: Bankwest Retail Credit Risk Committee has approved an increase in the minimum surplus NICL to $50 p.m. and aligned HL assessment rate floor to minimum of 7.25%.

Jun 17: Manual validation checklist implemented in Bankwest Private Banking.

Jun 17: Retail Credit Risk Committee approved OFI HL term used in serviceability calculations to be reduced from 30 years to 25 years and PL term to be reduced from 7 years to 5 years.

Feb 17: Capping of negative gearing benefits from serviceability calculation

CY18: Work to upgrade loan systems underway (Project DeNovo) which will capture more granular expense data and investment-related expenses and total declared income for determining HEM banding.

Oct 16: Introduced KRIs and progressive minimum thresholds for the proportion of new lending in which CSLE are higher than base HEM.

Aug 16: Budget & Expense planner monitoring implemented through KRIs with supporting training, coaching and increased focus on control testing.

Mar 17: Retail Lending Customer Needs Assessment tool implemented

Sep 17: Implementation of 17 tier income scaled HEM.

Jun 18: Current practice of requiring a borrower to verify accuracy of their details prior to funding will be expanded to the broker channel.


The Home Buying Serviceability Calculator delivered a more standardised and automated servicing calculator to enable better customer outcomes

R17.0002.0057

Background

• Multiple serviceability repayment and up front cost calculators existed across the business
• Calculators were manual in nature and required inputs from multiple sources and manual calculations
• Lenders required pre-existing knowledge of credit policy to perform the assessments effectively
• A single serviceability calculator was required to improve completion and control

Progress

• Delivered in August 2017 to over 1400 lenders nationwide
• A single serviceability calculator also rolled out to credit decisioning team ensuring better consistency
• Full actuarial testing of calculator completed by Ernst & Young

How we will close the gap

Areas: Monthly Living Expenses and HEM Usage; Verification / Completeness of Customer Financial Information; Obtaining Customer Declarations; Data Input Controls; Exceptions to Policy

• Break out of customer declared living expenses by expense category, frequency, guidance, and warnings
• Automated calculations based on customer captured data and policy
• Dynamic policy guidance based on customer information
• Pre-population of data from CommSee
• Data validation for mandatory application fields
• Automated calculations to prevent input and calc. errors
• Built in policy and rules, automated calculations, guidance and scripting


RBS is mandating the detailed breakdown of living expenses through Lender Front End

RCBA.0517.0002.0058

Capability for lenders to enter expenses as a break down of individual categories

Guidance text dynamically appears where the amount entered is below thresholds to prompt lenders to do further expense enquiries

Frequencies can be easily changed by lenders with conversion done in the background to avoid manual errors

Tooltips available to prompt clients on types of expenses per category

[Screenshot: Lender Front End "Financials" screen. Living expense categories, each with an amount and a frequency selector (Monthly, Yearly): Food; Housing and Communication; Education; Clothing and Personal Care; Transportation; Medical and Health Care; Insurance; Travel, Recreation and Entertainment (tooltip: "E.g. holidays, gym fees, sports costs, eating out, alcohol, gambling, tobacco"); Other. Also shown: "+ Add Household" and "Total Living Expenses".]

Lender Front End will transform the capture of information, validation of information and enhance the customer conversation

RCBA.0517.0002.0059

Background

• Lenders required pre-existing knowledge of credit policy to perform the assessments effectively
• Lenders required pre-existing knowledge or look up document verification requirements based on individual customer information
• No pre-population from manual servicing calculator

Progress

• Lender Front End is delivered in two phases:
• Phase I delivered a new compulsory home loan serviceability calculator in August 2017
• Phase II new home loan application front end scheduled for February 2018 pilot
• Phase II build underway, with design and requirements completed

How we will close the gap

Monthly Living Expenses and HEM Usage
• Mandatory breakout of customer declared living expenses
• Revised question set for Inquiry into Living Expenses

Verification / Completeness of Customer Financial Information
• Dynamic document checklist to ensure correct supporting information verified
• Additional data validation, guidance text, and scripting

Obtaining Customer Declarations
• Capture of customer needs and objectives for product type, repayment type, and features

Data Input Controls
• Pre-population of data from the calculator into the application
• Data validation for mandatory fields
• Automated calculations to prevent input and calc. errors

Exceptions to Policy
• Built in policy and rules, automated calculations, guidance and scripting

The Enhanced Written Assessment Report will become a key validation step and provide greater transparency to the customer

RCBA.0517.0002.0060

Background

Home Buying self-identified a need to strengthen the documentation of borrower financial information used in the serviceability introduce a process for the borrower to confirm the completeness and accuracy of such information

Progress

Home Buying has initiated a project to design and implement an enhanced assessment summary report. Requirements have been defined and a solution is in the design phase. Implementation is release-dependent; once designed, the solution will be prioritised for implementation in the next available scheduled release cycle.

How we will close the gap

Verification / Completeness of Customer Financial Information

Customer signs to acknowledge the accuracy of financial information captured, product selection and identification of need

Obtaining Customer Declarations

Data Input Controls

Exceptions to

Written assessment report captures loan purpose and needs and objectives of the customer

Replaying the breakdown of customer financial income and declarations

Monthly Living Expenses and HEM Usage

Replaying the breakdown of the customer declared living expenses with


From our end to end work we are reshaping the Home Buying Monitoring and Supervision Framework

RCBA.0517.0002.0061

Background

• Process view of risk work identified that the monitoring framework for Home Buying was fragmented and inconsistent across channels
• EY were engaged in March 2017 to perform an assessment of current state monitoring and supervision across the end to end Home Buying Value Chain and development of best practice monitoring and oversight framework

Progress

• A draft monitoring and supervision framework has been developed to encompass all channels
• Significant investment is being made in the development of a Home Buying Data Command Centre
• Key test and learn activity has commenced on Machine Learning algorithms with Data scientists to develop outlier and flow monitoring

How we will close the gap

Monthly Living Expenses and HEM Usage

Data driven analysis of HEM usage, Living expense anomalies and concentration of lending with assigned and consistent response categories

Verification / Completeness of Customer Financial Information

Development of machine learning capability to identify concerns

Revised assurance and responses to data outliers

Obtaining Customer Declarations

Using data assurance techniques to obtain positive confirmation that customer declarations are obtained.

Data Input Controls

Exception report command centre and data validation monitoring to identify anomalies

Exceptions to Policy

Data analytics developed to identify policy exceptions across all channels

Overview of the Proposed Home Buying Monitoring Framework

RCBA.0517.0002.0062

End to End Multi Channel Monitoring Framework

Data Development and Augmentation

Development of stitched internal credit and product data with external industry, specialist and macro-economic data sources

Data Analysis

Development of statistically informed Rules Based and Machine Learning analytics to drive process and responses

Home Buying Command Centre

Exception and Control Centre

Management Information and Process Monitoring

Portfolio Insight and Lending Quality

Monitoring

Forward Looking Horizon scanning

Suite of Responses

Product and Business Exception Reporting centralised to monitor execution of critical controls

Control Reporting across all product features across all channels

Early Identification of process breaks, Deep Dives and Causal Analysis

Positive Assurance that product and process operating effectively

Management of specific flow outliers - e.g. low HEM pre- funding review

Increased capability in
• File Reviews
• Mystery Shopping
• Outcomes Testing
• Deep dive Reviews
• Data driven assurance

Portfolio monitoring identifying future potential portfolio issues

Increased capability for
• Pricing response
• Policy Response
• Process Response


RCBA.0517.0002.0063

Home Buying is focused on improving our approach to the capture and assessment of customer declared living expenses

We are maintaining our focus on serviceability outcomes

• Continue to use HEM as a key determinant in assessing serviceability outcomes

• Exploring alternative modifications to the current HEM model to make short term adjustments to the HEM figure used in servicing calculations to be more conservative

• Working with the Melbourne Institute on the future construct of HEM, aligned to the objectives of the measure in the context of serviceability and the focus of the inquiry made of the customer

We are reviewing the customer conversation and the method of capture

• Reviewing and clarifying the purpose and objective of the minimum living expense questions along with the industry working group, focussing on future expense behaviour

• Reviewing the current processes and how inquiry is made into living expenses asked across all origination channels

• Developing and mandating what information is to be captured as part of the living expense discussion and updating systems and application processes to align to the new requirement

• Developing data analytics to monitor and investigate outlier expense data and capture

We have developed a consistent approach to identify and resolve gaps and enhancements across the control environment to reduce the risk profile of the business

RCBA.0517.0002.0064

Identification / Define Requirements / Provisional Allocation / Allocation / Delivery / Reduction

A risk o Requirements are The requirement is 0 The Delivery is “Buy down” ofreduction defined provisionally allocated to requirement is monitored riskopportunity is What exactly do we a potential delivery mode assigned toidentified via: need to deliver to The requirement may best an owner Any proposed Requirements are

resolve the risk? be addressed by: (project, issue, changes are delivered and• Issue or BAU)and escalated to HB closed.

Q An existing in-flight / agreed upon leadership• Incident Existing planned project before The impact of the

requirements are requirements are delivered• Causal reviewed or de-scoped. requirements is

analysis of assessed fora Risk Issue Management or Any reduction of the

O BAU Product requirements associated risk andIn-flight and planned Management not delivered overall Homeprojects are reviewed return to the Buying risk profileAre there or backlog ofopportunities to unallocateddeliver risk reduction? A new project may be requirements

needed and are re­A business case and cost assessed andestimate is prepared and prioritisedprioritised

RCBA.0517.0002.0065

Bankwest Response - Living Expenses & Customer Confirmation

PWC recognised the need for recording expenses in defined categories to hold a more accurate figure, and customer confirmation of application details only occurs after unconditional approval

Actions taken

• Governance forums monitor CSLE v HEM (both base HEM and income scaled HEM).

• As at June 2017, 59% of new approvals had CSLE greater than base HEM, while 30% of new approvals had CSLE greater than Income Scaled HEM.

• Use of the Bankwest budget planner tool (which encompasses granular expense categories such as transport, household, entertainment etc.) has been reinforced in the past 12 months, leading to improved outcomes in CSLE to HEM.

• Ongoing monitoring and coaching is occurring to help ensure accurate expense data capture.

Planned Activities

• Work to upgrade loan systems underway (Project DeNovo) which will capture more granular expense data.

• This upgrade is currently being piloted through the new Personal Liability Small Business Credit Card application process, with a view to it being progressively rolled out to home lending applications through calendar year 2018.

• The current practice of requiring a borrower to verify accuracy of their details prior to funding will be expanded to the broker channel by 30 June 2018.

• Bankwest is considering revising the current process to obtain customer signatures earlier in the loan application/approval process.

[Chart: % New Approvals where CSLE > Base HEM, by month, with Amber and Red threshold lines. Annotation: Implementation of metric starting from Oct-16.]

Note: %New approvals where CSLE > Base HEM are based on the reported figure for respective month.

RCBA.0517.0002.0066

Bankwest Project DeNovo

Enhancing Customer Expense Information Capture

DeNovo: System Screens

Through Project DeNovo, Bankwest is transforming its customer experience and enhancing the capture of customer information.

[Screenshots: DeNovo system screens, including "What is your living situation?", "Let's go over your expenses", "Tell us what you usually spend", questions on an existing mortgage (property value, repayments, amount left to pay, lender, shared mortgage), rent/board, and "Do you have anything else?" (assets, loans or liabilities in the applicant's name, such as vehicle finance and savings / shares), followed by a calculation result screen.]


RCBA.0517.0002.0067

Bankwest Project DeNovo

Enhancing Customer Expense Information Capture

Mobile Design Examples

[Screenshots: mobile screens for "Step 3 Expenses". Living situation: "What is your situation at 300 Murray St, Perth WA 6000?" (We own / We rent); "At this place, are either of you financially supporting anyone? (adults or children)"; "How many adults?"; "Are they working?"; "How many adults are working?"; "How many children under 18?"; "Do either of you have a HECS/HELP debt?"; "Who has a HECS/HELP debt?". Expense fields: "What's your portion of household expenses?" (%); Rent/board; Utility bills, insurance and health; Entertainment; Education and childcare; Fuel, parking and transport.]


RCBA.0517.0002.0068

Bankwest Budget and Expense Planner

• The Bankwest Budget and Expense Planner was introduced in 2013 as an optional tool to assist customers in arriving at an estimate of their expenses.

• In August 2016, an awareness campaign was instituted internally to heighten the use of the expense planner tool.

• Monitoring tracks the proportion of lending where customer stated expenses are lower than HEM benchmarks. These are tracked at a portfolio level, though are also available at a colleague and broker level.

• Exception reporting was enhanced in September 2016 to provide CSLE vs HEM data at a banker level. This allows management discussions and coaching where CSLE levels are below expected ranges.

[Screenshot: Bankwest Budget and Expense Planner, Expenses tab, with the Motor Vehicle / Transport section expanded]

Expense | Amount | Frequency | Annual Amount
Motor Vehicle Registration | 500 | Annually | $500
Petrol | 30 | Weekly | $1,560
Maintenance and repairs | 350 | Annually | $350
Public Transport | 50 | Weekly | $2,600
Parking | 10 | Weekly | $520
Enter another vehicle expense | 0 | Annually | $0

Other sections (collapsed): Household Expenses; Living Expenses; Insurance & Superannuation; Loans & Credit Cards; Leisure, Entertainment & Donations

Total Annual Expenses $39,520


RCBA.0517.0002.0069

We are on track with the strategic solution to improve serviceability overrides reporting

CBA will implement an automated solution for reporting serviceability overrides in line with APRA’s reporting guidance by the end of September 2017.

The quarter to December 2017 will be the first full period for reporting under APRA’s definition.

New processes will be implemented across the BPB business and BWA business originated Home Loans in order to align the capture of overrides across the Group.

Both RBS and Bankwest have existing serviceability exception reporting, with controls in place to ensure the accuracy and validity of the exception being recorded

Reporting design will allow segmentation into reasons, including overrides related to verification requirements, bridging and temporary fails etc.

Serviceability Override Categories

• Expenses and Liabilities i.e. Expenses/liabilities updated to reflect applicant’s expected commitments
• Income Type or Method i.e. Inclusion of income from alternative type or method to reflect applicant’s expected income
• Verification Requirements i.e. accepting reduced verification
• Serviceability Fail i.e. accepting servicing calculation fail.
• Bridging Period Serviceability Fail i.e. Accepting temporary servicing calculation fail during a bridging loan period.
• Temporary Serviceability Fail i.e. Accepting temporary servicing calculation fail.

[Gantt chart: actions by month, Feb-17 to Sep-17, with ARF 320.8 Reporting and ARF 320.8 Regulatory Reporting markers. Actions: Working Group to agree aligned Regulatory Reporting Definition; Training of staff (BPB, RBS, BWA Retail and BWA Non-Retail); Design of automated system solution (CBA and BWA); Implementation and testing of system solution (CBA and BWA).]


We are reviewing credit policies for APG223 alignment

RBS and Bankwest credit policies are being reviewed in line with expectations highlighted by APRA in the APG223 update.

There were two main areas of review:

Income verification and buffers

Serviceability and liability verification

Implemented To Be Implemented Under Development

• RBS: Increased automated servicing loading on existing OFI mortgage repayments from 20% to 30%.

• RBS: Existing CBA mortgage repayments calculated on the higher of the current rate + 2.25% (less any discount) or the floor assessment rate of 7.25%

• Bankwest: Credit card repayments increased to 3% of the credit card limit, up from 2.5%.

• Bankwest: Capping of negative gearing benefit in servicing assessment.

• Bankwest: The HL term used in serviceability calculations for existing / OFI debt will be reduced from 30 years to 25 years

• Bankwest: increase in the minimum surplus from $1 per month to $50 per month. The intention is that this supplies a buffer for expenses that are not otherwise accounted for using the maximum of CSLE vs Income Scaled HEM.

• RBS: Credit card repayments increased to 3% of the credit card limit, up from 2.5% (Implementation October 2017).

• Enhanced verification of OFI credit facilities

• RBS: Recasting OFI mortgage repayments over the remaining term using an applicable assessment rate

• RBS: Introducing a notional commitment for applicants living rent free

• Bankwest: Capturing rental property related expenses.


RCBA.0517.0002.0071

Bankwest Response - Other Key Findings

Actions taken

• PWC identified that a snapshot of the serviceability calculation for Bankwest loans is not retained on file. The Sanctioner Summary Screen in Lendnet has now been reinstated in Lendnet and no residual action is required.

• PWC identified that some loan applications originated through BankWest Private Banking portfolio did not pass through the validation functions. This was a known gap and an issue was in place at the time of the review. This issue closed on the 29th of June 2017 with the implementation of a manual checklist solution. Completion of this manual validation checklist will be tracked through existing validation processes and monitored through control assurance activities.

• PWC identified that a number of new users were granted access to the CommSee and CBS applications without approval. Bankwest has updated processes within the database management team to ensure peer review of access approvals is conducted and logged. Further manual workaround solutions continue to be utilised until Bankwest RACF applications have been migrated to Dell One Identity Manager.

Planned Activities

• PWC identified that the code used to extract the list of loans for control testing by CBA and Bankwest has not been recently validated. To remediate this, BW Operational & Compliance Risk has commenced an independent review of the Bankwest code in August 2017 for completion by September 2017.


Appendices

1. RBS Performance and Distribution of HEM versus CDLE

2. Bankwest Performance and Distribution HEM versus CSLE

3. Home Loan Monitoring Results

4. Detailed Home Buying Serviceability Calculator Walkthrough


Appendix 1 - RBS Performance and Distribution of HEM versus CDLE

[Figure: Distribution of CDLE variance to HEM. Chart annotation: 53% of CDLE values below HEM within 20% of HEM.]

[Figure: 30+ Arrears (see note 1).]

Of the 78% of instances where CDLE is below HEM, 53% were within 20% of the HEM estimate.

Overall, less than 4% of applications were below the HEM estimate by more than 50%.

Performance of accounts that have used HEM is broadly in line with those that have used CDLE.

[Chart legend: HEM, CDLE]

1 Based on originations since 2014

Appendix 2 - Bankwest Performance and Distribution of Income based HEM versus CSLE

[Figure: Distribution of CSLE variance to Income based HEM. Variance bands: a.>50%, b.40%-50%, c.30%-40%, d.20%-30%, e.10%-20%, f.0%-10%, g.0%, h.10%-0%, i.20%-10%, j.30%-20%, k.40%-30%, l.50%-40%, m.<50%. Chart annotation: "40.9% of CSLE values below HEM within 20% of"]

[Figure: 30+ Arrears, by category: CSLE<HEM, CSLE=HEM, CSLE>HEM.]


Appendix 3 - Home Loan Application Review Results

[Figure: CS&M and CQR Error Rate; LMI Audit Decision Error Rate; RBS CS&M Serviceability Decision Error Rate. Monthly time axes running Feb-16 to Jun-17 and Jul-16 to Jul-17, with the Targeted Review Period end date marked. Labels as extracted: CS&M Random Sample Appetite BW CQR; Decision Error Rate (RBS); Benchmark; Decision Error Rate (Bankwest); Serviceability Error Rate (Random Sample).]


Appendix 4 - Detailed serviceability calculator walkthrough

Phase I of Lender Front End has delivered a new automated home loan servicing calculator


Serviceability Calculator Walkthrough


Financials section - Income tab


Financials section - Commitments tab


Loan Details, Repayments, Securities and Upfront Costs sections


Phase II - New Application Process

• Integration with Serviceability Calculator: Seamless integration from serviceability calculator into an application. Data captured from serviceability automatically transferred to application (incl. MLE). Lenders will be required to record MLE on a category by category basis in the application if they have not done so already.

• Monthly Living Expense Categories: Values for breakdown of living expenses carried over from the serviceability calculator. Where a total number was entered in the calculator, lenders will be required to enter a breakdown of values per category.

• Dynamic Guidance & Scripting: Dynamically surface guidance information based on customer input information and relevant CBA policy or business rules. Lender scripting appears where relevant with capability to create audit trail to recall the conversations.

• Dynamic Document Verification Checklist: Document verification checklist tailored based on the application data. Shows the verification options as well as what the lender needs to check for to ensure the document used is compliant.

• Needs-Based Product Selection: A dynamic needs-based tool embedded in the new Application that will digitally facilitate the conversations Lenders have with customers on their requirements and objectives when determining a product that is suitable for their needs.
