
Page 1: Incident Management Procedures & Guidance

Incident Management Procedures & Guidance Page 1 of 62

FOR INTERNAL USE ONLY

Document Owner: Group Head of Operational Risk & Insurance

Date updated: December 2015
Version: 2.9
Location: Risk Document Library

Incident Management Procedures & Guidance

WBC.100.118.8029 CONFIDENTIAL

Page 2 of 62

Document version control

No. | Date | Version | Author | Description
1-5 | 11/06 | V0.1 | Mike Purvis | Drafting to support introduction of new process at 1 Dec 06.
6 | 8/1/07 | V0.2 | Mike Purvis | Drafting to reflect introduction of new processes at 31 Dec 06
7 | 22/1/07 | V0.3 | Mike Purvis | Drafting to reflect new systems in February 07
8 | 06/02/07 | V1.0 | Steven Bardy | Drafting to reflect Business Unit input and changes to reflect migration to new Policy Framework
9 | 15/02/07 | V1.1 | Aislinn Strang | ORMF review amendments
10 | 07/08/07 | V1.2 | Maebehe Garcia | Drafting to clarify issues related to credit and market risks and other amendments
11 | 24/04/08 | V1.5 | Andrew Leslie | Annual Review. Update for Rapid Recovery, Insurance Threshold and APS115
12 | 23/12/08 | V1.6 | Dung Thien Tran | Update for the implementation of ACCORD
13 | 22/04/09 | V1.7 | Andrew Leslie | Add hand written marked up edits to electronic version
14 | 15/05/09 | V1.8 | Andrew Leslie | Simplified content. Integrated version to include SGB.
15 | 27/07/09 | V2.0 | Luke Tazelaar | Updated from BU feedback
16 | 01/03/12 | V2.1 | Nadine Schaefer-Medappa | Updated to reflect Policy updates and add additional guidance
17 | 02/04/12 | V2.2 | David Tan | Updated to include operational risk related to project costs
18 | 24/04/12 | V2.3 | David Tan | Updated to clarify about the treatment of near misses
19 | 05/06/12 | V2.4 | David Tan | Greater clarification to the Basel Business Lines section of the appendix for Retail and Commercial Banking having regard to Divisional input. Minor modifications to the Corporate Items Basel Business Line title to reflect the "Not otherwise allocated" categorisation in ACCORD.
20 | 20/08/12 | V2.5 | Juliette Lemaire | Include Lean Incident Management Workshop Quick Wins: Incident Ownership "Circuit breaker"; "Lite" treatment for incidents with potential or actual financial impact under $50,000 and $1,000 tolerance for GL/ACCORD reconciliation differences
21 | 07/03/13 | V2.6 | Juliette Lemaire / David Tan | Updated to include AML / CTF management of incidents
22 | 03/06/13 | v.2.7 | Juliette Lemaire | Updated to include Industry standards agreed at the Interbank forum with regards to the treatment of boundary losses

WBC.100.118.8030 CONFIDENTIAL

Page 3 of 62

Document version control

No. | Date | Version | Author | Description
23 | 30/05/14 | v.2.8 | Juliette Lemaire / Derek Byrne | Annual Review. Updated to include Legal Risk related Operational Risk incidents (LOPs) and Outsourced Service Provider related Operational Risk incidents; Add a reference to the role of ACCORD support team; Updated to include a new section on Internal Escalation reporting; Updated to rationalise the list of Mandatory stakeholders; Updated to simplify appendices with regards to Reconciliation processes; Removal of appendix relating to ACCORD process on relocating incidents to support business restructure
24 | 11/12/15 | v.2.9 | Derek Byrne | Inclusion of a roles and responsibilities section and process flow; Reference to the new escalation process for incidents not owned within 5 days of identification; The inclusion of an exception for Technology, HS&W and Fraud incidents, which will now require ownership within 5 days of reporting in ACCORD, given that there are subsystems in place to manage the ownership of these incidents; Additional examples of Credit related Operational Risk incidents (CROPs) provided; Inclusion of additional industry guidance on the treatment of Legal Risk related Operational Risk incidents (LOPs) prior to capture in ACCORD

Distribution

Title/Function | Sign-off/review
Group Head of Operational Risk & Insurance | Sign-off
Head of Regulatory Affairs | Review
Enterprise Compliance | Review
Business Unit Heads of Operational Risk | Review
Head of Systems & Data | Review
Financial Crime and Fraud | Review
Group Health, Safety and Wellbeing | Review

WBC.100.118.8031 CONFIDENTIAL

Page 4 of 62

Table of Contents

1 Purpose ... 6
2 Operational Risk Incidents ... 7
  2.1 What is Operational Risk? ... 7
  2.2 What is an Operational Risk Incident? ... 7
  2.3 Incident Reporting Thresholds ... 8
    2.3.1 Financial threshold ... 8
    2.3.2 Non-compliance threshold ... 9
  2.4 Related Incidents ... 10
  2.5 Money Laundering (ML) / Terrorism Financing (TF) incidents ... 10
  2.6 Boundary Losses ... 12
    2.6.1 Credit Risk-related incidents caused by Operational Risk (CROPs) ... 12
    2.6.2 Market Risk-related incidents caused by Operational Risk (MOPs) ... 15
  2.7 Legal Risk related Operational Risk incidents (LOPs) ... 16
  2.8 Outsourced Service Provider related Operational Risk incidents ... 17
  2.9 Operational Risk incidents related to projects ... 18
3 Incident Management Process ... 19
  3.1 Incident Management Metric ... 19
  3.2 Incident Management - key roles & responsibilities ... 20
4 Incident Identification and Recording ... 23
  4.1 Incident Identification and Recording - Example ... 24
5 Incident Verification ... 26
  5.1 Incident Verification - Example ... 29
  5.2 Rejecting an incident ... 30
6 Incident Ownership ... 31
7 Assessments ... 32
8 Incident Rectification ... 32
  8.1 Incident rectification - Example ... 34
9 Incident Closure ... 36
10 Re-Opening of Incidents ... 36
11 Data Quality ... 37
12 External Reporting ... 38
13 Internal Escalation Reporting ... 38
Appendix 1 Direct vs. Indirect Financial Impact ... 39
Appendix 2 Basel Business Lines ... 40
Appendix 3 Basel Event Types ... 45
Appendix 4 Product ... 47
Appendix 5 Process ... 49
Appendix 6 Mandatory Stakeholders ... 51
Appendix 7 Rectification Procedures on Financial Impact ... 52
Appendix 8 ACCORD financial reconciliation performed by Risk Systems & Data ... 57
Appendix 9 ML/TF incident significant/systemic criteria ... 58
Appendix 10 Glossary of terms ... 59

WBC.100.118.8032 CONFIDENTIAL

Page 5 of 62

WBC.100.118.8033 CONFIDENTIAL

Page 6 of 62

1 Purpose

The Operational Risk Incident Management (IM) Policy outlines the minimum requirements for managing incidents across the Westpac Group. This Procedure document complements the IM Policy by providing guidance and examples. It should be read in conjunction with the IM Policy.

Divisions may document additional guidelines specific to their business activities as long as these do not contradict the intentions of the Group IM Policy or this Procedure.

The objectives of the IM process are to:

- Facilitate the timely identification, reporting, rectification and management of incidents
- Minimise the financial, reputation, customer and regulatory impacts of incidents
- Minimise the reoccurrence of incidents by addressing their root cause in a timely manner
- Ensure the quality of incident data to promote the integrity of the capital model and its outputs
- Assist Westpac in meeting regulatory and compliance obligations
- Promote and enable a risk-aware culture

The system supporting this process is ACCORD. All Incidents must be captured in ACCORD. Should the business mandate that incidents be captured in other systems, this will be in addition to ACCORD, as ACCORD is the designated IM system.

Everyone involved in the IM process must ensure that the data collected meets the principles set out in the Data Policy and is complete, accurate, valid, timely and sufficiently detailed in order to:

- Support the efficient management of incidents
- Reduce unnecessary errors and re-work of incident data
- Ensure the integrity of incident data as input into the capital model, i.e. internal loss data
- Meet regulatory data requirements

If further clarification regarding the IM Process, Policy or Procedure is needed, please contact your Manager, Operational Risk Advisor or Group Operational Risk & Insurance (GORI) for further guidance.

WBC.100.118.8034 CONFIDENTIAL

Page 7 of 62

2 Operational Risk Incidents

2.1 What is Operational Risk?

Operational Risk is defined as "the risk of loss from inadequate or failed internal processes, people and systems, or from external events. It includes legal and regulatory risk but excludes strategic and reputation risk".

This is the Basel II definition. It is also used by the Prudential Regulator (APRA) in APRA Prudential Standard (APS) 115 - Capital Adequacy: Advanced Measurement Approaches to Operational Risk, and across the industry. Westpac has aligned its definition with this standard.

2.2 What is an Operational Risk Incident?

Operational Risk covers a broad spectrum and can occur virtually anywhere e.g. data entry or accounting errors, product defects, fraud, employee health and safety incidents, technology failures, natural disasters or failed mandatory reporting.

An Operational Risk incident is an incident that is caused by an Operational Risk event i.e. by inadequate or failed internal processes, people, systems, or from external events. As an example, where there is a breakdown in the control environment which results in, or has the potential to result in, an adverse impact to Westpac, an incident must be recorded in ACCORD. The adverse impact can be financial (e.g. loss) or non-financial (e.g. non-compliance with legal or regulatory requirements, financial misstatements). Please note that there may be certain circumstances where the occurrence of an incident is not as the result of a control breakdown, e.g. severe weather conditions.

Operational Risk incidents that do not result in an actual financial loss (i.e. near miss incidents) are treated in the same manner as all other Operational Risk incidents. They are recorded when they meet the minimum reporting threshold as they:

- Provide a valuable learning experience - they demonstrate where controls have failed and where Westpac could have lost money and/or has not discharged its obligations correctly. Once recorded, they follow the IM process. This means that management is aware of the issue and its cause and can rectify it before it leads to an actual financial loss.

- Help to identify systemic issues (i.e. where the same or similar issues occur multiple times, indicating an underlying problem) that would otherwise have gone undetected. These often seemingly small issues can indicate significant control failures with potentially serious implications for Westpac.

Operational Risk incidents may also feature one or more of the following characteristics:

- Credit Risk-related incidents caused by Operational Risk (CROPs) - where an operational risk event resulted in a lending loss that otherwise would not have occurred.

- Market Risk-related incidents caused by Operational Risk (MOPs) - where an operational risk event leads to a difference between initial value and mark-to-market value.

- Related incidents - are made up of a group of related operational risk events (that often occur over a period of time) but that are all a direct result of one initial operational risk event.

- Money Laundering (ML) - where it is suspected that activity relating to the placement, layering and/or integration of illegally obtained funds is occurring, whether or not as a result of an operational risk event.

WBC.100.118.8035 CONFIDENTIAL

Page 8 of 62

- Terrorism Financing (TF) - where it is suspected that activity relating to the funding of terrorism is occurring, whether or not as a result of an operational risk event.

Incident data is obtained from different key sources/Source Systems[1] and provides input into ACCORD:

- Operational Risk incidents: Incident Identifiers must log incidents immediately in ACCORD via the "record an incident form" on the intranet.

- Fraud incidents: All fraud incidents must be immediately reported via the "report a fraud" link on the intranet (via Fraud Detection Toolkit). Group Investigations will advise Financial Crime Management (FCM) of any incidents that require entry into ACCORD; these are then captured within pre-defined SLAs.

- Work Health & Safety (WH&S) incidents: All WH&S incidents must be logged immediately via the "safe and sound" link on the intranet homepage. The Risk Systems & Data team receives incidents monthly from STARS (the WH&S system) and enters them in ACCORD.

- Legal Risk related Operational Risk incidents (LOPs): The business is expected to maintain incident-related litigation data in ACCORD, including provisions.

- Technology incidents: Technology incidents are initially recorded in Remedy (Technology's IM system). On a monthly basis, Remedy incident records and National Operations Centre (NOC) reports are reviewed by Technology. Technology-related incidents meeting minimum reporting thresholds are then recorded in ACCORD by Group Technology.

- ML/TF incidents: ML/TF suspected activities must be reported to the Division Compliance team for assessment[2]. The Division Compliance team must report significant ML/TF suspected activities to the Enterprise Financial Crime AML/CTF team via the team email box within five business days[3].

- Outsourced Service Provider related Operational Risk incidents: All Outsourced Service Provider incidents are required to be captured in ACCORD.

2.3 Incident Reporting Thresholds

To determine whether an incident must be recorded in ACCORD, minimum thresholds have been established. All incidents that meet one of these thresholds must be recorded:

- Potential and/or actual gross financial impact[4] of AUD20k or more; or

- A compliance incident, i.e. an actual, likely or imminent contravention or breach of:
  o a compliance obligation of any applicable law or regulation;
  o an industry standard or code, such as the ASX Market Rules;
  o a material contravention of an internal policy or procedure.

- Non-compliance (or likely non-compliance) with any legal or regulatory requirements (regardless of financial impact).

Incidents which do not result in an actual gross or net financial impact (referred to as a "near miss") are still required to be recorded in ACCORD where the potential financial impact is AUD20k or more.

2.3.1 Financial threshold

At a Group level, Westpac has established a minimum financial threshold (AUD20k) at which incidents must be reported. However, Divisions may set a lower threshold if they wish (e.g. Technology currently record all Severity 1 incidents).

[1] Refer to Appendix 8.

[2] NB: The escalation of suspected ML/TF activity to the relevant divisional compliance team does not replace or remove an employee's suspicious matter reporting (SMR) obligations under the AML/CTF legislation.

[3] [email protected]

[4] Gross Financial Impact means the impact before an allowance is made for a recovery and can be positive or negative.

WBC.100.118.8036 CONFIDENTIAL

Page 9 of 62

Financial threshold - example

Fee miscalculation - A Westpac staff member miscalculates fees and underquotes fees payable by the customer by AUD7k. As the AUD20k threshold is not triggered, an incident does not have to be recorded in ACCORD unless the Division has set a lower threshold, e.g. AUD5k.

The threshold refers to gross amounts. This means that all incidents that have the potential for a financial impact of AUD20k or more must be recorded. The requirement for recording an incident stands even if Westpac recovers the money partly or in full. This is due to the fact that when the incident is recorded, there is no guarantee that money will be recovered in the future.

Operational Risk incidents that result in a positive financial impact (i.e. gain) must be recorded in ACCORD as well (if they meet the threshold).

The trigger points are the occurrence of an Operational Risk event and meeting the threshold, not whether the financial impact results in a loss or gain.

Financial threshold (resulting in gain) - examples

"Fat finger" error - A trader makes a "fat finger" error, buying 5000 derivative contracts instead of 500. By the time this is detected and the trades reversed, the market has moved in Westpac's favour, generating a profit on the trade. This incident must be recorded in ACCORD, indicating that the potential financial impact is positive.

Payroll tax rebate error - Due to wrong data communicated to the tax team, the payroll tax traineeship rebate was understated for two consecutive years. This led to a positive tax impact of AUD1.6m. This category of payroll tax rebate was not disclosed in the prior years due to the lack of a proper system to track the trainees. This incident must be recorded in ACCORD, indicating that the potential financial impact is positive.

2.3.2 Non-compliance threshold

An incident must be recorded in ACCORD for all instances of non-compliance (or likely non-compliance) with legal or regulatory requirements. This includes Licence Conditions, Contracts, Standards, Rules, Regulations, Acts and external Codes that Westpac agreed to adhere to e.g. the Code of Banking Practice.

Non-compliance incidents - examples

Failure to provide amended AFSL - The Operating Rules stipulate that a copy of an amended AFSL for a Registrable Superannuation Entity (RSE) has to be lodged with the ASX within a stipulated timeframe. However, for one particular RSE this was not provided to the ASX until some months later, resulting in a breach under the Operating Rules and the need to record an incident in ACCORD.

Commingling of funds - The mingling of proprietary and client funds held in the operating account of the bank's Margin Lending must be reported to the regulator, as it constitutes a breach of ASIC's requirements, and it needs to be recorded as an incident in ACCORD.

Breach of notification requirements - APS520 stipulates timeframes within which an APRA-regulated institution must lodge its "Fit & Proper" notifications with the regulator. If the notification timeframe for APS520 is missed, a breach occurs and an incident must be recorded in ACCORD.

If there is any doubt as to whether an incidence of non-compliance (or likely non-compliance) has occurred, the matter should be escalated to the relevant Compliance Advisor immediately, who will advise if the matter needs to be recorded in ACCORD.

Westpac Group has the regulatory obligation to notify its regulators of certain compliance matters, in particular, notification to ASIC of significant breaches of the AFSL obligations (refer to the AFSL Breach Policy). Failure to report matters or undue delays in investigating and reporting matters could result in legal or regulatory action being brought against staff or Westpac. Any matter thought to be significant and/or reportable to a regulator must be escalated immediately to the relevant Compliance Advisor in addition to being promptly recorded in ACCORD.

WBC.100.118.8037 CONFIDENTIAL

Page 10 of 62

Please note that all notifications to regulators continue to be made centrally and exclusively via Group Regulatory Affairs and not by Divisions (refer to section 12, External Reporting, and also to the "Managing our Regulatory Relationship" Policy). All regulator notifications are subject to the AFSL Breach Policy, the Voluntary Disclosure and Legal Professional Privilege Policy and the Managing our Regulatory Relationships Policy.

Accounting errors

These incidents are due to an operational risk event and result in a temporary misstatement in financial accounts that require subsequent correction e.g. revenue overstatement, accounting errors and mark-to-market errors.

Accounting errors - example

Valuation errors - A portfolio of derivatives has an incorrect mark-to-market valuation applied, resulting in incorrect P&L gains over a number of years. The P&L gains are written back in the current year, giving rise to a large P&L expense.

Often, when accounting errors are corrected no direct financial impact arises. However, these incidents can stretch over multiple financial periods and therefore could lead to significant misstatements as well as non-compliance with regulatory requirements.

While these events may not represent a true financial impact on the bank (because the net impact over time is zero), if the error continues across two or more accounting periods, it may represent a material misrepresentation of the bank's financial statements. Material "timing losses" due to operational risk events that span two or more accounting periods should be included as operational risk incidents when they give rise to legal or compliance events (e.g. Sarbanes-Oxley deficiencies and statutory/regulatory reporting errors).

2.4 Related Incidents

Related incidents are incidents that consist of a group of connected operational risk events. The incidents are connected because they are a direct result of the same underlying operational risk cause event - even if the events occur over a period of time. The original incident must be recorded in ACCORD and all further occurrences (i.e. related incidents) must be updated within the initial incident.

These related incidents, due to the same underlying event, should be reported in ACCORD under the initial original incident irrespective of their dollar value. This would allow the full financial impact of related incidents to be identified even if the individual related incidents are below the relevant financial threshold.

Related incidents - example

Mainframe storage outage - An approved technology change in Sydney leads to a mainframe storage outage that suspends all processing but is recovered during the day. However, the next day payment systems in NZ are unable to send/receive transactions as a result of the original outage - leaving settlement transaction flows and customers waiting.

2.5 Money Laundering (ML) / Terrorism Financing (TF) incidents

WBC.100.118.8038 CONFIDENTIAL

Page 11 of 62

ML is the name given to the process by which illegally obtained funds are given the appearance of having been legitimately obtained to avoid prosecution, conviction and the confiscation of those funds. Anti-Money Laundering (AML) is concerned with mitigating the risk that Westpac products or services may be used in the course of ML.

TF is the name given to the funding of terrorism. In comparison to ML, which aims to hide the origin of illegally obtained funds, TF seeks to hide the destination of funds (which may be derived from legitimate or illegitimate sources). Counter-Terrorism Financing (CTF) is concerned with mitigating the risk that Westpac products or services may be used in the course of TF.

AML / CTF Incidents

AML / CTF breaches differ from ML/TF incidents and are cases where there has been either:

- Non-compliance with AML/CTF requirements and/or obligations resulting in a breach
- A break-down or misapplication of processes and procedures resulting in a breach of AML/CTF requirements and/or obligations

AML / CTF incidents - examples

Failure to meet regulatory reporting timeframes - due to an IT or manual processing issue, Westpac fails to report Suspicious Matter Reports (SMRs), Threshold Transaction Reports (TTRs) and/or International Funds Transfer Instructions (IFTIs) within the required legislative timeframes.

Complete Payer Information - IFTIs are processed by branch staff as over-the-counter customer transactions but fail to capture the "complete payer information" required by the AML/CTF Act and Rules in the transaction details.

Breaches of AML/CTF legislation should be reported to the Group Money Laundering Reporting Officer (MLRO) as the primary contact and the Head of Group Regulatory Affairs. The Group MLRO (or approved delegate) is responsible for ensuring breaches are reported to AUSTRAC in accordance with the AML/CTF Breach Reporting Procedure.

AML/CTF compliance breaches, regardless of financial impact, are recorded as an incident in ACCORD.

ML / TF incidents

ML / TF incidents are cases where:

1. It is known or suspected that Westpac products or services have been used in the course of ML and/or TF; and

2. There has been either:
  - Identified weaknesses in any risk controls, processes or procedures
  - Identified gaps in the AML/CTF control infrastructure, for example, in employee training and awareness; and/or
  - A change in the inherent and/or residual risk represented by a Division's customers, products/services, jurisdictional impact and/or channels caused by the suspected ML/TF activity.

ML / TF incidents - example

Identification & Verification (ID&V) - due to a breakdown in processes and procedures, a large number of customers of a particular type are onboarded without the relevant Customer Identification Program (CIP) requirements being met.

All ML/TF incidents should be submitted to the relevant Division AML/CTF Risk and Compliance team to undertake an assessment of whether:

- a regulatory or compliance breach has occurred. In this case, an incident should be recorded in ACCORD.

WBC.100.118.8039 CONFIDENTIAL

Page 12 of 62

- the ML/TF risk presented by the linked customer(s) needs to be managed and mitigated under the appropriate High Risk Customer processes and procedures.

- the ML/TF suspected activities meet or exceed the significant/systemic case criteria. In this case, they will be reviewed and assessed on a case-by-case basis by Enterprise Financial Crime AML/CTF and may result in a detailed findings memo to enable the divisional stakeholders impacted by the customer(s) involved to make risk appetite, management and mitigation decisions. Cases meeting the significant/systemic criteria (see Appendix 9) should be raised and managed in ACCORD as an issue and linked to the impacted risks and/or controls.

ML/TF incidents may not be, in themselves, direct breaches of AML/CTF legislation, however Westpac is required to comply with the relevant reporting obligations under the AML/CTF legislation including any suspicious matter reporting in relation to the incident.

2.6 Boundary Losses

Losses that were caused by an Operational Risk incident but manifest themselves in other risk types such as Credit or Market Risk can sometimes be hard to distinguish and classify correctly. It is important to establish the underlying cause for incidents to correctly capture boundary losses caused by Operational Risk, as this will determine whether the incident is included in the calculation of Operational Risk regulatory capital.

Incidents that are Operational Risk-related credit losses must be treated as Credit Risk for the purpose of calculating regulatory capital with the exception of fraud (perpetrated by parties other than the borrower), which is treated as operational risk for the purpose of calculating regulatory capital. These are communicated to the Enterprise Risk Analytics (ERA) team and are excluded from the Operational Risk capital model where appropriate.

2.6.1 Credit Risk-related incidents caused by Operational Risk (CROPs)

Credit risk is the risk of loss due to counterparty default. Credit Risk-related incidents caused by Operational Risk (CROPs) arise when the credit loss is due to an Operational Risk incident (such as process failure or fraud).

Where Westpac experiences losses that appear to be pure credit losses (e.g. mortgage default), it needs to be established if this is indeed the case or whether the credit loss was due to an Operational Risk incident. A staff member could have made an error during the mortgage assessment process, for example, and approved an application incorrectly whereas, if procedures had been followed correctly, the mortgage would not have been approved. In this case, the cause for the credit loss is due to an Operational Risk incident.

Categorisation / Treatment of CROPs

CROPs can be categorised by applying the decision tree outlined below to confirm whether an event is a pure Credit Risk, an Operational Risk or a CROP event. CROPs are treated as Credit Risk for the purpose of calculating regulatory capital. The exception is fraud [5] (perpetrated by a member of staff or a third party, with or without the borrower's involvement), which is treated as Operational Risk for the purpose of calculating Operational Risk regulatory capital.

[5] Internal Fraud losses relate to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party. APRA, Prudential Standard APS 115, Jan 2013. Note: 'Internal Fraud' includes both Theft & Fraud and Unauthorised Activity. External Fraud losses relate to acts of a third party that are of a type intended to defraud, misappropriate property or circumvent the law. APRA, Prudential Standard APS 115, Jan 2013.


Note that a CROP should only be reported at the point at which a loan default has resulted in either a provision or a write-off. The decision tree below should not be used in isolation from the wider Incident Management Procedure and Guidance, as an event that is not determined to be a CROP may still need to be recorded as an Operational Risk incident.


CROPs decision tree (diagram)

** The actual accounting treatment may vary and is subject to final determination by Finance having regard to the particular facts of an incident, Group Accounting Policies, applicable Accounting Standards and any specialist advice.


CROPs - examples

Security not registered correctly - A customer goes into default. Collections begin recovery action and a security check reveals that the Bank has not correctly registered a mortgage over the property and is unable to recover the loan. Treatment: CROP - excluded from Op Risk Capital.

Fraudulent loan approval - Collections advise that they hold an account that has been referred to the fraud department. Investigation finds that the customer provided fraudulent income and liability details (e.g. inflated income/reduced number of dependants) which were of an obvious nature that should have been identified by the Loan Assessor during loan approval. The customer is overcommitted and makes only a few repayments before going into default. Treatment: CROP - excluded from Op Risk Capital.

Inadequate loan approval - An unsecured loan for a customer falls into arrears and a provision is raised against the loan. A review of the file reveals that the assessor did not perform a credit check and hence failed to detect previous credit defaults and judgements against the customer. The assessor's error was considered a failure to follow procedure rather than intentional. Treatment: CROP - excluded from Op Risk Capital.

Significant Customer defaults - A significant business customer defaults on a loan. Investigations revealed that the default was due to the customer losing a major client and hence the business was unable to meet existing obligations. There was no failure in the Bank's lending processes. Treatment: Not a CROP - Pure Credit Loss.

Fraudulent loan approval - We lend $50m to a business and take security over a number of properties. The borrower defaults due to a decline in their business. In working through the default, it becomes clear that there was a process failure at origination: we had not correctly registered security over one of the properties, and another creditor is able to take possession of that property and sell it. We end up recovering $20m from the borrower, so the total lending loss is $30m. However, if we had been able to take possession of the third property and sell it, we estimate that our losses would have only been $22m rather than $30m. Treatment: CROP - excluded from Op Risk Capital - for $8m (the amount that the process failure contributed to the loss).


2.6.2 Market Risk-related incidents caused by Operational Risk (MOPs)

Market Risk is the risk of loss or gain due to changes in market prices on outstanding positions arising from discretionary market judgements.

Operational Risk-related Market events (MOPs) arise where there has been an Operational Risk event (e.g. a keying error such as 'buy' instead of 'sell') which causes either a market risk loss or a gain.

By closing unwanted positions, losses or gains may be realised, depending on price movements in, for example, foreign exchange rates, interest rates, commodity or equity prices.

MOPs - examples

Foreign Exchange contract confirmation - A customer called to discuss a price on a forward contract to buy USD. A miscommunication between the customer and the dealer resulted in the dealer booking the deal, which the customer's dealer later said should not have gone ahead. Westpac closed out the transaction at market rates and incurred a loss.

Incorrect beneficiary name - An overseas telegraphic transfer was actioned with the customer's name misspelt. The customer advised that the payment was rejected by the overseas bank, which then sent the funds back to Westpac using a different exchange rate. There was thus a shortfall and also a risk that Westpac was liable for the lost interest amount.

Incident (trading position open) - A customer had call options in portfolios with a May expiry date, under which Westpac must sell the underlying stock at AUD750k at expiry. However, the underlying stock was not sold due to a miscommunication with the trading desk, and reconciliation monitoring failed to pick this up. When discovered two days later, the market value was AUD500k. The sale was then made with the position closed at AUD450k, a total loss of AUD300k. The loss has to be recorded immediately when it is identified even if the position is still open, i.e. at the AUD250k loss at that point. The total loss amount can be amended later.

Unwanted positions (gain) - A misunderstanding between two dealers results in the purchase of AUD500m of securities instead of AUD5m because confirmation protocols were not followed (i.e. the dealer was not advised of the purchase). By the time the Westpac dealer had sold the unwanted securities, the market had moved 10 bps, resulting in a gain to Westpac of AUD330k.

Treatment of MOPs

MOPs must be recorded in ACCORD when the incident occurs, regardless of the trading position, i.e. whether positions are open or closed. All MOPs must be captured in ACCORD and flagged as Market Risk incidents.

MOPs that are open events (open market risk position) must be included in the calculation of the Traded market risk, Foreign exchange and Commodities (TFC) capital requirement.

MOPs that are closed events resulting in an actual loss or gain (closed market risk position) must be treated as Operational Risk for the purpose of calculating Operational Risk regulatory capital.


MOP with open positions - example

Foreign Exchange keying error - The FX Desk was meant to sell USD100m of foreign currency but instead bought USD100m of foreign currency due to a human error. The position is still open on the books (i.e. steps have not been taken to unwind and close out).

Market or Operational Risk incident? This is a Market Risk-related incident caused by Operational Risk (MOP) - the Market Risk flag in ACCORD must be ticked.

Cause Analysis: A keying error was made that allowed the trader to buy instead of sell USD100m of foreign currency.

Capital Model: Include the USD100m in the open FX position for TFC Capital calculations.

MOP with closed positions - example

Foreign Exchange keying error - The FX Desk was meant to sell USD100m of foreign currency but instead bought USD100m of foreign currency due to a human error. The position is no longer open on the books (i.e. the position has been closed out, but in doing so a loss of USD1m has been realised due to market movement and associated costs).

Market or Operational Risk incident? This is a Market Risk-related incident caused by Operational Risk (MOP) - the Market Risk flag in ACCORD must be ticked. A financial impact of USD1m must be created in ACCORD.

Cause Analysis: A keying error was made that allowed the trader to buy instead of sell USD100m of foreign currency.

Capital Model: Include the actual loss of USD1m in Operational Risk capital calculations.

2.7 Legal Risk related Operational Risk incidents (LOPs)

All Legal risk related incidents that impact Westpac are required to be captured in ACCORD in line with the internal incident reporting thresholds.

Legal risk related incidents include but are not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as ordinary damages in civil litigation, related legal costs and private settlements.

This applies to the full scope of Group activities and may also include others acting on behalf of the Group. Common Legal Risk incidents include all claims against the Bank that involve allegations of wrongdoing and/or liability and where payments are made to third parties to settle 'claims'. It includes payments which are required as a result of legal proceedings as well as payments with no admission of liability or wrongdoing. By way of example:

- Alleged staff misconduct;
- The provision of negligent or inappropriate financial advice;
- Failure to follow a customer's mandate;
- Payments made to customers or other parties to settle claims, disputes or complaints.

Legal Risk related Operational Risk incidents - examples

The provision of negligent or inappropriate financial advice - The Financial Services Ombudsman (FOS) makes a determination that Westpac is liable to compensate a customer who has incurred a financial loss from investing in a financial product based on a personal advice recommendation from a bank teller (who was not authorised or trained to provide personal advice).


Payments made to customers or other parties to settle claims, disputes or complaints - A customer threatens to take legal action against Westpac following an opportunity cost they incurred as a result of a delay in trade settlement. Although Westpac does not believe that it is liable for the opportunity cost, a control breakdown has been identified and it is agreed to settle the claim as a goodwill gesture.

For litigated matters, or where a real threat of litigation exists, guidance should be sought from Legal concerning the wording of the incident. All legal advice should be clearly flagged so as to be excluded from discovery if so required.

At a minimum, a LOP is required to be recorded in ACCORD at the point when a provision is raised in the financial records or when a claim is settled. Where a provision for the claim is raised, the date that a loss event is recorded for operational risk capital purposes should be consistent with, and no later than, the date the legal provision is established.

For incidents where no control breakdown can be identified, the incident can be recorded in line with the 'Lite' treatment as prescribed in Section 8 - Incident Rectification.

For litigated settlements of insurance claims where no control breakdown or inadequate or failed internal processes have been identified, the portion of the provision or settlement relating to the policy claim amount should not be captured as a LOP. This claim-related portion is considered Insurance Risk and should already be factored into the insurance capital. The portion that should be captured as a LOP is any legal costs, penalties or punitive damages awarded over and above the claim that is being litigated.

Treatment of LOPs prior to recording

If the LOP is not yet due to be recorded within ACCORD, the following must still be performed as appropriate:

- Timely root cause analysis and remediation of the incident; this may be completed by Legal or the Operational Risk Advisor.
- Consider relevant potential Legal exposures in the RCM and Scenario processes.
- If the LOP could have a potential material impact on the Operational Risk Regulatory Capital, contact Group Regulatory Affairs, as consideration should be given to bringing the relevant facts and circumstances of the LOP to the attention of APRA where appropriate.
- If the LOP has potential to result in a regulatory breach, contact Specialised Compliance, as consideration should be given to bringing the relevant facts and circumstances of the LOP to the attention of the relevant regulator as appropriate.

2.8 Outsourced Service Provider related Operational Risk incidents

All Outsourced Service Provider incidents that impact Westpac are required to be captured in ACCORD in line with the internal incident reporting thresholds.

Outsourced Service Provider Incident - examples

An Outsourced Service Provider who provides mail-house services issues a large number of credit card statements to the incorrect customers, resulting in a potential regulatory breach.

An Outsourced Service Provider who provides cheque clearing services to the Group remits $500K to an incorrect Third Party. The funds are recovered; however, our contract with the Outsourced Service Provider indemnifies them for any losses over $250K. This is captured as a near miss incident as there was a potential loss of $250K to Westpac.


These will generally be identified and recorded by the Business Unit impacted by the incident (or by the Vendor where they have system access); however, where they are Enterprise related (impacting more than one Business Unit) it may be appropriate for Enterprise Sourcing to record the incident. Guidance should be sought from your Risk Advisor.

Once an incident is recorded and verified in ACCORD, requirements for root cause analysis, remediation etc. are the same as with internal incidents, with the service provider undertaking a number of the underlying activities.

2.9 Operational Risk incidents related to projects

Project Related Loss Events could be due to project risks or operational risk incidents related to projects.

Project risk is the risk that the project does not provide the agreed functionality and/or complete within budget and/or complete on time (e.g. budget overruns, scope creep, project cancellations).

Operational Risk incidents related to projects arise as a result of project activity (i.e. impacts on business processes, resourcing and IT systems) which may prevent the business from meeting its objectives (e.g. late or duplicate payments, frauds, guideline breaches).

Treatment of Project risk losses

Project risk losses incurred due to incorrect judgment and bad decisions are regarded as Strategic Risk and not treated as Operational Risk incidents as they are not Operational Risk based on the Basel definition. Budget overruns, 'scope creep' and project cancellations are not considered Operational Risk incidents because the underlying judgments and decisions are similar to decisions to invest in new business, which may go wrong in a similar manner.

Operational Risk incidents that happen during the project or as a result of a project implementation are recognised as Operational Risk incidents and must be recorded in ACCORD when the incident occurs.

Operational Risk incidents related to projects - examples

Unexpected operational impacts during a project or as a result of project implementation - Ineffective testing or roll out causes unforeseen operational (e.g. people, process, system or customer) impacts or losses.

Project Risk examples not related to Operational Risk

Changes to a project scope or 'scope creep' - A strategic decision is taken to modify a project scope during the course of a project and is appropriately approved by a governance committee, and the original budget and timeframes are extended as a result.

Budget overruns and project cancellations - Failure to plan and manage the resources required for achieving project goals, leading to budget and/or time overruns, or a cancellation of a project.

Unrealised project benefits - Unrealised benefits relating to a project due to a failure to meet its scope or objectives are not considered to be losses.


3 Incident Management Process

If an incident meets the minimum reporting thresholds, the incident must be managed through all stages - from identification and recording, through verification, ownership, assessment and rectification to closure.

The roles of Incident Verifier, Incident Owner and Rectification Manager should be carried out by different people. These roles should be segregated to ensure the quality of data and an independent review. Where segregation of roles is not possible, guidance must be sought from GORI.

In accordance with the ORMF, Incident Verifiers are typically from the 2nd line of defence (i.e. Division Risk Advisors or Core Teams), whereas Incident Owners and Rectification Managers are from the 1st line of defence (i.e. the Business). For the specific roles and responsibilities of the IM process refer to the ORMP.

3.1 Incident Management Metric

IM activities must be progressed and escalated through to the acceptance of the ownership stage within five business days of the incident being identified.

For Technology, Fraud and Occupational Health & Safety incidents, IM activities must be progressed and escalated through to the acceptance of the ownership stage within five business days of the incident being recorded within ACCORD. This is because these incidents are initially recorded, owned and managed in different systems and are recorded in ACCORD at a later date if the minimum reporting thresholds are met.

Timely identification and recording of Operational Risk incidents is critical for their effective management and an indicator of a 'healthy' risk culture. Incidents must be escalated to internal stakeholders as soon as possible to enable them to commence mitigation activities. This will ensure that incidents and any potential control weaknesses are addressed in a timely manner with clear accountability. Additionally, it supports the requirement to advise regulators of reportable breaches within prescribed timeframes.

Incidents that have not been owned within the current five day policy requirement will be escalated weekly to CROs and on a monthly basis to the responsible Group Executive. In the event that ownership of an incident cannot be agreed between relevant business units, the Group Head of Operational Risk and Insurance will make a determination on ownership in consultation with the GM, Operational Risk and Assurance with notification to the Group CRO.

The above metric is supplemented by additional metrics which are distributed on a monthly basis by the Risk Systems & Data team:

- Time-to-record: as an indicator of a 'healthy' risk culture
- Time-to-verify: to encourage timely awareness and reporting
- Time-to-own: to encourage timely ownership and data quality of incidents in alignment with Westpac's risk culture of no surprises

Incident Management Process stages (diagram): Identification & Recording, Verification, Ownership, Assessment, Rectification, Closure


3.2 Incident Management - key roles & responsibilities

Incident Identifier (refer to section 4)

- Raise all incidents reaching minimum reporting thresholds in ACCORD within the required timeframe stated in Section 3.1 of this document.
- Ensure sufficient information is entered into ACCORD to enable the nature of the incident to be understood, verified and assessed in ACCORD, including whether it has a compliance impact.
- Identify the primary caused BU and notify the Incident Verifier. Stakeholder engagement is KEY. Contact the necessary stakeholders, e.g. the Verifier, to discuss in person or via telephone.
- Re-assign incidents as a result of business restructures.

Incident Verifier (refer to section 5)

- Confirm data integrity of all details contained in the incident (usability, accuracy and completeness), ensuring that it is not a duplicate entry.
- Confirm whether the incident meets the definition of an incident.
- Review the details of the incident documented by the Incident Identifier and ensure the financial details captured are correct and the description is clear, including the root cause contributing to the incident occurrence; update if required.
- Consult with their BU Risk representative where required.
- Confirm the Impact classification of the incident.
- Assign an Incident Owner.
- Assign mandatory incident stakeholders based on the primary caused BU and primary impacted BU.
- Assign a Rectification Manager.
- Confirm whether the incident should be flagged as 'sensitive'.
- Confirm if the incident has been correctly flagged as credit risk or market risk related, if applicable.
- Confirm both the Basel Event Type and the Basel Business Line. The timely and accurate execution of verification is key as it drives the overall workflow of the management of the incident, especially the timely investigation, assessment and reporting of regulatory/legislative breaches.
- Obtain ACCORD updates from Legal where appropriate.
- Assess whether the incident has a compliance impact.

Incident Owner (refer to sections 6 & 9)

- Overall accountability for the incident, including ownership for the life of the incident.
- Manage and oversee the rectification of the incident until closure.
- Prior to closure: ensure that all assessments are completed, including financial, risk and control, legal, compliance and insurance; confirm all linked issues and action items have been satisfactorily completed and all necessary supporting documents are attached in ACCORD.
- Authorise closure of an incident.

Incident Rectification Manager (refer to section 8)

- Coordinate the development and execution of a rectification plan in conjunction with mandatory stakeholders.
- Ensure that agreed action items from the assessments (if any) are incorporated within the rectification plan.
- Confirm the financial impact of an incident and liaise with the BU Finance contact to ensure that the final entries are accurately reflected within both ACCORD and the General Ledger.
- Provide updates and status reports as required.
- Ensure that an accurate record is created in ACCORD.
- Ensure that the incident is rectified in a timely manner.
- Link the incident/issue to a risk and/or control in ACCORD.
- Recommend incident closure to the Incident Owner.


4 Incident Identification and Recording

All employees have a responsibility to identify and record incidents. The person who identifies the incident or potential incident (the 'Incident Identifier') must raise an incident in ACCORD immediately.

The key dates that are recorded in relation to incidents are:

- 'Incident recorded' date is created automatically when the incident is entered into the system.
- 'Incident identified' is the date the Incident Identifier becomes aware of the incident. As incidents are required to be recorded immediately, the 'incident recorded' date should be either the same as the 'incident identified' date or as soon as possible afterwards (i.e. within 24 hours).
- 'Incident occurred' is the date on which the incident took place. The 'incident occurred' date can be the same as, or prior to, the 'incident identified' date.

The 'recording' step in the process is where information about the incident is entered in ACCORD. All incidents that meet the minimum reporting threshold must be captured in ACCORD [6]. The incident identification form for ACCORD can be accessed via the intranet through the Resources & Tools link on the Westpac Intranet, then clicking on the 'Record an Incident' link.

If employees are unsure whether to capture an incident, they should immediately contact their Manager, Operational Risk Advisor, Compliance Advisor or Group Operational Risk & Insurance for further guidance.

Entry of data that describes the incident is the first step in the IM process. The data should be accurate and where possible, sufficiently detailed to enable the Incident Verifier to understand the circumstances and causes of the incident in order to carry out their role.

At a minimum, the incident data must contain this information:

- Name and contact details of the employee who identified the incident
- Date that the incident occurred (if an incident has occurred over a period of time, the initial date of the incident should be entered)
- Date the incident was identified
- Name of the incident (the name of the incident should be succinct, e.g. duplication of payment, credit card fraud, non-compliance with licence condition, ATM outage etc.)
- Description of the incident, including the root cause of the incident where possible. Descriptions may be read by a diverse audience not familiar with the circumstances of the incident, ranging from peers to Senior Management. Therefore the description should be accurate, succinct and in plain English. Avoid abbreviations and include all relevant information.
- Potential financial impact [7], including whether the financial impact is negative (i.e. loss) or positive (i.e. gain) and the currency
- Compliance impact: for all non-compliance with legal or regulatory requirements (including AML/CTF related incidents) it is mandatory to tick the compliance box in ACCORD. If the Incident Identifier is uncertain whether there is a compliance impact or not, 'unsure' may be selected. These incidents will then be assessed by a Compliance Assessor. Incident Identifiers should only select 'No' in situations where they are certain that there is no compliance impact.
- Primary Caused BU, i.e. the BU believed to be responsible for the incident, and Primary Impacted BU, i.e. the BU believed to be most affected by the incident (refer to section 5, Incident Verification, for definitions)
- Product and Process (optional at this stage in the process) (see Appendices 4 and 5)
- Additional Caused and Impacted BUs (optional)

[6] Note for ML/TF incidents: as it is not possible to restrict access to an incident recorded in ACCORD to the core impacted business stakeholder group, it is critical that the appropriate level of detail is provided and, where necessary, restricted to ensure that the risk of inadvertently breaching the 'Tipping Off' provisions of Section 123 of the AML/CTF Act is managed.

[7] The potential financial impact is the total gross financial impact for the incident at the time of identification, i.e. the maximum financial impact that the incident could have, considering the control environment in which it occurred before any action has been taken to rectify.

Business Units must train their staff to ensure they know what an Operational Risk incident is and what incidents need to be captured in ACCORD (refer to the Online Incident Management Training modules available in E-academy as well as the quick reference guides located on the ACCORD support site). Once the information has been entered into ACCORD, an e-mail notification (and a notification to the ACCORD inbox) is sent by the system to the Incident Verifier(s).

Throughout this process stakeholder engagement is KEY. Whilst it is important to escalate the incident within the required timeframes stated in this document, it is equally important to discuss events with those ultimately responsible for the management to ensure there are NO surprises or unnecessary delays.

When logging an incident, it is important to ensure the correct BUs are selected, as this determines who will be responsible for verification and ownership. It is important to communicate with these stakeholders, especially when logging incidents outside of your own BU. If in doubt, speak with your Risk representative.

Clear communication with stakeholders will save any additional rework and potentially prevent an incident from being unnecessarily rejected at verification.

4.1 Incident Identification and Recording - Example

Incident Identification

The relationship of a long-term customer was migrated through several different Divisions over a period of years. The customer currently holds a range of facilities for his business (around AUD20m). All facilities are essentially uncontracted, out of date and business finance agreements have not been executed for several years.

The Incident Identifier should ask two questions to decide whether or not the incident should be entered into ACCORD:

- Is this an incident? As the incident resulted from inadequate client account management due to multiple key staff changes, it is an Operational Risk incident.
- Does the incident meet the minimum reporting threshold? As the customer facilities are around AUD20m, the reporting threshold is met and the incident should be recorded in ACCORD.


Example ACCORD entry:

Incident ID: System generated (important reference for future data entries related to the incident)

Incident Identifier: June May

Identifier Phone No.: 02 1234 5678

Incident Status: System generated

Date Incident Recorded: System generated

Date Incident Occurred: 30 Nov 2008

Date Incident Identified: 17 Feb 2012

Detailed Incident Description (including root cause): Customer holds around AUD20m of facilities for his business, which are uncontracted and out of date, as agreements have not been executed for several years as a result of inadequate client account management across Divisions.

Primary Caused Business Unit: Corporate Business Group

Primary Impacted Business Unit: Corporate Business Group

Product/Process: These fields are optional for the Incident Identifier and, if left blank, must be determined by the Incident Verifier

Potential Financial Impact: AUD20m - the maximum possible loss is the total value of the facilities

Currency: AUD

Financial Impact positive or negative: Negative

Compliance Impact?: No (If the Incident Identifier is unsure whether there is a compliance impact, 'unsure' can be selected, triggering an assessment by a Compliance Assessor)

Initial actions undertaken to rectify or prevent recurrence of the incident?: Internal review of procedures and controls commenced where 'handover' of a customer from one Division to another occurs

Additional Caused BU/Additional Impacted BU: No


5 Incident Verification

Divisions designate one or more employees as the 'Incident Verifier' to be responsible for confirming the incident information that has been captured in ACCORD.

Incident Verifiers play a key role in the IM process as they assure the quality of incident data, i.e. that it:

- Supports the management of incidents
- Ensures data integrity, as it is an input into the Operational Risk Capital Model (BU capital allocation is dependent on the allocation of the Primary Impacted BU for Internal Loss Data)
- Meets regulatory requirements, e.g. the requirement to provide regulatory reporting of internal incidents by Basel Event Type

The key responsibilities of the Incident Verifier are to:

- Confirm that the incident meets the minimum reporting threshold
- Confirm that there is no duplication of incidents
- Ensure the quality of the data provided (i.e. that it is usable, sufficiently detailed, accurate and complete), such that the reader can obtain a clear understanding of the incident, (potential) impact and underlying cause(s). If there is not enough information or clarity as to what caused the incident, the Incident Verifier contacts the Incident Identifier for additional information
- Review the potential financial impact and estimated financial impact

Financial Impact

Financial impact is defined as the direct loss or gain resulting from the actual operational risk incident as well as other associated direct costs. Note that within ACCORD the incident verifier must capture both the Potential and the Estimated financial impact.

Potential Financial Impact

The potential financial impact is the total gross financial impact for the incident at the time of identification i.e. the maximum financial impact that the incident could have. After verification, potential financial impact can no longer be amended.

Estimated Financial Impact

The estimated financial impact indicates what financial impact is required to be captured in the General Ledger. This number may be amended throughout the life cycle of an incident, until investigation confirms its final value.

Any cost that is incurred directly and solely because of the operational risk incident, not just the actual loss of e.g. fraud or processing error, should be included in the financial impact of the incident (see Appendix 1).

The estimated financial impact of an incident is required to be reviewed throughout the life of the incident until the incident is rectified and closed. The incident data for the estimated financial impact (together with other aspects of the progress of IM) must be updated in ACCORD, whenever there is a significant change.

Review and ensure that Primary Caused BU and Primary Impacted BU are completed correctly


Primary Caused Business Unit

The Primary Caused BU is the owner of the control or process weakness which gave rise to the incident. A control breakdown will include a situation where controls were not performed as required through, e.g., poor design, application or execution. Where an incident has been allocated to an incorrect BU Caused, the Incident Verifier must consult with the Incident Verifier from the correct BU Caused and agree an approach to the submission of the incident in ACCORD. The Incident Verifier should not reject an incident on the basis of the incorrect BU Caused being allocated.

Primary Impacted Business Unit

The Primary Impacted BU is the BU that bears the majority of the impact of an incident. Generally, this is the BU that bears the financial loss. It is important for this categorisation to be accurate, as the capital model uses the Primary Impacted BU. Where an incident affects a product or customer, the impacted BU is defined as the BU that earns the revenue from the affected product or customer and has an associated real economic profit target (a list of such BUs is maintained by the Division Finance teams). There can be multiple BUs that cause an incident and multiple BUs that are impacted by the incident; however, there will be only one Primary Caused BU and one Primary Impacted BU. The Primary Caused BU and Primary Impacted BU can be the same.

Ensure that the correct Basel Business Line (BBL) and Basel Event Type are recorded (see Appendices 2 and 3). The Basel Business Line (BBL) relates to the business area that bears the financial loss (i.e. the Primary Impacted BU) and the business activity that it relates to. This information is a key input into the Operational Risk Economic & Regulatory Capital Model. An incorrect choice could negatively impact your BU during the operational risk capital model reviews. It should be assessed at an incident level, see example below.

Basel Business Line mapping - example

Due to an oversight, incorrect fees for a margin lending product were calculated and communicated to retail customers. Margin Lending is the Primary Impacted BU and will bear the financial impact.

An incident is lodged and during verification the Incident Verifier decides that the correct BBL is 'Trading & Sales' due to the fact that margin lending rolls up into the equities business at the GM level.

However, the BBL should be chosen at the incident level and not necessarily the GM level. The BBL for an individual incident must align with the business activity that it relates to (in this case margin lending to retail customers). In this instance, 'Retail Banking' should be chosen as the correct BBL.

Incidents form part of the input data for the model and the correct categorisation will ensure that the incident is reflected correctly for capital allocation purposes. The Location is the country of occurrence rather than the city.

Ensure that the correct Product and Process have been chosen by the Incident Identifier. If this information was not provided, the Incident Verifier must enter this information (see Appendices 4 and 5).

Product and Process and the event classifications are aligned to the Basel Event Categories. The Product field consists of 12 Level 1 categories (e.g. equities) and further Level 2 product categories (e.g. exchange traded securities and derivatives) and the Process field consists of 17 Level 1 processes (e.g. deliver products and service).

Classify the incident by applying the criteria set out in the below table. Incidents must be classified into one of five categories: Extreme, Very High, High, Medium, or Low. The incident must be given the highest classification of any of the criteria satisfied.


Criteria columns: Gross Financial Impact (actual and/or potential); Non-Compliance (actual and/or potential); Customer Impact; Staff Impact; Reputation Impact.

Extreme
- Gross financial impact: greater than AUD20m
- Non-compliance: (none specified)
- Customer impact: significant impact to most/all of customer base, channels, regions or portfolios
- Staff impact: widespread industrial action or significant impact to most/all of our people
- Reputation impact: sustained national adverse media attention and/or substantial long term damage

Very High
- Gross financial impact: greater than AUD2m but less than AUD20m
- Non-compliance: (none specified)
- Customer impact: significant impact to most customers in one channel, region or portfolio
- Staff impact: loss of key specialists or team(s) or significant adverse impact to our people in more than one line of business
- Reputation impact: sustained local media attention and/or substantial medium to long term damage

High
- Gross financial impact: greater than AUD500k but less than AUD2m
- Non-compliance: any significant non-compliance with Legal/Regulatory requirements, including all ML/TF incidents
- Customer impact: impacts some part of customer base, channel, region or portfolio
- Staff impact: some impact to our people in more than one line of business
- Reputation impact: local adverse media attention and/or substantial short to medium term damage

Medium
- Gross financial impact: greater than AUD100k but less than AUD500k
- Non-compliance: more than two recurrences of non-compliance previously classified as Low
- Customer impact: impacts small part of customer base, channel, region or portfolio
- Staff impact: some impact to our people in more than one team within one line of business
- Reputation impact: limited adverse media attention and/or some short term damage and/or complaints to industry complaints body

Low
- Gross financial impact: less than AUD100k
- Non-compliance: any non-compliance
- Customer impact: minimal impact to part of customer base, channel, region or portfolio
- Staff impact: minimal impact to our people and limited to local team
- Reputation impact: no publicity and/or minor short term damage

For example, if an incident has a likely financial impact of less than AUD100k but impacts some part of our customer base, channel, region or portfolio, the incident must be classified as 'High'.

Incident classification

Customer credited with incorrect amount - A manual customer request to transfer funds from a Westpac account to an external bank account is incorrectly completed and processed. Customer detects the transfer of AUD3m in the external account instead of AUD300k. Error was caused by numbers being unclear on the voucher (3 zeros after the decimal point). Classification: 'Very High' as the financial impact is AUD2.7m.
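The "highest classification of any criterion satisfied" rule from the table above, carried through as an added Python example that is not part of this guidance or of ACCORD. Assumptions are marked in the code: band lower bounds are treated as inclusive (the table's "greater than"/"less than" wording leaves exact boundaries open), amounts are AUD-equivalent, the non-compliance keys are constructed labels for the table's three populated cells, and the section 2.3.2 non-compliance threshold is not modelled.

```python
"""Incident classification and amount-driven workflow flags (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3
    EXTREME = 4


# Gross financial impact bands, highest first: (lower bound in AUD, level).
# Assumption: each lower bound is inclusive, which matches the NZD 100,000
# potential impact being classified Medium in the section 8.1 example.
FINANCIAL_BANDS = [
    (20_000_000, Level.EXTREME),   # greater than AUD20m
    (2_000_000, Level.VERY_HIGH),  # AUD2m to AUD20m
    (500_000, Level.HIGH),         # AUD500k to AUD2m
    (100_000, Level.MEDIUM),       # AUD100k to AUD500k
]                                  # below AUD100k: Low

# Non-compliance column: the table only populates High, Medium and Low.
# The keys are constructed labels for those three cells.
NON_COMPLIANCE_LEVELS = {
    "none": None,
    "any": Level.LOW,              # any non-compliance
    "repeated_low": Level.MEDIUM,  # more than two recurrences previously classified Low
    "significant": Level.HIGH,     # significant Legal/Regulatory, incl. all ML/TF incidents
}

RECORDING_THRESHOLD = 20_000   # minimum recording threshold: >= AUD20k
INSURANCE_THRESHOLD = 250_000  # insurance assessment when potential loss >= AUD250k
LITE_LIMIT = 50_000            # 'Lite' treatment when impact < $50,000 (never for Compliance incidents)


@dataclass
class Incident:
    potential_impact: float                    # gross potential financial impact (AUD)
    estimated_impact: float = 0.0              # gross estimated (actual) financial impact (AUD)
    non_compliance: str = "none"               # a key of NON_COMPLIANCE_LEVELS
    customer_impact: Optional[Level] = None    # level reached on the Customer Impact column
    staff_impact: Optional[Level] = None       # level reached on the Staff Impact column
    reputation_impact: Optional[Level] = None  # level reached on the Reputation Impact column
    compliance_incident: bool = False          # Compliance incidents always need full details


def gross_impact(inc: Incident) -> float:
    """Actual and/or potential impact: whichever is the greater."""
    return max(inc.potential_impact, inc.estimated_impact)


def financial_level(amount: float) -> Level:
    """Map an AUD amount to its band (inclusive lower bounds, see above)."""
    for lower_bound, level in FINANCIAL_BANDS:
        if amount >= lower_bound:
            return level
    return Level.LOW


def classify(inc: Incident) -> Level:
    """The incident takes the highest classification of any criterion satisfied."""
    levels = [financial_level(gross_impact(inc))]
    for lvl in (NON_COMPLIANCE_LEVELS[inc.non_compliance], inc.customer_impact,
                inc.staff_impact, inc.reputation_impact):
        if lvl is not None:
            levels.append(lvl)
    return max(levels)


def workflow_flags(inc: Incident) -> dict:
    """Downstream steps that hinge on the amounts (sections 5, 7 and 8)."""
    return {
        "meets_recording_threshold": gross_impact(inc) >= RECORDING_THRESHOLD,
        "insurance_assessment": inc.potential_impact >= INSURANCE_THRESHOLD,
        "lite_eligible": gross_impact(inc) < LITE_LIMIT and not inc.compliance_incident,
    }


if __name__ == "__main__":
    # Worked cases taken from this guidance (GBP amount treated as AUD-equivalent).
    cases = {
        "customer credited AUD2.7m in error": Incident(potential_impact=2_700_000),
        "under AUD100k but impacts some part of customer base":
            Incident(potential_impact=90_000, customer_impact=Level.HIGH),
        "duplicated GBP20m payment": Incident(potential_impact=20_001_610.97),
        "pre-payment quote error, Lite column":
            Incident(potential_impact=40_000, estimated_impact=25_000),
    }
    for name, inc in cases.items():
        print(f"{name}: {classify(inc).name} {workflow_flags(inc)}")
```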

Assign Mandatory Stakeholders for Primary Caused and Additional Stakeholders for Primary Impacted BUs based on the incident classification (see table above)

Notifying the Mandatory Stakeholders in a timely fashion supports Westpac's risk culture and ensures that the priority given to the incident receives the appropriate level of oversight. In particular, the stakeholders from the risk function provide independent oversight of the incident and its management.


ACCORD will automatically generate and send a notification e-mail to each of the Mandatory Stakeholders that were entered by the Incident Verifier into ACCORD.

Assign an Incident Owner which is generally from the Primary Caused BU (the Business Unit in which the incident originated) in accordance with the incident classification table (see table above). As with all stages in the incident management process, communication with the necessary stakeholders is important. Discussing with the necessary members prior to assigning any ownership will assist in the matter being owned quickly and save any possible confusion.

Assign a Rectification Manager. Assigning a Rectification Manager should be done in consultation with the primary caused BU and proposed Incident Owner/Rectification Manager. Effective communication throughout this process is important.

Confirm the incident has been flagged correctly as credit risk (ref to the CROPs decision tree) or market risk (if applicable)

Assess whether the incident has a compliance impact and assign a Compliance Assessor where applicable. If the Incident Verifier is uncertain whether there is a compliance impact or not, 'unsure' may be selected. These incidents will then be assessed by a Compliance Assessor. Incident Verifiers should only select 'No' in situations where they are certain that there is no compliance impact

Determine if the incident should be flagged as 'sensitive', i.e. if it contains sensitive information that normal users should be restricted from accessing or viewing, e.g. AML/CTF incidents or harassment cases

If there is a Legal contact for the incident, obtain all ACCORD updates from that Legal contact. Include the name of the Legal contact and only include updates that have been specifically provided as updates for ACCORD by the Legal contact. If subject to legal privilege, insert the disclaimer upon receiving advice from Legal

5.1 Incident Verification - Example

Incident Verification

On 22 Nov 2011, a Money Market Deal of GBP20m @0.42 Principal for XYZ Overseas Bank and Interest repayable on maturity (GBP20,001,610.97) is accepted, with a start date of 23 Nov 2011 and a Maturity Date of 30 Nov 2011.

On maturity, the payment is completed by a bank officer and released by her supervisor before cut-off. While the payment is still in transit, a different securities supervisor in the same team receives a phone call from XYZ Overseas Bank, advising that the funds have not been received. Without checking SWIFT alliance, the supervisor instructs another staff member to create the payment, resulting in the duplication of the payment.

Example ACCORD entry:

Is this an Incident?: Yes - Incident resulted from inadequate or failed internal processes (operational risk incident)

Minimum recording threshold met?: Yes, ≥AUD20k

Date Incident Occurred: 30 Nov 2011

Date Incident Identified: 02 Dec 2011

Incident Name: Duplication of Payment

Detailed Incident Description (including root cause): WBC money market deal processed by officer/released by Supervisor before cut-off. While in transit, a separate Supervisor received call from customer advising non-receipt of funds. Supervisor ordered a new payment to be created, which was subsequently sent, resulting in duplication. Supervisor releasing duplicated payment had not checked SWIFT alliance, as per existing procedure, due to the timing of the payment. Root Cause: Existing procedures not followed

Primary Caused Business Unit: Global Markets Operations

Primary Impacted Business Unit: FX & C Trading

Product/Process: Foreign Exchange and Money markets (FX and MM) / Perform Settlements and Closing Activities

Basel Business Line Impacted (Level 1/Level 2): Payment & Settlement / External Clients

Basel Event Type (Level 1/Level 2): Execution, Delivery & Process Management / Transaction Capture, Execution and Maintenance

Location: Australia

Currency: GBP

Potential Financial Impact: GBP 20,001,610.97

Financial Impact positive or negative: Negative

Estimated Financial Impact: Zero

Classification of the incident: Extreme

Flag the incident as Credit Risk related?: No

Flag the incident as Market Risk related?: No

Flag the incident as sensitive?: No

Compliance Impact?: No

Assign the Incident Owner, Rectification Manager, Mandatory Stakeholders and Additional Stakeholders: Done

Identification source: Employee - Internal

5.2 Rejecting an incident

Should an incident not meet the required criteria, it is advisable to speak with the person who logged the incident before rejecting it. In some instances, the identifier may have had limited information at the time of logging, and having a discussion (where appropriate) could save unnecessary rework or confusion. If the information can be obtained and meets the materiality thresholds, the verifier should update the incident with the new information and not reject it.

As previously advised, communication is the most important tool in the incident management process; it is important to discuss the incident with the right stakeholders, who can provide the correct or additional information.


6 Incident Ownership

The Incident Owner must have accepted ownership of the incident within five business days of the incident having been identified.

Incidents that have not been owned within the current five day policy requirement will be escalated weekly to the responsible CRO and on a monthly basis to the relevant Group Executive. In the event that ownership of an incident cannot be agreed between the relevant business units, the Group Head of Operational Risk and Insurance will make a determination on ownership in consultation with the GM, Operational Risk and Assurance, with notification to the Group CRO.

Technology, Fraud and Occupational Health & Safety incidents must be progressed and escalated through to the acceptance of the ownership stage within five business days of the incident being recorded within ACCORD. This is because these incidents are initially recorded, owned and managed in different systems and are recorded in ACCORD at a later date if the minimum reporting thresholds are met. The Incident Owner has the following responsibilities:

- Take accountability for the incident
- Retain the ownership for the life of the incident
- Manage and oversee the rectification of the incident until closure
- Take action to prevent reoccurrence

It is important to note that taking ownership does not imply that the primary 'caused' business unit will automatically bear all associated costs of the incident.

If the Incident Owner does not accept the incident within three business days of the incident verification date, an escalation e-mail notification will be sent to the BU Head of Operational Risk.

It is the responsibility of the BU Head of Operational Risk to remind the Incident Owner of their responsibilities in the IM process.


7 Assessments

A Compliance or Insurance assessment may be required where the minimum requirements are met:

Compliance assessment - performed for all incidents where a 'compliance impact' is flagged as either 'yes' or 'unsure'. Compliance assessments must be performed by the Compliance Assessor (nominated by the Incident Verifier) for incidents with a compliance impact or a potential compliance impact (refer to section 2.3.2 Non-compliance threshold). Compliance assessments are also subject to the AFSL Breach Policy.

Insurance assessment - performed for all incidents where potential loss is equal to or greater than AUD250k. ACCORD will automatically send a notification to Group Insurance when an incident falls within the above criteria. The threshold is in line with the notification obligations that Group Insurance has to Westpac's Underwriters.

The Incident Identifier, Verifier and/or Rectification Manager should escalate any potential compliance breaches immediately to their relevant Compliance Advisor to ensure timely assessment of the incident and reporting to the regulator if required.

The agreed issues and actions from the assessments (if any) must be incorporated in the rectification plan in ACCORD, which is managed by the Rectification Manager.

8 Incident Rectification

The Rectification Manager coordinates the development and execution of a rectification plan in conjunction with the Incident Owner, Group Insurance, Compliance, BU Finance Representatives, and other relevant stakeholders.

The Rectification Manager must review recommendations from any assessments that had to be undertaken and incorporate them into the rectification plan. Additionally, the Rectification Manager must ensure the correct treatment and capture of financial information in ACCORD by working closely with the BU Finance representatives.

During the rectification process, it is important to remember that ACCORD is a system that assists with the workflow; it does not drive rectification activities on its own. Stakeholder engagement is critical to the process, and incident identifiers and verifiers play a key role.

The responsibilities of the Rectification Manager include:

- Assess the circumstances of the incident, identify the control weaknesses that led to the incident occurring and determine the potential direct financial impact
- Link to an issue and develop the rectification plan in conjunction with the Incident Owner, BU Finance Representative and other stakeholders (as required) and implement actions from the rectification plan to prevent re-occurrence of an incident
- Notify the relevant Control Owner(s) at the point at which an issue is raised
- Ensure that findings and recommendations from the Insurance and/or Compliance assessments are incorporated in the rectification plan (where applicable)
- Ensure that information updates are captured in an accurate and sufficiently detailed manner over the life of the incident
- Notify the BU Finance Representative of the estimated direct financial impacts and agree the treatment of the financials, including all direct losses (and gains), costs (including provisions), recoveries and write-offs resulting from the operational risk incident
- Consult with the BU Finance Representative to identify the correct accounts in the General Ledger (GL) and accurately reflect the financial impact in ACCORD
- Gather all incident journal entries from the BU Finance representative and update them accordingly in ACCORD
- Check with the BU Finance representative that the ACCORD Incident ID has been included on the Journal Description
- Incident Financial Entries status must be 'Final', not 'Draft'
- Fraud incident financial entries must be updated per FCM's advice by the 5th and 17th business day of each month
- Prior to closing an incident, confirm with the BU Finance representative whether provisions have been reversed out or a loss has been incurred, and ensure financial entries are recorded correctly in ACCORD
- Provisions in the General Ledger must be released before the incident is closed
- If there is a Legal contact for the incident, obtain all ACCORD rectification updates from that Legal contact. Include the contact's name and only include updates in ACCORD that have been specifically provided by the Legal contact
- The Dispute Resolution Group should be consulted if the incident has possible confidentiality concerns (i.e. an incident with prospects of litigation or an internal matter requiring confidentiality)
- Link the incident to the relevant risk or control
- Provide regular status updates to the Incident Owner and relevant stakeholders
- Ensure that the incident is ready for closure and recommend incident closure to the Incident Owner

Procedures to be followed for these steps are set out in Appendix item 7 and must be followed by the Rectification Manager, BU Finance Representative and Group Accounting.

Once a rectification plan has been formulated, the Rectification Manager should then create action items in ACCORD under the Issue to enable the individual components of the rectification plan to be managed. Each Action item is then assigned an action owner, which enables stakeholders to track the progress of all rectification steps. Guidance on how to create an Action Item in ACCORD is outlined in the following hyperlink:

https://wbcspaces.intranet.westpac.com.au/risk/teams/orc/ACCORD/QRG/Issue%20and%20Action%20Management.pdf

When inputting the action into ACCORD, the Rectification Manager should ensure the action is clear and aligned with the rectification plan, including due dates. The Rectification Manager should discuss and agree action item ownership prior to assigning an Action to an owner in ACCORD.

'Lite' treatment for incidents with potential or actual financial impact less than $50,000

Incidents with a potential or actual financial impact (whichever is the greater) of less than $50,000 (gross recovery) can be fast tracked in ACCORD via a 'Lite' treatment. The 'Lite' treatment is optional and it impacts the rectification stage of the incident management process only.

For 'Lite' incidents, capturing the following data is no longer required:

- Details of the root cause analysis and rectification plan.
- Linking the incident to a risk, control, and issue (when closing an incident it can be linked to a dummy issue called 'Lite Incident').
- Status updates and a final report about the rectification. Only a short closing comment is required to be entered.

The option to take a Lite approach will not apply to Compliance incidents, for which full details are required to be entered as per the current procedures/guidance.

8.1 Incident rectification - Example

Incident Rectification

On 29 June 2007, a customer signed a 5 year fixed rate agreement. In December 2008 the customer enquired about a prepayment quote. An incorrect quote was provided by the staff member and the customer went to the Banking Ombudsman in February 2009. Following the complaint, the bank agreed with the Banking Ombudsman recommendation and the dispute was settled, resulting in a loss.

Example ACCORD entry (depending on whether or not the 'Lite' treatment applies). Where the two treatments differ, the first value applies to an incident with potential or actual gross financial impact > $50,000 AUD and the second to an incident with potential or actual gross financial impact ≤ $50,000 AUD ('Lite treatment').

Is this an Incident?: Yes - Incident resulted from inadequate or failed internal processes and people (operational risk incident)

Minimum recording threshold met?: Yes, ≥AUD20k

Date Incident Occurred: 29 Jun 2007

Date Incident Identified: 1 Feb 2009

Incident Name: Pre-payment quote error

Detailed Incident Description (including root cause and rectification plan summary) [8]:

> $50,000: On 29 June 2007, the customer signed a 5 year fixed rate agreement. In December 2008 the customer enquired about a prepayment quote. An incorrect quote was provided by the staff member and the customer went to the Banking Ombudsman in February 2009. Following the complaint, the bank agreed with the Banking Ombudsman recommendation and the dispute was settled, resulting in a loss. Root cause analysis: Lack of training provided to the staff member resulted in the miscalculation of the prepayment cost quote. Rectification plan: provide additional training to staff members on procedures; improve the Complaints review process.

≤ $50,000 (Lite treatment): On 29 June 2007, the customer signed a 5 year fixed rate agreement. In December 2008 the customer enquired about a prepayment quote. An incorrect quote was provided by the staff member and the customer went to the Banking Ombudsman in February 2009. Following the complaint, the bank agreed with the Banking Ombudsman recommendation and the dispute was settled, resulting in a loss.

Primary Caused Business Unit: WNZL Retail

Primary Impacted Business Unit: WNZL Retail

Product/Process: Commercial & Industrial Loans / Deliver Products & Services

Basel Business Line Impacted (Level 1/Level 2): Retail Banking

Risk Category 1 / 2: Execution, Delivery and Process Management / Customer/Client Account Management

Currency: NZD

Potential Financial Impact: $100,000 (> $50,000) / $40,000 (Lite)

Financial Impact positive or negative: Negative / Negative

Estimated Financial Impact: $75,500 (> $50,000) / $25,000 (Lite)

Classification of the incident: Medium (> $50,000) / Low (Lite)

Flag the incident as Credit Risk related?: No

Flag the incident as Market Risk related?: No

Flag the incident as sensitive?: No

Compliance Impact?: No

Identification source: NZ Banking Ombudsman - External

Reason for closure: Settlement with customer reached. Investigation and recommended actions complete. Incident can now be closed

Add financial entries (with Final status) that correspond to the GL entries: YES / YES

Status update for issues/actions associated to the incident: YES / OPTIONAL

Link the incident to an Issue and associated actions: YES / OPTIONAL (only linkage to a dummy issue called 'Lite Incident' is required)

Linking the incident to a risk, control: YES / OPTIONAL

[8] Details of the root cause analysis and rectification plan are not required when applying the 'Lite' treatment to incidents with potential or actual gross financial impact under $50,000 (this does not apply to Compliance incidents, for which full details are required).


9 Incident Closure

When all rectification activities have been completed, the Rectification Manager requests closure of the incident from the Incident Owner. The Incident Owner is accountable for ensuring the satisfactory resolution of an incident and makes the final decision whether it is ready to be closed.

In order to close an incident, the following must be completed by the Rectification Manager and then checked by the Incident Owner:

- All financial entries have been recorded correctly in ACCORD
- All provisions in the GL have been released (i.e. balance is 'zero')
- Insurance and/or Compliance assessments have been completed (where applicable)
- All relevant supporting documents are attached to the incident
- All linked issues have been actioned and closed (this includes issues and actions related to regulatory issues; confirm with Group Regulatory Affairs if unsure)
- Incident is linked to the appropriate risks or controls in ACCORD. This is optional for Incidents with a potential or actual financial impact under $50,000 (net recovery).

If the Incident Owner accepts the closure, the incident will be closed and a notification sent to all stakeholders. However, should the Incident Owner not accept the closure within two business days, an escalation e-mail notification will be sent to the BU Head of Operational Risk. It is the responsibility of the BU Head of Operational Risk to remind the Incident Owner of their responsibilities within the IM process.

In closing the incident, the Rectification Manager and Incident Owner are providing confirmation that all policies and procedures have been followed and the information contained in ACCORD is complete and accurate.

10 Re-Opening of Incidents

A closed incident should only be re-opened if there is a need to update the incident due to new information. The Rectification Manager must request approval for re-opening the incident from the Incident Owner. The Incident Owner will receive the notification and decides to accept or reject the re-opening request within two business days; otherwise a notification will be sent to the BU Head of Operational Risk. Once accepted, a notification will be sent to the Rectification Manager and all Mandatory Stakeholders.


11 Data Quality

All people involved in the IM process must ensure that the minimum standards of data quality are met. The principles of these quality standards are set out in more detail in the Data Policy.

Roles and responsibilities:

Business Unit Finance
- Confirms the financial impact of an incident and determines the accounting treatment
- Initiates actions to accurately reflect the financial impact of the incident in the GL
- Supports Rectification Managers to resolve reconciling items identified by the quarterly GL reconciliation
- Assists in the GL reconciliation process
- Monitors the non-lending loss accounts and ensures all entries ≥ AUD20k have supporting documentation from ACCORD

Operational Risk Leadership Team (ORLT)
- Provides oversight and ownership of operational risk data quality issues

Divisional Operational Risk & Compliance
- Ensures the incident's information is recorded accurately in ACCORD
- Coordinates the investigation of unreconciled items identified during the quarterly Source System and GL reconciliations
- Provides quarterly ILD attestation (signed off by Division Head of Operational Risk)
- Facilitates the inclusion of Source System incidents into ACCORD
- Re-assigns incidents as a result of business restructures

GORI
- Owns and maintains the IM Policy and the Incident Management Procedure and Guidance
- Ensures Division Operational Risk awareness and understanding of the IM Policy
- Monitors compliance with the IM Policy

Risk Systems & Data team
- Facilitates the GL and Source System reconciliations and the Legal Risk Review

Source System (FCM, STARS) Owner
- Reports incidents to Group l Risk at a minimum every month
- Provides a Source System extract to support the Source System quarterly reconciliation

ACCORD Support team
- Helpdesk and ACCORD Intranet provide support and maintenance with regards to ACCORD access management, data changes (e.g. business restructures) and training materials


12 External Reporting

In each of Westpac's jurisdictions, certain incidents have to be reported to regulators in order to comply with specific regulatory requirements. In Australia, Westpac reports incidents to:

- APRA: Australian Prudential Regulation Authority
- ASIC: Australian Securities and Investments Commission
- AUSTRAC: Australian Transaction Reports and Analysis Centre
- OAIC: Office of the Australian Information Commissioner (includes the Federal Privacy Commissioner)
- RBA: Reserve Bank of Australia

All potential compliance breaches should be escalated immediately to the relevant Compliance Advisor to ensure timely and appropriate reporting.

All breach reporting to Regulators continues to be made via Group Regulatory Affairs and is subject to the AFSL Breach Policy, Voluntary Disclosure & Legal Professional Privilege Policy and Managing Our Regulatory Relationships Policy.

In the case of a dispute, the final determination about whether an incident is reportable to regulators is made subject to the above-mentioned policies or by the Chief Compliance Officer in conjunction with Group Regulatory Affairs.

13 Internal Escalation Reporting

The Systems & Data Team issues a report on a weekly basis to both the Operational Risk Leadership Team and the Enterprise Risk Leadership Team providing a notification and commentary on all incidents with a potential impact exceeding $1 million.

On top of the $1 million weekly reporting there is also a list of mandatory stakeholders provided (see Appendix item 6) who are required to be added to the incident in ACCORD for escalation purposes in line with the incident classification level (see Section 5).


Appendix 1 Direct vs. Indirect Financial Impact

For each category, the items treated as Direct Financial Impact and those treated as Indirect Financial Impact are listed.

Staff Impacts
Direct Financial Impact:
- Costs of hiring or use of external parties to investigate and rectify an incident or to fill the role of permanent staff diverted to investigate and rectify the incident.
- Costs of work performed by an external party, under an existing contract, where the work diverts resources from planned activities.
Indirect Financial Impact:
- Remuneration of internal staff with a direct involvement in the management of incidents as part of their normal role in the business.
- Incremental increase in staff costs as a result of a decision to change the processes, people or systems to mitigate risk.

Physical Asset Impact
Direct Financial Impact:
- Cost of replacing assets, e.g. IT hardware, property, damaged as a direct result of an operational risk incident and required to restore the business to the position prior to the incident; this includes rental costs for any equipment utilised during the recovery period.
Indirect Financial Impact:
- Investment in assets, e.g. IT hardware, property, planned by the business and/or not directly related to an operational risk incident.

Project Impact
Direct Financial Impact:
- Budgeted/actual administration, management and delivery costs associated with projects (formal and informal) established to support the rectification of an incident.
Indirect Financial Impact:
- Incremental project costs due to approved scope changes, unforeseen/unexpected events, reprioritisation or inefficiencies and not directly associated with an operational risk incident.

Regulatory Impact
Direct Financial Impact:
- Direct value of fines and penalties imposed by the Regulators and other authorities.
- Costs arising from regulator-imposed remediation activities.
Indirect Financial Impact:
- Costs associated with scheduled on-site visits by Regulators or other authorities or investigations or notifications.

Legal Cost
Direct Financial Impact:
- Legal fees incurred where external legal counsel is required to deal with specific matters associated with an incident.
Indirect Financial Impact:
- Cost of legal advice obtained during the normal course of business, both internal and external.

Claims/Compensation
Direct Financial Impact:
- Compensation or claim amount paid, e.g. as a result of a WH&S claim, failure to settle.
- Damages or costs arising from legal action against the Bank, e.g. for breach of duty or disclosure of confidential information.

Trading Impact
Direct Financial Impact:
- Direct value of loss/gain that has materialised as a result of an erroneous trade and any good value claims and interest on funding the position.

Fraud Impact
Direct Financial Impact:
- Monetary loss/gain to the Bank as a result of fraud.

Revenue Reversal/Negative Revenue
Direct Financial Impact:
- Reversal of revenue, e.g. fee or interest income, originally recognised in a prior accounting period/financial year.

Opportunity Cost
Indirect Financial Impact:
- Opportunity costs foregone as a result of an operational risk incident.

Tax Impact
Direct Financial Impact:
- Adverse tax consequences arising from the incident, i.e. tax the Bank would not have been liable for had the incident not occurred or the resulting fines.
- Increased/decreased tax liability as a result of errors in the tax calculation, the supporting model or the underlying assumptions originally recognised in a prior accounting period/financial year.
Indirect Financial Impact:
- Direct and indirect tax arising on losses/gains, costs and recoveries, e.g. corporate tax, GST.
- Increased/decreased tax liability as a result of errors in the tax calculation, the supporting model or the underlying assumptions originally recognised in the same accounting period/financial year.


Appendix 2 Basel Business Lines

Each Basel Business Line (BBL) is listed with its Category 1 description, its Category 2 sub-lines with examples of business activities, and examples of incidents that may be allocated to it.

BBL 1 Corporate Finance

Category 1: Structuring, issuance or planned placement of securities and similar instruments, not just for capital raising. Mergers and acquisitions (M&A), underwriting, privatisations, securitisation, research, syndications, IPOs, secondary private placements, holdings of debt (government, high yield) and equity.

Category 2:
- Corporate Finance: Non-municipal and government clients - underwriting, privatisations, securitisations, debt (government & high yield), equity, syndications, IPOs, private placements, M&A, research
- Municipal/Gov. Finance: Underwriting - bonds, syndicated loans, asset backed securities (ABS), privatisations & disposals. Westpac is currently not active in this business line.
- Merchant Banking: Banking that specialises in providing financial services such as accepting bills arising out of trade, underwriting management of new issues, providing advice on M&A, foreign exchange (FX), temporary financing for leveraged buy outs (LBO), portfolio management, credit syndication. This does not include credit/debit card facilities provided to merchants.
- Advisory Services: Strategic planning in terms of balance sheet restructuring - acquisitions or disposals, establishment of subsidiaries for financial optimisation, tax planning. Westpac is currently not active in this business line.

Examples of incidents that may be allocated to this BL:
- Asset financing systems failed to pick up that company provided finance against an asset with the same serial number twice
- Bond coupon payment to counterparty is missed (payment was not authorised) due to staff not knowing how to process the transaction
- During the preparation of the prospectus for a debt raising, a factual error is included in the documentation
- Errors when advising corporations on raising funds through bond, equity or money market issues

BBL 2 Trading & Sales

Category 1: Products/positions held in the trading book and corporate investments such as fixed income, equity, FX, commodities, credit trading, funding, lending and repurchase agreements and brokerage (other than retail brokerage)

Category 2:
- Sales: Sales activities such as FX and commodities distribution or sales related activities for commodities, carbon and energy
- Market Making: Market maker (i.e. a company that quotes a buy as well as a sell price for financial instruments) trades equities, FX or commodities in order to make money from the bid-offer spread
- Proprietary Trading: Where any part of the Group, or an employee acting on behalf of the Group, actively trades financial instruments on its own account (i.e. using the Group's funds as opposed to the customer's money) with the aim of making a profit
- Treasury: Funding and capital management for the Group and its subsidiaries, portfolio risk management

Examples of incidents that may be allocated to this BL:
- Contravention of ASX Business and Market Rules by failing to send out confirmations for equity securities transactions to its customers within the required timeframe resulted in a fine imposed by the ASX Disciplinary Tribunal
- Settlement failures due to operational risk events such as system outage
- A coding error caused a company's quantitative investment model to improperly calculate risks for its proprietary trading
- Losses are accumulated as a result of poorly documented OTC derivative contracts
- A rogue trader, through fictitious transactions that concealed the bank's risk exposure, causes the bank to lose a substantial amount

BBL 3 Retail Banking (see notes 9 and 10 below)

Category 1: Retail lending and deposit-taking, banking services, trust and estates, including the following retail products and services: bank branches, ATMs, issue and administration of cards, credit card terminals, savings accounts, loans, money transfers, cash transactions. Retail banking caters to retail clients, i.e. Consumer and SME banking, and includes Westpac SME (regional & metro), St George (enterprise & business), Bank SA (enterprise & business) and Bank of Melbourne (enterprise & business)

Category 2:
- Retail Banking: Retail loans, retail deposits, banking services, trusts & estates, investment advice
- Private Banking: Private Banking offers high net worth clients a broad range of products and services that can be specifically tailored to them (e.g. private loans, private deposits, banking services, trusts & estates, investment advice). Westpac Private Bank: AUD2.5m balance sheet and/or AUD400K gross income. St George Private Clients/Bank of Melbourne Private: AUD2m balance sheet and/or AUD250K gross income
- Card Services: Merchant, commercial and corporate cards, private label, credit & debit cards

Examples of incidents that may be allocated to this BL:
- Incorrect calculation of interest payments due, e.g. deposit accounts
- Incorrect retail loan documentation is processed and approved
- Robbery and destruction of ATM
- Losses due to physical damage to branches and unrecoverable loans due to natural disasters such as earthquakes or floods
- Credit card or cheque fraud
- Bank reached settlement with customers that complained about excessive overdraft fees. Bank commonly processed larger transactions before smaller ones regardless of when they occurred. As a result, some customers unexpectedly incurred overdraft fees

BBL 4 Commercial Banking (see notes 9 and 10 below)

Category 1: Commercial banking caters to wholesale clients, ranging from SME and middle market banking to corporate and institutional customers, and includes Westpac Commercial (metro), Commercial and Agribusiness (regional), St George (corporate/key accounts), Bank SA (major clients) and WIB Corporate Business Group and Institutional business

Category 2:
- Commercial Banking: Commercial lending and deposit-taking, project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees and bills of exchange

Examples of incidents that may be allocated to this BL:
- Fraud perpetrated on letters of credit
- An overdraft facility was established by Operations without following the correct procedure. The loan was established at the default product rate rather than the commercial base rate, resulting in the business having to refund the client overcharged interest
- Incorrect commercial loan documentation is processed and approved

Notes 9 and 10: The general differentiation between Retail Banking and Commercial Banking is as follows:

Retail Banking: All Westpac Group consumer banking activity servicing the banking needs of Affluent and Mass Retail customers (including PFS and Private Banking Customers). All Westpac Group business banking activity servicing the banking needs of business customers with turnover < $5Mil revenue.

Commercial Banking: All Westpac Group business banking activity servicing the banking needs of business customers with turnover > $5mil revenue (i.e. all WIB customers and those RBB Commercial Banking customers falling within this criteria).

Please note that this wording has been provided for general guidance. Where there is uncertainty, contact Group Operational Risk & Insurance for further assistance.

BBL 5 Payment & Settlement

Category 2:
- External Clients: Payments and collections, funds transfer, clearing and settlement (Westpac does not undertake securities clearing). Payment and settlement losses related to Westpac's own activities should be incorporated in the loss experience of the affected business line

Examples of incidents that may be allocated to this BL:
- Incorrect payment/transfers of client monies
- Incorrect payment/allocation of cash/securities to multiple accounts operated by one customer/client
- Incorrect position statements and valuations

BBL 6 Agency Services

Category 1: This BL includes escrow, depository receipts, securities lending (customers) and corporate actions, issuer and paying agent activity

Category 2:
- Custody
- Corporate Agency
- Corporate Trust: Westpac is not currently active in this line of business

Examples of incidents that may be allocated to this BL:
- Inadequate segregation of clients' money from bank's money, i.e. commingling of funds

BBL 7 Asset Management

Category 1: The key difference between discretionary and non-discretionary fund management lies in the level of management responsibility that the investors give to the service providers

Category 2:
- Discretionary Fund Management: Pooled, segregated, retail, institutional, closed and open discretionary funds management and private equity. In discretionary funds more control is given to the service provider, who takes decisions on behalf of the investor
- Non-discretionary Fund Management: Pooled, segregated, retail, institutional, closed and open non-discretionary funds management and private equity. Companies that have their own in-house investment management teams are often more involved in investment decisions and therefore exercise more control and give less discretion to the service provider

Examples of incidents that may be allocated to this BL:
- Unit Pricing errors / valuation errors
- Investing in instruments outside the investment mandate, e.g. certain types of OTC derivatives

BBL 8 Retail Brokerage

Category 2:
- Retail Brokerage: Execution of brokerage services including services related to the administration

Examples of incidents that may be allocated to this BL:
- Unauthorised access or use of client accounts
- Incorrect order execution

BBL 10 Corporate Items (referred to in ACCORD as 'Not Otherwise Allocated')

Category 2:
- Corporate Items: This business line captures incidents which do not fall into specific business lines but can only be categorised at the corporate level. These are primarily functions that arise in the Corporate Core and impact the group as a whole, e.g. Group Risk, Group Finance, Group People, Finance & Secretariat as well as Technology

Example of an incident that may be allocated to this BL:
- Dispute over a technology sourcing agreement impacting the whole bank

Example of an incident that should not be allocated to this BL:
- Technology system error that causes ATMs to be temporarily unavailable. As retail customers are impacted, this should be mapped as a retail banking incident

Appendix 3 Basel Event Types

Each Basel Event Type (Category 1) is listed with its definition and activity examples.

Internal Fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
Activity examples:
- Transactions not reported (intentional)
- Transaction type unauthorised
- Mismarking of position (intentional)
- Fraud/credit fraud/worthless deposits
- Theft/extortion/embezzlement/robbery
- Misappropriation of assets
- Malicious destruction of assets
- Forgery
- Cheque kiting
- Smuggling
- Account take-over/impersonation, etc.
- Tax non-compliance/evasion (intentional)
- Bribes/kickbacks
- Insider trading (not on ADI's account)

External Fraud
Definition: Losses due to acts of a third party that are of a type intended to defraud, misappropriate property or circumvent the law.
Activity examples:
- Theft/robbery
- Forgery
- Cheque kiting
- Hacking damage
- Theft of information (with monetary loss)

Employment practices and workplace safety
Definition: Losses arising from acts that are inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims or from diversity/discrimination events.
Activity examples:
- Compensation, benefit, termination issues
- Organised labour activity
- General liability (slip and fall, etc.)
- Employee health and safety rules events
- Workers' compensation
- All discrimination types

Clients, products and business practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients, including fiduciary and suitability requirements, or from the nature or design of a product.
Activity examples:
- Fiduciary breaches/guideline violations
- Suitability/disclosure issues (e.g. know your client requirements)
- Retail customer disclosure violations
- Breach of privacy
- Aggressive sales
- Account churning
- Misuse of confidential information
- Lender liability
- Antitrust
- Improper trade/market practices
- Market manipulation
- Insider trading (on the ADI's account)
- Unlicensed activity
- Money laundering
- Product defects (unauthorised, etc.)
- Model errors
- Failure to investigate client per guidelines
- Exceeding client exposure limits
- Disputes over performance of advisory activities

Damage to physical assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events.
Activity examples:
- Natural disaster losses
- Human losses from external sources (e.g. terrorism or vandalism)

Business disruption
Definition: Losses arising from disruption of business or system failures.
Activity examples:
- Hardware
- Software
- Telecommunications
- Utility outage/disruptions

Execution, delivery and process management
Definition: Losses arising from failed transactions processing, process management, relations with trade counterparties and vendors.
Activity examples:
- Miscommunication
- Data entry, maintenance or loading error
- Missed deadline or responsibility
- Model/system mis-operation
- Accounting error/entity attribution error
- Other task mis-performance
- Delivery failure
- Collateral management failure
- Reference data maintenance
- Failed mandatory reporting obligation
- Inaccurate external report (loss incurred)
- Client permissions/disclaimers missing
- Legal documents missing/incomplete
- Unapproved access given to accounts
- Incorrect client records (loss incurred)
- Negligent loss or damage of client assets
- Outsourcing
- Vendor disputes

Appendix 4 Product

Each Product - Level 1 is listed with its number, its Product - Level 2 items and its description.

1 Capital Raising
Level 2: Equity Issuance; Bond Issuance; Structured Products Issuance; Securitisations; Private Placements; Syndications
Description: Structuring, issuance or placement of securities and similar instruments

2 Corporate Finance Services
Level 2: Mergers & Acquisitions; Corporate Advisory Services
Description: Advisory services regarding corporate structure and strategic decisions

3 Exchange Traded Securities & Derivatives
Level 2: Fixed Income; Equities; Commodities; FX and Money Markets; Repos and Securities Lending; Investment Funds; OTC and Securitised Interest Rate Derivatives; OTC and Securitised Credit Derivatives; OTC and Securitised FX Derivatives; OTC and Securitised Equity Derivatives; OTC and Securitised Commodity Derivatives; Other OTC and Securitised Derivatives; Exchange Traded Futures and Options
Description: Trading and sale of all securities and derivatives either via an exchange or over-the-counter

4 Retail Credit
Level 2: Retail Cards; Vehicle Loans; Vehicle Leasing; Student Loans; Mortgages; Home Equity Loans and Lines of Credit; Other Secured Consumer Loans; Other Unsecured Consumer Loans; Other Consumer Leasing; Personal standby letters of credit or guarantees
Description: Financing and related services

5 Commercial Credit
Level 2: Commercial & Industrial Loans; Commercial Real Estate Loans; Construction, Acquisition & Development Loans; Commercial Leases; Commercial Cards; Card Merchant Services; Project Finance Loans; Trade Finance; Standby Letters of Credit, Bank Guarantees, Bankers Acceptances; Factoring; Structured Lending
Description: Financing and related services

6 Deposits
Level 2: Consumer Current Accounts; Consumer Notice Accounts; Commercial Bank Accounts; Commercial Time & Term Accounts; Investment Products
Description: Bank account, deposit services, 'plain vanilla' investment products

7 Cash Management, Payments & Settlements
Level 2: Retail Cash Management; Commercial Cash Management; Electronic Payments; Manual Payments; Clearing; Settlement; Exchange Services
Description: Client management of own cash in/outflows, all forms of payments, clearing, settlement and exchange services

8 Trust/Investment Management
Level 2: Custody Service; Corporate Actions Services; Corporate Trusts; Prime Brokerage; Financial and Estate Planning; Discretionary Portfolio Management; Execution-only Services; Advisory Portfolio Management; Lombard Credits
Description: Various services related to administration and management of estates, trusts, assets, portfolios, etc.

9 Investment Products
Level 2: Fund Administration; Traditional Institutional Asset Management; Alternative Institutional Asset Management
Description: Investment management, execution, administration, operational management services

10 Brokerage
Level 2: Full Service Brokerage; Self Directed Brokerage
Description: Investment advisory, management and execution services

11 Non-Banking Products
Level 2: Non-Banking Products
Description: Other products/services not generally considered part of a bank or investment bank's offering, e.g. insurance

12 Not Product-related
Level 2: Not Product-related
Description: Used for situations not involving products or services

Appendix 5 Process

Each Process - Level 1 is listed with its number and description.

1 Develop, Design and Maintain Products, Services and General Business Capabilities: Identify, design, produce and maintain new financial products, services and capabilities, including the models and methodologies upon which they are based

2 Market Products and Services: Promote the firm and/or its products and services, through general marketing or advertising, including the publication of standard fees, rates, charges, and prices for specific products and services

3 Sell or Reach Agreement to Conduct Specific Business: Sell or offer specific products and/or services of the firm in discussions with individual clients, including the quotation of firm or indicative fees, rates, charges, prices, or the like, with the intent of concluding a specific deal for specific product sales or service delivery

4 Take on and Maintain Clients/Customers, Counterparties & Trade Relationships: Onboard and maintain client or counterparty accounts, including related due diligence, data and documentation

5 Capture and Document Transactions: Record transaction-specific terms and instructions in the processing systems of the firm; also produce related transaction documents

6 Deliver Products and Services: Deliver or fulfil agreed-upon products and services, including the set-up and maintenance of transactions and required arrangements, and agreed-upon non-transaction financial services (trust administration, financial advisory services, sale of research as a product, etc.)

7 Perform Settlements and Closing Activities: The definitive exchange or transfer of assets, currency or other property (commonly in exchange for value), and related transactional mechanics

8 Perform Transaction Accounting: Record transaction and/or position information in the company's accounting records/general ledger

9 Manage HR: Manage human resources, apart from direct business management functions

10 Manage IT: Acquire or design/develop information technology and implement security and incident response measures

11 Manage Financial Reporting and Taxation: Perform financial reporting and control, based on (but not including) general ledger entries made during Transaction Accounting

12 Manage Capital, Funding & Liquidity: Manage the firm's capital account, liquidity and balance sheet

13 Manage Suppliers and Outsourcing Service Suppliers: Selection, on-boarding, management, and oversight of third party vendors and outsourcing service providers

14 Manage Physical Assets and Facilities: Provision and management of physical facilities, equipment and safe workplace environments

15 Manage Compliance, Legal, Governance and Audit: Establish and maintain firm policies, standards, procedures, codes of conduct, and associated compliance controls and testing procedures

16 Manage Risk Systems: Establish risk management processes and methodologies (apart from standard business process and supervisory controls) to record, monitor, evaluate, control or manage risk exposures within the firm

17 Not Process Related: Used for situations where no specific process was involved

Appendix 6 Mandatory Stakeholders

For each incident classification level, the Incident Owner, the Mandatory Stakeholders and the Additional Stakeholders (optional) are listed.

Extreme
Incident Owner: Group Executive (GE) from Primary Caused BU or their delegate, with oversight by the Board
Mandatory Stakeholders:
- Chief Executive Officer
- Group Chief Risk Officer
- Primary Impacted BU Group Executive (GE)
- GM, Operational Risk & Assurance
- Primary Caused BU GM Risk
- Primary Impacted BU GM Risk
- GM Corporate Affairs and Sustainability
- Group Head of Operational Risk & Insurance
- Chief Compliance Officer & Group General Counsel
Additional Stakeholders (optional):
- Chief Financial Officer
- Head of Group Regulatory Affairs (where non-compliance with regulatory requirements)
- Group Head of Financial Crime and Fraud (see note 11)

Very High
Incident Owner: Group Executive (GE) from Primary Caused BU or their delegate, with oversight by the Chief Executive Officer
Mandatory Stakeholders:
- Group Chief Risk Officer
- Primary Impacted BU Group Executive (GE)
- GM, Enterprise Risk
- Primary Caused BU GM Risk
- Primary Impacted BU GM Risk
- Group Head of Operational Risk & Insurance
- Chief Compliance Officer & Group General Counsel
Additional Stakeholders (optional):
- Primary Caused BU Chief Financial Officer
- Primary Impacted BU Chief Financial Officer
- Head of Group Regulatory Affairs (where non-compliance with regulatory requirements)
- Group Head of Financial Crime and Fraud (see note 12)

High
Incident Owner: General Manager (GM) from Primary Caused BU or their delegate, with oversight by the Group Executive
Mandatory Stakeholders:
- Primary Caused BU Group Executive (GE)
- Primary Impacted BU Group Executive (GE)
- Primary Impacted BU GM
- Group Head of Operational Risk & Insurance
- Chief Compliance Officer & Group General Counsel
Additional Stakeholders (optional):
- Primary Caused BU GM Risk
- Primary Impacted BU GM Risk
- Head of Group Regulatory Affairs (where non-compliance with regulatory requirements)
- Primary Caused BU Head of Compliance
- Primary Impacted BU Head of Compliance
- Group Head of Financial Crime and Fraud (see note 13)

Medium
Incident Owner: General Manager (GM) from Primary Caused BU or their delegate
Mandatory Stakeholders:
- Primary Impacted BU GM
Additional Stakeholders (optional):
- Primary Caused BU GM Risk
- Primary Impacted BU GM Risk
- Group Head of Operational Risk & Insurance
- Chief Compliance Officer & Group General Counsel

Low
Incident Owner: GM-1 from Primary Caused BU or their delegate
Mandatory Stakeholders:
- Appropriate Operational Risk, Compliance and/or AML/CTF employees from both the Primary Impacted and Primary Caused BUs

Note: Mandatory stakeholders correspond to the highest positions in the escalation chain. It is expected that people at levels below would have either been involved in the management of the incidents or been cascaded down information from the mandatory stakeholders.

11 For all AML/CTF and/or ML/TF incidents only.

12 For all AML/CTF and/or ML/TF incidents only.

13 For all AML/CTF and/or ML/TF incidents only.

Appendix 7 Rectification Procedures on Financial ImpactThe following procedures must be followed to support the rectification of an incident. They will ensure information about the financial impact of the incident is captured accurately and completely.

Identify

The Rectification Manager must identify the losses (and gains), costs and recoveries associated with, and expected from, an incident at initial identification, when there is a significant development, on closure and overall. ACCORD allows the financial assessment of the incident to be recorded in foreign currencies (if applicable). When utilising this function, all financial assessments are to be entered in the chosen currency. When the currency field is chosen, the following fields are impacted:

Potential Financial Impact Estimated Financial Impact Current Provision Held Total gross amount written off to date Recoveries Net amount written off to date

In identifying the losses (and gains), costs and recoveries the Rectification Manager should understand the following:

- The types of losses (and gains), costs and recoveries can be identified, even if the dollar value may be difficult to determine with absolute certainty, as they are often a direct result of the Incident or of the actions of the Rectification Manager/Incident Owner to manage or rectify the Incident.

- The direct losses (and gains), costs and recoveries of an incident will vary depending on the specific nature of the incident. The following tables will assist Rectification Managers to determine the losses (and gains) and costs to be included in the financial impact.

- Rectification Managers will need to apply their professional judgement and consult with all relevant stakeholders (refer to the Mandatory Stakeholder table in Appendix 6), including their Business Unit Operational Risk Team, if they are uncertain about specific losses (and gains) or costs.

- The incident may be similar to other incidents already experienced at Westpac, and an examination of similar incidents in ACCORD may assist in identifying the types of losses (and gains), costs and recoveries to be expected.

- The actual losses (and gains), costs and recoveries of an incident may only become apparent as the incident develops, and it may not be possible to identify all losses (and gains) and costs when the incident is identified. Some losses (and gains) and costs may only become apparent on, or close to, closure; these must be captured in the financial assessment of the incident and reconciled to the General Ledger.

The losses (and gains), costs and recoveries will take three forms from an accounting perspective:

- actual losses (and gains) that have been realised/actual costs that have been incurred (i.e. the "total amount written off to date", being amounts written off/written back to the profit and loss account)
- known losses (and gains) and costs that have yet to be realised/incurred (i.e. "current provisions held", being provisions in the balance sheet based on the definition and criteria contained in Group Accounting Policy - Provisions: Policy No 4)
- potential losses (and gains) and costs that have yet to be realised and may never crystallise (i.e. contingencies are in ACCORD as part of the potential loss, but are not included in the General Ledger).

The financial impact functionality of ACCORD will assist the Rectification Manager to capture and track the losses (and gains), costs and recoveries associated with an operational risk incident over time.

Confirm

The Rectification Managers must meet with their Business Unit Finance Representative, at a minimum every month or following a significant development, to confirm the financial impact of all open operational risk incidents and confirm the correct accounting treatment (i.e. the amounts to be written off, written back or provided for in the General Ledger).

The Business Unit Finance Representative will need to be aware of and understand the previous accounting treatment and associated entries in the General Ledger, including amounts written off/written back to date, provisions established and receipts/payments made.

Journal entries relating to an operational risk incident must have an ACCORD reference in the journal description. The standard journals required to account for an Incident are as follows:

To write off a loss or cost to the profit and loss account:

Dr NLL profit and loss account (refer table 1 below)
Cr Asset/liability account (based on the specific nature of the incident and the losses/costs involved)

To establish a provision:

Dr NLL profit and loss account (refer table 1 below)
Cr NLL provision account (refer table 2 below)

To write off against a provision:

Dr NLL provision account (refer table 2 below)
Cr Asset/liability account (based on the specific nature of the incident and the losses/costs involved)

To write back a provision:

Dr NLL provision account (refer table 2 below)
Cr NLL profit and loss account (refer table 1 below)

Remember: if a provision has been raised, it must be reversed before an incident is closed.

How to enter financial entries when the account number is not listed in ACCORD:

GL Account Number and Name - do not select "501019 - Op Risk Other" when your financial entry GL account number is not 501019.

1. In the GL Account Number and Name field, select "Other".
2. In the GL Account Other field, type in the financial entry GL account number (for example: 754054).

The table below shows an example:


Most commonly used accounting treatments:

The following tables show examples of the IM General Ledger accounts for WBC:

1. Non Lending Loss accounts in the Profit and Loss Account

Account no.  Description
751020       NLL - Fraud & Staff Malpractice
751060       Non Lending Losses - Other - W/O Direct
751061       NLL - Other - Recoveries - Direct
751070       Non Lending Losses - Chargeback W/O Direct
751026       NLL - Litigation/Legal Costs - W/O Direct
751021       NLL - Fraud & Staff Malpractice Recoveries Direct
751022       NLL - Fraud - Recoveries
751031       NLL - Theft/Robbery Provision
751032       NLL - Theft/Robbery W/O Direct
751035       NLL - Process Errors - W/O Direct
751036       NLL - Workers Compensation W/O Direct - Work Cover Payments
751037       NLL - Workers Compensation W/O Direct - Payments
751038       NLL - Workers Compensation W/O Direct - Legal Costs
751039       NLL - Workers Compensation W/O Direct - Settlement Costs
751047       NLL - Fines
751059       Non Lending Losses - Chess Tolerance

2. Non-Lending Loss provision accounts in the Balance Sheet

Account no.  Description
268010       NLL Provision - Fraud & Staff Malpractice
268012       NLL Provision - Litigation & Legal Costs
268020       Provision - Non Lending Losses - Workers Compensation
268030       NLL Provision - Other

3. Lending Loss accounts (Bad Debts - Credit Loss Accounts)

Account no.  Description
500501       IFRS - Provision - Impaired - Individual Assessment - Gross - Funding
500502       IFRS - Provision - Impaired - Individual Assessment - Funding - Discount
500503       IFRS - Provision - Impaired - Individual Assessment - Gross - Writeback
500504       IFRS - Provision - Impaired - Individual Assessment - Discount - Writeback
500015       IFRS - Provision - Economic Funding Accrual
500016       IFRS - Provision - IBNR - Funding Accrual
500017       IFRS - Provision - Impaired - Collect Assessment - Funding Accrual
500018       IFRS - Litigation Provisions Funding
501010       Bad Debts Written Off Direct - Other
501012       Bad Debts Written Off - Other - Manual Entry
501014       IFRS - Loans write off with recoveries
501015       Personal Loan Fraud Losses
501020       Bad Debts Written Off Direct - Small Balances
501035       Bad Debts Written Off Direct - Fraud
501100       Write Offs - Legal Recovery
502010       Bad Debt Recovered Direct
502011       Bad Debts Recovered Direct - Legal & Recovery Costs
502012       Bad Debts Recovered Direct - Credit - ABG - Manual Entry
502013       Bad Debt Recovered - Debt Sales
502014       IFRS - Loans write off with recoveries - Recovery

All direct costs associated with the incident must be identified and captured. Rectification Managers must communicate with Business Unit Finance and Finance Business Services on a regular basis to ensure these financial impacts are captured accurately and completely.

Update

The Business Unit Finance Representative must provide the Rectification Manager with the cost centre number, General Ledger account number, effective date, Dr or Cr amount, and the currency of each entry in the General Ledger, to allow ACCORD to be updated immediately. The Rectification Manager must update ACCORD to reflect all financial entries and the correct estimated financial impact.


Review

Group Accounting, in FBS, must review the amounts (≥ AUD20k) written off to, or provided for in, the NLL accounts in the General Ledger (refer to tables 1 and 2 above) and must only process those entries with a print of the ACCORD incident attached. Any rejections must be provided to the Business Unit Finance Representative.

The Business Unit Finance Representative must discuss any rejections with the Rectification Managers, confirm that the losses (and gains) and costs are related to an operational risk incident, obtain supporting information from ACCORD as appropriate and liaise with Group Accounting in FBS to allow resubmission. The Rectification Manager must capture any changes in the ACCORD General Ledger reconciliation.


Appendix 8 ACCORD financial reconciliation performed by Risk Systems & Data

The purpose of the ACCORD Financial Reconciliation is to ensure accuracy and completeness of Internal Loss Data in ACCORD for use in regulatory reporting, management reporting and the capital model. The reconciliation process is conducted in January, April, July and October each year, following the calendar quarter just ended. The reconciliation must be completed within four working weeks after quarter end to meet regulatory reporting timelines.

The reconciliation process is performed by checking various data sources against ACCORD. The data sources used are the General Ledger, the material source systems (Nemesis for Fraud and STARS for WH&S) and ACCORD Internal Loss Data for financial impact details. All data for reconciliation purposes is managed by the Enterprise Risk Systems & Data team, which checks accuracy and completeness and sends any exceptions identified to the Division Operational Risk teams.

Business Units and their Rectification Managers are responsible for ensuring that the losses (and gains), costs and recoveries for each incident are complete and accurate in ACCORD. Where an exception is raised for review during the reconciliation process, appropriate action must be taken to ensure ACCORD is correct. The Division Head of Operational Risk must ensure that the reconciliation between ACCORD, the General Ledger and the material source systems is completed satisfactorily each quarter, with all exceptions actioned.

For further guidance, please refer to the Quarterly ACCORD Financial Reconciliation Guidelines:

https://wbcspaces.intranet.westpac.com.au/risk/teams/gr/imforum/ILD%20RECONCILIATION/Forms/AllItems.aspx


Appendix 9 ML/TF incident significant/systemic criteria

Significant or systemic incidents involve one or more of the following:

- any potential TF related incident
- systemic breach(es), control failings and/or weaknesses related to the AML/CTF requirements and/or obligations
- potential employee involvement
- increased employee risk due to the customers involved
- incidents that have the potential to cause a significant reputational impact to Westpac; and
- in addition to at least one of the other elements listed, suspected ML amounts laundered of greater than AUD 1 million.

Cases involving suspected ML/TF activity meeting the above criteria will rarely share the same characteristics or involve customers posing the same type and level of ML/TF risk. Each case should therefore be treated on its own merits. The following two examples are representative only of the type of case that should also be raised and managed in ACCORD as an AML/CTF breach and linked to the impacted risks and/or controls resulting from identification of the ML/TF incident.

Significant ML/TF activity - example 1

A criminal investigation initiated by the Australian Federal Police identified that a Westpac individual customer and a number of associated companies, also with Westpac accounts, were engaged in cash structuring activity. Cash structuring involves the systematic deposit or withdrawal of cash amounts under $10,000, designed to avoid Threshold Transaction Reporting (TTR) obligations. It is commonly connected to the sale of illegal drugs (deposits) and tax avoidance (withdrawals).

Further analysis revealed that in an 18-month period, the customer made more than 1,100 cash withdrawals from three separate Business One accounts, at more than 50 closely located Westpac branches. All withdrawals were for less than $10,000, and in total amounted to over $20 million in cash. Deposits to the accounts were made electronically and by cheque, from businesses linked to farming and fruit/vegetable picking, an industry in which cash is often used to pay illegal labour and avoid tax obligations.

Impacted controls:

- in more than 100 instances, frontline staff had not met manual TTR reporting obligations
- of the more than 50 branches involved, only 5 had lodged SMR reports, indicating a training and awareness gap
- the customer's details had not been correctly verified at onboarding.

Significant ML/TF activity - example 2

A number of Detection Scenario (DS) alerts in the Transaction Monitoring Program (TMP) were triggered when the transactional activity in XYZ Pty Ltd's account suddenly changed. For the first 5 months, there were low level transactions, consistent with a new business. Then, in a 6 week period, in excess of $2.8 million was deposited in cash. The cash transactions were in amounts of at least $50,000 and conducted by third parties at 20 branches across Australia. On the same day as a cash deposit, "John", an employee of the company, would go to his local branch and send the funds to a single entity in Hong Kong.

Impacted controls:

- some branches had not captured any "Person Transacting" (PT) information for the third party cash deposits
- "John" was not the employee's real name and the individual concerned had never been properly identified
- the IFTIs processed for "John" contained the details of a generic bank suspense account and not the complete payer information of XYZ Pty Ltd as defined in the AML/CTF Rules
- only 1 of the 20 branches where cash deposits took place submitted an SMR (noting that the cash smelt strongly of detergent), indicating a potential training and awareness gap.


Appendix 10 Glossary of terms

Term Description

ACCORD ACCORD is Westpac Group's integrated enterprise-wide system for the Operational Risk Management Framework, encompassing operational risk, controls, compliance plans, action plans and Sarbanes-Oxley (SOX) processes. ACCORD is the source of data for the Westpac Group operational risk capital model.

ADI Authorised Deposit-taking Institution.

Australian Financial Services License (AFSL)

An AFSL is a license for any Australian businesses involved in the provision of financial services. It is issued by the Australian Securities and Investments Commission as required by the Corporations Act 2001.

Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) - AML/CTF policy and addenda

Details the responsibilities of Westpac Group's employees and contractors in relation to AML/CTF, including the requirement to report suspicious matters or behaviours in accordance with Division procedures.

Australian Prudential Regulation Authority (APRA)

APRA is the prudential regulator of banks, insurance companies and superannuation funds, credit unions, building societies and friendly societies.

Capital Allocation The process for distributing calculated operational risk capital to each Division and line of business using loss history and scenario analysis.

Capital Calculation Outlines the practice of calculating operational risk capital.

Compliance incidents A compliance incident is an actual, likely or imminent contravention or breach of:
- a compliance obligation of any applicable law or regulation;
- an industry standard or code, such as the ASX Market Rules;
- a material contravention of an internal policy or procedure.

An incident must be recorded in the relevant system for all instances of non-compliance, or likely non-compliance, with legal or regulatory requirements, and escalated to a Compliance Assessor.

Mandatory reporting requirements are in place regarding significant breaches of AFSL obligations, which are based on significance assessment criteria. Refer AFSL Breach Policy for further guidance.

Contraventions of other regulatory requirements, such as the ACL, Privacy Act etc., have no mandatory reporting requirements. They may, however, be subject to other reporting considerations, including those relevant to our external auditors, and should be assessed as to whether a voluntary report to ASIC or any other regulator is required, as per the "Voluntary disclosure and legal professional privilege policy".

Compliance incidents are defined as instances of non-compliance with a legal or regulatory requirement or licence condition. Compliance breaches are incidents of sufficient significance that we are required to notify a regulator of our non-compliance, where significance is determined by considering factors such as the number and frequency of similar incidents, or the impact of the incident on the bank's ability to supply the financial services covered by its licence.

Credit Risk The potential for financial loss where a customer or counterparty fails to meet their financial obligations to the Group

Data quality The measure of the requirement for data to meet the specific needs of business users. Completeness, accuracy, validity, timeliness and consistency are the chief measures of data quality. Data quality efforts tend to focus on validating or transforming data to improve the efficiency of enterprise applications.

Estimated Financial Impact

Estimated Financial Impact is the expected or known total gross financial impact for the incident. It can be a moving value through the life-cycle of an incident until investigation confirms the final value. The estimated financial impact value indicates what financial impact is to be captured in the General Ledger.

External loss data (ELD)

Qualitative and quantitative information about historical operational risk losses experienced by other financial institutions. Westpac sources external loss data from independent suppliers such as the Operational Riskdata eXchange (ORX) and Fitch First database.

Financial impact The direct loss or gain resulting from incidents, as well as other direct costs associated with the incident.

GL General Ledger.

Gross Financial Impact

The financial impact before an allowance is made for a recovery.

GORI GORI is the Group Operational Risk & Insurance team, which has the following responsibilities:
- Owns and maintains the IM Policy
- Ensures Division Operational Risk awareness and understanding of the IM Policy
- Monitors compliance with the IM Policy

Issue Control failures with potentially serious implications for Westpac. Issues can be systemic problems (i.e. where the same or similar problem occurs multiple times indicating an underlying problem).

Lending loss A loss arising from the provision of credit (as defined in the Westpac Intranet Consumer Credit Policy Manual).

Mark to Market To make an accounting adjustment to reflect unrealised gains and/or losses on book values of a particular investment.

Market risk The risk to earnings from changes in market factors, such as foreign exchange rates, interest rates, commodity prices and equity prices.

Non-lending loss Any loss that has not arisen as a consequence of an impaired credit decision.

Operational Risk Management Framework (ORMF)

The organisational structures, processes and systems used in identifying, assessing, measuring, monitoring, controlling and mitigating operational risk.

Potential Financial Impact

Potential financial impact is the total gross financial impact for the incident at time of identification. It is the total financial impact that the incident could have considering the control environment in which it occurred before any action has been taken to rectify.


Primary caused BU The Business Unit owner of the control or process weakness which gave rise to an incident.

Primary impacted BU The Business Unit that bears the majority of the impact of an incident. Where an incident affects a product or customer, the impacted BU is defined as the BU that earns the revenue from that product or customer and has an associated real Economic Profit target. The list of such BUs is maintained by the Division Finance teams.

Related Operational Risk events

Where an operational risk event occurs and directly causes one or more subsequent events to occur. These related events would not have occurred had the original operational risk event not occurred first. These related operational risk loss events must be grouped and recorded as one incident.

Risk Systems & Data team

Facilitates GL and Source System reconciliations.

Sensitive incident An incident that contains "sensitive information", where it may relate to WH&S, "Legal Privilege", or fraud. "Sensitive incidents" and their information have restricted user access in ACCORD.

Significant Non-compliance

Non-compliance that is material with regard to:

- The number or frequency of similar previous non-compliance
- Westpac's ability to provide the financial product or service covered by the obligation
- The actual or potential financial loss to our clients, or Westpac, arising from the non-compliance
- Any other matters prescribed by legislation
- Extent to which the incident suggests compliance arrangements would be considered inadequate
- Time taken to identify the incident/breach
