ACN 123 123 124
CONFIDENTIAL
COMMONWEALTH BANK OF AUSTRALIA
Compliance Incident Management Group Policy
Group Compliance Risk Management
CBA.0001.0084.2565
Commonwealth Bank of Australia Compliance Incident Management Group Policy
DOCUMENT CONTROL TABLE
Version | Date | Amendment description / review details
1.0 | June 2013 | New policy created to establish principles for the management of compliance incidents. The Incident Management Group Standard ceased on 1 July 2013 and has been replaced by a "How to guide"; this guide includes procedural information on dealing with both operational and compliance incidents.
2 | August 2014 | Annual review; inclusion of additional key terms (notifiable significant matter); mandating use of a fact find or equivalent process; making it more explicit to not delay reporting to a regulator.
APPROVAL
Version | Date | Approving body or person
1 | 17 October 2013 | Chief Operational Risk Officer
2 | 23 October 2014 | Chief Operational Risk Officer
Table of Contents
1. CONTEXT 1
2. PURPOSE 1
3. SCOPE 1
4. KEY TERMS 1
5. POLICY PRINCIPLES 2
6. ROLES AND RESPONSIBILITIES 6
7. RELATED POLICIES AND REFERENCES 7
8. REGULATORY REQUIREMENTS - AUSTRALIA 8
9. CONTACT 8
10. APPENDIX A – CBA GROUP AND BUSINESS UNIT IMPACT MATRIX 9
11. APPENDIX B – FACT FIND TEMPLATE 12
1. CONTEXT
1.1 The Group is committed to complying with the law and regulations in all businesses and activities. Accordingly, Compliance Obligations are embedded in the design and operation of the Group’s systems and processes.
1.2 Failure to deal effectively with Compliance Incidents creates compliance and legal risks for the Group which may have an adverse impact upon all stakeholders, including but not limited to customers, policy holders, investors, employees and regulators, as well as upon the Group’s brand and reputation.
1.3 There are a number of specific regulatory requirements and timeframes for reporting Compliance Incidents to regulators. It is important that the Group is aware of, and complies with, these obligations.
1.4 The Group has in place an integrated Operational Risk Incident and Compliance Incident management process, the intention being to collect incident data which is timely, accurate, simple, consistent, complete and valid.
1.5 This Policy is a key component of the Compliance Risk Management Framework.
2. PURPOSE
2.1 The purpose of this Policy is to:
• establish principles in relation to identifying, assessing and managing Compliance Incidents; and
• outline the requirements with respect to Roles and Responsibilities for managing and reporting Compliance Incidents.
3. SCOPE
3.1 This Policy applies to Commonwealth Bank of Australia and its controlled entities (the Group).
3.2 For those parts of the Group that are impacted by foreign or local laws, regulatory requirements or contractual obligations that conflict with this policy, an exemption from the policy, or from specific obligations within the policy, should be sought by completing the policy exemption form.
4. KEY TERMS
4.1 Compliance Obligations
Formal requirements that must be complied with by the legal entity and/or Business Units (BUs). Compliance Obligations may arise from various sources such as laws, regulations, legislation, industry standards, rules, codes or guidelines.
4.2 Compliance Incident
An actual, suspected, potential, likely or imminent contravention or breach of a Compliance Obligation of any applicable:
• law;
• regulation;
• industry standard;
• industry codes which have been subscribed to; or
• an external business rule or guideline (such as ASX Market Rules, APRA guidance notes).
A likely or imminent Compliance Incident means a matter which may not currently be a breach of law, but where a breach of law will occur at a future date because the Group is unable to rectify the matter before its occurrence.
A Compliance Incident may also result from a material contravention of an internal policy/procedure.
4.3 Early Warning Notification
This term is used for notifications provided to a regulator where it is unclear if a breach of law has occurred or is significant, but it is considered that after further investigation it may be a Reportable Breach. These notifications are also known as potential breach notifications.
4.4 Governing bodies
Refers to the people who have accountability and responsibility for the governance of a legal entity, business unit or division. This may include Boards (including Trustee Boards and Boards of Responsible Entities), Board Committees, Responsible Managers or Responsible Persons, and Senior Management.
4.5 Notifiable Significant Matter
A Compliance Incident that has not been determined to be a breach of law or a Reportable Breach, but where other aspects of the Compliance Incident (e.g. significant remediation or reputational risk) mean that the matter has been determined as being required to be disclosed to a regulator.
4.6 Operational Risk Incident
Occurs when the actual outcome of a business process differs from the expected outcome due to inadequate or failed processes, people, systems or external events.
4.7 Reportable Breach
A Compliance Incident which has been assessed and determined as being reportable to a regulator.
4.8 RiskInSite
The Group's integrated system which delivers a common platform for managing operational risk and compliance risk across the Group.
5. POLICY PRINCIPLES
5.1 BUs must develop and maintain up to date and approved procedures that are clear, well understood and document the process for:
• Identifying Compliance Incidents;
• Assessing all Compliance Incidents, including specifying the governance process for determining if they are Reportable Breaches or Notifiable Significant Matters;
• Recording and reporting Compliance Incidents;
• Advising and escalating Compliance Incidents to the relevant authorised position/person or governing body who has responsibility for making decisions in regard to Compliance Incidents;
• Advising the relevant people of the outcome of the assessment determining whether any Compliance Incidents are Reportable Breaches or Notifiable Significant Matters; and
• Rectifying and resolving Compliance Incidents.
5.2 Procedures must be aligned to this Policy, meet relevant regulatory requirements (including reporting timeframes), and meet relevant governing body requirements.
Identification
5.3 Compliance Incidents can be identified from numerous sources, including but not limited to: whilst undertaking usual business activities; investigation of a customer enquiry or complaint; during compliance monitoring activities; results of internal and external audits; or, in some cases, during regulatory enquiry.
5.4 Adequate training and resources must be provided to all employees to ensure they are aware of:
• the Compliance Obligations applicable to them for the business process they are accountable for;
• the circumstances that may give rise to a Compliance Incident and/or a Reportable Breach; and
• what is expected of them to report, assess without delay, deal with, manage and rectify Compliance Incidents.
Assessment
5.5 All Compliance Incidents must be assigned an incident owner, to ensure the compliance elements are considered.
5.6 An assessment of each Compliance Incident must be undertaken without delay.
5.7 The assessment should be done by BU representatives in conjunction with the relevant BU Compliance and/or Risk team and, where required, Legal Services.
5.8 The assessment must include an impact assessment as required by paragraph 5.30 below and also an assessment of whether the Compliance Incident could require reporting to a regulator.
5.9 When a Compliance Incident is assessed as minor or above using the Impact Matrix of the Group’s 5x5 Risk Matrix (Appendix A), or if the Compliance Incident is assessed as negligible but could be an indicator or evidence of a systemic or more significant matter, then a Fact Find or equivalent document must be prepared as part of the assessment.
5.10 A Fact Find template is provided at Appendix B. This template includes the minimum information required, which must be completed and kept as a record that the Fact Find process has been completed.
5.11 Except for matters that are clearly a breach of law, Legal Services should be consulted and must be provided with a Fact Find or equivalent document, to assist in determining whether a matter is a breach of law.
5.12 If some of the required information cannot be completed in the Fact Find process, the form should still be sent to Legal Services to commence the consultation process, and Legal Services should be advised of the expected time frame for providing the final information.
5.13 Where Legal Services is consulted and is provided with sufficient information, Legal Services:
• will make a determination on the matter;
• should conduct a peer review process of the determination made; and
• must respond and articulate whether the Compliance Incident is a breach of law and the reasons for the determination.
Legal Services may also provide a recommendation on whether the matter is reportable.
5.14 Once legal advice has been received, or it has otherwise been determined that a Compliance Incident is a breach of law then an assessment needs to be made as to whether the matter is reportable to the relevant regulator.
5.15 Where the assessment needs to determine significance as required by a regulatory requirement then consideration must be given to the criteria articulated by the relevant regulator.
5.16 Where Legal Services or BU Compliance/Risk is unable to determine whether there has been a breach of law, or determines that there is no breach of law, consideration should also be given to whether an Early Warning Notification or a Notifiable Significant Matter notification should be made.
5.17 The factors that should be taken into consideration in determining whether a Compliance Incident is a Notifiable Significant Matter are whether: a related breach/matter has previously been reported to ASIC; the matter has been reported to another regulator; there is significant remediation/rectification required.
5.18 If it becomes clear, after further investigation or consideration, that an Early Warning Notification or Notifiable Significant Matter amounts to a Reportable Breach, then the matter must be reported to the regulator as a breach notification.
5.19 Protracted discussions about whether a matter is reportable must be avoided. Where there is a difference of opinion in regard to whether a Compliance Incident is reportable to a regulator the Group Compliance team must be engaged. In all circumstances the Group should err on the side of reporting to a regulator.
Reporting to the Regulator
5.20 Timeframes for reporting Compliance Incidents to a regulator are critical and can vary according to the product, entity or the relevant regulatory or jurisdictional requirements.
5.21 Reporting must be made within the timeframes prescribed in applicable legislation, regulations or industry codes, or as required by a regulator. Any communication with regulators must be in accordance with the Group Contact with Regulators Policy.
5.22 The reporting of a matter to a regulator must not be subject to extended processes, and if unsure it is best to report the matter. Reporting must not be protracted or delayed even if:
• not all of the information relating to the incident is available;
• the matter has already been rectified or steps have commenced to rectify it;
• formal legal advice has not yet been provided; or
• internal reporting or escalation to governing bodies has not yet been completed.
5.23 Where a matter has been assessed as being reportable, the BU must engage the relevant Compliance/Risk Team, Legal Services and the relevant Head of Business to prepare, review and approve the notification sent to the regulator.
External Auditor obligations
5.24 The Group’s external auditor has an obligation to report certain matters to a regulator if it has reasonable grounds to suspect that a reportable contravention has occurred. The considerations made by the external auditor can differ from the assessment considerations made under this Policy.
5.25 To assist the external auditor in meeting its legal obligations, relevant BUs must provide copies of Compliance Incident registers upon request, to allow the external auditor to identify matters that may trigger reporting requirements.
5.26 For any ASIC matters that are referred to Legal Services for determination as a Reportable Breach or a Notifiable Significant Matter, consideration must also be given to notifying the external auditor at the same time.
5.27 The external auditor will undertake a separate assessment from that being undertaken by Legal Services and will provide a report to the relevant BU on the outcome of the assessment.
5.28 In cases where the external auditor indicates that it will report a matter to the regulator, BUs must also consider separately reporting to the relevant regulator if they have not done so already.
5.29 Group Compliance may assist in the provision of registers to the external auditor.
Impact rating
5.30 An impact assessment of each Compliance Incident must be completed and a rating assigned. Where all of the information is not available, an initial rating is to be assigned. The rating must be reassessed as additional information becomes available.
5.31 The impact assessment must take into consideration, amongst other factors, the associated legal/regulatory impacts and customer implications. Aggregated information that highlights any systemic issues also needs to be considered.
5.32 As a guide, the relevant factors set out in the Impact Matrix of the Group’s 5 x 5 Risk Matrix and/or the BU financial impact matrix are to be used.
5.33 Records must be retained to support the ratings assigned.
Recording, Internal Reporting and Escalation
5.34 All Compliance Incidents need to be accurately recorded into and maintained in RiskInSite (RIS). It is expected that all Compliance Incidents will be recorded into RIS within a maximum of 5 business days of discovery. Further guidance to support consistent application and management in regard to RIS can be found in the ORMF How to Guide.
5.35 All regulatory correspondence and interactions relating to the reporting of Compliance Incidents must also be recorded into the Regulator Interaction module in RIS. This is an additional step to the process of recording a Compliance Incident.
5.36 Accurate and up to date records must be maintained to support the decisions made in determining if a Compliance Incident is or is not a Reportable Breach or a Notifiable Significant Matter. These records must be made available for audit purposes. In circumstances where records contain any legal advice, prior approval must be obtained from Legal Services.
5.37 As a minimum, the risk escalation protocols outlined in the approved Group’s 5 x 5 Risk Matrix should be followed for escalating Compliance Incidents. For Reportable Breaches or Notifiable Significant Matters, the matter must be notified to the most relevant Group Executive or delegate.
5.38 Reporting and escalation of Compliance Incidents must also be in accordance with BU procedures and the reporting requirements of the relevant Governing Body.
5.39 Reports on Compliance Incidents must contain an appropriate level of detail having regard to the significance/materiality of the matter. Information should be accurate and factual as to the circumstances surrounding the compliance incident and current status as to any reporting to a regulator. Care should be taken to ensure legal professional privilege is maintained.
Rectifying and Resolving
5.40 Compliance Incidents may in certain circumstances be classified as an Operational Risk Incident, or vice versa. The process flow to rectify generally remains the same; the key difference is that an assessment must be undertaken without delay to determine if the incident is a Reportable Breach or a Notifiable Significant Matter and needs to be reported to a regulator.
5.41 Compliance Incidents must be reviewed to establish what, if any, remedial action needs to take place or improved controls need to be implemented, and to establish suitable remedial action and the timeframes in which that action will be completed.
5.42 Where the Compliance Incident is reported to a regulator, updates are to be provided to the regulator(s) on the remedial action taking place and when the incident has been resolved. This contact must be in accordance with the Contact with Regulators Policy.
5.43 Following the completion of the final action, records must be retained to ensure supporting documentation is collated as part of the Compliance Incident sign off process.
6. ROLES AND RESPONSIBILITIES

Role: Chief Operational Risk Officer
Responsibilities:
• Own and approve this Policy.

Role: Relevant Group Executive (or delegate)
Responsibilities:
• Overall accountability for the timely reporting of relevant Reportable Breaches or Notifiable Significant Matters impacting the BUs they have responsibility for.

Role: Business Units
Responsibilities:
• Develop and maintain Compliance Incident procedures that are aligned to this policy, relevant regulatory requirements, industry standards or codes and governing bodies, and ensure appropriate Roles & Responsibilities are assigned.
• Ensure adequate training, coaching and resources are provided so that employees are aware of how to identify, deal with and manage Compliance Incidents.
• Follow the agreed BU procedure in relation to assessing the impact of a Compliance Incident to determine if a Reportable Breach or a Notifiable Significant Matter has occurred, and report to a regulator without delay and without waiting for all of the information to be available and/or BU processes to have been completed.
• Allocate an incident owner.
• Manage: Compliance Incidents until resolution and closure, ensuring all impacts, including regulatory impacts and direct or indirect costs associated with the Compliance Incident, are captured.
• Analyse: Determine the underlying cause of the incident and/or control weakness and ensure they are raised and rectified as required.
• Escalate/Report: Compliance Incidents in accordance with relevant Governing Body reporting requirements, including where required to the relevant Group Executive.

Role: Business Unit Risk and/or Compliance team
Responsibilities:
• Support BUs in implementing the requirements of this policy, including the assessment for determining Reportable Breaches or Notifiable Significant Matters.
• Respond to BU queries on the application of this policy.
• Review and monitor the BUs' compliance with this policy and any specific BU policies that support its implementation.
• Provide guidance to the business in managing Compliance Incidents and monitor Compliance Incidents until resolution and closure.
• Escalation/Reporting: In terms of BU, Group and any other Subsidiary Committee and any relevant Governing Body reporting requirements, including where required to the relevant Group Executive.

Role: Legal Services
Responsibilities:
• When engaged by a BU, provide advice on Compliance Incidents as to whether they are Reportable Breaches or Notifiable Significant Matters.
• Where a determination is made of a Compliance Incident or Notifiable Significant Matter, conduct a peer review process.
• Respond and articulate whether a Compliance Incident is a breach of law and, if so, provide a recommendation on whether it is a Reportable Breach.

Role: Group Compliance
Responsibilities:
• Review this policy regularly to ensure its ongoing relevance.
• Respond to Group queries on the application of this policy and to escalations of disputed assessments.
• Seek assurance regarding ongoing compliance with this policy.

Role: Internal & External Audit
Responsibilities:
• Provide independent assurance to key stakeholders (including the Audit Committee, senior management, and regulators) regarding the adequacy and effectiveness of the Group’s system of internal controls, risk management procedures and governance processes.
7. RELATED POLICIES AND REFERENCES
• CBA Group Risk Appetite Statement
• Operational Risk Management Framework
• Compliance Risk Management Framework
• ORMF How to Guides
• Group Contact with Regulators Policy
• Customer Complaint Handling Policy & Standard
• Group Internal Privacy Policy
8. REGULATORY REQUIREMENTS - AUSTRALIA
• Corporations Act 2001, s912D
• APRA:
  - Banking Act 1959, ss 13(3) and 62
  - Insurance Act 1973, s 38AA
  - Life Insurance Act 1995, s 132A
  - Superannuation Industry Supervision Act 1993, s 29JA and s 106(1)
• ASIC Regulatory Guide 78 Breach reporting by AFS licensees
• ASIC Regulatory Guide 214 Guidance on ASIC market integrity rules for ASX and ASX 24 market
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006

9. CONTACT
Group Compliance Risk Management
[email protected]
Policy owner: Chief Operational Risk Officer
10. APPENDIX A – CBA GROUP AND BUSINESS UNIT IMPACT MATRIX

Impact categories (columns) and what each assessment is based on:
A1 FINANCIAL (BUSINESS): As per Group or Business Unit defined values
A2 FINANCIAL (TRUSTEE) *: Impact on Unit Price
A3 FINANCIAL (FUM/FUA) *: Impact on Funds under Management or Administration
B CUSTOMER SERVICE & OPERATIONS: Loss of existing customers/market share; Cost of remediation/recovery
C REPUTATION/BRAND: Fall in Group’s share price; Loss of new business / market share (includes impacts on all brands e.g. Colonial, ASB, Bankwest); Damage to reputation by actions of both individual staff and the Group as a whole; Lack of confidence in financial sector generally
D LEGAL/REGULATORY COMPLIANCE: Regulatory action; Customer/third party legal actions
E PEOPLE: Workplace health & safety; Workplace relations; Staff morale/loyalty
F CUSTOMERS: Actual or potential impact on customers
MANAGEMENT EFFORT GUIDANCE **: Drain on Executive resources; Opportunity cost

Rating 5 – Severe
A1: As per Group or Business Unit defined values
A2: >100bp
A3: >20%
B: Significant loss of market share and customer numbers because of extensive interruption to service capability; Group Wide data availability or integrity issues or information security is compromised; Widespread and prolonged inability to service all or the majority of our customer base irrespective of geographic location, channel or product.
C: Significant fall (> 20%) in Group’s share price resulting from financial performance with recovery over several months; Major failure of the payments system and/or Group’s systems impacting personal and business customers; Prolonged media and/or political attention as a result of inappropriate pricing or product decision or operational incident
D: Actual or potential loss of license, loss of ASX listing and/or penalties on directors; Severe impact on regulator relationships; Imposition of significant regulatory restrictions e.g. enforceable undertakings, conditions or directions
E: Death or incapacitation to employees whilst on Group business, or customers on Group property; Widespread loss of morale among management and staff resulting in high staff turnover; Industrial dispute/action – Group Wide impact
F: Serious financial or reputational impact to all or most customers; Potential to lead to significant damage to the business
Management effort: Sustained ExCo/Senior Management effort

Rating 4 – Major
A1: As per Group or Business Unit defined values
A2: >50bp-100bp
A3: >10-20%
B: Some loss of market share and customer numbers because of major interruption to service capability; Extensive management involvement and significant costs to restore critical processes; Significant data availability or integrity issues or compromise of information security; Widespread inability to service a significant proportion of customers irrespective of geographic location, channel or product.
C: Medium fall (10 – 20%) in Group’s share price or a loss of market share or damage to Group brands resulting from detrimental national publicity or extensive negative local publicity; Short term media and/or political attention as a result of inappropriate pricing or product decision or operational incident; Medium but widespread disruption of the payments system and/or Group’s systems lasting several days
D: Major fines and sanctions; Multiple legal actions; Focussed regulatory surveillance / significant increased regulatory oversight; Major systemic, recurring or significant breaches; Major impact on regulator relationships
E: Severe injury to employees whilst on Group business, or customers on Group property; Serious but localised loss of morale among management and staff resulting in high staff turnover; Industrial dispute/action – State or BU based impact
F: Serious financial or reputational impact to a significant number of customers; Moderate financial or reputational impact to all customers
Management effort: A significant event requiring major Group Executive/Senior Management effort to absorb the impact

Rating 3 – Moderate
A1: As per Group or Business Unit defined values
A2: >25bp-50bp
A3: >5-10%
B: Minimal loss of market share and customer numbers because of minor interruption to service capability; Some costs to restore critical processes; Localised data availability or integrity issues, or compromise of information security; Inability to satisfactorily service a material proportion of customers irrespective of geographic location, channel or product.
C: Short term fall (<10%) in Group’s share price as a result of product/pricing decisions; Reduced market share or temporary damage to Group brands resulting from limited negative national publicity or detrimental local publicity; Minor but widespread disruption of the payments system and/or Group’s systems lasting several days
D: Fines; Multiple agreements with customers at risk; Systemic complaints or compliance incidents; Significant breaches; Potential impact on regulator relationships; Increased general regulatory oversight
E: Injuries to employees whilst on Group business, or customers on Group property; Some loss of morale among management and staff; Industrial dispute/action – localised department level
F: Moderate financial or reputational impact to a limited number of customers; Minor financial or reputational impact to a significant number of customers
Management effort: Moderate EGM/Senior Management effort is required to absorb the event impact

Rating 2 – Minor
A1: As per Group or Business Unit defined values
A2: 3bp-25bp
A3: 1-5%
B: Service Standards not achieved, but no impact on market share or customer numbers; Minimal time, effort and cost required to correct critical processes; Minimal disruption to satisfactorily servicing some customers irrespective of geographic location, channel or product.
C: No fall in Group’s share price due to pricing decision/products; Small, short term loss in market share resulting from limited negative local publicity; Limited disruption of the payments system and/or Group’s systems impacting some geographical areas
D: Multiple customer complaints or compliance incidents which are not systemic or significant; Individual legal actions; Low range fines
E: Injury to an employee whilst on Group business, or a customer on Group property; Short term and localised loss of morale among management and staff; Industrial dispute/action – localised at team level impact
F: Minor financial or reputational impact to a limited number of customers
Management effort: Impact can be absorbed through normal activity with minor effort required from senior management

Rating 1 – Negligible
A1: As per Group or Business Unit defined values
A2: <3bp
A3: <1%
B: No measurable operational impact on business; Limited operational impact on business; Ability to service individual customers impacted but no systemic issues
C: Limited adverse publicity (1 – 2 days) as a result of isolated customer complaint impacting little or no customers nationally; Intra-day disruption of the payments system and/or Group’s systems; No measurable loss of market share resulting from limited negative local publicity
D: One off complaints or compliance incidents
E: No impact on staff morale
F: Insignificant financial or reputational impact to a limited number of customers
Management effort: Impact can be absorbed through normal activity with no senior management effort required

* Columns A2 & A3 relate to funds management, investment management, superannuation and life insurance businesses and can be deleted by Business Units that do not market these products.
** To be used as additional guidance in determining the level and amount of management effort to resolve any event impacts. To be used in conjunction with other impact categories.
11. APPENDIX B – FACT FIND TEMPLATE
THIS FORM IS TO BE COMPLETED FOR THE PURPOSES OF ASSESSING COMPLIANCE INCIDENTS AND FOR OBTAINING LEGAL ADVICE IN RELATION TO COMPLIANCE INCIDENTS [1]
[1] A Compliance Incident is an actual, potential, suspected, likely or imminent contravention or breach of an obligation of any applicable: law; regulation; industry standard; industry codes which have been subscribed to; or an external business rule or guideline (such as ASX Market Rules, APRA guidance notes). A Compliance Incident may also result from a material contravention of an internal policy/procedure.
A copy of the completed form must be retained for record keeping purposes.
Guide to Use
Legal Services has requested that this form be completed and sent to Legal Services with any request for legal advice as to whether the Compliance Incident ("Incident") is a breach in terms of the Compliance Obligations for the entity.
Completing the form with all available details will assist in providing a timely and accurate response. If some of the required information cannot be completed, the form should still be sent and should state when you expect to provide the outstanding information. Once the missing information has been received, please send an updated version of the form to Legal Services.
Please be as clear as possible. In particular, avoid business jargon or explain any business jargon that has been used.
Some of the questions may seem to be repetitive. However, this is intended to assist consideration of all aspects of the Compliance Incident.
When statistical information is included you should indicate whether these numbers have been confirmed (e.g. by impact assessment), and if so provide their source, or whether they are estimates.
Question | Answer
1. Briefly state the facts regarding the matter. Do not include any statements of opinion. Keep your description of what has happened purely factual.
2. Indicate, if known, who is the licensee/product issuer or authorised representative involved in the matter. (Name all parties involved.)
3. Please name all products affected and include their product type.
4. If aware, please indicate what Compliance Obligation was involved in the matter.
5. If aware, please indicate if there is a mandatory obligation to report to a regulator.
6. What happened/should have happened or failed to happen?
7. When did the matter occur and for how long has this been happening?
8. How was the matter identified? For example, was it identified as a customer enquiry or complaint or identified as part of a compliance or operational risk process, such as CAP testing, monitoring/review or audit process? Or other?
9. How long was the matter undetected?
10. Has the matter ceased?
11. If ceased, has the matter been corrected and if so how?
12. If not corrected, what steps are planned to ensure that the matter will cease/be corrected?
13. Are you aware if this matter or a similar matter has occurred before? (If so how often, please provide details.)
14. If aware has legal advice previously been provided? If so please provide a reference or a copy of that advice if available, ensuring it is appropriate to do so in respect of legal professional privilege (refer section 5.36 & 5.39 of the Policy).
15. How many customers have been or are likely to be affected by the matter?
16. Does the matter involve unauthorised conduct? For example, was the wrong advice provided or did the matter involve fraud or unethical behaviour?
17. Has a customer suffered a financial loss or loss of any financial or other benefit or potential benefit as a result of the matter?
18. Are other customers affected, or likely to be affected, and how much have they lost individually and collectively?
19. Has the matter impacted, or is it likely to impact upon, the licensee's ability to continue to provide the financial services for which it is licensed?
20. Has the licensee suffered, or is it likely to suffer, a loss as a result of the matter?
21. Does the matter indicate that compliance arrangements to ensure compliance with the obligations (that have been breached or contravened) are inadequate?
22. Have any steps already been taken or are about to be taken in respect of the matter to ensure compliance?
23. Are there any other factors which Legal Services should be made aware of in relation to this matter?
24. Have you attached/enclosed documents relevant to the matter (e.g. a copy of any letters, PDS, SOA, FSG, trust deeds, policies etc.)? If not, please state when they will be available.
Summary of Compliance Incident
[Please briefly summarise what you consider are the key points around this Compliance Incident]
Date completed/updated