FILE NO 1-9945

 

SECURITIES AND EXCHANGE COMMISSION

 

WASHINGTON  DC  20549

 


 

FORM 6-K

 

REPORT OF FOREIGN ISSUER

 

Pursuant to Rule 13a-16 or 15d-16 of

the Securities Exchange Act of 1934

 

For the month of March 2004

 

National Australia Bank Limited

ACN 004 044 937

(Registrant’s Name)

 

Level 24

500 Bourke Street

MELBOURNE VICTORIA 3000

AUSTRALIA

 

Indicate by check mark whether the registrant files or will file annual reports under cover of Form 20-F or Form 40-F.

 

Form 20-F  [X]     Form 40-F  [ ]

 

Indicate by check mark whether the registrant by furnishing the information contained in this Form is also thereby furnishing the information to the Commission pursuant to Rule 12g3-2(b) under the Securities Exchange Act of 1934.

 

Yes  [ ]     No  [X]

 

If “Yes” is marked, indicate below the file number assigned to the registrant in connection with Rule 12g3-2(b): 82 -

 

This Report on Form 6-K shall be deemed to be incorporated by reference in the prospectus included in the Registration Statement on Form F-3 (No. 333-6632) of National Australia Bank Limited and to be part thereof from the date on which this Report is filed, to the extent not superseded by documents or reports subsequently filed or furnished.

 

 



 

SIGNATURE PAGE

 

 

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorised.

 

 

 

 

NATIONAL AUSTRALIA BANK LIMITED

 

 

 

 

Susan E Crook

 

Title:  Associate Company Secretary

Date:   13 April 2004

 



 

 

ASX Announcement

Group Corporate Affairs
National Australia Bank Limited
ABN 12004044937
500 Bourke Street
Melbourne Victoria 3000
Australia

Melbourne, 24 March 2004

 

APRA report into irregular currency options trading at the National

 

The National today released a report by the Australian Prudential Regulation Authority (APRA) into irregular currency options trading at the bank.

 

The National’s Chairman, Mr Graham Kraehe, and Chief Executive, Mr John Stewart, also outlined the bank’s response to the APRA report and its proposed remedial actions.

 

Mr Kraehe said the Board, following consultation with APRA, had decided to release the entire APRA report and their proposed remedial actions to ensure full disclosure.

 

“As a matter of policy we do not release correspondence between the National and regulatory authorities,” he said.  “However, because of the exceptional circumstances surrounding this issue, we have decided to release the APRA report.”

 

Mr Kraehe said the APRA report is consistent with the conclusions in the PricewaterhouseCoopers report released earlier this month.

 

“The two reports, and the remedial actions proposed by APRA, provide the Board with a clear roadmap to improve key policies and systems within the National,” he said. “We fully accept APRA comments about the need for the Board to take a leadership role in transforming the culture and governance processes at the National.”

 

The Chief Executive of the National, Mr John Stewart, said the bank would act as quickly as possible to implement all of the remedial actions proposed by APRA including capital adequacy initiatives to take the National’s total capital to 10 per cent.  This will also result in termination of the current share buy-back.

 

“We have already started to implement a series of actions to enhance our policies and systems,” he said. “We will continue to work co-operatively with APRA, and other regulatory authorities, to implement all remedial actions within agreed timelines.”

 

“The first step will be to incorporate the remedial actions proposed by APRA into the four point action plan we announced earlier this month. We will then report regularly to the Board and APRA on implementation of the remedial actions.”

 

For further information:

 

Brandon Phillips

Corporate Relations Manager

03 8641 3857 work

0419 369 058 mobile

 

Or visit www.nabgroup.com

 



 

 

 

REPORT INTO IRREGULAR

 

CURRENCY OPTIONS TRADING

 

AT THE

 

NATIONAL AUSTRALIA BANK

 

 

23 MARCH 2004

 



 

EXECUTIVE SUMMARY

 

 

 

1.  OBJECTIVES & SCOPE

2.  ANALYSIS OF EVENTS LEADING TO LOSSES

3.  CORPORATE & INSTITUTIONAL BANKING (CIB)

4.  RISK MANAGEMENT

5.  GOVERNANCE

6.  CULTURE

7.  REGULATORY RESPONSE

 

 

 

 

ANNEXURE 1:  GLOSSARY

 

ANNEXURE 2:  SUMMARY ORGANISATION CHARTS

 

ANNEXURE 3:  PERSONS INTERVIEWED

 

 




 

EXECUTIVE SUMMARY

 

The losses ultimately incurred by the National Australia Bank (NAB) on currency options were caused by four currency options traders, possessed of an abundance of self confidence, who positioned the NAB’s foreign currency options portfolio in the expectation that the falls in the US dollar that occurred mid last year would reverse and volatility would stabilise.  Rather than closing their positions as the market moved against them, the traders chose to conceal their true positions - allowing those positions to deteriorate unchecked over a period of three months before they were finally discovered.  By that time, the positions held were totally out of control.

 

That this was possible was, first and foremost, due to the collusive behaviour of the traders themselves.  However, it can also be attributed to an operating environment characterised by lax and unquestioning oversight by line management; poor adherence to risk management systems and controls; and weaknesses in internal governance procedures.

 

Our report identifies a number of weaknesses and areas for improvement in NAB’s market risk control framework.  While many of the areas identified for improvement bear directly upon the losses that emerged, the control failures in this case have more to do with poor implementation than poor design.  On paper, NAB’s existing control framework - despite its weaknesses - should have been able to identify and contain the risk positions of the traders.  Had the risk control framework been implemented effectively, the losses would certainly have been substantially less or, quite possibly, averted altogether.

 

There were many missed opportunities to detect and close down the irregular currency options trades.  In particular, a number of key control weaknesses were identified in APRA on-site risk reviews.  Other missed signals included:  critical internal audit reports; prolonged limit excesses; unreconciled reporting issues; and expressions of concern by counterparties at large and unusual trades being undertaken by NAB’s currency options desk.  While none of these - on their own - suggested the true nature of the emerging risk on the currency options desk, in combination they should have set alarm bells ringing and led to probing examinations.

 

There are many layers to NAB’s internal control framework:  line management; back office; middle office; risk committees; internal audit; and the Principal Board and its sub-committees.  While the collusive behaviour of the traders involved succeeded in suppressing many of the bank’s early warning signals, NAB’s internal control systems failed at every level to detect and shut-down the irregular currency options trading activity.  NAB’s internal governance model, which should have enabled timely identification and effective and quick escalation of serious risk issues on the currency options desk, simply did not function.  That this could occur is symptomatic of an organisational culture that did not have sufficient regard to the risks attendant with these products.

 




 

In particular:

 

                  Line Management turned a blind eye to known risk management concerns.  Despite some worrying signals of irregular trading practices on the currency options desk, these were ignored.  “Profit is king” was an expression frequently heard in our interviews with Corporate and Institutional Banking (CIB) staff.  As long as the business unit turned a profit, other shortcomings could be overlooked.

 

                  Operations (the back office) verification procedures contained significant gaps, raising questions about the adequacy of its resourcing and skills, and whether its mandate had been weakened by pressure to reduce costs and its growing subservience to the front office.

 

                  Market Risk (the middle office), while noting a number of irregularities, failed to engage the trading desk effectively to resolve them and failed to attract the attention of higher management or otherwise escalate its concerns.

 

                  Executive Risk Committees were particularly ineffective, missing or dismissing risk information pertinent to the problems that emerged and failing to escalate warnings.  If the members of the CIB Risk Management Committee had acted on the warning signs before them - for example, by commissioning a targeted review of known control weaknesses by Internal Audit - the irregular trading would surely have been discovered.

 

                  The Principal Board (the Board) was not sufficiently proactive on risk issues.  Despite often asserting that risk issues were of such importance that they should be dealt with by the full board, the Board paid insufficient attention to risk issues and, until the establishment of a separate risk committee, appeared content to leave the elevation of risk issues to its Audit Committee.

 

Cultural issues are at the heart of these failings.  In recent years, NAB has repositioned the role of the Global Risk Management function to be more of a business partner with frontline areas rather than a separate risk controller.  There has been a conscious effort to embed a more commercial culture in risk management areas within NAB.  Considerable emphasis has been placed on the role of risk managers in assisting business units to develop new business.  Terms such as “business partnership” and “embedded risk management” are used frequently.

 

But, as in any successful partnership, each partner must recognise and accept the contribution that the other brings to the partnership.  Business units - under pressure to meet performance hurdles - will always take a more ‘rose-coloured’ view of risk than their more dispassionate colleagues in risk management.  The culture that predominated in CIB at NAB was one in which risk management controls were seen as trip-wires to be negotiated rather than presenting any genuine constraint on risk-taking behaviour.

 




 

It is self-evident that all business units within a bank have a long-term vested interest in prudent risk management.  However, in order to properly give effect to that principle, banks need to have in place appropriate checks and balances, and implement them rigorously.  Business units need to be supported by independent risk management professionals.  And where differences of views emerge on risk, it is important that risk managers have the final say.  In banking, the aphorism “risk managers are right, even when they are wrong” is a sound one.

 

Remedial Actions

 

Our report identifies a number of areas that need remedying.  These are detailed in the body of the report.  They fall broadly into two categories and the main points are:

 

1.              Fixing cultural, governance and risk management issues across NAB

 

                  Culture - The Board is required to review cultural norms within NAB and clearly articulate the standards of behaviour, professionalism and openness it expects of the organisation;  the Board is required to develop policies that promote and support ‘whistle-blowing’;  the Board is required to review incentive arrangements to ensure that these promote behaviours that have appropriate regard to risk.

 

                  Governance - The Board, its Committees and Executive Risk Committees are required to clarify the appropriate escalation channels available to enable the Board and its committees to deliberate on serious risk issues.  The Board must establish more transparent risk reporting systems and place greater reliance on independent checks and balances on executive management to enable it to discharge its duties appropriately.

 

2.              Fixing risk management and operational controls for traded markets area

 

                  Limit Frameworks - The Board is required to review, and formally approve, all market risk limits in Global Markets;  limit policies should clearly specify mandatory (or ‘hard’) limits;  trigger levels (or ‘soft’ limits) should also be specified;  all limit excesses - whether ‘hard’ or ‘soft’ - must have a defined response.

 

                  Global Markets - the respective roles and responsibilities of Global Markets and Market Risk in respect of risk analysis and escalation of risk issues need to be clearly specified and distinct from each other.

 

                  Market Risk - reporting lines in, and responsibilities of, Market Risk and Prudential Control (MR&PC) are required to be streamlined in order to ensure that adequate attention is devoted to market risk issues; roles and responsibilities in MR&PC are required to be clarified and confer an unambiguous mandate; the process surrounding the approval of Product Usage Authorities is to be reviewed to ensure that all relevant risk management issues are covered.

 

                  Operations - in relation to Operations, NAB is required to review:  all confirmation and reconciliation procedures; operational procedures followed by Operations staff - especially as regards interaction with the front office; and reporting of transactional and other statistical information.

 

                  Finance - Finance is to be assigned responsibility for data integrity; analysis of the components of reported profit and loss data; and critical questioning of discrepancies.  Finance is also required to review and formally document the materiality thresholds applicable to each desk.

 

                  Quantitative Support - a number of reforms are required to formalise and enhance the role played by Quantitative Support in model validation and testing.

 

Regulatory Response

 

1.               NAB is to commence a program to implement all required actions (and recommended actions, as necessary) identified in this report according to timeframes agreed with APRA.  NAB will remain under close supervision by APRA until these actions are implemented.

 

2.               NAB’s internal target total capital adequacy ratio is to rise to 10 per cent until such time as APRA is satisfied that all material weaknesses identified in this report have been rectified.

 

3.               NAB’s approval to use an internal model to determine market risk capital is withdrawn; future market risk capital requirements are to be measured according to the standard method.

 

4.               NAB’s currency options desk is to remain closed to corporate business and proprietary trading until new limit structures have been approved; all key staff changes have been settled; and substantial progress has been made to redress the issues raised in this report.

 

End-Piece

 

The taking of risk is an inherent part of banking.  A bank’s viability is dependent upon having in place a strong network of risk management controls to manage and contain risks.  But no risk management system is bullet-proof; some losses are inevitable.  In this case, the bank’s customers were not affected by the losses.

 




 

The wisdom of hindsight provides a valuable platform from which to learn lessons for the future.  Our report focuses on analysing the trading activity that led to the losses; identifying gaps and weaknesses in NAB’s internal control framework; assessing whether risk management policies and procedures were being implemented correctly; and setting out what needs to be done to rectify the breakdowns.

 

Much needs to be implemented if NAB is to achieve the best practice in market risk management which a bank such as NAB should have.  This report is provided as a constructive basis from which to move forward.

 




 

1.              Objectives & Scope

 

APRA was informed of the irregular activity on the currency options desk on Tuesday 13 January, immediately prior to NAB’s release of its first announcement on the matter to the ASX.

 

APRA’s actions were to:

 

1.               identify appropriate requirements to control risk on the currency options desk in the immediate term; and

 

2.               commence a full investigation into the causes of the losses and the control breakdowns that led to the losses.

 

In the immediate term, APRA required that NAB only trade currency options where trades either resulted in a reduction of risk in the portfolio or to provide services to customers who would be without, or unable to establish quickly, other banking connections (and, in this event, NAB had to clear such exposures daily through the interbank market).  The controls on ongoing operations of the desk have continued to be monitored by APRA since being put into effect.  These controls were to be reviewed as part of the completion of the APRA investigation.

 

The objectives of APRA’s investigation into the trading losses were to:

 

(i)                                     investigate and report upon:

 

                  the facts surrounding the trading losses reported by NAB on 13 January 2004;

                  the cause of the losses;

                  the control and governance breakdowns that contributed to the losses;

                  any other relevant failings or deficiencies in NAB’s market risk management or trading operations;

 

(ii)                                  identify remedial actions required to be instituted by NAB; and

 

(iii)                               set out APRA’s regulatory response to the matters raised in (i) and (ii).

 

A timeframe for implementation of all actions proposed in this report will be specified after its delivery to NAB.

 




 

Scope

 

APRA’s investigation included the following phases of work:

 

                  initial briefings from NAB senior executives, the (previous) NAB Chairman and the internal investigation team first established to deal with the matter;

 

                  establishment of an on-site investigation team and scoping of the investigation work required;

 

                  on-site investigation;

 

                  documentation by the investigation team of its findings and preparation of a draft report;

 

                  peer review of the investigation process, report findings and recommended actions;  and

 

                  finalisation of the report and submission of recommendations to APRA’s Chairman and other Members.

 

The on-site investigation team carried out the following tasks:

 

                  interviews with relevant senior executives and operational staff in all functional areas associated with trading operations and market risk management (see Annexure 3);

 

                  review of relevant reports and documentation surrounding the currency options desk and risk management of that desk;

 

                  review of agendas, papers and minutes of relevant Boards and Committee meetings within the NAB governance structure;

 

                  liaison and co-ordination, where relevant and appropriate, with the PricewaterhouseCoopers (PwC) investigation commissioned by NAB; and

 

                  liaison with NAB’s internal investigation team, where relevant and appropriate.

 

The scope of the investigation covered:

 

                  front office operations relating to the following functional areas:

                  the trading operations of the currency options desk;

                  quantitative support operations;

                  systems support.

 

                  back office functions for the currency options desk;

 




 

                  related accounting and finance operations;

 

                  risk management functions for the currency options desk, performed within the Market Risk Management unit;

 

                  internal audit and external audit reviews;

 

                  corporate governance issues, including the operations of relevant boards and committees, internal reporting and escalation procedures;  and

 

                  the performance incentives and culture, and other human resources issues.

 

The investigation did not include in its scope the following areas:

 

                  analysis of the Horizon system operations;

 

                  valuation of the losses, other than to review the KPMG report for reasonableness;

 

                  the operations of any other desks in the trading room, other than related operations of the foreign exchange desk;

 

                  risk management of any other desks;  or

 

                  review of the operational risk framework or Business Risk Management (BRM) process.

 

The APRA investigation has relied upon information provided by the PwC investigation in the following areas:

 

                  forensic accounting work to corroborate our understanding of:

 

                  the fabricated and incorrectly valued transactions;  and

                  the system deficiencies that facilitated these transactions.

 

The services of PwC were also used to source:

 

                  internal NAB e-mails relevant to our enquiries;  and

 

                  extracts from dealing room tapes relevant to our enquiries.

 

Pending completion of our investigation and remedial action in connection with NAB’s trading room operations, APRA has continued to rely on data provided by NAB, such as VaR levels, in relation to our understanding of ongoing operations of the currency options desk.

 




 

This report is prepared for APRA in relation to its prudential supervision of NAB.  APRA may choose to release this report to equivalent prudential supervisors in other jurisdictions.  Any other release of information contained in this report by APRA is to be made in accordance with the relevant secrecy provisions of the Australian Prudential Regulation Authority Act 1998.

 




 

2.              Analysis of Events Leading to Losses

 

2.1.1.                            Background on NAB’s Currency Options desk

 

The currency options business is part of Global Foreign Exchange.  Currency options sales desks operate from all major trading rooms of the Bank:  Melbourne, Sydney, New York, Wellington, London, Singapore and Hong Kong.  Prior to the suspension of the four dealers, the Currency Options trading activity was managed globally out of Melbourne and London, with deals being booked centrally onto the Melbourne global book.  External transactions with intra-group entities, such as currency option deals between BNZ customers and BNZ, are backed out by BNZ transacting an equal and opposite deal with the global desk.  In these cases, the intra-group entity assumes the credit risk with the counterparty and maintains the banking relationship.  All back office operations are performed in Melbourne.

 

The Currency Options desk transacts a range of currency option products both on behalf of clients and on NAB’s own account.  Products range from the vanilla option products (European, American style) to the more exotic path dependent options (barrier, One-Touch and Digital).  The desk also has Product Usage Authority (PUA) to transact a range of other foreign currency products including Spot FX, Forward FX and Non-Deliverable Forwards.  The list of currency pairs transacted is broad but concentrated to just five currencies.

 

2.1.2.                            How the losses were incurred

                  Most of the losses occurred in the December quarter 2003, escalating rapidly in the month of December.  Some smaller losses created in earlier periods were disguised and carried forward into the current financial year.

 

                  In general, the trading losses were the result of the Currency Options desk not anticipating and protecting its positions against a sustained and significant rally in both the AUD and NZD.  Similarly, the desk did not foresee and manage its exposures against a rise in AUD and NZD volatility over the last quarter of 2003.

 

                  The underlying cause of the bulk of the losses can be traced to proprietary currency options positions taken in advance of the G-7 Meeting on 22 September, when the dealers took an aggressive view on both the direction and volatility of the USD.

 

                  A combination of bought and sold option and spot positions were taken to put this trading strategy into effect.  In particular, the desk sold ‘butterfly spreads’ (ie long at-the-money volatility;  short out-of-the-money volatility).

 




 

                  Contrary to the dealers’ expectations, the G-7 meeting on 22 September came out with a statement explicitly supporting flexible exchange rates.  This statement was followed by a significant and continuing weakening of the USD.

 

                  As the USD weakened, the desk lost money on their spot positions and became progressively shorter AUD (and NZD) due to the nature of the options positions they had taken.  Their positions were also exposed to increasing implied volatility over the period.  In addition, the desk transacted proprietary deals in USD/JPY and GBP/USD which subsequently generated additional losses.

 

                  Throughout the December quarter the traders sought to mask the growing actual loss position by entering fictitious trades (explained within 2.1.4).  To complicate the issue, the traders were already masking a carried forward loss position from the prior financial year (ending September 2003).

 

                  The fictitious trades had the dual effect of producing an immediate profit (as they were often dealt at off-market prices) and dampening the risk measures for the books.  As the USD weakened, further proprietary transactions (both spot and option related) were dealt which, in turn, produced losses.  The traders sought to disguise these additional losses by entering more fictitious trades.  By early 2004, the actual risk position and loss had grown to sizeable amounts in the AUD, NZD, GBP and JPY.

 

                  The traders also transacted options which exploited known weaknesses in the bank’s approach to currency options revaluation.  These weaknesses related to the accuracy of the volatility smile used to revalue the portfolio.  This enabled certain deals, transacted at market prices, to generate an immediate profit when revalued.

 

2.1.3.                            Quantum of the loss

 

On 13 January 2004, the NAB announced that it had experienced a loss of $180m from unauthorised dealing within its Currency Options business.  This amount was subsequently marginally adjusted to $185m on 19 January 2004.  A further announcement was made by the NAB on 27 January 2004 in which it restated the size of the losses to be $360m.  The adjustment from the previously quoted $185m to the higher amount of $360m was due to revisions to revaluation rates and to market prices used, as well as an adjustment to these rates/prices to reflect expected close-out costs.

 

2.1.4.                            How the actual positions were concealed: the “fictitious” trades

 

The traders concealed loss-making positions in three ways:

 

                  P&L Smoothing using Spot FX - Late 2001 to May 2003

 




 

                  Loss Masking using ‘surrendered’ Spot FX trades - July 2003 to January 2004

 

                  Fictitious Options Trades - October 2003 to January 2004

 

A.  P&L smoothing using amended spot FX deals

 

                  The masking of losses using amended spot trades was achieved using a number of different methods.  In all cases, however, traders took advantage of the “window” between Horizon end-of-day and the Kapiti deal matching process to mask losses.

 

                  Prior to end-of-day, a spot deal would be transacted with a counterparty (the evidence so far suggests all counterparties were internal) in the currency pair where the loss needed to be masked.

 

                  One method used would be for this deal to be booked in the system by the Currency Options desk at an exchange rate different to what was agreed with the internal counterparty to generate the desired profit.

 

                  Once Horizon end-of-day is complete, the posting to the sub ledger occurs and the daily P&L for the desk is calculated (based on the incorrect trade rate).

 

                  Post end-of-day, the deal would be “amended” by the trader to the correct rate and then allowed to mature as a legitimate deal.

 

                  While the profit smoothing method allowed the traders to conceal loss-making trades, only daily P&L figures were affected.  Long term P&L figures reflected legitimate deals at correct prices.

 

B.  Loss-masking using surrendered spot FX deals

 

The next level of loss-masking activity commenced in July 2003 when the traders began using the surrender function in the Horizon system to remove fictitious Spot FX deals.  This followed a Horizon change request made in May 2003 that allowed Front Office to surrender(1) Spot FX deals.  This change was significant because the ability to remove trades from the system meant that the traders were now able to input fictitious trades into Horizon.

 

The extent of loss masking from July to September 2003 was in the range of AUD $3-$6 million per day.  In late September 2003, the extent of the loss masking using fictitious spot trades escalated rapidly to approximately $45m (as at 30 September 2003).

 


(1)  Surrender is a process used to amend or cancel deals.

 




 

                  The end-of-day for the currency desk was New York close of business (3pm New York).  Just before end-of-day (i.e. 7.59am Melbourne time) processing for Horizon was completed, a one-sided spot deal would be transacted within the desk (i.e. between Horizon portfolios 1792: non exotic and 1371: exotic).  Because this deal was “one-sided” this deal could be designed to generate the required amount of P&L.

 

                  The Horizon end-of-day process generated the P&L posting to the Treasury sub-ledger.

 

                  Once end-of-day was complete (i.e. soon after 8.00am local), and the system clock had ticked over to the new day, the trade was surrendered in Horizon.

 

                  Operations (back office) reconciliations commenced at Melbourne open (depending on time of year this could be between 15 minutes and two hours after end-of-day) and only looked at trades that were then still live.   Thus, the automated internal deal matching process for spot deals using Kapiti information did not occur.

 

                  When the Kapiti reconciliation was completed, the original fictitious trade and the surrendered trade would effectively cancel each other out.  Consequently, it did not appear as an exception on the unmatched deal report.

 

                  The “window” of time between Horizon end-of-day and the Kapiti reconciliation of internal deals, allowed Front Office to book P&L on a one-sided internal deal without it being detected via the deal matching process.  This impacted on the daily P&L figures by concealing the extent of losses on legitimate trades.

 

                  This process was repeated daily and the loss rolled forward.

 

C.  Fictitious options trades

 

The third stage of loss-masking evolved from stage two and involved the use of fictitious options trades.  It began shortly after 10 October 2003 when Operations ceased reconciling internal trades.  Entry of fictitious one-sided options trades commenced on 22 October 2003.  The booking of these trades appears to coincide with the point at which the booking of spot trades became so large (i.e. > $50m) that an alternative means of masking the losses was required.  In December 2003, the extent of the loss-masking escalated exponentially to around AUD $150m.

 

                  On 10 October, the Operations practice of reconciling internal option trades ceased.  This followed an email that was received from the Head of Currency Options that was interpreted by Operations as meaning that this procedure was no longer required to be performed.  The change in procedure was not brought to the attention of management, and ongoing supervision of the desk did not detect that this control had ceased.

 

                  These fictitious trades involved entering an options deal with an internal counterparty (i.e. within Horizon) and not entering the other side of the deal.  This trade could be input in the system at any time of day by any trader, and was not detected because Operations did not check that the deals were offset by another internal (equal or opposite) deal.

 

                  The presence of one-sided internal deals within the portfolio meant that the Front Office was able to generate the P&L/position required to mask real losses and dampen the risk measures.

 

                  The intention of these trades was to remove them from the system (by surrendering them) when either the position was reduced or the relevant loss was made back.
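
The control gap described in stages B and C above (reconciling only deals still live, and not reconciling internal options at all) can be contrasted with a reconciliation taken at the end-of-day cut-off. The following is an added example, not part of the APRA report or of NAB's systems; the record layout, deal ids, amounts and timestamps are constructed, and only the portfolio numbers 1792 and 1371 come from the report.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Deal:
    deal_id: str
    product: str                      # "spot" or "option"
    book: str                         # portfolio holding this leg
    cpty_book: str                    # internal counterparty portfolio
    pair: str
    amount: int                       # signed notional: + bought, - sold
    booked_at: datetime
    surrendered_at: Optional[datetime] = None


def live_at(deal, t):
    """True if the deal existed and had not been surrendered at time t."""
    return deal.booked_at <= t and (deal.surrendered_at is None or deal.surrendered_at > t)


def one_sided(deals):
    """Ids of internal deals lacking a mirror leg
    (same product and pair, books swapped, opposite sign)."""
    legs = {}
    for d in deals:
        legs.setdefault((d.product, d.pair, d.book, d.cpty_book, d.amount), []).append(d)
    flagged = []
    for (product, pair, book, cpty, amount), group in legs.items():
        mirrors = legs.get((product, pair, cpty, book, -amount), [])
        excess = len(group) - len(mirrors)
        if excess > 0:
            flagged.extend(group[-excess:])
    return sorted(d.deal_id for d in flagged)


def live_only_recon(deals, recon_time, products=("spot",)):
    """The weak procedure: only deals still live at reconciliation time,
    and only the products Operations still reconciles."""
    return one_sided([d for d in deals
                      if d.product in products and live_at(d, recon_time)])


def cutoff_recon(deals, eod, recon_time):
    """Reconcile the population that fed end-of-day P&L, and list every
    surrender made between end-of-day and the reconciliation run."""
    unmatched = one_sided([d for d in deals if live_at(d, eod)])
    window = sorted(d.deal_id for d in deals
                    if d.surrendered_at and eod < d.surrendered_at <= recon_time)
    return {"unmatched_at_eod": unmatched, "surrendered_in_window": window}


# Constructed sample data (times are illustrative, all in one time zone).
EOD = datetime(2003, 12, 1, 21, 0)      # front-office end-of-day cut-off
RECON = datetime(2003, 12, 1, 22, 30)   # back-office reconciliation run
DEALS = [
    # Genuine two-sided internal spot deal between the two portfolios.
    Deal("D1", "spot", "1792", "1371", "AUD/USD", 10_000_000, datetime(2003, 12, 1, 9, 0)),
    Deal("D2", "spot", "1371", "1792", "AUD/USD", -10_000_000, datetime(2003, 12, 1, 9, 0)),
    # One-sided spot deal booked just before cut-off, surrendered just after.
    Deal("D3", "spot", "1792", "1371", "AUD/USD", 50_000_000,
         datetime(2003, 12, 1, 20, 59), datetime(2003, 12, 1, 21, 5)),
    # One-sided internal option left on the system.
    Deal("D4", "option", "1371", "1792", "AUD/USD", 25_000_000, datetime(2003, 12, 1, 14, 0)),
]

if __name__ == "__main__":
    print("live-only reconciliation:", live_only_recon(DEALS, RECON))
    print("cut-off reconciliation:  ", cutoff_recon(DEALS, EOD, RECON))
```

The live-only run reports no exceptions, while the cut-off run flags both one-sided deals and the surrender made inside the window.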

 




 

3.  Corporate & Institutional Banking (CIB)

 

3.1                                    Global Markets front office trading

 

Global Markets is responsible for the sale of financial products such as foreign exchange and interest rate products to the corporate and institutional customer base of NAB.  In addition, it makes markets in a number of products, including derivatives, and trades on its own account for profit.  Global Markets exists within a number of financial centres around the globe.

 

Global Markets is responsible for its own risk taking and for the subsequent ongoing management of these risks.  Its activities are subject to independent risk oversight from Market Risk & Prudential Control (MR&PC), in the Risk Management Division.  To enable effective management of risk, Global Markets requires accurate measurement of risk factors at a number of levels, ranging from trader portfolios to aggregated views across the regions and products it operates in.  To operate effectively, it needs to balance risk and reward and strive for a targeted mix of sales and trading revenue streams.

 

3.1.1.                            Responsibility and Organisational Structure

 

A.                                    Responsibility for front office risk analysis

 

There has been dispute between the General Managers of both Global Markets and Market Risk (MR&PC) regarding which of their functions is responsible for the production of risk analysis for use by Global Markets dealers and front office management.  In practice, it appears that this responsibility has resided with the front office, which failed to produce detailed and useful analysis.  The lack of desk specific risk analysis is a significant failing which contributed to the bank’s failure to detect the fictitious trading activities of the currency options desk.

 

                        APRA requires NAB to clearly articulate the roles and responsibilities of each of MR&PC and Global Markets in respect of risk analysis.

 

B.                                    FX options trading oversight

 

Options trading by the Currency Options desk has been reckless, undertaking large, loss-making trades, and disguising losses and the risk profile with fictitious trades.  This has exposed NAB to significant risk which could have resulted in losses even greater than those ultimately realised.

 

Our review has identified inadequate oversight of the operations of the currency options desk by the Joint Head of Foreign Exchange (JHFX).  The desk appears to have been left largely to manage itself with little rigour applied by the JHFX to keep up to date with the desk’s activities, profit/loss or risk profile.  As the JHFX was previously involved with the design, implementation and functionality of the currency options system and was previously Head of Currency Options, he possessed a detailed knowledge of the reporting and risk measurement capabilities of the system.  It is significant that the JHFX appears not to have maintained a good understanding of the desk’s activities.  Our view is that the JHFX placed an inordinate amount of trust in the currency options team.

 

While the JHFX appears to have not sufficiently oversighted the currency options desk’s activities, the lack of risk analysis of the desk’s activities has meant that others, including the second Joint Head of Foreign Exchange and the General Manager, Global Markets did not receive useful risk information relating to the desk’s activities.  They too appear to have trusted that the desk was in order, placing too much faith in explanations provided by the JHFX and Head of Currency Options and without undertaking further investigation.  As noted above, a lack of risk analysis is a critical deficiency from the perspective of the management of Global Markets.  During our review, we were advised that Global Markets is now considering hiring some staff to commence production of a reliable set of risk reports.

 

                        APRA endorses the Global Markets initiative to introduce risk reporting for use by the front office.  This initiative must be supported by clear role descriptions for the staff hired to perform this duty.

 

                        APRA requires that role descriptions in CIB clearly enunciate the risk identification and escalation responsibilities of senior personnel within Global Markets.  The EGM, CIB should review the management structure and relevant role descriptions to put this into effect.

 

3.1.2.                            Policies, Controls and Procedures

 

A. Market risk limits

 

Global Markets management and dealing staff have a responsibility to monitor market risk limit utilisation and undertake actions to contain the risk when limits are breached.  This is a fundamental responsibility of any front office operation.  In the case of the currency options desk, NAB management failed in this duty.  While there was dispute regarding the accuracy of the value at risk (VaR) results for currency options (this is acknowledged by MR&PC) the undisputed “greek” risk measures (delta, gamma, rho, vega and theta) were also routinely exceeded.  This demonstrates very poor limit discipline by the front office and its management.  Despite the currency options desk being in excess of market risk limits almost daily, there was no serious effort by Global Markets to either bring the business back within mandated risk parameters, or undertake any rigorous reassessment of the adequacy of the existing limit structures.

 




 

                        NAB is required to formalise its approach to limits, including treatment of excesses and requests for new limits, by 30 April 2004.  This was required by APRA previously, in respect of the old limit structure, with a deadline of 31 March 2004.

 

B. FX options business model

 

The business strategy of Global Markets was to increase revenue from sales of financial products to customers and to reduce trading revenue as a percentage of total revenue.  This strategy was set for the currency options desk.

 

The currency options desk was known to be a major player within particular currency option types (e.g. AUD/USD based options).  It often dealt options interbank and in large size with less typical structures, for example, low delta trades.  It is difficult to view such activities and position in the market place as being consistent with the desired business strategy for the desk.  The dealing practices of the currency options desk were well known, or ought to have been known, within Global Markets.  The desk had actual option exposures which were heavily concentrated amongst a few interbank counterparties.  These were sizeable trades (multiples of regular customer trades) and the desk often requested Product Usage Authorities (PUAs) for long dated transactions with unusual structures.  PUAs for the desk were meant to be signed-off at senior levels within Global Markets and MR&PC.

 

Given this desk profile was out of line with CIB’s business strategy and the knowledge that the desk continually exceeded risk limits, it is clear that Global Markets management oversight of the desk was inadequate.

 

3.1.3.                            Systems and tools

 

Our understanding is that the currency options system has significant functionality that allows the option trader (or desk manager) to view the aggregate positions within the various books and quantify the non-linear dimensions of the risk. It also provides detailed performance information that can quantify the losses in each book.  A good level of “drill down” to the deal level is available on the system.  We note that some of the fictitious trades (mostly the fictitious option trades) will have been on the desk system for extended periods and could have been viewed (i.e. detected) by a regular user of the system or within the reporting produced by the system.

 

3.1.4.                            Role performance

 

Our review has identified that a number of Global Markets roles have not been performed in accordance with the responsibilities and duties normally associated with those positions.  We found deficiencies regarding the oversight of the currency options desk and a general lack of proper consideration of risk within decision making.  We have found both the General Manager, Global Markets and the Joint Head of Foreign Exchange did not give appropriate attention and priority to the risk management of the activities of the currency option desk.  Clearly, the majority of the currency option traders have not acted in the best interests of the Bank.

 

3.2.                                 Operations Division

 

Operations should facilitate a secure and controlled process for the confirmation, settlements, messaging, payments and reconciliation of the Front Office dealing activity in the various currencies. The resulting sub-ledger movements should be clear and verifiable.

 

Our review identified a number of gaps in normal back office procedures:

 

                        failure to check or reconcile internal trades;

 

                        failure to validate surrendered or amended trades;

 

                        failure to extend validation procedures to close-out the processing ‘window’ between front and back office systems.

 

In our view, these deficiencies arose from a combination of inadequate policies and procedures and a lack of clarity around roles and responsibilities.

 

3.2.1.                            Responsibility and Organisational Structure

 

A. Transparency of staff responsibility

 

Our review has identified that Operations senior management possessed an incomplete understanding of the tasks, roles and responsibilities of staff under their direction.  As examples:

 

                        Roles and responsibilities were delegated by management but, in some cases, this was not clear between the parties involved.  As an example, changes to reconciliation procedures were not communicated between the Manager, Structured and Derivative Products, Senior Supervisor Currency Options and the Currency Options Operations team.  The responsibility of Operations staff should be clearly aligned with the procedures manual, communicated to staff and reasonable training undertaken to allow them to confidently perform those tasks.

 

                        Decision making by the front office and other support areas has at times been taken without, it seems, full regard for the consequences on the processes of Operations.  For example, changes to the Authorised and Verified process for deals entered into Horizon seem to have not appropriately included Operations staff.  This apparent lack of inclusion of Operations within decision making will have made it difficult at times for management to know how Operations’ procedures and staff duties ought to be configured.

 

B. Role statements and procedures

 

Within Operations’ staff role statements, some responsibilities have been defined too narrowly;  they failed to cover escalation and management response triggers adequately. Any decision by Operations staff to change key processes, such as reconciliations, should have initiated a discussion and agreement between the staff member and Operations management as to the appropriate action to take.  In the case of currency options, critical changes were made without reference to the Manager, Structured and Derivative Products.

 

C. Inappropriate internal actions

 

Interviews with staff have suggested that certain Global Markets and Operations staff engaged in detailed discussions around the confirmation and reconciliation processes, outside of normal activity. Although parties to the discussions may have had innocent intent, this may have provided important information on the back office systems and procedures to the traders who subsequently undertook the fraudulent activity using this knowledge to avoid detection.

 

                        NAB is required to review and administer role statements, processes and procedures of currency options Operations staff to identify and close gaps and weaknesses.  Role statements and procedural manuals should closely reflect the required responsibility of the staff and adequate training should be provided to ensure that line management and staff understand their own oversight responsibilities and their respective duties regarding escalation of changes to work practices.

 

                        NAB is required to ensure that dealers are made aware that a tight Operations control framework and strict separation exists between Global Markets and Operations.

 

3.2.2.                            Policies, controls and procedures

 

Significant inadequacies were evident in the policies, controls and procedures that form the core activities of the foreign exchange and currency options Operations teams.

 

A. Confirmation and reconciliation procedures

 

It should be noted that Operations at NAB directs its process to ensuring accurate and timely processing of confirmations/settlements/payments of live deals with external parties.  Accordingly, some processes were not applied or were inadequately applied to internal trades between desks, and those deals which were amended or cancelled.  As an example, key reconciliations were not completed for internal option trades to ensure that such deals were entered as two-sided transactions which matched.

 

                        NAB is required to tighten its confirmation and reconciliation processes, particularly as they relate to currency options and foreign exchange deals to ensure that these processes are sound.  This should encapsulate both internal and external trades and also whether any inadequacies exist associated with other CIB products due to the variety of end-of-day times for the processing systems used by NAB.  The details of all revised procedures are to be provided to APRA for review.

 

B. Daily deal analysis

 

As with Finance and MR&PC, Operations has access to significant deal information on a daily basis.  Accordingly, it can be asked to assist in the identification of unusual deals or activities.  It appears that responsibility for enquiring into and escalating unusual trades is minimal in Operations.  We note that:

 

                  No formal process has existed to escalate instances of large settlement triggers or large transactions which would ordinarily require a heightened level of diligence.  Similarly, no exception reports existed to identify unusual deal characteristics such as option premiums settling at distant future dates.

 

                  Exception reports for off-market rates are lacking. Controls for tolerances around rates were incorporated into the FX back office system.  However, these were ignored since the report was producing too many exceptions. The front office system for currency options did not have the functionality to identify off-market rates.

 

•      NAB is required to implement additional reporting and control procedures in Operations to identify unusual deals and activities.  Specifically, these should include exception reporting, settlement day movements, unusual or suspect trades, trades done at off-market rates and balance movements.  The details of all revised reports and control procedures are to be provided to APRA for review.

 

C. Change management

 

                  Due consideration was not given to the impact of changing processes, particularly the introduction of the two FX end-of-days (typically, Melbourne 5pm for spot deals and New York 3pm for option deals).  This allowed a window of opportunity for the traders to by-pass the reconciliation control process.

 




 

                  NAB is required to review its change management procedures and how these procedures are communicated and understood by Operations staff.

 

3.2.3.                            Resources, systems and tools

 

The recent currency options loss has highlighted weaknesses in key processes within the Operations area.  In reviewing these weaknesses and identifying the strategies to address them, NAB should also assess whether the Operations area has been adequately resourced.

 

                  NAB is required to review the adequacy of its Operations resources, including systems, skills and headcount.  The findings of this review are to be provided to APRA.

 

3.2.4.                            Reporting

 

A. Operational risk control dashboard

 

NAB was unable to produce any report which showed operational statistics in detail, including position breaks and the number of cancelled/amended deals.  Operational statistics can help management determine inefficient processes and, at times, unusual activities.

 

                  NAB is required to ensure that Operations management receive periodic, centrally produced statistical information to assist management to identify risk issues and better understand current trading activities.

 

3.2.5.                            Role performance

 

Our review has not assessed the variety of responsibilities for key Operations staff and whether these were performed adequately.  The events surrounding the currency options loss included a key breakdown with the cessation of reconciliations by Operations staff, in this case, by the Supervisor, Currency Options and staff in the Currency Options team.  This event highlighted the absence of effective change management protocols to govern adjustments to key controls and procedures within Operations.  This task was properly the responsibility of the Manager, Structured Finance and Derivatives Products.

 

3.3                 Finance Division

 

The main responsibilities of the Finance division are the management and integrity of the general ledger and reporting of business performance to management.  Finance is responsible for uploading the profit and loss information from each desk into the general ledger and for comparing the daily profit or loss to the dealer estimates.  If these are substantially similar, they will produce the daily profit and loss report, which is sent out to each desk and senior management for the previous day.  On a periodic basis, mostly monthly, Finance produces profit/loss commentaries for management.

 

3.3.1.                            Organisation and Responsibilities

 

A.  Review of data

 

Other than comparing dealer estimates and ensuring that the profit/loss data is complete, Finance does not conduct any detailed review of the information which it has received.  APRA has identified a number of issues arising from the review of data by Finance.

 

NAB has assigned responsibility to review major movements in profit/loss to Finance.  This process focussed on desk level profit/loss movements.

 

Currently, there is minimal analysis undertaken by Finance on the components of the deals transacted and reported in the general ledger.  Finance has focussed on movements in the profit and loss for the desk as a whole, and has not performed any profit attribution on the components of profit for each trading desk.  For example, there is no daily assessment of the movement in profit for each particular currency, profit on internal deals compared to external deals or profit from proprietary trading compared to profit from customer deals.

 

A report is produced daily by Finance which allows for the monitoring of profit/loss referral points (triggers) at desk level.  Throughout the December quarter, P&L triggers associated with the currency options desk were breached on numerous occasions.  These episodes did not initiate a more detailed review of the deal composition of the currency options desk and tended to reinforce a sense of complacency.

 

In addition, there has been minimal review of deal structures, including the use of premium in arrears, deal size, deal volumes, and immediate booking of profits.

 

Currently, Operations have the responsibility to ensure that all deals are entered into the system correctly, MR&PC and Quantitative Support have the responsibility to ensure that the rates and revaluation of deals are correct, and Technology has the responsibility to ensure that all programs interface correctly.  The implicit assumption which is made by Finance is that all inputs into the calculation of profit and the feed into the general ledger system are correct.  There are no formal enquiries made, or regular updates received regarding the status of the input parameters.  The system generated “Trade Value Report” is accepted as a true reflection of general ledger movements with minimal analysis.

 

                        APRA requires the task of reviewing the profit and loss components and attribution to be assigned to the Finance Division, and that there be adequate and appropriately skilled staff to review this information.

 




 

                        APRA requires the responsibility of ensuring general ledger data integrity be assigned to Finance.  This may mean that Finance needs to receive positive confirmation from the various operational units that the input components are correct.  The frequency of these confirmations would vary, depending on the input parameter.  For example, assurance over the integrity of rates used for revaluation of positions should be sought from MR&PC on a daily basis.

 

3.3.2.                            Controls and procedures

 

A. Policies

 

Despite receiving a management letter point from the external auditor on three occasions, NAB currently has no reserving policy in place for the valuation of long-dated or illiquid securities or positions and revaluation deficiencies.  Global Markets has approval to trade in long-dated and illiquid currencies, even when there have been difficulties in obtaining the applicable revaluation rates and volatility curves for these options.

 

                        APRA requires that a reserving policy be implemented for Global Markets.

 

B.  Timing of reporting and amended deals

 

APRA found a number of issues where the timing of end-of-day procedures and cancellation or amendment of trades created an opportunity to engage in profit smoothing.  These are as follows:

 

               The end-of-day procedures for the foreign exchange spot desk occur at 5pm Melbourne time, with the end-of-day procedures occurring at 3pm New York time for the FX options desk.  This means that two sets of spot rates are used to revalue both sides of the same internal deals between these two desks.  The implication is that the profit or loss on the internal trades between these desks will rarely match exactly.  Any form of complacency in matching the deals between the two desks could, and did, allow mismatched trades to go unnoticed.

 

               The daily and monthly profit and loss reports generated by Finance are not adjusted for deals which have subsequently been amended or cancelled the following day.

 

While APRA appreciates the need for a daily cut-off point, it is important that Finance appreciate the need to review and restate the profit impact of trades where the details have been cancelled or amended the following day.  Ordinarily, the profit impact would be minimal, but by undertaking this review the true position of the rolling losses from the FX options desk should have become apparent.

 




 

                        APRA requires that NAB review the use of two different spot rates for internal trades to ensure that the profit characteristics of all internal deals match at least once daily.

 

                        APRA requires NAB to make adjustments to general ledger cut-off procedures to ensure that month-end profit includes any restatement for amended or cancelled deals.

 

C.  Profit materiality

 

Finance reviews the movements in profit on each desk when the movements are material.

 

In APRA’s view, the materiality thresholds set for the currency options desk were set too high, rendering them ineffective as a financial control.

 

As the profit review was completed on a desk basis, and not a product or deal basis, the review of profit has been too narrow to detect any unusual trades within the FX options desk or to adequately explain movements or profit/loss trigger events.  This has resulted from a high tolerance to profit volatility for deals and books on the desk, as the focus has concentrated on material movements in profit for the desk as a whole.

 

                        APRA requires Finance to determine appropriate materiality thresholds for each desk, product and deal.  These materiality levels should be based on the business needs and planned budget for each desk.

 

                        APRA requires all materiality levels to be formally documented and clearly communicated to all staff within Finance, along with the appropriate escalation procedures.  The monthly reporting pack issued by Finance should include an explanation of the profit movements which exceed revised materiality thresholds.

 

3.3.3.                            Reporting

 

A.  Daily and monthly reporting

 

APRA noted a number of areas of concern over the reporting provided by Finance, as follows:

 

                  The reporting of profit details for Global Markets is highly aggregated, and does not give an overview of profit movements for each of the different products.  Whilst aggregated information is useful to the reader, the ability to review disaggregated information would, on many occasions, be extremely useful to Senior Management and MR&PC to understand the profit contribution from each of the products, and to track these against budget.

 

Currently, the general ledger system does not readily allow for drilling down on the components of profit below the desk level.

 




 

                  Daily and monthly reporting should include commentary and details of the cancelled and amended trades during the month.  A valuation of the deals cancelled or amended for the day after month end should be incorporated into the monthly reporting pack.

 

                  As the materiality triggers for investigation and escalation of movements in profit were set too high, there were few unusual transactions which were noticed and reported.  Refer to 3.3.2 C above.

 

                        APRA requires the reporting of the components of profit on a monthly basis and, upon request, to Senior Management.  This report should reconcile to the aggregated profit reported in the monthly reporting pack.

 

                        APRA recommends that Finance report the value and details of cancelled or amended deals in the daily and monthly reports.  The reporting of such items should help to reduce the volume of cancelled or amended trades.

 

3.4                 Quantitative Support

 

Quantitative Support (QS) is a small group of staff whose role is to validate the pricing algorithms used for the various products within Global Markets and CIB.  QS forms part of the PUA process when requested by MR&PC.  QS also reviews, where requested, the pricing tools and applications created by the quantitative staff on each desk.

 

QS is part of Services, CIB.

 

3.4.1.                            Organisation and Responsibilities

 

A.  Role and reporting line

 

QS currently forms a discrete part of the CIB cost centre.  The limited reporting received by QS comes mostly from the few quantitative analysts on the desks and MR&PC, although both of these are on an ad-hoc basis.  APRA has recognised a number of issues relating to reporting lines as follows:

 

                  The extent of validation and testing required by QS at the outset of a new product or model is unclear.  Currently, QS - when requested by MR&PC -  will test the pricing models to ensure integrity for new products and will, where necessary, propose limitations on the product usage.  These proposed limitations require the acceptance of MR&PC to take effect.  Validation and testing of ongoing product usage for model limitations is minimal.

 

                  QS acts as an independent party which confirms and tests the validation of the models and algorithms used for revaluation purposes by Global Markets. In this way, the responsibilities of QS are in tandem to those of MR&PC.  APRA has reservations over the current reporting lines to CIB, as QS is not a profit generating function and needs to maintain independence from the business.

 

                  APRA requires that the procedures for initial testing and ongoing monitoring of the pricing models by QS be formalised and communicated to all staff in QS and MR&PC.  The procedures for documenting model limitations and any ongoing validation responsibilities should be clarified.  The contribution of QS into the PUA process should also be included here, refer to 3.4.1 B.

 

                  APRA recommends that the reporting lines for QS be reviewed to ensure that the independence of QS is maintained.

 

                  APRA recommends that the budget allocation for QS be reviewed to ensure that QS has the appropriate resourcing to effectively undertake its role.  Refer also to 3.4.3 A.

 

B.  PUA responsibilities

 

Quantitative analysis of the risk attributes of new products is an integral part of the process governing their approval.

 

QS does not have direct responsibility for the PUA process, and is only required to have input at the request of MR&PC.  The result is that QS is reliant on MR&PC to indicate which PUAs are currently in the pipeline, including the PUAs which may impact on the pricing models.

 

There is little formalisation of the initial and ongoing role of QS in the PUA process.  The perceptions of responsibilities assigned to QS are not universally held between Global Markets, QS and MR&PC.

 

                  As part of the PUA rectification process detailed at 4.1.2 B, APRA requires the sign-off authorities for each PUA for Global Markets to include QS.  QS should be given appropriate feedback on the status of PUAs and MR&PC’s decisions regarding QS’s input.

 

3.4.2.                            Policies and procedures

 

A.                                    Testing undertaken

 

QS undertakes testing on each of the models to validate the results of the pricing for new products.

 

QS has only recently reviewed the interpolation of volatility smiles and the impact of the smile on the valuation of FX options products.  This review has taken place after the tenor of a number of FX option products has been extended and after deals have been done at extremely low deltas.

 

APRA understands the volatility smile was not reviewed for all FX option products.  The work which has been done is on the use of stochastic volatility models to replace the smile, to prevent the extrapolation of a flat smile for long-dated options.

 

The requests for guidance from QS by MR&PC in relation to regular testing, and testing of complex issues, have been minimal.  This recent testing should have been incorporated into the PUA process for the FX option products concerned.  An annual review of deals jointly by MR&PC and QS for each desk could have uncovered the trades which were not being properly treated within the pricing model.

 

QS has a “test bed” which is used to ensure that any upgrades of the pricing model in the Horizon system produce a correct and consistent result.  The test bed is used as a check on the algorithms only, and incorporates a number of products for specific testing.

 

Upgrades to Horizon are not necessarily communicated to QS, which indicates that QS may not participate in all upgrades.  This could lead to issues with the pricing model lying dormant for extended periods of time.

 

The pricing models have not been independently validated by an external source, even though some of the models have been in place for extended periods of time.

 

                        APRA requires a formal involvement of QS in the on-going assessment of the products dealt by Global Markets and their associated pricing models.  QS is to review pricing models at least annually.

 

                        APRA requires that the ‘test bed’ limitations be documented for each test of the pricing models.  Where possible, alternative reviews of these limitations should be made.

 

                        APRA recommends that NAB has its models validated by an external party for both pricing and risk, at least for the major exotic option types traded by Global Markets.

 

3.4.3.                            Resourcing and system tools

 

A. Resourcing

 

As with other support functions, it is unclear whether there has been a fundamental underspend on either headcount or systems within QS.  QS consists of a small team which focuses mainly on pricing methodology for new products and has little to do with existing products.

 

In clarifying the appropriate roles and responsibilities for the QS function, NAB should also assess whether the QS area has been adequately resourced to discharge its duties in a timely manner.

 


                        NAB is required to reassess the adequacy of its resources in QS, including systems, skills and headcount.  The findings of this report are to be provided to APRA.

 

B.  PUA process limitations

 

When requested by MR&PC, QS will become part of the PUA process and when necessary, propose limitations on the PUA.  On numerous occasions, deals were transacted which were outside of the PUA limitations set by QS.  QS and MR&PC have had minimal discussions on these deals, which has led to the PUA limitations being circumvented without the knowledge of QS.

 

                        APRA requires that appropriate feedback be sought and given to QS regarding the deals transacted and their compliance with the PUA limitations set by QS.  Where monitoring deficiencies are identified, this should be discussed between MR&PC and QS to ensure that appropriate action is taken to properly monitor PUA compliance.

 

3.5                                    Technology

 

The central technology facilitating the currency option transactions was the Horizon system. An external vendor was engaged to assist in the development of the system.  The application facilitates all front to back office functionality, and provides information that is used to calculate the balance movements in the general ledger.

 

The integrity of the Horizon system cannot be fully ascertained at this point in time as the NAB has not provided documentation regarding the extent of user acceptance testing undertaken upon the implementation of the Horizon system and upgrades to the pricing models used by the Horizon system.  This is despite the procedural requirement for the Technology team to document and approve all testing, log all requests for, and actual changes to, the Horizon system.  This issue was raised by KPMG in early 2004.

 

This investigation has not reviewed other issues surrounding IT systems within NAB’s trading operations.  Developments in IT systems were previously identified by APRA among its findings from the 2002 and 2003 on-site reviews, and NAB provided a timeframe for implementation of system developments as part of its response to the 2003 review.  In light of the issues raised in this report, NAB should reassess whether the timeframe for implementation of system upgrades, including development of better system interfaces, should be accelerated.

 

                        APRA recommends that NAB revisit the plan for development of systems within its trading operations, in light of matters raised by this report, and consider if the timeframe for implementation of system upgrades, including development of better system interfaces, should be accelerated.  NAB is to report back to APRA on the outcome of this review.

 

                        APRA requires NAB to undertake an internal review of the processes followed in the development, implementation and upgrades of the Horizon system and, in particular, identify any non-compliance with NAB policies on user acceptance testing and system change control processes.

 


4.   Risk Management

 

4.1                                    Market Risk Division

 

4.1.1.                            Organisation and responsibilities

 

A.  Transparency of market risk issues

 

Ordinarily, market risk issues are discussed at a number of levels within an ADI.  Best practice in market risk management should include regular discussions on market risk matters, resulting in constant fine tuning and enhancements to market risk monitoring and reporting so that the important issues are being escalated, analysed and discussed.  In many large ADIs, market risk issues are perceived as minor relative to the other risks being managed by the ADI such as credit risk.  The challenge for an ADI is to give appropriate diligence to market risk issues and to develop a consciousness for market risk issues on an ongoing basis.  It is the role of the Chief Risk Officer and the Head of Market Risk to instil an understanding of the importance of market risk issues at key management meetings or forums.

 

In reviewing market risk management at NAB, it is difficult to find many instances where key forums (committees or presentations) have spent sufficient management time on market risk issues.  There have been numerous opportunities to discuss market risk issues in detail:  at Board committee meetings and presentations;  senior executive risk management committee meetings;  and meetings with APRA.  Few of these opportunities appear to have been taken.

 

Despite APRA’s dialogue with NAB over the years, and the amount of time spent with NAB staff through the first two months of 2004, it is difficult to identify why market risk has not received sufficient management attention or why market risk executives have not taken opportunities to escalate concerns, or generally to raise the profile of market risk issues within NAB.  In our opinion, deficiencies in organisational culture at NAB have played a significant part in this.  Whatever the actual reason, it is clear that market risk as a risk type has not been well promoted and addressed within NAB.

 

While ownership of this issue is broad, the EGM, Risk Management (EGM, RM) and GM, Market Risk and Prudential Control, CIB Risk Management (GM, MR&PC) carry much of the responsibility for ensuring that market risk issues receive appropriate priority and attention.

 

                        APRA requires that NAB ensure agenda items for critical risk management meetings and forums devote appropriate attention to market risk issues.

 


B.  Responsibilities of Market Risk Division

 

It is critical to the success of any risk management function that there is clarity around the accountabilities and authorities for which the function is responsible.  Any inconsistencies or vagueness in a function’s charter can act to dilute the effectiveness of the function and can allow important risk processes to go unaddressed or be inadequately completed.  Our discussions with MR&PC and associated front office and support functions have identified that there has been a lack of clarity on key processes.  Examples of this lack of clarity relating to responsibilities and authorities of the MR&PC function include:

 

                  sourcing and review of revaluation rates;

 

                  ongoing sign-off of the valuation methodology for option related exposures including the treatment of factors such as the volatility “smile”;

 

                  ongoing monitoring of agreed product types (known within NAB as the PUA process);

 

                  risk analysis of dealer positions;

 

                  authority, as outlined in the CIB Policy Manual, to require position excesses to be cut, reduced or escalated;

 

                  escalation of large or unusual deals; and

 

                  limit ownership.

 

It is the responsibility of senior risk management officers to ensure that clarity of responsibilities for important risk control processes exists.

 

                        APRA requires that the responsibilities and authorities of MR&PC be reviewed and defined by the EGM, Risk Management and a Board agreed mandate be given to the EGM, Risk Management and the GM, MR&PC.  This process should be transparent with the results communicated to other functions including Global Markets, Operations, Finance and Internal Audit.

 

C.  Responsibilities for procedures pertaining to market risk

 

Our investigation has identified some vagueness around how the MR&PC function has been organised to carry out its duties.  Several key senior staff members within the function are unclear as to the boundaries of their responsibilities.  As an example, in July 2003 an agreement was reached at a senior level within MR&PC that a particular staff member would no longer perform his agreed responsibilities for the Currency Options desk.  This transfer of responsibilities was not known to other members of MR&PC or to staff on the desk, even as recently as January 2004.  It is the responsibility of the GM, MR&PC to ensure that divisional staff have clear role definitions and accountabilities.

 

                        Following formalisation of the Board-agreed market risk management mandate for MR&PC, the GM, MR&PC should allocate key tasks to individual members of MR&PC.  Processes as they relate to important facets of risk management such as escalation and treatment of limit excesses should be clearly enunciated.

 

D.  Reporting lines of Market Risk management

 

APRA has previously questioned the number of reporting lines flowing into the GM, MR&PC and whether this allowed for issues to be managed effectively.  The GM, MR&PC has a variety of responsibilities which are additional to his market risk role including components of each of Basel II, operational risk management and compliance.  Along with these responsibilities the GM, MR&PC retains most of the day-to-day market risk approval authority for NAB.  Additionally, the GM, MR&PC has dual reporting lines into the EGM, RM and EGM, CIB, the second line being for CIB risk management matters.  In responding to APRA’s questions, the GM, MR&PC raised no concerns over the aggregation of reporting lines and responsibilities being channelled through his position.

 

We believe the volume of reporting lines in place for the GM, MR&PC has hindered the effectiveness and efficiency of the MR&PC function.

 

                        APRA requires that the responsibilities of and reporting lines for the GM, MR&PC be streamlined with a view to ensuring that the role devotes greater attention to market risk issues and to improving the quality of management processes.  Any perceived or potential conflicts of interest related to the GM, MR&PC having dual reporting lines should be removed.  Responsibilities for the control of market risk and the administration of prudential controls more widely should be split.

 

                        Delegations should then be issued within the new structure.

 

4.1.2.                            Controls and procedures

 

A.  The internal model

 

NAB has an approved internal model for market risk and is permitted to use this model to derive its regulatory capital for general market risk.  APRA approval signifies that the model is accurate in all material respects and that the model user, NAB, has a control environment where risk is identified, measured, monitored and reported.  As a model user, NAB is expected to have an appropriate policy framework to manage market risk and to escalate matters requiring attention.  These requirements are clearly explained within APS 113 - Capital Adequacy: Market Risk.

 


From discussions with MR&PC and Global Markets it is now clear that, for an extended period, there has been little confidence in the accuracy of the internal model VaR result for the currency options business.  This lack of confidence led to VaR excesses being switched-off for the currency options desk for large parts of the last two years.  This information has not previously been disclosed to APRA.

 

In addition, our work has identified major deficiencies both in relation to the calculation of value at risk (“VaR”) (i.e. quantitative factors) and also in the requisite control framework (i.e. the qualitative factors) as required under APS 113.  Our main observations are detailed below:

 

Quantitative factors

 

                  the time series input to the VaR model has not occurred “no less frequently than quarterly”;

 

                  the inadequate treatment of the volatility smile has caused inaccuracies in the VaR result; and

 

                  the volatility surface within the VaR calculation is incomplete.

 

Qualitative factors

 

                  the Board and senior management have demonstrated insufficient review of market risk matters;

 

                  the integrity of the back testing process is questionable due to parts of the VaR results being inaccurate;

 

                  there has been a lack of clarity around which function - Global Markets or MR&PC - has the authority to enforce risk reductions;

 

                  VaR limits were often ignored for the currency options business and excesses were signed-off as a matter of course;

 

                  the policy framework addressing the approach to limit excesses is incomplete;

 

                  stress test results are not distributed widely within the Bank and contain deficiencies, particularly regarding non-linear products; and

 

                  compliance has been found wanting.

 


In addition to our quantitative and qualitative observations, we also identified:

 

                  data integrity issues relating to the accuracy of deal capture i.e. deal entry errors;

 

                  risk mapping issues in which the risk treatment of particular option types was inaccurate due to the deal being entered into the wrong book or the data feed mapping the deal to the incorrect calculation method.  This issue often related to hedging transactions (i.e. deals that should have been treated within the contingent loss matrix approach sometimes fell into the VaR model and vice versa) and internal deals;

 

                  timing inconsistencies between the points at which VaR is calculated, P/L is produced and rates are collected add complexity and reduce the quality of processes such as back testing.  Inconsistent timing of end-of-day processes across different systems has also added noise to the accuracy of the results and made VaR error detection difficult.

 

Turning to stress testing, we note that:

 

                        stress results were only circulated within MR&PC.  There was no escalation of results, even when these were sufficiently large to warrant Board and senior management attention.  Within December 2003, potential losses under stress test scenarios reached in excess of $300m.  We understand this result was not escalated and was assumed to be incorrect; and

 

                        stress testing numbers only address those positions within the internal model and do not incorporate the positions which are measured under the contingent loss matrix.  This means that stress testing excludes some non-linear products.

 

We note that despite the currency options loss, there have been recent events which illustrate the inaccuracies residing within the model.  As an example, within February 2004, the currency option VaR jumped approximately $4m on one occasion, due to model inaccuracy as opposed to new deal activity.  The causes of the increase were not immediately apparent to NAB, suggesting a deficiency in the working knowledge of the quantitative operations of the model.

 

APRA sets high standards for internal model users and expects compliance with its standards on an ongoing basis.  The NAB has fallen short of our expectations of an internal model user.

 

                        We have detailed above many areas where the NAB’s internal market risk model or its use has been deficient.  On both quantitative and qualitative grounds, APRA is not satisfied that the NAB should remain an approved internal model user.  APRA accordingly withdraws its approval for the NAB to use an internal model to determine its market risk capital.

 

                        The NAB is to apply the regime described within AGN 113.3 - The Standard Method to determine market risk regulatory capital.  The Standard Method is to be applied, at a minimum, for the quarters ending March and June 2004.

 

                        NAB may seek re-approval from APRA regarding its regulatory model once compliance with APS 113 can be assured.  Until it receives internal model recognition, NAB is to apply the general market risk standard approach on an ongoing basis.

 

B.  Product Usage Authority (“PUA”) process

 

The PUA process aims to ensure that the requisite control framework is in place to manage the ongoing risks presented by new products.  Our work has identified a number of issues relating to the PUA process, namely:

 

                  there appears to be a lack of consistency regarding the functional sign-offs required under a PUA.  Due to the lack of clarity surrounding some processes, such as pricing model validation, it is also unclear what it is that some areas are attesting to by signing the PUA;

 

                  the PUA system has undergone functionality enhancements over time.  A prior lack of functionality regarding some products, particularly option based products has meant that, as the product set has widened, the PUA system has struggled to identify some new products outside of previously agreed PUAs;

 

                  PUAs sometimes contain dealing conditions such as certain premium arrangements not being allowed under option products.  Not all conditions can be monitored by the system, meaning that some conditions may not have been followed when Global Markets has completed transactions;  and

 

                  the only signatory for market risk is the GM, MR&PC.  This has caused unnecessary tension within the process due to the time demands on this individual.  At times, PUAs were signed-off retrospectively, and often for the purpose of formalising existing breaches.

 

                        APRA requires that the PUA process be reviewed to ensure full coverage of risk management issues.  The process should be formalised, with the required authorisations clearly identified. PUAs which cannot be accurately and effectively handled by any function (e.g. valuation) should be known and transparent to all parties prior to the PUA being approved.

 


                        Appropriate delegation of PUA authorities should be established.  The need for delegated signatories should be addressed within all support functions.

 

                        The population of trades monitored by the PUA system should be interrogated to determine which, if any, have no associated PUA.  The functionality of the PUA system should be investigated to identify deal types or deal conditions which cannot be monitored by the system.

 

C.  Limit framework and escalation

 

The process surrounding limit management and treatment of excesses remains poor.  NAB has been operating without an updated limit framework;  and without adequate limit ownership and treatment of limit excesses.  The volume of currency option limit breaches - which peaked at over 750 for one month during the December quarter of 2003 - is indicative of an environment where limits are ineffective.  While doubt existed regarding the accuracy of the VaR results for the currency options desk, there was general agreement as to the accuracy of the “greek” risk measures for the same business.  In both cases, VaR and “greek” limits were repeatedly exceeded and routinely signed off by front office management and acknowledged by MR&PC.

 

The principal issues relating to the limit framework, including issues specific to the currency options desk are as follows:

 

               there is no annual review of limits to determine how risk appetite is to be cascaded down within the front office;

 

               there is no formal limit policy which enunciates how limits are determined, monitored and reviewed and how excesses would be treated, particularly continuing breaches of desk level limits;

 

               there was minimal early escalation of the quantum of limit breaches to the relevant risk committees;

 

               for reasons associated with the perceived inaccuracy of the VaR result for currency options, the daily authorisation of VaR limit excesses did not include currency options VaR excesses for parts of the last two years.  This was unclear on the daily limit report; and

 

               no alternative measures to VaR were adhered to or enforced.

 

                        As mentioned in our letters to NAB previously, the policy regarding the limit structure is required to be formalised.  This had been accepted by NAB and a deadline set for completion of this task by 30 March 2004.

 

                        APRA requires that the Board approve, and formally implement, a revised set of market risk limits across Global Markets and, in particular, those pertaining to all options trading businesses.  This formal acceptance by the Board should occur by 30 April 2004.

 

This policy should clearly summarise the limits mandated by the Board (these are referred to as “hard” limits by NAB) and how these are cascaded within Global Markets.  Any limits deemed as trigger levels should be specified.  Treatment of excesses of limits and trigger levels should be clearly explained.  APRA requires that every limit excess have a defined response.  Treatment of continuing trigger level breaches should be detailed.  The policy should describe the ownership of the limit process and the respective roles of MR&PC and the front office.  It should also detail the procedure for escalation of limit excesses and incorporate the role of particular senior executives or committees regarding limits and excesses.  Discipline procedures following repeated limit excesses should be detailed.

 

                        APRA requires that the policy describe the method and process to be followed in determining the cascading of limits from the Board and describe the roles and responsibilities of key functions within this process.

 

                        The policy should require a review of all limits to be made at least annually, jointly by MR&PC and Global Markets.

 

D.  Risk analysis

 

As mentioned previously, there has been dispute between the General Managers of both Global Markets and MR&PC regarding which of their functions is responsible for the production of risk analysis for use by Global Markets dealers and front office management.  In practice, it appears that this responsibility has resided with the front office.

 

While this may reduce the need for highly detailed analysis of desk position risk (for use by traders or dealing management), it does not eliminate the need for MR&PC to produce its own analysis so that it can effectively perform the role of being an independent risk oversight function.  The NAB MR&PC function performs minimal risk analysis and does not, in all cases, closely follow desk position risk on a daily basis.  This has been the case regarding currency options risk, particularly over the second half of 2003.  The issues relating to analysis undertaken by MR&PC are listed below:

 

                  there is insufficient analysis of risk, which exacerbates the difficulties in analysing the output of VaR and other risk measures;

 

                  there is minimal profit attribution undertaken;

 

                  there is minimal review of valuation method and processes and ineffective tolerance checking for rates or volatility surfaces; and

 


                  there is limited use of drill down on risk and position information to understand components of the VaR results.

 

                        APRA requires that the responsibilities of the Market Risk division be restated to include a greater emphasis on risk analysis and the production of risk reports.  In doing so, NAB should clearly specify which parts of the MR&PC function are responsible for the production of such analysis.

 

E.  Revaluations

 

The currency options loss has raised a number of deficiencies within the revaluation process:

 

                  volatilities used within currency options valuations have been sourced from no more than two but often just one external source;

 

                  these external sources have consisted of brokers which were used frequently by the currency option traders;

 

                  there is evidence of collusion between the traders and one of the brokers used to source rates;

 

                  there has been minimal testing of these sourced volatility rates against other sources to verify the accuracy of the volatilities provided;

 

                  there has been no formal monthly process to further test the accuracy of any rates used to value illiquid or concentrated positions;  and

 

                  there were known weaknesses, mainly related to the volatility smile, in the valuation of certain option type exposures.

 

These deficiencies have been aggravated by insufficient segregation of duties between Global Markets and MR&PC and have created an environment in which the currency options traders have been able to manipulate valuations.

 

APRA has previously raised with NAB the requirement that, at all times, rates and prices must be sourced independently of the front office.  In its 2002 review, APRA raised the issue that the currency options team was sourcing some of its own prices for daily revaluations.  These concerns were subsequently addressed by NAB.  At the same time, and again in 2003, APRA recommended that NAB initiate a formal monthly meeting at which illiquid securities and option input parameters could be tested for accuracy.  This process has not yet been implemented by NAB.

 

                        APRA requires NAB to ensure the accuracy and independence of prices and rates used within daily valuations.

 


                        APRA requires NAB to form a committee which meets monthly to test the accuracy of prices used to value concentrated positions, illiquid securities and option positions.

 

F.  FX Option trading oversight

 

There were a number of signals pointing to risk concerns about NAB’s Currency Options desk which were brought to the attention of MR&PC over the last few years.  APRA’s market risk review letters noted issues concerning limit adherence, systems deficiencies and valuation.  Added to these, there were signals from a variety of other sources:  internal and external audit points;  interbank counterparties;  atypical market risk analysis which questioned the trading style of the desk (e.g. low delta trades);  and the sheer number of limit breaches by the Currency Options desk.  These signals, combined with the aggressive nature of the traders and their over-confident trading style, could have been expected to have led to intensive oversight by the risk management function.

 

The low level of analysis and investigation undertaken by Market Risk in late 2003 and its failure to grasp the background behind certain currency option deals was disappointing, even after receiving consistent signals that an issue may exist.

 

G.  Policy development

 

From discussions with MR&PC, it was noted that the development of policies and the formalisation of procedures are only undertaken on an ad-hoc basis.  Currently, staff who undertake this role have other responsibilities which compete with their ability to draft and maintain policies.

 

                        APRA recommends that resources be dedicated to update and maintain appropriate policies and procedures for the MR&PC function.

 

4.1.3.                            Systems and personnel

 

A.  Resourcing

 

The headcount of MR&PC has not increased markedly over the past few years, even though many additional products and markets have been introduced to the Global Markets operation.  The complexity of products offered has also increased, which calls for upgrading of systems and tools for MR&PC to adequately perform its oversight function.

 

As noted above, the resource allocation of the MR&PC function, on grounds of both headcount and systems, has been previously raised by APRA in its market risk review letters.  On headcount, the GM, MR&PC had responded that there were no resourcing concerns in his area.  However, in the course of our investigation, a different view was offered.

 


NAB appears to have made progress on the systems environment supporting the MR&PC function.  However, it remains the case that the MR&PC engine receives much of its information after deals entered have first been processed by a number of other systems.  The higher the amount of pre-processing and number of linkages, the greater the chance that VaR and other risk measures may be inaccurate due to data capture rather than calculation deficiencies.

 

                        NAB is best placed to decide on the budget allocation required by MR&PC to discharge its agreed duties.  It is the case that MR&PC has not performed its role in an effective manner.  NAB is required to review the adequacy of its MR&PC resources, including systems, skills and headcount.  In particular, NAB should critically analyse its risk engine to determine whether the system offers NAB a viable, flexible platform going forward.  The findings of this report are to be provided to APRA.

 

4.1.4.                            Reporting

 

A.  Reporting on VaR and other risk measures

 

It is noted above that the MR&PC function produced little in the way of detailed analysis for use by traders or dealing management.  Instead, its focus was on producing high level VaR and sensitivity type reports (including “greeks” for option books) for wider distribution within NAB.  We have also noted above our concerns that components of the risk calculations have been found to be inaccurate.  Our issue relating to Reporting is whether users of MR&PC distributed information knew, or could have known, that deficiencies existed within the produced MR&PC reports.

 

Our investigation found minimal evidence of meaningful notes being made in the reports to alert the user to the ongoing deficiencies of the report.  This is critical as it means that the principal output of the MR&PC function (the production of VaR and comparison to limits) may have been misleading and ineffective as a risk management tool.

 

Separately, we identified examples of VaR reports where the published result must have raised concerns within MR&PC as to accuracy.  Such concerns were not noted on the report even though the results published were, on occasion, revised later to more accurate results.  Examples of this occurred throughout December 2003 when VaR reached in excess of $100m, only to be revised downward days later to approximately $30m.  Revised VaR results were not normally re-sent to the original distribution list.

 

                        APRA requires NAB to include explanatory notes on distributed MR&PC reports which detail the deficiencies of the report.  These notes may include details of data feeds excluded from the calculation, products for which VaR has been approximated and so on.

 


4.1.5. Role performance

 

Our review has identified that the MR&PC function has fundamentally underperformed in many areas.  The MR&PC function has two principal functions: the calculation of risk, and the restriction of the risk profile through the use of limits.  On both counts it has failed to carry out these duties.  Separately, it has allowed the product range of Global Markets to outpace its own abilities to adequately identify, measure, monitor and escalate risk matters of importance to senior management.  As mentioned, previously these responsibilities lay with the GM, MR&PC and the EGM, Risk Management.

 

4.2 Internal Audit

 

Internal Audit performed regular reviews of Global Markets units, including the foreign currency options desk, internal controls and the Horizon trading system over the past few years.

 

Internal audit changed its audit issue rating system in 2001 under the previous General Manager of Internal Audit from a five grade rating (1, 2, 3, 4 and 5 stars) to a six grade rating (1, 2, 3, 3+, 4 and 5).  Higher ratings were considered more serious, with reports rated 3 stars and above reported to the PBAC under the old system.  Under the revised audit rating system, audit issues rated 3+ and above were reported to the PBAC.  A memorandum on this change was presented to PBAC at its meeting of 14 February 2002 and the quarterly Internal Audit Report for 31 December 2001 dealt with this issue.

 

Under the current General Manager of Internal Audit the internal audit rating system changed to a three grade rating (1, 2 and 3 stars) in 2002, with only audit issues rated 3 stars reported to the PBAC.  This change was effective from March 2002.

 

We have been informed that a number of quantitative measures used in the methodology to rate internal audit issues and used as a basis for the elevation of internal audit issues to PBAC have changed over time, in line with changes in the internal audit ratings system.  We have also been informed that the qualitative criteria and measures used to determine issues to be elevated for PBAC’s attention have also changed in line with changes in the audit rating system.

 

When Internal Audit raises an issue in its reports, it is entered into the Global Audit Issues Tracking System (GAITS) for tracking.  Both business unit management and internal audit use this system to review and track the status of audit issues.

 

Regular meetings are scheduled between internal audit and external audit at both the highest level (ie General Manager, Internal Audit would meet regularly with the external audit engagement partners) and senior management level (ie heads of audit for the divisions would meet with their external audit counterparts regularly).

 

From February to August 2002, a PwC partner was seconded from PwC to take up the position as Acting Head of Audit, CIB, as the incumbent was himself seconded to an overseas position within the NAB group for an extended period of time.  We have been informed that the regular scheduled meetings between the PwC secondment and their external audit counterpart did not take place during the secondment period.  It is likely that this adversely impacted on the level of communication between internal audit and external audit over this period.  It is unknown whether this impacted on the quality of the internal and external audit over this period.

 

4.2.1. Policies and procedures

 

A.  Audit recommendations and timeframes

 

The timeframes given to address three star issues have, on occasion, been overly generous.  Three star issues are issues where there is cause for great concern regarding financial and / or reputational loss to the bank.  These issues should be taken with the utmost seriousness, and the appropriate resources and time devoted to ensuring that all components of the audit issue have been rectified.

 

APRA noted from review of recent Internal Audit reports for FX options, that some issues remain as audit points over a number of years.  These audit points were given lower ratings each year reflecting the progression of the business in dealing with the issue, but were still not completely closed.

 

                        APRA requires that the timeframes given for all issues be made by Internal Audit, after due consideration of the business capabilities.  In many instances, and particularly for three star issues, Internal Audit will need to raise the issue with senior management in order to ensure that the appropriate resources are devoted to rectifying the issue within a reasonable time frame.

 

                        APRA requires that more serious audit issues which are not resolved within the allocated timeframe, or that remain outstanding in follow-up audits, be escalated to senior management and the Principal Board Audit Committee, along with comments from the business.  The closure of audit issues is a vital process to ensure that controls and procedures are in place to prevent both financial and reputational loss to the bank.  The closure of all audit issues should be a priority for the business.

 


B.  Audit issue ratings

 

APRA appreciates that the ratings assigned to audit issues are subjective and, to some extent, based on the experience of the auditor.  Nevertheless, APRA noted that audit issues which are rated less than three star (that is two and one star issues) do not require verification and approval from Internal Audit to be considered closed.  This allows the business unit to close an issue without it being considered again until the next Internal Audit review, which is usually about twelve months later.

 

                        APRA requires that NAB revoke the ability of the business units to close off all two star audit points, without verification by Internal Audit.  APRA would expect that all two star issues would remain open until Internal Audit has verified that the controls have been updated.

 

In relation to one star issues, APRA considers that these issues could be closed by the business, pending follow-up at a later date by Internal Audit.

 

                        As matters of quantitative, qualitative and professional judgement are involved in the elevation and escalation of audit issues to PBAC, internal audit should regularly discuss with PBAC the use of these measures to ensure a full understanding of the application of specific cut-off levels (based on quantitative measures) and of how qualitative factors and professional judgement are being applied (or have changed) in the escalation of audit issues.

 

Changes to internal audit rating systems and the methodology used therein should be reassessed regularly to ensure they continue to be relevant and meet the desired consequences and the intended audience’s (ie PBAC’s) appetite for issues escalation.

 

APRA requires internal audit to review its existing audit issues rating methodology and obtain PBAC’s endorsement and approval for the criteria to be used in determining audit issues to be escalated to PBAC.

 

4.2.2. Resourcing and systems

 

Overall, APRA has not found the internal audits of the currency options desk undertaken during this time to be lacking.  While Internal Audit failed to detect the system weaknesses associated with internal deals and end-of-day times, currency options audits did raise issues concerning VaR, limit monitoring and approaches to valuation.

 


APRA is cognisant of the need to ensure that all audit issues are identified in complex audit areas such as currency options.  In order to understand and challenge the business on complex issues, the senior audit staff need to be adequately skilled.  APRA notes that Internal Audit staff who are classified below manager level are “pooled” and then required staff members are drawn from the pool for each audit.   On at least one occasion, senior members of Internal Audit were seconded to a large internal audit project, without the consequent diminution in its skill base being replaced from within Internal Audit.

 

                        APRA requires that the skill base of internal audit teams be maintained when key staff members are not available.  APRA would expect that succession planning and continued training of members of the audit team would ensure that there are a number of members who would have the requisite knowledge to conduct an audit on complex areas of the business.

 

4.3. External Audit

 

NAB’s external auditor, KPMG, performs regular reviews of CIB in connection with preparation of NAB’s financial statements.  KPMG relies, to some extent, on the work of internal audit in performing this role but will also do a certain level of additional testing of its own.

 

KPMG prepares an annual management letter in which it identifies issues in respect of each business unit.  Prior to 2003 KPMG rated issues as Minor or Major.  From 2003 KPMG has adopted the same three star rating system as used by NAB Internal Audit.

 

KPMG also provides APRA with an annual report in accordance with its responsibilities under APS 310 - Audit and Related Arrangements for Prudential Reporting.

 

4.3.1. Policies and procedures

 

External Audit had identified issues related to the current investigation in management letters for financial years 2001 and 2002.

 

As noted earlier in the report, points about the need for a valuation reserve policy were raised first in 2001 and repeated in 2002, both times as minor.  There was an inadequate response by management to these points and the timeframe for completion was allowed to slip.

 

The 2003 management letter identified key issues relevant to the operations of the foreign currency desk and the market risk unit.  Issues about limit management and reporting and escalation of breaches were rated at the maximum 3 star rating level.

 


Issues relating to management responses to external audit points are discussed in the Governance section below.

 

4.3.2. Role performance

 

KPMG’s annual external audit in 2003 did not identify the existence of, or issues related to, disguising and carrying forward of losses relating to the currency options activity.  The work conducted by KPMG did not sufficiently address internal deals and their impact on P&L at the desk level and on the bank’s financial results.

 

In reviewing the KPMG management letters for previous audits, APRA noted that a few issues had been outstanding for extended periods of time.  As is the case for Internal Audit, APRA stresses that the closure of all issues is a vital process to ensure that controls and procedures are in place to prevent both financial and reputational loss to the bank.

 

We note that, in its APS 310 annual report provided to APRA on 22 December 2003, KPMG offers no reasons why APRA should not rely on market risk reporting provided by NAB.

 


5. Governance

 

The governance structure for any organisation is the means by which the organisation structures itself to perform its business operations and carry out all supporting functions.

 

Within any large organisation, boards and committees provide the overlay to operational day-to-day management and should provide an additional means for the principal board and executive management to monitor and escalate issues from within the various business operations.  Similar to other large financial groups, NAB’s governance structure is headed by a principal board and a range of board committees, which in turn are supported by executive, risk management and other committees across the group’s operations.

 

The Principal Board is expected to determine strategy and risk tolerance for the group and to ensure that the organisation has the appropriate means and systems to carry this out.  APRA Prudential Standard 310 (APS 310) places the responsibility on an ADI’s board and management to ensure that the ADI meets all prudential and statutory requirements and has management practices in place to limit risks to prudent levels.  This is done via an annual declaration being provided by the CEO, endorsed by the Board, that key risks facing the ADI have been identified, and systems to monitor and manage those risks established, where appropriate, by setting a series of prudent limits, and by adequate and timely reporting processes.

 

The key elements within NAB’s governance structure relevant to this matter are:

 

Board and board committees:

 

                  Principal Board (the Board)

                  Principal Board Audit Committee (PBAC)

                  Principal Board Risk Committee (PBRC)

 

Executive risk committees:

 

                  Group Risk Forum (GRF)

                  Central Risk Management Committee (CRMC)

                  CIB Risk Management Executive Committee (CIB RMEC)

 

The relationship between the Board, Board committees and executive risk committees is shown in Annexure 2.

 

APRA accepts that each organisation needs to determine an appropriate structure and operation that suits its style and operation of business.  However, whatever structure is adopted, the key control features need to work effectively.  This includes internal Board and executive structures to carry out the business of the bank as well as control functions, internal and external audit, and risk management mechanisms.

 

In a ‘business partnership’ model, such as applies in NAB, the risk management committee structure and operation is crucial as the escalation route for risk issues:  it provides an important means by which risk management issues can be considered and resolved at executive level.

 

Our investigation has shown that, while the structure of the governance model within the bank appears appropriate, the established escalation channels in existence for executive management to elevate issues to the Board and Board committees were generally ineffective.  We also found that a number of executive risk committees within the structure did not carry out the roles as described in their charters, detracting from the effectiveness of the risk management governance function.

 

Recent governance changes

 

In late 2002 the Board commenced deliberations on the creation of a Board committee to oversee compliance and risk throughout the group.  The Board acknowledged that increasing expectations by shareholders and regulators of the Board’s involvement in risk oversight were challenging the capacity of the existing Board and Board committee structure.

 

Whilst the Board has always been (and continues to be) responsible for the overall group risk appetite and expected return on that appetite, there was a lack of clarity, prior to the formation of the PBRC, on the role that the PBAC performed in relation to risk management and oversight.  There appears to have been a de facto expectation that members of PBAC would exercise a significant degree of risk management oversight, not specified in a review of its May 2002 charter.

 

Whilst the Board was responsible for overall governance and high level risk monitoring and oversight, it had limited opportunities to consider market risk management in any depth or detail.  In contrast to the regular reports from group executive management on strategy, day-to-day operations, overall business and divisional performance, the level of risk reporting going to the Board was inadequate.  The Board received little reliable management information on risk metrics; risk reports were infrequent, superficial and, at times, inaccurate.

 

For example:

 

                  the Board was not made aware of the significant amount of proprietary trading conducted by the currency options desk, which was a significant departure from CIB’s stated strategy.  In addition, the Board was not aware of significant exposures the desk had, in the final quarter of 2003, to a depreciation in the USD;  and

 


                  In mid-December 2003, the Board received a tutorial on the activities and operations of the Markets Division of CIB.  Amongst a number of topics presented, the tutorial examined the foreign exchange unit and focussed on trading, risk management and sales.  The minutes of this meeting note that “Management confirmed that the sales people understand the compliance implications of their product.”  The minutes also record that the “Board noted that traders work within tight limit structures”.  This has subsequently proved to be an entirely inaccurate and misleading representation of the activities and operations of the currency options desk.

 

It is also evident that even though MR&PC reported regularly to both the Board and PBAC, gaps in market risk reporting and metrics to the Board and PBAC were identified and acknowledged in August 2003.  In creating the PBRC and revamping the group’s reporting structure, existing market risk reporting and metrics gaps were expected to be closed off.

 

The following extract from a report presented by the EGM Risk Management (with the endorsement of the CEO) in August 2003 to the Board serves to best illustrate the gaps in market risk reporting and escalation channels with the Board and committee structure that existed up until August 2003.  The proposed new structure was approved by the Board in August 2003.

 

Description                                       Current               Proposed
                                                  Board      PBAC       Board      PBRC       PBAC

Risk/Reward analysis (as determined by Finance)   -          -          Approve    Review     -
Market Risk report                                Notation   -          Notation   Review     -
Market Risk framework                             -          -          -          Review     -
Market Risk compliance exceptions                 -          -          -          -          Notation
New stress tests                                  -          -          -          Notation   -

Source: Memorandum for Principal Board: Consideration of a Principal Board Risk Committee, dated 30 July 2003, presented to the Board on 8 August 2003.

 

Whilst there may not have been a formal delegation of board-level risk oversight and monitoring functions to the PBAC, the nature of the reports and papers that were being tabled at the PBAC and the discussions that ensued at the PBAC indicated that, over time, in the absence of more frequent and detailed risk reporting to the Board, the PBAC was performing an important risk monitoring and oversight function by “default”, in conjunction with the activities outlined in its May 2002 charter.

 

There is anecdotal evidence that the Board was aware of the large workload being experienced by members of its PBAC, including the PBAC’s ‘by default’ oversight of risk management issues (particularly in relation to credit risk issues and operational risk issues and to a lesser extent market risk issues) and this led to the ultimate decision to create the PBRC in August 2003.

 

We note that the Board regularly receives tutorials on sections of the NAB group and we encourage the continuation of this practice.  We also note the Board has recently indicated that it will look to recruit two additional members with banking and finance backgrounds.  The Board also made changes to the composition of PBAC under which John Thorn, a member with specific audit background, will chair PBAC.  APRA supports these changes.  We also consider that all members of the Board, particularly those with PBAC and PBRC roles, should ensure that they have a sufficient level of understanding of systems and operations of the bank and associated risk issues, and increase their level of enquiry of management in these areas.

 

5.1 The Principal Board

 

The overall NAB group traded market risk appetite of $80 million (as measured in VaR) was set by the Principal Board in September 1999.  This overall group VaR limit did not change until it was reduced sometime in early 2004.  This group VaR limit is delegated by the Board to the Managing Director and Chief Executive Officer for the management of market risk in CIB.  In practice, this high level VaR limit is supplemented with a number of physical risk measures (the “greeks”) for exposure monitoring and control purposes.

 

VaR limits are sub-delegated down to trading desk level in each region and are monitored on a daily basis by Head Office and the regional MR&PC teams.

 

The levels and parameters for this mandatory control are set by MR&PC.  Breaches of various levels of limits require approval and sign-off at the predefined management levels.  A monthly report is presented to the Board that compares group VaR to Markets Division Profit & Loss.

 

5.1.1. Escalation of market risk issues to the Board

 

Up until the formation of the PBRC, market risk issues and concerns could have reached the Board via a number of channels, including the following:

 

                  PBAC;

 

                  executive management;  and

 

                  APRA.

 

The interaction of the Board with internal or external audit was limited, with concerns or issues raised by either entity most likely to be channelled to the Board via the PBAC.

 


PBAC

 

Minutes of PBAC meetings were tabled to the Board regularly and the Chairman of the PBAC would present an annual report and review of the operations of the PBAC to the Board.  Likewise, members of PBAC could raise issues of concern to the Board where necessary.

 

The 2002 annual report by PBAC on its operations, submitted to the Board in December 2002, included comment on a widely publicised trading room fraud carried out within a subsidiary of Allied Irish Bank in early 2002.  PBAC had received a report on the matter from Internal Audit, which aimed to assess whether NAB could be vulnerable to such a fraud.

 

The assessment provided by the PBAC report to the Board advised that there were no issues of concern for NAB from the review.  In hindsight, this report warranted a deeper, more detailed assessment (refer Section 5.2.1).

 

While some concerns about traded market risk (including limit excesses) came to the attention of the PBAC and were not escalated to the Board, the potential seriousness of these concerns was dampened by management.  Arguably, the PBAC ought to have been more questioning about these issues.

 

Executive management

 

Executive management regularly reported to the Board via detailed monthly group financial performance and risk reports and quarterly operating division reports for CIB.  Market risk reporting within these regular executive management reports is limited and does not generally raise issues of concern.  For example, the monthly financial performance report would provide a comparison of daily profit and loss versus the daily group VaR but would provide no lower level risk reporting (eg no P&L or VaR measures or comparisons based on regions or trading desks).

 

The quarterly CIB reports presented contained even fewer market risk metrics or discussion.  The annual risk management systems description would also be provided to both the PBAC and the Board but did not contain any qualifications regarding either known issues and concerns with the VaR measurement framework or concerns about excessive trading limit breaches.

 

We have not been made aware of any occasions where concerns about traded market risk, the integrity of the VaR measures or the operations of the currency options desk were raised by executive management to the Board under the various escalation channels that were available.

 

APRA

 

APRA had previously raised its concerns about market risk management at the NAB with the Board.  On 16 and 17 January 2003 APRA wrote to the EGM, RM and to the Chairman of the Board to relay its concerns.  These concerns included:

 

                a lax approach to limit management;

 

                a culture of poor adherence to risk management policies;

 

                inadequate sourcing of revaluation rates;

 

                problems with interfaces to the Infinity risk engine;

 

                no formal validation or back-testing for NAB’s approved VaR model;  and

 

                inadequate stress testing.

 

The report noted that APRA expected NAB to address these issues promptly “owing to the potential for (these) issues to give rise to significant problems in the future”.

 

Whilst correspondence received directly from APRA concerning previous annual prudential consultations held with NAB executive management was tabled to the Board, it is unknown why the Chairman of the Board did not table a copy of the APRA market risk review letter.

 

Members of the PBAC, however, did receive a copy of this letter when it was tabled in May 2003 at the request of the Chairman of the PBAC (refer Section 5.2.1).

 

5.1.2. Monitoring of risk management systems

 

As detailed in the body of this report, there were deficiencies in the risk identification and monitoring systems within CIB which meant that important control failures were not identified (eg changes to back office procedures) and risk controls were not acted upon (eg limit breaches) by the expected tertiary control measures.

 

While we accept that such operational level failings cannot be directly attributed to the Board, the Board does have ultimate responsibility for ensuring that appropriate risk management systems are in place and resourced correctly.  The Board must rely on executive management to implement such systems and, at the same time, the Board needs to be sufficiently enquiring of management to ensure that key risks are being adequately measured, monitored and controlled.

 


                  APRA recommends that the Board provide greater clarity surrounding the ownership and reporting of high level market risk management issues, including the division of responsibilities between the principal board and its board committees for the oversight of market risk issues, the escalation of market risk issues, including market risk limit breaches, risk management frameworks and other established internal risk controls in accordance with the Basel Core Principles.

 

“The Board of directors should have responsibility for approving and periodically reviewing the overall business strategies and significant policies of the bank; understanding the major risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, measure, monitor and control these risks; approving the organisations structure; and ensuring that senior management is monitoring the effectiveness of the internal control system.  The Board of directors is ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained.” (emphasis added)

 

Principle 1 “Framework for Internal Control Systems in Banking Organisations”, Basel Committee on Banking Supervision.

 

                  APRA requires that the Board take steps to ensure that it possesses the expertise necessary to discharge its duties in relation to risk management.  This includes taking on directors with a range of experience and expertise commensurate with the Group’s activities.

 

                  APRA requires the Board to be pro-active in monitoring the workloads of established Board committees and consequent impacts on their effectiveness.

 

                  APRA requires the Board to be pro-active both in setting the risk appetite within the group, including CIB’s markets division (for example, customer-related business versus proprietary trading), and in obtaining regular exception reporting based on compliance with established limits.

 

                  APRA requires the Chairman of the Board to table, at the earliest opportunity, all correspondence to the Chairman received from regulators.

 

                  APRA requires the Board to ensure there are adequate processes in place for the identification and monitoring of risk at operational level.  Appropriate reporting against these processes should be made through risk committee and board committee structures.

 


5.2 Principal Board Audit Committee (PBAC)

 

The PBAC operated based on a charter that was approved on 6 May 2002.  With the creation of the PBRC in August 2003, the PBAC operated based on a revised charter from September 2003 onwards.

 

Under the previous charter, PBAC’s role was to assist the Board “fulfil its statutory and fiduciary responsibilities relating to the selection and application of accounting policies, financial reporting practices and procedures, and internal control systems of the Company and of the Group.”

 

It was also the PBAC’s responsibility to “Evaluate the adequacy and effectiveness of the Company’s and Group’s risk management, financial control and other internal control systems and evaluate the operations thereof” and to “Review and endorse the Chief Executive Officer’s annual attestation statement in accordance with regulatory requirements”.

 

The operating procedures of the PBAC were designed to ensure that it would “maintain open local and Group lines of communication among the Board, the external auditors, Internal Audit, Consulting Actuary and Company management to exchange information and views”.  This was designed to “Ensure the Board is made aware of any actual or potential matters of concern which comes to the Committee’s attention”.

 

Of importance was that the PBAC was to “consider and assess the manner in which management ensures and monitors the adequacy of the nature, extent and effectiveness of accounting and internal control systems” and “Review internal audit periodic reports on the effectiveness of the risk management review processes and the annual attestation by Internal Audit”.  It would also “Review reports prepared by Regulators on the operations of the Group”.

 

Amongst the various channels available for the escalation of risk issues to the PBAC, the most important channels independent of executive management(2) were via internal and external audit.

 

This included separate private sessions with internal audit and external audit.  Private sessions with internal audit and external audit would ensure that no management restrictions were being placed on the scope of their respective examinations.  The private sessions could also discuss pertinent matters such as concerns over risk management systems and the internal control environment.  The external audit private session could also discuss the quality of management.

 

According to the PBAC charter, it was required to discuss the progress of work noted in internal audit plans, the impact of changes in business operations and internal control systems, as well as review the annual internal audit staffing plan and budget.  PBAC also had responsibility for the assessment and review of the depth, coverage and breadth of the internal audit plan.

(2)  Although the General Manager of Internal Audit reported to the Executive General Manager, Risk Management, a “dotted” reporting line to the PBAC was maintained through the regular private sessions held without the presence of executive management.

 

With the creation of the PBRC, the PBAC’s role was both clarified and refined within its revised charter.  The PBAC was now responsible for review and oversight of the “integrity of the accounting and financial reporting processes of the National and its subsidiaries”.

 

Under the revised charter, PBAC was to “review the major reports to financial sector regulators and make recommendations to the Board on their approval or amendment if required”.  In regards to financial risk management and compliance, the PBAC was to “take into account the Board’s allocation of responsibility for review of risk to the PBRC, review the financial risk management internal control systems and compliance processes for accounting and external reporting”.  It would also “review the major reports of financial sector regulators on the operations of the Group and management’s response”.

 

Although there was no formal delegation of market risk monitoring functions to the PBAC prior to the formation of the PBRC, it is arguable that the PBAC took on a market risk monitoring role in the absence of explicit market risk oversight and monitoring that occurred at Board level.  There is also evidence to suggest that PBAC had a number of opportunities to discuss market risk management issues in 2003, principally due to the elevation of issues via the APRA letter and the external auditor KPMG.

 

5.2.1. Escalation of market risk issues to the PBAC

 

Up until the formation of the PBRC, market risk issues and concerns could have reached the PBAC via a number of channels, including the following:

 

                  executive management, management and executive committee reporting;

 

                  internal and external audit; and

 

                  APRA.

 

Executive Management, management and executive committee reporting

 

On a regular basis, the Chief Executive Officer, the Chief Financial Officer and the EGM Risk Management would attend the PBAC meetings.  In addition, executive management regularly presented to the PBAC on various issues and matters of interest.  A number of risk and control-related reports are regularly presented to the PBAC, including: the Group Risk Inventory, the Regulatory Compliance Report and the annual declaration of the Chief Executive Officer on the Group’s Risk Management Systems.

 

In addition, summarised minutes of the CIB Risk Management Executive Committee and a report on the operations of the Central Risk Management Committee were tabled in 2003 to the PBAC.

 


Even though internal concerns about traded market risk, the integrity of the VaR measures and the operation of the currency options desk were raised and discussed internally by executive management within CIB and MR&PC, these issues and concerns do not appear to have been elevated by executive management to the PBAC through the various escalation channels that existed.

 

Internal Audit

 

NAB’s General Manager of Internal Audit reported regularly to the PBAC in the form of summaries of internal audit work completed and the elevation and presentation of serious audit issues within the business.  In addition to regular attendance at PBAC meetings, the GM of Internal Audit was able to meet in private sessions with members of the PBAC when necessary to elevate and escalate concerns about risk management and internal controls.

 

Over the past few years, Internal Audit completed a number of reports on the operation of the currency options desk, including an assessment of internal controls and the currency options trading system.  For example, in 2001, internal audit rated and raised issues defined as “serious matters for the attention of the Managing Director and reportable to the PBAC”.  However, under a revised rating system for the elevation and escalation of audit issues to the PBAC, these serious issues were not raised for consideration and discussion at the PBAC.

 

In 2002 the PBAC requested that a memorandum be prepared on lessons learned from the recent foreign exchange losses suffered in 2001 by Allied Irish Bank, as they applied to the NAB.  Although primarily prepared by CIB executive management, input was provided by a seconded PwC partner who was Acting Head of Internal Audit for WFS (now CIB) and he also presented the memorandum and findings at a meeting of the PBAC in May 2002.

Among the lessons identified from the Allied Irish Bank failings, the report noted that alarm bells should ring when the following occur:

 

                  “Weaknesses identified by Audit or Regulators are not quickly and permanently resolved;

 

                  breaches of limits are not quickly and independently investigated; and

 

                  there is a culture that allows undue influence or bullying to prevail over due process.”

 

A review of this report in hindsight may conclude that this work was flawed.  APRA has not taken this matter further, other than to note that it stands as another example where reporting to the Board from management did not acknowledge areas of concern and was relied upon without further enquiry.  At the time that this report was prepared, its authors ought to have been aware of internal audit issues concerning the sourcing of revaluation rates.

 


Even though internal concerns about traded market risk, the integrity of the VaR measures and the operation of currency options desk were well known to internal audit because of its past reviews of the desk, these issues and concerns do not appear to have been elevated to the PBAC because they were below the internal audit threshold for issue escalation.

 

External Audit

 

NAB’s external auditors KPMG reported regularly to the PBAC in the form of reports and management letters.  In addition to regular attendance at PBAC meetings, KPMG was able to meet in private sessions with members of the PBAC when necessary to elevate and escalate concerns about risk management and internal controls.

 

External audit identified a number of issues related to the current investigation in management letters for financial years 2001 and 2002 and had a number of opportunities to raise known concerns about the currency options desk and breaches of VaR.  However, escalation channels do not appear to have been effective in drawing issues concerning the markets or operations area to the attention of PBAC.  In particular, a number of issues were not considered to be major control issues or were placed amongst a large number of similarly rated issues:

 

                  control environment issues identified in 2001 were rated as “minor”.  It is not clear why an important control matter regarding effective operation of the market risk unit and its resourcing was only rated “minor” and it is not clear how management responded or what follow-up was performed by KPMG on this issue; and

 

                  an issue regarding breaches of VaR limits and other market risk limits is found on page 32 of a 107 page “Matters for Management Attention” report dated February 2003.

 

The draft management letter for 2003 was sent to NAB Finance management on 10 December 2003 to commence the process of getting management responses incorporated.

 

The findings that KPMG made in the management letter of 2003 clearly identified the problems with limit management and lack of appropriate resolution and escalation of limit breaches.  The relevant findings from the CIB section of the letter were:

 

                  Market Risk limit breaches - the extent of the over 800 limit breaches was detailed and a recommendation was made for a strategy to be developed to address the situation;

                  Market Risk Management - the lack of reporting of limit breaches to CIB RMEC was noted and it was recommended that this be addressed.

 


The 2003 management letter was in the process of being finalised when the trading losses were discovered in mid January 2004.  As three star issues, these matters would have been included in reporting to PBAC and should have been given priority action.  However, given that the initial proposed response of management was to deny the extent of the problem and look again to the business to resolve the problem, it is not certain the issues would have been addressed.  Even the final management response submitted in February 2004 indicated a leisurely approach to the limit breaches.

 

APRA

 

A “Regulator Compliance Reviews and Investigations” report is presented regularly to the PBAC and logs and reports regulator compliance reviews and investigations, significant regulatory change and material regulatory compliance incidents.

 

PBAC first heard about the APRA letters dated 16 and 17 January 2003 at its 6 March 2003 meeting.  The APRA letters and EGM Risk Management’s (Chris Lewis’) response were discussed at the meeting but not tabled.

 

The minutes of the meeting note that:

 

“APRA made a number of observations and reported these in a letter to the Chairman of the Principal Board in January 2003.  The National has since learned that the letter was copied to the Financial Services Authority in the UK.

 

Mr Lewis noted that sharing of information by global banking regulators in this manner was a concern to the group, particularly the manner in which APRA had failed to contextualise the issues arising from the visit.  He has responded to APRA’s letter.  Mr Cicutto indicated that he would highlight the National’s concerns about APRA’s actions at his next scheduled meeting with them.

 

The Chairman noted that PBAC had not sighted the letter from APRA, nor the response prepared by Mr Lewis, and requested that both documents be circulated at the next PBAC meeting.”

 

At its 8 May 2003 meeting, PBAC members received a copy of APRA’s letter dated 16 January and Chris Lewis’ response dated 26 February, which was attached to a 3 page memorandum from Chris Lewis dated 29 April.  The committee noted this memorandum but there is no record in the minutes of discussions on this letter.

 

Transcripts of PwC’s interviews with one PBAC member have indicated that they had only read the covering memorandum but not the attached letters when they were tabled in May 2003.

 

The language of the memorandum to the PBAC did not reflect the gravity of the issues raised in the APRA letter.  It is unlikely that the responses provided by Chris Lewis’ letter, in conjunction with his memorandum to the committee, would have raised concerns at PBAC.

 

It is unknown why the second APRA letter (dated 4 November 2003) and the response from the General Manager of Market Risk & Prudential Control were not tabled to the PBAC for its review.

 

5.2.2. Assessment of PBAC

 

Anecdotal evidence suggests that the PBAC did become overwhelmed with issues and may not have had the opportunity to discuss, deliberate or escalate further those market risk management issues that came to them.  While acknowledging the volume of material before it, this is an issue faced by all boards and committees of large organisations.  Our concern is that the PBAC became too focussed on ensuring process was in place, without understanding or enquiring into the substantive issues underlying what was being put before it by management or adequately probing inconsistencies or warnings.

 

The evidence does suggest that a number of escalation procedures to the PBAC were not as effective as they should have been.  In the case of the APRA letters, the tabling of these letters by executive management and management’s response and covering memorandum had the impact of dampening or concealing the seriousness of the issue.  In the case of the escalation via KPMG, the evidence suggests that the plethora of issues raised in its communication with the PBAC via the management letters obscured the seriousness of particular market risk management issues.

 

In addition, executive management did not effectively escalate or acknowledge the existence of known issues concerning market risk, the reliability of VaR, the internal control environment and other issues specifically concerning the currency options desk to the PBAC, even though these issues were given prominence through the draft management letter for 2003.

 

                  APRA recommends that the PBAC provide clarity to executive management and other risk escalation channels, including internal audit and external audit, on the severity of issues it believes should be escalated to it for consideration and decision and those issues which can be dealt with through executive committees and the like.  The criteria for the escalation of audit issues should be risk-based and unambiguous.

 

                  APRA requires the PBAC to ensure that internal audit and the external auditor comment on the ‘reasonableness’ and ‘accuracy’ of the management responses provided to internal audit and external audit issues raised in their respective reports.  An opportune time for internal audit and external audit to do this would be in their regular private sessions with PBAC.  In the absence of an independent assessment of the reasonableness and accuracy of management responses provided, PBAC will have no way of knowing whether the management responses are appropriate.

 

                  APRA requires the PBAC to ensure that all reports prepared by regulators on the operations of the Group be tabled and reviewed.

 

                  In regards to management responses to regulators and actions taken to address issues raised by regulators, PBAC is required to ensure internal audit assess and verify that the management actions taken to address the issues raised by regulators have been completed before issues are closed out.

 

                  APRA recommends that the PBAC commence regular private sessions with regulators in a similar way it does with internal audit, external audit and the consulting actuary.

 

                  In the course of this investigation, APRA found on occasions a lack of clarity amongst interviewees of the reporting line for Internal Audit.  APRA recommends that the PBAC review the reporting line for Internal Audit and clarify the role of EGM, RM in this regard.

 

5.3 Principal Board Risk Committee (PBRC)

 

The PBRC was created by the Board on 28 August 2003, its charter was approved by the Board on 16/17 October 2003 and its first meeting was on 21 November.

 

Under the PBRC reporting framework, the risk and finance functions reporting to the PBRC would report on risk strategy, appetite and control frameworks.  These divisions will then report the outcomes of control frameworks to the PBAC.  The PBRC would address all elements of risk including market risk, although it was acknowledged that credit risk would be a significant component of the Committee’s deliberations.

 

In particular, the PBRC’s charter explicitly notes that it is to “ensure that the Group has a comprehensive independent market risk control framework in operation” and it is to “review and set Value at Risk (VaR) limits”.

 

5.3.1. Escalation opportunities - hits or misses?

 

At the PBRC meeting on 21 November 2003, the PBRC received an overview of the market risk profile of CIB and the risk measurement framework from the GM MR&PC.  It was noted that the average usage for 2002/2003 was approximately $22.4 million, which was well within the maximum VaR limit for the group of $80 million.

 

Although the analyses of VaR by region and product were reviewed, there is no record of discussion or escalation of VaR sub-limit breaches at the PBRC even though these were well known by MR&PC at the time.

 


5.3.2. PBRC assessment

 

The establishment of the PBRC meant that the Board formally delegated its risk oversight and monitoring function to this committee, including the review and setting of VaR limits for traded market risk.  However, it is arguable that the delay in PBRC meeting for the first time did not unduly impact on the committee’s consideration of market risk issues.  The evidence suggests that the committee did consider market risk issues at its first meeting on 21 November 2003, but it is apparent that these issues were not elevated as a serious concern by executive management at the meeting.

 

                  APRA recommends that the PBRC provide clarity to executive management and other risk escalation channels, in particular executive management and executive committees, on the severity of issues it believes should be escalated to it for consideration and decision and those issues which can be dealt with through executive committees and management streams.  The criteria for the escalation of risk issues should be risk-based and unambiguous.

 

5.4 Internal Audit

 

Regular meetings are scheduled between internal audit and external audit at both the highest level (ie general manager internal audit would meet regularly with the external audit engagement partners) and senior management level (ie heads of audit for the divisions would meet with their external audit counterparts regularly).

 

Between February and August 2002, when a PwC partner was seconded from PwC to take up the position as Acting Head of Internal Audit, CIB, it appears that the regular scheduled meetings between the PwC secondment and their external audit counterpart did not take place.   It is likely that this adversely impacted on the level of communication between internal audit and external audit over this period.

 

5.5 EXECUTIVE RISK COMMITTEES

 

5.5.1. Group Risk Forum (GRF)

 

This forum is an executive level committee that meets on an ad hoc basis.  The composition is CEO, CFO, EGM Risk Management, Chief Credit Officer and the relevant EGM to the proposal before the committee.

 

The charter for this committee identifies it as the principal management authority to:

 

                  interpret the Group’s risk appetite for change initiatives;

 


                  approve ‘high’ risk proposals under the Risk Assessment and Approval Policy (RAAP) process(3); and

 

                  monitor and evaluate reports and actions of the Central Risk Management Committee (CRMC) and direct any “large scale” action that may be necessary.

 

It also approves the Country Line of Credit (CLOC) limits on their way to the Board and has a role to overview existing risk management policies.

 

A review of papers for this committee shows that it operates in practice primarily as an approval forum for new products or changes to tolerances / limits rated high risk under the RAAP process.  Other than this process, there is no evidence of it having other risk matters escalated to it from CRMC for decision.  It received activity reports every six months from CRMC and received minutes of CRMC meetings by circulation.  It is noted that issues from the CRMC minutes would be queried by GRF members (eg a CLOC approval in August 2003) but it is not apparent that GRF operated as a forum for monitoring of ongoing risk issues or an escalation point other than for RAAP proposals.

 

A review of the minutes and papers of the GRF for the period from September 2003 to December 2003 shows that no issues relevant to this current investigation were put before it.

 

5.5.2. Central Risk Management Committee (CRMC)

 

CRMC’s charter gives it two key functions:

 

                  oversee and approve ‘high’ risk proposals under the RAAP process;  and

 

                  oversee management’s reporting of key risks and control environment effectiveness.

 

The charter also identifies eight specific roles that CRMC will perform, including:

 

                  “Oversee the effectiveness of the control environment (including significant non-lending losses, regulatory compliance, legal and audit matters), to ensure that all key risks have appropriate management attention prior to reporting to the Principal Board.  If necessary, direct a line of business to undertake specific action and/or have relevant funding approved to provide an appropriate response to correct any key control issues reported.”

 


(3)  The Risk Assessment and Approval Policy (RAAP) process is the means by which NAB considers and approves new initiatives or significant changes to existing products or operations.  Proponents are required to prepare formal assessments on any such initiatives in the form of a Strategic Risk Assessment (SRA) or a Risk Management Description (RMD).

 


The other specific roles relate to approval and implementation of RMDs, reviewing new products/ market segments against business cases, specific credit limit roles and approving and reviewing new and existing risk management policies.

 

The CRMC had its inaugural meeting on 29 October 2002 and usually met monthly.  The CRMC was chaired by EGM, RM and other members were EGM, Corporate Development, Chief Credit Officer, Chief General Counsel, GM Group Finance, GM Internal Audit, GM MR & PC, GM Regulatory Compliance, Head of Operational Risk and Insurance, GM Portfolio Development CIB and GM Technology Risk.

 

In practice, the CRMC sits as a co-ordinating and oversighting committee above five regional or business unit risk committees.  Activity is largely consideration and approval of high risk new and/or significant change initiatives, including major group projects such as Basel II implementation, Model Risk Policy, National @ Docklands and Whistleblower Protection Policy.  It also reviews the Group Risk Inventory before submission to PBAC.

 

CRMC carries out its second role of oversighting risk reporting and control effectiveness by review of minutes and reports from the business committees that sat below it.  During 2003 CRMC identified and took action to provide feedback to subsidiary committees on certain actions (eg to European regional committee on member attendance rates;  queries of the Wealth Management Risk Committee about its response to regulatory actions).  At its meeting on 26 June 2003, the CRMC noted that the CIB RMEC was meeting only in its Risk Approval capacity and not to fulfil its risk monitoring capacity.  Subsequent to this, CIB RMEC met on 30 July and on 13 November in the latter capacity (discussed further below).  CRMC escalated a matter to the CEO during 2003, arising from Wealth Management and concerning missed imputation and foreign tax credits.

 

In regard to the specific enquiries of this report, the CRMC received minutes from all CIB Risk Management Committees, including for 13 November, 15 October and 21 November (at some CRMC meetings minutes were not provided due to timing of the other committee meetings).  No issues regarding CIB were raised within CRMC from those minutes.  As EGM, RM was both Chair of the CRMC and of CIB RMEC, he had an awareness of matters before the CIB RMEC.

 

The CRMC reports to CEO, GRF and PBAC on a six monthly basis (actually 7 and five months for 2003).  The report for five months ended 31 December 2003 will be submitted to PBRC now that it has assumed risk responsibilities from PBAC.  This report is an activity report, showing numbers of Risk Management Documents (RMDs) and Strategic Risk Assessments (SRAs) reviewed and actions taken on them.

 


The report for the five months ended 31 December 2003 also outlines the actions by which CRMC considers it fulfils its second role in regard to management reporting and control effectiveness.  It identifies that, in reviewing minutes and reports from the subsidiary committees, CRMC must be satisfied that each committee has processes in place to review, consider and make decisions in regard to risk issues.  It acknowledges that CRMC can seek further information or engage in resolution of a risk issue should it deem it necessary to maintain any effective control environment or mitigate risks.

 

The report concludes that “the CRMC remains comfortable that the risk committee framework continues to develop and it is satisfied that its two objectives are being met”.  The executive summary of the report also notes that CRMC has not addressed the foreign exchange loss issue.

 

APRA considers that the overall charter of CRMC is appropriate.  However CRMC failed to identify the deficiencies within the CIB risk management control environment.  As discussed below, the CIB RMEC did not have appropriate processes in place to be able to itself fulfil its role of monitoring the risk control framework and its effectiveness.  CRMC’s charter does give it responsibility to act as a monitor and action point in such cases.

 

The process of simply reviewing reporting by subsidiary committees is not sufficient to fulfil this role of assessing control environment effectiveness.  Attention and resources need to be provided to ensuring there is an effective risk identification and monitoring process in place that can form the basis of reporting to the CRMC across all areas of the group.

 

We consider that there remains a role for CRMC in oversighting the business risk committees.  This role needs to be more interventionist than in the past and should accept the need for the CRMC to act as an escalation point, given that business units may not be able or willing to deal appropriately with risk issues at the business level.

 

While there is evidence that the CRMC, in particular, did identify and pursue issues arising from reports to it, this was a small part of what it did and the issues identified were sporadic, one-off issues.  The CRMC did not appear to have put itself in a position where it could identify any significant risk issue not being appropriately addressed below it.

 

The CRMC’s charter also did not promote itself as an escalation route, focussing on reporting of activity rather than promotion of risk issues.  This meant that the CIB RMEC was the body that needed to identify and resolve risk issues from daily operations.  The fact it spent most of its time on new products reduced its capacity to do this role effectively.

 

Further, with the establishment of PBRC, the relationship between it and CRMC should be reviewed to identify appropriate reporting and escalation points.  It is noted that CRMC currently receives its authority by delegation from the CEO rather than via board delegation.  Attention will need to be given to this in considering escalation routes, but APRA considers this can be managed.

 

5.5.3. CIB Risk Management Executive Committee (CIB RMEC)

 

The CIB RMEC meets monthly and comprises business representatives and one market risk representative.  It is chaired by the EGM Risk Management.  The CIB RMEC, as with other business committees, has the core functions of:

 

                  risk approval and oversight in line with RAAP;  and

 

                  risk monitoring and oversight of the existing control environment and the direction of appropriate management action.

 

Most of its time is occupied with consideration of new product initiatives or significant changes in products under the RAAP process.  Meetings of the committee are often referred to as “Risk Approval” meetings, as opposed to “Monitoring, Oversight and Reporting” meetings.  The latter were introduced following identification by CRMC in June 2003 that this role was not being performed.

 

The first of the CIB RMEC Monitoring, Oversight and Reporting meetings occurred in July 2003 and the next on 13 November 2003.  Meeting in this capacity, the CIB RMEC received reports on market, operational, legal, regulatory compliance risk and from internal audit.  These reports are intended to focus on key issues that the committee needs to know about and are then presented to the committee for no longer than five minutes each.

 

The CIB RMEC met five times between 1 September and 31 December 2003.  Issues relevant to the currency options desk and related controls at each of these meetings were as follows:

 

                  22 September - development of a limit breach disciplinary framework was considered by the committee.  This appears to have been developed in response to PBAC requesting business to identify certain zero tolerance behaviours;

 

                  15 October - the committee noted in Other Business that limit breaches were to be flagged and reported to the business by market risk team;

 

                  13 November (a “Monitoring, Oversight and Reporting” meeting) - the market risk report included comments about the currency options business.  It was recommended that the committee receive a presentation in the “new year” on the risk management challenges that the business posed;

 

                  21 November (a “Risk Approval meeting”) -  the agenda for this meeting was consideration of two RMDs and OFAC policy.  In Other Business it was noted that Market Risk Limit Breaches action was to be complete by December meeting.  The detail of what the report should cover was included in the minutes;  and

 

                  16 December meeting (a “Risk Approval meeting”) - the time at this meeting was spent on consideration of a RMD for a new product (Credit Index Deposits).  A presentation was scheduled in Other Business on Currency Options Business and management of market risk.  Presentations were also scheduled on Market Risk Limits, Market Risk delegated authority framework and Delegated Credit Authorities.

 

All the presentations were deferred to the next scheduled meeting on 5 February 2004.  No papers on these scheduled presentations were circulated to members prior to the meeting (other than one sent in advance to one member).

 

The presentation that was prepared in regard to Market Risk and Currency Options outlined the nature of the risk and recommended that the risk appetite and corresponding limits be re-engineered jointly by the business and market risk to ensure they were appropriate to the business being done by the desk.

 

The presentation that was prepared in regard to limit breaches built on the proposed limit review and outlined a plan to make the limit structure more flexible and to reduce the various categories of limit excesses over the course of 2004.

 

Neither of the presentations put to the committee demonstrated a clear rationale for the limit excesses and appeared to accept that the ‘soft’ limit excesses would continue and had legitimacy.  The planned reduction in limit excesses up to August 2004 still estimated there would be over one hundred soft limit excesses at that time.  This action plan was also submitted in February 2004 as the response to the external audit management letter findings.  APRA’s view on required actions in limit management are outlined earlier in this report.

 

Although charged with the responsibility to review the existing control environment, there was no comprehensive or effective means for CIB RMEC to do this, such as reporting of control effectiveness against a business risk matrix for CIB.  It should be expected that the Business Risk Management (BRM) process will provide this when fully rolled out to CIB.

 

Assessment of CIB Risk Executive Management Committee

 

The CIB RMEC was the closest risk management forum to the problems on the currency options desk.  It did not acknowledge or deal with the known problems and difficulties that were being faced by the Market Risk unit in dealing with the currency options desk.

 




 

The fundamental risk control mechanism of limit management was not operating effectively, and was before the CIB RMEC in October 2003.  Members of the Committee would also have been aware of issues surrounding the risk on the currency options desk from their daily management roles.  The CIB RMEC did not give sufficient priority to the issue of limit management, which was before it, and did not have appropriate processes to identify and deal with other significant risk management deficiencies within CIB.

 

The EGM, RM (as Chair) and the GM, MR&PC, as the non-‘business’ representatives on the Committee should have been more pro-active in having these issues brought before the Committee and dealt with.

 

Given the NAB’s philosophy of ‘embedding’ risk with the business unit, the CIB RMEC should have been the first and foremost forum to promote risk awareness in the business.  This was not achieved.

 

                  APRA requires PBRC to review the operation of the Executive Risk Committees as follows:

 

Group Risk Forum

 

                  Revise the charter of GRF to determine:

 

                  its role in the overall risk management committee structure;

 

                  its role in monitoring and evaluating reports from CRMC; and

 

                  its role in overviewing changes to risk management policies.

 

 

Central Risk Management Committee

 

                  Revise the charter of CRMC to specify, inter alia:

 

                  the CRMC’s role as an escalation point within the structure;

 

                  those matters which should be drawn to the attention of the CEO and those to be put before the PBRC;

 

                  a means by which it can monitor the effectiveness and implementation of the control environment;  and

 




 

                  a better balance between consideration of RAAP approvals and monitoring and oversight of ongoing risk issues.

 

CIB Risk Management Executive Committee

 

                  Revise the charter of CIB RMEC to specify, inter alia:

 

                  the CIB RMEC’s role as an escalation point within the structure;

 

                  those matters which should be put before the CRMC and when;

 

                  a means by which it can monitor the effectiveness and implementation of the control environment;  and

 

                  a better balance between consideration of RAAP approvals and monitoring and oversight of ongoing risk issues.

 

All Executive Risk Committees

 

                  develop a matrix map of how each executive risk committee fulfils its role;

 

                  remove common chairs of CRMC and CIB RMEC (and any other regional or business line risk committees);

 

                  consider increased representation of MR&PC staff on CIB RMEC;

 

                  develop regular MR&PC reports to CIB RMEC, CRMC and PBRC with appropriate level of detail on risk issues and their potential;  and

 

                  prioritise the rollout of the Business Risk Management framework into CIB and relevant reporting against this for each Executive Risk Committee.  A timeframe for implementation of this should be developed, with key milestones identified, and provided to APRA.

 




 

6.   CULTURE

 

The culture that exists within NAB contributed to many of the control breakdowns that led to the currency options losses.  While their effect is difficult to measure, we are in no doubt that cultural issues had a significant bearing on the extent of the losses that emerged - influencing both excessive risk-taking behaviour and the bank’s capacity to detect it.

 

By the term ‘culture’, we refer not only to the working environment within the dealing room and the personal attitudes and behaviours of individuals associated with the currency options desk, but also to the wider environment within the bank and the attitudes displayed by key decision-makers to principles of risk management, transparency and candour.

 

APRA considers that the cultural issues thrown up by this investigation need to be treated with the same attention and seriousness as the technical and operational breakdowns.  Our observations on this point are sourced from both this investigation and from APRA’s ongoing interaction with NAB as part of our routine prudential supervision.

 

In this section, two clear themes emerge:

 

                  the profit motive, or performance culture, and its skewing of the ‘business partnership’ balance between risk management and business decision making;  and

 

                  a close management of information flows that discourages the escalation of issues of concern to the Board or to relevant external parties (such as APRA).

 

6.1   Balancing profitability and risk management

 

While a risk/return trade-off is an inevitable part of any business investment decision, profitability considerations should not bear upon the objectivity of the risk assessment process.  The risks of any proposed transaction must be assessed objectively, independent of potential earnings, so that business decision-makers can be fully informed in weighing up the two.

 

Much of NAB’s organisational structure is predicated on an assumption that risk management should be embedded in the business operations, rather than being performed by a central unit.  This ‘business partnership’ model requires that ‘the business owns the risk’ and therefore considers appropriate risk management processes as part of its day-to-day business decision making.

 

Our observation is that the correct balance between these two elements was not achieved in the case of CIB Markets and market risk management.  During our investigation it became apparent to us that, in some parts of CIB, the notion of risk management being embedded in the business was more a matter of form than one of substance.  Potential profitability of a transaction under consideration and/or of the business unit which put it forward, often took precedence over risk concerns.  This is evidenced by:

 

                  the inability of the ‘business partnership’ to give priority to addressing the high number of limit excesses.  Some support should have been forthcoming from the front office to the attempts by market risk to have their concerns addressed or considered appropriately.  There is little evidence of the JHFX or GM Global Markets effectively demonstrating this risk ownership in connection with the currency options desk;

 

                  the continued ‘pushback’ and resistance from front office towards market risk and internal audit, which was in no way controlled by senior front office management, such as:

 

                  lack of willingness to address or resolve data issues;

 

                  not accepting decisions of delegated market risk personnel (eg challenging/escalating decisions by Head of Market Risk, Southern Hemisphere to refuse the desk authority or sign off on proposals);  and

 

                  repeated personal and professional attacks and aggressive behaviour towards market risk and internal audit staff.  There is clear evidence on occasion of senior front office management being at the forefront of such attacks;

 

                  predominance of attention of CIB RMEC to new products and product expansion, as opposed to attention to existing risk control framework and whether it was operating effectively.

 

It is expected that there will be tension between such areas in any financial markets operation.  In NAB, the extent of resistance and pushback from front office was excessive and the form it took was not constructive.  While recognising personal behaviours of individuals were a factor here, such behaviour was allowed to dominate unchecked, and it operated to tip the cultural balance away from risk awareness.  This made the role of NAB’s market risk team much harder to perform and created a situation where Market Risk limited its follow-through of issues.

 

6.2   Close control of information and issues

 

It is clear from our investigation that a number of important risk issues did not come to the attention of the Board and CEO.  In our view, NAB’s highly regimented culture acted to impede transparency and mollify the message when it involved acknowledging concerns or difficulties at operational level.

 




 

Managing the message was frequently given equal, or greater, priority than dealing with the underlying issue.

 

NAB’s tendency to closely control information flows can be seen in the lack of escalation of issues outside the immediate operational environment:

 

                 the extent of ongoing concerns in risk management about the currency options desk and the risks it was running throughout 2002 and 2003 (culminating in the Head of Market Risk, Southern Hemisphere abandoning his role in respect of the desk in July 2003) are not apparent in reporting to CIB RMEC in July 2003 or subsequent meetings;

 

                  when reporting to the CIB RMEC (the minutes of which were reviewed outside of CIB), the Market risk report in November 2003 states “At the time of writing, GMD trading operations continue to manage risk responsibly in changing market conditions. Adherence to risk discipline is good.”;

 

                 when concerns with the desk operations were elevated through the management line GM, MR&PC to EGM, RM, it was put back to him for resolution, with no evidence of any acceptance or escalation of the matter;

 

                 there was no elevation of any issues surrounding limit management or the foreign currency options desk to CEO level or Board Committee level; and

 

                 submissions to PB or PBAC, eg about serious regulatory action taken by FSA regarding Northern Bank anti-money laundering requirements in August 2003, are presented in an anodyne fashion that acknowledges no failings by NAB or actively promotes need for significant change.

 

Issues or concerns raised by external parties were not routinely accepted or prioritised for attention.

 

This approach was exemplified by NAB’s treatment of APRA’s letters following its reviews in 2002 and 2003.  These letters were not circulated to the Board (although the 2002 review letter was sent directly to the Chairman) and the former letter was only circulated to the Board Audit Committee in response to an enquiry from a Board committee member.  A memorandum accompanying the letter was generally dismissive of the points raised by APRA.  The responses to APRA’s letters were prepared within the market risk area.  There was no Board, Board committee or executive committee endorsement, before the responses were issued.

 

Moreover, on a number of occasions during APRA’s on-site review in August 2003, and during our annual prudential consultation in December 2003, APRA was explicitly informed that “average FX and volatility (option) exposures were relatively static” and that NAB’s trading profile was “conservative”.

 




 

Based on indicators available to NAB at the time, these statements were not a reasonable representation of the true picture and were patently misleading.

 

In another instance of lack of attention to issues raised by external parties, responses to external audit were not always complete or followed through in agreed timeframes (see comments earlier in this report about the 2001 and 2002 management letters from KPMG).

 

The lack of transparency in responding to issues or concerns within the business also has a direct impact on the effectiveness of tertiary controls afforded by internal audit, external audit and regulators:

 

                  internal and external audit scoping is reliant on input from business and is most effective when operational staff are encouraged to contribute issues of concern or areas warranting review.  In the absence of a culture to encourage that (which should be expected under a business partnership model), the process is not as effective as it could be;

 

                  as prudential regulator, APRA expects frank and open communication with regulated institutions.  Confidentiality provisions in APRA’s governing legislation are designed to facilitate this.  When risk management issues cannot be discussed openly, APRA must rely on more onerous and less efficient means to ensure compliance with prudential requirements.

 

While there is no overt instruction within NAB that would impede the escalation of problem issues to the Board and Executive, staff behaviour would suggest otherwise.  Lack of willingness by senior management to accept and acknowledge issues, resistance to escalation of issues and less-than-open responses to ‘external’ parties are all significant drivers of culture within an organisation, and so signal what is expected of staff within that environment.  It is difficult to expect operational staff to actively identify issues or escalate concerns if there is no encouragement or evidence of such action higher up in the organisation.

 

6.3   ‘People & Culture’ policies

 

APRA recognises that NAB’s People and Culture division has a range of policies and procedures that can be appropriate tools to influence the culture and environment.  These include:

 

                  formal recruitment processes;

 

                  NAB and CIB Code of Conduct;

 

                  a structured performance management system that included a range of key result areas for trading room staff, including a minimum 15 per cent risk management component and requirements for management expertise where relevant; and

 




 

                  formal systems for resolving disputes.

 

But none of these measures were respected or applied by the individuals or management surrounding the currency options desk.

 

The JHFX circumvented the formal recruitment processes (for example, we understand that no external reference checks were conducted) in engaging the currency options team in 1998 and 1999.  Also, although a performance appraisal for one of the dealers identified excessive risk-taking as a concern, no action was taken.  The other measures proved ineffective in controlling the operating environment in the dealing room and the domineering and bullying behaviours of front office staff.  There was no intrusion into CIB to enforce any of the policies.

 

People and Culture Division has advised that from 1 October 2003, changes were made to require stricter adherence to recruitment processes across the Group.  We also note that a formal Whistleblower Policy (or “Confidential Complaint” line) was introduced across the Group in late 2003.

 

There will be significant difficulty in implementing such measures effectively given the inculcated culture of CIB.  Significant, long-term resources need to be allocated to:

 

                  educating staff on acceptable behaviours;

 

                  demonstrating executive management commitment to accountability and transparency from all staff; and

 

                  providing appropriate incentives towards genuinely incorporating risk management into business decision making.

 

                  APRA believes that cultural change must be driven from the top.  APRA requires that the Board undertake a review of cultural norms within NAB and, following this, clearly articulates the standards of behaviour, professionalism and openness it expects of the organisation.

 

                  APRA recommends that these standards should be expressly built into staff performance plans and agreements and, where necessary, supported by relevant training.

 

                  APRA requires that codes of conduct and disciplinary procedures be vigorously enforced.

 




 

                  APRA requires that the Board reinforce policies to promote and support ‘whistle-blowing’ within the organisation, and provide avenues to facilitate this.

 

                  APRA requires that the Board review incentive arrangements at NAB to remove potential conflicts of interest on risk management staff, and to ensure that all staff observe behaviours that have appropriate regard to risk.

 




 

7.   Regulatory response

 

7.1.1.   Changes to policies, procedures and systems

 

NAB is to commence a program of changes to implement all required actions (and recommended actions, as necessary) identified in this report.  Implementation timelines should be referred to and agreed with APRA.  NAB will be subject to close supervision until these changes are implemented.  APRA should receive regular updates (at least quarterly) while the changes are being implemented.

 

7.1.2.   Capital adequacy

 

In view of the seriousness and the extent of the deficiencies identified in this report, NAB’s risk profile is materially weaker than that on which APRA’s current capital adequacy requirements are based.  APRA requires that NAB’s internal target for total capital rise to 10 per cent of risk-weighted assets.

 

7.1.3.   Model recognition

 

APRA withdraws NAB’s approval to use an internal model to determine its market risk capital.  NAB should commence using the standard method to determine market risk regulatory capital as soon as practicable.  Refer Section 4.1.2A.

 

7.1.4.   Currency Options trading

 

Since its original announcement on 13 January 2004, APRA has been in dialogue with the NAB regarding its ongoing currency option activities.  APRA and NAB have agreed a timetable to reduce the exposures on the desk and an appropriate “face to the market” for the product offering by NAB.  The activities of the NAB are currently narrower than previously, and involve much less corporate business flow for the product.

 

APRA is cognisant of NAB’s wish to return to “business as usual” at the earliest opportunity and to arrest any exodus from its client base.  Nevertheless, the recent $360m loss experience has demonstrated material weaknesses in the NAB’s traded market risk control framework.  These need to be redressed to APRA’s satisfaction prior to NAB’s resumption of regular trading activity on the currency options desk.

 

At a minimum, a return to normal trading should await a review and formal sign-off by the NAB Board of all limits (including both VaR and non-VaR limits) applicable to the currency options desk, and the settlement of all staff changes to relevant positions in CIB and Risk Management.  In addition, APRA would need to be satisfied as to the following:

 




 

                  there is effective and independent daily oversight of risk positions assumed by the desk;

 

                  MR&PC and Global Markets meet regularly, not less than weekly, to reach agreement regarding the detailed risk profile of the currency options desk.  This meeting is to be minuted with points of dispute documented.  The outcome flowing from the meeting is to be an acknowledged agreement on the desk position risk by both parties;

 

                  independent validation of each risk measure;

 

                  all outstanding currency options have an unqualified, independent pricing model sign-off;

 

                  there are no outstanding currency option trades without PUAs, and that existing PUAs for the Currency Options desk can be monitored;

 

                  a reliable procedure for sourcing revaluation rates (including option volatilities) is settled and there is a procedure for escalating marked changes to these rates for review;  and

 

                  tighter controls around internal trades and key back office reconciliations/confirmations for the currency options business are implemented.

 

 

7.1.5.   Other trading desks in CIB

 

While our investigation has focussed on control issues concerning the currency options trading, APRA’s requirements for CIB have application to all trading desks.  NAB Internal Audit is required to investigate, and report back to APRA, as a matter of urgency whether similar control weaknesses exist in other parts of CIB.

 

7.1.6.   Role performance

 

NAB has announced a number of personnel changes to address deficiencies in role performance as identified in this report.  APRA will further discuss with NAB the issues surrounding role performance and the implementation of staffing changes.

 




 

Annexure 1:  Glossary

 

ADI         Authorised Deposit-taking Institution
AGN         APRA ADI Guidance Note
APRA        Australian Prudential Regulation Authority
APS         APRA ADI Prudential Standard
ASX         Australian Stock Exchange
AUD         Australian dollar

BNZ         Bank of New Zealand Limited - NAB’s banking subsidiary in New Zealand

CEO         Chief Executive Officer
CFO         Chief Financial Officer
CIB         Corporate and Institutional Banking division of NAB, formerly known as WFS
CIB RMEC    CIB Risk Management Executive Committee - NAB executive risk committee
CLOC        Country Line of Credit
CRMC        Central Risk Management Committee - NAB executive risk committee

EGM         Executive General Manager

FX          Foreign Exchange

G-7         Group of major industrial democracies
GAITS       Global Audit Issues Tracking System, a database used by Internal Audit and the businesses to track and monitor audit issues
GBP         United Kingdom pound
GM          General Manager
GMD         Global Markets Division, a part of NAB CIB
GRF         Group Risk Forum - NAB executive risk committee

Horizon     Trading system used for currency options

JHFX        Joint Head of Foreign Exchange
JPY         Japanese Yen

KPMG        NAB’s current external auditor

MR&PC       Market Risk & Prudential Control, a part of Group Risk Management

NZD         New Zealand dollar

OFAC        Office of Foreign Assets Control, part of the United States Department of the Treasury which administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction

P&L         Profit and Loss
PB          Principal Board of NAB
PBAC        Principal Board Audit Committee - Board committee
PBRC        Principal Board Risk Committee - Board committee
PUA         Product Usage Authority - a product and trading approval authority with defined parameters
PwC         PricewaterhouseCoopers, an audit and consulting firm

QS          Quantitative Support, an area within Services, CIB

RAAP        Risk Assessment and Approval Process, this is a policy and tool that is used across all regional and global lines of business to assess all change initiatives including new/re-engineered products and processes, outsourcing and third party alliances.  Consists of 2 stages, the SRA and RMD.
RM          Risk Management division of NAB
RMD         Risk Management Document, Stage 2 of RAAP, it covers the end-to-end risk profile of the initiative and ensures all risks are identified, assessed and mitigated to minimise exposure from the initiative.

SRA         Strategic Risk Assessment, Stage 1 of the RAAP, which enables a strategic decision to be taken early in the life cycle of an initiative before significant investment and human resources are applied, and helps align the initiative with the strategic objectives of the business, the region it operates in and, where applicable, the wider group

USD         United States dollar

VaR         Value at Risk, a quantitative method to calculate possible losses within a defined confidence interval and time period

WFS         Wholesale Financial Services, former name of NAB’s CIB division

 




 

Annexure 2:  Summary Organisation Charts

 

CORPORATE AND INSTITUTIONAL BANKING (CIB)

 

MANAGEMENT CHART FOR CURRENCY OPTIONS DESK PRE 13 JANUARY 2004

 

 




 

NATIONAL AUSTRALIA BANK

GROUP RISK MANAGEMENT

 

MANAGEMENT CHART FOR CIB RISK,

MARKET RISK & PRUDENTIAL CONTROL (MR&PC) AND

INTERNAL AUDIT PRE 13 JANUARY 2004

 

 




 

NATIONAL AUSTRALIA BANK

PRINCIPAL BOARD, BOARD COMMITTEES AND

GOVERNANCE STRUCTURE - PRE AUGUST 2003

 

 




 

NATIONAL AUSTRALIA BANK

PRINCIPAL BOARD, BOARD COMMITTEES AND

GOVERNANCE STRUCTURE - POST AUGUST 2003

 

 




 

NATIONAL AUSTRALIA BANK

MEMBERSHIP OF PRINCIPAL BOARD & BOARD COMMITTEES

 

Board of Directors (Non-executive)

 

                  Charles Allen (Chairman until 16 February 2004)

                  Brian Clark

                  Peter Duncan

                  Graham Kraehe (director from 1997, Chairman from 16 February 2004)

                  Kenneth Moss

                  Geoff Tomlinson

                  John Thorn (director from 16 October 2003)

                  Edward Tweddell

                  Catherine Walter

 

Board of Directors (Executive)

 

                  Frank Cicutto (director until 2 February 2004)

                  John Stewart (director from 11 August 2003)

 

PBAC

 

                  Peter Duncan

                  Graham Kraehe (member until 5 September 2003)

                  Kenneth Moss

                  John Thorn (member from 16 October 2003, Chairman from 12 March 2004)

                  Catherine Walter (Chairman until 12 March 2004)

 

PBRC

(committee established on 8 August 2003, charter approved on 17 October 2003)

 

                  Frank Cicutto (member from 17 October 2003 until 2 February 2004)

                  Peter Duncan (member from 5 September 2003, Chairman from 12 March 2003)

                  Graham Kraehe (Chairman from 5 September 2003 until 12 March 2003)

                  John Stewart (member from 2 February 2004)

                  Edward Tweddell (member from 5 September 2003)

 




 

Annexure 3:  Persons Interviewed

 

Table 1: APRA interviews conducted

First Name    Surname
Scott         Alomes
Charles       Anastassiadis
Kevin         Bakhurst
Peter         Barton
Peter         Beharis
Godfrey       Boyce (KPMG)
Stephen       Campbell
Peter         Cannizzaro
John          Comito
Richard       Connolly
Gary          Dillon
Ron           Erdos
John          Harford
John          Holihan
Anne          Jackson
Clive         Johnston
Tim           Keramitzis
Tzu Ming      Lao
Chi Wai       Law
Chris         Lewis
Peter         Matthey (KPMG)
Steve         McCarthy
Richard       Oakes
John          O’Rourke
David         Potter
Wayne         Read (KPMG)
Bruce         Rose
Hektor        Rous
Brendan       Spain
Eva           Swierczak
Shane         Thompson
John          Toomath
Catherine     Walter

 

Table 2: PWC interviews attended by APRA

First Name    Surname
Charles       Allen
Dac           Bui
Dave          Bullen
Frank         Cicutto
Richard       Connolly
Peter         Cunningham
Dennis        Gentilin
Gary          Dillon
Luke          Duffy
Ron           Erdos
Gianni        Gray
John          Holihan
Ann           Jackson
Clive         Johnston
Sonia         Katheklakis
Tim           Keramitzis
Graeme        Kraehe
Tzu Ming      Lao
Chi Wai       Law
Chris         Lewis
Mark          Maltar
Vanessa       McCallum
Sean          O’Neil
David         Potter
Kate          Radzikowska
Hektor        Rous
Mike          Sheehan
Brendan       Spain
Eva           Swierczak

 

In addition, APRA received transcripts of all interviews conducted by PWC

 
