GRR working with their stakeholders to become “ A New Standard in Regulatory Risk Management” Our performance in 2004 – key achievements For discussion with Mike Ellis – 2 nd December 2004 Enhancing shareholder value through business focused regulatory risk management

Contents  Our accountabilities  Key departmental priorities for 2004  Vision for 2004  Context for 2004’s performance  Our performance in a nutshell  “Shaping Strategy”  “Delivering Results”  “Building Capability”  Final message

 GRR’s accountabilities are as follows:-  Setting group wide regulatory risk management standards, policies and framework.  Carrying out oversight of and providing advice on regulatory risk management and the Combined Code (Turnbull) in each of the eight operating divisions and in Group Areas.  Providing functional / technical leadership and advice to Regulatory Risk Management specialists in the operating divisions.  Fulfilling the regulatory accountabilities of Group MLRO and Data Protection Officer including processing suspicion reports to go to NCIS  Coordinating communications and relations with the FSA including managing the Approved Persons regime.  Coordinating the operational implementation of new regulatory developments. Our accountabilities

Key departmental priorities / objectives  Business and client focused regulatory risk management oversight, advice and leadership. [Note:- This will be achieved through deep business understanding, developing outstanding relationships with business colleagues and technical excellence]  Developing outstanding relationships and credibility with the FSA  Continued focus on fighting all aspects of financial crime  Creating a centre of excellence in our new Technical and Policy Services Team  The implementation of The Integrated Prudential Source Book  Developing our people to be the right people with the right mixture of skills  Developing a cohesive approach to leading and managing GRR  Communicating our vision and strategy for GRR effectively

Our vision for 2004  Typical extracts from colleague feedback in “GRR Today” 31/12/04  “The GRR Team has added real value this year by helping us to understand and manage our regulatory risks better”.  “The whole approach to risk regulatory risk management across the HBOS Group feels different. It feels simpler, more business focused and more effective at the same time. GRR’s new vision, strategy and approach has made a tangible difference to the way we manage regulatory risk in HBOS”.

Context for 2004 – “very difficult”  The FSA yet to be convinced that our risk management and control framework was effective and keeping pace with our growth. Clearly concerned with the way Group Risk functions relate to the Divisions and whether they are really able to carry out their oversight role effectively.  FSA concluded in 2003 "…that the risk posed by HBOS Group to the FSA's four regulatory objectives is higher than it was perceived….".  Increased ICR. Very challenging RMPs particularly in Retail including S166.  GRR Business Plan – “The regulatory environment – a key strategic challenge.” Keys to success; communications and relationships with FSA; more rigorous oversight by second line of defence in which FSA has confidence; the demonstrable and enthusiastic engagement of the operating divisions  Major organisational changes required to GRR – strategy, structure, people.

Our performance in a nutshell - 1  HBOS regulatory risk profile reduced. FSA’s confidence significantly increased. Additional ICR to be removed. No regulatory censure.  Positive outcome of S166 – “We have been impressed with the limited number of senior personnel that we have interviewed in GRR”  Positive feedback received from George Mitchell, Alistair MaCrae, Steven Cragg, Colin Matthew, Richard McDonald (BOSI), George McArthur (HBOSA)  “Our relationships with GRR in particular have been good……We are quite comfortable to rely on GRR……and that is the real test” Kirstie Canneparo – 26th November 2004  “I can’t believe the turn-around in our relationships with the FSA” – Tony Hobson – November 2004  Major organisational change in GRR effected highly successfully – MORI.

 “An excellent year all round building on a similar result in The New Horizons programme has been transformational. The work with HBOS FS in SJPC (life-saving support!) was excellent and both are emerging in much better shape as a result. You have recruited some excellent people and have inspired many of the old GRR folks to new heights.” Phil Hodkinson 30 November  “Phil Thanks for the opportunity to contribute and to see the IID executive views [on GRR]. Very helpful. Its obviously very positive feedback for Paul and the team and I can only reiterate your positive views. Tony” Tony Hobson 30 Nov.  Outstanding oversight and advice work carried out in Retail despite difficulties which has added significant value and protected Retail from undoubted FSA intervention. Courage in action. Our performance in a nutshell - 2

“Shaping Strategy”  There wasn’t one. Now there is. It has created an esprit de corp in GRR  Developed, communicated and got buy-in from all key stakeholders to a powerful vision and strategy for regulatory risk management around HBOS – “A New Standard in Regulatory Risk Management”. Very strong support from the GRR management team and department as a whole. Inspired and gave direction.  Inherent in the vision and strategy is a broader change agenda for the division focusing on clients, people, excellence, openness, simplicity and clear accountability – which will drive down costs and profits up by creating an atmosphere in which innovation can thrive.

Delivering Results – Australia and Ireland  Undertaken very effective RRME in Ireland which has been very well received - and the recommendations of which are being taken forward.  Feedback positive from both Ireland and Colin Matthew (“Good, it’s gone down well … we’re making good progress here”).  Australian RRME also well received - draft report being discussed.  Good relationship established with  International Operations - “our relationship with your guys is great”  Ireland  Australia  Not easy bearing in mind the various constituencies and their differing approaches.  Helped Strategy on two potential acquisitions.  Assisted PPU by carrying out certain work while they resource up.

Delivering Results – Corporate & Treasury  Strong positive feedback from George Mitchell, Alistair Macrae and Stephen Kragg. “I can’t believe the difference in approach” – Stephen Kragg  Provided critical support to Treasury during period when it might have ben impossible to have delivered the compliance plan they had promised to the FSA. Fully involved in the recruitment of Ian Capes.  Substantial support to Corporate throughout the year to support the improved relationship with the FSA.  Full scale review of regulatory risk management effectiveness in Corporate carried out since late September and now almost complete. Early presentation given to Corporate Board on November. Feedback positive.

Delivering Results – Insight  Delivered all aspects of planned activity. A number of key oversight reviews have been completed or substantially completed by the end of 2004 in relation to;-  Market timing, a key piece of assurance work within tight deadlines in order to satisfy FSA’s requirement that controls and processes were robust to counteract this type of investor behaviour.  Derivatives, a key area of business development for which GRR provided an independent view of the control environment  Financial promotions – a major part of the FSA’s TCF initiative.  Anti-money laundering – significant advice and assurance has been provided, CCR filters successfully negotiated with FSA resulting in substantial operational cost savings.

Delivering Results – Insight  Regulatory risk management effectiveness review - a major piece of work completed in Q1/Q2 resulting in confirmation of the correct approach for Insight being to restructure the risk areas into one department and establishing a formal risk committee structure.  Outsourcing - a major change in the business. Our work has ensured that the changes have been made but that controls have been suitably maintained.  Temporary Resource via a secondment for 6 months assisting in relation to monitoring and policy work  Data Protection - GRR has provide specialist resource during transition of responsibilities.  Very strong positive feedback from Dougie Ferrans and Keith Lovett.

Delivering Results – HBOS GI  Delivered all aspects of planned activity & accommodated additional work - at same time as being faced with need to build relationships with three different Heads Of Risk and changing business risk team during the year who had limited experience of similar roles.  Leading the cross-Group oversight of General Insurance Regulation – feedback from all involved has been positive, seen as a strong ‘second line’ control mechanism and the way forward on oversight of regulatory issues with cross-divisional impact.  Assisting HGI towards successfully implementing requirements of GI regulation  Carried out a significant amount of direct monitoring/review work in the business - compensated for the lack of ‘first line’ monitoring carried out by the business Risk team due to a period of resource/skill shortage.  Strong positive feedback from HGI senior management. “You have done a great job, created a great team, and left a quality legacy. “ Howard Posner, November 2004

 Temporarily filled a technical expertise vacuum on ICOB issues for HGI - (Quotes from MW/SAB…”cooperative in terms of resource utilisation”..”supportive of HBOS GI, a real ‘win-win’ for both teams”)  Received excellent feedback from business on performance and quality of support and advice (whilst acknowledging the increased challenge) - Quotes from MW…”visibly challenging of the business in Risk Committees and Project Steering Groups.  FSA have commented orally that they are comfortable with Risk Management Effectiveness within GI.  Built positive working relationships with the Finance Director, Heads of Risk, Risk team and individuals in the business (Quotes from Stephen Blott…”overall very positive relationship” and from MW…” supportive of me personally…”)  Fighting financial crime - Conducted extensive AML oversight across most business areas. Delivering Results – HBOS GI

 Mike Gardener described as “a complete star”. Very strong positive feedback from Jonh Edwards and Mike Davies.  Successfully delivered on all key material areas of oversight, in a year of transition and change following Project Crystal and against a background of significant team resource devoted to the SJP Strategic Review Implementation Programme.  Played a significant role in helping our Divisional risk colleagues and the Divisional CEO to implement a new risk structure and strategy in a difficult year of change.  Through a key secondment (Paul Gowland) Designed, trained and implemented a revised Divisional Risk Monitoring Programme and significant improvements in content and quality of reporting Board/Governance committees. Positive oral feedback from Head of IID and Divisional Director of risk.  Built excellent working relationships with divisional colleagues.  Successfully helped divisional colleagues establish positive lines of communication and professional relationship with the FSA supervisory team. Delivering Results – HBOS FS

 Arrow – Assessed and monitored the actions taken in response to the Arrow RMP, culminating in the Arrow visit in October 2004 when FSA advised that they viewed that the overall risk profile presented by HBOS FS was at a reduced level.  Provided functional leadership on a number of joint reviews with Divisional risk colleagues. Also assisted in selection process for key divisional risk roles in new risk structure.  Delivered effective oversight of AML issues within the division. Additionally obtained FSA agreement for the use of two major filters (IFA introductions and payments from major banks) in the HBOS FS Current Customer Review exercise. This was considered a significant step forwards with major cost savings for the division.  Delivered effective oversight of Data Protection issues within the division whilst assisting in the recruitment and training of a new divisional Data Protection Risk adviser.

Delivering Results – Retail  Delivered all aspects of planned activity & accommodated significant additional work. Significant oversight work undertaken in key areas. Despite some negative findings in a number of these reviews, the quality of the work undertaken, and the determination of the organisation to resolve its regulatory issues has added greatly to the credibility of risk management effectiveness within the Group  Sales Culture and Controls Review – A major review of the extent to which the sales culture within Retail was matched by the control environment.  ACT and CBF – Review of the operation of the Advice Checking team within Advisory Sales and the sale of the Corporate Bond Fund.  Complaints Handling - Several interlinking pieces of work undertaken by GRR on complaints and complaints handling in A key part of the work was the support, advice and oversight provided as part of the MEC Review.

 Complaints handling (advice) - A critical "win" from the work included FSA withdrawing their threat of enforcement action on Post A day complaints and FSA agreeing in writing that HBOS could use the "Attitude to Risk" prevailing at the time of the sale to assess suitability as part of handling a complaint - this was critical for not only current business but for establishing a stable and known platform for business going forward – undoubtedly this work has saved the organisation many £millions. Critical input to Pre A Day issues.  MCOB - GRR were fully involved in the work and Steering Group which led up to the successful delivery of MCOB on 31/10/04. GRR undertook several key pieces of work in conjunction with both GIA and RRR and is a key part of the "FSA Dummy Run" work being planned ahead of the expected FSA visit on MCOB. Delivering Results – Retail

Delivering Results - SJPC  Managed a major regulatory sensitive review and substantial implementation programme at SJPC.  The extent of this work was not originally built in to our 2004 plan  The implementation programme has been successfully delivered  During the implementation programme, business performance has continued to be very good – the programme was designed to ensure the business could continue (as far as possible) as normal.  Significantly helped to develop FSA confidence in quality of GRR staff/their regulatory expertise and professionalism.  Feedback from SJPC senior management has been very good.

Delivering Results – Financial Crime  Continued to deliver requirements in relation to fighting financial crime including processing of suspicious transactions. Supported the divisional teams. Recruited and trained STR team implementing Release 0 of Searchspace and replanning Releases 1 and 2 following delay in delivery due to software supplier. Moving to final AML structure within GRR by 31/01/05.  Fulfilling roles of Group MLRO and Data Protection Officer - achieved through significant transition.  Processing suspicion reports for NCIS - achieved with application times now at industry best levels.  Recruitment of key staff and, in particular, new Deputy GMLRO.

Delivering Results - Other  IPSB – Key input at beginning of year to design of new project structure. Successful implementation of new “Sysc” & Group Contagion Risk requirements.  Development of new vision and strategy for “Technical and Policy Services” ready for full launch post AML transition. Excellent early input to divsions.  Managed S166 Review and key involvement in post S166 recommendations.  Development of clear and detailed 2005 Business Plan following involvement in Group- wide regulatory risk assessments of operating division business plans. Design and development of new and much clearer approach to GRR Annual Oversight Plans. Business Plan presented and accepted by FSA – “The Plan contains everything we would have expected” – November FSA.  Introduced new Regulatory Communications Policy. Coordinated all communications with the FSA very successfully including. Managed the Approved Persons Regime including MAP project. Introduced new and successful training programme.  Fulfilled all reporting requirements.

Building Capability  Reorganised and re-launched GRR at February conference. New structure. New Vision. New Strategy.  Outstanding MORI survey results – best in GF&R – even stronger given the level of change when you would expect them to be worse.  Recruitment of a large number of new staff  Roll out of Project New Horizons to the whole of IID and new GRR – “This is functional leadership in action” – David Fisher. Plus hugely positive feedback from throughout IID and the delegates. Developed new programme for 2005 “People Matters Matter Most”  Set up new centralised Operations Management team freeing up professionals to focus on technical work. Strong financial management.  Rolled out completely new and effective communications strategy for GRR including “Town Hall” meetings, regular bulletins etc etc. Set up GRR Advisory Panel.  Reviewed work / life balance with LetsDoLife. Introduced “Smileometer”.

Final message  Highly difficult circumstances on take-over in November 2004  Very high regulatory risk environment  Demoralised department with no real direction  Excellent stakeholder feedback throughout  Strong technical quality of oversight and other work  High work volumes  High impact – little confidence to greatly improved confidence  Significantly improved relationships with FSA  “Our relationships with GRR in particular have been good……We are quite comfortable to rely on GRR……and that is the real test” Kirstie Canneparo – 26th November 2004.