Startlingly, the chairman said he was "confident" the bank was still selling products that would trigger compensation for customers in the future. Confidential minutes of the interview said he "highlighted an example of SMSF [self managed super fund] borrowing to invest in managed funds".

The EY team needed to know what Henry thought so it could help the bank prepare a report, required by the Australian Prudential Regulation Authority (APRA), that would assess NAB’s performance on risk management and culture.

They were there to talk risk - more specifically the NAB board’s appetite for it.

NAB chairman Ken Henry, still five months off his disastrous commission appearance, was in a meeting room at the bank’s head office with senior staff from consultants EY (formerly Ernst & Young).

It was the beginning of winter 2018 and National Australia Bank was reeling from stunning revelations in the banking royal commission about its shoddy treatment of customers and a foot-dragging approach to compensating customers.

The documents give a rare insight into the thinking of the bank at the highest levels and raise questions about a process that forms part of the prudential regulator’s monitoring of our largest financial institutions.

They reveal a flawed approach to risk, poor controls, technology challenges, a failure to adequately address and fix compliance issues and slow remediation.

The leaked material features highly sensitive internal documents including the minutes of more than 70 interviews with NAB executives and directors, including Henry, then-CEO Andrew Thorburn, former NSW premier Mike Baird and Phil Chronican, who is due to take Henry’s place as chairman. Other documents include EY's confidential internal observations about NAB, as well as the bank’s risk reports and surveys.

Nor did a raft of other detail about poor systems and governance. It is not clear if the final report contained any of this information.

Underlining the whistleblower's concern was that much of what was discovered in that review, including what Dr Henry and others said in meetings with EY, did not make it into EY’s draft report.

The minutes of that June 13, 2018, interview form part of an extraordinary trove of documents leaked to the Sydney Morning Herald and The Age by a whistleblower who felt the royal commission had glossed over important problems.

The whistleblower believes the persistent "red" and "amber" ratings for compliance risk were indicative of a breakdown in the capability of people, processes and technology inside the bank, saying: "It indicates that NAB will be subject to oversight and ‘hand-holding’ for years to come."

One report, labelled "highly confidential" and prepared by NAB’s then chief risk officer, David Gall, for a board risk committee, said the bank’s risk profile and outlook remained "amber" as it battled financial crime challenges, regulatory investigations and technology issues.

Insiders warn that when compliance alerts don’t work properly it can result in scandals and consumer detriment.

The reports go much further than Henry’s royal commission admission that the compliance rating had been red for a long time.

At the time of the review last year, NAB’s own risk ratings for compliance had been "red" on its internal traffic light system for at least 20 months, operational risk had been "amber" for 35 months and regulatory risk had been "amber" for 26 months, according to leaked internal NAB reports.

They lay out NAB’s failure to tackle long-standing issues in its wealth management division, new anti-money laundering breaches and an internal rating of its financial crime risk as "excessive" and "not effective".

"I’ve decided to take a big risk in disclosing a cache of highly sensitive NAB documents after losing patience with APRA, ASIC and the royal commission in exposing the true extent of failures in NAB’s risk management practices … a symptom of cultural decadence and operational incompetence."

"I’m tired of turning a blind eye to the lies and unethical behaviour so executives can keep their bonuses," the whistleblower said.

The whistleblower is incredulous that EY, the bank’s external auditor of 13 years, won the job compiling an "independent" review of the bank’s risk management framework, known as CPS 220.

"There’s so much information and can’t see the woods from the tree," one compliance executive was quoted as saying.

The minutes of interviews with executives and directors highlight serious problems.

He said all significant risk matters - financial and non-financial - are detailed in reports for NAB’s most senior risk committees and forwarded to APRA.

In July 2019 APRA ordered NAB to put aside an additional $500 million of capital in response to the findings of this report.

"NAB has been open and transparent in acknowledging the significant problems required to non-financial risk management and compliance, as identified in its self assessment on culture, accountability and governance," he said, pointing to a significant self-assessment report in November in which the bank admitted that its approach to compliance lacked rigour and discipline.

NAB’s chief risk officer, Shaun Dooley, said the bank had policies to protect the independence of its external auditor, including limitations on the non-audit services EY could provide.

EY was sent a detailed list of questions but declined to comment for this story, saying it did not comment on client matters.

Sitting 34 floors up in the heart of Melbourne, Henry was asked a range of questions about the bank’s systems, the royal commission, board committee meetings and the bank’s appetite for risk.

This was just months before his now-famous royal commission appearance in which he was asked why the board paid full bonuses to executives at a time when there had been so many scandals at NAB.

"Well, we could have fired everybody, I suppose," was Henry’s response.

Henry told his EY inquisitors that he questioned the usefulness of risk limits such as having red-flag transactions for issues like money laundering.

"The value is really in the discussion rather than the limits themselves," he is quoted as saying.

So did he feel the bank had enough compliance grunt?

The minutes record him as saying: "On compliance risk always you can argue that you can put more resources in but in reality he has no idea if NAB have enough or not."

The EY record of the interview says: "Overall didn’t feel he has a good sense of where NAB is with compliance - and not sure they are in a better or worse spot than when he joined the board."

The minutes also included a statement from Henry that "some odd appetites have been given to the board", including a tolerance for some level of non-compliance from sources he did not name.

"See this as nonsensical e.g. when [is it] sometimes okay [to] break the law?," the EY minute says.

Phil Chronican, who is set to succeed Henry as chairman but was a NAB director and chairman of the board’s risk committee at the time of the review, is recorded in his interview expressing frustration about the handling of an unspecified money laundering case.

"Had they embarked on more comprehensive plans two to three years ago, they would not have spent as much today," he said.

Other minutes record him saying he “feels like NAB is the sort of organisation that people want to do the right thing but not at a level of risk mastery where people can actively raise issues due to: a residual fearfulness on how to raise issues; possible that there is a lack of awareness/time lag due to not knowing enough.”

The minutes noted Thorburn’s main concern was "around risk culture and the bank becoming too risk averse" and [he] saw this as the biggest emerging risk the bank faced going forward. He also saw "reputation risk as a major emerging risk".

Asked how he would like to see NAB’s risk governance structure develop over the next three years, he said he thought the only improvement the various risk committees could make was to set aside more time for reflection.

At every fourth committee meeting, he suggested, committee members could allocate one hour, without paperwork, just to "sit on the couch and think through which risks they had not considered yet".

'We’re meeting all our obligations.'

The internal documents also gave new details on NAB's troublesome internal systems.

As well as the “red” ratings - which Henry touched on in passing at the royal commission - the leaked documents show NAB had long-standing issues with conduct risk, which was rated “unsatisfactory”.

Conduct risk covers issues such as market misconduct, false and misleading advertising, unfair contract terms and inappropriate credit decisions. These are problems that can lead to fines, compensation, reputational damage and lawsuits.

The review examined 222 conduct risks and found that 30 per cent had ineffective controls in place to pick up breaches.

From a customer’s perspective it meant losses weren’t detected, while from NAB’s perspective it contributed to reduced management focus and an insufficient investment in improving systems.

Compliance with anti-money laundering and counter-terrorism finance (AML/CTF) laws was another weak spot exposed in the review.

In March 2018, NAB discovered a reportable breach of AML/CTF laws after finding a "subset of customers" in its financial planning businesses – Antares Capital Partners and MLC Investments – had not been screened or risk rated as required.

The group chief risk officer's report where the breach was noted said NAB had so far identified 1000 impacted customers and remedial actions were still under discussion. In a statement, NAB said it had notified AUSTRAC of the issues and no customers were negatively impacted.

This situation, which was not revealed at the royal commission or to investors, emerged only a few months after CBA’s money laundering scandal erupted in August 2017.

At the time Thorburn told the media: "The main point is that we are very confident we’ve got the monitoring, the oversight, the supervision we need… we’re meeting all our obligations."

A separate internal NAB document prepared in April 2018 reveals that NAB had also breached its AML/CTF "know your customer" obligations, which require banks to collect and verify certain information about customers to deter terrorists and criminals.

The breaches in its business, private banking and consumer banking and wealth "due to onboarding customers without completing KYC [know your customer] prior to drawdown or debits from the account" dated back as far as 2016, and the bank states in its internal report that it still hadn’t fixed them.

It deemed NAB’s practices in this regard "ineffective" in business and private banking as well as consumer banking and in its wealth business.

There were also problems in NAB Wealth’s risk and controls systems relating to the detection of financial advice breaches – problems that had been identified as far back as October 2014 – including forgery, fraud and misconduct among financial planners.

“NAB had always cut close to the bone when it came to investing in systems and culling risk staff,” the whistleblower said.

Keeping a lid on costs was one of Thorburn’s signature strategies: in November 2017, he announced a plan to cut 6000 jobs, reduce costs by $1 billion and replace staff with automated systems.

Ironically, the leaked documents showed that as Thorburn was publicly spruiking technological solutions, the bank had serious issues in that area. For example, a letter from APRA to Thorburn in October 2017 summarised an IT risk review, outlining four broad areas of "fundamental weaknesses": systems health, systems recovery, information security and board and executive oversight.

The cuts were also raising concerns internally and their timing was a recurring theme in the executive interviews.

"Thinks headcount reduction have to take into account the materiality risk of businesses," Angus Gilfillan, an executive in consumer products at NAB, reportedly told his EY interviewers.

"Believes, the promised simplification target won’t be achieved till next year. Hence, people will invariably have to be taken out before delivery of simplification."

A free pass

The whistleblower, who asked for anonymity, was disappointed that the royal commission had failed to examine the dual role of external auditors and consultants.

"The royal commission gave the banks’ auditors and consultants a free pass. It was a shortcoming that needs to be addressed. They are the random variable in the equation," the whistleblower said.

It had emerged briefly when AMP was shown to have directed law firm Clayton Utz to revise numerous drafts of a report to the corporate regulator on its behalf.

The leaked documents raise questions about the role of EY in its assessment of the bank for the APRA review.

Labor MP Deborah O'Neill on Thursday called for a parliamentary inquiry into the auditing sector, saying the new controversy around NAB and EY had deepened her existing concerns about the management of conflicts of interest.

"There have been a lot of questions about why auditors were not included in the terms of reference for the banking royal commission," she told The Age and the Sydney Morning Herald. "This is a serious and confronting global issue and these revelations only reinforce my concerns."

The review conducted by EY is one that banks are required by APRA to commission every three years under Prudential Standard CPS 220. APRA states it must be conducted by "operationally independent, appropriately trained and competent people" but the review can be either an external or internal audit.

In APRA's eyes, an internal person can be sufficiently independent.

In a letter to NAB pitching for the review, EY spruiked the fact that it had been the bank’s auditor for 13 years and therefore had a deep understanding of the company.

EY’s proposal outlined the rules of engagement, including that both NAB and EY would agree who would be interviewed and discuss interim findings. EY would also prepare a draft report with recommendations and send it to NAB for review.

EY also offered to provide "proactive end-to-end stakeholder management and early communication of findings based on a no-surprises approach".

Once NAB had reviewed the draft report, the proposal said, EY would "socialise with key management". A draft report would then be presented (along with the final report) to NAB’s board risk committee and/or the board audit committee.

Finally, a working group of NAB and EY staff would update the document "as required" and then EY would present to NAB’s group chief risk officer.

The leaked documents include the draft report as well as confidential notes written by EY consultants for their own reference.

NAB said in a statement it classified the report as audit-related work in its 2018 statutory accounts "as the work was assurance in nature and required under prudential standards".

The documents show the EY team that worked on the review came from its risk advisory practice, not from its auditing or assurance practice.

The bank said the document was produced for NAB not APRA, although a copy of the report was sent to the regulator.

The draft report uses neutral, passive language to play down some of the challenges NAB faced. EY’s private observations are much more frank.

For example, the draft report rated NAB’s risk management framework (RMF) design as "adequate and appropriate" and concluded that overall NAB "largely" met APRA’s regulatory requirements.

It noted approvingly that "NAB has made significant improvements".

In contrast, EY’s confidential notes stated: "The bank focuses only on addressing the issues through Band-Aid fixes rather than investing in long-term solutions."

It said that when issues were identified internally by NAB or raised by the regulator there seemed "to be inadequate analysis [by NAB] of the root cause of these identified weaknesses".

In terms of conduct risk management, it says "we have seen the industry evolve in its approach" and "we see NAB lagging with regards to having a conduct risk management strategy and framework in place".

APRA said on Thursday that this type of report supplemented its other supervisory work.

Given the persistent red and amber ratings for NAB and its own assessment that conduct risk is "unsatisfactory" the whistleblower questioned how EY could give an adequate rating to NAB’s risk strategy and a partially adequate rating to people, risk and culture in the APRA review.

"How can something be partially effective? Don’t they mean partially ineffective? What does that mean?" the insider asked.

Five months after Henry’s interview with EY he walked into courtroom 4A at the royal commission.

By the time he finished the following day, NAB was battling yet another crisis, this time about its chairman.

His fate was sealed when commissioner Kenneth Hayne handed down his final report in February saying: “Having heard from … the chair, Dr Henry, I am not as confident as I would wish to be that the lessons of the past have been learned … Overall, my fear – that there may be a wide gap between the public face NAB seeks to show and what it does in practice – remains.”

It would have seemed a lifetime ago since his meeting with EY, where he said he was unsure “what will come out of the royal commission”.

Adele Ferguson’s book Banking Bad is out on August 5. An extract will run in Saturday's Good Weekend in The Age and the Sydney Morning Herald.