POLICY FOR REPORTING IRREGULARITIES RELATING TO ACCOUNTING, INTERNAL ACCOUNTING CONTROLS AND AUDITING MATTERS AT NATIONAL BANK OF CANADA

Scope

The Policy for Reporting Irregularities Relating to Accounting, Internal Accounting Controls and Auditing Matters at National Bank of Canada (the “Policy for Reporting Accounting Irregularities” or the “Policy”) applies to all employees of National Bank and its subsidiaries (the “Bank”) and any individuals wishing to avail themselves of this Policy.

Regulatory Context

In compliance with Regulation 52-110 of the Canadian Securities Administrators, the Audit and Risk Management Committee (the “ARMC”) of National Bank hereby establishes procedures for:

  • the receipt, retention and treatment of complaints and concerns received by the Bank regarding accounting, internal accounting controls and auditing matters;
  • the confidential, anonymous submission by any individual or Bank employees of complaints or concerns regarding questionable accounting and auditing matters; and
  • the protection of individuals who wish to file a complaint or submit a concern in connection with this Policy.

Objective of Policy

This Policy addresses the reporting of complaints and concerns about questionable accounting, internal accounting controls and auditing matters at the Bank, including:

  • any misstatement, fraud or omission in any financial statement of, or other financial information published by, the Bank, including any report or document filed with securities regulatory authorities or any other government or regulatory authority;
  • any intentional error or misconduct in the preparation, evaluation, review or audit of any of the Bank's financial statements;
  • any misstatement, fraud or omission in the recording and maintaining of the Bank’s financial records;
  • any weakness or deficiency or non-compliance with the Bank’s internal accounting controls;
  • any misrepresentation or false statement made to or by an officer or accountant concerning a matter contained in, or required to be contained in, the Bank’s financial records, financial statements, financial reports or audit reports;
  • any deviation from full and fair reporting of the Bank’s financial condition, operating results or cash flows;
  • any effort to mislead, deceive, coerce or fraudulently influence any internal or external accountant or auditor of the Bank in connection with the preparation, examination, audit or review of any of the Bank’s financial statements or records;
  • any other error, deficiency or weakness in the Bank’s financial statements, internal controls, auditing procedures, financial records and reports.


Complaint Handling Procedure 

Ombudsman
Any individual or Bank employee may submit a complaint or concern regarding questionable accounting, internal accounting controls or auditing matters at the Bank directly to the Office of the Client Ombudsman:

  • By telephone:
    A dedicated, toll-free phone line:
    1-877-390-7881

  • By regular mail:
    Ombudsman
    National Bank of Canada
    P.O. Box 275, Montreal, Quebec  H2Y 3G7
    Transit: 9152-1

  • By fax:
    1-888-866-3399

The Ombudsman maintains the anonymity of the reporting individual and the confidentiality of the complaint. The information obtained by the Ombudsman is compiled on an anonymous, confidential basis and the file is sent to Internal Audit with a copy to Compliance.

If the irregularity or concern relates to the Ombudsman, it must be reported directly to Compliance, which will act in accordance with the rules established for the Ombudsman. In these situations, Compliance must be notified by telephone at 514-394-8694.

If the complaint or concern relates to Compliance or to Internal Audit, the Ombudsman will notify the ARMC, and the ARMC will mandate a third party, such as the Bank's external auditors, to conduct the investigation to ensure independence and impartiality.

Compliance
Compliance receives and retains a copy of the complaint file. Compliance informs the Global Risk Committee (GRC) and the ARMC of each complaint received or concern reported, whether founded or unfounded. Once the investigation by Internal Audit has been completed, Compliance reports to the ARMC on the results of the investigation (it should be noted that Compliance already reports to the ARMC and is independent in its functions). In addition, Compliance compiles statistics and informs the ARMC periodically, or as necessary, about the number of complaints and concerns received, whether founded or unfounded.

Internal Audit
Internal Audit receives the complete file prepared by the Ombudsman and investigates the reported irregularity. If additional information is needed during the investigation, the Ombudsman contacts the reporting individual. Once the investigation has been completed, Internal Audit submits its investigation report to Compliance and to the Ombudsman.

Audit and Risk Management Committee (ARMC) of the Bank
Periodically, or as necessary, Compliance reports to the ARMC on complaints and concerns received, and subsequently apprises the ARMC of the results of each investigation.
In the event a complaint or a concern is determined to be well-founded, Compliance makes a recommendation to the ARMC concerning any action to be taken. The action may be formulated as follows:

  • if the complaint or concern relates to a weakness or deficiency in any of the Bank’s internal controls or accounting systems, the ARMC designates an officer to oversee any necessary strengthening and/or correction of such weakness or deficiency.
  • if the complaint or concern relates to a misstatement, error or omission in any of the Bank’s financial statements, or in any report or other document filed by the Bank with securities regulatory authorities or any government or regulatory authority, the officer (or other person designated by the ARMC), in cooperation with the Corporate Secretary’s Office, if appropriate, oversees the prompt correction or restatement of such financial statement, report or document and, if necessary, ensures that all amendments to any previously filed reports or documents to correct said misstatements, errors or omissions are filed with the securities regulatory authorities or any other government or regulatory authority.
  • any other matter reported is addressed and resolved appropriately in accordance with legislation and the applicable accounting and auditing standards.
  • the officer or the person designated by the ARMC is responsible for taking the necessary action against any employee who is the object of a well-founded complaint or concern and is determined to be at fault.

Follow-Up Report to Reporting Individual
When the ARMC has completed its investigation of a complaint or concern, whether each complaint or concern is determined to be founded or unfounded, the Ombudsman gives the reporting individual a written report on the results of the investigation. However, if action is to be taken against an employee at fault, the details of said action are not disclosed in the report.

Protection of Reporting Individual

Confidentiality and anonymity are ensured at all times for all individuals, including Bank employees, who submit complaints or concerns.

No action or reprisal may be taken against any individual, including a Bank employee, who submits a complaint or concern in good faith, even if the irregularity or concern is ultimately determined to be unfounded. In particular, neither the Bank nor any employee of the Bank may discharge, demote, suspend, threaten, harass or in any manner discriminate in the terms and conditions of employment or otherwise take any form of reprisal against a reporting individual who filed a complaint or submitted a good faith concern in accordance with this Policy. Any such action or reprisal taken against a reporting individual constitutes a violation of this Policy.

In addition, any Bank employee who alleges having been discharged, demoted, suspended, threatened, harassed or in any manner discriminated against in violation of the provisions of this Policy may report the alleged violation to the Chair of the ARMC, which may take remedial action, as appropriate, in particular by appointing an individual to direct an investigation into the employee’s allegations.

However, if an individual, including a Bank employee, submits a complaint or concern in an unreasonable, frivolous or abusive manner, that individual may be subject to disciplinary action.
 

Confidentiality and anonymity

Complaints or concerns may be submitted confidentially and the Bank will take all necessary actions to ensure the confidentiality of the information disclosed and the anonymity of the reporting individual. Only the individuals and/or sectors specified in this Policy may be made aware of the information disclosed. Unless the disclosure of the information is required by law or is essential to conducting the investigation, confidentiality will be maintained at all times. The identity of the reporting individual may not be disclosed without the reporting individual’s consent. If the reporting individual consents to disclosure, said consent must be provided in writing.

Roles and responsibilities

The Global Risk Committee (GRC) oversees all matters pertaining to comprehensive risk management Bank-wide.

The Audit and Risk Management Committee (ARMC) is responsible for applying and revising, as applicable, this Policy.

The Conduct Review and Corporate Governance Committee (CRCGC) approves all revisions to this Policy.
Compliance reviews the Policy annually or as needed, and recommends any changes, if required, to the ARMC for approval by the CRCGC.

Compliance and the Ombudsman ensure that the Policy is communicated to Bank employees and to anyone who requests it.