The governing body governs data, information and technology in a way that enables the organisation to sustain and optimise its strategy and objectives.


Exception declaration


All the recommended practices in support of Principle 10 have been implemented. Ongoing enhancements continue in specific areas where the organisation is strengthening governance evidence and reporting depth.


Specific disclosures


(a) Disclosures in relation to data and compliance:


  1. Data and information governance effectiveness

    Whether the governing body is satisfied that the management and control (including acquisition, creation, use, dissemination and disposal) of data and information are effective, compliant and ethical.


    The board is satisfied that the management and control of data and information are effective, compliant and ethical, based on the governance arrangements, reporting and assurance received during the reporting period. Oversight of data and information governance is exercised primarily through the board's delegation to relevant committees, including the GITCO for technology and data governance oversight, the GRCMC for risk oversight and Group DAC for ethics and compliance oversight (with the GMROC providing specialised oversight of model-related data considerations).

    In 2025, the governance structure supported ongoing monitoring of enterprise data controls, data quality remediation and value realisation, including discussion at committee level of the maturation of the data capability and data strategy execution. Assurance activity related to enterprise data infrastructure was reported with favourable outcomes (with improvement areas identified and tracked through management action). The organisation's data life cycle governance is applied through a combination of policy frameworks, risk reporting and committee oversight that enable the identification and classification of data to support appropriate control across confidentiality, integrity and availability considerations.

    Formal risk data aggregation and risk reporting (RDARR) limitations are tracked through a standing-limitations register supported by management letters of representation, which provides additional assurance over the completeness, quality and control of risk-related data.


  2. Information privacy breach prevention and response

    Whether the governing body is satisfied that the arrangements for the prevention and detection of information privacy breaches are effective, and that significant incidents have been appropriately responded to, to manage consequences and prevent future occurrences.


    The board is satisfied that arrangements for the prevention and detection of information privacy breaches are effective, and that significant incidents are appropriately responded to, based on a combination of risk reporting, control assurance, and management remediation tracking. Privacy and data protection oversight is monitored through the board's delegated structures, including GITCO and GRCMC, with ethics and compliance oversight primarily positioned through Group DAC, supported by compliance reporting and escalated to other governance forums by exception.

    Independent assurance reporting for the period indicated that where significant control weaknesses were identified, management implemented remediation actions immediately, and these actions were subsequently issue-assured as completed. In addition, the cyberrisk reporting to governance committees explicitly tracked privacy incident themes within the broader cyber- and operational risk landscape, supporting ongoing monitoring and management focus.


(b) Disclosures in relation to technology:


  1. Technology governance effectiveness

    Whether the governing body is satisfied that the acquisition, development, use and distribution of technology in and by the organisation are effective, compliant and ethical.


    The board is satisfied that the acquisition, development, use and distribution of technology are effective, compliant and ethical, based on the governance system of delegated oversight, performance monitoring, and independent assurance received during the reporting period. The board delegates significant technology governance responsibilities to GITCO and the relevant risk committees, with GITCO's charter explicitly covering the monitoring of the adequacy, effectiveness and efficiency of the group's information systems, as well as the oversight of frameworks and governance for the management and reporting of material technology risks (including cyberthreats and artificial intelligence).

    Independent assurance reporting during the period assessed controls over IT operations and cybersecurity posture as generally adequate and effective, noting that while control deficiencies do arise, they are identified and addressed through appropriate remedial actions, which supports the board's assurance that the control environment is well managed, with targeted areas for improvement identified.


  2. Cyberattack prevention and response

    Whether the governing body is satisfied that the arrangements for the prevention and detection of cyber-attacks are effective, and that significant incidents have been appropriately responded to, to manage the consequences and prevent future occurrences.


    The board is satisfied that arrangements for the prevention and detection of cyberattacks are effective, and that significant incidents are appropriately responded to, based on structured cyberrisk reporting, key risk indicator monitoring, and incident management evidence presented through the governance cycle. Cyberrisk reporting to GITCO and GRCMC included tracking of key risk indicators (including independent security ratings and cybermetric coverage), progress on the cyberresilience programme, and periodic independent cyberresilience assessment and benchmarking outcomes.

    Cyberreporting for the period also explicitly recorded the detection of major cyberincidents, which were addressed in accordance with the bank's established cyberincident response protocols, with management actions identified to remediate the control themes highlighted by those incidents. Governance reporting further recorded the execution of cybercrisis simulation activities and ongoing resilience validation practices (including breach and attack simulation), supporting confidence in preparedness and response capability.


  3. Emerging and innovative technology risks

    Whether the governing body is satisfied that the ethical, legal and operational risks associated with the use of emerging, innovative and disruptive technologies are effectively managed and addressed.


    The board is satisfied that the ethical, legal and operational risks associated with emerging, innovative and disruptive technologies are effectively managed and addressed, based on the delegated governance model and risk reporting received during the period. GITCO's mandate explicitly includes the oversight of frameworks and governance for material technology risks and exposures (including those arising from cyberthreats and artificial intelligence), and the organisation's cyberresilience reporting reflects active monitoring of evolving technology risk drivers (including artificial intelligence-enabled threats and other emerging technology considerations).

    Third-party technology dependence is governed through established third-party management practices and contractual oversight, including the annual review and monitoring of large IT contracts and vendor performance, while recognising that gaps persist and are addressed through ongoing enhancement initiatives.


  4. Artificial intelligence (AI) accountability and human oversight

    With regards to AI, whether the governing body is satisfied that the accountability for decisions, actions, outputs and outcomes is clearly established – including that automated technologies are subject to human oversight and override mechanisms that are commensurate with their level of risk to the organisation and its stakeholders.


    The board is satisfied that accountability for decisions, actions, outputs and outcomes relating to AI is being clearly established, including that automated technologies are subject to human oversight and override mechanisms commensurate with risk. The governance approach positions oversight of AI across the relevant delegated committees, with explicit focus on values-based AI considerations (including ethics, accountability, transparency, explainability, security, privacy, fairness and trustworthiness) being recognised and embedded through evolving governance arrangements.

    Management has developed enabling artefacts to support operational AI governance and accountability [including an AI playbook incorporating a Responsible, Accountable, Consulted, Informed (RACI) model; the AI Acceptable Use Guideline; and the AI Risk Management Standard], and governance structures are continuing to strengthen the extent to which such artefacts are formally tabled and evidenced within board committee reporting lines as AI capability matures. The AI Risk Management Framework and AI Governance Framework are being developed.