REPORT TO THE FINANCIAL SERVICES AUTHORITY ON HIGH LEVEL CONTROLS WITHIN THE ROYAL BANK OF SCOTLAND GROUP plc

JUNE 2008

SECTION-PAGE 1. INTRODUCTION 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 2. Purpose of Report Group Organisational Structure Authorised Institutions Corporate Governance Boards and Senior Committees Key Roles Support and Control Functions Strategic Planning Strategic Investment and Project Expenditure Budgetary Control Asset and Liability Management Process for Monitoring and Reporting on Internal Control Group Policy Framework 1 1-1 1-1 1-3 1-4 1-4 1-7 1-8 1-10 1-10 1-11 1-11 1-11 1-11 2 2-1 2-2 2-5 2-7 2-11 2-13 2-15 2-17 2-23 2-26 2.28 2-33 2-36 2-39 2-41 3 3-1 3-1 3-2

BOARDS AND SENIOR COMMITTEES 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 Diagram Group Board of Directors Bank Board of Directors Group Executive Management Committee Group Nominations Committee Chairman's Committee Group Chief Executive's Advisory Group Group Audit Committee Group Remuneration Committee Advances Committee Group Credit Committee Group Risk Committee Group Asset and Liability Management Committee Group Investment Committee Appendix: Conversion of Unquoted Investments

3.

STRATEGIC PLANNING 3.1 3.2 3.3 Purpose Process Relationship between Strategic and Operational Planning

4.

SECTION-PAGE 4. BUDGETARY CONTROL 4.1 4.2 4.3 4.4 5. General Principles Annual Budget Process Quarterly Reforecast Process Review of Monthly Performance 4 4-1 4-1 4-1 4-2 5

STRATEGIC INVESTMENT AND PROJECT EXPENDITURE 5.1 5.2 Strategic Investment Strategic Investment and Project Expenditure Process and Limits Appendix: Acquisitions and Disposals Procedure

5-1 5-1 5-4 6 6-1 6-2 6-3 6-3 6-5 7 7-1 7-2 7-4 7-7 7-8 8 8-1 8-1 8-1 8-2 8-3 8-3 8-3 8-4 8-6

6.

ASSET AND LIABILITY MANAGEMENT 6.1 6.2 6.3 6.4 6.5 Capital Adequacy Funding and Liquidity Intra-Group Credit Exposures and Integrated Group Membership Policy Non-Trading Interest Rate and Foreign Currency Risk Own Asset Securitisation

7.

RISK MANAGEMENT 7.1 7.2 7.3 7.4 7.5 Governance Credit Risk Market Risk Operational Risk Regulatory Risk

8.

INTERNAL AUDIT 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 Authority Purpose and Roles Audit Approach and role with respect to Risk Management Reporting Scope Rights and Authorities General Internal Audit Policy Organisation of Internal Audit within the Group

9.

9.

PROCESS FOR MONITORING AND REPORTING ON INTERNAL CONTROL 9.1 9.2 9.3 9.4 Introduction The Groups Internal Control Reporting Process Responsibilities Group Finance Director

9-1 9-1 9-2 9-4

10.

GROUP POLICY FRAMEWORK 10.1 10.2 10.3 10.4 10.5 10.6 Overview Definitions Objectives Group Policies Standard Exceptions to Group Policy Assurance

10 10-1 10-1 10-2 10-2 10-3 10-3

1-1

1. 1.1

INTRODUCTION Purpose of Report

This Report sets out the various high level controls that exist within The Royal Bank of Scotland Group plc ("the Group"). The Group is listed on the London, New York and Euronext Amsterdam Stock Exchanges. It has amongst its direct and indirect subsidiaries The Royal Bank of Scotland plc ("RBS"), National Westminster Bank Plc ("NatWest") (collectively "the Bank"), Citizens Financial Group, Inc. ("Citizens"), Ulster Bank Limited ("Ulster Bank") and Direct Line Group Limited ("Direct Line"), Churchill Insurance Group PLC ("Churchill"), RFS Holdings B.V. (RFS Holdings), ABN AMRO Holdings N.V. (ABN AMRO) and their respective subsidiaries. 1.2 Group Organisational Structure
Group Chief Executive

Group Manufacturing

ABN AMRO

Global Markets

Regional Markets

RBS Insurance

Group Finance

RBS Risk Management

Global Transaction Services

Global Banking & Markets

RBS Americas

Group Human Resources

RBS UK Group Legal & Secretariat

RBS Europe & Middle East

Group Strategy

RBS Asia and Wealth Management

Group Communications

The principal businesses of the Group, with the current exceptions of RBS Insurance and ABN AMRO are clustered into customer-facing divisions, supported by a central Manufacturing division. A summary of each Group business is as follows:a) Regional Markets

Regional Markets provides consumer banking, business and commercial banking and wealth management products and services to customers in the US, UK, Europe & Middle East, and Asia. RBS /

1-2

RBS UK The RBS UK constituent businesses are Consumer Banking, Business Banking, Major Corporate Banking, Regional Corporate Banking, Specialist Corporate Business Group, Commercial Banking and Scotland. RBS Americas The RBS Americas businesses are comprised primarily of two distinct divisions, Citizens Financial Group (Citizens) and Global Banking and Markets, North America (GBM North America). RBS Americas is a management structure which oversees and coordinates the RBS businesses in the Americas and is not itself an operating entity, holding company or business division. RBS Asia and Wealth Management The RBS Asia and Wealth Management Division consists of four primary business units together with centralised support functions, namely Adam & Company, Coutts UK, Offshore Banks and RBS Coutts International RBS Europe and Middle East The RBS Europe and Middle East businesses are comprised primarily of two divisions, Ulster Bank Group, operating on the island of Ireland, and retail and commercial businesses operating across Europe and the Middle East. Tesco Personal Finance is part of Regional Markets, reporting in via the Director, Chairmans Office. (b) Global Markets

The businesses within Global Markets operate across the UK, Continental Europe, North America and Asia Pacific. It comprises Global Banking and Markets (GBM), which serves many of the largest corporates in these areas, including over 95 per cent of the FTSE 100 and over 80 per cent of the Fortune 100, plus many of the most influential financial institutions in the world. It also encompasses Global Transaction Services (GTS), the Groups leading cash management, liquidity management, trade finance and merchant acquiring capabilities, ranking among the top five payments businesses in the world. (c) Manufacturing

Manufacturing provides five key services to the wider group (Operations, IT, Purchasing, Property and Group Security & Fraud). Manufacturing supports the customer-facing businesses, providing operational technology, customer support in telephony, account management, lending and money transmission, global purchasing, property and other services. Manufacturing drives efficiencies and supports income growth across multiple brands and channels by using a single, scalable platform and common processes wherever possible. It also leverages the Groups purchasing power and has become the centre of excellence for managing large-scale and complex change. (d) /

1-3

(d)

RBS Insurance

RBS Insurance sells and underwrites retail and SME insurance over the telephone and internet, as well as through brokers and partnerships. Direct Line, Churchill, and Privilege sell general insurance products direct to the customer. Through its International division, RBS Insurance sells general insurance, mainly motor, in Spain, Germany and Italy. The Intermediary and Broker division sells general insurance products through independent brokers. (e) ABN AMRO

RFS Holdings B.V. (RFS) was incorporated for the purpose of acquiring ABN. RFS is owned by a consortium of RBS (38.2%), Fortis (33.8%) and Santander (27.9%) (the Consortium) and the Consortium, through RFS, acquired ABN AMRO on 17 October 2007. The basis of the Consortium parties investment is set out in the Consortium and Shareholders Agreement and the Supplemental Consortium and Shareholders Agreement (the CSA). This also details the assets each of the Consortium parties will acquire. Upon separation of ABN AMRO, RBS will acquire: Business Unit (BU) North America; BU Global Clients (including global and wholesale clients distributed to other BUs during 2006 / 2007 but excluding Brazil); BU Asia (excluding the Saudi Hollandi interest); BU Europe (excluding Banco Antonveneta).

The separation and integration of these businesses is in progress and it is currently proposed that it will be completed by the end of 2009. There are a number of additional assets currently owned by RFS, the ultimate ownership of which is currently undetermined. These assets will continue to be owned jointly by the Consortium until they are disposed of to either a Consortium party or to a third party. The lead regulator that has overseen this acquisition is De Nederlansche Bank (DNB). As part of their approval to allow the acquisition to proceed it was agreed that ABN AMRO shall be operated and governed in accordance with the governance, risk management and systems and controls policies and procedures reasonably determined by RBS from time to time to be necessary or desirable to ensure ABN is managed in accordance with the regulatory requirements applying under applicable laws and regulations. This is reflected in the CSA. RBS has lead responsibility and is therefore ultimately responsible for the regulatory compliance and reporting of ABN AMRO. 1.3 Authorised Institutions

The undernoted banking companies within the Group are authorised institutions under the Financial Services and Markets Act 2000:(a) (b) The Royal Bank of Scotland plc; /

1-4

(b) (c) (d) (e) (f)

National Westminster Bank Plc; Coutts & Co; Ulster Bank Limited; Adam & Company PLC; and Tesco Personal Finance Limited.

Companies (a) to (e) inclusive are wholly-owed subsidiaries of the Group. Company (f) is a joint venture between RBS and Tesco PLC. Each company maintains a separate High Level Control Report on its activities which is reviewed and updated at least annually. High Level Control Reports for companies (a) and (b) are incorporated within this Report. All these Reports conform to and are consistent with the control framework set out in this Report. 1.4 Corporate Governance

The Group is committed to high standards of corporate governance, business integrity and professionalism in all its activities. RBSG complies with the provisions of the revised Combined Code (the Code) issued by the Financial Reporting Council (FRC) in 20061, the Smith Guidance on Audit Committees and the standards of corporate governance and business and financial disclosure imposed by the US Sarbanes-Oxley Act 2002. 1.5 Boards and Senior Committees
Group Audit Committee

Group Nominations Committee

Group Board of Directors

Chairman's Committee Group Remuneration Committee

Group Executive Management Committee

Bank Board of Directors

Advances Committee

Group Chief Executive's Advisory Group

Group Credit Committee

Group Investment Committee

Group Asset & Liability Management Committee

Group Risk Committee

(a)
1

RBSG complies with the Combined Code save in relation to the authority reserved to the Board to make the final determination of the remuneration of Executive Directors.

1-5

(a)

Group Board of Directors The Group Board is the principal decision-making forum for the Group. It approves Group strategy, including the strategies for each of the principal businesses, and monitors overall Group performance and the performance of the principal businesses. It also reviews acquisitions and other significant transactions, and is responsible for capital raising and allocation and determines dividend policy. The Group Board normally meets eight or nine times per year. Ad hoc meetings are convened as and when necessary.

(b)

Bank Board of Directors The Bank Board of Directors meets principally to satisfy statutory and regulatory requirements in respect of the Bank. The content of agendas reflects its statutory and regulatory responsibilities.

(c)

Group Executive Management Committee (GEMC) The GEMC meets monthly, with ad hoc meetings being convened as necessary. The GEMC provides Executive support to the Group Board to enable it to discharge its responsibilities. It reviews high level strategic issues in advance of these being discussed by the Group Board and formulates and reviews policy relating to Group Risk. The operational management of the business of the Group has also been devolved to the GEMC. The authorities delegated to the GEMC are consistent with the overall control procedures determined by the Group Board. Advice is provided to GEMC by the Executive Teams from the various businesses and Divisions as required.

(d)

Group Chief Executives Advisory Group The Group Chief Executive's Advisory Group acts as a forum for the provision of information and advice to the Group Chief Executive. The Group Chief Executive's Advisory Group is not a Committee of the Group Board and derives no delegated authority from the Board, although it does form part of the control process of the Group.

(e)

Group Nominations Committee The Group Nominations Committee meets as required and is responsible for making recommendations to the Group and Bank Boards in respect of Non-executive and Executive Board appointments, membership of Board Committees and succession planning. It is involved in the selection and appointment of individuals to senior positions. Executive Director appointments are made by the Group Board and Bank Board, and other Executive appointments are made by the Group Board, Bank Board and Group Executive Management Committee, as appropriate.

(f)

1-6

(f)

Chairman's Committee The Chairman's Committee meets only when required and is responsible for exercising all the powers of the Group Board or the Bank Board without limitation as it shall deem necessary in the event of emergencies or in respect of material matters that require an immediate decision. It operates under a comprehensive delegated authority from the Group Board and the Bank Board.

(g)

Group Audit Committee The Group Audit Committee, which also acts as Audit Committee for the Bank, meets a minimum of five times per year, and as required. It is responsible for assisting the Board in carrying out its duties relating to accounting policies, internal control, financial reporting and risk assessment. It operates under delegated authority from the Group Board. A Divisional Audit Committee structure has also been established to support the Group Audit Committee. Divisional Audit Committees have been established for Global Markets and each Regional Market business in addition to the Committees required for Citizens, Ulster, ABN AMRO and RBS Insurance. Divisional Audit Committee meetings will take place at least four times per annum and will report into their respective Divisional Boards and the Group Audit Committee. Their Terms of Reference are based on those of the Group Audit Committee.

(h)

Group Remuneration Committee The Group Remuneration Committee meets three times per year, and as required. It is responsible for considering and making recommendations to the Group Board in respect of the policies of the Group on remuneration and, as required, the remuneration arrangements of Directors of the Group and Bank, including pension rights, service contracts and compensation payments. It operates under delegated authority from the Group Board.

(i)

Group Investment Committee The Group Investment Committee is responsible for reviewing and managing a number of investments (i.e. the holding of shares) held throughout the Group which are not dealt with as ordinary business by the Investment Committees of the relevant business areas concerned.

(j)

Group Asset and Liability Management Committee (GALCO) GALCO operates as a sub-committee of GEMC and is responsible for identifying, managing and controlling Group balance sheet risks in executing its chosen business strategy. Balance sheet risks are managed by setting limits and controls across the dimensions of capital, funding and liquidity, intragroup credit exposures and non-trading interest rate, equity exposure and foreign /

1-7

foreign currency translation risks. Group Treasury is responsible for managing the Group balance sheet in accordance with GALCO policy and direction. (k) Group Risk Committee Group Risk Committee ("GRC") is a sub-committee of GEMC. It recommends and approves (subject to delegated authority from GEMC) limits, policies, processes and procedures to enable the effective management of risk across the Group. Its remit includes all credit risk, market risk, operational risk, compliance and regulatory risk, enterprise risk and country risk affecting or likely to affect the Group. (l) Advances Committee The Advances Committee is responsible for approving proposals on behalf of the Group Board which are recommended to it by Group Credit Committee, and, in particular, facility limits in excess of those authorities delegated to Group Credit Committee. (m) Group Credit Committee The Group Credit Committee is responsible for the review of specific information including, as appropriate, credit grade and Loss Given Default (LGD). The Group Credit Committee will also be responsible for approving proposals (including agreeing the final credit grade(s) and LGD(s) and any overrides thereof) for facility limits in excess of those authorities delegated to divisional Credit Committees. The Committee will make recommendations to the Advances Committee for approval of facilities in excess of the Group Credit Committees delegated authority. High level controls are exercised through a number of Board and other Committees. 1.6 (a) Key Roles The Chairman The Chairman is appointed by the Directors collectively and his appointment is confirmed by each of the Group and Bank Boards annually. He chairs meetings of the Group and Bank Boards and is involved closely in the high level affairs of the Group and the Bank. The Chairman receives support from the Group functions referred to above, as required. (b) Group Chief Executive The Group Chief Executive has ultimate Executive responsibility for all businesses of the Group and acts in accordance with authority delegated from the /

1-8

the Boards of Directors. The Group Chief Executive is responsible for: a) overall strategy and the direction of the Group strategic alliances and partnerships; and b) acquisitions, disposals and joint ventures. The Group Chief Executive is supported by: i. a Strategy Unit with responsibility for high level strategy development and management of the annual Strategy Development Cycle; and ii. a Communications function to manage media relations and both internal and external communications. The Group Chief Executive also has delegated authority from the Board of Directors to take decisions in respect of the Groups businesses as and when the need to do so arises. Such decisions will include issues that do not otherwise fit within the normal control framework and will normally be subject to a financial limit of 100 million. In such an event, the Group Chief Executive will report his actions forthwith to the Chairman or a Vice-chairman and obtain ratification or approval from the Chairmans Committee or at the next scheduled meeting of the Board of Directors. The Group Chief Executive's Advisory Group meets daily for brief discussions on current issues affecting the Group. (c) Non-executive Directors The Non-executive Directors of the Group are involved through the medium of the Group Board in the discussion and monitoring of strategy and financial performance. The Group Audit Committee is comprised wholly of Non-executive Directors, as is the Group Nominations Committee and the Group Remuneration Committee. Membership of the Chairman's Committee comprises nominated Non-executive and Executive Directors of the Group. Members of the Executive of the Group and Bank, including Executive Directors, sit on the Boards of the Group's principal subsidiaries in a Non-executive capacity. 1.7 (a) Support and Control Functions Group Finance There is a central finance function, headed by the Group Finance Director, who reports to the Group Chief Executive. This covers asset and liability management, capital raising, credit policy, financial /

1-9

financial systems, financial control and monitoring, financial reporting, internal audit (for administrative and budgeting purposes), investor relations, management of the balance sheet, risk management and taxation. (b) RBS Risk Management The Group has an independent risk management function ("RBS Risk Management") responsible for ensuring there is an appropriate risk governance framework implemented on a Group wide and Divisional basis and that day-to-day risks are managed within this framework. The Group Chief Risk Officer leads this function through the strategic setting and execution of its responsibilities and reports directly to the Group Finance Director. At a Divisional level, the Group Chief Risk Officer is supported by the Divisional Chief Risk Officers who each have a direct functional reporting line to the Group Chief Risk Officer. The Divisional Risk Management departments typically focus on credit, market, operational and regulatory risk, together with insurance risk where appropriate to the business activities. The oversight of these departments is undertaken by the appropriate Group Risk function. (c) Group Internal Audit (GIA) GIA is an independent assurance function established within the Group. GIA supports the Group and Bank Boards and Executive in achieving their strategic and operational objectives and in discharging their corporate governance responsibilities. GIA's role is to: assess how key business risks are being managed and controlled throughout the Group and report the results to the Group Executive and Group Audit Committee; influence the continuous development of the risk management and control process through sharing best practices across the Group.

The Head of GIA has overall responsibility to the Group Board and the Group Audit Committee for the provision of Internal Audit services throughout the Group. All activities undertaken within, and on behalf of, the Group fall within the scope of GIAs remit. This includes all Group functions, divisions, and subsidiaries. GIA responsibilities also extend to the relevant Subsidiary and Divisional Audit Committees. (d) Group Legal and Secretariat (GL & S) GL& S has responsibility for legal and company secretarial policy, for providing a full legal service, including the management of litigation, to the Group's businesses and for providing a full company secretarial service to the Board /

1-10

Board and a number of subsidiary/JV companies. It is also responsible for corporate governance, listing authority compliance and liaison, shareholder services and intellectual property. It provides and manages the legal resource in respect of acquisitions, disposals and joint ventures. (e) Human Resources (HR) HR, headed by the Group Director, Human Resources, who reports to the Group Chief Executive, has responsibility for Group-wide HR policy and process, as well as providing advisory support and related services to the Group and its businesses. 1.8 Strategic Planning

Business strategy development is the responsibility of line management, and ultimately the Group Chief Executive. The purpose of the Groups strategic planning process is to ensure that the business divisions, and the Group, are identifying appropriate and sufficient strategic growth opportunities, at acceptable levels of risk, to deliver the Groups goal of delivering superior, sustainable value for shareholders. The process is also intended to ensure that all members of the Group Executive Management team, and the wider senior management group, understand the strategy of each of the divisions, and can contribute where appropriate, and that the Group Board has the opportunity to assess, and give input into, the divisions and the Groups strategy. 1.9 Strategic Investment and Project Expenditure

The strategy planning cycle identifies opportunities for expansion, diversification and divestment. Where appropriate, specialist teams are set up to investigate particular opportunities. On occasion, this work will entail the appraisal of possible acquisitions. A detailed financial model is constructed, where appropriate, to forecast the potential return and sensitivity analyses are also undertaken. The teams undertaking such studies usually include staff from the Group Corporate Legal, Group Corporate Finance, Group Strategy and Group Projects, with other secialist skills added as appropriate. Final reports and recommendations are reviewed by the Group Chief Executive with major acquisitions being presented to the Group Board for authority to proceed. A similar approach is followed in respect of unsolicited approaches from third parties and in respect of joint venture projects. Disposals of business units or assets follow similar procedures to acquisitions. The strategy planning cycle provides an opportunity to identify units which no longer fit within the Group's overall strategy. The Group has a detailed codified Acquisitions and Disposals Procedure in respect of its systems of control over acquisitions, disposals and joint ventures.

1.10

1-11

1.10

Budgetary Control

The financial planning and control process comprises the annual budget process for the following four years, quarterly reforecasts which cover the current year and following year and the monthly reporting process. The budget process follows on from the group strategy review and involves the divisions preparing projections for operating income, costs & profit, headcount, balance sheet, capital expenditure and their capital planning assumptions. Key operating and financial ratios, including capital adequacy, are determined. These projections are split between base case and strategic projects carried forward or identified as part of the strategy review. 1.11 Asset and Liability Management

The Group Asset and Liability Management Committee (GALCO), a subcommittee of the GEMC, is responsible for identifying, managing, and controlling Group balance sheet risks in executing its chosen business strategy. These risks are managed by setting limits and controls across the dimensions of capital, funding and liquidity, intra-group credit exposures and non-trading interest rate, equity exposure and foreign currency translation risks. GALCO is also responsible for authorising own asset securitisation transactions. Group Treasury is responsible for managing the Group Balance sheet, operating independently of the Groups businesses and in accordance with the GALCO policy and direction. 1.12 Process for Monitoring and Reporting on Internal Control

The Combined Code is a code of corporate governance best practice. The FSAs Listing Rules require listed companies to make a disclosure statement in two parts in relation to the Combined Code in the Annual Report and Accounts. In the first part of the statement the Group has to report on how it has applied the principles in the Combined Code, in the second part of this statement the Group has to confirm that it complies with the Combined Codes provisions or explain why it does not. The Board regularly receives and reviews reports on internal control. In addition the Board annually reviews the effectiveness of the system of internal control. This review covers all material controls and supports required disclosures under the Combined Code. 1.13 Group Policy Framework

The Group Policy Framework, in its current form, captures, maintains and provides access for all Group employees to current Group-wide Policies. The Group Policy Framework includes all Group Policies which are listed on the Group intranet site, Insite, and which can be distributed in paper form to employees and agents with no access to Insite. Monitoring of and compliance with Group Policies is the responsibility of the Policy owner and Policy assurance is being integrated into the quarterly self-certification process. The Group Policy Framework and its integration into the wider control environment is currently under review by RBS Risk Management. The Group Policy Framework is administered by RBS Risk Management.

2-1

2 2.1

BOARDS AND SENIOR COMMITTEES

Group Nominations Committee

Group Audit Committee

Group Board of Directors

Chairman's Committee Group Remuneration Committee

Group Executive Management Committee

Bank Board of Directors

Advances Committee

Group Chief Executive's Advisory Group

Group Credit Committee

Group Investment Committee

Group Asset & Liability Management Committee

Group Risk Committee

2-2

2.2

GROUP BOARD OF DIRECTORS TERMS OF REFERENCE

MEMBERS: QUORUM: MEETINGS: CHAIRMAN:

The Board of Directors According to the Articles of Association Eight or nine times per year and ad hoc as required. The Chairman of the Group as appointed by the Board from time to time, or, in his absence, the Senior Independent Director or the Chairman appointed by the meeting. Group General Counsel and Group Secretary

SECRETARY:

Main Responsibilities: The Group Board will be the main decision making forum at Group level. It will consider strategic issues and risk, and approve expenditure over certain limits in respect of its principal businesses. It will have overall responsibility for management of the business and affairs of the Group, the establishment of Group strategy and capital raising and allocation. The Board will monitor and oversee the Group's operations, ensuring competent and prudent management, sound planning, proper procedures for the maintenance of adequate accounting and other records and systems of internal control, and for compliance with statutory and regulatory obligations. In carrying out the duties of the Group Board, the Directors will act in accordance with all relevant and applicable legislative and regulatory rules. In particular, they will take into account the Directors Duties contained in the Companies Act 2006 and will consider the factors listed in Section 172 of the Companies Act 2006 and any other relevant factors. To enable the Group Board to carry out its objectives, authority and terms of reference will be delegated to the Boards of its principal businesses and committees appointed by the Board, as required. In particular, there will be Group Audit, Group Remuneration and Group Nominations Committees comprised of Non-executive Directors and a Chairman's Committee to which the powers of the Board will be devolved in certain circumstances. Matters not specifically delegated will be reserved to the Group Board. The Group Executive Management Committee will provide executive input to the Group Board, and will monitor and report to the Group Board on all operational and day to day activities in relation to the Group's principal businesses. Membership of the Group Board will comprise the appropriate Group Executive Directors along with the Chairman and Non-executive Directors. Detailed /

2-3

Detailed Responsibilities: The detailed responsibilities of the Board are to: 1. Determine and review the Group's strategic direction including, as appropriate, the strategies for each of the principal business units. Determine the Group's key financial objectives including: (a) (b) 3. Prudential and other ratios; and Target rates of return on capital and on assets.

2.

Consider emerging issues which may be material to the business and affairs of the Group. Keep under review and maintain the Group's capital and liquidity positions. Review and approve proposals for the allocation of capital and other resources within the Group. Approve material acquisitions and disposals of assets and share acquisitions and disposals which are significant in terms of the business of the Group. Approve material joint ventures, strategic partnerships and alliances which are significant in terms of the business of the Group. Review and approve the Group's annual capital and revenue budgets (and any material changes thereto). Receive monthly Business and Financial Reports from the principal business units and consolidated reports for the Group and review actual performance in the light of the Group's strategy, objectives, corporate and business plans and budgets. Consider and approve the Group's procedures for reviewing and monitoring risk, and receive regular reports thereon. Approve the Group's Annual Report and Accounts and its other published financial statements and other material and significant statements issued to shareholders or the London Stock Exchange. Determine dividend policy. Approve arrangements for Annual and Extraordinary General Meetings. /

4. 5.

6.

7.

8.

9.

10.

11.

12. 13. 14.

2-4

14.

Receive and consider high level reports on matters material to the Group, in particular: (a) (b) (c) (d) (e) (f) (g) (h) (i) (j) Relations with Regulatory Authorities; Human Resources matters; Information systems and Technology; Insurance cover; Disaster recovery; Litigation and claims; Premises; Investor and public relations; Environmental Policy; and Socially Responsible Investment Policy.

15.

Establish and maintain appropriate accounting policies, implement and monitor the maintenance of adequate accounting and other records and systems of planning and internal control and inspection. Consider and approve appointments to the Boards of the Group and the Bank, the Group Executive Management Committee, and approve remuneration arrangements for Executive Directors. Receive the Minutes of and/or reports from the Boards of subsidiary companies and the Committees of the Group Board. Approve delegated authorities for expenditure and for lending, and for other risk exposures. Review and, as appropriate, agree changes in the terms of reference of subsidiary Boards and Committees established by the Board. Approve the appointment of Reporting Accountants under the terms of Section 342 of the Financial Services and Markets Act 2000.

16.

17.

18.

19.

20.

2-5

2.3

BANK BOARD OF DIRECTORS* TERMS OF REFERENCE AND REPORTING LINE

* (The Royal Bank of Scotland plc and National Westminster Bank Plc) GROUP BOARD OF DIRECTORS BANK BOARD OF DIRECTORS MEMBERS: QUORUM: MEETINGS: The Board of Directors According to the Articles of Association As required to meet statutory and regulatory requirements. The Chairman of the Bank as appointed by the Board from time to time, or, in his absence, the Senior Independent Director or the Chairman appointed by the meeting. Group General Counsel and Group Secretary

CHAIRMAN:

SECRETARY: Main Responsibilities:

The Bank Board will meet principally to fulfil statutory and regulatory functions in respect of the Bank. The main forum for controlling and directing the Bank's business will be the Group Executive Management Committee. To enable the Bank Board to carry out its objectives, authority and terms of reference will be delegated to the Group Executive Management Committee and committees appointed by the Bank Board, as required. The Bank Board will normally have a common membership with the Group Board. In carrying out the duties of the Bank Board, the Directors will act in accordance with all relevant and applicable legislative and regulatory rules. In particular, they will take into account the Directors Duties contained in the Companies Act 2006 and will consider the factors listed in Section 172 of the Companies Act 2006 and any other relevant factors.

Detailed Responsibilities: The detailed responsibilities of the Bank Board are to: 1. Keep under review and maintain the capital and liquidity positions of the Bank and its subsidiaries. /

2.

2-6

2.

Approve the charges to be made and aggregate provisions to be held in the consolidated accounts of the Bank for Bad and Doubtful Debts. Approve the Bank's Annual Report and Accounts and its other published financial statements. Approve dividend payments within agreed Group policy. Approve arrangements for Annual and Extraordinary General Meetings. Receive and consider high level reports on matters material to the Bank, in particular relations with Regulatory Authorities and Regulatory Risk. Consider and approve appointments to the Bank Board. Approve delegated authorities for expenditure and for lending, and for other risk exposures. Review and as appropriate agree changes in the terms of reference of subsidiary Boards and Committees established by the Bank Board. Approve the appointment of Reporting Accountants under the terms of Section 342 of the Financial Services and Markets Act 2000.

3.

4. 5. 6.

7. 8.

9.

10.

2-7

2.4

GROUP EXECUTIVE MANAGEMENT COMMITTEE TERMS OF REFERENCE AND REPORTING LINE

GROUP BOARD OF DIRECTORS GROUP EXECUTIVE MANAGEMENT COMMITTEE

MEMBERS:

+ + + + +

Group Chief Executive Group Finance Director Chairman, Retail Markets Chairman, Global Markets Chairman, Managing Board, ABN AMRO Chief Executive, RBS Insurance Chief Executive, Group Manufacturing Chief Executive, Global Banking and Markets Chief Executive, RBS Americas Chief Executive, RBS UK Chief Executive, RBS Europe and Middle East Director, Group Human Resources Group General Counsel and Group Secretary Director, Group Strategy Group Chief Risk Officer Director, Group Economics and Corporate Affairs Six members, at least one of whom should normally be the Group Chief Executive or a Group Executive Director Deputy Chief Executive Officer, Global Banking and Markets Chief Executive, Global Transaction Services Chief Executive, RBS Asia Head of Global Banking and Markets, Asia

QUORUM:

IN ATTENDANCE:

MEETINGS:

Monthly, by video, to discuss risk and financial issues, quarterly face to face meetings and ad hoc as required Group Chief Executive, failing whom a Group Executive Director /

CHAIRMAN:

SECRETARY:

2-8

SECRETARY DELEGATED AUTHORITY Main Responsibilities:

Head of Group Secretariat Group project expenditure: between 25 million and 100 million (See Section 5)

The Group Executive Management Committee will be responsible for all operational decisions in relation to the business of The Royal Bank of Scotland Group plc and its subsidiaries. For management purposes, the Group Executive Management Committee will report directly to the Group Board, although statutory and regulatory reports will be made to the Boards of The Royal Bank of Scotland plc and National Westminster Bank Plc (the Bank Boards) as necessary. The Group Executive Management Committee will operate under delegated authority from the Group Board and, as appropriate, the Bank Boards. Membership of the Group Executive Management Committee will comprise the Executives responsible for the Group's principal business units and Group functions. Detailed Responsibilities: Monthly video meetings with be held to discuss, in particular, risk and financial matters. The detailed responsibilities of the Group Executive Management Committee, which will be considered quarterly, will cover, in particular, the following:1. Group Strategy To recommend and review Group Strategy and: (a) monitor the Group's key financial objectives consistent with Group policy; formulate and review the Group's strategy, including the strategies for each of the principal business units; submit the strategy to the Group Board for approval; and consider emerging issues which may be material to the business and affairs of the Group.

(b)

(c)

2.

Budgets To review and recommend for Group Board approval the Group's annual capital and revenue budgets.

3.

2-9

3.

Capital allocations (a) To consider joint ventures, strategic projects/investments and new businesses, regardless of level of expenditure; To approve all projects for the Group, and principal business divisions, with expenditure between 25 million and 100 million. It will also require to consider whether, because of the nature of the proposal, it should be referred for consideration by the Group Board; To monitor and manage the capital and liquidity positions of the Group and its principal businesses; To review and approve proposals for the allocation of capital and other resources within the Group; To review any investment decisions which are considered to be strategic in nature; To allocate capital to the various business units throughout the Group to achieve the highest returns commensurate with the risks undertaken.

(b)

(c)

(d)

(e) (f)

4.

Results To receive monthly business and financial reports from the principal business units and consolidated reports for the Group, and review actual performance in light of the Group strategy, objectives, corporate and business plans and budgets.

5.

Risk (a) Strategy and Policy (i) To consider and as necessary approve any risk management matters referred to it by the Group Risk Committee; To consider and approve all Group policies, processes and procedures across the Group; To consider and approve Group, divisional and business area limits in respect of credit risk, enterprise risk, market risk and regulatory risk; To define overall strategy for the management of the Group balance sheet; To approve Group-wide risk management strategies; and /

(ii)

(iii)

(iv)

(v) (vi)

2-10

(vi)

To ensure that risk considerations are incorporated within the strategic planning and budgeting processes and consider and as necessary approve any matter appropriately referred to it by the Group Risk Committee; To consider and approve the opening of overseas branches and representative offices, and any related requirements.

(vii)

(b)

Management (i) To approve/recommend for approval the charges to be made and aggregate provisions to be held in the consolidated accounts of the Group for Bad and Doubtful Debts; To establish, implement and monitor the maintenance of adequate accounting and other records and systems of planning and internal control and inspection; receive regular reports thereon; and To approve delegated authorities for expenditure and for lending, and for other risk exposures.

(ii)

(iii)

6.

Operational Issues (a) To receive and consider reports on matters material to the Group, in particular: (i) (ii) Relations with Regulatory Authorities; Human Resources matters, including pension scheme arrangements; Information systems and technology; Insurance cover; Disaster recovery; Litigation and claims; Premises;

(iii) (iv) (v) (vi) (vii)

(viii) Signing authorities; (b) To consider and approve Business Unit Executive appointments and, as appropriate, remuneration arrangements.

2-11

2.5

GROUP NOMINATIONS COMMITTEE REPORTING LINE AND TERMS OF REFERENCE

GROUP BOARD OF DIRECTORS

BANK BOARD OF DIRECTORS

GROUP NOMINATIONS COMMITTEE

MEMBERS:

Chairman of the Group Senior Independent Director At least one other independent Non-executive Director

QUORUM:

Two members, one of whom must be the Chairman of the Group or the Senior Independent Director Group Chief Executive Group General Counsel and Group Secretary As required Chairman of the Group or, in his absence, the Senior Independent Director. The Senior Independent Director will chair the Committee when it is dealing with the appointment of a successor to the Chairman.

IN ATTENDANCE:

MEETINGS: CHAIRMAN:

SECRETARY: Main Responsibilities:

Senior Assistant Secretary

The Group Nominations Committee will be responsible for considering and making recommendations to the Group Board in respect of appointments to the Boards of Directors. In addition, the Committee will make recommendations in respect of membership and chairmanship of Group Board Committees. In carrying out the duties of the Group Nominations Committee, the Directors will act in accordance with all relevant and applicable legislative and regulatory rules. In particular, they will take into account the Directors Duties contained in the Companies Act 2006 and will consider the factors listed in Section 172 of the Companies Act 2006 and any other relevant factors.

Detailed Responsibilities: /

2-12

Detailed Responsibilities: 1. To review regularly the structure, size and composition of the Board and make recommendations to the Board with regard to any changes. 2. To review and make recommendations on Board appointments (executive and non-executive), having regard to the overall balance of skills, knowledge and experience on the Board. 3. To prepare a description of the role and capabilities required for each particular Board appointment, following an evaluation of the balance of skills, knowledge and experience on the Board. 4. To consider succession planning taking into account the skills and expertise which will be needed on the Board in the future. 5. To make recommendations to the Board in respect of composition and membership/chairmanship of Group Board Committees.

2-13

2.6

CHAIRMAN'S COMMITTEE TERMS OF REFERENCE AND REPORTING LINE GROUP BOARD OF DIRECTORS CHAIRMAN'S COMMITTEE BANK BOARD OF DIRECTORS

MEMBERS: QUORUM:

The Board of Directors Scheduled Meetings Any three Members Ad-hoc Meetings Three Members, Two of whom must be the Chairman, the Senior Independent Director, or the Chairman of the Group Audit Committee; and One of whom must be the Group Chief Executive or the Group Finance Director.

IN ATTENDANCE: MEETINGS:

Group General Counsel and Group Secretary Three scheduled meetings per year and ad hoc as required Chairman, failing whom, the Senior Independent Director Deputy Group Secretary

CHAIRMAN:

SECRETARY: Main Responsibilities:

The Chairman's Committee will be responsible for exercising all the power of the Group Board and Bank Board without limitation. The Chairmans Committee will operate under delegated authority from the Group and Bank Board. In carrying out the duties of the Chairmans Committee, the Directors will act in accordance with all relevant and applicable legislative and regulatory rules. In particular, they will take into account the Directors Duties contained in the Companies Act 2006 and will consider the factors listed in Section 172 of the Companies Act 2006 and any other relevant factors. Scheduled Meetings The main purpose of the scheduled meetings is to discuss the Groups financial results and risk issues in months when there is no scheduled Board meeting. Ad-hoc Meetings /

2-14

Ad-hoc Meetings The main purpose of ad-hoc meetings is to deal with emergencies or material matters that require immediate decision. Ad-hoc meetings of the Chairmans Committee may be convened by the Chairman (or, in the event of the Chairmans unavailability, by the Group Chief Executive) in his sole discretion provided that all members present confirm their agreement that the matters to be discussed fall within the ambit of the responsibilities of the Chairmans Committee. The Secretary will inform members of the relevant Board, as soon as is practical after the meeting, of the purpose for which the meeting was convened and of any decisions taken by the Committee.

2-15

2.7

GROUP CHIEF EXECUTIVE'S ADVISORY GROUP TERMS OF REFERENCE AND REPORTING LINE

GROUP CHIEF EXECUTIVE GROUP CHIEF EXECUTIVE'S ADVISORY GROUP MEMBERS: Group Chief Executive Group Finance Director Chairman, Regional Markets Chairman, Global Markets Chairman of the Managing Board, ABN Amro Chief Executive, Group Manufacturing Chief Executive, RBS Insurance Group Chief Executive, Ulster Bank Group Limited Group General Counsel and Group Secretary Group Director, Strategy Group Director, Economics and Corporate Affairs Group Director, Human Resources Group Chief Risk Officer Chief Executive, Global Banking and Markets Chief Executive, RBS UK Chief Executive, RBS Americas Two members, one of whom must be an Executive Director Other Executives and officials as necessary Daily Group Chief Executive, failing whom, a Group Executive Director Provided by Group Secretariat

QUORUM:

IN ATTENDANCE: MEETINGS: CHAIRMAN:

SECRETARY: Main Responsibilities:

The Group Chief Executive's Advisory Group acts as a forum for the provision of information and advice to the Group Chief Executive. The /

2-16

The Group Chief Executive's Advisory Group is not a Committee of the Group Board and derives no delegated authority from the Board, although it does form part of the control process of the Group. Detailed Responsibilities: The detailed responsibilities of the Group Chief Executive's Advisory Group will cover, in particular, the following:1. To consider and decide in principle upon proposals under the Group's Acquisitions and Disposals Procedures and to determine whether such a proposal should be submitted to the Group Executive Management Committee or the Group Board for further consideration. To consider and decide in principle upon new product proposals under the Group's New Product Approval Process and to determine whether such a proposal should be submitted to the Group Executive Management Committee for further consideration. To consider and ensure that appropriate action is taken in respect of any significant business or control issues. To receive weekly Liquidity Reports.

2.

3.

4.

2-17

2.8

GROUP AUDIT COMMITTEE TERMS OF REFERENCE AND REPORTING LINE GROUP BOARD OF DIRECTORS BANK BOARD OF DIRECTORS

GROUP AUDIT COMMITTEE

MEMBERS:

At least three independent Non-executive Directors, at least one of whom is a financial expert as defined in the SEC Rules under the US Exchange Act.

QUORUM:

Two members

IN ATTENDANCE:

Group Chief Executive Group Finance Director Group General Counsel and Group Secretary Head of Group Internal Audit Group Chief Risk Officer Group Chief Accountant The External Auditor Specialists may be requested to attend for specific items or to make presentations to the Group Audit Committee.

MEETINGS:

A minimum of five meetings per annum, with two of these meetings being held immediately prior to submission of the annual and interim financial statements to the Group Board. Ad hoc meetings can be called, as required, at the request of the Chairman of the Group, a Committee member, the Group Chief Executive, the Head of Group Internal Audit or the External Auditor.

CHAIRMAN:

An independent Non-executive Director

SECRETARY:

Deputy Secretary

COMPOSITION

2-18

COMPOSITION:

Each member of the Group Audit Committee shall be a member of the Group Board but shall otherwise be independent. In addition to the definition in paragraph A.3.1 of the Combined Code, to be considered independent, a member of the Group Audit Committee may not, other than in his or her capacity as a member of the Group Audit Committee, the Group Board or any other committee of the Group Board: a) accept (directly or indirectly) any consulting, advisory, or other compensatory fee from the Group or any Group subsidiary; or b) be an Affiliated Person of the Group or any subsidiary of the Group. An Affiliated Person of the Group means any person who, directly or indirectly, through one or more intermediaries, controls or is controlled by, or is under common control with, the Group or any subsidiary of the Group.

Main Responsibilities: The Group Audit Committee will be responsible for:1. Assisting the Royal Bank Board and the NatWest Board (collectively "the Bank Boards") and the Group Board in carrying out their responsibilities relating to accounting policies, internal control, financial reporting functions and risk assessment. Assisting on such other matters as may be referred to it by the Group Board or the Bank Boards. Acting as the Audit Committee of the Group Board and the Bank Boards. Reporting to the Group Board, identifying any matters within its remit in respect of which it considers that action or improvement is needed, and making recommendations as to the steps to be taken.

2.

3. 4.

The Group Audit Committee will operate under delegated authority from the Group Board and the Bank Boards. . In carrying out the responsibilities of the Group Audit Committee, the Directors will act in accordance with all relevant and applicable legislative and regulatory rules. In particular, they will take into account the Directors Duties contained in the Companies Act 2006 and will consider the factors listed in Section 172 of the Companies Act 2006 and any other relevant factors.

The Group Audit Committee may engage independent counsel and other advisers, as it determines necessary, to carry out its duties. The Group Audit Committee may also obtain /

2-19

obtain appropriate funding, as it so determines, for payment of compensation to such advisers, to any auditors and for ordinary administrative expenses of the Group Audit Committee that are necessary or appropriate for carrying out its duties. Detailed Responsibilities: The detailed responsibilities of the Group Audit Committee will cover, in particular, the following:1. Financial Affairs of the Group (a) To monitor the integrity of the financial statements of the Group (including any discussion or analysis thereof), and any formal announcements relating to the Groups actual and forecast financial performance, reviewing significant financial reporting judgements contained in them; To review any unusual items or matters brought to its attention requiring the exercise of managerial judgement affecting the preparation of the statements and announcements; and To provide a forum for the discussion and resolution of areas of disagreement in relation to the statements and announcements, e.g. between management and the External Auditor.

(b)

(c)

2.

Arrangements for Accounting and Financial Reporting and for Regulatory Compliance (a) To review the Group's and Royal Bank and NatWests accounting policies and practices and to consider their compliance with regulatory requirements; To review the controls and procedures established by management for compliance with regulatory and financial reporting requirements and with the requirements of external regulators; and To monitor the relationship with the Financial Services Authority and other relevant regulatory bodies, including review of the scope and results of work conducted by the Reporting Accountants approved by the Financial Services Authority.

(b)

(c)

3.

Standards of Internal Control (a) To monitor, by means of the Group-wide Consolidated Risk and Control Assessment (formerly the Turnbull Report) reporting process, the ongoing process of the identification, evaluation and management of all significant risks throughout the Group; /

(b)

2-20

(b)

To review the arrangements of the Groups systems of internal controls in relation to risk, financial management, compliance with laws and regulations and safeguarding of assets, and the procedures for monitoring the effectiveness of such controls; To monitor any significant deficiencies and material weaknesses in internal controls and disclosure controls and procedures, as reported by Group Internal Audit and the External Auditor, and the implementation by management of appropriate remedial action; and To review arrangements for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters, including procedures by which employees may, in confidence and with anonymity, raise concerns of questionable financial reporting, accounting or auditing matters.

(c)

(d)

4.

Arrangements for Group Internal Audit (a) (b) To review the Terms of Reference for Group Internal Audit; To approve the Annual Plan of Group Internal Audit, with reference to the appropriateness of the scope and timing of proposed coverage in relation to risk; To monitor and review in broad terms, at least annually, the scope, nature of the work and effectiveness of Group Internal Audit, to receive and review its reports, findings and recommendations covering the management of key operating risks, the adequacy of any necessary follow up action and any relevant investigation work carried out by, or on behalf of Group Internal Audit ; and To assess and confirm the independence of the Group Internal Audit function.

(c)

(d)

5.

Arrangements for Group Risk Management (a) (b) To review the Terms of Reference for Group Risk Management; To approve the Annual Operational Plan with reference to the appropriateness of the scope and timing of proposed coverage in relation to risk and to review any significant issues / recommendations arising in the current period under review; and To review, in broad terms, the scope and nature of the work undertaken by Group Risk Management in terms of Credit Risk, Market Risk, Enterprise Risk, Regulatory Risk, Insurance Risk and Liquidity Risk to receive and review its reports, findings and recommendations, noting, in particular, any significant issues in the current period under review and work planned for the next period.

(c)

6.

2-21

6.

Arrangements for Divisional Audit Committees (a) (b) To review the Terms of Reference for Divisional Audit Committees; To review bi-annual reports prepared by the Chairmen of the Divisional Audit Committees, such reports to include: (i) a summary of the role and work of the Divisional Audit Committee, confirming that it has met all responsibilities as laid down in its Terms of Reference over the period in question; (ii) the names and attendance record of all members of the Divisional Audit Committee during the period; and (iii) the number of Divisional Audit Committee meetings held during the period. (c) To liaise with Divisional Audit Committees to promote consistent practices across such Committees, where this is considered desirable.

7.

Arrangements for External Audit (a) To make recommendations to the Group Board, for it to put the Group Audit Committees recommendations to the shareholders for their approval in general meeting, in relation to the appointment, re-appointment and the removal of the External Auditor; To fix the remuneration of the External Auditor as authorised by shareholders; To approve the terms of engagement of the External Auditor; To resolve any disagreements between management and the External Auditor regarding financial reporting; To review the scope and planning of the External Auditor; To confirm that, in planning its work, the External Auditor places appropriate reliance on the work of Group Internal Audit, such that unnecessary overlap is avoided; To review reports prepared by the External Auditor, including its annual management letter; To review and monitor the External Auditors independence and objectivity and the effectiveness of the audit process, taking into consideration all relevant professional and regulatory requirements; and /

(b) (c) (d)

(e) (f)

(g)

(h)

(i)

2-22

(i)

To review the overall financial relationship between the Group, the Banks and the External Auditor.

8.

Audit and Non-Audit Services Policy (a) To develop and implement guidance on the engagement of the External Auditor to supply audit and non-audit services (the Policy), taking into account relevant legislation and ethical guidance regarding the provision of audit and non-audit services by the External Auditor and to report to the Group Board, identifying matters in respect of which it considers that action or improvement is needed and making recommendations as to the steps to be taken; and The Group Audit Committee shall consider and approve each audit and non-audit service to be provided by the External Auditor in accordance with the Policy.

(b)

9.

Communication (b) To make available its terms of reference, including the Group Audit Committees role and the authority delegated to it by the Group Board; To describe in the Groups annual report the work of the Group Audit Committee including; (i) (ii) a summary of the role of the Group Audit Committee; the names and qualifications of all members of the Group Audit Committee during the period;

(c)

(iii) the number of Group Audit Committee meetings; (iv) a report on the way the Group Audit Committee has discharged its responsibilities; (v) a description of the Groups policy and procedures for the approval of audit and non-audit services and an explanation of how External Auditor objectivity and independence is safeguarded where the External Auditor provides non-audit services; and

(vi) a description of the External Auditors fees and services. (c) To review the Group Audit Committee Chairman's Annual Report, for submission to the Group Board.

2-23

2.9

GROUP REMUNERATION COMMITTEE REPORTING LINE AND TERMS OF REFERENCE

GROUP BOARD OF DIRECTORS

BANK BOARD OF DIRECTORS

GROUP REMUNERATION COMMITTEE

MEMBERS:

At least three independent Non-executive Directors. The Chairman of the Group is also a member of the Committee. Three members

QUORUM: IN ATTENDANCE:

Group Chief Executive Group General Counsel and Group Secretary Group Director, Human Resources MEETINGS: CHAIRMAN: SECRETARY: Main Responsibilities: The Group Remuneration Committee will be responsible for considering the Group's Policy on Executive Remuneration and, as required, making recommendations to the Group Board in respect of the remuneration arrangements of the Executive and Nonexecutive Directors of the Group. It shall also be responsible for setting the remuneration arrangements of the Group Executive Management Committee. The Group Remuneration Committee will operate under delegated authority from the Group and Bank Boards. In carrying out the responsibilities of the Group Remuneration Committee, the Directors will act in accordance with all relevant and applicable legislative and regulatory rules. In particular, they will take into account the Directors Duties contained in the Companies Act 2006 and will consider the factors listed in Section 172 of the Companies Act 2006 and any other relevant factors. Detailed Responsibilities: The detailed responsibilities of the Group Remuneration Committee will cover, in particular, the following:1. / Three meetings per annum Senior Independent Non-executive Director Senior Assistant Secretary

2-24

1.

Remuneration Policy and Remuneration Arrangements (a) To determine and develop the Groups Executive Remuneration Policy; To make recommendations to the Group Board on the total individual remuneration package of each Executive Director; including, where appropriate, salaries, annual and longer term incentive targets and payments, share options, pension rights, service contracts and compensation payments. In determining such packages and arrangements, the Committee will have regard to relevant market comparisons and practice as well as any other relevant guidance; To make recommendations to the Group Board on termination payments for Executive Directors, within the terms of the agreed policy and ensuring that :(i) contractual terms on termination, and any payments made, are fair both to the Executive Director and to the Group, (ii) that failure is not rewarded; and (iii) that the duty to mitigate loss is fully recognised.

(b)

(c)

(d) To consider proposals from the Chairman in respect of the remuneration arrangements of Non-executive Directors of the Group and to make recommendations to the Group Board in this respect; (e) To approve proposals from the Group Chief Executive in respect of the remuneration arrangements of senior executives below Board level who are members of the Group Executive Management Committee; (f) To review all long term incentive arrangements operated in the Group; and (g) To review the report of the Variable Pay Review Panel. 2. Reporting and Disclosure (a) To prepare an Annual Report to Group shareholders which will form part of the Annual Report and Accounts of the Group and will include all relevant information in respect of the Group's Executive Remuneration Policy and full details of each Director's remuneration package; and To account directly to Group shareholders for decisions of the Group Remuneration Committee through the attendance of the Chairman of the Group Remuneration Committee at the Groups Annual General Meeting to answer Group shareholders' questions on Directors' remuneration.

(b)

3.

2-25

3.

Share Schemes (a) To keep under review the Group's employee share schemes in light of legislative and market developments and the overall remuneration policy of the Group; To decide, on an annual basis, whether grants of options or awards should be made in terms of the Group's employee share schemes; and To determine, on an annual basis, the staff profit share in terms of the Groups Profit Sharing Scheme.

(b)

(c)

4.

External Advice (a) To select, appoint and set the terms of reference for any remuneration consultants who advise the Remuneration Committee; and To obtain internal or external legal or other professional advice on matters within the terms of reference of the Remuneration Committee.

(b)

2-26

2.10 ADVANCES COMMITTEE TERMS OF REFERENCE AND REPORTING LINE

GROUP BOARD OF DIRECTORS ADVANCES COMMITTEE

GROUP A MEMBERS:

Sir Fred Goodwin, Group Chief Executive Guy Whittaker, Group Finance Director Gordon Pell, Chairman, Regional Markets Johnny Cameron, Chairman, Global Markets Mark Fisher, Chairman, Managing Board, ABN AMRO Any member of the Group Executive Management Committee who can be a Chairman of Group Credit Committee, and the Group Chief Credit Officer. Any one member from Group A together with one member from Group B provided that: Neither of these members acted as the Chairman of the relevant Group Credit Committee for the case being considered; and The Group B member is independent of the Business sponsoring the case being considered.

GROUP B MEMBERS:

QUORUM:

Quorum members must consider whether the credit application represents a potential or perceived conflict of interest. Further details are provided in the Group Credit Risk Authority policy standards. MEETINGS: Members may meet in person or consider and review papers electronically and provide their approvals via-email. Decisions are advised to the Credit Committee Secretariat for inclusion within the Group Credit Committee minutes. For record purposes, the Chairman will be a Group A member Credit Committee Secretariat

CHAIRMAN:

SECRETARY: DELEGATED AUTHORITY: Main /

Unlimited credit authority

2-27

Main Responsibility: Based on the review of specific information including, as appropriate, credit grade and Loss Given Default, the Advances Committee is responsible for approving proposals (including agreeing the final credit grade(s) and Loss Given Default(s) and any overrides thereof) on behalf of the Group Board of Directors which are recommended to it by Group Credit Committee, and, in particular, facility limits in excess of those authorities delegated to Group Credit Committee.

2-28

2.11 GROUP CREDIT COMMITTEE TERMS OF REFERENCE AND REPORTING LINE

GROUP BOARD OF DIRECTORS ADVANCES COMMITTEE GROUP CREDIT COMMITTEE

GROUP CREDIT COMMITTEE MEMBERS: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * # # # # # # # # # # # # # # # # # # # # # # Sir Fred Goodwin Guy Whittaker Gordon Pell Larry Fish Johnny Cameron Cormac McCarthy Chris Sullivan Mark Fisher Miller McLean Brian Crowe Alan Dickinson Leith Robertson Bob McKillip Peter Nathanial David Coleman Phil Carraro Howard Burnside Derek Sach Bob Mahoney Jim Connolly Christine Palmer John McDonnell Peter Shaw Daniel Frumkin Peter Commons Paul Fillmore Bill Gallagher Paul Treacy David Skelly Graeme Willis Stephen Sanders Group Chief Executive Group Finance Director Chairman, Regional Markets Chairman, RBS America Chairman, Global Markets Chief Executive, RBS Europe & Middle East Chief Executive, RBS Insurance Chairman of the Managing Board, ABN AMRO Group Secretary and General Counsel Chief Executive, Global Banking and Markets Chief Executive, RBS UK Deputy Chief Executive, Global Banking and Markets Head of Corporate Relationship Management, North America, Global Banking and Markets Group Chief Risk Officer Chief Risk Officer, Global Markets, ABN AMRO Special Advisor, Group Credit Risk Chief Risk Officer, Global Markets Head of Specialised Lending Services Vice Chairman, Citizens Financial Group President, Citizens Financial Group Chief Credit Officer, Global Banking & Markets Chief Risk Officer, RBS Europe & Middle East Chief Risk Officer, RBS UK MD, Consumer Products, Retail Markets Head of Underwriting & Transactions, GBM Chief Risk Officer, CEEMEA, GBM Co-Chief Credit Officer, GBM Americas Head of Group Credit Risk Review Director of Credit and Market Risk, Wealth Management Division Group Head of Enterprise Risk Group Head of Regulatory Risk & Compliance

2-29

Chantal Geall Robert Gallagher Brian Stevenson Ian Henderson Tom Metzger Donald Workman David Barnes Nick Jordan Alan Devine John Hourican Thomas Herrmann Martin Powell Paul Howard Ronnie Hanna John Boyd

Head of Financial Institutions Credit Portfolio, Group Credit Risk Chief Executive, Corporate Markets, Ulster Bank Group Chief Executive, Global Transaction Services Chief Executive, The Royal Bank of Scotland International Chief Risk Officer, Citizens Financial Group Risk Management Investment Director, Global Markets Managing Director, Banking Groups, Global Banking and Markets Head of Risk & Portfolio Management, Global Banking and Markets Head of Structured Asset Finance, Global Banking and Markets Chief Financial Officer, ABN AMRO Chief Administrative Officer, ABN AMRO Director, Corporate & SME Credit Risk, RBS UK Chief Credit Officer, Citizens Financial Group Head of Credit Risk, Northern Ireland, Ulster Bank Head of Risk Assurance, Corporate Markets, Ulster Bank

Note: Individuals are personally accredited as Members of the Committee rather than being entitled to become Members by virtue of their job title.

QUORUM:

A Chairman from the list indicated by #, plus two other members. Where the Chairman is not independent of the business sponsoring the transaction, at least one of the other members must be a Group Member from the list indicated by *. Quorum members must ensure that they are above Chinese Walls (as documented in Divisional procedures) and advise the committee secretariat as soon as possible if this is not the case. In situations where the same committee is considering applications for customers which have competing interests in a transaction (when seeking finance for competing acquisition or defence bids), the Chairman must ensure that each application is considered on its merits (to reduce the scope for challenge that our decision was not impartial). Quorum members must consider whether the credit application represents a potential or perceived conflict of interest between his/her (or family) interests, including the ownership of shares, and those of the RBS Group and/or the customer and then form a judgement as to the materiality of any such conflict in the context of the relevant credit application. If the conflict is considered

2-30

to be material, he/she must stand down for that particular application. In the event that the quorum member identifies a potential or perceived conflict but is confident on reasonable grounds that this is not sufficiently material either to influence, or to be reasonably expected to influence, his/her judgement of the credit application, he/she should advise the Committee Secretariat of the circumstances for the record and may proceed with committee duties in respect of the application. If the quorum member has any doubt as to whether the issue identified is, or could reasonably be considered to be, material to his/her judgement of the transaction, he/she must advise the Committee Secretariat of the potential issue, in order that contingency arrangements may be made, and immediately consult the Director, Group Risk Management (failing whom, the Head of Group Credit Risk, failing whom the Head of Group Regulatory Risk). The decision of the Director, GRM or his delegate would be final. IN ATTENDANCE: MEETINGS: CHAIRMAN: SECRETARY: DELEGATED AUTHORITY: Main Responsibilities: Based on the review of specific information including, as appropriate, Credit Grade and Loss Given Default, (including agreeing the final Credit Grade(s) and LGD(s) and any overrides thereof), the Group Credit Committee will be responsible for:1. Approving proposals for facility limits in excess of those authorities delegated to the Global Markets, RBS UK and Retail Credit Committees. Recommending to the Advances Committee for approval facilities in excess of the Group Credit Committees delegated authority (Note 1). Noting defined facilities within delegated authorities and certain exposures under regulatory requirements. Other Executives and officials as necessary As necessary Must be from the list indicated by # Credit Committee Secretariat See Section 7.2

2.

3.

Detailed /

2-31

Detailed Responsibilities:The detailed responsibilities of the Group Credit Committee will cover, in particular, the following1. To approve:(a) New business connection exposures/increases in aggregate counterparty exposures in excess of the Global Markets, RBS UK and Retail delegated authorities; Settlement exposures in excess of the Global Markets, RBS UK and Retail delegated authorities; Equity investments in excess of the authorities of the Global Markets Equity Investment Committee and other Group entities; Investment or Residual Value risk on specified operating lease transactions (involving physical assets where control and ownership remains with the Group) which is in excess of the Global Markets Asset Risk Investment Committee delegated authorities (being a sub committee of the Global Markets Credit Committee); Material amendments to existing or new business (new connection within first year) where aggregate exposures are in excess of the Global Markets, RBS UK and Retail delegated authorities; Annual reviews of aggregate counterparty exposures in excess of Global Markets, RBS UK and Retail delegated authorities; To approve wholesale credit risk measures (Credit Grade and LGD) for exposures in excess of Global Markets, RBS UK and Retail delegated authorities; Proposals involving exposures under specific criteria; The recommendation of facilities in excess of the Group Credit Committees delegated authority to the Advances Committee; and Exposures which would result in a credit risk policy exception.

(b)

(c)

(d)

(e)

(f)

(g)

(h) (i)

(j)

2.

To note:(a) Exposures under Financial Services Authority Large Exposures guidelines; and Advances under specified criteria on an annual basis.

(b) Note /

2-32

Note 1: Ultimate credit approvals on behalf of the Board are undertaken by a sub-committee of the Board (the Advances Committee) comprising any one person from Group A together with one person from Group B: Group A Fred Goodwin, Group Chief Executive Guy Whittaker, Group Finance Director Gordon Pell, Chairman, Regional Markets Larry Fish, Chairman, RBS America Johnny Cameron, Chairman, Global Markets Mark Fisher, Chairman of the Managing Board, ABN AMRO Group B Any member of Group Executive Management Committee who can be a Chairman of Group Credit Committee provided that:neither of the Advances Committee members acted as the Chairman of the relevant Group Credit Committee for the case being considered. Conflicts of interest will be managed on the same basis as detailed in the Quorum requirements for GCC, although the requirements in respect of Chinese Walls and situations involving competing bids will not apply for Advances Committee given the roles and seniority of its members.

2-33

2.12 GROUP RISK COMMITTEE TERMS OF REFERENCE AND REPORTING LINE

GROUP BOARD OF DIRECTORS GROUP EXECUTIVE MANAGEMENT COMMITTEE GROUP RISK COMMITTEE

MEMBERS:

Group Finance Director Group General Counsel and Group Secretary Group Chief Risk Officer Chairman, Global Markets Chairman, Regional Markets Chief Executive, Group Manufacturing Chief Executive, Global Banking and Markets Chief Risk Officer or equivalents for: Global Markets Group Manufacturing RBS Insurance RBS UK, Regional Markets RBS Europe & Middle East, Regional Markets RBS Americas, Regional Markets RBS Asia & Wealth Management, Regional Markets Group Chief Credit Officer Group Head of Operational Risk Group Head of Market Risk Group Head of Regulatory Risk & Compliance Group Chief Economist Group Treasurer Note: Each Divisional member should have a nominated alternate to attend meetings in their absence. The alternate should be the next most senior person with overall responsibility for risk management within their respective division. All alternates must be approved by the Chairman of the Committee (see Attendance)

QUORUM:

2-34

QUORUM:

MEETINGS: CHAIRMAN:

Five members, at least one of whom must be the Group Finance Director, the Group General Counsel and Group Secretary or the Group Chief Risk Officer Monthly and ad hoc as required The Group Finance Director or in his absence the Group General Counsel and Group Secretary or the Group Chief Risk Officer Provided by Group Secretariat Senior Risk Officers and Business Executives to attend as required by the Chairman The Head of Group Internal Audit has the right of attendance at all Group Risk Committee meetings.

SECRETARY: IN ATTENDANCE:

Terms of Reference The Group Risk Committee will operate as a sub-committee of, and is responsible directly to, the Group Executive Management Committee. Main Responsibilities: The main responsibility of the Group Risk Committee is to recommend and approve (subject to delegated authority from GEMC) limits, policies, processes and procedures to enable the effective management of risk across the Group. The remit of the Group Risk Committee includes all credit risk, market risk, operational risk, compliance and regulatory risk, enterprise risk and country risk affecting or likely to affect the Group. It is the responsibility of RBS Risk Management to: 1. Design and ensure the implementation of risk management strategies and policies. Report to Group Risk Committee on the Group's risk profile to the extent to which it provides evidence of ineffectiveness of risk policies and the need for policy change. Understand and report to the Group Executive Management Committee on the risk profile of the Group. Monitor and report to the Group Executive Management Committee on the management of key risks within the Group.

2.

3.

4.

Implementation /

2-35

Implementation of risk management policies and procedures and the management of risks within Group Divisions is the responsibility of those Divisions. Detailed Responsibilities: The detailed responsibilities of the Group Risk Committee include the following: 1. To receive direction from the Group Board and the Group Executive Management Committee on the Group's risk appetite and to provide appropriate input to the risk appetite-setting process. To approve and refine as necessary Group-wide credit risk, operational risk, market risk and regulatory risk Policy Standards, processes and procedures. These will be considered and approved in the context of the Group's risk appetite, the Group's risk profile and information on the effectiveness of existing risk policies. Appropriate contextual information will be provided to the Group Risk Committee by RBS Risk Management. To approve appropriate limits in respect of credit risk, operational risk, market risk and regulatory risk. To refer any risk or risk management matter requiring Executive consideration to the Group Executive Management Committee. To approve material aspects of the Banks rating/evaluation systems and associated management reporting.

2.

3.

4.

5.

2-36

2.13 GROUP ASSET AND LIABILITY MANAGEMENT COMMITTEE TERMS OF REFERENCE AND REPORTING LINE GROUP EXECUTIVE MANAGEMENT COMMITTEE GROUP ASSET AND LIABILITY MANAGEMENT COMMITTEE DIVISIONAL/ SUBSIDIARY ASSET AND LIABILITY MANAGEMENT COMMITTEES, OR EQUIVALENT FOR NONBANKING BUSINESSES MEMBERS: Group Finance Director Chairman, Global Markets Chairman, Regional Markets Chief Executive or Deputy Chief Executive, Global Banking and Markets Chief Executive, Global Transaction Services Chief Executive, RBS Americas Chief Executive, RBS UK Chief Executive, RBS Europe and Middle East Chief Executive, RBS Asia Chief Financial Officer, ABN AMRO Group Chief Accountant Group Chief Risk Officer Director, Group Corporate Finance Director, Group Financial Planning & Analysis Group Treasurer Deputy Group Treasurer Head of Capital Management, Group Treasury Three members, at least one of whom should be: Group Finance Director, Chairman, Global Markets, Chairman, Regional Markets or Group Treasurer Group Finance Director Monthly and ad hoc as required Provided by Group Treasury Other Executives and officials as appropriate /

QUORUM:

CHAIRMAN: MEETINGS: SECRETARY: IN ATTENDANCE: DELEGATED AUTHORITY

2-37

DELEGATED AUTHORITY:

See authority section

The Group Asset & Liability Management Committee ("GALCO") operates as a subcommittee of the Group Executive Management Committee ("GEMC") and is responsible for optimising the Groups balances sheet structure and identifying, managing and controlling Group balance sheet risks in the execution of its chosen business strategy. Balance sheet risks are managed by setting limits and controls across the dimensions of capital, funding and liquidity, intra-group credit exposures and non-trading interest rate, equity exposure and foreign currency translation risks. Group Treasury is responsible for managing the Group balance sheet in accordance with GALCO policy and direction. The responsibilities of GALCO include the following: 1. Strategic overview:

Formulate and implement proposals for the efficient capital structure and liquidity and funding positions of the Group having regard to the Groups objectives, market conditions and current and future regulatory requirements. Monitor, review and challenge where relevant legal, regulatory and accounting developments affecting the structure, measurement and control of balance sheet risks and capital. Review the balance sheet, funding and capital implications of major corporate restructuring proposals, acquisitions and disposals. Direct the development of management information requirements for effective asset and liability management processes within the Group.

2. Capital:

Optimise the capital structure of the Group and its subsidiaries. Minimise the average cost of capital and ensure sufficient capital flexibility exists to support strategic objectives and planned business growth. Set and review internal management target capital adequacy ratios for each authorised firm in the Group in accordance with relevant regulatory guidelines and the Groups Internal Capital Adequacy Assessment Process (ICAAP). Set and review policy to ensure that acceptable external credit ratings are maintained for the Group and relevant subsidiaries. Set and review intra group dividend policy. Set and review policy for the use of solo-consolidated subsidiaries and oversee compliance with relevant FSA requirements. Review and approve all external capital raising opportunities by the Group and/or subsidiaries, which are then made in accordance with the approval from the appropriate Board Committee(s). Review Risk Weighted Assets and regulatory capital trends in context of plans/ forecasts and compliance with Financial Services Authority (FSA) target ratios. Protect capital ratios against the adverse effects of movements in the principal foreign currencies to within agreed tolerances. Approve capital injections (including other loans and commitments deemed to be of a capital nature) in to subsidiaries. Review periodic stress testing of Group capital adequacy position

3 /

2-38

3. Liquidity and Funding:

Optimise the liquidity and funding position of the Group and its subsidiaries. Set and review the Group liquidity policy, as submitted to the FSA. Oversee the implementation of liquidity management across the Group. Review contingent liquidity risks. Review term structure of assets and liabilities. Review and approve policy parameters for the management of funding sources and wholesale market reliance. Set and review Intra-Group Exposure Management policy Set and review intra group limits as part of the annual business plan. Set and review intra group Funds Transfer Pricing Policy. Review periodic stress testing of the Groups liquidity position. Approve the establishment/renewal of CP and MTN programmes as well as stand-alone term debt issues and secured term funds issuance.

4. Non- trading Interest Rate Risk:

Set and review the Groups non-trading Interest Rate Risk Management policy. Oversee the implementation of non-trading interest rate risk management across the Group. Approve and periodically review principal positions, hedging strategies and risk limits. Review sensitivities to interest rate movements; to include the review of stress testing design and results. Review IFRS 39 related P&L sensitivities to interest rate movements. Non-trading Foreign Currency Exposure: Set and review the Groups non-trading Foreign Currency Exposure policy. Review principal positions and hedging strategies. Review and monitor sensitivities to foreign exchange rate movements.

5.

Delegated Authority GALCO is authorised to support the Group and Bank Boards and the GEMC in determining the Groups financial balance sheet risk limits, and ensuring that the Groups asset and liability management functions manage their balance sheets within the limits set by GALCO from time to time. Group Treasury, on behalf of GALCO, operates independently of the Groups businesses and is authorised to have access to the data required to measure, assess, control and facilitate the management of the Groups non-credit related capital and balance sheet risks. Group Treasury is authorised to attend and represent GALCO on all divisional and business unit committees responsible for asset and liability management.

2-39

2.14 GROUP INVESTMENT COMMITTEE TERMS OF REFERENCE AND REPORTING LINE

GROUP BOARD GROUP EXECUTIVE MANAGEMENT COMMITTEE GROUP INVESTMENT COMMITTEE

MEMBERS:

Group Chief Executive Group Finance Director *Chief Executive, Corporate Markets Head of Equity Finance Head of Specialised Lending Services Director, Strategy * Alternate - Chief Executive, Global Banking and Markets

QUORUM:

Two members, one of whom must be the Group Chief Executive, the Group Finance Director or the Chief Executive, Corporate Markets Other Executives and officials as necessary As required The Group Chief Executive, failing whom the Group Finance Director or the Chief Executive, Corporate Markets Group Financial Accountant

IN ATTENDANCE MEETINGS: CHAIRMAN:

SECRETARY:

Main Responsibilities The Group Investment Committee will be responsible for reviewing and managing a number of investments (i.e. the holding of shares) held throughout the Group which are not dealt with as ordinary business by the Investment Committees of the relevant business areas concerned. Such /

2-40

Such investments, which cannot satisfactorily be dealt with as ordinary business by the relevant Investment Committee, either because of their nature or size, include the following:1. 2. Formerly unquoted investments, which have been converted into quoted shares; The small portfolio of structural investments which may be quoted or unquoted; and Certain investments within the business areas which require central input because of their size, or the specialised knowledge residing within the Group or because they fall outside the skills of the business unit area.

3.

Detailed Responsibilities The detailed responsibilities of the Group Investment Committee cover, in particular, the following:1. General To determine a policy for each investment held by the holding company, or any of its subsidiaries, which is deemed by the Group Investment Committee to fall outside the ordinary business of a particular business area, either because of the nature or size of the investment. (Attached as an appendix to these Terms of Reference is the detailed procedures to be followed on the conversion of unquoted investments). 2. Central Investments To take responsibility for the small portfolio of investments held in the Bank. The Group Investment Committee will provide advice to the Group Executive Management Committee ("GEMC") on the structural investments which are held at cost for accounting purposes. 3. Other Investments To determine from its knowledge of the investments held within the Group, whether any require to be reviewed by the Group Investment Committee.

Authority 1. The Group Investment Committee is authorised to consider investments outside the ordinary course of business up to such limit as may be delegated by the Group Board or the GEMC, as appropriate, in respect of specific investment proposals. Any investments considered by the Group Investment Committee to be of a strategic nature will be referred to the GEMC for approval. Investments involving acquiring or selling subsidiary companies will require Group Board approval - after consideration by the GEMC.

2.

2-41

APPENDIX

Conversion of Unquoted Investments 1. As soon as an unquoted investment is converted into a quoted investment, control over the investment is transferred to the Group Investment Committee (GIC). The GIC determines: (a) which Group entity or entities should be the legal and/or beneficial owner(s) of the investment; and whether the investment is a long term strategic asset for the Group or not, and if not, the guidelines for the disposal of the investment. These guidelines should normally include objectives for a hedging approach, if any, and an indication of the desired time period for disposal.

(b)

In both cases, Group Treasury or other designated body will act as agent on behalf of the GIC and the legal/beneficiary owner(s) for the purposes of managing and reporting. Group Treasury or other designated body will:(i) (ii) determine the current market value of the investment; determine the most effective hedging approach, consistent with the guidelines issued by the GIC. The GIC retains final approval, although it may delegate this authority to the Director, RBS Risk Management or the Deputy Chief Executive, Corporate Banking and Financial Markets. implement the hedging approach approved by the GIC by executing the necessary transactions in the market; implement the approved disposal strategy on a best efforts basis; determine the resulting periodic (daily where possible) profit and loss from the revaluation of the investment, and any hedging transactions. The profit and loss will be transferred to the beneficial owner as specific by the GIC; operationally manage the cash flows resulting from these transactions, including interest and dividend payments, etc; and report periodically (daily where possible but not less frequent than monthly) on the above activities to the Deputy Chief Executive, Corporate Banking and Financial Markets and the Director, RBS Risk Management and any other individuals or Committees designated by the GIC.

(iii)

(iv) (v)

(vi)

(vii)

3-1

3 3.1

STRATEGIC PLANNING Purpose Business strategy development is the responsibility of line management, and ultimately the Group Chief Executive. The purpose of the Groups strategic planning process is to ensure that the business divisions, and the Group, are identifying appropriate and sufficient strategic growth opportunities, at acceptable levels of risk, to deliver the Groups goal of delivering superior, sustainable value for shareholders. The process is also intended to ensure that all members of the Group Executive Management team, and the wider senior management group, understand the strategy of each of the divisions, and can contribute where appropriate, and that the Group Board has the opportunity to assess, and give input into, the divisions and the Groups strategy.

3.2

Process Group Executive Management Committee (GEMC) Strategy Offsite In January/February the GEMC meet for a 2 day offsite to share their current strategic agendas, discuss potential additional opportunities for growth within each division and at Group level, and refine the Groups strategic priorities. The meeting is facilitated by the Group Director, Strategy The additional opportunities identified at the offsite are developed at divisional or Group level as appropriate, alongside the existing agenda of initiatives that form part of each divisions budget. Executive Management Conference In March/April the Group and divisional strategic agendas are presented to, and discussed with, the wider senior management team, comprising the top 400 executives in the Group. Group Strategy Board In June, a 2 day meeting of the Group Board discusses the divisional and Group level strategic agenda: Divisional strengths, weaknesses, threats and opportunities and associated strategic action plans Group strategic opportunities in new market entry, mergers and acquisitions Principal opportunities for organic growth, in each division Group priorities and interim objectives

3.3 /

3-2

3.3

Relationship between strategic and operational planning The Group Projects Department works with divisional management to ensure that strategic opportunities identified have strategic action plans prepared to initially validate, and where appropriate, exploit the opportunity. Group Projects Department also monitor the transmission of strategic opportunities into divisional budgets which are agreed during the fourth quarter of the year. As part of the budget, detailed action plans with specific timescales, resources and quantified benefits are developed for each of the opportunities that are being taken forward.

4-1

4. 4.1

BUDGETARY CONTROL General Principles (a) The financial planning and control process comprises the annual budget process for the following four years, quarterly reforecasts which cover the current year and following year and the monthly reporting process; (b) The budget process follows on from the group strategy review and involves the divisions preparing projections for operating income, costs & profit, headcount, balance sheet, capital expenditure and their capital planning assumptions. Key operating and financial ratios, including capital adequacy, are determined. These projections are split between base case and strategic projects carried forward or identified as part of the strategy review.

4.2

Annual Budget Process (a) The annual budget process commences in the Divisions with the preparation of detailed financial projections at business unit level post the half year reforecast, followed by consolidation, internal review and challenge by divisional management. The key inputs will be outputs from:

the strategy review at the June Group Board; and the half year reforecast which will agree a high level 'shape' for the following year's budget. (see below);

(b) Divisional financial projections are then submitted to Group Finance for review in late September. The Divisions are responsible for completing management information packs, containing analysis and commentary on their projections and key performance metrics pertinent to their business. These are then reviewed and challenged at meetings, culminating in a review with divisional executive management, Director of GFP&A, Group Finance Director and Group Chief Executive; and (c) The divisional and consolidated group projections are then submitted to the GEMC and the Group Board in Quarter 4. Once approved, the first year of the four year forecast is adopted as the following years budget. 4.3 Quarterly Reforecast Process (a) The reforecasts are undertaken at the quarter ends each year, with the September reforecast submitted in conjunction with the annual budget. The primary focus of the reforecast is financial projections for the current year. The June reforecast also looks at high level projections for the following year.

(b) /

4-2

(b) As with the budget, Divisional review is followed by submission to Group Finance of detailed management information packs. These form the basis of a review involving divisional executive management and the Group Finance Director. The reforecast is then presented to the GEMC. Group Board are informed of the key issues and themes in the forecast. 4.4 Review of Monthly Performance (a) On a monthly basis, the Group Finance Director reports on the Groups profit and operating performance against budget and prior year to the GEMC and the Group Board; (b) In addition, divisional management in conjunction with Group Finance prepare detailed monthly financial reports. These comprise a review of strategic projects performance by comparing actual results against budget; and (c) To give an earlier indication of the monthly results and issues affecting performance, a 'flash' profit is prepared (around workday eight) and presented to the Group Finance Director and the Group Chief Executive.

5-1

5. 5.1

STRATEGIC INVESTMENT AND PROJECT EXPENDITURE Strategic Investment

The strategy planning cycle (see Section 3) identifies opportunities for expansion, diversification and divestment. Where appropriate, specialist teams are set up to investigate particular opportunities. On occasion, this work will entail the appraisal of possible acquisitions. A detailed financial model is constructed, where appropriate, to forecast the potential return and sensitivity analyses are also undertaken. The teams undertaking such studies usually include staff from the Group Corporate Legal, Group Corporate Finance, Group Strategy and Group Projects, with other specialist skills added as appropriate. Final reports and recommendations are reviewed by the Group Chief Executive with major acquisitions being presented to the Group Board for authority to proceed. A similar approach is followed in respect of unsolicited approaches from third parties and in respect of joint venture projects. Disposals of business units or assets follow similar procedures to acquisitions. The strategy planning cycle provides an opportunity to identify units which no longer fit within the Group's overall strategy. The Group has a detailed codified Acquisitions and Disposals Procedure in respect of its systems of control over acquisitions, disposals and joint ventures which is set out in the Appendix to this Section 5. 5.2. Strategic Investment and Project Expenditure Process and Limits (a) Strategic Investment and Project Expenditure Process In the first instance, project expenditure proposals will be considered in one of the following ways:(i) under the Acquisitions and Disposals Procedure, the project sponsor will complete a proposal form detailing the nature of the proposal, the strategic rationale, and financial and structural information. The proposal will then be considered by the Group Chief Executive's Advisory Group ("GCEAG") and a decision "in principle" will be given. At this stage, the appropriate formal approval channel will be considered. If the proposal falls above any of the delegated project expenditure limits, Group Executive Management Committee ("GEMC") or Group Board approval will be required. In addition, if the members of the GCEAG consider that, in view of the nature of the proposal, it should be submitted to one of these bodies for approval, this will be intimated to the project sponsor at that time;

(ii) /

5-2

(ii)

if any investment is referred to the Group Investment Committee ("GIC"), and is considered by the GIC to be a strategic investment, it will be referred for approval to the relevant body through the Acquisitions and Disposals Procedure. (see Section 5.2(c) below); if, because of the expenditure involved, the project is submitted for consideration by the GEMC, this body will require to consider whether, because of the nature of the proposal, it should be referred for consideration by the Group Board; and if not covered by points i) or ii) above then the Group Investment Appraisal & Approval Policy will apply.

(iii)

(iv)

(b)

Strategic Investment and Project Expenditure Limits The expenditure limits which apply to capital or revenue are as follows:

AUTHORISATION LEVEL

PROJECTS & NON PROJECT Financial Approval Business Commitment Business Commitment : Contract Renewal Request Purchase to External Commitment Purchase Order / Sign off Release of Funds Invoice Sign off

ACQUISITIONS & DISPOSALS Financial Approval Commitment Approval

Group Board GEMC Group Chief Executive Divisional Board GEMC Member / Attendee Authorisers 5 Authoriser 4 Authoriser 3

>100m Up to 100m Up to 25m Up to 10m Up to 2m Up to 500k Up to 100k Up to 50k

>100m Up to 100m > 2m Up to 2m Up to 500k Up to 100k Up to 50k All Contracts over 50k signed by Group Purchasing > 10m Up to 10m Up to 500k Up to 100k Up to 50k

> 10m Up to 10m Up to 100k Up to 50k

Note: An exception to the above is consultancy spend which must all be pre approved by the Group Chief Executive.

For any purchase/project/contract all three stages must be completed and in that order. GEMC members may not exceed their annual expenditure budget without prior approval from the Group Chief Executive. Non-financial guidelines If a proposal falls within the following categories, it should be submitted for approval by the GEMC or the Group Board as considered appropriate, regardless of the level of expenditure involved:(i) strategic joint ventures - any formal arrangement undertaken by a business unit or subsidiary with a view to entering into a strategic venture with an external third party; /

(ii)

5-3

(ii)

new businesses - departures from the business unit or subsidiary's usual type of business. New products will continue to be considered under the "Group New Product Approval Process"; and investments - any investment outside the ordinary course of business and of a non-strategic nature must be referred to the GIC. If the GIC considers that the proposed investment has a "strategic" element, it will refer the proposal to the GEMC for consideration.

(iii)

(c)

Investment Authorities Certain investments which, because of their nature or size require special consideration, should be remitted to the GIC to ensure that all interested parties have input into the investment appraisal process. Detailed Terms of Reference for this Committee can be found on page 2-38 of this document. The GIC will operate alongside the project approval procedures detailed above so that "strategic" investments continue to be given the appropriate level of consideration.

5-4

The Royal Bank of Scotland Group Group Acquisitions and Disposals Procedure Introduction The Group's Acquisitions and Disposals Procedure provides a system of control over Group wide acquisitions and disposals. The implementation of the Procedure has been approved by the Group Board and communicated throughout the Group's business areas and Group central functions. The Procedure is designed to ensure that strategic initiatives taken anywhere within the Royal Bank Group are consistent with its strategic objectives, that they satisfy its financial criteria and risk profile, and that they are authorised by those forums within the corporate governance structure which have the necessary levels of authority. The Procedure applies to all acquisitions, disposals, mergers, strategic joint ventures (see Note 1 below), new businesses and investments (of whatever size) outside the normal course of the Groups business. The main objectives of the Procedure are as follows: 1. To ensure that, at the very earliest opportunity possible, all proposed transactions of this nature are reviewed by the Group Strategy Department and submitted to the Group Chief Executive and/or the Group Finance Director for their initial outline approval - this avoids both time and money being unnecessarily wasted on initiatives which the Group does not wish to pursue. In the case of a proposal which is approved by the Group Chief Executive/Group Finance Director, to determine: (a) the further formal approval channels which will need to be followed; and the structure and process through which a proposal should be managed.

2.

(b) 3.

To ensure that, to the extent the Group Chief Executive/Group Finance Director determines to be necessary in light of the nature of the proposal, there is the appropriate level of input from Group central functions. In the initial stages this will involve Group Corporate Finance, Group Transactions & Projects, Group Strategy and Group Projects (see Appendix 1 for a summary of the roles and responsibilities of each of these Group functions). As a transaction proceeds Group Financial Accounting, Group Tax, Group Purchasing, Group Human Resources, Group Secretariat, Group Corporate Communications and the Groups principal control functions (i.e. Group Internal Audit, Group Risk and Group Compliance) will be involved.

The /

5-5

The Procedure requires all business areas of the Group to submit a summary of the proposal to Group Strategy, Group Corporate Finance , Group Transactions & Projects and Group Projects containing a brief description of the proposal, its strategic rationale and the financial highlights (an Initial Proposal Paper). The Initial Proposal Paper will be used by Group Strategy to consider the proposal in conjunction with the Group Chief Executive/Group Finance Director and with other Group executives at the Group Chief Executives Advisory Group (GCEAG). At this stage the proposal may be completely declined, declined subject to the provision of further information, approved (within Executive Director expenditure limits) or approved in principle and recommended for further detailed consideration by the GCEAG and/or the Group Executive Management Committee (GEMC) and/or the Group Board according to the relevant levels of delegated authority. Preliminary discussions with any of the contacts provided later in this paper in Group Corporate Finance, Group Transactions & Projects, Group Corporate Strategy and Group Projects is encouraged. Detailed Procedure 1. An Initial Proposal Paper (see Appendix 2 for pro forma) should be completed and approved by the relevant divisional Chief Executive/Managing Director/Finance Director as soon as sufficient information in relation to the relevant proposal (see Note 2 below) is available. Group Corporate Finance and Group Transactions & Projects will assist in the preparation of the Initial Proposal Paper (see contact details set out below). The Initial Proposal Paper should be e-mailed to the Group Director Strategy for confirmation and sign-off that the proposal is consistent with Group strategy and, for information, to the Head of Group Corporate Finance, the Head of Group Transactions & Projects and the Head of Group Projects. When the confirmation and sign-off referred to in 2 above has been obtained the divisional Chief Executive/Managing Director/Finance Director should forward the Initial Proposal Paper to the Group Chief Executives Office for confirmation of (a) if, and (b) when, it can be submitted to the GCEAG which meets daily at 9.30 a.m. Until a GCEAG decision has been taken, no further action in relation to any proposal should be taken. As soon as an initial decision has been reached (which in the case of an approval will generally be an approval in principle only), it will be verbally communicated to the relevant sponsor together with an explanation of the authority conferred at this stage and details of how it should be managed on an ongoing basis.

2.

3.

4.

5.

6. /

5-6

6.

If an Initial Proposal Paper is declined, the reason will be explained. If a decision cannot be taken at this stage without further information, the nature and extent of the required information will be explained which, when available, should be incorporated into an updated Initial Proposal Paper. In the case of an Initial Proposal Paper which is approved in principle, the sponsor will be informed at this stage of the formal approval channels which will require to be followed (see paragraph 8 below), the scope of the approvals which should be sought and of the nature and extent of the more detailed information which will require to be submitted as part of that process. Once an Initial Proposal Paper has been approved in principle a detailed paper (a Detailed Proposal Paper) (see Appendix 3 for pro forma) will, unless the GCEAG determines otherwise, require to be prepared for consideration by the GCEAG and/or the GEMC and/or the Group Board. The decision as to which forum (or which combination of forums) a proposal will require to be considered by will be determined by reference to its materiality from both a strategic and a financial perspective. From a financial point of view the levels of authority which have been delegated to these bodies is likely to mean that proposals will be referred as follows:(a) (b) (c) Consideration/initial investment <25m: Consideration/initial investment 25m-<100m: Consideration/initial investment 100m or more: GCEAG GEMC Group Board

7.

8.

9.

When an Initial Proposal Paper has been approved in principle the sponsor will also be informed whether or not the proposal will require to be managed on a centralised basis under the guidelines for Project Control Committees (see paragraphs 10 and 11 below) (which will involve active, direct, day-today involvement of individuals from Group central functions) or whether it can be managed by the relevant subsidiary/division on a devolved basis (which is likely to involve individuals from Group central functions having a watching brief over the transaction and structured periodic input in relation to it). If a transaction is to be managed on a centralised basis, the General Counsel and Group Secretary and/or the Group Director, Strategy and/or the Head of Group Corporate Finance and/or the Head of Group Transactions & Projects will discuss with the relevant sponsor the formation of a project team, a meeting of which should be convened by the sponsor as soon as possible thereafter. The project team will then be responsible for the on-going management of the project with particular responsibility in relation to the following: (a) the instruction and use of external professional advisers (see Note 3 below);

10.

11.

(b) /

5-7

(b) (c) (d) (e) (f) (g) (h) (i) (j) (k)

legal, accounting, valuation, tax, strategic and business considerations; information exchanges; confidentiality undertakings; on-going approvals; board and committee papers; due diligence check lists; the due diligence process; the negotiation process; legal documentation; developing business operating models and implementation plans (including dates and responsibilities ) which support and deliver the proposed benefits; assessing the financial impact of transactions for input into divisional and Group budgeting processes; regulatory considerations and clearance applications; internal and external communications including Stock Exchange announcements and press releases; and management and control framework (both existing and going forward).

(l )

(m) (n)

(o) 12.

In the event that a subsidiary/division has been authorised to manage a proposal on a devolved basis, the sponsor must ensure that input in relation to the issues referred to above (particularly regulatory issues and the preparation of a Detailed Proposal Paper) is obtained from the nominated individuals in Group central functions who will have a watching brief in relation to the transaction. After the completion of a transaction it will be necessary for the relevant division to: (a) immediately agree with Group Secretariat the manner in which a new business will be integrated into the Groups high level control framework; as soon as practical, explain the manner in which areas of concern identified in the due diligence process have been resolved;

13.

(b)

(c) /

5-8

(c)

as soon as practical, explain the way in which the new business has been integrated into the Groups management framework; and schedule periodic meetings with Group Projects to discuss progress being achieved against the plans and projections referred to in paragraphs 11(k) and (l) above.

(d)

(See Appendix 4 for a flowchart of the procedure.)

Contact Names Miller McLean Group Secretary and General (T): 0131-523-2223 (Ext. 22223) Counsel (F): 0131-626 2997 (e): miller.mclean@rbs.com Group Director, Strategy (T): 0131-523-4164 (Ext. 24164) (F): 0131-626 0550 (e): iain.allan@rbs.com Head of Group Corporate (T): 0131-626 4045 (Ext. 264045) Finance (F): 0131-626 3091 (e): calum.osborne@rbs.co.uk Head of Group Transactions (T): 0131-626 3936 (Ext. 263936) & Projects (F): 0131-626 3326 (e): eric.tough@rbs.co.uk Head of Group Projects (T):0131-626 3994 (Ext. 263994) (F): 0131 626 3300 (e): brian.mccrindle@rbs.co.uk Personal Assistant to the (T):0131-523-2203 Group Chief Executive (F):0131-523 5812 (e): mary.mccallum@rbs.co.uk

Iain Allan

Calum Osborne

Eric Tough

Brian McCrindle Mary McCallum

Note 1: It is recognised that a number of businesses within the Group utilise or participate in joint venture structures (e.g. special purpose vehicles, back office/delivery platforms) which although they are, as such, outside the ordinary course of the Groups business are non-strategic in nature. Nevertheless, such proposals should, as soon as sufficient information is available, be raised verbally with the Group Transactions & Projects and/or Group Corporate Finance for confirmation as to whether or not the Procedure applies and to enable any issues (e.g. regulatory) which may be relevant from a Group perspective to be identified. Note 2: A confidentiality agreement/undertaking may require to be entered into by a subsidiary/division prior to the stage of completing a proposal form. If this is the case, Group Transactions & Projects, MUST be contacted for advice in relation to the format and content of the agreement/undertaking PRIOR to its execution. In /

5-9

In addition, in the case of transactions which are sufficiently material from a strategic and/or financial perspective a confidentiality register and, in some cases, a dealing ban on affected listed securities may be put in place. Part of this process involves relevant individuals formally acknowledging, in accordance with the FSAs market abuse regime, their legal and regulatory duties (and related sanctions) in relation to the possession of inside information. Appendix 5 explains in more detail how, and in what circumstances, these operate. Note 3: Regardless of whether or not a transaction is one which is to be managed on a centralised basis, no external advisers (e.g. solicitors, investment banks, reporting accountants, actuaries) should be approached without first conferring with Group Corporate Finance and Group Transactions & Projects so that the most appropriate appointees can be identified and, where necessary, a recommendation made to the Group Executive for its approval.

5-10

APPENDIX 1 INITIAL STAGE GROUP FUNCTIONS Group Corporate Finance The primary role of Group Corporate Finance is to support the Group Executive Management Committee on the financial aspects of strategic transactions and to prepare regulatory capital forecasts. The department has a secondary role which is to support Divisional finance teams and Executives. Detailed responsibilities in the context of the Groups Acquisitions & Disposals Procedures include the following: Assisting the project management process on behalf of Divisions/ Group (if required) Performing initial high level review and challenging Divisional forecasts for acquisitions and joint ventures ahead of detailed review by Group Projects Evaluating structural and funding options from a Group perspective Appraising valuation in accordance with Group practice Assisting in due diligence planning with a primary focus on the financial aspects Ensuring that there is a system in place to identify and track risks and issues, where necessary Assessing impact on key financial indicators and ratios from a Group perspective Assessing impact on Group and Bank regulatory capital ratios Assisting in drafting of Group Board/ GEMC/ GCEAG/ Executive briefing papers as required Assisting on the financial aspects of contract negotiation if required Ensuring that where risks / issues are identified in due diligence that these are communicated to the division for inclusion in the operational plan , where necessary Group Transactions & Projects The Group Transactions & Projects is an in-house legal department which provides legal support to the Directors and Senior Executives of the Group (and, as required, of the Divisions) in relation to the planning, negotiation, documentation, and on-going legal and regulatory aspects of strategic corporate transactions and projects In the context of the Group Acquisitions and Disposals Procedure the Group Transactions & Projects is responsible for: Assessing legal, regulatory and structural issues Assisting in the project management of transactions/project which the Group Executive determine should be managed centrally Co-ordinating and conducting legal due diligence reviews Providing advice and assistance in relation to all internal approval processes Assisting /

5-11

Assisting in the preparation and submission of regulatory notifications and clearances Assisting with the negotiation, drafting and conclusion of legal agreements Providing advice and assistance in relation to the preparation of shareholder circulars, company announcements and other public documentation Instructing and managing of the groups external legal advisers. Group Strategy In relation to Group corporate transactions and projects, Group Strategy is responsible for: Assessing the strategic rationale for proposed acquisitions, disposals or joint ventures to enable the Group Executive to make informed decisions Preparing operational, financial and other background information to inform the Group Executive of key issues Liasing with Group departments and Divisions to consider and resolve strategic issues as the transaction progresses Liasing with the Groups investment banking advisers to ensure appropriate support is provided Assisting with the preparation of GCEAG, GEMC and Group Board papers In relation to Divisional transactions and projects, Group Strategy is responsible for: Reviewing proposed transactions to validate their strategic rationale and to ensure consistency with Group strategy and the strategies of other Divisions Assisting with the preparation of GCEAG, GEMC and Group Board papers Group Projects Group Projects is responsible for : Assisting in the development of a robust operating model for the proposed business, which supports the proposed transaction benefits and is consistent with strategic objectives Assisting in the development of robust project plans for the transaction and operating model implementation which are consistent with the proposed benefits In conjunction with Group Finance, ensuring the transaction costs and benefits are correctly reflected in Group and divisional budgets Managing ongoing reporting of progress against agreed targets following completion of the transaction

5-12

APPENDIX 2 INITIAL PROPOSAL PAPER

Group Chief Executives Advisory Group [Day][Month][Year] [Project Codename]

1.

Name of Subsidiary/Division Submitting Proposal: ..............................................................................

2.

Name of Individual Sponsor within Subsidiary/Division: ........................................................................................

3.

Describe in Outline the Nature of the Proposal: This should comprise a brief description of what is proposed including, if appropriate, the identity of the buyer/seller/partner.

4.

Explain the Core Strategic Rationale for the Proposal: This should comprise a high level explanation of the market plus details of how the proposal fits with the Group's strategy.

5.

Provide High Level Financial Information relating to the Proposal: This should include the price range and a brief financial forecast.

6.

Process/Authority This should summarise the proposed process and timetable for the transaction through to completion and explain the authority being asked for at this stage.

Note: This paper has been signed-off by the Group Director, Strategy.

5-13

APPENDIX 3 DETAILED PROPOSAL PAPER

[GCEAG]/[GEMC]/[Group Board] [Day][Month][Year] [Name of Sponsoring RBS Division/Subsidiary] [Project Codename]

[ ].

Introduction This should explain the manner in which the proposal/opportunity has been brought to/initiated by the relevant division.

[ ].

Background This should explain any high level/general background in relation to the relevant RBS Group Division and/or the counterparty and/or the company/business which is the subject of the transaction which has led to the proposal/opportunity arising.

[ ].

Profile This should provide a brief description of the company/business which is the subject of the transaction.

[ ].

The Proposal This should include some general background information providing details of what is proposed (e.g. what is to be acquired/ sold/invested in and the percentage interest the RBS Group will acquire/sell/retain), the identity of the buyer/seller and the intended completion date.

[ ].

Strategic Rationale This should include details of the market and, if relevant, implications of competition, plus details of why the proposal is consistent with the Group's strategy.

[ ].

Financial Information Where appropriate this should include, highlights from the latest published accounts of the relevant company/business and any financial forecasts or other relevant financial information in the relation to the company/business and the relevant RBS Group division. If /

5-14

If this requires the presentation of detailed financial/statistical information this material should be presented (where appropriate/possible) in tabular format and attached as an appendix/appendices. [ ]. Valuation/Price This should comprise details of the proposed price range, the basis of calculation (including alternative and preferred methods) and an explanation of how the consideration will be satisfied (e.g. cash/non-cash, will it be paid at completion, will any be deferred?). [ ]. Funding This should explain how the consideration will be funded (cash/intra-group lending/shares/loan notes). [ ]. Financial Impact on the Group This should explain the overall financial impact of the transaction on the relevant RBS Group division or, if of a sufficient level of materiality, on the RBS Group as a whole. [ ]. Process This should explain any particular features of the process for executing the transaction (e.g. public offer/private offer/controlled auction/one-on-one negotiation) [ ]. Timetable This should explain the anticipated timetable for executing the transaction and highlight any particular issues/events, particularly those outside of the control of the RBS Group, which could impact on this. [ ]. Due Diligence This should confirm the outcome of any preliminary due diligence already carried out, explain the detailed due diligence process which will take place going forward and explain any particular areas/issues on which the exercise will concentrate. [ ]. Key Contractual Issues This should explain any known/anticipated contractual issues/provisions which are likely to be significant in the context of the transaction this should include any provisions which could have a particular commercial impact on the RBS Group (e.g. restrictive covenants/non-competes) or have a particular financial/risk element (e.g. specific indemnities). [ ]. Regulatory Issues /

5-15

[ ].

Regulatory Issues This should explain the regulatory regime/framework within which the company/business which is the subject of the transaction operates, it should identify the regulatory notifications and/or approvals and/or licences which will have to be given/obtained to execute the transaction and it should highlight any particular regulatory issues/difficulties which might be encountered. To the extent not covered in the strategic rationale, this should also identify any anti-trust/competition law notification/clearances which may have to be given/obtained and should explain any particular difficulties anticipated.

[ ].

Structure This should include details of the proposed structure for the transaction (e.g. acquiring/selling shares or a business, existing RBS Group entities which will be parties to the transaction and the use of SPVs), how it will affect the RBS Group corporate structure. Any pre- or post-completion restructuring requirements should also be explained.

[ ]

Management and Control This should explain (a) to the extent possible at this stage, the existing management and control regime for the business to be acquired, (b) how it will be integrated into the RBS Groups management and control framework postacquisition and (c) any issues arising from this and how they will be resolved.

[ ].

Taxation This should highlight any particular taxation issues which could arise in connection with the proposal and the way it will be structured.

[ ].

Conclusion and Recommendation This should explain why the relevant business division considers the proposal to be in the best interests of the RBS Group and should contain the express recommendation of the Divisional Chief Executive/Managing Director. In addition, the Divisional Chief Executive/Managing Director is likely to be required, as part of this recommendation, to provide confirmation in relation specifics such as: (a) (b) (c) (d) the scope of the due diligence exercise; his/her review of the due diligence findings; the manner in which due diligence issues have been/will be addressed; /

5-16

(d)

the absence of any issues which have not been brought to the boards/committees attention which are relevant to the proposal; the achievability of the financial projections which form the basis for the recommendation.

(e)

[ ].

Approvals Requested This should set out the specific approvals being requested from the forum to which the proposal is being presented.

[Name of Proposer] [Title of Proposer] [Day] [Month] [Year]

5-17

APPENDIX 4 PROCEDURE FLOWCHART

Process:

Division Originates Proposal

Initial Proposal Paper prepared by Division

for approval

Group Chief Executive / Group Finance Director and then to the GCEAG

Acquisition/Disposal proceeds with involvement of: Group Corporate Finance Group Transactions & Projects Group Strategy Group Projects

Detailed Proposal Paper for : GCEAG GEMC Group Board as appropriate

Sign offs required:-

Divisional Chief Executive

Group Strategy And for information to: Group Corporate Finance Group Transactions & Projects Group Projects Format as per Group Acquisitions and Disposal guidelines GCEAG approval required to proceed to next stage External advisors only to be appointed on GCEAGs agreement Full consultation with Group Strategy, Group Transactions & Projects, Group Projects and Group Corporate Finance required

Minute of appropriate meeting of GCEAG

Minute of appropriate meeting of GCEAG/GEMC/ Group

Notes:-

Divisional Chief Executive to determine fit with Divisional Strategy

Project Control Committee established with Group representation Group Transactions & Projects, Group Corporate Finance and Group Projects involved in all steps of Project through completion Other departments (e.g. Group Tax, Group HR, Group Risk, Group Communications involved as necessary)

Required prior to final approval of transaction Sign-off required from all relevant Group areas Divisional Chief Executive to ensure Paper has prior approval of Group Chief Executive

5-18

APPENDIX 5 CONFIDENTIALITY AND SHARE DEALING REGISTER Introduction RBS maintains a confidentiality and share dealing register. This records RBS group personnel who are engaged in strategic transactions and other matters which are material in the context of RBS and/or involve the distribution/awareness/possession of sensitive information. RBS maintains procedures supporting this register, which are set out below and which ensures that: 1. 2. 3. confidentiality in relation to RBSs affairs is maintained; legal/contractual obligations of confidentiality to third parties are adhered to; dealing in securities or other inappropriate conduct by RBS personnel in possession of sensitive information affecting those securities is avoided.

Dealing in securities is permitted subject to permission as usual until commencement of Stage 2 below. However, even prior to Stage 2, individuals and their approving managers will need to give particular thought in any given situation as to whether an application to deal will invite reputational or perception risk. All personnel subject to these provisions are encouraged to obtain guidance at any stage from the General Counsel and Group Secretary (or his nominee) or the Head of Group Regulatory Risk. Implementation The register is maintained on a case-by-case basis and is implemented in relation to specific transactions/matters on the instruction of the Group Chief Executives Advisory Group (GCEAG) in relation to strategic transactions, this will usually happen when RBS has entered into a formal non-disclosure/confidentiality agreement but sometimes before this stage if there is a serious possibility of a material transaction taking place. RBS personnel whose names are placed on the register will be sent written notification and this will usually take place on a two-stage basis. Stage 1 : Confidentiality Letter This will confirm to each individual that their name has been placed on the register for a specific project/matter, stress the need for all information in relation to it to be treated as highly confidential and provide practical guidance on how such information should be handled. Stage 2: /

5-19

Stage 2 : Share Dealing Letter In relation to projects of sufficient materiality a letter will be issued that will confirm that the transaction/matter has reached a stage (e.g. preferred bidder status having been granted in a controlled auction process) where the probability of it proceeding or impacting on RBS or another public company is such that it is either: (a) (b) relevant for the purposes of the FSA Code of Market Conduct; or inside information for the purposes of the Criminal Justice Act or the Financial Services and Markets Act;

and that until further notice, individuals on the register in relation to that transaction/matter are prohibited from dealing in the securities of RBS and/or those of any other relevant entity (e.g. those of a target business or its holding company). At this stage individuals will be asked to formally acknowledge their legal and regulatory duties (and the sanctions attaching to breaches thereof) in relation to the possession of inside information. Combined Confidentiality and Share Dealing Letter In limited circumstances the immediacy of an event or the extreme materiality of a matter (e.g. an opportunistic hostile bid, unexpected material events outside of RBSs control) will require the GCEAG to impose a dealing ban as soon as a confidentiality register is set up. In these circumstances, combined stage 1 and stage 2 letters will be issued.

6-1

6.

ASSET AND LIABILITY MANAGEMENT

The Group Asset and Liability Management Committee (GALCO), a subcommittee of the Group Executive Management Committee ("GEMC"), is responsible for identifying, managing, and controlling Group balance sheet risks in executing its chosen business strategy. These risks are managed by setting limits and controls across the dimensions of capital, funding and liquidity, intra-group credit exposures and non-trading interest rate, equity exposure and foreign currency translation risks. GALCO is also responsible for authorising own asset securitisation transactions. Group Treasury is responsible for managing the Group Balance sheet, operating independently of the Groups businesses and in accordance with the GALCO policy and direction. The Financial Services Authority (FSA) and overseas regulators, where relevant, carry out the prudential supervision of all authorised firms and the Group at a consolidated level, including monitoring the adequacy of a firms capital, liquidity and systems and controls. Firms are required to submit regular capital adequacy, liquidity and intra-group exposures returns to the FSA (and overseas regulators) for supervisory assessment. 6.1 Capital Adequacy

It is the Groups policy to maintain a strong capital base, to expand it as appropriate and to utilise it efficiently throughout its activities to optimise the return to shareholders while maintaining a prudent relationship between the capital base and the underlying risks of the business. In carrying out this policy, the Group has regard to the minimum supervisory requirements of the FSA and other considerations such as overseas regulators, rating agencies, peer group and market expectations. The FSA uses the Risk Asset Ratio (RAR) as a measure of capital adequacy in the UK banking sector, comparing a banks capital resources with its weighted risk assets (the assets and off-balance sheet exposures are weighted to reflect the inherent credit and other risks); by international agreement, the RAR should be not less than 8% with a tier 1 component of not less than 4%. The FSA also sets requirements relating to margins of solvency (i.e. the excess of the value of assets over the amount of liabilities) for companies carrying out insurance business. This requires them to submit regular returns covering reserves and solvency. The Groups policy is to maintain capital at an appropriate level for the consolidated Group and in each firm in the Group at each level at which regulatory capital requirements apply, to ensure that the Individual Capital Guidance (ICG) set from time to time by the FSA (or similar ratios set by non-UK regulators) is breached. To achieve that, it is the Group's practice to maintain operational checks to prevent an accidental breach in capital ratios. All /

6-2

All authorised institutions in the Group are required to ensure that their RAR exceeds the ICR at all times. They are also required to monitor and report regulatory capital and Risk Weighted Asset ("RWAs") positions on a frequent basis to minimise the risk of a breach. The level and appropriateness of the capital buffer applied to the ICR will be reviewed by GALCO, and reset as considered appropriate, no less frequently than annually. Ad hoc reviews of specific institutions may be undertaken from time to time where significant changes in the underlying business warrants it. Papers are submitted to the Group Board half-yearly which show comparisons of the capital adequacy ratios of the Group with those of the major clearing banks and provide commentaries on the adequacy of the Group's ratios, particularly its RAR. A strong emphasis is placed on the allocation of capital to the various business areas of the Group. Targets are set during the strategic planning process and the annual budgetary control exercise and progress is regularly monitored against plan. 6.2 Funding and Liquidity

The GEMC/GALCO are responsible for defining and approving the Groups liquidity policy and setting acceptable parameters and risk limits. The Groups liquidity policy is subject to annual, or more frequent as appropriate, review and a copy of the policy is provided to the FSA when material changes are made. Overall responsibility for liquidity management within the Group lies with the Group Treasurer. Group Treasury, which reports to the Group Treasurer and, through him, to the Group Finance Director, provides full technical support to the GEMC/GALCO in respect of liquidity policy and its implementation and control. Through the medium of the Group Liquidity Managers, who meet weekly, Group Treasury maintains a close working relationship with the Global Head of Money Markets, Global Banking and Markets (GBM) and his staff, who have principal responsibility for the management of daily cash flows. The Group Treasurer has responsibility for controlling and monitoring the Group's liquidity risk, bringing to the attention of the Group Finance Director and Group Executive immediately any situation which would threaten to take the Group beyond the limits set by the GEMC/GALCO. The previous weeks Stock and Mismatch liquidity positions are reported to the Group Chief Executive's Advisory Group each Monday. Monthly liquidity reports are also submitted to GALCO and the Financial Services Authority, and monthly summary reports to the Group Board. To enable compliance with GEMC/GALCO policy and limits set, each liquidity reporting unit within the Group is required to have in place appropriate controls and reporting capabilities over its outflows, inflows, undrawn commitments and other contingent liabilities, and holdings of marketable assets, in line with the Group's liquidity policy. Compliance /

6-3

Compliance is monitored daily by Group Treasury in respect of all Group companies which are consolidated for liquidity purposes. Daily monitoring does not take place in respect of the liquidity positions of Citizens Financial Group, Inc. or the Group's insurance companies. The latter entities are subject to separate regulatory liquidity treatments and their compliance is reviewed periodically. In accordance with the Group Liquidity Policy, GALCO also reviews and monitors the Groups structural liquidity position and its range of funding sources and receives liquidity stress reports from Group Treasury. 6.3 Intra-Group Credit Exposures and Integrated Group Membership Policy

GALCO is responsible for defining and approving the Groups policy in respect of the control of intra-group credit exposures. GEMC is responsible for defining and approving the related Integrated Group Membership Policy. Copies of both policies have been provided to the FSA. Overall responsibility for the management of intra-group credit exposure and compliance with Integrated Group criteria lies with the Group Treasurer. All intragroup funds flows and exposure limits are controlled day to day by Group Treasury, liaising as necessary with the relevant operational business units across the Group to ensure that FSA regulatory requirements and the above policies are strictly observed. Each operational business unit is responsible for controlling utilisation within the approved limits as part of their normal credit control processes. Intra-group limits are subject to annual GALCO approval as an integral part of the Groups budget planning process, and Group Treasury ensure that the limits requested are consistent with the broader budget plans submitted for GEMC approval. If the limit requirements of a Group company change subsequent to the annual budget process, intra year amendments may be approved by Group Treasury within authorised limits mandated by GALCO or are submitted to GALCO for approval if above those levels. The above controls apply fully to limits required in relation to parental guarantees, risk sharing agreements and other contingent intra-group exposures. In addition to the role of Group Treasury in approving and controlling all such exposure, the Group Secretariat is responsible for the approval and annual review of all parental guarantees. Reports are provided monthly to GALCO and quarterly to the FSA on overall intragroup limits compared with sectoral and concession limits agreed with the FSA. All intra-group limits approved within Group Treasurys mandated authority are also reported monthly to GALCO. 6.4 Non-Trading Interest Rate and Foreign Currency Risk

The objectives of the Groups Non-Trading interest rate risk (NTIRR) management policy are:1. /

6-4

1. to manage the overall interest rate risk of the Group by: minimising the sensitivity at product, balance or business level of net accrual accounted earnings to changes in benchmark interest rates. ensuring that interest rate risk arising in business units is transferred to the market or managed efficiently and effectively by a designated treasury function within approved limits.

2. to undertake required hedging in a manner that, as far as is practicable, minimises potential volatility in the Groups p&l due to the fair value accounting of derivatives. 3. To ensure compliance with evolving regulatory NTIRR requirements is maintained within each jurisdiction in which the Group operates, including requirements set out as part of an Internal Capital Adequacy Assessment Process [ICAAP].

This policy applies to the Non-Trading Books and Insurance Businesses of the Group, except for: Money markets businesses which generate profits from deliberate positioning for movement in short term interest rates and are subject to daily risk controls. These businesses are covered by the Group Market Risk Policy Statement. Citizens Financial Group does not manage NTIRR with the objective of minimising accrual accounted earnings sensitivity. It is managed by a professional treasury function which optimises yield, whilst staying within approved limits. RBS Insurance will seek to minimise sensitivity of income to the extent that the objective does not conflict with other key requirements such as solvency.

Risk limits must be agreed with Group Treasury at product or business level as appropriate. Business Units must report their positions by currency to Group Treasury on a monthly basis. Positions managed by Group Treasury must be reported to Group Market Risk to ensure independent control. A consolidated Group position is included in mandatory regulatory and statutory disclosures. The Group Asset and Liability Management Committee [GALCO] will review overall Group positions and Business Unit excesses on a monthly basis. The principal aim of the foreign currency exposure policy is to minimise the Groups exposure to foreign currency risk outside established foreign exchange trading businesses. It covers three main categories of foreign currency exposure: The / Structural foreign currency exposures Transactional foreign currency exposures Foreign currency profit streams

6-5

The Group will also seek to minimise accounting profit and loss volatility, where practicable, at both legal entity and Group consolidated levels, The key requirements of policy are (i) structural foreign currency exposures should be match funded (i.e. funded in the same currency as the functional currency of the investment), save where doing so would materially increase the sensitivity of either the Groups or a subsidiarys regulatory capital ratios to currency movements; (ii) transactional/commercial foreign currency exposures should be match funded within de-minimis limits; (iii) Foreign currency profit stream should either be quarterly remitted to/ from the branch head office and exchanged for the functional currency of the parent (Overseas branches) or exchanged for the relevant functional currency on a monthly basis (domestic branches) Structural foreign currency exposures and any exceptions to policy are reported to GALCO and the Board. 6.5 Own Asset Securitisation

The Groups own asset securitisation programme is a diversified funding and balance sheet management initiative. GALCO is responsible for setting the strategy to meet Group targets, and for authorising individual own asset transactions. All own asset securitisation is controlled by the Programme Executive Board and managed on a day-to-day basis by Group Treasury. Own asset securitisations arise primarily out of the need to manage and diversify the Group funding mix, in response to centrally-set targets. Securitisation is a useful risk distribution tool and provides liquidity in the market. Hitherto, securitisation opportunities have consisted mainly of credit card portfolios, residential mortgages and commercial property loans, but the Groups balance sheet is continually being reviewed for other potential securitisable assets. Potential asset pools are reviewed to assess the quality of assets for suitability for securitisation and, if appropriate securitisations are then pursued in conjunction with the GBM Securitisation Front Office, plus appropriate support functions. With own asset securitisations, systems changes may be required to support the planned structures and these are also managed as part of the individual initiatives.

7-1

7. 7.1 7.1.1

Risk Management Governance The Group Board and Senior Committees

The Group Board of Directors sets the overall risk appetite, with the risk and capital framework underpinning the delivery of the Board's strategy. Advances Committee (AC) is a sub-committee of the Board. AC has unlimited credit authority, with its membership and authorities approved by the Board. AC deals with credit transactions that exceed the Group Credit Committee's delegated authority. The Group Credit Committee approves (or recommends to Advances Committee when requirements are in excess of their authority) those customer limits which are beyond the authority of Divisional credit committees. The credit authority and membership of the Group Credit Committee is approved by GEMC. Group Executive Management Committee (GEMC), an executive committee, ensures that implementation of strategy and operations are in line with the agreed risk appetite. Group Risk Committee (GRC) is a sub-committee of GEMC. It recommends and approves (subject to delegated authority from GEMC) limits, policies, processes and procedures to enable the effective management of risk across the Group. Its remit includes all credit risk, market risk, operational risk, compliance and regulatory risk, enterprise risk and country risk affecting or likely to affect the Group. 7.1.2 RBS Risk Management

In addition to these Committees, the Group has an independent risk management function (RBS Risk Management) responsible for ensuring there is an appropriate risk governance framework implemented on a Group wide and Divisional basis and that day-to-day risks are managed within this framework. The Group Chief Risk Officer leads this function through the strategic setting and execution of its responsibilities and reports directly to the Group Finance Director. At a Divisional level, the Group Chief Risk Officer is supported by the Divisional Chief Risk Officers who each have a direct functional reporting line to the Group Chief Risk Officer. As such the Group Chief Risk Officer has a direct involvement in the selection, appointment or removal of the Divisional Chief Risk Officer(s) as well as responsibility for their on-going performance assessment and management. The Divisional Risk Management departments typically focus on credit, market, operational and regulatory risk, together with insurance risk where appropriate to the business activities. The oversight of these departments is undertaken by the appropriate Group Risk function (e.g. Group Credit Risk for the credit risk discipline). This oversight involves ensuring /

7-2

ensuring that:

All activities undertaken by the individual Divisions are consistent with the Groups risk appetite. Group policies and resulting operating frameworks, including delegated authorities and limits, are complied with through effective monitoring and exception reporting. There is the effective operation of Group-wide risk processes such as the Group Credit Committee process and Group New Product Approval Process.

Liquidity risk and the day-to-day management of liquidity and funding of the book is the responsibility of Group Treasury which is covered in Chapter 6. The Group functions have a role to advise on any systemic risk issues which may impact on liquidity and contribute to their management. 7.2 Credit Risk

Credit Risk arises from the potential that RBS group will incur losses from the failure of a customer or other debtor to meet its credit obligations. Effective management of credit risk requires an appropriate Credit Risk Management Framework (CRMF), meaning the governance structures, policies, procedures and infrastructure established to support the management of credit risk, and a strong credit culture. 7.2.1 Group Credit Risk Policy and Policy Standards Group Credit Risk is responsible for the development of the Group Credit Risk policy and supporting policy standards and procedures. These documents set out the requirements for establishing and maintaining the CRMF, the approval of credit risk transactions and the management of credit risk at customer and portfolio level throughout the period that the bank is at risk. In setting and executing these requirements, due recognition is given to the need to ensure that other risks, such as operational and reputational risk from taking on credit risk are recognised and effectively managed, that all relevant laws and regulations are complied with and that customers are treated fairly. The Group Credit Risk policy is approved by GEMC, with supporting policy standards approved by the GRC. The policy and policy standards are subject to continuous review. Group Credit Risk is responsible for seeking confirmation from Divisions that they are compliant with rules set out in the Group Credit Risk policy and supporting policy standards. When compliance will take some time, the requirements of the Group Credit Risk Exemptions and Exceptions policy standards must be complied with and progress /

7-3

progress towards compliance regularly reviewed and reported to Divisional credit risk management, relevant Risk Management Committees and Group Credit Risk, as appropriate. The Divisional Credit Risk departments have credit risk policies which are consistent with the Group Credit Risk policy and supporting policy standards, and which are appropriate for the size and nature of the credit risks faced by their Divisions, business units and subsidiaries. Divisional credit risk policies are approved by the relevant Divisional Risk Management or Credit Policy Committee or duly authorised individual. 7.2.2 Credit Risk Authority

The approval of an individual credit risk proposition requires assessment of the customer, any existing credit risk exposure to the customer and the credit risks associated with the transaction, at the same time taking into account the reward being offered for the risk and the extent of the risk mitigation available to offset the potential loss in the event of default. Credit authority is granted to designated individuals who have the appropriate experience, seniority and judgement to exercise either on a personal basis or in conjunction with other individuals in a duly authorised credit committee. Full details are set out in the Group Credit Risk Authority policy standards. In summary: Advances Committee has unlimited credit authority. Its credit risk authority, chairs and members are approved by the Group Board of Directors. GEMC approves the credit risk authority, chairs and members of the Group Credit Committee. GRC approves the credit risk authority of Primary Divisional credit committees. Divisional Chief Executives, in conjunction with the Divisional Head of Credit, approve the chairs and members of Primary Divisional credit committees subject to the explicit non objection in writing / e-mail of the Group Chief Credit Officer. Divisions through the Divisional Chief Executive in conjunction with the Divisional Head of Credit may delegate a subset of the Divisional credit authority to sub-committees or individuals. This is subject to the explicit nonobjection of the Group Chief Credit Officer. Provisioning

7.2.3

Where recovery, of all or part of amounts due, is in doubt, a provision is made to ensure that balance-sheet values fairly reflect current credit losses. The Groups policy standards for provisioning require agreed methodologies to be used that are aligned with applicable accounting and regulatory requirements and which take into account the amount and timing of expected cash flows, including the realisation of any credit risk mitigation, and the costs of recovery. Within the Groups Divisions, responsibility for the implementation of these policy standards /

7-4

standards and the reporting of appropriate provisions rests with the Divisional Heads of Credit and Finance Directors. Oversight of this is undertaken through the Provisions Adequacy Committee. At this quarterly Committee, the Divisions assert that Impairment Provisions are adequate and represent the full provision requirement. Challenge is provided by the Group Finance Director, the Group Chief Risk Officer, the Group Chief Credit Officer and the Group Chief Accountant. A semi-annual report is presented by Group Credit Risk to the Group Audit Committee on the adequacy of provisions. 7.3 7.3.1 Market Risk Market Risk Management Principles and Objectives

Effective management of market risk requires that all relevant staff within RBS Group are aware of:

The Groups market risk appetite. The measures used to quantify and limit risk to within that appetite. Their responsibilities to capture and validate market risk data. Their responsibilities to manage risk exposures within limits, and to escalate either breaches of these limits or potential issues with the market risk management framework.

Where RBS group incurs market risk, business units are required to endorse and comply with the requirements of the Groups Market Risk Policy Statement (MRPS). Adequate procedures must be in place to ensure compliance with the MRPS. The main objectives and responsibilities of Group Market Risk are the identification, measurement, monitoring, analysis and reporting of the market risk generated by the various businesses on an independent, timely and consistent basis. This is to allow the alignment of the market risk taken by the Group with the risk appetite articulated by GEMC. The main practical tools to effect this are the delegated authorities, the limits and discussion triggers, independent model valuation, a robust and efficient risk system and timely and accurate management information. It is also the responsibility of Group Market Risk to ensure that the quality of market risk management, controls and processes in the businesses allow effective risk control and compliance with internal and external requirements. 7.3.2 Delegation of Risk Tolerance The overall risk appetite of the Group is set and agreed at Group Board level. This risk appetite expresses the Group's tolerance for losses for a given level of expected trading revenues. It is communicated by the Group Board to the GEMC. GEMC /

7-5

GEMC sets the consolidated market risk limits for the Group, in particular the RBS group-level trading book Value at Risk (VaR) limit and market risk stress test limit. The Group-level market risk limits are set out in the MRPS, together with the toplevel market risk limits for each division. GRC sets the high level VaR and stress testing limits for business lines with material market risk. The authority to further allocate these limits to individual trading businesses and desks is delegated to the Divisional Heads of Market Risk. The processes by which this is done are set out in the relevant divisional market risk policies. GRC also reviews material concentrations of market risk exposure, including as part of this the requirement for the assessment of appropriate stress tests designed to quantify the particular exposure of concern. The committee will escalate issues to the GEMC as it deems appropriate. It is the responsibility of all relevant business and risk management staff to maintain the market risk exposures within limits. Requests to change the Groups market risk limits, or notifications of breaches of these limits must be communicated in accordance with the requirements of the MRPS. 7.3.3 Operational Structure for Market Risk Management Unless otherwise authorised by the Group Head of Market Risk, the Divisional Head of Market Risk must have a reporting line to the Divisional Chief Risk Officer, or the Group Head of Market Risk. As part of the divisional risk assessment and control assessment process, Group Market Risk reviews the level and experience of resource in the divisional market risk functions. 7.3.4 Risk Management Tools

Effective management of market risk requires a variety of tools. The most significant tools used at Group level are summarised below: VAR reporting. The Groups primary market risk limits are based upon VaR. A programme of daily, weekly, monthly and quarterly checks are undertaken to validate the Groups VaR reporting. In addition to the requirement for accurate internal management data, the VaR utilisation is used to calculate the Groups market risk capital for modelled products under a waiver agreed with the FSA. Consolidated stress testing reports. These are run for all trading businesses on a daily basis. The scenarios used are reviewed frequently to ensure that they remain relevant to the Groups trading exposures. Material concentrations of risk under stress scenarios are escalated to GRC. Strategy-level /

7-6

Strategy-level stress reports. For each material concentration of market risk, including those not well captured by VaR, the relevant market risk management function must calculate and report a stress test result for discussion with Executive management as part of the market risk MI review process.

A wide range of market risk controls are also used at individual business and trading desk level, as set out in the MRPS and the Divisional Delegated Authorities for Market Risk. In addition, individual businesses are required to have appropriate operational controls including: Position capture. For each trading business, the relevant market risk function must ensure that position capture into the relevant risk systems is complete. Timeliness. Trading risk capture is a daily basis. All risk feeds must be submitted according to the agreed service standards, with sufficient time to allow review and challenge by the market risk functions such that validated risk reports are available on a timely basis. New Product. The relevant divisional risk function is responsible for developing methodology to manage new sources of market risk exposure, including for new products. These are then subject to independent validation before being accepted as updates to the Groups VaR and pricing models. Key data accuracy. It is essential that the market risk manager can rely upon the integrity of the data used to assess market risk exposures. The divisions are responsible for creating and maintaining a control framework that independently verifies trading data used for market risk calculations. The following list is not intended to be exhaustive, but includes the key controls that Group Market Risk requires to be in place for all active trading businesses: Independent two-way trade confirmation process. Independent front office to back office position reconciliation. Independent front office to back office P&L reconciliation. Independent price verification process. Complete segregation between front office and back office control functions. Ownership of systems. The ownership of the consolidated market risk system UniVaR sits with Global Banking & Markets for IT development and maintenance. Group Market Risk sign off must be obtained for all material changes to the system before they are introduced to the Live reporting environment.

7.3.5 Structural Interest Rate Exposures Group Market Risk are responsible for providing independent market risk oversight of the central books in the Structural Interest Rate Exposures (SIRE) programme managed by Group Treasury. This involves the following specific controls: Periodic review of the processes used by Group Treasury to generate net cashflow exposure ladders for SIRE. Calculation /

7-7

Calculation of the SIRE VaR for the central books on a regular (at least monthly) basis is undertaken by Group Treasury using the Groups market risk system UniVaR. Agreement and maintenance of the SIRE limits for the central books set out in the Delegated Authority for Market Risk to Group Treasury. Monitoring the SIRE utilisations against these limits as set out in the Delegated Authority. Escalation of breaches of SIRE limits on the central books to the appropriate senior Group management in conjunction with Group Treasury. Operational Risk

7.4

Operational risks are inherent in the Group's business. Operational risk losses occur as the result of fraud, human error, missing or inadequately designed processes, failed systems, damage to physical assets, improper behaviour or from external events. 7.4.1 Framework

To ensure appropriate responsibility is allocated for the management, reporting and escalation of operational risk, the Group operates a Three Lines of Defence model which outlines principles for the roles, responsibilities and accountabilities for operational risk management:

The first line of defence is the business line management. This is where the primary responsibility resides for the identification, management and mitigation of the risks associated with the products and processes of the business. This accountability includes regular testing and certification of the adequacy and effectiveness of controls and compliance with Group Policies including the Group's Operational Risk Policy and Principles (ORPP). The second line of defence is the Operational Risk community. Group Operational Risk is responsible for the design and ownership of the ORPP. Implementation of the ORPP is facilitated and overseen by Divisional Operational Risk teams who provide expert support and advice as well as oversight and challenge to business line management. The third line of defence is audit. Group Internal Audit and External Audit are responsible for assessing compliance with the ORPP and for providing independent evaluation of the adequacy and effectiveness of the risk and control framework. Operational Risk Policy and Principles (ORPP)

7.4.2

The ORPP sets out the Groups policy that all businesses identify, assess, manage, monitor and report operational risk in a timely and effective manner. It is designed to protect the Group from financial loss, protect the Groups reputation, customers and employees and enable it to meet important legal and regulatory requirements. 7.4.3 /

7-8

7.4.3

ORPP Minimum Standards and Process Documentation

The ORPP is supported by policy standards and process documentation, which are mandatory across the Group and clearly set out the operational risk requirements for Divisions and Group Functions. This includes: The escalation of events that trigger certain pre-defined actual or potential customer, staff, financial or reputational damage criteria to the Groups senior management and Executive within a specified time frame (the Group Notifiable Event Policy - GNEP). The requirement for a comprehensive risk review of all new products or significant variations to existing products prior to launch (the Group New Product Approval Policy - GNPAP). The regular review and self-certification on the adequacy and effectiveness of the internal control framework across the Group (the Self Certification Policy - SCP).

The ORPP and Policy Standards are required to be implemented fully in each business taking into account the particular activities and risk exposure of the business. 7.4.4 Operational Risk Database The Group maintains an operational risk database to capture risks, issues and loss data across the Group to support the requirements of ORPP, Sarbanes Oxley 404 and Basel 2. The database is the primary tool for monitoring and reporting the operational risk profile of the Group, and its contents are subject to regular review and challenge by Operational Risk. 7.5 Regulatory Risk

Regulatory Risk is the risk of material loss, reputational damage or liability arising from a failure to comply with the requirements of the Groups lead regulator, the FSA, or of other regulators or of related codes of best practice that oversee regulated financial services businesses in any locations in which the Group operates. 7.5.1 Management of Regulatory Risk

The management of regulatory risk is achieved through: Reviews of potential changes in regulation to ensure the Group addresses the risks arising from such changes and implements them appropriately. Monitoring of compliance with existing rules and regulations and mitigating the consequences of any inadvertent non-compliance. Management of effective relationships with regulators to ensure open two-way communication.

Group Regulatory Risk and Compliance discharges its responsibilities by: Managing /

7-9

Managing relationships with the FSA (as the Groups lead regulatory authority) and other key regulators, covering both formal deliverables (such as reporting and notification requirements and close and continuous relationship management activities) and communicating RBS opinion and views on regulatory matters, ensuring that the perception of the Group is positive. Establishing and maintaining a Group-wide framework of high-level regulatory policies, approved by the GEMC which set performance measures for the Groups Regulatory Risk community to adhere to the standards set by the Groups businesses. Providing assurance as to the effectiveness of Divisional and Regional compliance infrastructures, processes and governance, including assessing adherence to Group Regulatory Risk policies Working with domestic and international regulators and trade associations to gain an appropriate understanding of planned changes and to contribute to regulatory policy formulation Managing the Groups framework for the identification, analysis, mitigation and reporting of regulatory developments, ensuring that the most material initiatives are brought to the attention of and managed by, members of GEMC. Reporting material regulatory issues and risks to the GRC, GEMC and Group Board on ad-hoc and routine bases as is necessary. Providing advice to the GRC, GEMC and Group Board in relation to regulatory matters.

8-1

8. 8.1

INTERNAL AUDIT Authority

Group Internal Audit is an independent assurance function established within the Group. Internal audit operates continuously in the Group and its subsidiaries in accordance with the statement of Internal Audit Policy approved by the Board of the Bank in September 1989 and as subsequently revised and detailed in section 8.8. 8.2 Purpose and Roles

Group Internal Audit supports the Group and Bank Boards and Executive in achieving their strategic and operational objectives and in discharging their corporate governance responsibilities. Group Internal Audit's role is to: assess how key business risks are being managed and controlled throughout the Group and report the results to the Group Executive and Group Audit Committee influence the continuous development of the risk management and control process through sharing best practices across the group. Audit Approach and role with respect to Risk Management

8.3

Group Internal Audits core role with respect to Risk Management is to provide objective assurance to the Audit Committee that the key business risks are being managed to an acceptable level and that the risk management and internal control framework is operating effectively. Group Internal Audit follows the principles laid out in the Institute of Internal Auditors position statement relating to the role of Internal Audit in Enterprise Risk Management. The position statement outlines key roles for internal audit, lists other appropriate activities and highlights activities that are deemed to be inappropriate. Group Internal Audit will fulfil the key roles, which include: Giving continuous assurance on the risk management processes and on the correct evaluation of the risks Evaluating risk management processes and the reporting of key risks Reviewing the management of the key risks.

In /

8-2

In line with the position statement on inappropriate activities, Group Internal Audit will not: set the risk appetite for the Group impose risk management processes represent managements assurance on risks implement risk responses on managements behalf take accountability for risk management

Group Internal Audits resources will be directed towards the areas of greater risk within the Group as assessed on a continuous basis. All new systems, processes and products, together with all proposed acquisitions, will be included in this assessment process. Group Internal Audit will provide professional direction and guidance so that all internal audit activities operate to minimum acceptable standards; and undertake sufficient review to ensure those standards are met and reliance can be placed upon the work carried out. Group Internal Audit will strive to use the most effective auditing techniques when carrying out their activities. To facilitate this, Group Internal Audit will keep abreast of practices and techniques being used in the areas of internal auditing and risk management. Furthermore Group Internal Audit will continue to be assessed independently on a three year cycle as recommended by the Smith report. 8.4 Reporting
RBS Group Board Audit Committee Group Chief Executive Group Finance Director

Head of Group Internal Audit

In order to assure the independence of Internal Audit, the prime upward reporting line for Group Internal Audit is to the Group Audit Committee. The Head of Group Internal Audit has the right to inform the Group Audit Committee and the Group Board of any matters where, in his opinion, he considers it necessary to do so and will present reports to this Committee on a quarterly basis. This /

8-3

This reporting line enhances the independence of Internal Audit for the reporting of major issues; for example where inadequate action has been taken following a report to the Group and Bank Executive by the business. Group Internal Audit reports to the Group Chief Executive on the adequacy and effectiveness of internal control on a quarterly basis and where there have been any significant breakdowns in internal control. The Head of Group Internal Audit has a direct reporting line to the Group Chief Executive with regard to all matters relating to its roles as set out in this document. An executive reporting line is established to the Group Finance Director for day to day administration and budgeting purposes. 8.5 Scope

All activities undertaken within and on behalf of the Group fall within the remit of Group Internal Audit. 8.6 Rights and Authorities

Group Internal Audit shall, for the purposes of performing its duties, have the right of access to all: a) Group and Bank Executive Directors and the Group and Bank Boards; b) Audit Committees in the Group, to attend, and to receive agendas and minutes of all meetings of these Committees; c) operations of the Group and its subsidiaries; and d) information, people and properties relating to the operations of the Group. In addition, the Head of Group Internal Audit will have: e) the right to be informed, on a timely basis, of any major potential or actual control failure relevant to the Group and includes any identified by the external auditors or other external parties; and f) right of attendance at any committees where the Head of Group Internal Audit considers this is appropriate or necessary. g) The right to be informed, on a timely basis, of any major acquisition / reorganisation that may have a material impact on the risk management and control environment of the Group. 8.7 General

Group Internal Audit monitors developments affecting the bank both externally in the form of ongoing regulatory change, such as Sarbanes Oxley Section 404, and internally in the form of the development of new functions. As these developments occur, GIA will review the approach taken by management to establish new processes and will provide assurance as to their effectiveness. As /

8-4

As processes become embedded, GIA will seek to place reliance on work performed by other assurance providers in the Group and may reduce audit effort, for example, in areas where the banks self-certification process is assessed to be robust. Group Internal Audit will work with other assurance providers within the Group (e.g. RBS Risk Management) and the Group's external auditors to share information on their respective roles, to minimise any duplicate effort and ensure adequate coverage of all significant risks. The Head of Group Internal Audit will liaise as appropriate with the Financial Services Authority and other Regulators of the Group on matters concerning risk management and control, and all other matters relating to internal audit. The independence and objectivity of Group Internal Audit will be deemed to be impaired if the function is required to carry out any executive or operational duties. 8.8 Internal Audit Policy

An Internal Audit service will be provided to cover all activities undertaken within, and on behalf of, The Royal Bank of Scotland Group and its subsidiary companies ("the Group") and will operate at the highest professional standards. Internal Audit is an independent appraisal of the adequacy, effectiveness, and sustainability of the internal control process operating in an organisation. The internal control process comprises all aspects of control including managerial, operational and financial. It embraces not only the internal control objectives of the Group, but also the requirements of relevant legislation and of external regulators. Internal Audit is not itself part of the internal control system, nor is it responsible for internal control or for compliance, which remains the responsibility of management. Maintenance of this principle is key for Group Internal Audit to follow the principles outlined by the Institute of Internal Auditors in their position statement on The Role of Internal Audit in Enterprise-wide Risk Management. Internal Audits work will normally include, but is not restricted to reviewing the risk management and internal control processes developed and maintained by management to ensure: the achievement of agreed strategic and operational goals and objectives; compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on operations, and determining whether the Group is in compliance; safe custody of assets and, where appropriate, verifying the existence of assets; and effective and efficient use of resources.

Group /

8-5

Group Internal Audit will establish a programme of audit coverage to detect fundamental control weaknesses which expose the group to fraud. It is not the role of Group Internal Audit to detect individual instances of fraud occurring in a division. Group Internal Audit will be the independent internal audit function established within the Group. Independence is established by organisational status through its reporting lines and by members of Group Internal Audit carrying out their duties freely and objectively. Independence and objectivity will be deemed to be impaired if Group Internal Audit staff are required to carry out any executive or operational duties. In order to assure the independence of Internal Audit, the prime upward reporting line will be to an Audit Committee, whether at subsidiary business or Group level, made up of Non-executive Directors. An executive reporting line is required for day to day and administrative purposes; in view of the wide-ranging remit for internal audit, such executive reporting line will be to the Chief Executive Officer of a subsidiary business or at Group level as appropriate. It is incumbent upon Group Internal Audit to bring to the attention of the Group Chief Executive any significant breakdowns in internal control where, in the opinion of the Head of Group Internal Audit, corrective action needs to be taken. In such circumstances, the relevant business Chief Executive will have been similarly advised. In addition, the Head of Group Internal Audit has the right to inform the Group Audit Committee and the Group Board of any matters where in his opinion he considers it necessary to do so and will present reports to this Committee on a quarterly basis. Access will be made available throughout the Group for internal auditors, and this includes access to all departments, subsidiaries, information, assets and properties, and to Directors and staff. Such access will also be granted in respect of pension funds, where these are administered by subsidiaries, and to joint venture investments and other non-subsidiary situations where operational management rests with the Group or one of its subsidiaries. Authority for access will be vested in the Head of Group Internal Audit who will be responsible for ensuring that such authority is exercised in a responsible manner. Members of Group Internal Audit are required to be objective and constructive in discharging their responsibilities. In addition, they will comply with the Group Code of Conduct and be aware of the professional internal audit standards and code of ethics as issued by the Institute of Internal Auditors particularly in relation to: integrity; honesty; objectivity; and professional care

Group /

8-6

Group Internal Audit will liaise with the Groups external auditors to minimise any duplication of effort and to ensure that there is adequate audit coverage given to all significant risk activities. Whilst it is recognised that it is managements responsibility to ensure the external auditors are adequately briefed and advised of developments which may impact on their opinion, Group Internal Audit will work closely with the external auditors to facilitate effective communication. The Head of Group Internal Audit will be expected to participate in meetings with the Financial Services Authority and other Regulators of the Group on matters concerning risk management and control, and all other matters relating to internal audit. Adequate resources will be made available to enable internal audit work to be completed to a high standard, and, in particular, account will be taken of the need to provide appropriate expertise to cover specialist business areas. Internal Audit resources will be directed towards the areas of greater risk within the Group as assessed on a continuous basis. All new systems, processes and products, together with all proposed acquisitions, will be included in this assessment process. Group Internal Audit will strive to use the most effective auditing techniques when carrying out their activities. To facilitate this, Group Internal Audit will keep abreast of practices and techniques being used in the areas of internal auditing and risk management. Audit findings should, except in very exceptional circumstances, be fully discussed with operational management prior to the issue of a formal report. Such reports should identify weaknesses, comment on the implications, and make recommendations as appropriate, but it will remain the responsibility of management as to the implementation of such recommendations. Group Internal Audit should nevertheless monitor action taken as a result of reports issued, and will have access to senior management, to Directors and to the Audit Committee where necessary to discuss the possible consequences of failing to implement audit recommendations. It is Group policy that the total cost of any internal audit service provided to a subsidiary is borne by the subsidiary business concerned. 8.9 Organisation of Internal Audit in the Group

The Head of Group Internal Audit has overall responsibility to the Group Board and the Group Audit Committee for the provision of Internal Audit services throughout the Group. All activities undertaken within, and on behalf of, the Group fall within the scope of Group Internal Audits remit. This includes all Group functions, divisions, and subsidiaries. Group Internal Audit's responsibilities also extend to the relevant Subsidiary and Divisional Audit Committees.

9-1

9 9.1

Process for Monitoring and Reporting on Internal Control Introduction

The FSAs Listing Rules requires the Board of companies listed on the London Stock Exchange to comply with the requirements of the Combined Code, and specifically: Review how the company has applied the Combined Code Principle on internal control. Implement the requirements of Code Principles on internal control. Report on these matters to shareholders in the annual report and accounts.

The requirements of the Combined Code Provision C.2 are discharged through the following activities: The business is accountable to the Board for monitoring the system of internal control on a continuous basis. The business completes a quarterly certification system which specifically considers the adequacy and effectiveness of the system of internal control. The Board regularly receives and reviews reports on the adequacy and effectiveness of internal control. The Groups Internal Control Reporting Process

9.2

The Executive Management Committees ("EMCs")/Divisional Boards of each of the Group's principal businesses and key corporate functions receive, for review and challenge, regular reports from their constituent businesses setting out their most significant risks and how these are controlled. In addition, the Group Board, GEMC and GRC receive monthly risk management reporting. The Audit Committee also receives regular reports from RBS Risk Management and Group Internal Audit. The reporting includes information on audit findings, fraud, and risk management. The internal control reporting process is supported by the quarterly Self-Certification Policy (SCP). Management regularly monitor and report on the internal control framework and regularly review and confirm the robustness (i.e. adequacy and effectiveness) of the internal control framework for which they are responsible. The SCP requires all business areas to certify that: Controls established to manage and mitigate key risks are adequate and are operating effectively. The business is compliant with the requirements of Group-wide Policies.

Certification is a quarterly requirement.

9.3 /

9-2

9.3 9.3.1

Responsibilities The Group Board

The Group Board of Directors is responsible for the Group's framework of internal control. It seeks regular assurance, both from management and its internal audit function, to satisfy itself that the system is functioning effectively. The Group Board is also responsible for reviewing the effectiveness of internal controls. The Group Board forms its own view on effectiveness after due and careful enquiry based on the information and assurances provided to it. In particular, the Group Board receives and reviews the Risk Management Monthly Report setting out the most significant risks across the Group and how they are controlled. 9.3.2 Group Executive Management Committee

The GEMC receive the Risk Management Monthly Report for review, and the Annual Risk and Control Report for noting prior to its submission to the Group Audit Committee and Group Board. 9.3.3 Group Audit Committee

The Group Audit Committee reviews the draft disclosure statement on internal control for the Groups Annual Report and Accounts, taking account of: The Group Risk and Control Report setting out the most significant risks and how they are controlled. Group Internal Audits quarterly reports on internal control across the Group. Other reports received throughout the year from the control functions (Group Internal Audit and RBS Risk Management). Group Finance

9.3.4

Group Finance drafts the internal control disclosure statement for the Group's Annual Report and Accounts. As a minimum, this states that there is an ongoing process for identifying, evaluating and managing the significant risks faced by the Group, that is regularly reviewed by the Group Board and accords with the guidance in the Combined Code. In addition, it summarises the process the Group Board has used to review the effectiveness of internal controls and discloses the action initiated to deal with any significant or material issues highlighted in the Groups Annual Report and Accounts. 9.3.5 Sarbanes-Oxley (SOX) 404

Section 404 of Sarbanes-Oxley (SOX) requires all US listed organisations to report on the effectiveness of internal control over financial reporting. An annual exercise is undertaken to ensure that all material financial balances are covered, as well as other balances considered by management to be higher risk. Each /

9-3

Each division or function that owns SOX 404 controls is responsible for testing the adequacy and effectiveness of the controls and reporting the results to the SOX 404 Central Team in Group Chief Accountants. The Group Chief Accountant reports on SOX 404 progress and compliance to GEMC and Group Audit Committee during the year. In addition, he provides the Management Assessment Report, which is the basis for managements formal assessment of internal control over financial reporting, to GEMC and the Group Board in February each year for approval prior to inclusion in the Annual Report on Form 20-F. 9.3.6 Group Internal Audit

Group Internal Audit provides to the GEMC, Group Audit Committee and the Group Secretary and General Counsel, assurance on the adequacy of the internal control reporting process throughout the Group through its quarterly opinions on the Groups system of internal control. 9.3.7 RBS Risk Management

The Group has an independent risk management function, responsible for managing risks on a Group wide and Divisional basis, with each Divisional Chief Risk Officer having a reporting line to the Group Chief Risk Officer as well as the Divisional Chief Executive Officer. Risk management within the Group is governed by a series of policies, procedures and activities that are designed to monitor the Groups risk profile against a set of risk indicators, limits and controls approved by the Group Board. The Groups Chief Risk Officer reports on a regular basis to the Board on: Performance against approved risk Key Performance Indicators and limits. Changes made, or threats to, to the Groups risk profile. The performance of the Groups system of internal control.

In addition, the Group Chief Risk Officer is a member of the Group Chief Executives Advisory Group and the GEMC, where he will advise of any emerging material issues impacting the Groups risk profile. 9.3.8 Divisional Chief Executives

The Divisional Chief Executives/ Executive Heads of Group Functions sign a Quarterly Certificate (supported by sign-off by appropriate levels of Executive and Senior Management the Designated Signatories) confirming the adequacy and effectiveness of internal controls against the requirements of the: Controls over the key business processes. Group-wide Policies. Internal Control over Financial Reporting (Sarbanes Oxley Section 404). Combined Code Provision D.2.

These /

9-4

These Certificates are submitted to Group Operational Risk who then prepare a summary memo for the Group Chief Executive detailing any specific material areas of concern and the remedial actions. 9.4 Group Finance Director

The Group Finance Director is the Group Executive with responsibility for the reporting process and submitting consolidated reports to the Group Board and Group Audit Committee.

10-1

10. 10.1

Group Policy Framework Overview

Group Policies recognise the major areas of risk to the Group and the Standards that must be met to enable those risks to be managed in line with our risk appetite. All Group Policies are approved by either the Groups Board or the GEMC. Individual Group Policies are owned by the Executive Group officer responsible for management of the risk(s) to which the policy relates. This will be the case unless the Board of Directors or the GEMC assign policy ownership elsewhere. The Group Policy Framework is administered by RBS Risk Management and operates on a hierarchical basis as follows:

HOW WE DO BUSINESS WITHIN THE RBS GROUP GROUP POLICIES GROUP POLICY STANDARDS

APPENDICIES TO GROUP POLICIES (Divisional, Regional, Country Interpretation) PROCESSES AND PROCEDURES

TRAINING AND AWARENESS

Full implementation of the Group Policy Framework will take place during 2008. 10.2 Definitions

10.2.1 How we do Business within the RBS group Statements which set out how we do business within the RBS group. All Group policies must be aligned to these statements. 10.2.2 Group Policies A governing document expressing the Groups formal commitment to the:

Accomplishment of defined risk management objectives. Adoption of appropriate governance and operational processes to ensure that all Group Divisions and our people conduct their activities in a manner consistent with the accomplishment of those objectives.

10.2.3 /

10-2

10.2.3 Group Policy Standards Mandatory more detailed specific control statements that link to the Policy. Includes high level processes and procedures which set out the requirements which must be achieved to attain compliance with Policy. 10.2.4 Appendices to Group Policies By exception, Divisional, regional and country interpretation of higher level Policy and Standards to support implementation. 10.2.5 Processes and Procedures Operational level processes and procedures which embody the higher level requirements in the hierarchy. 10.2.6 Training and Awareness Training and Awareness must create transparency for our people ensuring that they are aware of the minimum policy requirements, standards and processes that are required for their role. 10.3 Objectives

The Group Policy Framework provides a standard structure to:

Ensure all our people have centralised access to current Group Policies and Procedures. Improve awareness amongst our people of Group Policies and their responsibilities in respect of these Policies. Highlight new or amended Group Policies. Specify the standards with which Group Policies must comply. Group Policies Standard

10.4

The Group Policies Standard document sets the governance framework for all Group Policies. Only Policies which have been formulated, approved and implemented in accordance with the Group Policies Standard document are Group Policies. In addition the Group Policies Standard document contains details of the common roles, responsibilities and key terms for all Group Policies. The Standards for all Group Policies are also contained in the Group Policies Standard document.

10.5 /

10-3

10.5

Exceptions to Group Policy

The Group Policies Standard document permits the approval of Exceptions to Group Policy where there is an identified non-compliance with a Group Policy or associated Standard and there is no action plan in place to rectify the non-compliance within 12 months. An identified non-compliance with a Group Policy or associated Standard where an action plan is in place to rectify the non-compliance within 12 months is not considered an Exception to Group Policy although this must be approved and recorded in the appropriate manner. This is also the case where a Group Policy or associated Standard is not relevant for a business. 10.6 Assurance

Each individual Group Policy is supported by a documented Standard for evaluating the Policys adequacy and the effectiveness of its implementation. The framework for Group Policies and its integration into the wider control environment are currently under review by RBS Risk Management.