WEBNF Westpac Banking Corp Ltd (PK)

ASX Release 4 November 2024 2024 Risk Factors Westpac Banking Corporation (“Westpac”) today provides the attached 2024 Risk Factors. For further information: Hayden Cooper Justin McCarthy Group Head of Media Relations General Manager, Investor Relations 0402 393 619 0422 800 321 This document has been authorised for release by Tim Hartin, Company Secretary. Level 18, 275 Kent Street Sydney, NSW, 2000

RISK FACTORS WESTPAC BANKING CORPORATION ABN 33 007 457 141 NOVEMBER 2024

2 WESTPAC GROUP 2024 RISK FACTORS DISCLAIMER The material contained in this document is intended to provide further information on the current and future risks faced by Westpac Banking Corporation (Westpac), including potential consequences if those risks materialise. The information is not intended to be exhaustive, and is not necessarily complete in respect of each risk described. It is not intended that it be relied upon as advice to investors or potential investors, who should consider seeking independent professional advice depending upon their specific investment objectives, financial situation or particular needs. This document should be read in conjunction with our 2024 reporting suite, including our 2024 Annual Report, including the section titled Risk Management and any public announcements made by Westpac in accordance with the continuous disclosure requirements of the Corporations Act 2001 and ASX Listing Rules. This document contains statements that constitute “forward-looking statements” within the meaning of Section 21E of the US Securities Exchange Act of 1934. Forward looking statements are statements that are not historical facts. Forward-looking statements appear in a number of places in this document and include statements with the potential impact of the risks described on our business and operations, macro and micro economic and market conditions, results of operations and financial condition, capital adequacy and liquidity and risk management. We use words such as ‘will’, ‘may’, ‘expect’, ‘intend’, ‘seek’, ‘would’, ‘should’, ‘could’, ‘continue’, ‘plan’, ‘estimate’, ‘anticipate’, ‘believe’, ‘probability’, ‘risk’, ‘aim’, ‘outlook’, ‘assumption’, ‘target’, ‘goal’, ‘guidance’, 'objective', ‘ambition’, or other similar words to identify forward-looking statements. These forward-looking statements reflect our current views on future events and are subject to change (including as a result of maturing methodologies), certain known and unknown risks, uncertainties and assumptions and other factors which are, in many instances, beyond our control (and the control of our officers, employees, agents and advisors), and have been made based on management’s expectations or beliefs concerning future developments and their potential effect upon Westpac. There can be no assurance that future developments or performance will align with our expectations or that the effects on us of the risks described will be those anticipated. Actual results could differ materially from those we expect or which are expressed or implied in forward-looking statements, depending on various factors including the risks outlined in this document and the Risk Management section in our 2024 Annual Report and our 2024 reporting suite. When relying on forward-looking statements to make decisions with respect to Westpac, investors and others relying on information in this document should carefully consider such factors and other uncertainties and events. This document is dated 4 November 2024 and, except as required by law, we assume no obligation to revise or update any forward-looking statements contained in this document, whether from new information, future events, conditions or otherwise, after the date of this document. All defined terms in this document take their meaning from our 2024 Annual Report, unless otherwise specified.

RISK FACTORS 3 RISK FACTORS Our business is subject to risks that can adversely impact our financial performance, financial condition and future performance. Our 2024 Annual Report sets out the 11 major risk categories that impact our business, our approach to managing risks, as well as key focus areas. The 2024 Risk Factors provides our investors (and potential investors) with further information in relation to the current and future risks we face, as well as potential consequences if those risks materialise. The content of the 2024 Risk Factors is current as of the date of publication, and it is important to note that subsequent developments may impact its relevance. Risks and risk management strategies are inherently dynamic, evolving alongside changes in the external environment, market conditions and organisational priorities. The risks and uncertainties described below can emerge together or quickly in succession in a fashion that is uncorrelated with the order in which they are presented below, and they are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently deem to be immaterial, may also become important factors that affect us. If any of the following risks materialise, our business, prospects, reputation, financial performance or financial condition could be materially adversely affected, which may subsequently cause the price of our securities or the level of dividends to decline and, as a security holder, you could lose all, or part, of your investment. You should carefully consider the risks described (individually and in combination) and the other information in the 2024 Risk Factors and in our 2024 Annual Report and subsequent disclosures before investing in, or continuing to own, our securities. Risks relating to our business We have experienced, and could in the future experience, information security risks, including cyberattacks - Cyber risk - Cyber attacks - Operational risk - Information security risks - Data breaches - Third party risk Our operations depend on the secure processing, storage and transmission of information on our systems and those of external suppliers. Despite our measures to protect the confidentiality, availability and integrity of our information, our information assets may face security breaches, unauthorised access, malware, social engineering, denial of service attacks, ransomware, destructive attacks, employee misconduct, human error or other external and internal threats. These could adversely impact our and others’ confidential information and system availability. Information security risks are heightened by factors such as new technologies, increased digitisation, larger volumes of sensitive data, sophisticated cyber crime, supply chain disruptions, remote and hybrid working, targeting of critical infrastructure providers, geopolitical tensions, terrorism, state sponsored attacks, and the use of AI in cyberattacks (which can increase the speed, complexity and effectiveness of cyberattacks), each of which could compromise our information assets and interrupt our usual operations and those of our customers, suppliers and counterparties. Adverse events like data breaches, cyberattacks, espionage and errors (including human-related), are increasing in frequency and impact. These can cause a range of impacts including financial instability, reputational damage, disruption to services, contagion risk, in addition to economic and non-economic losses to us, our customers, shareholders, suppliers, counterparties and others. Our systems and processes designed to protect against and respond to these threats have not always been, and may not always be, effective and human error can occur. Westpac, its customers and other stakeholders could suffer losses from cyberattacks, information security breaches or ineffective cyber resilience. Consequences could be severe if customer data is being held in breach of legal or regulatory obligations and that data is compromised as part of an information security incident. We may not always be able to anticipate and prevent or effectively respond to such incidents , or effectively respond to and/or rectify the resulting damage. Our suppliers, counterparties, and other parties involved in or who facilitate our activities, financial platforms and infrastructure as well as our customers’ suppliers and counterparties are also at risk, which could impact us. As cyberattacks increase globally, there is a higher likelihood of regulatory enforcement and legal action for information security failures from customers or shareholders. This could include class action litigation for issues such as information security risk management failures, misleading statements about our information security practices or for deficiencies in our response to cyberattacks and information security threats (including any delayed, deficient or misleading notifications). Consequences of successful attacks could include damage to technology infrastructure, government intervention, service disruptions, loss of customers and market share, data loss, cyber extortion, customer remediation and/or compensation, breaches of the law, vulnerability to fraud or scams, litigation, fines, and increased regulatory scrutiny or other enforcement action. These potential consequences could negatively affect our business, prospects, reputation, financial performance or financial condition. As cyber threats evolve, we may need to allocate significant resources and incur additional costs to enhance our systems, address vulnerabilities or incidents and respond to regulatory changes.

4 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS We could be adversely affected by legal or regulatory change - Compliance and conduct risk - Regulators' expectations - Legal and regulatory change - Fines, penalties, other costs and capital overlays We operate in a highly regulated industry with an environment of sustained legal and regulatory change and ongoing scrutiny of financial services providers. Our business, prospects, reputation, financial performance and financial condition have been, and could in the future be, adversely affected by domestic and international changes to law, regulation, policies, supervisory activities, regulator expectations, and the requirements of industry codes of practice, such as the Banking Code of Practice. Such changes may affect how we operate and have altered, and may in the future alter, the way we provide our products and services, in some cases requiring us to change or discontinue our offerings. This includes possible future changes in laws, regulations, policy or regulatory expectations arising from industry-wide reviews and inquiries. The effects of such changes and reviews in the past have included, and could continue to include, limiting our flexibility, requiring us to incur substantial costs (such as costs of systems changes, the levies associated with the Compensation Scheme of Last Resort, or if our liability for scams or operational costs relating to scam management or other industry wide issues are increased as a result of legal or regulatory change), absorbing specialist resources, impacting the profitability of our businesses, requiring us to retain additional capital, impacting our ability to pursue strategic initiatives or implement other changes, resulting in us being unable to increase or maintain market share and/or creating pressure on margins and fees. A failure to manage legal or regulatory changes effectively and in the timeframes required has resulted, and could in the future result, in the Group not meeting its compliance obligations. It could also result in enforcement action, penalties, fines, civil litigation, capital impacts and ultimately loss of business licences. Managing large volumes of regulatory change contributes to execution risk. Updates to our technology, systems and processes to keep pace with legal and regulatory change may not always be successful, and such changes can increase the risk of flaws, human error or unintended consequences. This is exacerbated by frequent requirements for change. Significant management attention, costs and resources may be required to update existing, or implement new, processes to comply with such changes. The availability of skilled personnel required to implement changes may be limited. There is additional information on certain aspects of regulatory changes affecting the Group in the Significant developments section and in the sections ‘Critical accounting assumptions and estimates’ and ‘Future developments in accounting standards’ in Note 1 to the financial statements in the 2024 Annual Report. We have been and could be adversely affected by failing to comply with laws, regulations or regulatory policy - Compliance and conduct Risk - Regulators' expectations - Legal and regulatory - Industry codes - Fines, penalties and capital overlays We are responsible for ensuring that we comply with all applicable legal and regulatory requirements and industry codes of practice in the jurisdictions in which we operate or obtain funding. We are subject to compliance and conduct risks. These risks are exacerbated by the complexity and volume of regulation, and the level of ongoing regulatory change, including where we interpret our obligations and rights differently to regulators or a Court, tribunal or other body, or where applicable laws (in different jurisdictions or between regimes in Australia) conflict. The potential for this is heightened when regulation is new, untested or is not accompanied by extensive regulatory guidance, or where industry consultation is limited. Our compliance and conduct management system (which is designed to support our commitment to satisfying regulatory requirements and the effective management of compliance and conduct risk for the benefit of customers, other stakeholders and financial markets) has not always been, and may not always be, effective. Breakdowns have occurred, and may in the future occur, including due to a failure to exercise good judgement in the decisions we make, flaws in the design or implementation of controls or processes, or when new measures are implemented. These factors can result in a failure by the Group to meet its compliance obligations (including obligations to report or provide information to regulators). As reviews and change programs are progressed, compliance issues have been, and will likely continue to be, identified. Conduct risk has occurred, and could continue to occur, through the provision of products and services to customers (including vulnerable customers and customers in hardship) that do not meet their needs or do not meet the expectations of the market. It has occurred, and could continue to occur, through the deliberate, reckless, negligent, accidental or unintentional conduct of our employees, contractors, agents, authorised representatives, credit representatives and/or external services providers that results in the circumvention or inadequate implementation of our controls, processes, policies or procedures. This could occur through a failure to meet professional obligations to specific clients (including fiduciary, suitability, responsible lending and hardship requirements), weakness in

RISK FACTORS 5 risk culture, corporate governance or organisational culture, poor product design and implementation, failure to adequately consider customer needs or selling products and services outside of customer target markets, or human error. These risks are heightened where there has been, or is in the future, inadequate supervision and oversight of our distribution channels. A failure by our people to comply with the behaviours we expect, our policies and procedures, or the law, could also negatively impact other employees, which could lead to outcomes including litigation and reputational damage for Westpac. Where third parties have contributed to conduct risk (for example, where customers misrepresent their position on product applications and we have failed to identify it), Westpac and its related entities may have limited recourse against these third parties, and regulatory outcomes may not be mitigated by third party culpability. These factors have resulted, and could continue to result, in poor customer outcomes (including for vulnerable customers and customers in hardship), a failure by the Group to meet its compliance obligations (or to promptly detect, report and/or remedy non-compliance) and other outcomes including impacts which may compromise the integrity of the markets in which we operate or data we report, reputational damage, increased regulatory surveillance or investigation and employment disputes in relation to consequence management. We are currently subject to a number of investigations, reviews and industry inquiries by, and have and continue to respond to a number of requests from, domestic and international regulators including APRA, ASIC, the ATO, the ACCC, AUSTRAC, BCCC, FINRA, AFCA, RBNZ and the Fair Work Ombudsman, BaFin and BPNG’s Financial Analysis and Supervision Unit, involving significant resources and costs (which may divert specialist resources from other programs of work). Regulatory reviews and investigations have in the past, and may in the future, result in a regulator taking administrative or enforcement action against the Group and/or its representatives. Regulators have broad powers, and in certain circumstances, can issue directions to us (including in relation to product design and distribution and remedial action). Regulators could also pursue civil or criminal proceedings, seek substantial fines, civil penalties, compliance regimes or other enforcement outcomes. Penalties can be (and have been) more significant where it has taken some time to identify contraventions, or to investigate, correct or remediate contraventions, where there are patterns of similar conduct, or where there has been awareness of contraventions. These risks are heightened where we fail to meet our obligations (or the expectations of regulators) in areas of particular regulatory focus. For example, in relation to vulnerable customers, customers in hardship and indigenous customers or where regulators consider issues to be material or indicate systemic issues. In addition, regulatory investigations may lead to adverse findings against directors and management, including potential disqualification. The allocation of resources to regulatory reviews and investigations can also impede other activities, including change, simplification and remediation activities. APRA can also require the Group to hold additional capital either through a capital overlay or higher risk weighted assets (including in response to a failure to comply with prudential standards and/or expectations including in relation to, for example, stress testing and liquidity management). Following the commencement of civil penalty proceedings, APRA imposed a A$500 million Culture, Governance and Accountability Review overlay and a further A$500 million Risk Governance overlay to our required operational risk capital in 2019. On 19 July 2024, APRA announced the reduction of the Group’s total operational risk capital overlay from A$1 billion to A$500m. This increased the Common Equity Tier 1 (CET1) capital ratio by approximately 18 basis points, reflecting a reduction in risk weighted assets of $6,250 million. This change was applied with immediate effect. If the Group incurs additional capital overlays, we may need to raise additional capital, which could have an adverse impact on our financial performance. The political and regulatory environment that we operate in has seen (and may continue to see) the expansion of powers of regulators along with materially increased civil penalties and fines for corporate and financial sector misconduct or non-compliance and an increase in criminal prosecutions against institutions and/or their employees and representatives (including where there is no fault element). This could also result in reputational damage and impact the willingness of customers, investors and other stakeholders to deal with Westpac. Given the size of Westpac and scale of its activities, a failure by Westpac may result in multiple contraventions, which could lead to significant financial and other penalties. The introduction of the Financial Accountability Regime may heighten these risks as it imposes a strengthened responsibility and accountability framework. Regulatory investigations or actions commenced against the Group have exposed, and may in the future expose, the Group to an increased risk of litigation brought by third parties (including through class action proceedings), which may require us to pay compensation to third parties and/or to undertake further remediation activities. In some cases, the amounts claimed and/or to be paid may be substantial. Market developments suggest the scope and nature of potential claims is expanding, including in relation to cyber incidents, financial crime and environmental, social and governance issues. We have incurred significant remediation costs on a number of occasions (including compensation payments and costs of correcting issues) and new issues may arise requiring remediation. We have faced, and may continue to face, challenges in effectively and reliably scoping, quantifying and implementing remediation activities, including determining how to compensate impacted parties properly, fairly and in a timely way. Remediation activities may be affected or delayed by a number of factors including the number of customers (or other parties) affected, the commencement of investigations or litigation (including regulatory or class action proceedings), requirements of regulators (including as to the method or timeframe for remediation) or difficulties in locating or contacting affected parties and any reluctance of affected parties to respond to contact. Investigation of the underlying issue may be impeded due to the passage of time, technical system constraints, or inadequacy of records. Remediation programs may not prevent regulatory action or investigations, litigation or other proceedings from being pursued, or sanctions being imposed.

6 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS Regulatory investigations, inquiries, litigation, fines, penalties, infringement notices, revocation, suspension or variation of conditions of regulatory licences or other enforcement or administrative action or agreements (such as enforceable undertakings) have and could, either individually or in aggregate with other regulatory action, adversely affect our business, prospects, reputation, financial performance or financial condition and increases class action risk. There is additional information on certain regulatory and other matters that may affect the Group (including class actions) in the Significant developments section and in the sections ‘Critical accounting assumptions and estimates’ and ‘Future developments in accounting standards’ in Note 1 to the financial statements in the 2024 Annual Report. We have suffered, and in the future could suffer, losses and be adversely affected by the failure to implement effective risk management - Risk management - Controls and processes - Risk culture - Risk governance - Fines, penalties Our risk management framework has not always been, and may not in the future be, fully effective. The resources we have in place for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating material risks may not always be adequate. This may arise due to inadequacies in the design of the framework or key risk management policies, controls and processes, the design or operation of our remuneration structures and consequence management processes, technology failures, our corporate structure, incomplete implementation or embedment, or failure by our people (including contractors, agents, authorised representatives and credit representatives) to comply with or properly implement our policies and processes. The potential for these types of failings is heightened if we do not have appropriately skilled, trained and qualified people in key positions or we do not have sufficient capacity, including people, processes and technology, to appropriately manage risks. There are also inherent limitations with any risk management framework. Risks may exist, or emerge in the future, that we have not anticipated or identified. The risk management framework may also prove ineffective because of weaknesses in risk culture or risk governance practices and policies. For example, where there is a lack of awareness of our policies, controls and processes or where they are not adequately complied with, monitored, audited or enforced. This may result in poor decision-making or risk and control weaknesses not being identified, escalated or acted upon. We periodically review our risk management framework to determine if it remains appropriate. Our ongoing analysis and reviews, in addition to regulatory feedback, have highlighted that while there have been improvements, the risk management framework is still not operating satisfactorily in a number of respects and needs continued focus. As part of our risk management framework, we measure and monitor risks against our risk appetite. When a risk is out of appetite, we aim to take steps to bring this risk back into appetite. This may include improving the design of our risk management framework and supporting policies. However, we may not always be able to bring a risk back within appetite within proposed timeframes or implement effective improvements. This may occur because, for example, the required changes involve significant complexity, or because we experience delays in enhancing our information technology systems, or we do not have sufficient appropriately trained staff for required activities (including where staff are occupied by other regulatory change or remediation projects), or because of an operational failure. It is also possible that due to external factors beyond our control, certain risks may be inherently outside of appetite for periods of time. Westpac developed the Integrated Plan (IP) to address the root causes of our risk governance shortcomings which led to the Enforceable Undertaking (EU) with APRA in December 2020 in relation to our risk governance remediation and supporting the strengthening of our risk governance, accountability and culture. We completed the IP in December 2023, as committed. Promontory Australia (as Independent Reviewer) issued its final report on 30 April 2024 confirming that Westpac has successfully completed the IP. This report and previously issued reports are published on our website at https://www.westpac.com.au/about-westpac/media/core/. Westpac is continuing to focus on the sustainability and effectiveness of the uplift delivered by the Integrated Plan through a transition phase in 2024. If any of our governance or risk management processes and procedures prove ineffective or inadequate or are otherwise not appropriately implemented or we do not bring risks into appetite, we could be exposed to higher levels of risk than expected and sustained or increased regulatory scrutiny and action. While improvements in risk culture can drive early and increased self-identification and remediation of compliance concerns, this can also highlight concerns that may lead to further regulatory action. This may result in financial losses, imposition of capital requirements, breaches of compliance obligations, fines and reputational damage, and significant remediation which could adversely affect our business, prospects, financial performance or financial condition.

RISK FACTORS 7 We could suffer losses due to technology failures - Operational risk - Information and technology - Change management - Technology failure - Outages Maintaining the reliability, availability, integrity, confidentiality, security and resilience of our information and technology is crucial to our business. While the Group has a number of processes in place to preserve and monitor the availability, and facilitate the recovery, of our systems, there is a risk that our information and technology systems may be inadequate, fail to operate properly or result in outages, including from events wholly or partially beyond our control. If we experience a technology failure, we may fail to meet a compliance obligation (such as a requirement to retain records and/or data for a certain period, or to destroy records and/or data after a certain period, or other risk management, privacy, business continuity management or outsourcing obligations), or our employees and our customers may be adversely affected, including through the inability for them to access our products and services, privacy breaches, or the loss of personal data. This could result in reputational damage, remediation costs and a regulator commencing an investigation and/or taking action, or others commencing litigation, against us. Technology issues in the financial sector can also affect multiple institutions. This means we could impact, or be impacted by, other institutions. The use of legacy systems, as well as work underway to uplift our technological capabilities, may heighten the risk of a technology failure, change management issues and the risk of non-compliance with our regulatory obligations or poor customer outcomes. Projects aimed at simplifying/streamlining our systems (including our UNITE program) will require the allocation of significant resources (including specialist expertise) and incur costs. In addition, the risk of technology failure, regulatory non-compliance or poor customer outcomes may be heightened while those projects are being undertaken, or post-implementation where there are unanticipated outcomes or impacts. We are also exposed to the risk that such projects may not be completed on time or may require further resources or funding than anticipated. The success of such projects relies in part on having robust governance arrangements and appropriate oversight at board and senior executive level, and the risk of regulatory non-compliance, poor customer outcomes, delays, increased cost or demand on resources can be heightened where we fall short in these areas. Failure to regularly renew and enhance our technology to deliver new products and services, comply with regulatory obligations and ongoing regulatory changes, improve automation of our systems and controls, and meet our customers’ and regulators’ expectations, or to effectively implement new technology projects, could result in cost overruns, technology failures (including due to human error in implementation), reduced productivity, outages, operational failures or instability, compliance failures, reputational damage and/or the loss of market share. This could place us at a competitive disadvantage and also adversely affect our business, prospects, financial performance or financial condition. We could suffer losses due to geopolitical events - Geopolitical risks - Conflicts - Operational risk - Credit risk We, our customers and our suppliers operate businesses and hold assets in different geographic locations. Significant risks remain including from geopolitical instability, conflicts, trade tensions, tariffs, sanctions, social disruption, civil unrest, war, terrorist activity, acts of international hostility, and complicity with or reluctance to take action against certain types of crimes. Such events could affect domestic and international economic stability and impact consumer and investor confidence which in turn could disrupt industries, businesses, service providers and supply chains and ultimately adversely impact economic activity. This could lead to shortages of materials and labour, higher energy costs and commodity prices, volatility in markets and damage to property. This in turn could affect asset values and impact customers’ ability to repay amounts owing to us, and our ability to recover amounts owing. All of these impacts could adversely affect our business, prospects, financial performance or financial condition. The current global landscape is marked by significant conflict and heightened tensions, which have the potential to further intensify these impacts.

8 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS Climate change and other sustainability factors such as human rights and natural capital may have adverse effects on our business - Climate and nature risks - Physical and transition risks - Social and human rights risks - Credit risk - Operational risk - Reputational and sustainability risk - Compliance and conduct risks Climate and other sustainability-related risks have had and are likely to have adverse effects on us, our customers, external suppliers, and the communities in which we operate. Managing these risks is challenging given the significant uncertainties in modelling climate and other sustainability-related risks and opportunities and in assessing their impact. Climate related risks may manifest as physical risks, transition risks, and risks related to legal and regulatory action. Physical risks from climate change include risks to us directly, as well as to customers, suppliers and other stakeholders that may impact us due to disruption or changes to business activities, income, business models, asset values, insurability of assets (or the availability/affordability of insurance), and frequency or extent of damage to assets. These risks could arise from increases and variability in temperatures, changes in precipitation, rising sea levels, loss of natural capital (including biodiversity loss), and more severe and frequent climatic events, including fires, storms, floods and droughts. Such events could also increase human rights risk and/or increase customer vulnerability. Transition risks are risks that the transition to a lower carbon economy could impact Westpac. This could occur from climate change mitigation, obsolescence of certain businesses including from energy transition, changes in investor appetite, shifting customer preferences, technology developments and changes in regulatory expectations/policy. Transition risks could emerge through our lending to certain customers that experience reduced revenues or asset values or increased costs, which in turn impacts our credit risk. Westpac may also be directly impacted by transition risks, or be unable to reduce our exposure to impacted customers, suppliers and other third parties. Our ambition to become a net-zero, climate resilient bank, has led and will lead to changes in policies and processes which may present associated execution risk. Our ability to meet our commitments and targets is in part dependent on the orderly transition of the economy towards net-zero, which may be impacted by external factors including (but not limited to) government and other policies, investment, electricity grid capacity, and constraints in the development and supply of technology, infrastructure and the skilled labour required to deliver the necessary change. Our ability to transition, including to meet our targets and commitments, may also be impacted by challenges faced by customers in meeting their own transition plans and commitments. The high dependency of the economy on nature means natural capital loss is a risk to us, primarily through our exposure to customers that are materially dependent or impact on nature. Natural capital refers to the stock of renewable and non-renewable natural resources (e.g. plants, animals, air, water, soils, minerals) that combine to yield a flow of benefits to people. Natural capital loss can also contribute to, and be accelerated by, climate change. Increasing recognition and responses to this risk also create heightened regulatory and stakeholder expectations on Westpac. As with our climate ambitions, our ambition to become a nature positive bank will lead to changes to policies and processes which may present associated execution risk, and our ability to meet those ambitions will be impacted by external factors outside our control. Global strategies and standards for nature positivity are at an early stage, which increases regulatory risk and uncertainty. Our business may be exposed to social and human rights risks through our operations, our supply chain and in the provision of financial services. If we fail to adequately identify and manage these risks, we may cause, contribute to, or be directly linked to adverse social and human rights impacts. This includes a risk that we provide financial services to, or use services provided by, parties involved in human rights abuses or criminal activity, or that our platforms and products may be exploited for criminal purposes. While we seek to manage and assess social risks and act if we identify risks, we cannot be certain that our assessment will uncover these risks and/or enable us to act. This could be because of the increasing sophistication of perpetrators and/or our monitoring systems and analytics have not kept pace with change. Data relevant to our assessment and management of climate, and other sustainability-related risks continues to mature. In some cases, we require data from third parties to estimate our exposure and risks. If those data sources are not sufficiently available or reliable, there is a risk that our decision making, including target setting and reporting, could be affected and we may not be able to meet our targets and commitments. Associated risks increase where disclosure of data is required by mandatory reporting. Failure or perceived failure to adapt the Group’s strategy, governance, procedures, systems and/or controls to proactively manage or disclose climate and other sustainability-related risks and opportunities (including, for example, perceived misstatement of, or failure to adequately implement or meet, sustainability claims, commitments and/or targets) may give rise to business, reputational, legal and regulatory risks. This includes financial and credit risks that may impact our profitability and outlook, and the risk of regulatory action or litigation (including class actions) against us and/or our customers.

RISK FACTORS 9 We may also be subject, from time to time, to legal and business challenges due to actions instituted by activist or other groups. Examples of areas which have attracted activism and challenges include: the financing of businesses perceived to be at greater risk from climate-related physical and transition risks and/or perceived not to demonstrate responsible management of climate or other sustainability issues; and climate and sustainability related disclosures (including net-zero or emissions reduction strategies, targets and policies). Scrutiny from regulators, shareholders, activists and other stakeholders on climate-related risk management practices, lending policies, targets and commitments, and other sustainability products, claims and marketing practices will likely remain high. Applicable legal and regulatory regimes, policies, and reporting and other standards are also evolving. For example, in Australia, mandatory climate reporting has been introduced, and there is an increased compliance and enforcement focus by ASIC and ACCC on a range of issues related to sustainability, sustainable finance, and monitoring/investigation of related claims. This increases compliance, legal and regulatory risks, and costs. For further detail on the identification, assessment and management of these risks, please refer to our 2024 Climate Report, and the Creating Value for the Community, Creating Value for the Environment, Risk Management and Sustainability Governance sections of the 2024 Annual Report. The failure to comply with financial crime obligations has had, and could have further, adverse effects on our business and reputation - Financial crime risk - Bribery and corruption - Tax evasion - Money laundering and terrorism financing - Economic and trade sanctions The Group is subject to anti-money laundering and counter-terrorism financing (AML/CTF) laws, anti-bribery and corruption laws, economic and trade sanctions laws and tax transparency laws in the jurisdictions in which it operates (Financial Crime Laws). These laws can be complex and, in some circumstances, impose a diverse range of obligations. As a result, regulatory, operational and compliance risks are heightened. In some jurisdictions (e.g. the Pacific region) financial crime risks are elevated beyond the Group’s risk appetite requiring an appropriate action plan to reduce risk, and return to within appetite. Financial Crime Laws require us to report certain matters and transactions to regulators (such as international funds transfer instructions, threshold transaction reports, suspicious matter reports, FATCA and CRS reports) and ensure that we know who our customers are and that we have appropriate ongoing customer due diligence in place. The failure to comply with some of these laws has had, and in the future could have, adverse impacts for the Group. The Group operates within a landscape that is constantly changing, particularly with the emergence of new payment technologies, ongoing legislative reform impacting Financial Crime Laws, increased regulatory focus on digital assets, and increasing reliance on economic and trade sanctions to manage issues of international concern. These developments bring with them new financial crime risks for the Group (as well as other risks including scams and fraud, and criminal activity that utilises a variety of technology and platforms), which may require adjustments to the Group’s systems, policies, processes and controls. There has been, and continues to be, a focus on compliance with financial crime obligations, with regulators globally commencing investigations and taking enforcement action for identified non-compliance (often seeking significant penalties). Due to the Group’s scale of operations, an undetected failure or the ineffective implementation, monitoring or remediation of a system, policy, process or control (including a regulatory reporting obligation) has resulted, and could in the future result, in a significant number of breaches of AML/CTF or other Financial Crime Laws. This in turn could lead to significant financial penalties and other adverse impacts for the Group, such as reputational damage and litigation risk. While the Group has systems, policies, processes and controls in place designed to manage its financial crime obligations (including reporting obligations), these have not always been, and may not in the future always be, effective. This could be for a range of reasons including, for example, a deficiency in the design of a control or a technology failure or a change in financial crime risks or typologies. Our analysis and reviews, in addition to regulator feedback, have highlighted that our systems, policies, processes and controls are not always operating satisfactorily in a number of respects and require improvement. We continue to have an increased focus on financial crime risk management and, as such, further issues requiring attention have been identified and may continue to be identified. Although the Group provides updates to various regulators on its remediation and other program activities, there is no assurance that those or other regulators will agree that its remediation and program update activities will be adequate or effectively enhance the Group’s compliance programs. If we fail to comply with our financial crime obligations, we have faced, and could in the future face, significant regulatory enforcement action and other consequences (as discussed in the risk factor entitled ‘We have been and could be adversely affected by failing to comply with laws, regulations or regulatory policy’) and increased reputational risks (as discussed in the risk factor entitled ‘Reputational damage has harmed, and could in the future

10 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS harm, our business and prospects’). There is additional information on financial crime matters in the Significant developments section in the 2024 Annual Report. Reputational damage has harmed, and could in the future harm, our business and prospects - Reputational and sustainability risk - Negative customer outcomes Reputational risk arises where there are differences between stakeholders’ current and emerging perceptions, beliefs and expectations and our past, current and planned activities, processes, performance and behaviours. Potential sources of reputational damage include where our actions (or those of our contractors, agents, authorised representatives and credit representatives) cause, or are perceived to cause, a negative outcome for customers, shareholders, stakeholders or the community. Reputational damage could also arise from the failure to effectively manage risks, failure to comply with legal and regulatory requirements, enforcement or supervisory action by regulators, adverse findings from regulatory reviews, failure or perceived failure to adequately prevent or respond to community, environmental, social and ethical issues or expectations and cyber incidents, and inadequate record-keeping, which may prevent Westpac from demonstrating that, or determining if, a past decision was appropriate at the time it was made. We are also exposed to contagion risk from incidents in (or affecting) other financial institutions and/or the financial sector more broadly (for example, issues affecting the cash-in-transit industry and the potential for disruption to the availability of cash, as well as flow on consequences including runs on cash). There are potential reputational consequences (together with other potential commercial and operational consequences) of failing to appropriately identify, assess and manage environmental, social and governance related risks, or to respond effectively to evolving standards and stakeholder expectations. Our reputation could also be adversely affected by the actions of customers, suppliers, contractors, authorised representatives, credit representatives, joint-venture partners, strategic partners or other counterparties. Failure, or perceived failure, to address issues that could or do give rise to reputational risk, has created, and could in the future create, additional legal risk, subject us to regulatory investigations, regulatory enforcement actions, fines and penalties or litigation or other actions brought by third parties (including class actions), and the requirement to remediate and compensate customers, including prospective customers, investors and the market. It could also result in the loss of customers or restrict the Group’s ability to efficiently access capital markets. This could adversely affect our business, prospects, financial performance or financial condition. We have and could suffer losses due to litigation - Compliance and conduct risk - Enforcement action - Litigation - Class actions - Substantial fines and penalties Litigation has been, and could in the future be, commenced against us by a range of plaintiffs, such as customers, shareholders, employees, suppliers, counterparties, activists and regulators and may, either individually or in aggregate, adversely affect the Group’s business, operations, prospects, reputation or financial condition. In recent years, there has been an increase in class action proceedings in the broader market, many of which have resulted in significant monetary settlements. The risk of class actions has been heightened by a number of factors, including regulatory enforcement actions, an increase in the number of regulatory investigations and inquiries, a greater willingness on the part of regulators to commence court proceedings, more intense media scrutiny, the increasing prospect of regulatory reforms which might eliminate some of the current barriers to such litigation, and the growth of third party litigation funding and other funding arrangements. Class actions commenced against a competitor could also lead to similar proceedings against Westpac and a competitor’s response to those actions may impact attitudes of counterparties to Westpac proceedings. Activism strategies directed at financial institutions, particularly in the area of climate change, sustainability and energy transition, have also increased globally in recent years, where the focus, including through the commencement of proceedings, may be to publicly highlight particular issues, to enforce legal or regulatory standards, or to influence the financial institution to change its operations and activities. Westpac is currently, and in the future may be, exposed to such litigation and/or strategies employed by activist shareholders or organisations. Litigation is subject to many uncertainties and the outcome may not be predicted accurately. Furthermore, the Group’s ability to respond to and defend litigation may be adversely affected by inadequate record keeping. The Group’s ability to settle litigation on reasonable terms will be affected by attitudes of counterparties. Depending on the outcome of any litigation, the Group has been, and may in the future be, required to comply with broad court orders, including compliance orders, enforcement orders or otherwise pay significant damages, fines, penalties or legal costs. There is a risk that the actual penalty or damages paid following a settlement or

RISK FACTORS 11 determination by a Court for any legal proceedings may be materially higher or lower than any relevant provision (where applicable) or that any contingent liability may be larger than anticipated. There is also a risk that additional litigation or contingent liabilities arise, all of which could adversely affect our business, prospects, reputation, financial performance or financial condition. There is additional information on certain legal proceedings that may affect the Group in the Significant developments section and in Note 25 to the financial statements in the 2024 Annual Report. We are exposed to adverse funding market conditions - Market risk - Volatility and disruption - Funding and liquidity risk - Credit risk We rely on deposits, global money markets and global capital markets to fund our business and source liquidity. Our liquidity and costs of obtaining funding are related to funding market and general economic conditions, in addition to our creditworthiness and credit profile. Funding sources can be unpredictable and experience periods of extreme volatility, disruption and decreased liquidity. Market conditions, and the behaviour of market participants, can shift significantly over very short periods of time. The main risks we face are damage to market confidence, changes to the access and cost of funding and reduction in appetite for exposure to Westpac, as well as the potential impacts arising from broader macroeconomic themes. Additionally, a shift in investment preferences could result in deposit withdrawals that would increase our need for funding from other sources. These other sources may offer lower levels of liquidity and increase costs. If market conditions deteriorate due to economic, political, regulatory, or other reasons (including those idiosyncratic to Westpac), there may also be a loss of confidence in bank deposits leading to unexpected withdrawals. These events can transpire quickly and be exacerbated by information transmission on social media. This could increase funding costs, constrain our liquidity, funding and lending activities and threaten our financial solvency. In such events, even robust levels of capital may not be sufficient to safeguard Westpac against detrimental loss of funding. If our current sources of funding prove to be insufficient, we may need to seek alternatives which will depend on factors such as market conditions, our credit ratings, reputation and confidence issues and market capacity. Even if available, these alternatives may be more expensive or on unfavourable terms, which could adversely affect our financial performance, liquidity, capital resources or financial condition. If we are unable to source appropriate funding, we may be forced to reduce business activities (e.g. lending) or operate with smaller liquidity buffers. This may adversely impact our business, liquidity, capital resources, financial performance or financial condition. If we are unable to source appropriate funding for an extended period, or if we can no longer realise liquidity, we may not be able to pay our debts as and when they fall due or meet other contractual obligations. We also enter into collateralised derivative obligations, which may require us to post additional collateral based on market movements. This has the potential to adversely affect our liquidity or ability to use derivatives to hedge interest rate, currency and other financial risks. We could be adversely affected by the risk of inadequate capital levels - Capital adequacy - Capital risk - Regulatory capital requirements The Group is subject to the risk of an inadequate level or composition of capital to support our business activities and meet regulatory capital requirements under normal operating environments or stressed conditions, and to maintain our solvency. Even robust levels of capital may not be sufficient to ensure the ongoing sustainability of Westpac in the event of a bank run, where depositors quickly withdraw funds because of concerns about bank failure. Our capital levels are determined by regulation and risk appetite and informed by stress testing. Buffers on regulatory requirements have been built to assist in maintaining capital adequacy during stressed times. We determine our management buffers taking into consideration various factors. These include our balance sheet, forecasts, portfolio mix, potential capital headwinds (including real estate valuations, inflation and rising rates) and stressed outcomes, (also noting that models and assumptions may or may not be accurate in predicting the nature and magnitude of particular stress events). The macroeconomic environment, stressed conditions and/or regulatory framework could result in a material increase to risk weighted assets or impact our capital adequacy, trigger capital distribution constraints, threaten our financial viability and/or require us to undertake a highly dilutive capital raising. Capital distribution constraints apply when an ADI’s Common Equity Tier 1 Capital ratio is within the prudential capital buffer range (consisting of the Capital Conservation Buffer plus any Countercyclical Capital Buffer). Such constraints could impact future dividends and distributions on Additional Tier 1 (AT1) capital instruments. Should AT1 and Tier

12 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS 2 capital securities that we have issued be converted into ordinary shares (for example where our CET 1 ratio falls below a certain level or APRA determines we would become non-viable without conversion of capital instruments or equivalent support), this could significantly dilute the value of existing ordinary shares. Additionally, it should be noted that APRA is currently consulting on a proposal to phase out AT1 capital instruments (see further discussion in the Significant developments section in the 2024 Annual Report). Our business is substantially dependent on the Australian and New Zealand economies, and could be adversely affected by a material downturn or shock to these economies or other financial systems - Strategic risk - Macroeconomic risks - Market disruption - Domestic and international economic conditions - Geopolitical risks - Credit risk Our revenues and earnings are dependent on domestic and international economic activity, business conditions and the level of financial services our customers require. Most of our business is conducted in Australia and New Zealand so our performance is influenced by the level and cyclical nature of activity in these countries. The financial services industry and capital markets have been, and may continue to be, adversely affected by volatility, global economic conditions (including inflation and rising interest rates), external events, geopolitical instability, political developments, cyberattacks or a major systemic shock. Market and economic disruptions (or the possibility of interest rates remaining higher for longer than anticipated) could cause consumer and business spending to decrease, unemployment to rise, demand for our products and services to decline and credit losses to increase, thereby reducing our earnings. These events could undermine confidence in the financial system, reduce liquidity, impair access to funding and adversely affect our customers and counterparties. Given Australia’s export reliance on China, slowdown in China’s economic growth and foreign policies (including the adoption of protectionist trade measures or sanctions) could negatively impact the Australian economy. This could result in reduced demand for our products and services and affect supply chains, the level of economic activity and the ability of our borrowers to repay their loans. The nature and consequences of any such event are difficult to predict but each of these factors could adversely affect our business, prospects, financial performance or financial condition. Declines in asset markets could adversely affect our operations or profitability and an increase in impairments and provisioning could adversely affect our financial performance or financial condition - Market risk - Decline in asset values - Impairments - Credit risk Declines in Australian, New Zealand or other asset markets, including equity, bond, residential and commercial property markets, have adversely affected, and could in the future adversely affect, our operations and profitability. Declining asset prices including as a result of change in taxation policies and potential legislation to restrict rents, could also impact customers and counterparties and the value of security (including residential and commercial property) we hold. This may impact our ability to recover amounts owing to us if customers or counterparties default. It may also affect our impairment charges and provisions, in turn impacting our financial performance, financial condition and capital levels. Declining asset prices could also impact our wealth management business as its earnings partly depend on fees based on the value of securities and/or assets held or managed. We establish provisions for credit impairment based on accounting standards using current information and our expectations. If economic conditions deteriorate beyond our expectations, some customers and/or counterparties could experience higher financial stress, leading to an increase in impairments, defaults and write-offs, and higher provisioning. Changes in regulatory expectations in relation to the treatment of customers in hardship could lead to increased impairments and/or higher provisioning. Such events could adversely affect our liquidity, capital resources, financial performance or financial condition. Credit risk also arises from certain derivative, clearing and settlement contracts we enter into, and from our dealings in, and holdings of, debt securities issued by other institutions and government agencies, the financial conditions of which may be affected to varying degrees by economic conditions in global financial markets.

RISK FACTORS 13 Sovereign risk may destabilise financial markets adversely - Sovereign risk - Defaults Potential sovereign contractual defaults, sovereign debt defaults and the risk that governments will nationalise parts of their economy including assets of financial institutions (such as Westpac) could negatively impact the value of our holdings of assets. Such an event could also destabilise global financial markets, adversely affecting our liquidity, financial performance or financial condition. We could be adversely affected by the failure to maintain our credit ratings - Availability of funding - Cost of funding - Downgrade Credit ratings are independent opinions on our creditworthiness. Our credit ratings can affect the cost and availability of our funding and may be important to investors, certain institutional customers and counterparties when evaluating their investments in the Group, our products and services. A rating downgrade could be driven by a downgrade of Australia’s sovereign credit rating, a material weakening in our financial performance, or one or more of the risks identified in this section or by other events including changes to the methodologies rating agencies use to determine credit ratings. A credit rating or rating outlook could be downgraded or revised where credit rating agencies believe there is a very high level of uncertainty on the impact to key rating factors from a significant event. A downgrade to our credit ratings could have an adverse effect on our cost of funds, collateral requirements, liquidity, competitive position, our access to capital markets and our financial stability. The extent and nature of these impacts would depend on various factors, including the extent of any rating change, differences across agencies (split ratings) and whether competitors or the sector are also impacted. We face intense competition in all aspects of our business - Margins; - Regulatory scrutiny - Strategic risk - New entrants The financial services industry is highly competitive. We compete with a range of firms, including retail and commercial banks, investment banks, other financial service companies, fintech companies and businesses in other industries with financial services aspirations. This includes those competitors who are not subject to the same capital and regulatory requirements as us or who derive substantial revenue from other markets, which may allow those competitors to operate more flexibly and with lower costs of funds. Emerging competitors are increasingly altering the competitive environment by adopting new business models or seeking to use new technologies to disrupt existing business models. The competitive environment may also change as a result of increased scrutiny by regulators in the sector (such as in the payments space, or as a result of the recommendations following the ACCC’s inquiry into the market for the supply of retail deposit products) and other legislative reforms, which will stimulate competition, improve customer choice and likely give rise to increased competition from new and existing firms. Competition in the various markets in which we operate has led, and may continue to lead, to a decline in our margins or market share. Deposits fund a significant portion of our balance sheet and have been a relatively stable source of funding. If we are not able to successfully compete for deposits this could increase our cost of funding, lead us to seek access to other types of funding, or result in us reducing our lending. Our ability to compete depends on our ability to offer products and services that meet evolving customer preferences. Not responding to changes in customer preferences could see us lose customers. This could adversely affect our business, prospects, financial performance or financial condition. For more detail on how we address competitive pressures refer to the Our Operating Environment section in the 2024 Annual Report.

14 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS We have suffered, and could continue to suffer, losses due to operational risk - Operational risk - Change execution - Records management - Ineffective processes and controls - Fraud and scams - Third parties - AI Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes, among other things, model risk, data risk, operations risk, change execution risk and third party risk. While we have policies, processes and controls in place to manage these risks, these have not always been, or may not be, effective. Ineffective processes and controls (including those of our contractors, agents, authorised representatives and credit representatives, or inadequate supervision and oversight of their activities) have resulted in, and could continue to result in, adverse outcomes for customers, employees or other third parties. The risk of operational breakdowns occurring is heightened if measures are implemented quickly in response to external events. These types of operational failures may result in financial losses, customer remediation, regulatory scrutiny and intervention, fines, penalties and capital overlays and, depending on the nature of the failure, litigation, including class action proceedings. Examples of operational risks include: • Fraud and scams. We have incurred, and could in the future incur, losses from fraud and scams, including fraudulent applications for loans (including misrepresentations by customers), or from incorrect or fraudulent payments and settlements. Such losses, including the potential for additional customer compensation and financial penalties, could increase significantly due to regulatory change (for example, if the Group does not adhere to obligations set out in the impending mandatory cross industry scams code framework and/or a UK style bank reimbursement scheme is implemented in Australia or New Zealand, making Australian and New Zealand banks liable to compensate scam victims). Fraudulent conduct can also arise from external parties seeking to access our systems or customer accounts, the use of mule accounts and where identification records are compromised due to third party cybersecurity events. These risks are heightened by real-time transaction capability, and we are also exposed to contagion risk from incidents affecting other institutions. If systems, procedures and protocols for preventing and managing fraud, scams or improper access to our systems and customer accounts fail, or are inadequate or ineffective, they could lead to losses which could adversely affect our customers, business, prospects, reputation, financial performance or financial condition. Regulatory and compliance requirements can impede the ability to swiftly identify or respond to a fraud or scam, or to communicate with affected parties. • Records management. We could incur losses from a failure to adequately implement and monitor effective records management policies and processes. This could impact our ability to safeguard or locate relevant records, respond to production and regulatory notices, conduct remediation, and generally meet records lifecycle management and compliance obligations. Where there are inadequacies or complexities in our systems, these risks are further heightened, for example retaining records and data for, or destroying records or de-identifying records after a certain period. • Artificial Intelligence (AI). As we increase the adoption of AI to support our customers and business processes, we may become more exposed to risks associated with the use of technology, such as lack of transparency, inaccurate data input, risk of unintentional bias or inaccurate outputs, breaches of confidentiality and privacy obligations, and inaccurate decisions or unintended consequences that are inconsistent with our policies or values. In addition, failure or delays in adopting AI could lead to competitive disadvantages or otherwise not leveraging capability that could better support risk management or improve customer outcomes. These could have financial, regulatory, conduct, reputational and customer impacts. • Third party. We rely on third parties, both in Australia and overseas, to provide services to us and our customers. Failures by these third parties, including our authorised representatives and credit representatives, to deliver services as required and in accordance with law, regulation and regulatory expectations could disrupt our ability to provide products and services and adversely impact our customers, operations, financial performance or reputation. For example, we rely on third parties to provide cash transport, handling and storage services. With reduced demand for cash placing pressure on the cash-in-transit (CIT) industry, we are exposed to operational risk including loss of (or delays in accessing) cash held by CIT providers on our behalf, reduced availability of cash in the system generally (which could lead to a run on cash), and related consequences where we or our customers suffer loss or damage due to disruptions to CIT services. • Change execution. We are exposed to change execution risk through delivery of technology and other change programs. There are risks that a change program fails to deliver the desired outcomes, or fails to reduce, pre-empt, mitigate and manage the challenges associated with transformation delivery. This could result in business disruption and delays, technology challenges, financial loss or further regulatory scrutiny. If our technology systems or financial infrastructure do not operate correctly, this may also cause loss or damage to us or our customers. This can also arise from complexities in our systems, and the interaction between those systems. This

RISK FACTORS 15 could include, for example, where systems issues result in incorrect fees or charges being applied to customers, or other poor customer outcomes. • Insurance coverage. There is a risk that we will not be able to obtain and/or have not obtained appropriate insurance coverage for the risks that we may be exposed to. This could be due to lack of available or adequate insurance, an increase in the cost of insurance, or failure of the insurance underwriter. If an insurance policy is not available or does not respond to a loss, we will not have the ability to recover its loss from an insurance policy. We could suffer losses due to market volatility - Market risk - Geopolitical risks - Volatility and disruption - Credit risk Market risk is the risk of an adverse impact on the Group’s financial performance, financial position, capital and liquidity, resulting from changes in market factors, such as foreign exchange rates, commodity prices, equity prices, credit spreads and interest rates. Market risk is present in both banking book and trading book. We are exposed to market risk due to our financial markets businesses, asset and liability management, our holdings in liquid asset securities and our defined benefit plan. Changes in market factors could be driven by a variety of developments including economic disruption, geopolitical events, market liquidity or concerns relating to major market participants or sectors. The resulting market volatility could potentially lead to losses and may adversely affect our financial performance. As a financial intermediary, we underwrite listed and unlisted debt securities. We could suffer losses if we fail to syndicate or sell down this risk to others. This risk is more pronounced in times of heightened market volatility. Poor data quality could adversely affect our business and operations - Operational risk - Data quality - Poor customer and risk outcomes Having accurate, complete and reliable data, supported by appropriate data controls, retention and, destruction methods and access to internal frameworks and processes, is critical to the effective operation of Westpac’s businesses. Data plays a key role in determining how we provide products and services to customers, the effectiveness of our systems and risk management frameworks and our ability to make effective decisions and strategic planning. Some of our businesses are affected by poor data quality and/or limited data availability. This has been, and may continue to be, due to a number of factors, including inadequacies across systems, processes and policies, or ineffectively implemented data management frameworks. Poor data quality could lead to poor customer service outcomes, adverse risk management outcomes, deficient system outputs and processes. This is because inadequacies in data quality renders that data unreliable to assist in making informed business decisions. Deficiencies with internal systems and processes could negatively impact Westpac’s decision-making in areas such as the provision of credit to a customer, and the terms on which a credit facility is provided. The production of accurate data is also critical for other functions across the Westpac Group, such as financial and other reporting (internal and external). Poor data quality and availability impacts the ability for Westpac’s business to effectively monitor and manage their operations, comply with production notices, respond to regulatory notices, defend and respond to litigation and conduct remediation activities. Conflicting data retention or destruction obligations may increase that risk. Poor data and/or poor data retention/destruction methods, deficient controls that result in control gaps and weaknesses, negatively impact Westpac’s ability to meet its compliance obligations (including its regulatory reporting obligations). In the past this has led to regulatory investigations or adverse findings and actions against Westpac, and such actions are likely to continue if we do not maintain an acceptable level of quality for the data we hold and use, as well as having effective oversight practices in place. The data related frameworks and processes that we have in place must be continuously reviewed, and improved where required, to ensure our data quality and data management practices remain relevant, fit for purpose and sustainable. This is because outdated or unsustainable practices may lead to inefficient data management practices and/or poor quality data. Potential consequences from holding data that is of a poor quality and/or having poor data oversight and controls include adversely impacting on the ability for the Group to effectively operate its existing businesses, securing prospective business from third parties, its reputation, financial performance and financial condition.

16 WESTPAC GROUP 2024 RISK FACTORS RISK FACTORS Certain strategic decisions may have adverse effects on our business - Strategic risk - Warranties and indemnities - Divestments and acquisitions - Implementation risk We routinely evaluate and implement strategic decisions, priorities and objectives including simplification, diversification, innovation, divestment, investment, acquisition, business expansion initiatives or decisions to shut down some operations. Each of these activities can be complex, costly and may not proceed in a timely manner. For example, we may experience difficulties in completing certain transactions, separating or integrating businesses in the scheduled timeframe or at all, disruptions to operations, diversion of management resources or higher than expected transaction costs, there may be impacts on third parties, and there may be differing market views about a strategic choice, which may cause reputational damage. Any failure to successfully divest businesses means that we may have sustained exposure to higher operating costs and to the higher inherent risks in those businesses. Decisions to retain businesses means we may be exposed to the higher inherent risks in those businesses. For example, our Pacific businesses face a number of risks including heightened operational risk, sovereign risk, financial crime and exchange control risks which could adversely affect our customers, business, prospects, reputation, financial performance or financial condition. In addition, as part of the now-completed Specialist Businesses transactions, we have given a number of warranties and indemnities in favour of counterparties relating to certain pre-completion matters and made certain other contractual commitments, including in relation to transitional services. Warranties, indemnities and commitments may also be given in the future in relation to other divestments we undertake. Claims under these warranties, indemnities and other contractual commitments may result in us being liable to make significant payments to these counterparties while the various contractual liability regimes remain on foot. For potential matters related to conduct and customer redress, additional operational risk capital is held against this risk pursuant to APRA’s published guidance. These contingent liabilities are described in Note 25 to the financial statements in the 2024 Annual Report. We also acquire and invest in businesses. These transactions involve a number of risks and costs. A business we invest in may not perform as anticipated, may result in the assumption of unknown and unaccounted for liabilities, regulatory risks or may ultimately prove to have been overvalued when the transaction was entered into. Operational, cultural, governance, compliance and risk appetite differences between us and an acquired business may lead to longer and more costly integration. There are risks involved in not implementing strategies successfully due to internal factors, for example, inadequate funding, resourcing, business capabilities or operating model, or failing to identify, understand or respond effectively to changes in the external business environment, including economic, geopolitical, regulatory, consumer sentiment, technological, environmental, social and competitive factors. This could have a range of adverse effects on us, such as being unable to increase or maintain market share or resulting pressure on margins and fees. Any of these risks could have a negative impact on our business, growth prospects, reputation, engagement with regulators, financial performance or financial condition. Other risks • Failure to recruit and retain key executives, employees and Directors may have adverse effects on our business, prospects, reputation, financial performance or financial condition. Macro-environmental factors including low unemployment, restricted migration levels, on-shoring of work and the competitive talent market, may also have an adverse impact on attracting specialist skills for the Group. • Changes to the critical accounting assumptions and estimates (outlined in Note 1 to the financial statements in our 2024 Annual Report) could expose the Group to losses greater than those anticipated or recognised, which could adversely affect our financial performance, financial condition and reputation.

WESTPAC.COM.AU