ASXRELEASE Westpac Banking Corporation Level 18, 275 Kent Street Sydney, NSW, 2000 3 November 2025 2025 Risk Factors Westpac Banking Corporation (“Westpac”) today provides the attached 2025 Risk Factors. For further information: Hayden Cooper Justin McCarthy Group Head of Media Relations General Manager, Investor Relations 0402 393 619 0422 800 321 This document has been authorised for release by Tim Hartin, Company Secretary.

RISK FACTORS WESTPAC BANKING CORPORATION ABN 33 007 457 141 NOVEMBER 2025 WESTPAC

2 WESTPAC GROUP 2025 RISK FACTORS DISCLAIMER Disclaimer The material contained in this document is intended to provide further information on the current and future risks faced by Westpac Banking Corporation (Westpac), including potential consequences if those risks materialise. The information is not intended to be exhaustive, and is not necessarily complete in respect of each risk described. It is not intended that it be relied upon as advice to investors or potential investors, who should consider seeking independent professional advice depending upon their specific investment objectives, financial situation or particular needs. This document should be read in conjunction with our 2025 reporting suite, including our 2025 Annual Report, including the section titled Risk Management and any public announcements made by Westpac in accordance with the continuous disclosure requirements of the Corporations Act 2001 and ASX Listing Rules. This document contains statements that constitute “forward-looking statements” within the meaning of Section 21E of the US Securities Exchange Act of 1934. Forward looking statements are statements that are not historical facts. Forward-looking statements appear in a number of places in this document and include statements with the potential impact of the risks described on our business and operations, macro and micro economic and market conditions, results of operations and financial condition, capital adequacy and liquidity and risk management. Forward-looking statements may also be made, verbally or in writing, by members of Westpac’s management or board in connection with this document. Such statements are subject to the same limitations, uncertainties, assumptions and disclaimers set out in this document. We use words such as ‘will’, ‘may’, ‘expect’, ‘intend’, ‘seek’, ‘would’, ‘should’, ‘could’, ‘continue’, ‘plan’, ‘estimate’, ‘anticipate’, ‘believe’, ‘probability’, ‘risk’, ‘aim’, ‘outlook’, ‘assumption’, ‘target’, ‘goal’, ‘guidance’, 'objective', ‘ambition’, 'forecast' or other similar words to identify forward-looking statements. These forward-looking statements reflect our current views on future events and are subject to change (including as a result of maturing methodologies), certain known and unknown risks, uncertainties and assumptions and other factors which are, in many instances, beyond our control (and the control of our officers, employees, agents and advisors), and have been made based on management’s and/or the board's expectations or beliefs concerning future developments and their potential effect upon Westpac. There can be no assurance that future developments or performance will align with our expectations or that the effects on us of the risks described will be those anticipated. Actual results could differ materially from those we expect or which are expressed or implied in forward-looking statements, depending on various factors including the risks outlined in this document and the Risk Management section in our 2025 Annual Report and our 2025 reporting suite. When relying on forward-looking statements to make decisions with respect to Westpac, investors and others relying on information in this document should carefully consider such factors and other uncertainties and events. This document is dated 3 November 2025 and, except as required by law, we assume no obligation to revise or update any forward-looking statements contained in this document, whether from new information, future events, conditions or otherwise, after the date of this document. All defined terms in this document take their meaning from our 2025 Annual Report, unless otherwise specified.

RISK FACTORS 3 RISK FACTORS Risk factors Our business is subject to risks that can adversely impact our financial performance, financial condition and future performance. The 2025 Annual Report sets out our approach to managing risks, major risk categories that could impact our business, as well as key focus areas. The 2025 Risk Factors provides investors and potential investors with further information in relation to our current and emerging risks, as well as potential consequences if those risks materialise. The content of the 2025 Risk Factors is current as of the publication date, but its relevance may be impacted by subsequent developments. Risks and risk management strategies are inherently dynamic, evolving alongside changes in the external environment, market conditions and organisational priorities. The risks and uncertainties described below are not exhaustive and can emerge together or in quick succession, uncorrelated with the below order. Additional risks and uncertainties that we are currently unaware of or deem immaterial, may also become important factors that affect us. If any of the following risks materialise, our business, prospects, reputation, financial performance or financial condition could be materially adversely affected, which may subsequently cause the price of our securities or the level of dividends to decline and, as a security holder, you could lose all, or part, of your investment. You should carefully consider the risks described (individually and in combination) and the other information in the 2025 Risk Factors and in the 2025 Annual Report and subsequent disclosures before investing in, or continuing to own, our securities. Risks relating to our business1 We have experienced, and could in the future experience, information security risks, including cyberattacks - Cyber risk - Cyber attacks - Operational risk - Information security risks - Data breaches - Third party risk Our operations depend on the secure processing, storage and transmission of information on our systems and those of external suppliers. Despite protective measures, including to protect the confidentiality, availability and integrity of our information, our information assets may face security breaches, unauthorised access, malware, social engineering, denial of service attacks, ransomware, destructive attacks, employee misconduct, human error or other external and internal threats. These could adversely impact our and others’ confidential information and system availability. Information security risks are heightened by factors such as new technologies, increased digitisation, larger volumes of sensitive data, sophisticated cyber crime, supply chain disruptions, remote and hybrid working, targeting of critical infrastructure providers, geopolitical tensions, terrorism, state sponsored attacks, and AI-enhanced cyberattacks (which can increase the speed, breadth, complexity and effectiveness of cyberattacks). These factors could compromise our information assets and disrupt operations for us, our customers, suppliers and counterparties. Adverse events such as data breaches, cyberattacks, espionage and errors (including human-related), are increasing in frequency and impact, potentially causing financial instability, reputational damage, service disruption, contagion risk, in addition to economic and non-economic losses to us, our customers, shareholders, suppliers, counterparties and others. Our protective systems and processes have not always been, and may not always be, effective and human error can occur. Westpac, our customers and other stakeholders could suffer losses from cyberattacks, information security breaches or ineffective cyber resilience. Consequences could be severe if customer data is being held in breach of legal or regulatory obligations and that data is compromised as part of an information security incident. We may not always predict, prevent or effectively respond to such incidents, or effectively respond to and/or rectify the resulting damage. Our suppliers, counterparties, and other parties involved in or who facilitate our activities, financial platforms and infrastructure as well as our customers’ suppliers and counterparties are also at risk, which could impact us. As cyberattacks increase globally, so does the likelihood of regulatory enforcement and legal actions, including class actions related to information security failures, misleading disclosures, or deficient responses to incidents. Consequences of attacks could include damage to technology infrastructure (including data centres), government intervention, service disruptions, loss of customers and market share, data loss, cyber extortion, customer remediation and/or compensation, breaches of the law or other obligations, vulnerability to fraud or scams, litigation, fines, and increased regulatory scrutiny or other enforcement action. Such outcomes could negatively affect our business, prospects, reputation, financial performance or financial condition. As cyber threats evolve, we may need to allocate significant resources and incur additional costs to enhance our systems, address vulnerabilities or incidents and respond to regulatory changes. 1. A reference to "customer" in this document includes a "member", as appropriate.

4 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS We could suffer losses due to geopolitical events - Geopolitical risks - Conflicts - Operational risk - Credit risk We, our customers and our suppliers operate businesses, engage in trade with and hold assets in different geographic locations. Significant risks subsist including from geopolitical instability, conflicts, trade tensions, tariffs, sanctions, social disruption, civil unrest, war, terrorist activity, acts of international hostility, and complicity with or inaction regarding certain types of crimes. Such events or the uncertainty related to the potential for such events are and could continue to directly and indirectly impact our and our customers’ operations, affect domestic and international economic stability and/or impact consumer and investor confidence, which in turn could disrupt industries, businesses, service providers and supply chains and ultimately adversely impact economic activity. Potential outcomes include material labour shortages, higher energy costs and commodity prices, volatility in markets, damage to property and disruptions where essential services, logistics and infrastructure are materially impacted. Such impacts could affect asset values and impact customers’ repayment ability, and our ability to recover amounts owing. All of these impacts could adversely affect our business, prospects, financial performance or financial condition. The current global landscape, marked by significant and prolonged conflicts, increasing protectionist policies (and uncertainties surrounding such policies) and heightened tensions, risks further intensifying these impacts . We could be adversely affected by legal or regulatory change - Compliance and conduct risk - Regulators' expectations - Legal and regulatory change - Fines, penalties, other costs and capital overlays We operate in a highly regulated industry with an environment of sustained legal and regulatory change and ongoing scrutiny of financial services providers. Our business, prospects, reputation, financial performance and financial condition have been, and could in the future be, adversely affected by domestic and international changes to laws, regulations, policies, supervisory activities, regulator expectations, and industry codes such as the Banking Code of Practice. Such changes may affect how we operate and have altered, and may in the future alter, the way we provide our products and services, sometimes requiring us to change, suspend or discontinue our offerings. Industry-wide reviews and inquiries could further reshape laws, regulations, policy or regulatory expectations. Past and potential effects of such reviews include limiting our flexibility, requiring us to incur substantial costs (e.g. system changes, incurring Compensation Scheme of Last Resort levies, liabilities related to scams, fraud or operational costs relating to scam management or other industry wide issues), absorbing specialist resources, impacting profitability and requiring us to retain additional capital, which impacts our ability to pursue strategic initiatives or implement other changes, resulting in us being unable to increase or maintain market share and/or creating pressure on margins and fees. A failure to manage legal or regulatory changes effectively and in the timeframes required has resulted, and could in the future result, in the Group not meeting its compliance obligations. It could also result in enforcement actions, penalties, fines, civil litigation, capital impacts, and ultimately loss of or variations to business licences. Frequent and large volumes of regulatory change also contribute to execution risk, as technology, systems and process updates may not always be successful in keeping pace and there is heightened risk of flaws, human error or unintended consequences. Managing these changes may require significant management attention, costs and resources, including the availability of skilled personnel, which may be limited. There is additional information on certain aspects of regulatory changes affecting the Group in the Significant Developments section and in the sections titled ‘Critical accounting assumptions and estimates’ and ‘Future developments’ in Note 1 to the financial statements in the 2025 Annual Report.

RISK FACTORS 5 We have been and could be adversely affected by failing to comply with laws, regulations or regulatory policy - Compliance and conduct risk - Regulators' expectations - Legal and regulatory - Industry codes - Fines, penalties and capital overlays We are responsible for complying with all applicable legal and regulatory requirements and industry codes of practice in the jurisdictions where we operate or obtain funding. Our compliance and conduct risks are exacerbated by the complexity and volume of regulation, as well as ongoing regulatory change. These risks increase when there is ambiguity or multiple ways of interpreting our obligations and rights, conflicting laws between jurisdictions or regimes, or where there is limited industry consultation or a lack of regulatory guidance, particularly with respect to new or untested regulations. Our compliance and conduct management system, which is designed to mitigate these risks, has not always been, and may not always be, effective. Breakdowns have occurred, and may in the future occur due to factors such as poor judgement, flaws in the design or implementation of controls or processes, or the implementation of new measures. Such issues can lead to non-compliance (including failures to meet expectations or obligations to appropriately report or provide information to regulators or customers), potentially resulting in adverse outcomes for Westpac, our customers or other stakeholders. Ongoing reviews and change programs continue to identify compliance issues. Compliance and conduct risk has occurred, and could continue to occur, through the provision of products and services (including through our platforms) that may not meet legal or regulatory requirements, third party needs or expectations (including those of our customers, regulators or the market), especially for vulnerable customers, customers in hardship and indigenous customers. This risk has occurred, and could continue to occur, from deliberate, reckless, negligent, accidental or unintentional conduct of our employees, officers, contractors, agents, authorised representatives, credit representatives, trustees (including of our platforms) and/or external service providers, resulting in circumvention of, or inadequate implementation of, controls, processes (including monitoring), policies or procedures. This could occur through a failure to meet professional obligations (including fiduciary, suitability and responsible lending requirements), human error or weaknesses in risk culture, corporate governance or organisational culture or poor product design and implementation (including failing to adequately code or connect our systems with products, failing in whole or in part to consider customer needs or selling products and services outside of target markets). Inadequate supervision and oversight of our distribution channels can heighten these risks. Non-compliance by our people may negatively impact other employees, leading to outcomes including litigation and reputational damage. Additionally, third party conduct (e.g. where customers misrepresent their position on product applications and we have failed to identify it) may limit our recourse and regulatory outcomes may not be mitigated by third party culpability. These factors have resulted, and could continue to result, in poor customer outcomes (including for vulnerable customers and customers in hardship) such as inappropriate charging, failure to meet contractual, or compliance obligations (or to promptly detect, report and/or remedy non-compliance), and other outcomes including impacts which may compromise the integrity of the markets in which we operate or data we report, reputational damage, increased regulatory surveillance or investigation and employment disputes. We are currently subject to a number of investigations, reviews and industry inquiries by, and have and continue to respond to a number of requests from, domestic and international regulators including APRA, ASIC, the ATO, the ACCC, AUSTRAC, BCCC, ACMA, FINRA, AFCA, the OAIC, RBNZ, New Zealand Financial Markets Authority, New Zealand Commerce Commission, the Fair Work Ombudsman, the SEC, BaFin and BPNG’s Financial Analysis and Supervision Unit, involving significant resources and costs, potentially diverting specialist resources from other work. Regulatory reviews and investigations have, and may in the future, result in a regulator taking administrative or enforcement action against us and/or our representatives. Regulators have broad powers and may issue directions (e.g. for product design and distribution and remedial action), pursue civil or criminal proceedings, seek substantial fines and penalties, and other compliance or enforcement outcomes. These risks are heightened (and penalties have been and may be higher) where contraventions are not promptly detected or addressed, where we fail to meet our obligations (or the expectations of regulators), where there are patterns of behaviour indicating systemic conduct or where there has been an awareness of contraventions, especially in areas of heightened regulatory focus, such as vulnerable customers, customers in hardship and indigenous customers. Additionally, regulatory investigations may lead to adverse findings against directors and management, including potential disqualification. The resources allocated to these reviews and investigations can impede other activities, including change and remediation programs. APRA can require, and has required, us to hold additional capital either through a capital overlay or higher risk weighted assets (including in response to a failure to comply with prudential standards and/or expectations in relation to, for example, stress testing and liquidity management). Capital overlays could have an adverse impact on our financial performance. The evolving political and regulatory landscape has seen (and may continue to see) expansion of regulators’ powers, materially increased civil penalties and fines and increased criminal prosecutions against institutions and/or their employees and representatives (including where there is no fault element). This could also result in reputational

6 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS damage and impact the willingness of customers, investors and other stakeholders to deal with us. Given our size and scale of activities, a failure by us may result in multiple contraventions, which could lead to significant penalties, remedial action and other consequences (e.g. regulatory damage). Regulatory investigations or actions commenced against the Group have exposed, and may in the future expose, the Group to an increased risk of litigation brought by third parties (including through class action proceedings), which may require us to pay (sometimes substantial) compensation to third parties and/or to undertake further remediation activities. Market developments suggest there is an expanding scope for potential claims, including in relation to cyber incidents, financial crime and ESG issues. We have incurred significant remediation costs on a number of occasions (including compensation payments and costs of correcting issues) and new issues may arise requiring remediation. We have faced, and may continue to face, challenges in effectively and reliably scoping, quantifying and implementing remediation activities (whether or not such activities are prompted by a regulator), including determining how to compensate impacted parties properly, fairly and in a timely way. Investigation of the underlying issue may be impeded due to the passage of time, technical system constraints, or inadequacy of records. Delays in remediation may occur due to factors such as the number of affected parties and their responsiveness, ongoing investigations or litigation, and regulatory requirements. Remediation programs may not prevent regulatory action or investigations, litigation or other proceedings from being pursued, or sanctions being imposed. Regulatory investigations, inquiries, litigation, fines, penalties, infringement notices, disclosures, revocation, suspension or variation of conditions of regulatory licences or other enforcement or administrative action or agreements (such as enforceable undertakings) have and could, either individually or in aggregate with other regulatory action, adversely affect our business, prospects, reputation, financial performance or financial condition and increase class action risk. There is additional information on certain regulatory and other matters that may affect the Group in the Significant Developments section and in Note 25 to the financial statements in the 2025 Annual Report. We have suffered, and in the future could suffer, losses and be adversely affected by the failure to implement effective risk management - Risk management - Controls and processes - Risk culture - Risk governance - Fines, penalties Our risk management framework has not always been, and may not in the future be, fully effective. Resources allocated to identifying, measuring, evaluating, monitoring, reporting, controlling or mitigating material risks may sometimes be inadequate. This may arise due to inadequacies in the design of the framework or key risk management policies, controls and processes, the design or operation of our remuneration structures and consequence management processes, technology failures, our corporate structure, incomplete implementation or embedment, or failure by our people (including contractors, agents, authorised representatives and credit representatives) to comply with or properly implement our policies and processes. The potential for these types of failings is heightened if we lack sufficiently skilled, trained or qualified personnel or capacity, including people, processes and technology, to appropriately manage risks. Although we periodically review our risk management framework to determine if it remains appropriate, all risk management frameworks have inherent limitations (and may also be ineffective because of weaknesses in risk culture or governance), and some risks may exist or emerge that we have not anticipated or identified. For example, where there is a lack of awareness of our policies, controls and processes or where they are not adequately complied with, monitored, audited or enforced. This may result in poor decision-making or risk and control weaknesses not being identified, escalated or acted upon. Risks are measured and monitored against our risk appetite, and when outside of appetite, we aim to take steps to bring such risks back into appetite, including framework and policy design improvements. However, bringing risks back within appetite may be delayed or ineffective, due to factors including complexity, information technology system enhancement delays, staffing constraints (including where staff are occupied by other regulatory change or remediation projects), operational failures or external factors beyond our control, resulting in certain risks remaining outside of appetite for periods of time. If any of our governance or risk management processes and procedures prove ineffective or inadequate or are not appropriately implemented or we fail to bring risks into appetite, we may face sustained or increased regulatory scrutiny and action. While a stronger risk culture fosters early self-identification and remediation, it may also highlight concerns that trigger further regulatory action. This may result in financial losses, additional capital requirements, compliance breaches, fines, reputational damage, and/or significant remediation, which could adversely affect our business, prospects, financial performance or financial condition.

RISK FACTORS 7 We could suffer losses due to technology failures - Operational risk - Information and technology - Change management - Technology failure - UNITE program - Outages Maintaining the reliability, availability, integrity, confidentiality, security and resilience of our information and technology is crucial to our business. Despite existing processes to preserve, monitor and facilitate the availability of and recovery of, our systems, there is a risk that our information and technology systems may be inadequate, could be compromised, fail to operate properly or result in outages, including from events wholly or partially beyond our control. A technology deficiency or failure could lead to failures to meet contractual, legal or compliance obligations (such as a requirement to issue communications, retain records and/or data for a certain period, or to destroy records and/or data after a certain period, or other risk management, privacy, business continuity management or outsourcing obligations). Our stakeholders, including employees and customers may be adversely affected, including by being unable to access or be covered by our or a third party’s products or services (or being inappropriately charged for them), as a result of systems failures, privacy breaches, or the loss of personal data. This could result in business disruption, reputational damage, financial loss, remediation costs, regulatory investigations and/or action, or others commencing litigation. Technology issues in the financial sector can also affect multiple institutions, meaning we could impact, or be impacted by, other institutions. The use of legacy systems, as well as work underway to uplift our technological capabilities, may heighten transfer risks, the risk of a technology failure, change management issues and the risk of non-compliance with our regulatory obligations or poor customer outcomes. Projects aimed at simplifying/streamlining our systems (including our UNITE program) will require significant resources (including specialist expertise) and incur costs. These risks may be heightened while those projects are being undertaken, or post-implementation where there are unanticipated outcomes or impacts. These projects may also not be completed on time, may not deliver the expected benefits or may require further resources or funding than anticipated. The success of such projects relies in part on having robust governance arrangements and appropriate oversight at Board and senior executive level. Shortcomings in these areas could elevate the risk of regulatory non-compliance, poor customer outcomes, delays, increased costs or demand on resources. Failure to regularly renew and enhance our technology to deliver new products and services, comply with regulatory obligations and ongoing regulatory changes, improve automation of systems and controls, meet our customers’ and regulators’ expectations, or to effectively implement new technology projects, could result in cost and time overruns, technology failures (including due to human error in implementation), reduced productivity, outages, operational failures or instability, compliance failures, reputational damage and/or loss of market share. Climate change and other sustainability factors such as human rights and natural capital may have adverse effects on our business - Climate and nature risks - Physical and transition risks - Social and human rights risks - Credit risk - Operational risk - Reputational and sustainability risk - Compliance and conduct risks Climate and other sustainability-related risks have had and are likely to have adverse effects on us, our customers, external suppliers, and the communities in which we operate. Managing these risks is challenging given significant uncertainties in modelling and impact assessment. Climate related risks may manifest as physical risks, transition risks or liability risks. Physical risks include direct risks to us, our customers, suppliers and other stakeholders. These risks could arise from increases and variability in temperatures, precipitation changes, rising sea levels, loss of natural capital or biodiversity loss, and more severe and frequent climatic events, including fires, storms, floods and droughts. Such events could also increase human rights risk and/or increase customer vulnerability. Impacts may arise through damage, disruption or changes to business activities, operations, asset values and insurability of assets (or insurance availability/affordability), resulting in higher costs and/or reduced revenues to ourselves or customers. In turn, impacts on customers could lead to higher impairment charges in our lending portfolio. Transition risks may arise through the transition to a lower carbon economy, which in turn could impact Westpac through changes such as in consumer behaviour and market sentiment. These risks may emerge gradually and orderly, or abruptly and disorderly, or a combination of both. Impacts could result from climate change mitigation efforts, the obsolescence of certain businesses due to the energy transition, changes in investor appetite, shifting

8 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS customer preferences, technology developments and regulatory changes. Such risks could also emerge through lending to customers facing reduced revenues, asset devaluation and rising costs, thereby increasing our credit risk. Additionally, Westpac may be impacted by transition risks, and from adverse effects to the broader economy including as they relate to interest rates, inflation and growth (or lack thereof). Our ambition to become a net-zero, climate resilient bank, has led and will continue to lead to changes in policies and processes which may pose execution risk. Our ability to meet our ambition and targets depends partly on the broader economy’s orderly transition to net-zero, which may be impacted by external factors including (but not limited to) government policies, investment levels, electricity grid capacity, and constraints in the development and supply of technology, infrastructure and skilled labour. Our transition efforts, including to meet our targets and commitments, may also be impacted by the challenges faced by customers in executing their transition plans. Natural capital loss, referring to the depletion of renewable and non-renewable natural resources that combine to yield a flow of benefits to people, poses a risk to us. This risk emerges primarily through our exposure to customers that are materially dependent on or may impact natural resources. This loss can contribute to, and be accelerated by, climate change. Increasing recognition and response to this risk also create heightened regulatory and stakeholder expectations on Westpac. We may be exposed to social and human rights risks through our products and services, operations and supply chain. Failure to identify and manage these risks may cause, contribute to, or be directly linked to adverse social and human rights impacts. This includes the risk that we provide services to, or rely on services provided by, parties involved in human rights abuses or criminal activity. There is also the potential exploitation of our platforms and products for illicit purposes. Our ability to identify, assess, and mitigate these risks may be constrained by a range of factors including the increasing sophistication of perpetrators. Data used to assess and manage climate, and other sustainability-related risks continues to mature. Reliance on third party data (which may not be sufficiently available or reliable), may affect our decision making, target setting and reporting, and affect our ability to meet our targets and commitments. Associated risks may increase where disclosure of additional data is required by mandatory reporting. Actual or perceived failure to adapt our strategy, governance, procedures, systems and/or controls to manage or disclose climate and other sustainability-related risks and opportunities (including, for example, perceived misstatement of, or failure to adequately implement or meet, sustainability claims, commitments and/or targets) may give rise to business, reputational, legal and regulatory risks. This includes financial and credit risks that may impact our profitability and outlook, and the risk of regulatory action or litigation (including class actions) against us and/or our customers. We may also be subject, from time to time, to legal and business challenges due to actions instituted by activist or other groups. For example, our financing of businesses that are perceived to be more correlated with climate-related risks and/or that are considered not to be managing these issues responsibly have received feedback from some stakeholders and attracted scrutiny from activists. Scrutiny from regulators, shareholders, activists and other stakeholders on climate-related risk management practices, lending policies, targets and commitments, and other sustainability products, claims and marketing practices will likely remain high. Applicable legal and regulatory regimes, policies, and reporting and other standards are also evolving. For example, in Australia and New Zealand, mandatory climate reporting has been introduced, and there is an increased compliance and enforcement focus by ASIC and the ACCC on a range of issues related to sustainability and sustainable finance, along with the monitoring/investigation of related claims. All of this increases compliance, legal and regulatory risks, and costs. For further detail on the identification, assessment and management of these risks, please refer to the 2025 Sustainability Report, and the Creating Value for the Community, Creating Value for the Environment and Risk Management sections of the 2025 Annual Report. The failure to comply with financial crime obligations has had, and could have further, adverse effects on our business and reputation - Financial crime risk - Bribery and corruption - Tax evasion - Money laundering and terrorism financing - Economic and trade sanctions The Group is subject to a range of financial crime laws across its jurisdictions, including anti-money laundering and counter-terrorism financing (AML/CTF), anti-bribery and corruption, economic and trade sanctions and tax transparency (collectively, Financial Crime Laws). Financial Crime Laws are complex and impose a diverse range of obligations elevating regulatory, operational and compliance risks. In certain jurisdictions (e.g. the Pacific region), financial crime risks are elevated beyond the Group’s risk appetite requiring an appropriate action plan to reduce risk, and to return within appetite. The Group must comply with a range of reporting obligations under the Financial Crime Laws, including international funds transfer instructions, threshold transaction reports, suspicious matter reports, Foreign Account Tax Compliance

RISK FACTORS 9 Act (FATCA) and Common Reporting Standard (CRS) reports. The Group must also ensure that we know who our customers are and that we have appropriate ongoing customer due diligence in place. The failure to comply with Financial Crime Laws has had, and in the future could potentially have, adverse impacts for the Group. The Group operates in a constantly evolving landscape, particularly with ongoing legislative reform impacting Financial Crime Laws, emergence of new payment technologies, increased regulatory focus on digital assets, and increasing use of economic and trade sanctions to manage issues of international concern. These developments may require updates to the Group’s systems, policies, processes and controls to manage emerging financial crime risks for the Group, including scams, fraud and technology-enabled crime. The Australian AML/CTF reforms, due to their scale and complexity, will require a multi-year implementation program involving complex technology, policy and control framework updates. The Group is actively engaging with AUSTRAC and is progressing the development of a phased implementation plan. However, implementation risk remains elevated due to the breadth of change and complexity involved. The industry (including Westpac) has challenges meeting the legislation’s effective date of 31 March 2026. Notwithstanding AUSTRAC’s acknowledgement of this and its published regulatory expectations noting that AUSTRAC does not expect immediate compliance, there is a risk that our implementation program or timeframes will not be adequate. Compliance with financial crime obligations remains a regulatory priority. Regulators globally continue to investigate and take enforcement actions for identified non-compliance, often seeking significant penalties. Given the scale and complexity of the Group’s operations, undetected failures or ineffective implementation, monitoring or remediation of a system, policy, process or control (including a regulatory reporting obligation) has resulted, and could in the future result, in a significant number of breaches of AML/CTF or other Financial Crime Laws, which could lead to significant financial penalties and other adverse impacts for the Group, such as reputational damage and litigation risk. While the Group has systems, policies, processes and controls in place designed to manage its financial crime obligations (including reporting obligations), these have not always been, and may not in the future always be, effective, due to reasons such as control deficiencies, technology failures or changes in financial crime risks or typologies. Our analysis, reviews and regulatory feedback, have highlighted that our systems, policies, processes and controls are not always operating satisfactorily in a number of respects and require improvement. The Group continues to have an increased focus on financial crime risk management and, as such, further issues requiring attention have been identified and may continue to emerge. Although the Group provides updates to various regulators on its remediation and other program activities, there is no assurance that those or other regulators will agree that its remediation and program update activities will be adequate or effectively enhance the Group’s compliance programs. Failure to comply with financial crime obligations has resulted, and could in the future result, in significant regulatory enforcement actions, reputational risks and other consequences as detailed in other sections of the 2025 Risk Factors. There is additional information on financial crime matters in the Significant Developments section in the 2025 Annual Report. Reputational damage has harmed, and could in the future harm, our business and prospects - Reputational and sustainability risk - Negative customer outcomes We face reputational risk where our plans, processes, performance and behaviours differ from the expectations, beliefs and perceptions of our stakeholders. Our actions, inactions or associations (or those of our customers, employees, suppliers, contractors, agents, authorised representatives, credit representatives, joint-venture partners, strategic partners or other counterparties) could result in reputational damage when they cause, or are perceived to cause, a negative outcome for customers, shareholders, the community or other stakeholders. This could arise from, for example, failure or perceived failure to adequately monitor, prevent or respond to community, environmental, social and ethical issues or expectations or failure to comply with regulatory requirements or expectations. We are also exposed to contagion risk from incidents in (or affecting) other financial institutions and/or the financial sector more broadly (e.g. issues affecting the cash-in-transit industry and the potential for disruption to the availability of cash, as well as flow on consequences including runs on cash) as well as from others whom we may have relationships with. Failure, or perceived failure, to address issues that could or do give rise to reputational risk, has created, and could in the future create, additional legal risk, including regulatory investigations, regulatory enforcement actions, fines and penalties or litigation or other actions brought by third parties (including class actions), and the requirement to remediate and compensate customers, including prospective customers, investors and the market. It could also result in losing customers or restricting our ability to efficiently access capital markets. This could adversely affect our business, prospects, financial performance or financial condition.

10 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS We have and could suffer losses due to litigation - Compliance and conduct risk - Enforcement action - Litigation - Class actions - Substantial fines and penalties Litigation has been, and could in the future be, commenced against us by a range of plaintiffs, such as customers, shareholders, employees, suppliers, counterparties, activists, receivers and regulators and may, either individually or in aggregate, adversely affect the Group’s business, operations, prospects, reputation or financial condition. There could be a range of reasons for litigation, including allegations relating to failure to comply with contractual, legal or regulatory requirements. Recently, there has been an increase in class action proceedings in the broader market, many of which have resulted in significant monetary settlements. The risk of class actions has been heightened by a number of factors, including regulatory enforcement actions and willingness by regulators to commence proceedings, increased regulatory investigations and inquiries, media scrutiny, increased prospect of regulatory reforms (including those that may eliminate any actual or perceived barriers to such litigation), and the growth of third party litigation funding. Class actions commenced against competitors could also lead to similar proceedings against us and may also impact attitudes of counterparties to Westpac proceedings or Westpac’s standing more broadly. There has also been an increase in proceedings related to third party scams and fraud activity, and the bank has been and may be joined to such proceedings, and an increase in shareholder derivative actions. Activism strategies directed at financial institutions, particularly related to climate change, sustainability, diversity equity and inclusion initiatives and energy transition, have also increased globally in recent years. These strategies may involve litigation to highlight issues, enforce legal or regulatory standards, or influence the target’s operations and activities. We are currently, and may continue to be, exposed to such litigation and/or activist strategies. Litigation is subject to many uncertainties, and the outcome may not be predicted accurately. Furthermore, the Group’s ability to respond to and defend litigation may be adversely affected by inadequate record keeping. The Group’s ability to settle litigation on reasonable terms will be affected by attitudes of counterparties. Costs will be incurred associated with managing, responding to and/or defending litigation. Depending on the outcome of any litigation, the Group has been, and may in the future be, required to comply with broad court orders, including compliance orders, adverse publicity orders, enforcement orders or otherwise pay significant damages, fines, penalties or legal costs. The actual amount paid following a settlement or determination by a Court for any legal proceedings may be materially higher or lower than any relevant provision (where applicable) or that any contingent liability may be larger than anticipated. There is also a risk that additional litigation or contingent liabilities arise, all of which could adversely affect our business, prospects, reputation, financial performance or financial condition. There is additional information on certain legal proceedings that may affect the Group in Note 25 to the financial statements in the 2025 Annual Report. We are exposed to adverse funding market conditions - Market risk - Volatility and disruption - Funding and liquidity risk - Credit risk We rely on deposits and global funding markets to fund our business and source liquidity. Our funding costs are subject to funding market and general economic and geopolitical conditions, in addition to our credit profile. Funding market conditions, and the behaviour of market participants, can shift significantly over very short periods of time, resulting in extreme volatility, disruption and decreased liquidity. The main risks we face relate to reduced market confidence, market access, appetite for exposure to Westpac; increased cost of funding; and impacts from deterioration in macroeconomic conditions. Additionally, shifts in investment preferences could result in deposit withdrawals, increasing our reliance on other funding sources. These other sources may offer lower levels of liquidity at higher costs. If market conditions deteriorate due to economic, political, regulatory, or other reasons (including those idiosyncratic to Westpac), there may be a loss of confidence in bank deposits, leading to unexpected withdrawals. These events can transpire quickly and be exacerbated by information transmission on social media. This could increase funding costs, constrain our liquidity, funding and lending activities and threaten our financial solvency. In such events, even robust levels of capital may not be sufficient to safeguard Westpac against detrimental loss of funding. If our current sources of funding become insufficient, we may need to seek alternatives, subject to market conditions, our credit ratings, reputation and confidence issues, and market capacity. These alternatives may be more expensive or on unfavourable terms. If we are unable to source appropriate funding, we may be forced to reduce or suspend

RISK FACTORS 11 business activities (e.g. lending) or operate with smaller liquidity buffers. If we are unable to source funding or generate liquidity for an extended period, we may not be able to pay our debts as and when they fall due or meet other contractual obligations. These outcomes may adversely affect our financial performance, liquidity, capital resources or financial condition. We also enter into collateralised derivative obligations, which may require us to post additional collateral based on market movements. This has the potential to adversely affect our liquidity or ability to use derivatives to hedge interest rate, currency and other financial risks. We could be adversely affected by the risk of inadequate capital levels - Capital adequacy - Capital risk - Regulatory capital requirements The Group is subject to the risk of an inadequate level or composition of capital to support business activities, meet regulatory capital requirements under normal or stressed conditions, and to maintain our solvency. Even robust levels of capital may not be sufficient to ensure our ongoing sustainability in the event of a bank run, where depositors quickly withdraw funds because of concerns about bank failure. Our capital levels are determined by regulation and risk appetite and informed by stress testing. We establish buffers on regulatory requirements to maintain capital adequacy during stressed periods by considering factors such as our balance sheet, forecasts, portfolio mix, potential capital headwinds (including real estate valuations, inflation and rising interest rates) and stressed outcomes. Stress testing models and assumptions may or may not accurately predict the nature and magnitude of particular stress events. The macroeconomic environment, stressed conditions and/or regulatory framework could result in a material increase to risk weighted assets, impact our capital adequacy, trigger capital distribution constraints, threaten our financial viability and/or require a highly dilutive capital raise. Capital distribution constraints apply when an ADI’s CET1 Capital ratio is within the prudential capital buffer range (consisting of the Capital Conservation Buffer plus any Countercyclical Capital Buffer). Such constraints could impact future dividends and distributions on Additional Tier 1 (AT1) capital instruments, noting APRA’s intention to phase out AT1 capital instruments effective 1 January 2027. Should AT1 and Tier 2 capital securities that we have issued be converted into ordinary shares (for example where our CET1 ratio falls below a certain level or APRA determines we would become non-viable without conversion of capital instruments or equivalent support), this could significantly dilute the value of existing ordinary shares. See further discussion in the Significant Developments section in the 2025 Annual Report. Our business is substantially dependent on the Australian and New Zealand economies, and could be adversely affected by a material downturn or shock to these economies or other financial systems - Strategic risk - Macroeconomic risks - Market disruption - Domestic and international economic conditions - Geopolitical risks - Credit risk Our revenues and earnings are dependent on domestic and international economic activity, business conditions and the level of financial services our customers require. Most of our business is conducted in Australia and New Zealand so our performance is influenced by the level and cyclical nature of activity in these countries. The financial services industry and capital markets have been, and may continue to be, adversely affected by volatility, global economic conditions (including inflation and rising interest rates), external events, geopolitical instability, political developments, cyberattacks or a major systemic shock. Market and economic disruptions (or the possibility of interest rates remaining higher for longer than anticipated) could cause consumer and business spending to decrease, unemployment to rise, demand for our products and services to decline and credit losses to increase, thereby reducing our earnings. These events could undermine confidence in the financial system, reduce liquidity, impair access to funding and adversely affect our customers and counterparties. Conversely, an environment with falling interest rates could reduce margins and impact earnings. Given Australia’s reliance on exports, a slowdown in economic growth or change in policy settings of Australia’s major trading partners, which may be caused by their foreign policies (including the adoption of protectionist trade measures such as tariffs or sanctions) could negatively impact the Australian economy. This could result in reduced demand for our products and services and affect supply chains, the level of economic activity and the ability of our borrowers to repay their loans. The nature and consequences of any such events are difficult to predict but each of these factors could adversely affect our business, prospects, financial performance or financial condition.

12 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS Declines in asset markets could adversely affect our operations or profitability and an increase in impairments and provisioning could adversely affect our financial performance or financial condition - Market risk - Decline in asset values - Impairments - Credit risk Declines in asset markets, including equity, bond, interest rates, foreign exchange, commodities and property markets, have adversely affected, and could in the future adversely affect, our operations and profitability. Declining asset prices including as a result of changes in fiscal or monetary policies or changes in legislation, could also impact customers and counterparties and the value of security (including residential and commercial property) we hold. This may impact our ability to recover amounts owing to us if customers or counterparties default. It may also affect our impairment charges and provisions, in turn impacting our financial performance, financial condition and capital levels. Declining asset prices could also impact our wealth management business as its earnings partly depend on fees based on the value of securities and/or assets held or managed. Credit risk may arise from foreign exchange restrictions or nationalisation of borrowers, which could impair asset values or repayment capacity in offshore jurisdictions. Credit risk also arises from potential counterparty default in derivative, clearing and settlement contracts we enter into. Such risk may also arise from our dealings in, and holdings of, debt securities issued by other institutions, government agencies or sovereigns, the financial conditions of which may be affected to varying degrees by economic conditions in global financial markets. We establish provisions for credit impairment based on accounting and regulatory standards using current information and our expectations. If economic conditions deteriorate beyond our expectations, some customers and/or counterparties could experience higher financial stress, leading to an increase in impairments, defaults and write-offs, and higher provisioning beyond current modelled outcomes. Changes in regulatory expectations or requirements in relation to the treatment of customers, for example in hardship, could lead to increased impairments and/or higher provisioning. Such events could adversely affect our liquidity, capital resources, financial performance or financial condition. We could be adversely affected by the failure to maintain our credit ratings - Availability of funding - Cost of funding - Downgrade Credit ratings are independent opinions on our creditworthiness. Our credit ratings can affect the cost and availability of our funding and may be important to investors, certain institutional customers and counterparties when evaluating their investments in the Group, our products and services. A rating downgrade could be driven by a downgrade of Australia’s sovereign credit rating, a material weakening in our financial performance, or one or more of the risks identified in the 2025 Risk Factors or by other events including regulatory changes or changes to the methodologies rating agencies use to determine credit ratings. A credit rating or rating outlook could be downgraded or revised where credit rating agencies believe there is a very high level of uncertainty on the impact to key rating factors from a significant event. A downgrade to our credit ratings could adversely affect our cost of funds, collateral requirements, liquidity, competitive position, our access to capital markets and our financial stability. The extent and nature of these impacts would depend on various factors, including the extent of any rating change, differences across agencies (split ratings) and whether competitors or the sector are also impacted. We face intense competition in all aspects of our business - Margins - Regulatory scrutiny - Strategic risk - New entrants The financial services industry is highly competitive, with a range of firms, including retail and commercial banks, investment banks, other financial service companies, fintech companies and businesses in other industries with financial services aspirations (including those who are not subject to the same capital and regulatory requirements or who derive substantial revenue from other markets, which may allow them to operate more flexibly and with lower costs of funds). Emerging competitors are also increasingly altering the competitive environment by adopting new business models or seeking to use new technologies to disrupt existing business models.

RISK FACTORS 13 Increased scrutiny by regulators in the sector and other legislative reforms may also change the competitive environment by stimulating competition and improving customer choice. It may also prompt increased competition from new and existing firms. Competition in the various markets we operate in has led, and may continue to lead, to a decline in our margins or market share. Deposits fund a significant portion of our balance sheet and have been a relatively stable source of funding. If we fail to successfully compete for deposits, we may face increased funding costs, leading us to seek access to other types of funding, or result in reduced lending. Our ability to compete depends on our ability to offer products and services that attract and retain customers and meet their evolving preferences and expectations. Failure to adapt could result in lost customers, which could negatively impact our business, prospects, financial performance or financial condition. For more detail refer to the Operating Environment section in the 2025 Annual Report. We have suffered, and could continue to suffer, losses due to operational risk - Operational risk - Change execution - Records management - Ineffective processes and controls - Fraud and scams - Third parties - AI - UNITE program Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes, among other things, model, data, operations, change execution and third party risks. While we have policies, processes and controls to manage these risks, they have not always been, or may not be, effective. Ineffective processes and controls (including those of contractors, agents, authorised representatives, credit representatives, customers, trustees, brokers, independent financial advisors and other third parties, or inadequate monitoring, supervision and oversight of their activities or of our employees’ activities) have resulted in, and could continue to result in, adverse outcomes (including financial or otherwise) for Westpac, our customers, trustees, employees or other third parties. Operational breakdowns can occur if measures are implemented too quickly (including without sufficient validation), or not quickly enough, in response to external events, potentially leading to financial losses, customer remediation, regulatory scrutiny and intervention, fines, penalties and capital overlays and, depending on the nature of the failure, litigation, including class action proceedings. Examples of operational risks include: • Fraud and scams. We have incurred, and could in the future incur, losses from fraud and scams, including fraudulent applications for loans, products or services (including misrepresentations by customers (or their representatives) or brokers), incorrect or fraudulent payments or (mis)conduct (including through the use of platforms, funds, portfolios or accounts to commit investment scams or frauds, whether or not as a result of unauthorised access to our systems or our customer accounts), and misuse of accounts by money mules. Our representatives, such as our employees, may be involved including knowingly or unknowingly. Such losses, including the potential for additional customer or other third party compensation, increased levies and financial penalties (including for non-compliance), could increase significantly due to regulatory change. This includes if the Group does not adhere to obligations set out in or further to the Scams Prevention Framework within the Competition and Consumer Act 2010 (Cth), which was introduced by the Scams Prevention Framework Act 2025 (Cth). Fraudulent conduct can also arise where identification records are compromised due to third party cybersecurity events. Our risks are heightened by real-time transaction capability, and we are also exposed to contagion risk from incidents affecting other organisations. If systems, procedures and protocols for preventing and managing fraud, scams or improper access (including for improper or non-compliant purposes) to our systems and customer accounts fail, or are inadequate or ineffective, they could lead to losses which could adversely affect Westpac, our customers, business, prospects, reputation, financial performance or financial condition. Regulatory and compliance requirements can impede the ability to swiftly identify or respond to a fraud or scam, or to communicate with affected parties. • Records management. A failure to adequately implement and monitor effective records management policies and processes could impact our ability to safeguard information, locate records, respond to regulatory notices, conduct remediation, and meet record retention, protection and destruction obligations. Where there are inadequacies in implementation of the records management lifecycle in our systems or embedding records management across the Group, these risks are further heightened. Where records are not adequately protected or retained for longer than required this could increase the impacts of cyber and privacy incidents such as data breaches.

14 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS • Artificial Intelligence (AI). As AI adoption to support our customers and business increases, we may become more exposed to risks associated with the use of this technology, such as lack of transparency, over-reliance on a limited number of vendors, inaccurate data input, unintentional bias, breaches of confidentiality and privacy obligations, inaccurate or opaque outputs and unexplainable decisions, amplifications of biases or other unintended consequences that are inconsistent with our policies or values. In addition, failure or delays in adopting AI could lead to competitive disadvantages or otherwise not leveraging capability that could support management of risk or improve customer outcomes. Leveraging AI could have financial, regulatory, conduct, reputational and customer impacts. • Third party. We rely on third parties, both in Australia and overseas, to provide services to us and our customers. Failures by these third parties, including our authorised representatives and credit representatives, to deliver services as required and in accordance with law, regulation and regulatory expectations could disrupt our ability to provide products and services and adversely impact our customers, operations, financial performance or reputation. For example, we rely on third parties to provide cash transport, handling and storage services. Reduced demand for cash, disruptions or other issues (including legal or regulatory changes, litigation, claims, industrial action or the viability or solvency of providers) impacting the cash-in-transit (CIT) industry, exposes us to operational risk including loss of (or delays in accessing) significant amounts of cash held by CIT providers on our behalf (this risk is exacerbated for us as we currently provide commercial cash distribution for the industry under an arrangement with one key industry participant which terminates in July 2026), reduced availability of cash in the system generally (which could lead to a run on cash), potential increased costs (for example, to enable us/third party providers to meet legal or regulatory requirements), and related consequences where we or our customers suffer loss or damage due to disruptions to CIT services. • Change execution. We face risks in delivering technology and other change programs (such as our UNITE program), including that a change program fails to deliver the desired outcomes, or fails to reduce, pre-empt, mitigate and manage the challenges associated with transformation delivery. If our technology systems or financial infrastructure do not operate correctly, this may also cause loss or damage to us or our customers. This can also arise from complexities in our systems, and the interaction between those systems. This could include, for example, where systems issues result in incorrect fees or charges being applied to customers, or other poor customer outcomes. All these issues could potentially lead to transfer risks, cost and time overruns, business disruptions and delays, product governance failures, technology challenges, financial losses, customer remediation and retention issues, regulatory scrutiny and intervention, capital overlays and litigation. • Insurance coverage. There is a risk that we will not be able to obtain and/or have not obtained appropriate insurance coverage for the risks that we may be exposed to. This could be due to lack of available or adequate insurance, an increase in the cost of insurance, or failure of the insurance underwriter. If an insurance policy is not available or does not respond to a loss, we will not have the ability to recover such loss from an insurance policy. We could suffer losses due to market volatility - Market risk - Geopolitical risks - Volatility and disruption - Credit risk Market risk is the risk of an adverse impact on the Group’s financial performance, financial position, capital and liquidity, resulting from changes in market factors, such as foreign exchange rates, commodity prices, credit spreads and interest rates. Market risk is present in both banking book and trading book. We are exposed to market risk due to our financial markets businesses, asset and liability management, our holdings in liquid asset securities, dependence on accessing capital markets and our defined benefit plan. Changes in market factors could be driven by a variety of developments including economic disruption, geopolitical events, trade tensions, market liquidity or concerns relating to major market participants or sectors. The resulting market volatility could potentially lead to losses and may adversely affect our financial performance and capital position. As a financial intermediary, we underwrite listed and unlisted debt securities. We could suffer losses if we fail to syndicate or sell down this risk to others. This risk is more pronounced in times of heightened market volatility. Poor data quality could adversely affect our business and operations - Operational risk - Data quality - Poor customer and risk outcomes Having accurate, complete and reliable data, supported by appropriate data controls, retention and, destruction methods and access to internal frameworks and processes, is critical to the effective operation of our businesses. Data plays a key role in determining how we provide products and services to customers, the effectiveness of our systems and risk management frameworks, strategic planning and our ability to make effective decisions.

RISK FACTORS 15 Some of our businesses are, and may continue to be, affected by poor data quality and/or limited data availability due to a number of factors, including inadequacies across systems, processes and policies, or ineffectively implemented data management frameworks. This could lead to poor customer service outcomes, adverse risk management outcomes, deficient system outputs and processes. This is because data quality inadequacies render such data unreliable to assist in making informed business decisions. Deficiencies with internal systems and processes could negatively impact our decision-making in areas such as the provision of credit to a customer, and the terms on which a credit facility is provided. The production of accurate data is also critical for other functions across the Group, such as financial and other reporting (internal and external). Poor data quality and availability impacts our ability to effectively monitor and manage operations across the Group, comply with production notices, respond to regulatory notices, defend and respond to litigation and conduct remediation activities. Conflicting data retention or destruction obligations may increase such risks. Poor data and/or poor data retention/destruction methods and deficient controls that result in control gaps and weaknesses could negatively impact our ability to meet compliance obligations (including regulatory reporting obligations). Previously, this has led to regulatory investigations or adverse findings and actions against the Group, and such risks remain if we fail to maintain an acceptable level of data quality and effective oversight practices. Our data related frameworks and processes must be continuously reviewed, and improved where required, to ensure our data quality and data management practices remain relevant, fit for purpose and sustainable. This is because outdated or unsustainable practices may lead to inefficient data management practices and/or poor quality data. Potential consequences from holding poor quality data and/or having poor data oversight and controls include adverse impacts to the Group’s ability to effectively operate our existing businesses, securing prospective business from third parties, and our reputation, financial performance and financial condition. Certain strategic decisions may have adverse effects on our business - Strategic risk - Warranties and indemnities - Divestments and acquisitions - Implementation risk We evaluate and implement strategic decisions, priorities and objectives including opportunities to simplify or streamline, diversify or innovate our business or products. These activities can be complex, costly and may not proceed as planned. For example, we may experience difficulties completing certain transactions, separating or integrating businesses in the scheduled timeframe or at all, disruptions to operations, diversion of management resources or higher than expected transaction costs, impacts on third parties, and there may be differing market views about a strategic choice, which may cause reputational damage. Any failure to successfully divest businesses may expose us to higher operating costs and higher inherent risks in those businesses. Decisions to retain businesses may also expose us to the higher inherent risks in those businesses. For example, our Pacific businesses face several risks including heightened operational, sovereign, financial crime and exchange control risks which could adversely affect our customers, business, prospects, reputation, financial performance or financial condition. In divesting businesses, we have given (and could in future divestments give) warranties and indemnities in favour of counterparties relating to certain pre-completion matters and certain other commitments, including in relation to transitional services. These could result in a liability to make significant payments to these counterparties while these obligations remain on foot. To manage risks related to conduct and customer redress associated with divestments, we hold additional operational risk capital pursuant to APRA’s published guidance. These contingent liabilities are described in Note 25 to the financial statements in the 2025 Annual Report. Acquiring and investing in businesses also carries risks and costs, including underperformance, assumption of unknown and unaccounted for liabilities, regulatory risks or overvaluation of a target business. Operational, cultural, governance, compliance and risk appetite differences between us and an acquired business may lead to longer and costlier integration. Internal factors, for example, inadequate funding, resourcing, business capabilities or operating model, or failing to identify, understand or respond effectively to changes in the external business environment, including economic, geopolitical, regulatory, consumer sentiment, technological, environmental, social and competitive factors, may hinder successful strategy implementation. This could adversely affect us, including our ability to increase or maintain market share or resulting pressure on margins and fees. These risks could negatively impact our business, growth prospects, reputation, engagement with regulators, financial performance or financial condition.

16 WESTPAC GROUP 2025 RISK FACTORS RISK FACTORS Other risks • Failure to recruit and retain key executives, employees and Directors with appropriate skills and qualifications may have an adverse effect on our business, prospects, reputation, financial performance or financial condition. Macro-environmental factors including unemployment rates, migration levels and the level of competition in the talent market may also have an adverse impact on attracting specialist skills for the Group. In particular, attracting and retaining employees with skills and experience in technology related fields – such as cyber security and artificial intelligence – is critical in the coming years. • Changes to the critical accounting assumptions and estimates (outlined in Note 1 to the financial statements in the 2025 Annual Report) could expose the Group to losses greater than those anticipated or recognised, which could adversely affect our financial performance, financial condition and reputation.

WESTPAC.COM.AU