AML/CTF breaches due to human and technological error: Westpac

The big four bank has released the results of its investigation into the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) compliance issues raised by AUSTRAC last year, which resulted in more than 23 million alleged breaches of the law between 2013 to late 2018.

Among the most alarming revelations raised by AUSTRAC last year was that the bank failed to appropriately monitor outgoing international funds transfer instructions (IFTIs) of customers, including those which it alleged were “consistent with child exploitation typologies”.

For example, one such customer reportedly transferred money to a person who was later arrested for child trafficking and child exploitation involving live streaming of child sex shows.

The major bank has now made public the findings of its own investigation into the compliance issues, released the full Advisory Panel report into the board’s governance of AML/CTF obligations and the findings of Promontory’s accountability review.

AML/CTF risk culture was ‘immature and reactive’ 

Westpac has conceded that it failed to report approximately 19.5 million IFTIs to AUSTRAC over a six-year period, which it found was due to a mixture of both technological and human error dating back to 2009. 

The major bank outlined that, for the “large majority” of the non-reported IFTIs, failings were traced back to “resource constraints” when imparting its IFTI implementation program, which started in 2009. For example, it said that “a high turnover of staff” – including the departure of a whole team of staff that left to “join another organisation” in 2011-12 – led to the “loss of continuity and specialist knowledge”.

Moreover, Westpac revealed that the failure to properly adhere to AUSTRAC guidance for child exploitation risk in respect of some products occurred “due to deficient financial crime processes, compounded by poor individual judgements”.

Overall, Westpac said it had identified three primary causes of the AML/CTF compliance failures: 

• Some “key parts” of the bank did not have a “consistently clear understanding and appreciation of the nature of AML/CTF risk and how it should be managed and mitigated” and “did not sufficiently appreciate the depth of specialist capabilities required to manage AML/CTF risk areas”;
• There were unclear end-to-end accountabilities for managing AML/CTF compliance, meaning that the “three lines of defence model for managing risk did not always operate effectively”; and
• Westpac’s financial crime control framework did not have enough employees with “sufficient skills, expertise and experience to effectively manage AML/CTF risk”.

Advisory Panel findings

Meanwhile, the full report from the Advisory Panel was also released by Westpac, outlining that while the organisation of the board’s general governance responsibilities were “mainstream and fit for purpose”, the “voice of financial crime risk” was not loud enough. 

The report – which is generally unscathing in nature – also noted that (with the benefit of hindsight), directors could have recognised earlier the systemic nature of some of the financial crime issues Westpac was facing. However, it also found that the Board Risk and Compliance Committee (BRCC) meetings – usually around five-hours long – typically involved approximately 40 people discussing 40 agenda points, “which made engagement with every issue difficult”. 

The panel also noted that reporting to the board on financial crime matters was at times “unintentionally” incomplete and inaccurate. 

It reads: “Overall, this saga reveals that major sins were ones of omission and not of commission. AUSTRAC’s allegations against the bank include matters that were unknown at the time to the bank’s leadership.

“The failings – such as non-reported IFTIs or inadequate due diligence on correspondent banks and particular customers – occurred deep in the organisation, and it is not reasonable to expect that a board should find these out. The board relies on information flows from management, and it was the content of those flows that was poor. Information was (unintentionally) misleading and sometimes omitted.” 

It went on to state that there had been a “noticeable shift in the bank’s response to financial crime issues from around 2017 onwards” and applauded the incoming leadership’s moves to improve financial crime risk governance.

The panel made a number of recommendations, including: 

• improving end-to-end financial crime risk management processes and establishing clearer accountabilities and responsibilties for AML/CTF compliance;
• rebuilding the relationship with AUSTRAC;
• benchmarking and learning from global best practice;
• reviewing the way in which the board monitors and scores against its conformity to AML/CTF obligations; and
• accelerating Westpac’s broader culture, governance and accountability work. 

Westpac said it has accepted these recommendations and has “ensured they are captured in its remediation program of work”.

‘Absolutely committed to making amends’

Westpac chairman John McFarlane commented: “It’s been my experience, since joining the bank, that Westpac deeply regrets this matter. Indeed, recognising the seriousness of the issues raised by AUSTRAC, the former CEO stepped down and the former chairman brought forward his retirement. 

“We are all committed to fixing these issues so they don’t happen again.” 

He added: “We accept the recommendations of the Advisory Panel report, and we are implementing them as part of the remediation plan, which is already well advanced. 

“We will have no tolerance for controllable negative events. Our transformation program has begun and will bring deep cultural change,” Mr McFarlane said.

Westpac CEO Peter King emphasised that many people responsible for the issues of the past had already left the company, while “significant remuneration impacts” were applied to 38 individuals, among other disciplinary actions.

However, Mr King added: “While the compliance failures were serious, the problems were faults of omission. There was no evidence of intentional wrongdoing.” 

Mr King also acknowledged the need for cultural change within the bank. “We recognise we need to change. We completely accept that some important aspects of Westpac’s financial crime risk culture were immature and reactive, and we failed to build sufficient capacity and experience in some important areas,” Mr King said. 

“We have learned from this and are absolutely committed to making amends for this event.” 

While Westpac and AUSTRAC have been working on the issues raised, the two parties have been unable to reach agreement on all issues raised by AUSTRAC and some aspects of the dispute are continuing through federal court. 

No trial date has yet been set. However, last month, the major bank filed its defence to AUSTRAC’s claims that it had breached AML/CTF obligations, stating it “accepts the gravity” of the claims and admitting several breaches. It has already made provisions for a $900-million penalty in its AUSTRAC case.

The bank has also recently revised and restructured its regulatory reporting standards and processes, overhauled its executive (including appointing a new chairman and CEO), appointed a new group executive, financial crime, compliance and conduct, and established a Legal, Regulatory and Compliance sub-committee on the board to oversee financial crime, regulatory and legal matters, customer remediation, compliance and conduct management. 

In April 2020, the bank board determined the CEO and the group executives would not receive any short-term variable reward in FY20 in recognition of “the importance of collective executive accountability”. This is valued at approximately $6.9 million.

[Related: Major bank ‘accepts the gravity’ of AUSTRAC claim]