An advisory panel asked to review the Westpac board’s governance of the bank’s anti-money laundering and counter-terrorism financing obligations has raised a bigger issue, questioning whether the bank’s IT is fit for purpose.
“A subsidiary question arising from this review is whether the Westpac technology platforms are best practice and what part they played in Westpac’s capacity to deal with AML/CTF obligations,” says the review.
Comprised of business heavyweights Ziggy Switkowski, Kerry Schott and Colin Carter, the panel says: “The business of banks is no longer about collecting deposits and lending to home buyers and commercial entities at a margin which provides a fair return, if it ever was, but also to accumulate , store and monitor information on every transaction and, when required by law, pass on to regulators and police for their scrutiny in search for evidence of any criminality.
“Heavy continuing investments in IT infrastructure are required.”
Yesterday, Westpac released the advisory panel report, as well as its own review into AML/CTF compliance failings raised in an Austrac statement of claim last year, and a Promontory Assurance commentary on the management review.
The bank’s review highlights insufficient understanding within the bank of AML/CTF risks, lack of clear accountability and a lack of sufficient AML/CTF expertise and resourcing.
The advisory panel review found that directors could have recognised the financial crime issues the bank was facing earlier. Reporting to the board was at times unintentionally incomplete and inaccurate.
Westpac chief executive Peter King said in a statement that while the compliance failures were serious, “the problems were faults of omission. There was no evidence of intentional wrongdoing.”
Last November, Austrac applied to the Federal Court for civil penalty orders against Westpac after finding that there was systemic non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act. Austrac alleged that Westpac contravened the Act on more than 23 million occasions over a six-year period.
Austrac’s allegations covered four broad categories: inadequate reporting of international funds transfer instructions; a failure to carry out adequate risk assessments of correspondent banks; a failure to adopt and maintain an AML/CTF program; and a failure to conduct adequate ongoing customer due diligence. The regulator also alleged inadequate oversight by the board.
Austrac’s most damning accusation was that the bank failed to carry out appropriate due diligence on transactions to the Philippines and South East Asia that had known financial indicators relating to potential child exploitation risks.
On May 15, the bank filed a defence to the claim, which admitted most of the alleged contraventions. However, the parties have not reached agreement on all issues.
The bank’s review found that its “systems, controls, processes and resources were not robust enough during the relevant period to prevent issues in the Austrac statement of claim from occurring.”
The bank’s AML/CTF risk culture was “immature and reactive”. It accepts that it did not appreciate sufficiently the depth of specialist capabilities required to manage AML/CTF risk.
Its reporting failures were the result of a combination of technology failings and human error. “For the large majority of the non-reported international funds transfer instructions, failings can be traced back to the IFTI implementation program which started in 2009, where resource constraints in the relevant technology team impacted the successful implementation of the project.”
The bank also acknowledged that it did not monitor 12 customers sufficiently to identify and manage the risk that they were involved in behaviour consistent with child exploitation.
It acknowledged that it did not have a process to identify deficiencies in its detection procedures. And it acknowledged that some of its processes and procedures fell short of the legal standard required.
When it comes to the board, the advisory panel found that financial crime was a relatively small item in a very crowded risk and compliance agenda over many years. “The ‘voice of financial crime risk’ was not loud enough, nor were the concerns that the regulator might have expressed.
In addition, the content of the information that made its way to board level was inadequate. It was sometimes misleading or information was omitted.
“We found no evidence of executives not reporting material matters they knew to the board. The failings, such as non-reported IFTIs or inadequate due diligence on correspondent banks and particular customers, occurred deep in the organisation and it is not reasonable to expect that the board should find these out.”
However, a gap developed between board engagement with AML/CTF obligations and that which was expected by Austrac.
“There is no evidence that the board suffered from a lack of readiness to ask relevant questions but sometimes let lagging improvement and risk mitigation efforts continue unchallenged for too long.”
Since 2017, there has been much greater engagement on the issue.
Among the organisational changes the banks has already made, the board has established a legal, regulatory and compliance sub-committee and created a new group executive position directly responsible for financial crime compliance.
It has made significant additional investment in financial crim processes and implemented a group-wide AML/CTF training program and board workshops.
A number of staff involved in the matter have left the banks and others have suffered “remuneration consequences”.