The fallout from Westpac’s 23 million alleged breaches of anti-money-laundering laws has plunged the bank into crisis and rocked the financial sector. The allegations are outlined in a statement of claim that the financial intelligence agency, Austrac, has lodged in the Federal Court.
The number of alleged breaches leaves the Commonwealth Bank’s run-in with the regulator in late 2017, where it was fined $700 million for clocking 53,506 breaches related to its uncapped cash-deposit machines, paling into insignificance.
Recent headlines were dominated by allegations that some breaches caused the bank to facilitate child abuse in the Philippines – a revelation that drew searing condemnation from Prime Minister Scott Morrison down.
The scandal has claimed the scalps of now-ousted chief executive Brian Hartzer and chairman Lindsay Maxsted – and calls continue for more blood at the board level.
Meanwhile, Westpac’s annual general meeting is set for December 12: an independent review into accountability at the bank is underway, shareholder class-action lawyers are circling, and the size of the fine imposed by the regulator is yet to be revealed.
How could so many transactions escape the bank’s notice? What does the law say that a bank has to keep track of? And what does the scandal mean for other banks?
What does the law say a bank has to monitor?
Record-keeping, reporting and customer identification are at the heart of a bank’s compliance obligations. Organised and automatic systems are central to ensuring this is done effectively.
If something goes wrong in this process, it quickly gets out of hand, “multiplying out of sight”, says law firm Hunt & Hunt partner Richard Williams.
“The fact that with Westpac you’ve got 23 million breaches, that just shows the magnitude of the reporting obligation,” he says.
As part of a bank’s licence to operate, it must work with financial intelligence agency Austrac to help stop criminals cleaning money or financing terrorism.
Austrac was established on the heels of the 1988 Financial Transaction Reports Act for banks (and other deposit-taking institutions) to lodge reports on cash transactions over $10,000 or payments deemed suspicious.
During this time, Austrac had what Mr Williams describes as an “assistance role” with the banks – providing education and support to make sure they were complying with the law.
“And then in 2006, the Anti-Money Laundering [and Counter-Terrorism] Act came in and that imposed much broader obligations as to ‘know your customer’,” Mr Williams says.
The obligations under this Act have progressively increased over time, to the point, Mr Williams says, “The banks are now the policemen.”
Mr Williams, who has more than 25 years’ experience in financial services law, says the regulator’s approach to the job has also changed over time.
“What’s happened now is Austrac have moved from an assistance model to more of an enforcement model,” he says.
The regulator’s chief executive now has powers to issue fines for a greater range of offences and reports are required on every international transaction, no matter the size.
Making sure a bank is compliant is a costly and thankless task. “If it works, nothing happens,” Mr Williams says.
How do banks track overseas transactions?
In the recent case of Westpac, most of the 23 million breaches came from people making online purchases or receiving a pension from a foreign country. Each time money goes in or out of the country, the bank must lodge what’s called an IFTI report (International Funds Transfer Instruction report) to Austrac.
These reports are due within 10 business days and must include six key details about who sent and received the money, as well as transaction dates, identification codes and information about what the payment is for. This information might be used to help Austrac with an investigation into money laundering or terrorism financing down the track.
A key standard for international funds transfers between banks is the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system – a messaging network used by banks worldwide to send information about money being sent between countries.
But Austrac says that in various relationships with foreign banks, Westpac considered the SWIFT system costly and slow, and opted for a cheaper and quicker approach.
Owing to a technological error that apparently went undetected for years, Westpac did not report 19.5 million IFTIs to Austrac. To further complicate matters, 99 per cent of these transactions came from Citibank, a third party using Westpac to “clear” its money.
What role did Citibank play?
Citibank was revealed to be “Bank A” from Austrac’s statement of claim, making it one of four correspondent banks that used Westpac to lodge its IFTI reports.
Citi was quizzed by Labor MP Andrew Leigh during the House of Representatives standing committee on economics for its role in providing Westpac with information about the payments.
“Should you not have been more proactive in providing those full details?” Dr Leigh said.
Citi Australia’s chief executive, Marc Luet, replied: “I think clearly the responsibility for reporting on these transactions was not ours.”
Austrac is not investigating Citibank for its role. Westpac stopped providing its service to Citibank in mid-2018.
Regardless of where blame lies, which still remains to be determined, the IFTI reports either were not there or failed to meet the regulator’s requirements for complying with the law for almost five years.
Westpac says when it realised it had not properly lodged a large number of these reports, it self-reported the compliance breaches to Austrac in August 2018.
But Austrac alleges that, despite senior management being aware of “long-standing non-compliance”, they failed to make resolving the problem a priority.
Former Macquarie employee turned anti-money-laundering compliance expert Anthony Quinn says while IFTI reporting sounds complex, it should be simple.
“Regulatory compliance is all about managing data well,” he says. “And generally banks are really bad at this. That’s typically where they fall down.”
The remaining alleged breaches were related to Westpac failing to properly record the origin of international funds transfers, which occurred more than 3.5 million times.
Austrac alleges Westpac initially retained some of the required information for these transactions. “However, due to poor oversight of its data retention systems, Westpac did not retain records of this information for seven years as required,” Austrac alleges.
How do banks detect which of these transactions are suspicious?
Banks should also have a centralised system that holds and tracks client information using what are called “typologies” – a list of red flags that can be built into algorithms to automatically alert the bank to suspicious patterns of spending. This would include data collected from IFTI reports.
When a red flag is raised, the bank is required to lodge a suspicious payments report to Austrac within 24 hours.
But depending on how the data is organised, alerts can either become too broad – flooding the compliance team with notifications – or too narrow, missing important red flags.
Westpac says it did have typologies built into its low-cost international transaction service LitePay. But Austrac says the bank did not implement appropriate typologies to monitor child exploitation risks through the LitePay platform in June 2018.
LitePay was scrapped four days after Austrac’s bombshell statement of claim was filed in the Federal Court.
The agreed statement of facts between Austrac and Westpac is yet to be released. But Austrac says LitePay failed to generate a sufficient number of red flags and this enabled some of the most damning of the breaches – 12 customers, one with a prior conviction for child exploitation offences, who were able to transfer a combined total of almost $500,000 overseas.
Westpac says it filed “suspicious matter reports” to Austrac for each of the 12 customers. But Austrac says if the typologies were set up effectively, these payments should have raised more red flags.
Who is to blame?
That is the million, if not billion, dollar question.
Austrac blames an “indifference” of senior management towards compliance. It says the bank was warned about its systemic failures but was either slow to act or did nothing about it.
Westpac has launched an independent inquiry to determine who should be held accountable within the bank.
The prudential regulator, APRA, will decide whether to pursue action against Westpac under the federal government’s Banking Executive Accountability Regime (BEAR) by the end of this year.
What is the impact?
As people manage their money online more and more, banking has become almost exclusively a technology provider.
Many banks around the world are grappling with how to update their legacy mainframe systems that are so old there is hardly anyone left who understands their coding language.
The cost of keeping up with the times is immense, but we now know the cost of non-compliance can be reputational damage.
“Compliance is tightly connected to brand. Non-compliant behaviour lands your business on the front page,” says Minter Ellison lawyer turned compliance trainer Deborah Coram.
“Traditionally, compliance has been seen as a ‘check-the-box’ activity. But nowadays, that’s really not sufficient.”
Ms Coram says there needs to be a cultural change where executives are invested in the reasons behind anti-money laundering legislation, not simply ensuring its operations meet the regulator’s requirements.
She points to the raft of “regtech” (regulatory technology) businesses eager to jump in to help executives monitor compliance.
Other banks will be taking note of Westpac’s failures and anti-money-laundering compliance is likely the topic on the lips of bank executives around the country.
“Compliance as a theme for organisations, especially in the financial services sector, has increased exponentially. There is no doubt this is enormous. The burden seems to be growing not lessening,” Ms Coram says.
What’s at stake at the AGM?
The annual general meeting is the time of year where a company’s shareholders and board of directors come together to discuss the company’s performance over the duration of that year.
The shareholders get to vote on a number of key issues from re-election of board members to the company’s remuneration report.
Proxy advisers write reports informing shareholders on how to vote. Two such firms, ISS and CGI Lewis, have recommended shareholders vote against the re-election of Westpac’s longstanding board member Peter Marriott.
ISS is also advising investors to vote against Nerida Caesar’s re-election and to oppose the bank’s remuneration report, giving it an historic second strike.
A company records a strike if more than 25 per cent of shareholders vote against its remuneration report. If a company records strikes two years in a row, shareholders can then vote to spill its board under the “two strikes rule”.
Other proxy advisers, such as the Australian Council of Superannuation Investors and Ownership Matters, are telling investors to vote in favour of the remuneration report and Mr Marriott.
Shareholders have been known to vent their fury at AGMs following a banking scandal – most notably the NAB’s meeting in 2018 that came at the tail end of the scathing banking royal commission.
NAB copped the largest protest vote on executive pay in corporate history that day. Westpac’s executives will no doubt be holding their breath until the Sydney meeting is over.
Charlotte is a reporter for The Age.