06 Dec 2019
As the fallout from Westpac’s massive money-laundering scandal continues, compliance officers would be well advised to spend some time reviewing how the bank’s troubles began.
For that, we can turn to AUSTRAC’s recent civil action against the lender alleging over 23-million breaches of domestic AML/CTF legislation, each carrying a maximum fine of A$21 million (£11 million). The largest set of infringements were related to the failure to report over 19.5-million international funds transfers totalling A$11 billion, whilst the bank also failed to retain records and perform enhanced due diligence on correspondent banks with links to high-risk jurisdictions, including Iraq, Ukraine and Zimbabwe. Australia’s second-largest bank has also drawn ire for potentially providing services used in the exploitation of children in South East Asia and the Philippines.
To understand what lessons might be gleaned from Westpac’s infractions, we must first look at what the bank did wrong.
Failure to report international funds transfers
Under Australian law, banks must inform AUSTRAC of the details of all incoming and outgoing international funds transfers within 10 business days of the transfer taking place. Between November 2013 and September 2018, Westpac failed to disclose 19.4 million incoming international funds transfers originating from four correspondent banks. These transfers represented total receipts of A$11 billion and comprised 72% of all incoming international funds transfers during the period. Westpac subsequently reported the relevant details of these transfers between October 2018 and September 2019.
Between October 2016 and November 2018, Westpac failed to report an additional 61,700 incoming funds transfers totalling A$100 million under arrangements it had with another institution. The lender subsequently reported the transactions between March and September 2019. Over 10,000 outgoing international funds transfers, valued at A$707 million, were processed between November 2013 and February 2019 but went unreported until October of this year.
AUSTRAC separately noted that Westpac failed to share information on 2,314 outgoing international funds transfers processed between February 2017 and June 2019 by its interbank payment protocol, LitePay, which was intended to serve as a low-cost alternative to the SWIFT platform.
Origins of international funds transfers
Australian law also obligates banks that process electronic funds transfer instructions to include details of the origin of the transferred funds before they are sent to another financial institution. Between 2014 and 2019, Westpac issued 10,521 international funds transfers representing A$694 million through one of its correspondent banks without the relevant details accompanying the transfer instruction. These omissions prevented an international financial institution from properly managing its own ML/TF risks.
Westpac also failed to retain records of the origin of incoming international funds transfers for the required seven years. From January 2011, Westpac received 3.5 million incoming international funds transfers which were forwarded to other Australian banks for payment. Although Westpac originally retained the unique reference number created by its correspondent banks for each transaction, a majority of those records were deleted in 2011 and 2012 due to poor oversight of its data-retention systems.
Correspondent banking lapses
Even worse for the Australian lender, Westpac compliance staff did not conduct initial risk assessments on each of its correspondent banking relationships. Consequently, the bank failed to consider well-known and documented higher risks associated with these relationships, such as correspondent banks having nested relationships, payable-through accounts or involvement with sanctioned countries. In those cases where it had limited or no visibility on the origin of incoming international funds or their purposes, Westpac failed to identify and assess the ML/TF risks of these information gaps. In some cases, the lender did not assess the geographic compliance risks of countries. In the aggregate, according to Westpac, these shortcomings led to Westpac’s inability to fully assess appropriate risk mitigation factors.
For those correspondent bank relationships that involved higher ML/TF risk factors, Westpac was required to conduct enhanced due diligence. Yet Westpac did not regularly review its ongoing business relationships with other financial institutions, including the products and customer base of the bank in question, the types and volumes of transactions and any changes in the relationship. Nor did Westpac assess, on a regular basis, the adequacy of the financial crime controls of those banks, according to AUSTRAC. More specifically, the Australian lender failed to implement effective automated monitoring of the nostro account, failed to monitor the sale of new products or services to those banks and did not adopt processes to identify where its correspondent banks executed transactions on behalf of payment processors, remitters or sanctioned entities. Additionally, Westpac failed to consider and assess the extent to which its correspondent banks had adequate controls to mitigate known higher ML/TF risks, such as nested arrangements, payable-through accounts and relationships with higher-risk and sanctioned customers.
These compliance violations were exacerbated because a number of its correspondent banks disclosed to Westpac that they had their own correspondent banking relationships with institutions located in higher-risk jurisdictions including Iraq, Lebanon, Zimbabwe and the Democratic Republic of Congo. Some of the correspondent banks that disclosed such relationships had themselves been fined by regulators for sanctions or AML/CTF breaches arising from poor controls. Westpac, through such failings, potentially exposed the Australian payment system to access by higher-risk and sanctioned countries.
Inadequate AML/CTF Programme
Westpac had a legal obligation to design and implement a CTF/AML Programme with an objective of identifying, mitigating and managing the ML/TF risks it reasonably faced in providing services. In particular, it had to regularly assess the risks that its services and their respective delivery channels posed, it had to implement a risk-based transaction monitoring process and identify suspicious transactions, and it had to ensure that all relevant details of international funds transfers were reported to AUSTRAC within the specified deadline. In its civil action, AUSTRAC noted that Westpac continues to have an inadequate AML/CTF programme.
Westpac, which employs some 35,000 staff, failed to adopt a consistent approach to risk assessment and risk-based controls across the Group. Its risk assessment process failed to require the consideration of all relevant ML/TF risks and controls. Product and delivery channel assessments were not updated on a regular basis, nor were they centrally located. By October 2018, executive committees were informed that the “maturity status” in managing financial crime risk had moved from “ad hoc” to “reactive” and that it would take 3-5 years to build a comprehensive strategic approach.
Due to the inadequacies of its AML/CTF Programme, Westpac failed to identify, mitigate and manage the ML/TF risks noted by AUSTRAC in its international funds transfer and correspondent banking businesses. Westpac placed undue reliance on its faulty due diligence procedures for correspondent banks as a mitigating control and therefore failed to implement adequate risk-based controls to mitigate and manage those risks.
AUSTRAC also noted inadequacies in the lender’s transaction monitoring programme. Many products, including international transfers, fell outside the monitoring programme. The detection scenarios used throughout the Group were focussed on retail, rather than institutional, products and therefore were largely irrelevant in monitoring institutional transactions. Although nostro account monitoring was introduced in August 2017, the monitoring programme did not allow Westpac to understand the nature of its correspondent banking business.
Since 2013, Westpac had a heightened awareness of child-exploitation risks linked to low-value payments to the Philippines and South East Asia. In 2016, Westpac’s senior management were specifically briefed on these risks with regard to the bank’s LitePay channel. The bank’s own policies required it to pay regard to AUSTRAC and law enforcement guidance when developing and maintaining its automated monitoring systems.
However, it was not until June 2018 that the automated monitoring process addressed the issue and its link to the use of LitePay. AUSTRAC noted that Westpac has yet to implement automated monitoring detection scenarios for known child-exploitation risks through its other channels and hence the bank has failed to detect indicia of child exploitation through the accounts of its customers.
According to the Australian agency, Westpac had 12 customers whose accounts indicated “red flags” of child exploitation. The failure to implement automated detection scenarios until June 2018 on transactions executed via its LitePay platform meant that highly suspicious transactions were not identified earlier. Westpac opened a number of accounts for one customer who had been imprisoned for child-exploitation offences. Although the bank promptly detected suspicious transactions in one of its client’s accounts, it failed to review his other accounts.
With public trust in the Australian financial services industry at an all-time low following the publication of the report of a Royal Commission into the industry earlier this year, the events at Westpac have caused widespread outrage. Brian Hartzer, the bank’s CEO since 2015, has resigned less than a week after he said he was staying to “fix” the problems highlighted by AUSTRAC and within 24 hours of telling staff “this is not a big problem”. The bank’s chair since 2011, Lindsay Maxsted, is retiring early—an announcement made days after saying that any changes at the top of the bank would be destabilising. The chair of the board’s risk committee will not seek re-election at December’s Annual General Meeting.
Westpac is now facing investigations announced by the Australian Federal Police, the Australian Securities Commission and the Australian Prudential Regulatory Authority. Local law firms have suggested that class actions will be launched by aggrieved investors, and that the lawsuits will focus on the bank’s capital raising exercise announced on 4 November this year and whether adequate disclosure was made of the scale and nature of the AUSTRAC investigation.
What have we learned?
This saga provides many important lessons that financial crime staff can learn from so as to prevent their firms from making the same mistakes as Westpac.
Firstly, staff working in jurisdictions where firms are required to report international transfers to a regulator as a matter of routine, rather than on an exceptional basis, should ensure that such reports are made promptly and with the correct details. Over the years, many securities firms have been similarly sanctioned for failing to routinely report securities and derivatives transactions in the proper manner. Regular audits of reporting procedures may be helpful in this regard.
Secondly, for legitimate business reasons, Westpac developed an alternative mechanism to the widely-used SWIFT system to effect international transfers. Financial crime staff should ascertain whether their firm uses an alternative to SWIFT, whether transfers are appropriately reported and whether all relevant details are captured and forwarded to other institutions if needed.
Thirdly, AUSTRAC exposed poor record-retention processes within Westpac. Financial crime staff should ensure their firm’s record retention policies comply with all regulatory and legal requirements. Sample checking of records will identify whether or not the firm is meeting its record-keeping obligations.
Fourthly, where their firms offer correspondent banking services, financial crime staff should ensure that all regulatory requirements are satisfied for this inherently higher-risk business. FATF Guidance sets out the most important issues to consider when offering this service, while the Wolfsberg Group has produced a Due Diligence Questionnaire for banks to use throughout the world.
Fifthly, the failings of Westpac detailed by AUSTRAC are evidence of an inadequate AML/CTF programme. Financial crime staff should consider whether their current programme would have detected weaknesses similar to those exposed at Westpac. Staff should consider whether their groups adopt a consistent risk-assessment process and whether their transaction monitoring programmes would detect various typologies set out by regulators and others.
Finally, although the $500,000 in transactions allegedly tied to child exploitation are minuscule in financial terms, the effect on Westpac’s reputation has been devastating. Other offences such as human trafficking, modern slavery and wildlife crime also have the potential to seriously affect the reputation of any firm linked to them. Financial crime staff should ensure that they and their colleagues are aware of the “red flags” associated with these offences and that their transaction monitoring programmes are able to detect potentially suspicious transactions linked to them.
The situation that Westpac now finds itself in is a direct consequence of not properly applying fundamental ML/TF controls. The violations are not the result of any sophisticated or complex scheme devised by criminals. Financial crime staff should now need no reminder, following the recent Danske Bank and ING cases, of the importance of ensuring that basic ML/TF controls are effectively applied in a manner relevant to the activities conducted by their firms. Indeed, these cases demonstrate that no financial crime team member can afford to be complacent.
Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 to 2010, and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.
He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.