Westpac dumps EY for risk review
20 May 2020

Westpac has elected to dump EY for a review of its risk management processes three years after its last review found “known and ongoing risks” within the bank’s anti-money laundering systems including “poor data quality”, “manual workarounds” and “historical underinvestment”.

The reviews are required under APRA’s CPS 220 and are scheduled to take place every three years. In 2017, EY’s review flagged significant issues within its AML-CTF program highlighting outdated infrastructure, incompatible systems and capacity issues.

Westpac’s decision to drop EY and find another auditor has emerged as two key executives have opted to leave Australia for the UK with head of retail banking David Lindberg heading for RBS and chief information officer Craig Bright leaving for Barclays.

The bank used the opportunity to trumpet the appointment of 25-year Westpac veteran Les Vance as the bank’s new group executive financial crime, compliance and conduct.

The departures of Mr Lindberg and Mr Bright follow those of former retail banking boss George Frazis in June 2019, CEO Brian Hartzer in December 2019 and chairman Lindsay Maxsted in March 2020. Mr Hartzer and Mr Maxsted were replaced by Peter King and John McFarlane, respectively.

Westpac’s decision to drop the big four auditor for the upcoming review was revealed in a series of answers to questions on notice published quietly last week by a Parliamentary Joint Committee hearing that focused on the relationship between Westpac and its auditors.

During the hearings, it emerged that while EY’s review of Westpac’s risk management framework was scathing, it did not directly identify any of the 23 million breaches discovered by AUSTRAC including the failure to monitor 12 customers the bank should have suspected were paedophiles.

“We observed known ongoing IT risks within anti-money-laundering and legacy systems across the group. The complexity of the IT architecture environment contributes to the challenges in IT risk management, as highlighted in the recent APRA IT risk review,” the report said.

‘Westpac’s IT infrastructure has continued to contribute to issues within risk function, including a lack of integrated data, poor data quality, manual workarounds and system performance and capacity issues. A range of interviewees noted a historical underinvestment in critical systems, legacy systems and front-office risks systems and dispersed nature.”

By James Frost, The Australian Financial Review, 19 May 2020

Read more at The Australian Financial Review

RiskScreen: Eliminating Financial Crime with Smart Technology

Count this content towards your CPD minutes, by signing up to our CPD Wallet