We welcome commentary articles from the governance community. Please contact us via email at [email protected].
If you have a scholarly piece you would like to publish though the Enterprise Governance eJournal, please see the Enterprise Governance eJournal instructions page for full information on how to submit a manuscript.
9 April 2021
The exoneration of Westpac Banking Corporation’s (Westpac) senior management by regulators leaves more questions than answers and appears to have watered down “accountability” under Banking Executive Accountability Regime (BEAR). Last year Westpac settled a record-breaking AU$1.3 billion civil penalty suit with the Australian Transaction Reports and Analysis Centre (AUSTRAC) for 23 million breaches of the anti-money laundering laws and its failure to have proper compliance and risk procedures in place. The state of play is that no one is accountable at Westpac for the serious compliance and risk failures. Where does this leave BEAR in the future?
Operating an illegal money transfer platform
On 20 November 2019, AUSTRAC issued a statement of claim against Westpac identifying 23 million breaches of the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) (the Act). Westpac since 2013 had failed to address serious money laundering and terror financing risks, that had been known for some time within the organisation and also implemented a non-approved money transaction platform (“Litepay”) that by passed reporting requirements to AUSTRAC in breach of the Act.
The AUSTRAC statement of claim clearly identifies breathtaking systemic failures and risks within Westpac, including the failure to conduct risk assessment on its AML/CFT programs, failure to have appropriate procedures and policies in place, the use of “Litepay” enabled transactions on Westpac accounts to be conducted with high-risk correspondent banks in high-risk jurisdictions including countries that were on the sanctions list, such as Democratic Republic of Congo, Iraq, Lebanon, Libya, Ukraine and Zimbabwe.
Following the scandal, the Australian Prudential Regulation Authority (APRA) announced that it has closed its investigation into whether Westpac breached the Banking Act 1959 assessing if senior management should be held liable for the risk and compliance failures under the new BEAR. Likewise, the Australian Securities and Investments Commission (ASIC) “wrote off” it’s investigation in relation to contraventions under the Corporation Act.
The consequence of this catastrophic AML failure was that money for child prostitution, slave labour, child slavery and organised crime was allowed to move freely through Westpac accounts, under the noses of APRA, ASIC and AUSTRAC since 2013. Yet not one Westpac executive will be held accountable. One has to question: how can this possibly be the right answer by the regulators?
No Visibility – by Senior Executives and the Board
Westpac had limited or no visibility over the source of funds deposited into Westpac accounts and there was no caps or limits on the volume of cross-border transactions. Westpac had allowed, through the use of the Litepay platform to deliberately reduced payment transparency to AUSTRAC. Westpac Senior Management in 2013 introduced Litepay so as to save fees on money transitions that would normally go Swift arrangements. Westpac executives never though to obtain approval from AUSTRAC to use the platform.
In Using Litepay, Westpac did not know the organiser, purpose of the payment, beneficiary, or jurisdiction of the origin of the funds. There were not appropriate assessments of the risks in using this service. Since 2013, Westpac also failed under the Act to carry out regular assessments of ML/TF risks. “Westpac did not regularly assess the adequacy of each correspondent bank controls and internal AML/CTF compliance practices,” the statement of claim of AUSTRAC says.
In June last 2020, APRA delegated its enforcement powers under the Banking Act to ASIC that was conducting its own investigation into whether the conduct giving rise to the Westpac allegations, amounted to contraventions of the Corporations Law. After completing the investigation, ASIC announced in late December 2020 that it didn’t intend to take any enforcement against the bank or any individuals.
APRA then commenced its own investigation in December 2019 to consider whether there had been any breaches under BEAR or its prudential requirements. APRA has now closed its investigations. Despite the seriousness of the allegations, both regulators closed their investigations in record time – less than six months each.
Westpac remains subject to a Court Enforceable Undertaking (CEU) to improve its compliance and risk governance and also was required to hold AU$1 billion of operational risk capital.
Analysis - The fallout
Following the AUSTRAC allegations, CEO and Managing Director, Brian Hartzer, was forced to step down from his role and former Westpac Chief Financial Officer, Peter King, was appointed as interim CEO and later, into the position. However, but for Hartzer, no one appears to have been asked to step down because of the AML scandal. Certainly, no one has been held accountable for the serious 23 million breaches of the Act and the litany of compliance failures. Only Hartzer “fell on his sword,” although he was not there when the Litepay was implemented and was not provided any information about the serious compliance failures by his executive team until AUSTRAC struck, and then it was too late.
The compliance failures and contraventions of the law is described in the 47-page AUSTRAC statement of claim, set out serious failure after failure. In particular, there were no reviews conducted by senior management or independent reviews provided by the board since 2013. “By February 2018, group audit concluded that the management control was ‘unsatisfactory’ with respect to Westpac’s program. Group audit noted that the Part A program had not been subject to independent review for several years, noting that the last review conducted in September 2013 was not an independent review,” AUSTRAC’s statement of claim states.
Since 20 November 2013, Westpac had failed to carry out regular assessments of the risk its AML program and the risks it faced using the “Litepay” platform. For example, the statement of claim states, “Westpac did not assess the impact of known higher ML/TF risks upon the banking services provided by Westpac to the correspondent banks”.
It was only in the final hour that Westpac Senior management appear to acknowledge that they needed to do a full overhaul of their AML program and that there were serious issues at hand. On 2 February 2019, the Westpac board approved a Financial Crime Strategic Plan which was approved on 2 March 2019. In formulating this plan, Westpac identified four factors that impacted upon its risk management capability including: “A lack of clear ownership for some capabilities, a lack of standardised processing mapping, and a lack of end-to-end review of ML/TF risk and controls,” stated AUSTRAC’s statement of claim.
In essence, Westpac’s senior management and Board presided over a total systemic failure of one of the most important Departments within the bank and failed to appropriately identify, mitigate and manage ML/TF risks. By Westpac’s own admission, there was a complete failure of accountability within the organisation to address ML/TF risks which were the responsibility of the board and senior management.
The lost BEAR
The BEAR regime was introduced in February 2018, a year before Westpac’s serious misdemeanours were exposed by AUSTRAC. This exposure was to the complete surprise of APRA and ASIC who apparently had no idea there were fundamental AML issues within one of their four major institutions in Australia. Senior Management and the Board had not made relevant disclosures of the serious of the matters until late in the day.
Section 37C(a) of the Banking Act (which includes the BEAR amendments) requires banks to “conduct their business with honesty and integrity and with due skill, care, and diligence.” Also, in that section, that the bank and senior management must take steps to do business to “prevent matters from arising”. Section 37C sets out the accountability obligations, and Section 37CB, defines what taking ‘reasonable steps means’, which includes having appropriate governance, control and risk management and appropriate procedures for identifying mediating problems as they arise.
The only fair conclusion that can be reached, was that Westpac senior management and board members had no comprehension of the extent of breaches occurring because there were no reviews or appropriate processes to monitor the illegal platform the Bank had implemented in 2013 to avoid SWIFT fees when processing international transfers. In all the circumstances, can executives and the board with the litany of serious breaches of the law have “conduct their business with honesty and integrity and with due skill, care, and diligence?”
No evidence of breaching the Banking Act
Well, apparently luckily for Westpac, according to APRA Deputy Chair, John Lonsdale, “The investigation has not found evidence of breaches of the Banking Act.” Mr Lonsdale then goes on to refer to the fact that there is an enforceable undertaking in place with Westpac, which conveniently side steps the issue of Senior Management accountability. APRA gave no reasons for its decision.
Once can only wonder how such a conclusion could possibly be right given the circumstances and wording of Section 37C(a)! It also begs the question, how can APRA (or ASIC in considering directors duties under the Corporations law) possibly find that Westpac did not operate with due skill and care and diligence, given the 47 pages of serious misdemeanours that AUSTRAC has gone to great lengths to expose and Westpac accepted?
The APRA conclusion means that not one individual at Westpac will be held accountable, even though several board members are still serving and the current CEO, was the Chief Financial Officer when these serious 23 million breaches of the law took place. Only Mr Hartzer, the former CEO has lost his position, even though he was not at Westpac when the illegal platform was implemented. How can this be applying BEAR for the purpose it was intended?
Accountability watered down – going forward
After Westpac it means that very few financial Institutions will be held accountable under BEAR.
If this case does not come under the BEAR regime, then what does?
The APRA decision on Westpac has left BEAR ineffective and another questionable rule. A clever advocate who will no doubt be defending another financial institution in future in a BEAR action may say, “there is an EU in place, no further action required.” This may remind you of a time before the Royal Commission – has anything changed?
9 April 2021
Reputational issues for persons and entities alike have always been important, even in the time of Shakespeare. Othello uttered, in despair, the words “Reputation, reputation, reputation! Oh, I have lost my reputation! I have lost the immortal part of myself, and what remains is bestial.” The importance of reputation is certainly alive and well in the corporate world today, with the spotlight on this issue intensifying for most companies.
This intensity has arisen as a result of a number of factors. The stakeholders who are interested in a company’s activities are now more diverse – expanding from the traditional base of shareholders and investors to include customers, suppliers, business commentators, employees, community and special interest groups to name a few. The beliefs of society has changed (and will continue to change), with companies now being expected to proactively manage their ESG issues (Environmental Social & Governance) and be socially responsible corporate citizens. Additionally, stakeholders are now better informed, better organised and better connected in the digital age in which we live, and are able to effectively voice their concerns about the conduct of a company very quickly (go ‘viral’) and to a very large audience.
A number of regulators are now requiring companies to take more of a proactive approach in relation to the management of ESG issues. For example, the ASX Corporate Governance Principles (4th edition) note that listed companies should disclose whether they have any material exposure to ESG risks and, if so, how it manages or intends to manage those risks. The ASIC has also updated two Regulatory Guides (RG228 and RG247) to provide guidance on climate-risk disclosure by companies. Legislation has also been introduced to mandate various standards for the corporate world, including for example, the recent introduction by the Federal Government of the Modern Slavery Act 2018; the enhancement of the whistle-blower regime in the Corporations Act to provide more avenues for whistleblowing of corporate misconduct and better protection for whistle-blowers; and Victoria and Qld have laws making wage theft (underpayment of staff) a criminal offence. So there is plenty of public scrutiny of, and interest in, corporate behaviour from many angles.
Having a strong corporate reputation has lots of benefits for a company – a loyal customer base, a reliable supply chain, motivated employees as well as support by the business world and the broader community – all of which are likely to lead to higher and more sustainable earnings. The converse of this is that a company with a poor reputation will generally be underperforming and struggle to achieve financial stability and longevity. However, this risk area for companies can often be fickle – as corporate reputations can seemingly be destroyed overnight (rightly or wrongly) by a damaging event. There are many examples of this in the press, most recently the NZ Government and the adverse impact that NZ’s significant dairy industry is having on the environment; to BHP destroying around 40 significant ancient Aboriginal sites in WA to expand its Pilbara mine; to the Cambridge Analytica scandal where Facebook failed to protect the private data of over 87 million of their users. Along with the damage to the corporate brands of Australia’s banking sector through years of poor financial advice and dubious charging regimes, as well as a number of companies being flushed out for underpaying their staff (‘wage theft’). Once a corporate reputation is damaged, there is significant business interruption and cost involved, and it’s often a long road to restore that reputation. The process at that later stage will also then involve a more ‘reactive’ management of this issue, with ‘crisis management’ processes then kicking in.
So the challenge for companies is how best to manage this valuable asset. As corporate reputation is an intangible asset, it is harder to manage, let alone to quantify the financial impact of a damaged corporate reputation. In a number of recent surveys undertaken of risk managers, C-suite and board directors, the majority agree that corporate reputation is a high strategic risk and are aware of the potentially serious consequences for a company if its reputation is damaged. However, there are divergent views on how best to manage this somewhat nebulous risk.
Management of reputational risk requires a multi-faceted and proactive approach and importantly, there needs to be a focus on the longer term, rather than just having a shorter term focus on profits. In addition, companies will need to tailor the management of their ‘reputation’ to suit their particular business. So it’s a complex area and there is no easy way forward to managing reputations risk. As a starting point, there needs to be support from the top that recognises corporate reputation is a critical issue for a company, which will include ensuring that adequate resources are devoted to implementing and strengthening governance frameworks and processes to manage this risk. It is an issue that requires Board oversight and monitoring, as well as treating reputational risk as a strategic issue that is included in a company’s business planning processes. Having a constructive culture with a clear set of values that promotes ethics and compliance in the organisation is another critical component, and must be supported from the top and nurtured.
At a more operational level, companies need to spend ongoing time and money to understand their key stakeholders and their drivers. This process would include undertaking regular reviews of the types of issues that could derail a company’s corporate reputation and analysing this to understand what is likelihood of these issues arising, what are the consequences of this for the company and what actions can be taken to mitigate this (i.e., a risk management approach). Some companies are structuring remuneration packages to include a component that is linked to how effective the management of corporate reputation and ESG issues have been. It is good for a company to inform their stakeholders of their corporate strategy regarding ESG issues and what actions are being taken by the company to promote ESG issues in their business operations. However, stakeholders will hold companies to account with their published corporate position, so this reporting needs to be authentic. And if one of these ‘damaging’ issues does arise, having in place a strong crisis management plan that can be activated quickly to deal with a corporate reputation crisis is a ‘must have’.
So there are many tools in the kit that are available to manage reputation risk, but this doesn’t make this task any less challenging. A final thought – companies need to be clear, intentional and authentic about the management of their reputations.
Kiri Parr | Director, Kiri Parr Pty Ltd
9 April 2021
Queensland has been named as the preferred bid city of the 2032 Olympic Games.
Queensland’s bid is the first regional bid with the event hosted across Brisbane, Gold Coast, Sunshine Coast and beyond. It’s been described as the thrifty and creative games. The bid presumes extensive use of existing facilities with very few new facilities required and a promise of $7.4bn in economic benefits against a budget of $4.45bn.
Yet the public cry for more has already begun. Loudest amongst them is whether the Olympic Games demands a fast rail link connecting the Sunshine Coast, Brisbane and the Gold Coast.
But did you know that the Olympic Games share something in common with all mega projects, pandemics and earthquakes.
They have no average level of poor performance. You simply don’t know how bad the next earthquake is going to be and there is always a chance it could be worse than every earthquake that has gone before.
The same applies to hosting Olympic games. All Olympic games have had cost overruns, without exception. The Average cost overrun is 213% for the Summer Games.
Some of the key reasons for these overruns include the fact that the timetable for an Olympic Games is unmovable (with the notable exception of the Tokyo games but not in a good way), the host city is obliged to carry the cost overruns whilst meeting an enormous number of standards and requirements and the long planning horizon can lead to any number of unpredictable variables emerging. For more, you can read Ben Flyvberg’s paper Six Reasons Why Olympic Costs Blow Up, Over and Over.
Risk mitigation strategy Number 1 - not to host the games – has gotten away from us.
Risk Mitigation strategy Number 2 is to mitigate the risk like crazy.
There is no greater governance challenge before Queensland over the next decade than the one before the leaders responsible for hosting the Brisbane 2032 Olympic Games.
A conversation about the complexities Queensland might face hosting the games locally and how they could be addressed is a necessary start. Delivering a fast rail project on its own is fraught, can it be delivered successfully with the added pressure of an Olympics Games deadline is a particularly fraught scenario.
If the cost overrun risk of the Games is going to be mitigated, the governance model and team will need to be very skilled to manage the “go for gold” mentality and hold firm to the promise to deliver a cut-price games.
Dr David Millhouse | Honorary Adjunct Senior Research Fellow | Bond University
March 1, 2021
Raising capital is a long hard process requiring considerable time, patience and shoe leather. Many start-ups underestimate the time and financial resources to achieve a result. Many also do not comprehend that capital activities are rarely one-off activities.Read more
Dr Stephen van der Mye | Honorary Adjunct Professor, Bond University
April 23, 2020
In response to the COVID-19 pandemic, changes have been made to the Corporations Act in order to provide temporary relief for financially distressed businesses.
Co-Program Director of the Master of Laws in Enterprise Governance and Honorary Adjunct Professor Stephen Van Der Mye explains what changes have been made and how it affects financially distressed businesses..Read more
Dr Stephen van der Mye | Honorary Adjunct Professor | Bond University
April 14, 2020
On Sunday, 22 March, 2020, the Australian Federal Treasurer announced changes to the Corporations Act in order to provide temporary relief for financially distressed businesses due to the COVID-19 pandemic and its economic and social effects.
It means changes to Australia’s laws on insolvency, but it doesn’t mean it’s open slather on debts. Honorary Adjunct Professor Stephen Van Der Mye explains why.Read more
Dr Stephen van der Mye | Honorary Adjunct Professor | Bond University
October 1, 2019
The words Governance, Culture and Accountability (GCA) must have become the most used words in both the academic, business and not-for-profit sectors of Australian society in the last three years or so. Unfortunately, this has not come about through having a robust approach to these concepts but to a series of reports into a wide range of associations and enterprises which revealed a less than robust approach to these concepts.Read more
Journal Articles: Enterprise Governance eJournal
The Centre for Enterprise Governance hosts an open-access academic journal that focuses on enterprise governance law and practices for commercial, government and not-for-profit organisations. It will be of interest to lawyers, business managers, non-executive directors of commercial and not-for-profit organisations, and law and management academics and students.
Editorial Commentary - No-peer reviewed | August 13, 2020 AEST
David G Millhouse
This paper proposes three options to facilitate entrepreneurship ― to increase business capital availability, consistency in definitions, and to address the insurability of directors and officers. Read more.
Editorial Commentary - Non-peer reviewed | Vol 1. Issue 1, 2020 | February 20, 2020 AEST
David G Millhouse
Financial advice is provided throughout the investment chain. Differing interpretations of 'best interest' influence every financial advice relationship. Competency requires comprehension of the underlying best interest duties governing financial assets. Read more.
Editorial Commentary - Non-Peer reviewed | October 22, 2019 AEST
The Australian Securities and Investments Commission (ASIC) Chairman, Mr James Shipton, has “dug his heels in” and is moving forward on his experimental plan to place psychologists into board rooms, on a "voluntary basis", despite mounting criticism from regulators and behavioural experts. A similar program was used by the Dutch Central Bank and, while short-comings were evident, overall it was seen as a success. Read more...
Editorial Commentary - Non-Peer Reviewed | October 22, 2019 AEST
The burning question is that when all these issues were emerging, such as “fees for no service”, anti-money laundering, misconduct and dishonesty, why wasn’t this misconduct not exposed or elevated to senior management and boards by the compliance and risk staff within the organisations? Read more...