Coronavirus (COVID-19): advice and support for the Bond community. Read more

Westpac executives escape AML liability

June 16, 2021

Westpac executives escape AML liability

Too big for BEAR accountability

Niall Coburn

The exoneration of Westpac Banking Corporation’s (Westpac) senior management by regulators leaves more questions than answers and appears to have watered down “accountability” under Banking Executive Accountability Regime (BEAR).  Last year Westpac settled a record-breaking AU$1.3 billion civil penalty suit with the Australian Transaction Reports and Analysis Centre (AUSTRAC) for 23 million breaches of the anti-money laundering laws and its failure to have proper compliance and risk procedures in place. The state of play is that no one is accountable at Westpac for the serious compliance and risk failures. Where does this leave BEAR in the future?

Operating an illegal money transfer platform

On 20 November 2019, AUSTRAC issued a statement of claim against Westpac identifying 23 million breaches of the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) (the Act).  Westpac since 2013 had failed to address serious money laundering and terror financing risks, that had been known for some time within the organisation and also implemented a non-approved money transaction platform (“Litepay”) that by passed reporting requirements to AUSTRAC in breach of the Act.

The AUSTRAC statement of claim clearly identifies breathtaking systemic failures and risks within Westpac, including the failure to conduct risk assessment on its AML/CFT programs, failure to have appropriate procedures and policies in place, the use of “Litepay” enabled transactions on Westpac accounts to be conducted with high-risk correspondent banks in high-risk jurisdictions including countries that were on the sanctions list, such as Democratic Republic of Congo, Iraq, Lebanon, Libya, Ukraine and Zimbabwe. 

Following the scandal, the Australian Prudential Regulation Authority (APRA) announced that it has closed its investigation into whether Westpac breached the Banking Act 1959 assessing if senior management should be held liable for the risk and compliance failures under the new BEAR.  Likewise, the Australian Securities and Investments Commission (ASIC) “wrote off” it’s investigation in relation to contraventions under the Corporation Act.

The consequence of this catastrophic AML failure was that money for child prostitution, slave labour, child slavery and organised crime was allowed to move freely through Westpac accounts, under the noses of APRA, ASIC and AUSTRAC since 2013. Yet not one Westpac executive will be held accountable. One has to question: how can this possibly be the right answer by the regulators?

No Visibility – by Senior Executives and the Board

Westpac had limited or no visibility over the source of funds deposited into Westpac accounts and there was no caps or limits on the volume of cross-border transactions.  Westpac had allowed, through the use of the Litepay platform to deliberately reduced payment transparency to AUSTRAC. Westpac Senior Management in 2013 introduced Litepay so as to save fees on money transitions that would normally go Swift arrangements. Westpac executives never though to obtain approval from AUSTRAC to use the platform.

In Using Litepay, Westpac did not know the organiser, purpose of the payment, beneficiary, or jurisdiction of the origin of the funds.  There were not appropriate assessments of the risks in using this service.  Since 2013, Westpac also failed under the Act to carry out regular assessments of ML/TF risks.  “Westpac did not regularly assess the adequacy of each correspondent bank controls and internal AML/CTF compliance practices,” the statement of claim of AUSTRAC says.

In June last 2020, APRA delegated its enforcement powers under the Banking Act to ASIC that was conducting its own investigation into whether the conduct giving rise to the Westpac allegations, amounted to contraventions of the Corporations Law.  After completing the investigation, ASIC announced in late December 2020 that it didn’t intend to take any enforcement against the bank or any individuals.

APRA then commenced its own investigation in December 2019 to consider whether there had been any breaches under BEAR or its prudential requirements.  APRA has now closed its investigations. Despite the seriousness of the allegations, both regulators closed their investigations in record time – less than six months each.

Westpac remains subject to a Court Enforceable Undertaking (CEU) to improve its compliance and risk governance and also was required to hold AU$1 billion of operational risk capital.

Analysis - The fallout

Following the AUSTRAC allegations, CEO and Managing Director, Brian Hartzer, was forced to step down from his role and former Westpac Chief Financial Officer, Peter King, was appointed as interim CEO and later, into the position.  However, but for Hartzer, no one appears to have been asked to step down because of the AML scandal. Certainly, no one has been held accountable for the serious 23 million breaches of the Act and the litany of compliance failures. Only Hartzer “fell on his sword,” although he was not there when the Litepay was implemented and was not provided any information about the serious compliance failures by his executive team until AUSTRAC struck, and then it was too late.

The compliance failures and contraventions of the law is described in the 47-page AUSTRAC statement of claim, set out serious failure after failure.  In particular, there were no reviews conducted by senior management or independent reviews provided by the board since 2013.  “By February 2018, group audit concluded that the management control was ‘unsatisfactory’ with respect to Westpac’s program.  Group audit noted that the Part A program had not been subject to independent review for several years, noting that the last review conducted in September 2013 was not an independent review,” AUSTRAC’s statement of claim states.

Since 20 November 2013, Westpac had failed to carry out regular assessments of the risk its AML program and the risks it faced using the “Litepay” platform.  For example, the statement of claim states, “Westpac did not assess the impact of known higher ML/TF risks upon the banking services provided by Westpac to the correspondent banks”.

It was only in the final hour that Westpac Senior management appear to acknowledge that they needed to do a full overhaul of their AML program and that there were serious issues at hand. On 2 February 2019, the Westpac board approved a Financial Crime Strategic Plan which was approved on 2 March 2019.  In formulating this plan, Westpac identified four factors that impacted upon its risk management capability including: “A lack of clear ownership for some capabilities, a lack of standardised processing mapping, and a lack of end-to-end review of ML/TF risk and controls,” stated AUSTRAC’s statement of claim.

In essence, Westpac’s senior management and Board presided over a total systemic failure of one of the most important Departments  within the bank and failed to appropriately identify, mitigate and manage ML/TF risks.  By Westpac’s own admission, there was a complete failure of accountability within the organisation to address ML/TF risks which were the responsibility of the board and senior management.

The lost BEAR

The BEAR regime was introduced in February 2018, a year before Westpac’s serious misdemeanours were exposed by AUSTRAC. This exposure was to the complete surprise of APRA and ASIC who apparently had no idea there were fundamental AML issues within one of their four major institutions in Australia. Senior Management and the Board had not made relevant disclosures of the serious of the matters until late in the day.

Section 37C(a) of the Banking Act (which includes the BEAR amendments) requires banks to “conduct their business with honesty and integrity and with due skill, care, and diligence.”  Also, in that section, that the bank and senior management must take steps to do business to “prevent matters from arising”.  Section 37C sets out the accountability obligations, and Section 37CB, defines what taking ‘reasonable steps means’, which includes having appropriate governance, control and risk management and appropriate procedures for identifying mediating problems as they arise.

The only fair conclusion that can be reached, was that Westpac senior management and board members had no comprehension of the extent of breaches occurring because there were no reviews or appropriate processes to monitor the illegal platform the Bank had implemented in 2013 to avoid SWIFT fees when processing international transfers. In all the circumstances, can executives and the board with the litany of serious breaches of the law have “conduct their business with honesty and integrity and with due skill, care, and diligence?” 

No evidence of breaching the Banking Act

Well, apparently luckily for Westpac, according to APRA Deputy Chair, John Lonsdale, “The investigation has not found evidence of breaches of the Banking Act.” Mr Lonsdale then goes on to refer to the fact that there is an enforceable undertaking in place with Westpac, which conveniently side steps the issue of Senior Management accountability. APRA gave no reasons for its decision.

Once can only wonder how such a conclusion could possibly be right given the circumstances and wording of Section 37C(a)! It also begs the question, how can APRA (or ASIC in considering directors duties under the Corporations law) possibly find that Westpac did not operate with due skill and care and diligence, given the 47 pages of serious misdemeanours that AUSTRAC has gone to great lengths to expose and Westpac accepted? 

The APRA conclusion means that not one individual at Westpac will be held accountable, even though several board members are still serving and the current CEO, was the Chief Financial Officer when these serious 23 million breaches of the law took place. Only Mr Hartzer, the former CEO has lost his position, even though he was not at Westpac when the illegal platform was implemented. How can this be applying BEAR for the purpose it was intended?

Accountability watered down – going forward

After Westpac it means that very few financial Institutions will be held accountable under BEAR.

If this case does not come under the BEAR regime, then what does? 

The APRA decision on Westpac has left BEAR ineffective and another questionable rule. A clever advocate who will no doubt be defending another financial institution in future in a BEAR action may say, “there is an EU in place, no further action required.” This may remind you of a time before the Royal Commission – has anything changed?