The agreed statement of facts offers a template for risk teams seeking to avoid a similar fate.
The complexity of Westpac’s IT systems, especially when an upgrade was needed, sits at the heart of its core failures to report millions of “international fund transfer instructions” (IFTIs). These mainly related to just two of its “corresponding banks” – offshore banks that Westpac receives money from and sends money to.
The relationships are critical to allow funds to move across borders. But they contain pitfalls, especially in ascertaining the identity of the source of funds and of the customers to whom money is being sent.
Westpac’s “Australasian Cash Management” (ACM) arrangements allowed its corresponding banks to use Westpac’s direct access to the Australian clearing system to process payments. The offshore banks liked this: it reduced costs for them, by allowing them to send “structured”, or aggregated, files, which was more efficient than sending payment messages, via a system known as SWIFT, for each and every payment.
Source of the drama
When these corresponding banks send money into Australia, they must provide Westpac with an IFTI, which Westpac has to send on to AUSTRAC. In 2010, Westpac was upgrading its systems to ensure it could provide AUSTRAC with the reports in the right format. This became the source of the drama that would unfold a decade later.
The bank failed to match the tech upgrades with different ACM arrangements it had set up for different corresponding banks. Its new systems were not properly configured.
One of these was its financial crime IT system, known as Detica, built by BAE Systems. It was the primary tool for screening customers, conducting risk assessments and reporting suspicious transactions to AUSTRAC.
But to get to AUSTRAC, files received from corresponding banks went through another system, known as WIBS. They were then converted into an IFTI format, passing through Detica via another piece of software known as an integrator, and then being processed again into an IFTI that could be uploaded to AUSTRAC.
Westpac realised it had issues with the process as far back as 2010. AUSTRAC queried its IFTI reporting process in late 2011. Westpac was in regular contact with AUSTRAC in late 2010 and early 2011, as it tried to work out a reporting solution for its “structured files”.
The statement of facts suggests that the bank for which Westpac failed to report the vast majority of IFTIs fell outside the scope of a technical release relating to the Detica system, and that this was not picked up.
Then, between August 2011 and August 2012, 15 members of Westpac’s IT team left to join ANZ, taking with them the bank’s corporate knowledge about the complexity of the reporting system. This prevented it setting up a proper audit process that should have ensured incoming IFTIs for two banks were actually going through to AUSTRAC. The regulator described this as “an absence of appropriate end-to-end reconciliation, assurance and oversight processes for IFTI reporting”.
“Westpac did not identify that over 72 per cent of all incoming IFTIs received by Westpac for the period 5 November 2013 to 3 September 2018 had not been reported,” the statement says.
“As a result of the failure to file the IFTIs on time, AUSTRAC, the ATO and other law enforcement agencies have been deprived of timely information relating to over $11 billion in international payments.”
Several chances missed
Frustratingly, there were several chances for these reporting errors to have been caught by Westpac.
For example, in July 2013, AUSTRAC recommended it perform a review of its payment instructions to check whether any were not being reported to the regulator. The bank prepared a “group assurance report” – but it did not catch the non-reporting.
Then, in 2016, a remediation project also failed to identify that the reports were not being sent to AUSTRAC. When the non-reporting from one of the correspondent banks was identified in 2017 by a team leader, it was not escalated to senior management for action.
It was not until 2018 that the proper level of senior management was made aware of the issues. The bank swung into action – but by then, the millions of legal breaches had accumulated in dramatic fashion.
The agreed statement of facts also details the holes in the due diligence that Westpac was obliged to conduct on its corresponding banks. Although it put questions to them via a questionnaire, AUSTRAC said these weren’t regular enough for higher-risk banks, and the process failed to respond to new risks emerging from the sale of new products to the corresponding banks until November 2019.
There were also issues with the reporting of outgoing IFTIs, when money was being sent from Westpac abroad. One of the products that tripped up the bank was LitePay, which was set up in August 2016 to send up to $3000 to various countries overseas. Again, a systems upgrade was the root cause of the problem.
In May 2017, a technical issue affected database replication, meaning instructions for some IFTIs were not passed between Westpac systems. Then, in November 2018, another technical issue forced internal IT support teams to manually intervene to set the payment status of each transaction, but this then blocked the automated process for completing the reports, which meant AUSTRAC did not receive them.
Again, the statement of facts says the bank “did not have appropriate end-to-end reconciliation, assurance and oversight processes in place to identify the IFTI reporting failures relating to the LitePay outgoing IFTIs”. The issue was not identified until July last year.
And then there is the failure to heed AUSTRAC’s warnings, over a six-year period, about conducting proper due diligence on specific customers showing tendencies of criminal activity.
AUSTRAC published information on child exploitation risks associated with sending frequent, low-value amounts into the Philippines and some other jurisdictions in 2013. The Attorney-General’s Department did the same in 2016. Westpac was briefed by AUSTRAC in December 2016 and January 2017 about adopting the new methodology to screen for suspicious payments.
But when it launched LitePay, its detection scenarios for child exploitation risk “did not adequately reflect the guidance, and did not apply to other payment channels”. It was not properly implemented until October 2019.
The bank has paid a very heavy price for its failures to act on AUSTRAC’s requests and its governance failures to audit and proactively identify the issues. AUSTRAC said on Thursday that while Westpac’s contraventions were not the result of any deliberate intention to breach the legislation, “there were opportunities to prevent and detect the non-reporting and, when it was identified, failures to escalate it”.