In 2018, when Westpac executives skimped on embedding proper controls to track financial crimes, they earned large bonuses after reporting an operating profit of $8 billion; but they put children at risk of sexual abuse. The bank is now facing a $1 billion penalty, but only $20 million has been clawed back from those 38 bank executives. While the media, which boasts Westpac as one of its biggest advertisers, continues to whitewash the bank’s complicity in crimes against children, Nathan Lynch reports on the true cost of its failures.
In March 2018, at a discreet hotel in Sydney, two dozen senior representatives from the financial intelligence community gathered around a diplomatically square boardroom table. There was no head, no sides, just a group of equals coming together with a shared vision and a common goal. They had been invited to the bi-annual roundtable discussion on the Fintel Alliance, the world’s first genuinely co-located public-private financial intelligence partnership dedicated to fighting serious and organised financial crime.
It was a triumphant meeting, celebrating the successes of the alliance’s first 12 months of operation. The project had broken new ground by allowing bank staff, payments companies, law enforcement agencies and criminal intelligence experts to sit in the same room and work together on top-priority projects.
Some of the early wins demonstrated what a powerful model this could become. No other country had gone as far as swearing in bankers as public servants and inviting them to sit beside law enforcement counterparts to discuss matters of national importance — and secrecy — for criminal intelligence. In its first year the project team had been focusing on detecting and disrupting money-muling syndicates, analysing the Panama Papers and mining data from the Australian Cyber Online Reporting Network.
The biggest victory, however, had been a very human story. The alliance’s most inspiring and successful work had been to use financial typologies, transaction monitoring, data and analytics to make unprecedented inroads into the detection of payments that had facilitated child exploitation. This had allowed banks and payment companies to file a raft of suspicious matter reports (SMRs) on the horrific “pay per view” streaming of child sexual abuse, notably in vulnerable regions in the Philippines.
The discussion was full of optimism for the future of “fintel” partnerships, not just in Australia but globally. The members had identified patterns of behaviour indicative of child exploitation. This included small, regular payments of between $15 and $500 disguised as such things as “school fees” or “uniforms” in the payment narrative; purchases of live streaming software and virtual private networks, or metadata stripping programs; travel to countries such as the Philippines; and the use of payment cards in high-risk areas.
In isolation, none of these would be inherently suspicious. But when aggregated and overlaid with other law enforcement data sets, banks and payment companies had a game-changing tool at their disposal. In the 2018 financial year police had made more than 30 arrests using this information. A year later, 73 suspects were detained or arrested. Even better, with the help of financial intelligence, 35 children had been rescued from abusive situations.
What the participants could never have known, however, was that one of the Fintel Alliance’s founding members was bluffing. It had not done the work to detect and disrupt the typology identifying this heinous crime. It had not invested in the technology to run sophisticated transaction monitoring across its cross-border payments. In fact, at that stage, even the bank itself had no idea it was facilitating tens of thousands of suspicious payments for at least 284 potential paedophiles.
The darkest side of money laundering
In November last year, Westpac Banking Corporation’s edifice of good governance and top-tier financial crime threat mitigation came crumbling down. The Australian Transaction Reports and Analysis Centre (AUSTRAC) levelled a civil claim against the bank alleging systemic breakdowns in its financial crime program, systems and controls.
The financial crime intelligence agency alleged that Westpac had failed to report more than 23 million transactions, including millions of complex International Funds Transfer Instruction (IFTI) reports. AUSTRAC also alleged that Westpac had failed in its obligation to detect 12 customers who had been making payments for “CEM” – child exploitation material – in the Philippines.
The latter claim was galling for the many committed people who worked in the bank’s financial crime unit. It was also galling for the many small remitters who had been “de-risked” by Westpac in 2014 on the basis that it lacked a risk appetite for that line of business. (De-risking refers to financial institutions closing the accounts of clients perceived as high risk for money laundering or terrorist financing abuse.)
Those small players had long alleged that Westpac drove them out of business only to launch its own competing low-cost service. That competing service was the now-notorious LitePay channel, which Westpac closed immediately after the AUSTRAC allegations came to light.
A group of small remitters had even developed a solution, at their own cost, to report end-to-end payment data to Westpac in return for keeping their businesses alive. They argued that they knew their customers directly and could screen all transactions against data such as the criminal, adverse media and “politically exposed person” watchlists. Westpac declined, and closed their accounts, driving many of these businesses into closure.
Within a year of these discussions taking place, Westpac had launched LitePay.
As one remittance industry source told Thomson Reuters: “Everything we feared was absolutely true. When I saw LitePay in the headlines for facilitating child exploitation, I nearly fell over. We knew our customers, we knew why they were moving money, and we were happy to report any suspicious activity to Westpac. We were their best defence against getting caught up in this.”
Westpac said in a market announcement last Friday, June 12, that it had already “admitted to a substantial majority of the contraventions alleged by AUSTRAC“.
Ever since the claim was lodged in November, the bank has continued to review its internal failures. It has conducted several major reviews, including a mammoth “lookback” program and this year alone, will add another 200 financial crime compliance staff. The bank is effectively paying a premium now for any savings it made in cutting compliance controls in the past. It is also paying an enormous reputational cost.
As a result of this remediation project, Westpac has reported to AUSTRAC an additional 60,000 to 90,000 threshold reporting failures. These failures alone exceed the number of breaches in the A$700 million Commonwealth Bank AML/CTF litigation.
In December 2019, as part of the lookback process, Westpac had also filed some particularly heinous SMRs in relation to potential child exploitation.
The financial crime agency was unimpressed by the late arrival of the SMRs, in some cases years after the offences took place. AUSTRAC’s chief executive, Nicole Rose, had made it clear to the industry that under her leadership combating child exploitation offences would be a top priority.
In a terse media release, Westpac acknowledged on Friday that the financial crime agency was now on the warpath.
“Westpac has now been informed by AUSTRAC that it is further investigating these matters and has notified Westpac it may amend its statement of claim to include allegations arising from these investigations,” the bank said.
“AUSTRAC has requested further information from Westpac on these matters, including in relation to the TTR issues and 272 customers, many of which were the subject of SMRs previously filed as part of the lookback. Further updates on this matter will be provided as required.”
There is now a strong possibility that AUSTRAC’s legal team will be burning the midnight oil, ready to lodge a revised statement of claim in the Federal Court. This may even be ready as early as the next case management hearing today.
The new revelations from Westpac are devastating, including for bank staff who work hard to combat serious financial crimes. Behind the scenes, these dedicated financial crime teams have big wins every week, alongside their partners at AUSTRAC and other Commonwealth government agencies.
But to be truly successfully these crack experts are reliant on their colleagues in the business units. They need full management and board support to win the battle against Australia’s A$36 billion financial crime problem, as all the major AUSTRAC enforcement cases have shown.
The 284 customers at the heart of the Westpac child exploitation allegations were a top priority for the Fintel Alliance and law enforcement agencies. By mid-2019, just two years after its inception, the alliance had made huge strides in disrupting the financing of child exploitation.
The alliance’s first priority was listed as “protecting the most vulnerable from child exploitation”. As noted earlier, 73 suspected offenders had been either arrested or detained — 85% of which were due directly to 25 “intelligence products” from the Fintel Alliance.
Westpac, however, was failing to fulfil its promises to the partnership. The detections could have been much higher had Westpac been embedding in its systems the alliance’s knowledge and tool sets.
From AUSTRAC’s perspective, child exploitation was a top priority and the Australian Federal Police would have acted on this financial intelligence immediately. All the major banks knew this through their involvement in the alliance and through direct engagement with AUSTRAC and its partners.
This multi-agency work is dependent, however, on banks running transaction monitoring and other anti-money laundering and counter-terror financing (AML/CTF) controls across their client base.
AUSTRAC’s revised claim will doubtless argue that Westpac’s failure to run transaction monitoring and other controls on cross-border payments led to the loss of actionable intelligence. Law enforcement and criminal intelligence agencies have already taken the view that this failure placed children directly at risk of harm.
— 💧Michael West (@MichaelWestBiz) June 4, 2020
Based on similar cases that police have investigated in the past, Westpac’s failures could involve tens of thousands of individual transactions. Bank sources say this problem was not restricted to the problematic LitePay channel, which was highlighted in the statement of claim. It cuts across many cross-border payment channels, all of which had systemic problems with their transaction monitoring programs.
In fact, Westpac decided to save money by running transaction monitoring only on its cheapest remittance service. The justification was a flawed assumption that paedophiles would be “price sensitive” and would migrate to the cheaper, monitored channel. As the lookback exercise shows, this theory was flawed.
Instead, as the other banks used AUSTRAC’s typologies, reported their intelligence, and closed the suspect accounts, Westpac became a honeypot for child exploitation payments. The case is yet another devastating reminder that any bank that lags its peers in financial crime compliance will become an unwitting magnet for all the worst types of customers.
This week, Westpac looks a lot like a banking pariah. The 12 customers at the centre of the child exploitation payments no longer look like outliers. These are systemic control failures across the bank’s international payment channels.
The Westpac case is a stark reminder for bank boards and executives of the importance of a strong financial crime function and the need to understand a bank’s activities from top to bottom. The big lesson is to resource appropriately the financial crime function. It is not a “nice-to-have” function; it is a legal obligation and a fundamental part of running a bank.
Similarly, Australian bank executives who decide to save mere millions on financial crime controls while their organisations report multiple billions each year in profits should expect to face the full wrath of customers, politicians and investors. In 2018, when these fateful decisions were made, Westpac reported an operating profit of $A8.07 billion. It was Australia’s oldest and second most profitable financial institution. Senior executives earned significant bonuses during this period, yet only $A20.1 million has been clawed back from 38 individuals to help shareholders pay the upcoming billion-dollar-plus AUSTRAC penalty.
The bank’s senior executives should now expect to face the full extent of any individual accountability that is available under the law. The Australian Securities and Investments Commission is already well advanced in Project Chiltern, its proposed case against some of the Commonwealth Bank’s senior executives for similar failures. This includes looking at whether the most senior staff and directors met their obligations of “care and diligence” in relation to systemic breakdowns in AML/CTF controls. The investigation is looking at possible breaches of Section 180 of the Corporations Act 2001. If ASIC pursues this line in court, it will be a critical test case for the “care and diligence” obligations on directors.
Given the seriousness of the Westpac allegations, it is highly likely that a similar project has already been launched against Westpac.
Time waits for no manager
This case offers another significant lesson, which is to fix problems as soon as they emerge. As large and complex organisations, banks make mistakes. When they make an error, it inevitably has a large-scale impact.
Likewise, the AML/CTF regime is not a “zero failure” framework (unlike, for example, the sanctions regime). Some requirements are fundamental, such as conducting a risk assessment, having an appropriate AML/CTF program and conducting transaction monitoring. But reporting entities can take a proportionate, risk-based approach to tackling financial crime. The regime’s obligations are scalable and ramp up in concert with the risks.
When banks do uncover failures, they must demonstrate to the regulator that they treat AML/CTF compliance as a top priority. Banks and other AML/CTF reporting entities are engaged with AUSTRAC in this process of dialogue and collaborative improvement all the time.
In keeping with this “partnership” approach, banks should also keep the regulator informed on progress throughout any remediation processes. National Australia Bank has adopted this approach as it works through a raft of compliance failures with the financial crime agency. It has made changes in key roles, trained staff, invested in compliance and is getting its relationship with AUSTRAC back on track — as key allies and partners in the fight against financial crime.
As this banking morality play rolls on, the fortunes of NAB and Westpac could not be heading further apart.