Westpac busted 23m times over epic money tracking system failure

When it comes to epic fails of transaction monitoring systems, they don’t get bigger than Westpac’s alleged wholesale abrogation of automated anti-money laundering and counter terrorism financing checks and reporting.

It's so big it could leave the CBA’s $700 million smart ATM blunder in the shade.

Financial intelligence agency AUSTRAC on Wednesday dropped its biggest bombshell to date on an Australian bank, filing documents alleging a massive failure to implement automated transaction monitoring systems for money coming in and out of Australia resulting in 23 million contraventions of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

A massive technology and governance failure is at the heart to the scandal that is certain to cost Australia’s oldest bank dearly as details of how key systems that the bank was legally required to have in place were simply not implemented, maintained or fixed.

Westpac had previously hinted during its recent results it would be hit with action after telling investors it had volunteered a confessional to AUSTRAC.

But upon revelation, the scale of the screw-up has left the sector agog.

The great reckoning begins

By AUSTRAC’s reckoning Westpac failed to provide it with reports on $11 billion in incoming lower value payments from its so-called correspondent banking arrangements with overseas banks that allow users to access the Australian payments system through Westpac’s infrastructure using virtual accounts dubbed 'Off-system BSB' (OSBSB) arrangements.

“Westpac contravened the Act on over 23 million occasions. These contraventions are the result of systemic failures in its control environment, indifference by senior management and inadequate oversight by the Board,” AUSTRAC said in documents filed in the Federal Court.

“They stemmed from Westpac's failure to properly resource the AML/CTF function, to invest in appropriate IT systems and automated solutions and to remediate known compliance issues in a timely manner.”

Ad hoc nightmare: the system no one wanted to own

AUSTRAC says that Westpac “adopted an ad hoc approach to ML/TF risk management and compliance”, a scenario almost certainly partly created by reliance on decades old proprietary technology the bank has struggled to shake off and maintain after it outsourced its tech shop to IBM in the 1990s.

Since then successive Westpac CIOs have sought to wrest back control over the bank’s architecture and core systems, most recently under Bob McKinnon, Dave Curran and now Craig Bright.

With the alleged contraventions dating back as far as six years, Bright must be wondering what he bought into having publicly aired his vision for a digitally native Westpac fit for the next decade just last week.

What AUSTRAC went after

The transactional systems AUSTRAC has slapped a massive defect notice on what are all essentially older batch-driven payments that were set up to make it cheaper and faster to transfer money in and out of Australia using correspondent banking arrangements, a bit like how airlines use code-sharing agreements.

The agreements are nothing unusual in themselves; they’re used to transfer smaller amounts for payments like overseas pensions, superannuation, payroll and other payments that would otherwise be decimated by international transfer charges.

“Due to their lower costs, they are extensively used by global business, including multinationals, payment processors, and other corporates,” AUSTRAC notes.

“However, with a significant number of payments processed under these arrangements, Westpac did not and does not know where the funds originate.”

Flying blind

Which, at a systemic, technology and governance level is a very major issue because the very reason financial intelligence agencies sought and obtained AML/CTF requirements was so that they could follow the money, normally through automated ping notifications.

The notifications are essential because they allow authorities to detect when money is moving between targets as well as being able to snoop for known patterns to zero in on criminals and sanction busters. Of which there is a growing list.

Small beer, big trouble

One service, dubbed 'Australasian Cash Management' (ACM) worked outside SWIFT’s rails that require a bunch of info on who’s paying who. AUSTRAC alleges “billions of dollars have entered Australia through the ACM arrangements over the last six years alone.”

“The ACM arrangements allow correspondent banks to use Westpac's infrastructure to process payments for their overseas customers through the Australian payments system. Correspondent banks 'batch' funds transfer instructions from multiple payers to multiple payees,” AUSTRAC said.

“The batched instructions are sent to Westpac via channels that are not governed by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). These non-SWIFT instructions did not always include full information about the payer and payee.”

Under its money laundering regime, AUSTRAC requires banks and businesses (especially casinos) to file what are called IFTI reports (International Funds Transfer Instruction) to track money.

It is these reports that were not forthcoming from Westpac across a bunch of systems, either because they did not work, were not there or just plain failed to fall into scope for compliance-related tech work.

(One thing you won’t read in the AUSTRAC documents is the high cost for no-return of compliance related work that often sucks budget out of other tech uplift projects, often making compliance a cost management affair rather than ROI spend.)

“A number of product systems and channels were outside the scope of the transaction monitoring program, including those relating to international payments,” AUSTRAC says of Westpac’s systems.

“The suite of detection scenarios are largely retail and cash-based and designed to detect activity at the retail rather than institutional level.”

Too little too late

It goes on to say automated monitoring was not really implemented until 2017, with a huge chunk of data also purged.

“From January 2011, Westpac received 3,516,238 incoming IFTls to be passed on to other Australian banks for payment. Westpac initially retained a record of the correspondent bank's 'unique reference number' for each payment instruction,” AUSTRAC said.

“However, due to poor oversight of its data retention systems, Westpac did not retain records of this information for seven years as required. The significant majority of these records were deleted in 2011 and 2012.”

Ouch.

See no evil

One major point AUSTRAC is clearly intent on ramming home on the transaction monitoring front is that in these days of automated and distributed payments, even the small change matter because these are often used to sneak money past SWIFT’s sniffing software.

The monetisation of child exploitation is a case in point, with AUSTRAC leaving some of its most damning allegations until well into the court document.

The worst is that Westpac was told up front it had an issue tracking suspicious transactions in relation child exploitation with one of its platforms, LitePay, that appears to have been incapable of generating red flags as it was required to do.

The horror show begins

“Since at least 2013, Westpac was aware of the heightened child exploitation risks associated with frequent low value payments to the Philippines and South East Asia, both from AUSTRAC guidance and its own risk assessments. In June 2016, senior management within Westpac was specifically briefed on these risks with respect to the LitePay channel,” AUSTRAC alleges.

“Automated solutions are available to 'red flag' suspicious patterns of frequent low value transactions to these jurisdictions. Westpac's own policies required it to have regard to advice from AUSTRAC and law enforcement in developing and maintaining these automated detection scenarios.

“However, it was not until June 2018 that Westpac implemented an appropriate automated detection scenario to monitor for known child exploitation risks through its LitePay platform,” AUSTAC said.

And it just gets worse

“Westpac still has not implemented appropriate automated detection scenarios to monitor for the known child exploitation risks through other channels. As a result, Westpac has failed to detect activity on its customers' accounts that is indicative of child exploitation.” AUSTRAC said.

It's not theoretical consideration either.

AUSTRAC said Westpac failed to run due diligence on a dozen customers “with a view to identifying, mitigating and managing known child exploitation risks”.

“Over a number of years, there were repeated patterns of frequent low value transactions on accounts held by each of these 12 customers that were indicative of child exploitation risks. Since at least 2013, Westpac was aware of the heightened child exploitation risks associated with these patterns of transactions,” AUSTRAC said.

Still. Not. Fixed.

"In spite of this awareness, Westpac did not implement appropriate automated detection scenarios for the LitePay channel until June 2018 and is yet to implement appropriate automated detection scenarios across other international payment channels,” AUSTRAC’s court documents said.

“Some of the undetected transactions involved payments to alleged or suspected child exploitation facilitators. One customer opened a number of Westpac accounts after serving a custodial sentence for child exploitation offences.”

“Westpac promptly identified activity on one account that was indicative of child exploitation, but failed to promptly review activity on other accounts. This customer continued to send frequent low value payments to the Philippines through channels that were not being monitored appropriately.”

"Westpac is currently reviewing AUSTRAC’s statement of claim and will issue a further statement to the ASX once it has been assessed," a spokesman said.