When Westpac chief executive Brian Hartzer fronted Wednesday’s press pack on how the bank let legally required transaction monitoring software remain busted for 10 years, he re-opened a window into a period many at the bank would rather forget.
A decade ago, in the immediate aftermath of the global financial crisis, Australia’s oldest bank was struggling with a perception across the markets that it was falling behind arch rival the Commonwealth Bank on the technology front, and ceding competitive advantage in the process.
Westpac had hired CBA’s former chief information officer Bob McKinnon, a seasoned systems hard head, to replace Simon McNamara, who was spreading his wings overseas following the appointment of CEO Gail Kelly.
When McKinnon took the reins, he frankly conceded at a media briefing that Westpac’s tech estate had been run down and detailed a cleanout. Kelly had also panned Westpac’s tech execution at its 2008 earnings call, saying it had let the bank down.
That year Westpac’s compliance costs doubled to $69 million, with AML/CTF compliance ballooning to $36 million as it raced to get new reporting requirements bedded down before they became mandatory in 2010.
But in hindsight, the purge of tech staff and the many revolving doors around a multiplicity of shelved projects left a legacy time bomb silently ticking in the back room.
On Wednesday it exploded. The size of the crater is still unknown.
For all of the ‘ownership’, apologies and very public taking of medicine Hartzer put on display, the tech history matters here; not least because it teaches us what not to do, again.
Hartzer’s description of the circumstances that allowed the reporting notification system for some lower cost overseas transactions (dubbed IFTIs) outside the SWIFT network to remain essentially busted for a decade is a well-worn path.
“The new AML/CTF law came into effect in 2006 which required banks to make a number of changes by 2010 in their processes, we had at that time a very large program of work that had increases in or improvements in various processes and controls,” Hartzer explained.
He said the IFTI component of that work was originally viewed as “quite small”.
Of the 23 million breaches Westpac has had pinned on it, around 19 million are IFTI related, usually payments from overseas pension funds arriving in Australia.
“It ran into difficulties, technically, and there was some de-scoping that happened as a consequence of that,” Hartzer said.
“Around the same time, however, there were a bunch of people who left the company from the product area that was overseeing that,” Hartzer said of the still busted system a decade ago.
“So we had the confluence of a program of work that was not well managed from a project point of view, or from a technical point of view, compounded with a change in personnel.”
No doubt a lot of the technical memory and documentation went out the door with those personnel, who, it is understood, were Westpac employees.
It’s worth bearing in mind that this was an era when it was routine for banks to get staff who were soon to be laid off to train their incoming outsourcers or service providers. It didn’t work so well.
When the new staff took over the AML/CTF stack after the purge, Hartzer reckons they just plain missed the problem. So too did Westpac’s internal controls.
“That meant that they didn't quite understand what they had inherited and that this problem existed,” Hartzer said.
“There was a subsequent audit that happened a couple of years later, which did not identify this gap. And so unfortunately it was allowed to persist over a period of time.”
And persist it did.
For nine years and 11 months.
And there are still problems. Some of the products and transactional systems were just plain shut rather than made compliant, a move that suggests they could have been beyond repair commercially.
Former Westpac staff told iTnews the revolving door factor of IT staff was definitely one issue, but AML/CTF regime requirements also had another more basic systemic problem.
One source said compliance reporting regimes were historically based, quite literally, on tellers filling in paper forms.
“They became online forms,” the source said, noting it was hardly the best way to extract data.
Another payments source noted that a lot of the data carried in transactional messaging today that allows more interrogation of payments on the fly was simply not present in older, skinnier batch loaded messaging – like BSBs (bank-state-branch).
Connecting foreign transactions to BSBs seems to be where a fair amount of Westpac’s misery stems from.
The limitations of BSBs, particularly the very small amount of data that can be carried in bilateral messages, are one of the reasons PayID and the New Payments Platform were created.
Of course Westpac had its own little PayID monitoring problem very recently, prompting the NPP to rattle institutional cages with the threat of fines for lax security and monitoring.
Bob McKinnon, a noted previous critic of BSB limitations, is now the NPP's chairman.